Security - Featured Articles

HTC One Accounts

So, you want to adopt BYOD?

What you need to know before integrating employee devices on your network

Bring Your Own Device (BYOD) is the current hot trend. (And has been for a while, really.) There are many perceived advantages for a company that allows employees to bring their own devices to work and have access to your...
LG G Pro 2 Knock Code

How to use Knock Code on the LG G Pro 2

Knock Code will come to other LG phones via software updates this year

With Knock On — wherein you tap the display twice to turn on your phone — has been one of our favorite new features of the past few months. LG introduced it with the LG G2 in 2013, and it returned with the LG G Flex toward...
The Boeing Black

Boeing reveals the Boeing Black — a super-secure smartphone for those with super security needs

This phone will self destruct in ten seconds…

In this day and age of malicious apps and intrusive government surveillance, you might be wondering how to keep your data secure. You could turn to a solution like the up-and-coming Geeksphone Blackphone, with a modified version of Android and sets...

Security - Top Articles

SD card: Activate

KitKat and SD cards — what's fixed, what's broken and what's misunderstood

Why your SD card doesn't work the same in Android 4.4 KitKat, and the reasons for the change

“Curse you, Google! Your KitKat update broke my SD card!” Poke around the Android section of the Internet and you’ll hear something similar. Users like you and me are in an uproar because they updated...
Google fixes Heartbleed

Google updates back-end in light of Heartbleed vulnerability

If you've been online at some point in the last 36 hours, chances are you've heard of 'Heartbleed', a flaw in OpenSSL that has exposed data to theft on approximately 2/3 of servers in use around the globe over the past two years. It's not known how bad the damage may be, but the revelation of the...
Android Central

NBC News and the bullshit 'ZOMG Sochi Olympics Android hack' story

Your Android smartphone only installs malware if you're being dumb (or do it on purpose) — not automatically, and not just because you're in Russia. This is just ridiculous, even for American "news" television. A report from NBC News was exposed — and rightfully so — by Errata Security (via...
SkipLock.

Unlock With Wifi app retooled and is now SkipLock

Safety meets convenience with a set of great features

You may have heard us talk about an app called Unlock With Wifi a time or two. It's an app that tells your lock screen when to become secured with a password or PIN, based on what Wifi AP you're connected to. It's one of those apps that you...
Gmail

All Gmail will now use HTTPS, messages will be encrypted when moving inside Google

Initiatives were 'made a top priority after last summer's revelations'

Google has steadily improved the overall security of several of its apps and services, and the latest move is moving to HTTPS and encryption across all of Gmail. Starting today, every single time you send or check your Gmail...
Cerberus

Cerberus servers have a data leak, users advised to change password

Users of the popular phone security app Cerberus are reporting a slightly disturbing email coming from the developers today. While Cerberus assures that no passwords were compromised — they are encrypted, of course — attackers did gain access to some usernames and passwords. If you're using...
Android Central

Android Device Manager app launches on Google Play

Like the web interface, the new app lets you remotely track and lock down your other Android devices

Google has launched a new Android app allowing users of the Android Device Manager feature to remotely track, ring, lock down or wipe their other devices. Not to be confused with the Google Play...


Chalk up another carrier in the "No" column when it comes to Carrier IQ, apparently. In an internal memo, regional carrier US Cellular says unequivocally, "None of our devices have this software/applications embedded." Here's the full skinny:

Many of you may have received inquiries from customers regarding USC's usage of Carrier IQ Software that has been in news articles the last few days. At U.S. Cellular®, we take customer privacy very seriously. None of our devices have this software/applications embedded. If you receive any further customer inquiries please let them know that our devices do not have this and we do not monitor this type of information.

We've got the full memo after the break.


In a pair of unreleased memos seen in the usual spy-shot fashion, Sprint and T-Mobile both have, at least internally, discussed the Carrier IQ saga with their employees. 

The memos discuss the use of Carrier IQ as you'd expect -- as a metrics tool for improving network and device service, and both reiterate that Carrier IQ isn't being used to spy on text messages, phone calls and the like, backing up responses that Carrier IQ recently gave The Verge in an interview.

To wit:

T-Mobile: "T-Mobile does not use the tool to obtain the content of text, email or voice messages, or the specific destinations of customers' Internet activity. It is not used for marketing purposes. T-Mobile uses the Carrier IQ diagnostic tool to gather device data for effective troubleshooting and to increase the overall device and network performance for our customers."

Sprint: "Sprint uses the Carrier IQ data to only understand device performance on our network so we can identify when issues are occurring. ... Even with Carrier IQ, Sprint does not and cannot look at or record contents of messages, photos, videos, etc., nor do we sell or provide a direct feed of Carrier IQ data to anyone outside Sprint."

T-Mobile also details which of its current phones have Carrier IQ installed. You'll want to read the entire memos, which you can find at the source links below. 

Source: TMoNews, SprintFeed; More: The Verge


Android hacker and professional security consultant Dan Rosenberg (you may know him as djrbliss from the Internets) has completed his own study on Carrier IQ, and found some interesting results.  All those reports about logging keystrokes and spying on SMS messages look to have been blamed on the wrong party, as his research shows that Carrier IQ as written can only capture the data that the carrier sends to it (known as metrics), and even then still has to consult a profile (think of it as a settings page for any app) that a carrier has had CIQ write specifically for their installation.  In his own words:

Dear Internet,

CarrierIQ does a lot of bad things. It's a potential risk to user privacy, and users should be given the ability to opt out of it.

But people need to recognize that there's a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn't happen).  After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data.  There's a big difference between "look, it does something when I press a key" and "it's sending all my keystrokes to the carrier!".  Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes.  Of course, the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur.  But all the recent noise on this is mostly unfounded.

There are plenty of reasons to be upset about CIQ, but please don't jump to conclusions based on incomplete evidence.

Regards,
Dan Rosenberg

So what about all the stuff we see on Trevor Eckhart's video of the EVO in action?  It's obviously there, so what's up with all that?  We're not security researchers, professional or otherwise, but we are nerds who read about exploits and security every day.  The best we can figure is that HTC has exposed those events to the log while sending it as anonymous metric data to the Carrier IQ app.  There's still no evidence, and never was, that any of that data is sent anywhere. 

The biggest thing to take away from this news is that while Carrier IQ is scary, and many of us consider them evil, they only provide a service to collect data that carriers and OEMs make available.  This needs to be made more transparent, because it's never going to go away -- "if you don't like it, don't use our network; nobody is holding a gun to your head" is likely the carriers' stance on the subject, and in a way they are right.  Our choice in the matter is to not spend our money with them, and heaven knows I understand how unpopular that idea is firsthand.  But things are looking more and more like the carriers and manufacturers need to share a good bit of the blame here, and this whole mess is over an easy way to collect data they already have been collecting. 

When we get finished here, we can start looking at how the companies who rushed forward shouting "We don't use Carrier IQ on our phones" are collecting the same data with something other than Carrier IQ, so we can be sure that changes are made across the board versus crucifying a small company in Silicon Valley.

Source: Vulnfactory; Pastebin


A little light reading for a fine fall Sunday. What is CarrierIQ, what's all the fuss about, and what can be done?


Researchers at N.C. State University have performed a study of eight Android phones (HTC's Legend, EVO 4G, and Wildfire S; Motorola's Droid and Droid X; Samsung's Epic 4G; and the Nexus One and Nexus S from Google) and found more potentially disturbing information.  While the Nexus phones and OG Droid (phones that run stock Android) had one minor security issue, namely a code bug in the pico app that would allow another app to delete the pico installer app, the rest of the bunch didn't fare so well.  All the phones with customized versions of Android had serious security issues:

In particular, by exploiting these leaked capabilities, an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations – all without asking for any permission.

Apparently because the system applications built by vendors such as HTC, Moto, and Samsung are all signed with the same digital signing key, they are able to inter-communicate and access each other's data.  While this is a serious security flaw, it's also possible that it was done by design so that applications like Friendstream or Social Hub can easily parse social networking app data and aggregate it, and these researchers just found a new method to exploit that system.

While the implications for Android are new, the idea of exploit attacks on popular computing platforms is not.  As Android grows in popularity, more people will be focused on finding (and reporting) exploits against the OS.  Researchers have dutifully reported the issue to Google and all the OEMs, although they express difficulty dealing with HTC and Samsung who (as of this writing) the researchers say have been "very slow in responding, if not ignoring our reports/inquiries". 

Should you be worried?  Not any more than you were yesterday.  Malware exists because a whole hell of a lot of people use Android, and users are not restricted to installing only approved applications.  If these types of reports bother you -- and that's a pretty valid response -- you still have the option of installing only trusted applications by well-known developers, or other options to not run the affected firmware on your phone.  And while nobody wants to hear me say it again (but I'm about to anyway), Nexus devices running Android as it was written are once again immune from these serious issues, so are always the better choice if you value your security. 

Source: NC State University CSC (.pdf)


Angry Birds Seasons just got a new holiday update. But along with the new levels in "Wreck the Halls" came a few new permissions, including phone state and SMS permission, that furrowed a few brows. We caught up with Rovio for a bit of explanation. Here 'tis:

On Android, the Angry Birds game itself asks only for the permission to use the Internet. Versions of the game that include advertisements, support for in-app purchases, or both, require additional permissions. The ones that might concern our customers the most are coarse location, phone state and SMS related permission.

Coarse Location:
Coarse location is used to target advertisements geographically, for example to avoid showing Chinese advertisements in the USA and vice-versa. Android also allows finer location discovery, but we have decided not to enable it for advertisement purposes.

Phone State Permissions:
The phone state permission is used to identify devices in order to implement advertisement frequency capping and targeting. Basically the aim is to avoid a situation where our customer has to view the same advertisement too many times on the device in question.

SMS related permissions:
SMS related permissions allow in-app purchases, where available, for example the Mighty Eagle, to be securely billed on the device owner’s phone bill.

Rovio does take privacy issues very seriously. The Android permissions that our games require are constantly reviewed and we strive to provide the best possible user experience while respecting our customers’ privacy.

Hope that clears things up for ya.


Well, that was quick. Carrier IQ just sent out a press statement saying it's withdrawn its cease-and-desist letter to Trevor Eckhart, who recently detailed how the company's action worked. Said Carrier IQ:

"Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world."

Looks like the Electronic Frontier Foundation's backing of Eckhart paid off, the lawyers have done their thing, and the security and privacy advocate known as TrevE won't be pursued for thousands of dollars of fines after all.

That doesn't change the fact that the Carrier IQ software remains on a number of phones, and many of you aren't crazy about having a hidden background app report how you use your phone back to the manufacturer -- even if you do agree to it up front -- and that's certainly an argument that needs to continue.

We've got the full press release after the break.


The push and pull between security (and privacy) advocates and a company that supplies several Android manufacturers with application metrics has reached a new level -- and lawyers are now involved. This stems from the CarrierIQ "app" that resides in a number of HTC Android smartphones that gained notoriety in early October when a flaw was discovered in the way it was collecting data. Depending on who you ask, CarrierIQ (recently named a "Company under $100 million to watch") either is a tool that provides OEMs a look at what you're using your device for under the auspices of giving you a better user experience in the long term, or it's an evil agent spying on your every move.

On Nov. 14, Trevor Eckhart -- aka TrevE -- sent us (and presumably other sites) a link to a post he'd written explaining in great technical detail what CarrierIQ does, how it does it, and why he believes it's a bad thing. (We declined to report on Eckhart's post.) Included in the post and mirrored off site are training documents Eckhart copied from the CarrierIQ website, and Eckhart explained how he believed he evaded no security in copying the documents.

CarrierIQ, however, believes Eckhart violated copyright laws by doing so, and has sent a strongly worded cease-and-desist letter demanding he cease any infringement or face thousands of dollars in fines, as well as retract "allegations on your website ... that are without substance, untrue, and that we regard as damaging to our reputation and the reputation of our customers." CarrierIQ also demands that Eckhart contact anyone directly or indirectly sent copies of the training material, send written retractions, issue a press release on the AP (Associated Press) wire admitting "inaccuracies" and "apologize to Carrier IQ, Inc. for misrepresenting the capabilities of their products and for distributing copyrighted content without permission."

Eckhart has retained the help of the Electronic Frontier Foundation, which responded to CarrierIQ's general counsel that Eckhart's copying and republishing of the training materials falls under fair use, and that CarrierIQ must specify the statements it believes are false. (CarrierIQ was most certainly purposely vague in its initial C&D letter. That's how it works.)

This isn't about fears over data collection anymore, folks. Now that lawyers are involved, it's about whether laws were broken. The short version is CarrierIQ thinks Eckhart copied and used the training materials illegally (remember that just because something's not behind a locked door doesn't necessarily give you permission to distribute it), and the EFF is arguing that CarrierIQ is using strong-arm tactics and threats of thousands of dollars in fines to silence Eckhart and force retractions. (If you're really into the legal stuff, it's also interesting that the EFF claims CarrierIQ is a public figure and that New York Times Co. v. Sullivan and Hustler Magazine v. Falwell apply here.)

It also should be noted that on Nov. 16, CarrierIQ posted a "media alert" titled "Measuring Mobile User Experience Does Matter!" that seeks "to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices." Eckhart's piece isn't explicitly mentioned, but it's pretty clear what it's in response to.

The debate over CarrierIQ will continue as well (and as it well should). But it is worth mentioning that we all gloss over a bunch of legalese every time we boot a smartphone for the first time that should (in small type) tell you your phone is collecting data about what it's doing. And it also needs reminding that when a potential security hole was found in the way CarrierIQ was collecting data, a fix was pushed out pretty quickly (for some phones, at least). And it's also worth mentioning that CarrierIQ's not acting unilaterally here. The manufacturer -- not you -- is CarrierIQ's customer. We'll all have to watch how this one plays out.

Additional links: "What is CarrierIQ?" | "Measuring Mobile User Experience Does Matter!" (pdf) | EFF post | EFF response (pdf) | Cease and desist letter (pdf)

Thanks to everyone who sent this in.


Kindle Fire ships with your username and password already entered, ready to make purchases

We interrupt our regularly scheduled Amazon Kindle Fire review for this timely editorial.

I'm really not a tinfoil hat type -- maybe a little too much on the other side of that spectrum, actually. But I'm really not crazy about how Amazon's shipping the Kindle Fire. Here's how it works: You order a Kindle Fire from Amazon, they ship it to you. You open the shipping box, and then the specially designed, "Certified frustration-free packaging" (which is pretty cool and mostly frustration-free). Unwrap the Kindle Fire, turn it on and connect to Wifi.

And find that you're already logged in, password and everything, ready to purchase books, magazines, apps and music.

This is not good.


It's fun to say Android is fragmented on the Internet.  All the cool kids and blogs do it, they even make fancy misleading charts about it.  While there's more than one side to the argument -- choice versus fragmentation -- only the most rabid fanboy would say that it doesn't exist.  I tend to think the whole issue is living with the choice you make.  If you want the "Android" experience, buy a Nexus phone.  If you prefer the experience an OEM offers, buy one of their phones.  Both are the right choice.  But there's an underlying issue that gets forgotten when we talk about updates and versions -- security patches.

The diversity of Android gives us a chance to have this user experience regardless of the platform version it's built from.  That doesn't make the want for the new software any less, but it's a fair trade for most people.  Ice Cream Sandwich looks a whole helluva lot like TouchWiz 4.  Security issues are another matter entirely.  HTC had a recent issue about user privacy, have a read if you aren't familiar (be sure to read HTC's response as well).  They caused it.  They quickly pushed out a patch to at least one carrier to address it.  All security issues need to be addressed this way.  If HTC, or Samsung, or LG, or Motorola -- whomever -- builds the OS and sells it to the carrier, they need to follow up with security patches in a timely manner -- either by updating their base to the latest Android version and building their OS with it, or patching the issue themselves with the current code base.  Users deserve the benefit of patches to the bootloader, or browser, or whatever, much faster than companies and carriers get them rolled out.  Yes, that responsibility is shared by the carrier as well.  While they aren't the people responsible for updating the code and building the operating system, they are the people that accept your money for the device.  Carriers and OEMs need to work together to keep the phone secure for the life of the product, even if they don't work to keep the software version current.

On the enterprise side of things (something that OEMs are starting to take more seriously), this becomes critical.  Companies simply can't sit back and ignore the fact they aren't getting security patches, because their money is on the line.  Documents, contacts, and communications need to be as secure as possible, and when cracks in the armor are found, the patches need to come quickly.  They don't, and this is a problem. 

I know that making sure your phone isn't susceptible to the latest bootloader hack isn't near as glamorous as getting Ice Cream Sandwich, or even Gingerbread.  These few words can't make that happen.  But I think we need to be pointing out the right issues -- not having a phone that is secure for the life of its contract is one of them.


If you'll remember a little while back, HTC confirmed some security issues in a few of their devices and advised that an OTA security update was in testing and would soon be rolled out once carrier testing was approved. Now, Rogers users in Canada are getting a security update labeled version 1.20.631.3 for the HTC EVO 3D that also includes some performance enhancements for Sense and addresses some force close issues. If you've not yet received the update, go ahead and check for it -- it should be there waiting for you.

Source: MobileSyrup


Several days ago we (and likely many others) were contacted about a potentially serious security issue with Dolphin Browser.  Apparently, quite a bit of information about your browsing session, including URL data for secure websites and search strings, was being forwarded to a remote server -- http://en.mywebzines.com.  We tore things apart and verified it, sure enough, it was happening and we were concerned.  Today the folks at Dolphin Browser have responded:

With roughly 300 Webzines supported at the moment, it was necessary for the client to check the current user URL against a database housing these 300 Webzine columns...None of these URLs have ever been stored by Dolphin, instead being used to cross-index if a Webzine for the current site exists. If it does, the current site is immediately converted to Webzine format; if not, it remains the standard mobile site. Again, none of this process is stored on the backend of our servers and we are deeply sorry that this was not made clear to our users from the beginning.

While the security nerd inside of us still cringes a bit at this, it's a perfectly reasonable explanation.  It's also the best way to handle the situation -- Webzine is pretty cool, and we don't want to have to maintain that database of 300 supported sites on our devices.  This should have been presented to the user before using the Webzine feature, but Dolphin Browser isn't evil.  We're glad they took the time to explain the whole mess, and now we can go back to using it.  Read the concerns, and Dolphin's entire response at the source links.

More: XDA-Developers; Dolphin Browser blog

Thanks, CB!


Owners of the EVO 3D can now download a security update for their device, which will begin pushing to all users on October 27. Sprint says that software version 2.08.651.3 will include security improvements, though it fails to detail just what these improvements are. Regardless, you can pull now, though Sprint reminds you that like all updates, it will roll out in stages. If you can't find it today, try try again, or sit back and relax until you receive it automatically later this week. Hit the source link for installation instructions.

Source: Sprint Community


AT&T has announced their latest offering for users looking to bring their own devices to their work environment. AT&T Toggle, as it is called, allows your device to contain two worlds essentially -- your work world and your home world -- all while keeping both worlds safe and secure and making it easy for IT admins to implement:

  • Personal mode: When not working, send text messages to friends, watch TV shows and movies, and play games on your mobile device as you otherwise would. Personal activities remain segregated.
  • Work mode: If it’s time to buckle down and focus on business, employees can enter their work environment. In this mode, users can access corporate email, applications, calendars and more, just as they would on a company-provided device.

The service will allow IT admins to control the corporate side of the device with the capability to update applications, remote wipe and manage company access while the personal side of your device remains unaffected.

The long and short of it: you get to use the device you love to use, and businesses save money and know that their data is both compliant with security standards and secure on whatever device it is that you are using. AT&T Toggle can be used on devices running Android 2.2 and higher, and with any service provider. Full press release can be found after the break.

Source: AT&T


Well, that was quick. Just a couple days after a so-called "massive security vulnerability" was discovered in a few HTC phones, the Taiwanese manufacturer says a fix is on the way. Telling Phonescoop:

"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability."

That's pretty much exactly how our own Jerry Hildenbrand explained this on Sunday. It's a fairly big gaffe (and likely an embarrassing one for some coders somewhere), and it's good that it was brought to light. But the sky really isn't falling, no personal data is oozing out the microUSB port of your phone, and nobody was scaling any walls.

HTC says the patch will be pushed out over the air after carrier testing.

Source: Phonescoop


(And it doesn't mean the sky is falling)

Update (Oct. 4): HTC says a fix is on the way. Original follows.

Another week, another bit of scary news that nobody is taking the time to properly explain.  This time it's more HTC data logging, and the way HTC is handling the data it collects.  Exposed in technical detail by Android Police, you'll see this spread all over the Internet for the next few days, so let's try to break down what is happening in simple terms we all can understand.

What's going on

When you first log in and set up your HTC Sense phone (so far this is only showing up on newer U.S. phones with HTC Sense), you're asked if HTC can collect and send data back home about your usage.  If you say "yes," it collects data about apps you're using, where and how you're using them, and for how long -- then sends it back to the HTC mothership.  HTC has some use for this -- we figure it's to help see how to improve the next versions of HTC Sense.  That's not a bad thing.  If you opt-out, none of the data is sent back to HTC -- but that doesn't mean it's not still collected. 

Here's where it gets sticky.  HTC is collecting and logging data that lots of other apps also can collect, and we like it when they collect it.  Apps like alogcat (useful when everyone is looking for that OTA update link) or Sensorly collect device and network data.  But when you install those apps, you're told up front they are collecting potentially sensitive data.  HTC doesn't need to declare permissions to do this, because it's your operating system that's doing it, and not "just an app."  This data is then stored on your phone in a manner that other apps can get to it instead of being properly sandboxed.  We're not going to say where it's stored, or how to collect it (we don't promote that type of thing here) but the information is out there, ready for anyone else to use, and it's easy enough to get at. You just need to know where to look.  Some disruptive individual could write an app that mines this data, and sends back information to another server.  And after today's news, someone probably will.

What's being collected, and why the sky isn't falling for everyone

The next question you'll ask is "What kind of data is HTC collecting?"  It's not collecting passwords.  It's not collecting the text of any SMS message or IM you're sending.  What it is collecting is data that is unique to your phone (IMEI and device ID), your account names, geo-location, and phone numbers from your call logs.  If you're technically inclined, run a logcat locally to get an idea of the type of data that's available -- this is the kind of information HTC is storing.  How sensitive you consider this type of data to be is something for each of us to decide.  Nobody can steal your bank password here, but they can know where you were the last time you used your GPS, and identify the device that did it.

So how to fix it?  Well, you can't if you're not rooted.  This is all part of your phone's operating system, but it is a part that can easily be removed if you have the right permissions to remove it.  Head into the forums and look for the threads that are already there about it, or start a new one if you don't see one.  The advisers and senior members will be happy to guide you along if you want to take matters into your own hands.  If you're not feeling the whole root thing, just be careful what apps you install until HTC fixes the issue.  We hope that's soon.

The short, short version

HTC is collecting usage and system logs locally, as in on your phone.  They're stored in a way that other apps can possibly access, so those apps no longer have to collect the data from the system in the normal way, properly declaring that they're doing so in the process.

Is this the end of the world?  Probably not.  And we're willing to bet this isn't a malicious act on HTC's part. But it certainly does raise a few eyebrows.

And it's something HTC needs to fix, and soon.


AT&T has announced that they are working on a new solution for mobile security issues, partnering with Juniper Networks and offering a new security application.  Available later this year, the app will address some key concerns for both the enterprise and consumers.  A bullet point look at the application's goals:

Businesses and Organizations

  • Maintain compliance with government regulations
  • Enforce security policies
  • Manage personal or enterprise-owned devices
  • Enable anti-virus, anti-malware, and application monitoring and control

Consumers

  • Protect mobile devices with anti-virus, anti-malware, and application monitoring and control

With the global growth of smartphone adoption, targeting the mobile space has become popular among unsavory types, and it makes sense to see carriers trying to slow the growth of malware and other security concerns.  AT&T Chief Security Officer Ed Amoroso details AT&T’s approach in a short video, which we've embedded after the break, along with the full press release.


Based on information collected from more than 700,000 applications installed on more than 10 million devices, the folks at Lookout have released their first Mobile Threat Report.  This data shows that the threat of coming across malware has increased by as much as 250 percent in the past six months.  We want to make it clear that the huge majority of Android applications, both in the official Market as well as other sources, are completely legitimate and built by honest, hard-working developers -- but malware, spyware, and various nasty bits of code are out there.  We've seen them out there, both real issues and overblown ones.

Now, it is certainly to the advantage of a company involved in mobile security to report this kind of situation, but it's always best to know exactly what we are facing out there in the wild internet.  That's where Lookout's Mobile Threat Report enters the picture, explaining the different types of security issues users are likely to come up against, and offering information about how to protect yourself against them.  Armed with this information, and a smattering of old-fashioned common sense, you'll be better able to make the right decisions.  Hit the break to see Lookout's press release, and visit the source link to read the Mobile Threat Report in its entirety.

Source: Lookout


From the folks who brought you Vipre Antivirus for Windows, Vipre Mobile for Android is now available for public beta testing.  Along with the standard functions you would expect from a security application, Vipre offers some parental controls and some unique methods to block messages containing phrases or words deemed undesirable.  Here's how they describe the features in a weekly newsletter sent out to current users of their PC software:

Antivirus: VIPRE Mobile's powerful Antivirus protects your data and privacy
from malicious software that can affect your Android device's normal
operation - or worse, steal or destroy personal information.

Antispam: Spam is not only annoying, it may contain malicious links. Antispam
stops texting spam from hitting your phone, blocking by content or by
specific phone numbers.

AppControl: You may want to show off your phone or maybe a friend needs to
make a call. But there are some applications that you just don't want anyone
else to run like personal email, or online financial programs. With
AppControl, you can control what applications can be run on your Android
device with or without permission.

Remote Locate: Ever want to know where your children are? With VIPRE Mobile
you can track their Android phone or device on a map from the VIPRE Mobile
website. You can even follow its location, showing you where it's been over a
period of time.

Remote Wipe: If your device is ever lost or stolen, you can easily remotely
wipe its contents so that no one will be able to see your personal
information.

Remote Alarm: How many times have you asked "Where did I leave my phone?"
Just go to the VIPRE Mobile website and set the remote alarm and your device
will emit a very hearable and loud tone.

Backup: Maintain and protect your vital contacts, pictures, videos and other
personal items safe on our secure online servers. If your device is ever lost
(or you buy a new one and want to transfer your data), just click one button
to bring it all back. You can also backup your data to an SD card.

Monitoring: Parents can keep an eye on all your child's phone activities
including IM chats, websites visited, and call logs.

Anti-sexting: Block inappropriate texts of a sexual nature from being sent or
received. The online world is not always the safest place, keep your children
safe.

Anti-bullying: Cyberbullying has become epidemic and can cause potentially
painful emotional harassment to children. Our cyberbullying feature looks for
abusive bullying language in texts and blocks it.

Parental Controls: From the website you can easily enable or disable web
browsing, email, texting, phone calls or texting while driving, or simply set
time restrictions when it's appropriate to use these features.

I'm sure many parents out there will be interested in a bit more control over what their kids are doing with an Android smartphone, and it looks like Vipre is trying to fill that need.  As mentioned, the application is currently in an open beta, so like all other things beta there may be bugs.  If you're feeling brave and want to check it out, hit the source link for more details and a download (Android 2.2 or higher). 

Source: Vipre Mobile. Thanks, Jimbo5000!


As the adoption of Android continues, the number of people looking to use their Android devices in enterprise environments is increasing along with it. T-Mobile and Good Technology have now teamed up to bring enterprise-class security to business customers on Android through Good for Enterprise. Through the agreement, T-Mobile business customers now have access to Good for Enterprise on the Galaxy S 4G, the HTC Sensation 4G, the T-Mobile G-Slate, as well as the Dell Streak 7.

"As more employees start to use personal devices at their places of work, and as more companies adopt Android for business, we want to provide the best services to support their needs," said Britt Wehrman, vice president of B2B marketing for T-Mobile USA. "With Good's solution, now IT administrators can help make sure company information is secure when employees are using T-Mobile's powerful array of Android devices." 

If you find yourself in the enterprise environment, the agreement with T-Mobile could be just the thing you need to have your employer welcome Android into their systems. Looking for the full details? You'll find them past the break in the press release.
