Google Minus and Project Strobe

After 7 years of effort, Google has decided that enough is enough for Google+.  The tech giant has admitted that its entry into the social media marketplace failed. As both a business decision and a safety concern, it has decided to take Google+ off the web and focus on other things.

Project Strobe

Security has been at the forefront of everyone’s minds this year as privacy scandal after privacy scandal has surfaced.  Facebook’s Cambridge Analytica scandal made us hyper-aware of how much data is exposed to third parties.  In an attempt to combat privacy issues, Google launched Project Strobe.  It’s a root-and-branch review of third-party developer access to Google accounts and Android devices.  Essentially it’s a research project to check up on how secure everyone’s information really is.

The findings: not the best.   Today Google announced four key findings from the project along with steps to remedy each.

1. There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

Google+ had a pretty serious bug in it that exposed user data to third-party applications that didn’t have proper access.  Google says that there is no evidence anyone else found this out before they did (hard to be sure).  Combined with the lack of adoption among users, the end result has been to remove Google+ entirely.  I don’t think anyone is too upset at this move, and it’s probably for the best that Google diverts its time towards new innovations.

2. People want fine-grained controls over the data they share with apps

When you download a new app that performs certain functions, it may need permission to do so.  Whether that’s accessing your camera to take a picture or seeing your contacts so that it can share a picture with others, apps can’t do these things until you let them.  This is a big plus for Android security, but unfortunately sometimes it’s not organized well enough.

There are some permissions that are grouped together when presented to a user, and this can potentially be a problem.  If you want an app to do one thing you shouldn’t have to grant it 3 permissions, yet this is sometimes how things are organized.  Google has announced it will be launching more granular account permissions that show an individual dialog box for each.  Maybe a little more frustrating for relaxed users, but definitely a win for security.

3. When users grant apps access to their Gmail, they do so with certain use cases in mind

To correct the security issue of third parties abusing contact information, Google is limiting what kinds of apps are allowed to access Gmail data.  The only apps allowed will be those that are “directly enhancing email functionality”.  Basically, if there’s no real reason for your app to need to write an email, it’s banned.

4. When users grant SMS, Contacts and Phone permissions to Android apps they do so with certain use cases in mind.

3 and 4 are pretty similar to one another, but this finding takes things past email and into the phone and contacts.  Google is limiting how many apps will be allowed to access this information.  In addition, contact interaction data will no longer be available via the Android Contacts API.

The bottom line is that Google did a security sweep and decided a few things needed to change.  It seems that these changes are proactive, which is always a good thing, but if you’re one of the world’s Google+ users then I’m sorry you have to say goodbye.  For everyone else these changes should be nothing but good as security continues to improve.

What are your thoughts on Project Strobe?  Let us know in the comments below!

 

The Man In The Disk

If you’ve ever taken an introductory class on cyber security (or if you’ve explored the topic on your own), then you’re likely familiar with the term MITM.  Man-In-The-Middle attacks are security breaches where a 3rd party butts its way in between two parties attempting to communicate.  Obviously, this is not an ideal situation for either party, and a new variation of MITM is taking Android users by storm.

MITD

Man-In-The-Disk (MITD) is the name that’s been flying around the past few days.  But before we get into its details, let’s discuss a little more of what MITM attacks entail.  A MITM attack is when an unknown party inserts itself between the two trying to communicate.  When this is done that malicious party is able to spy on the conversation happening.  Even worse, they might alter what is being sent.

As an example let’s picture an everyday conversation between two friends.  Person 1 and 2 are talking to one another about their plans for tonight.  And let’s say person 3 is bitter they didn’t get invited.  Person 1 might send 2 a message online asking “Want to meet up at 8?”, but 3 intercepts it, changes it, and then forwards the newly modified message to 2.  Now when 2 opens the message it instead says “On second thought there are cooler people I’d rather spend my time with”.  (A riveting example, right?)

The idea is simply that a 3rd party can both invade and modify conversations between clients and servers.  And a lot of the time the invasion can be a lot more critical than hurt feelings.  MITM attacks can be avoided by taking proper precautions such as certificate pinning.  But that deserves a whole post of its own.

So How Does It Happen?

MITD attacks are a specific type of MITM that takes advantage of careless storage on users’ phones.  MITD attacks can allow 3rd parties to access information that is stored on an Android device’s external storage.  This is something that many apps don’t use, but researchers at Check Point recently found that many app developers (including Google itself) are not following the recommended security precautions for avoiding this vulnerability.

There are a couple of different methods for storing information in Android apps.  Android’s developer website has a good page laying out the differences between them.  If you want to go deeper into when using each is appropriate, PhonLab covers this in its Android Development Course.   For the most part Android security is very sound due to sandboxing.  This is the idea that each app silos its information and only makes it available to others if either the user allows it or both apps are on board for sharing.

External Storage

External storage is essentially a part of the device’s storage card that is shared by all applications. Google suggests that developers should add extra validation if apps utilize this storage functionality.  And unfortunately it seems that a lot of apps currently aren’t doing this.  Because apps often put incoming data in external storage first, data coming in to the phone may be subject to MITM attacks before it even reaches the app meant to use it.
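The "extra validation" above, as an added example written for this post rather than code from the post, Google or Check Point: an app reads a file that was staged in shared external storage, checks it against a SHA-256 digest that reached the app through a channel other apps cannot write to (the APK itself or a TLS response), and only uses the bytes that passed the check. It assumes such a trusted digest is available; a JDK temp directory stands in for the device's shared directory (Context.getExternalFilesDir on Android), and the payload and the "other app" that tampers with it are constructed for the demo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Optional;

public final class ExternalStorageGuard {

    private static final String HEX = "0123456789abcdef";

    /** Hex SHA-256 of a byte array (SHA-256 is mandatory on every JVM). */
    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(HEX.charAt((b >> 4) & 0xF)).append(HEX.charAt(b & 0xF));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /**
     * Read the shared file ONCE into memory, verify the in-memory copy, and hand
     * back only that copy. Re-reading the file after the check would reopen the
     * window in which another app with write access to external storage can
     * swap the contents, which is exactly what a man-in-the-disk attack exploits.
     *
     * @param sharedFile        file in the shared external storage area
     * @param expectedSha256Hex digest obtained from a source other apps cannot modify
     */
    static Optional<byte[]> loadVerified(Path sharedFile, String expectedSha256Hex) throws IOException {
        byte[] contents = Files.readAllBytes(sharedFile);
        byte[] actual = sha256Hex(contents).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedSha256Hex.getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time.
        if (!MessageDigest.isEqual(actual, expected)) {
            return Optional.empty();
        }
        return Optional.of(contents);
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for the device's shared external storage directory.
        Path shared = Files.createTempDirectory("fake-external-storage");
        Path staged = shared.resolve("plugin.bin");

        // Constructed payload: what the app's own server legitimately sent.
        byte[] genuine = "plugin-v2: hello".getBytes(StandardCharsets.UTF_8);
        // On a device this digest would arrive with the download over TLS;
        // computing it from the genuine bytes stands in for that trusted channel.
        String trustedDigest = sha256Hex(genuine);

        Files.write(staged, genuine);
        System.out.println("genuine file accepted:  " + loadVerified(staged, trustedDigest).isPresent());

        // Constructed tampering: another app overwrites the staged file before we use it.
        Files.write(staged, "plugin-v2: evil".getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered file accepted: " + loadVerified(staged, trustedDigest).isPresent());
    }
}
```

The important design point is in loadVerified: the bytes that were verified are the bytes that get used. Verifying the file and then reopening it from the shared location, or storing the expected digest in the same shared directory, would leave the check defeatable by any app that can write to external storage.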

Ironically Google was not following this advice either.  Since the report came out they’ve addressed the places where they were falling short, but it seems many other apps have made the same mistake and will be named after they correct their issues.

In conclusion, there is a security scare going around for Android apps, but don’t overhype it.  If developers take the proper precautions to prevent MITM attacks (something Google explains how to do on its developer site) then this danger fades away.  Security is an ever-changing field, but this breach is one that can be easily avoided if developers do their due diligence.

 

Improved Security Or Less Freedom? APK Updates

Earlier this week a small change rolled out to the Google Play Store.  It’s one that you likely won’t even notice, but for those who have, it’s tough to decide whether the shift is good or bad.  What change?  Just a small string of metadata for apps.

Google is adding a security string of metadata to all Android APKs (the file format Android apps are stored in).  This string will come along with the usual app and be used to verify that apps are distributed through the Play Store or another approved channel.

But why?

The reasoning is (of course) security.  Users will be able to verify that the apps they’re downloading aren’t malicious apps seeking to wreak havoc on their system.  There are plenty of apps that have posed as secure-looking everyday apps when in reality they were doing other things under the hood (such as mining bitcoin).  This new metadata will supposedly help catch apps like this and ensure that any apps users are downloading are coming from a safe place.

We’ve talked before about how Android apps are pretty secure through their information silos.  Apps must use a content provider/resolver to access information from one another, and in order to get access to your sensitive information (contacts, messages, pictures) apps are required to request permissions that must be explicitly granted by the phone’s owner.  That being said, it’s still not a good idea to go around downloading every app you can just for the heck of it.  Security should not encourage reckless behavior.

So what’s the issue?

So why the controversy?  If this new string of data will help keep our phones more secure why could people be opposed to it?  Well the new string is essentially DRM (Digital Rights Management).  As with media services, there’s potential for companies to abuse DRM to choose how and when you use their product.

Let’s say for example you download an app and like it the way it is.  A new update comes out and you hear horrendous things about it, like it makes an ad pop up every 5 seconds (a terrible marketing strategy).  Naturally you would try to hold off on updating to this new version as long as possible.  Well, with DRM it might be difficult or impossible to tinker with the app to remove ads, and a developer could potentially force you to update to the new version by altering the metadata.  It’s a win for mobile app security, but it also invites misuse.

It’s not easy to say if this is a big deal or simply a step in the right direction for security, but it also hasn’t been in the limelight for long.  What are your thoughts on this change coming to apps?  Let us know in the comments below!

 

 

Keeping Your Keys Safe

At some point in your app development career, you’ll create an app that has secrets.  By this I mean there will be keys inside that you want to keep secure from prying eyes.  If someone else gets a hold of your private info, the results could be disastrous (or expensive).

Let’s say your app uses Amazon Web Services and your monthly bill runs about $350. That’s fine because you’re making the money back through app usage.  That is, until a 3rd party gets hold of your secret key and decides to use it for their own purposes.  Then when your next bill comes due you find that you’re being charged $50,000.

Not an exaggeration.  This exact scenario actually happened.  So the lesson is painful but memorable: secrets should be kept secret!  Let’s use this blog to talk about a couple ways people tend to store their keys and what you should avoid.

Avoid pushing keys to GitHub:

I’ll start with what may sound obvious.  That site that you put all of your code onto so that people can publicly view it?  Yeah, don’t put your secret keys up there.  This sounds obvious, but recent studies have shown thousands upon thousands of keys are available on public git repositories.  It’s possible you’re using a free service and don’t care, but if you’re being charged even a dollar for the service you’re using, keep it close to your heart.
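As an added example (not the post’s own code), here is the kind of pre-commit check that catches this mistake before a push ever reaches GitHub: it scans the lines of a staged file for credential patterns and refuses the commit if any are found. The sample source lines are constructed; the AWS access key ID in them is the placeholder value AWS uses in its own documentation, not a live credential; the rule set is deliberately tiny, where tools such as git-secrets or gitleaks ship much larger ones; and the `secret-scan:ignore` marker is a convention assumed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SecretScanner {

    /** One detection rule: a name for the report and the pattern that triggers it. */
    private static final class Rule {
        final String name;
        final Pattern pattern;
        Rule(String name, String regex) {
            this.name = name;
            this.pattern = Pattern.compile(regex);
        }
    }

    private static final List<Rule> RULES = List.of(
        // AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics (documented AWS format).
        new Rule("aws-access-key-id", "\\bAKIA[0-9A-Z]{16}\\b"),
        // Something named like a credential assigned a quoted literal of 8+ characters.
        new Rule("hardcoded-credential",
                 "(?i)(api[_-]?key|secret|password|token)\\s*[:=]\\s*[\"'][^\"']{8,}[\"']"),
        // PEM private key headers never belong in a repository.
        new Rule("private-key-block", "-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
    );

    /** A hit: line number, rule name, and a redacted preview (never the full secret). */
    public static final class Finding {
        public final int lineNumber;
        public final String rule;
        public final String redacted;
        Finding(int lineNumber, String rule, String redacted) {
            this.lineNumber = lineNumber;
            this.rule = rule;
            this.redacted = redacted;
        }
        @Override public String toString() {
            return "line " + lineNumber + " [" + rule + "]: " + redacted;
        }
    }

    /** Scan the lines of a file about to be committed and report every rule that fires. */
    public static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            // Explicit, reviewable opt-out for a known false positive.
            if (line.contains("secret-scan:ignore")) {
                continue;
            }
            for (Rule rule : RULES) {
                Matcher m = rule.pattern.matcher(line);
                if (m.find()) {
                    String hit = m.group();
                    String preview = hit.substring(0, Math.min(6, hit.length())) + "****";
                    findings.add(new Finding(i + 1, rule.name, preview));
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample of a staged Java source file. The AWS key ID is the
        // placeholder from AWS documentation, not a real credential.
        List<String> staged = List.of(
            "String endpoint = \"https://api.example.com/v1\";",
            "String awsKeyId = \"AKIAIOSFODNN7EXAMPLE\";",
            "String password = \"correct-horse-battery\";",
            "-----BEGIN RSA PRIVATE KEY-----",
            "String apiKey = System.getenv(\"API_KEY\");",
            "String token = \"not-a-secret\"; // secret-scan:ignore"
        );
        List<Finding> findings = scan(staged);
        findings.forEach(System.out::println);
        if (!findings.isEmpty()) {
            System.out.println(findings.size() + " finding(s): refusing the commit");
            System.exit(1); // a non-zero exit from a pre-commit hook blocks the commit
        }
    }
}
```

Run from a git pre-commit hook over each staged file, a non-zero exit blocks the commit. The line that reads the key from System.getenv is the pattern to aim for: the value lives outside the source tree, so there is nothing for the scanner (or GitHub) to find.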

Storing keys as basic Strings:

DON’T DO THIS!  Storing a key as a simple string is just asking for trouble.  There are a couple of issues behind this, but first and foremost is that it’s incredibly easy to access.  If you read our primer on reverse engineering apps then you know that it’s possible for 3rd parties to decompile your app and look at its code in its (almost) original form.  Storing a key as a string means the hacker just has to glance over your code and look for something that looks like a key.  Then it’s theirs and they can do what they want until you change it.

Defining keys in build.gradle:

This is better than storing your keys as Strings in any old file, but the end result is unfortunately similar.  A lot of people put their keys in build.gradle so that they are generated into the BuildConfig class of your app.  The bright side is your gradle file isn’t decompiled along with the rest of your app, so secrets are safe in there.  The downside?  Well, that BuildConfig class they were just generated in isn’t as secure.  Again, our Strings are exposed in a very simple-to-access way.

Securing keys with Android NDK:

Let me take a second here to say something important: There is no such thing as absolute security.  If you’re going to have a secret in your app, all you can truly do is make it incredibly difficult to find.  Take the proper precautions to keep things safe, and a hacker will have to decide if it’s worth the time/energy to get to whatever is hidden.

With that said, the Android NDK (Native Development Kit) lets us use C and C++ code with Android.  Why would we want to do this?  Well, for starters, native libraries can’t be decompiled back to readable source the way Java bytecode can, so the information inside is a lot harder to find.  There are ways to access this code all the same, but we won’t go into them here.  It’s not perfect, but this will throw quite a few entry-level hackers off your tail.

Make your code complicated:

This one again goes to what I said earlier about complete security.  It won’t happen, but you can make a hacker’s life hell by making your keys as hard to read as possible.  Let’s take a very basic example:  If your key was 123456, instead of storing that, you could build it by concatenating the strings “12”, “34”, and “56”.  How you break this up depends on how creative you can get, but there really isn’t a limit.  It just means more work for you both upfront and down the road to ensure you understand everything your code is doing.

Keeping keys safe is crucial for a large app’s success, so you need to take precautions to avoid disaster.  If you have any suggestions for great ways to hide Strings inside your app let us know in the comments below!

Android Security Is Still Secure. Seriously.

There’s been a lot of media hype this past month about Android phones and their lack of security.  Headlines such as “How Android Phones Hide Missed Security Updates From You” have been floating around causing mass panic.

Take a deep breath.  It’s ok.

Despite the plethora of recent articles claiming that Android phones are under attack and that you’re a victim, chances are you’re actually safer than you think.  Yes there was a study earlier this month that found some phones were behind on their security updates.  But that doesn’t mean that all of your data is exposed to whoever wants to take it.  Even with a few security updates missing, you should be alright.  Let’s take a second to discuss some of the other security features that Android architecture has in place to protect you:

Google Play Protect

Google Play Protect is a safeguard to protect Android users from malicious apps.  Even with Google’s screening process to let apps onto the Play Store, chances are some baddies will slip through the cracks and are available for download.  Google Play Protect attempts to stop these apps in their tracks by doing routine scans on your phone for every app even after it’s been installed.  If there’s a cause for concern detected, you’ll be notified. 

This software also applies to app updates, so the short version is that apps can’t just slide by once. As long as you have Play Protect enabled on your phone, apps are continuously exposed to it.  Chances are your phone already has Play Protect, but if you want to be sure (or just see what it’s been up to) you can find it in the Play Store.  Open the store and then tap the 3 horizontal bars menu icon.  Then select “Play Protect” and you’ll be taken to a page showing what apps have been scanned recently and how your device looks.

Sandboxing

Android apps are naturally sandboxed from one another.  What this means is that each app’s data and code execution is isolated from the others.  So if you happen to download the wrong app it doesn’t mean it will automatically have access to all of the apps already on your phone.  We go into depth about the Android security framework in our Android development course over at Phonlab.  Content Providers offer a storage mechanism for apps so that their information has to be requested before it can become accessible to just anyone.

Android permissions work alongside this so that, as long as you use some common sense, you should be safe.  Permissions are essentially requirements: if an app utilizes a certain feature (such as syncing with your contacts) it has to be granted permission by the user.

These permissions are presented to a user when the app attempts to access them, and are only allowed when the user says so.  You retain complete control over what access an app has.  Imagine you downloaded a game and it started asking you for access to your contacts and your saved media files.  Red flags should be going up right away since a game has no reason to use these.  As long as you don’t blindly hit accept to every permission, you retain a ton of control over what an app can actually do.

What are your thoughts on Android’s security measures?  Let us know in the comments below!

Android P Privacy, Personality, and Pistachios


Android P

It seems like just yesterday Android Oreo began rolling out to devices, and even now only 1% of Android phones are running it.  Yet despite Oreo’s youth, rumors have already begun spreading about what’s up next in the newest release.   Internally known as “Android Pistachio Ice Cream”, Android P is close on the horizon.

Information leaked via Bloomberg has provided some insight into Android’s next release, and the changes are both expected and somewhat out of left field.  Software features such as Google Assistant are being ramped up to become a more integral part of the interface. On the less predictable end, it seems Android P will revolve heavily around a new “notch” similar to that in the iPhone X.  This seems to be a marketing strategy aimed at converting iPhone users to team Android, but without knowing more about notch details it’s hard to say how impactful this design change will be.

Google Assistant

On a much more interesting note for developers and practical users, Google Assistant appears to be one of the primary focuses of growth.  This emphasis will likely open all sorts of new possibilities as Android finds ways to not only build out Assistant as a standalone, but to incorporate it into other apps!

Assistant already has high quality performance for asking questions and managing smart-home devices, but incorporating it into 3rd party apps opens a whole new door for creativity.  By opening Assistant up to third-party developers (like Amazon has with Alexa), we could see some groundbreaking apps come into being with voice commands.  Obviously fun from a development standpoint, and users would be empowered to do a whole lot more than just google something or ask to hear a joke.

Privacy

Another welcome addition is privacy.  As it currently stands, when an app is granted camera/microphone recording permission by the user it can turn these on as it pleases.  Not ideal.  Recent code submissions show that Android P plans to work through this issue by blocking background apps from accessing a device’s microphone or camera.  Whether or not you’re the type to sticky-note your camera, this is most definitely a win for privacy.

Android P (any love for popsicle?) will make its debut in 3 months at Google’s annual I/O developer conference, and even then it will be a long way off from gaining a large market share of devices, but stay tuned and we’ll be sure to dive deeper into what it has to offer for both developers and users.

What are your thoughts about the new features coming to Android P?  Please comment below.

 

Phonlab E-Campus Free Course


Phonlab E-Campus free Chromebook Support course

I have been working with Phonlab for many months now and we decided to bring everyone a FREE course on Chromebooks to help techs and repair shops troubleshoot and fix customer devices. If you want to get access to this FREE course just head over to Phonlab.Teachable.com and enroll. Once you enroll in the Chromebook Support course you will have access to all the lessons. We hope you enjoy them, and if you find them handy you may want to check out Phonlab E-Campus where we cover smartphone repairs and security.  Phonlab has just added our own tool called MotoReaper, and it can remove the FRP (factory reset protection) lock on any Motorola device on the market today. It is an amazing tool and all students at Phonlab E-campus get access to this tool. We hope to see you there, so join us and be the future of mobile today.

 

RootJunky

 

Anti-Hacking Tools for Android – 2017 Guide

Android officially has the largest market share in the smartphone world, and there are almost 1.5 billion people who use an Android smartphone or tablet. This speaks volumes about the quality and affordability that Android offers its users, but there are also problems and liabilities that always come with using widely popular brands.

Security is frequently one of the questions that come with using Android and this topic is always a matter of interest, especially if you’re using your Android devices for your work and some form of confidential data manipulation. We’ve decided to talk about anti-hacking tools that can make the breach of your security much more difficult for cybercriminals. In 2017, you can expect that there will be lots of new viruses and malware to look out for, so here are some tools to help you along the way.

AppLock

We all love using apps and while they’re incredibly useful, they can also serve as the back door through which hackers slither in unnoticed. Too many people are still not careful enough about what they’re installing on their devices and whether those apps come from trusted sources, and therein lies the problem. One way to put a stop to this problem (even potentially) is to secure your phone with an app that is specifically designed to lock all other apps. While your lock screen only protects you from outside attacks, it doesn’t do much for anything going on inside your phone, and this is where AppLock takes center stage.

Once you’ve downloaded it, you are free to lock any app you feel should be protected – anything from Facebook to your email and bank accounts. By using this app, you’re making sure that no one but you will be able to touch your private information plus you will limit the access that apps have in your device, so you’re killing two birds with one stone.

Use a High-Quality Password Manager

Seeing that practically everything on the internet has to be protected by a password, you need to do your best to keep this aspect of your security in check. This isn’t necessarily easy, because you need strong passwords for every account you have, and that means complex words usually concocted with numbers and special characters. If this sounds like a lot of work, well, it is, but thankfully, you don’t have to keep it all in your head. There are some very good password managers like Zoho, LastPass and RoboForm that will do an excellent job in managing passwords for your numerous accounts. Not only that, but a password manager worth its salt will suggest how to make your passwords more secure and give you additional tips on how to protect your privacy even more. You are also able to keep in check any personal information you have and protect your usernames as well.

Encrypt Everything with a VPN

Privacy when you’re using your Android device is equally important as when you’re using your desktop computer or laptop, though we often forget this. Smartphones are quite vulnerable to security breaches and one of the best ways to prevent that from happening is to encrypt both the data on your phone and your internet connection. Whenever you’re connected to a public network, you’re in danger of catching a virus or having a hacker on your tail, and virtual private networks simply erase this problem. Good VPN providers like Nord VPN can provide you with military level encryption for your Android device, so that hackers can’t harm your privacy in any way. Talking about anti-hacking tools, when you want to encrypt some very important files on your device, there are great encryption apps that you can use and that are also free, so that you don’t have to spend a lot of money on your Android security.

Use Security Software You Know Is Good

Long gone are the times when you could just pick any antivirus and be set when it comes to security. Android devices need to be protected with strong antivirus software because while it’s the most versatile platform, it is also the most prone to small, pesky security issues like spyware and viruses. Depending on what kind of internet user you are and how much sensitive information you’re managing on your device, you need to find an antivirus that suits your needs. Sure, there are some great free versions like Avira, Avast and Panda, but if you need stronger security that includes anti-spam, anti-malware and a functioning firewall, then you will have to pay to get all-encompassing protection. You may not pay it gladly, but online security is scarce these days, and paying a couple of bucks a month is more than acceptable for the peace of mind you’re getting in return.

Get Email Encryption Software

Email scams are still very much a thing, even though many of us believe that we wouldn’t fall for that. While you’ve got your security software to protect you against spamming and phishing, it would be wise to encrypt your emails in general. A lot of sensitive details are conveyed via email and chances are you don’t want your mail to get into the wrong hands. If hackers get into your email, they can take advantage of your address book and spam all your friends and colleagues, which never ends well. Software like Data Motion and HP Secure Wall have proven their worth over time, which is why it’s worth giving them a shot.

Anti-hacking tools for Android abound these days and all you have to do is take your pick. Of course, it’s very important for you to be wary as well and know what not to do when browsing the internet because no anti-hacking tool will help you unless you always remain security aware. What apps and security software do you use? Please comment and share your opinion. – Thomas Milva

 

Thomas Milva is 28, lives in Baton Rouge and is a dedicated Information Security Analyst, which is why he moved to Baton Rouge, where he lives now and loves it.  He’s got Italian ancestry and is very fond of his pets, Reggie the dog and his two goldfish. Thomas mostly works from home, which is why he’s contemplating adopting another dog.

 

Quadrooter Qualcomm Exploit

QuadRooter sounds like another serious Android security exploit, one which can apparently allow a malicious app to gain root access on Qualcomm-based Android phones and tablets, enabling the app to then do pretty much what it pleases. According to Check Point, the research group that discovered QuadRooter, up to 900 million Qualcomm Android devices could be affected. This exploit targets the Qualcomm drivers, which is why it is specific to this hardware. As of the August 1st security update Google has patched 3 of the 4 vulnerabilities and will patch the last one in the September 1st update. To keep your device safe from these bugs it is always best to stay on top of your security updates. One of the best ways to protect your phone from malicious software is to only download apps from Google Play or trusted sources.


If you want to check and see if your device could possibly be vulnerable to this threat then you can download and run QuadRooter Scanner by Check Point. Personally I am hoping that a developer can figure out this exploit and use it to get many Android users root access. I am sure someone can create an app that gets root then injects SuperSU and the su binary into the device. If you are hoping for the same I recommend not updating to new security patches and giving the developers some time to get devices root access.

I wouldn’t be surprised to see this QuadRooter vulnerability implemented into the Kingroot app some time soon, as it would make their app unstoppable on Android devices. What do you think about this bug? Please comment below and let me know.

RootJunky