Google Ups Their Security Ante

Share if the site was helpful

Google Ups Their Security Ante

If you’ve ever been interested in learning more about cyber-security (and are also interested in Android’s) then there’s never been a more enticing offer on the table.  This week Google has officially announced a new top reward for being able to pinpoint a security flaw in the operating system.  Are you hooked yet?  Well, here’s the new figure: $1.5 million dollars!

A Quick History:

Way back in 2015 Google announced the launch of a security rewards program for Android (The one we’ve come to know and love today as it’s improved the operating system). The program covered security vulnerabilities affecting Nexus phones and tablets, and asked individuals to try to find defensive holes.  In exchange for finding one of these you could earn up to $38,000.

This is no small chunk of change, but it’s also obviously a long way away from $1.5 million.  What happened?  Well Android grew in popularity and more security researchers came on board unearthing security flaws.  In fact, from it’s first bug bounty program in 2010 Google was paying over $1 million a year to hundreds of researches who found issues.  So it’s not a complicated story.  Google offers rewards for security help.  People find flaws.  Google makes a more secure environment and ups the ante.  Rinse and repeat.

The $1.5 Million Dollar Man:

Which brings us to the 2019 cap in the program.  Google won’t pay that large a sum to just any bug though.  Their looking for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.”  In simpler terms they want to find a bug that lets a hacker execute code on a device even after it’s been reset and without physical access. 

The Titan M security chip was first introduced in the Pixel 3.  Its job is to oversee security (passcodes, verify firmware signatures, and identify malicious apps).  It’s done a fairly good job and has been carried over into the new Pixel 4. And since it does such a good job security flaws are harder and harder to find.  But that doesn’t mean they aren’t there.  The only way security can get better is by someone figuring out how to hack it.  If you find a hole in your defenses, you know exactly what needs to be patched up.

So the $1.5 million dollar bug is the big one, but it’s not the only reward.  There are plenty of other security flaws that have led to hundred thousand-dollar payouts to dozens of individuals.  If you are interested in learning about Android security, it’s safe to say these prizes are only going to go up, so there’s no time like the present to start!

Google Minus And Project Strobe

Share if the site was helpful

Google Minus and Project Strobe

After 7 years of effort Google has decided that enough is enough for Google+.  The tech giant has admitted to failing its entrance into the social media marketplace. As both a business decision and safety concern they’ve decided to take Google+ off the web and focus on other things.

Project Strobe

Security has been at the forefront of everyone’s minds this year as privacy scandal after privacy scandal has surfaced.  Facebook’s Cambridge Analytics scandal made us hyper aware of how much data is exposed to third-parties.  In an attempt to combat privacy issues Google launched Project Strobe.  It’s a root-and-branch review of third-party developer access to Google accounts and Android devices.  Essentially it’s a research project to check up on how secure everyone’s information really is.

The findings: not the best.   Today Google announced four key findings from the project along with steps to remedy each.

1. There are significant challenges in creating and maintain a successful Google+ product that meets consumer’s expectations.

Google+ has a pretty serious bug in it that exposed user data to third-party applications that didn’t have proper access.  Google says that there is no evidence anyone else found this out before they did (hard to be sure).  But combining this with the lack of adoption among users and the end result has been to remove Google+ entirely.  I don’t think anyone is too upset at this move, and it’s probably for the best Google diverts its time towards new innovations.

2. People want fine-grained controls over the data they share with apps

When you download a new app that performs certain functions, it may need permission to do so.  Whether that’s accessing your camera to take a picture or seeing your contacts so that it can share a picture with others, apps can’t do these things until you let them.  This is a big plus for Android security, but unfortunately sometimes it’s not organized well enough.

There are some permissions that are grouped together when presented to a user, and this can potentially be a problem.  If you want an app to do one thing you shouldn’t have to grant it access to 3 permission, yet this is sometimes how things are organized.  Google has announced they’ll be launching more granular account permissions that will show individual dialog boxes for each.  Maybe a little more frustrating for relaxed users, but definitely a win for security.

3. When users grant apps access to their Gmail, they do so with certain user cases in mind

To correct the security issue of third-parties abusing contact information Google is limiting what kinds of apps are allowed to access Gmail data.  The only apps allowed will be those that are “directly enhancing email functionality”.  Basically, if there’s not real reason for your app to need to write an email, it’s banned.

4. When users grant SMS, Contacts and Phone permissions to Android apps they do so with certain use cases in mind.

3 and 4 are pretty similar to one another, but this other finding takes things past email and into the phone/contacts.  Google is limiting how many apps will be allowed to access this information.  In addition to this Contact interaction data will no longer be available vie the Android Contacts API.

The bottom line is that Google did a security sweep and decided a few things needed to change.  It seems that these changes are proactive which is always a good things, but if you’re one of the world’s Google+ user’s then I’m sorry you have to say goodbye.  For everyone else these changes should be nothing but good as security continues to improve.

What are your thoughts on Project Strobe?  Let us know in the comments below!

 

The Man In The Disk

Share if the site was helpful

The Man In The Disk

If you’ve ever taken an introductory class on cyber security (or if you’ve explored the topic on your own), then you’re likely familiar with the term MITM.  Man-In-The-Middle attacks are security breaches where a 3rd party butts their way in-between two parties attempting to communicate.  Obviously, this is not an ideal situation for either party, and a new variation of MITM is taking Android users by storm.

MITD

Man-In-The-Disk (MITD) is the name that’s been flying around the past few days.  But before we get into its details, let’s discuss a little more of what MITM attacks entail.  A MITM attack is when an unknown party inserts itself between the two trying to communicate.  When this is done that malicious party is able to spy on the conversation happening.  Even worse they might altar what is being sent.

As an example let’s picture an everyday conversation between two friends.  Person 1 and 2 are talking to one another about their plans for tonight.  And let’s say person 3 is bitter they didn’t get invited.  Person 1 might send 2 a message online asking “Want to meet up at 8?”, but 3 intercepts it, changes it, and then forwards the newly modified message to 2.  Now when 2 opens the message it instead says “On second thought there are cooler people I’d rather spend my time with”.  (A riveting example, right?)

The idea is simply that a 3rd party can both invade and modify conversations between clients and servers.  And a lot of the time the invasion can be a lot more critical than hurt feelings.  MITM attacks can be avoided by taking proper precautions and such as certificate pinning.  But that deserves a whole post of its own.

So How Does It Happen?

MITD attacks are a specific type of MITM that takes advantage of careless storage on users phones.  MITD attacks can allow 3rd party users to access information that is stored on an android device’s external storage.  This is something that many apps don’t use, but researchers at Check Point recently found that many app developers (including Google itself) are not following the recommended security precautions for avoiding this vulnerability.

There are a couple different methods for storing information in Android apps.  Android’s developer website has a good page laying out the differences between them.  If you want to go deeper into when using each is appropriate PhonLab covers this in its Android Development Course.   For the most part Android security is very sound due to sandboxing.  This is the idea that each app silo’s its information and only makes it available to others if either the user allows it or if both apps are on board for sharing.

External Storage

External storage is essentially a part of the device’s storage card that is shared by all applications. Google suggests that developers should add extra validation if apps utilize this storage functionality.  And unfortunately it seems that a lot of apps currently aren’t doing this.  Due to prioritization of external storage, data coming in to the phone may be subject to MITM attacks before it even reaches the app meant to use it.

Ironically Google was not following this advice either.  Since the report came out they’ve addressed the places where they were falling short, but it seems many other apps have made the same mistake and will be named after they correct their issues.

In conclusion, there is a security scare going around for android apps, but don’t overhype it.  If developers take the proper precautions to prevent MITM attacks (something Google explains easily how to do on their site) then this danger fades away.  Security is an ever-changing field, but this breach is one that can be easily avoided if developers do their due diligence.

 

en English
X