Google Minus And Project Strobe


After 7 years of effort, Google has decided that enough is enough for Google+. The tech giant has admitted that its entry into the social media marketplace failed. As both a business decision and a safety concern, it has decided to take Google+ off the web and focus on other things.

Project Strobe

Security has been at the forefront of everyone’s minds this year as privacy scandal after privacy scandal has surfaced. Facebook’s Cambridge Analytica scandal made us hyper-aware of how much data is exposed to third parties. In an attempt to combat privacy issues, Google launched Project Strobe. It’s a root-and-branch review of third-party developer access to Google accounts and Android devices. Essentially, it’s a research project to check up on how secure everyone’s information really is.

The findings: not the best. Today Google announced four key findings from the project, along with steps to remedy each.

1. There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

Google+ had a pretty serious bug that exposed user data to third-party applications that didn’t have proper access. Google says there is no evidence anyone else found this before they did (hard to be sure). Combined with the lack of adoption among users, the end result is that Google+ is being removed entirely. I don’t think anyone is too upset at this move, and it’s probably for the best that Google diverts its time towards new innovations.

2. People want fine-grained controls over the data they share with apps

When you download a new app that performs certain functions, it may need permission to do so. Whether that’s accessing your camera to take a picture or seeing your contacts so that it can share a picture with others, apps can’t do these things until you let them. This is a big plus for Android security, but unfortunately it’s sometimes not organized well enough.

Some permissions are grouped together when presented to a user, and this can potentially be a problem. If you want an app to do one thing, you shouldn’t have to grant it three permissions, yet this is sometimes how things are organized. Google has announced that it will be launching more granular account permissions, with an individual dialog box for each. Maybe a little more frustrating for relaxed users, but definitely a win for security.
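The app-side counterpart of fine-grained permissions is to ask for exactly one permission at the moment the feature needs it, explain why, and keep working when the user says no. The following is an added example, not code from the original post or from Google; the ShareActivity class, its request code and its toast messages are assumptions for illustration.

```java
// Added example (not from the original post): request a single runtime
// permission at the point of use instead of a bundle of permissions up front.
// ShareActivity and REQ_READ_CONTACTS are assumed names for illustration.
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class ShareActivity extends Activity {
    private static final int REQ_READ_CONTACTS = 1001;

    // Called when the user taps "share with a contact". Only READ_CONTACTS is
    // requested here; a camera permission, if the app needs one elsewhere, is
    // requested separately when the user actually takes a picture.
    void onShareWithContactTapped() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED) {
            pickContactAndShare();
            return;
        }
        if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.READ_CONTACTS)) {
            // The user declined before: explain why this one permission is needed.
            Toast.makeText(this, "Contacts access is used only to pick a recipient.",
                    Toast.LENGTH_LONG).show();
        }
        ActivityCompat.requestPermissions(this,
                new String[] {Manifest.permission.READ_CONTACTS}, REQ_READ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_CONTACTS) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            pickContactAndShare();
        } else {
            // Denial is a valid outcome: fall back to a path that needs no contacts access.
            Toast.makeText(this, "You can still share by typing an address manually.",
                    Toast.LENGTH_SHORT).show();
        }
    }

    // Reads contact names through the Contacts content provider; this query is
    // what actually requires READ_CONTACTS.
    private void pickContactAndShare() {
        String[] projection = {ContactsContract.Contacts.DISPLAY_NAME};
        try (Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, projection, null, null, null)) {
            int names = (c == null) ? 0 : c.getCount();
            Toast.makeText(this, names + " contacts available to share with",
                    Toast.LENGTH_SHORT).show();
        }
    }
}
```

The point of the structure is that the permission request is tied to one user action and one capability, so the dialog the user sees matches what they just asked the app to do, and a refusal degrades one feature rather than blocking the app.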

3. When users grant apps access to their Gmail, they do so with certain use cases in mind

To correct the security issue of third parties abusing contact information, Google is limiting what kinds of apps are allowed to access Gmail data. The only apps allowed will be those that are “directly enhancing email functionality”. Basically, if there’s no real reason for your app to need to write an email, it’s banned.

4. When users grant SMS, Contacts and Phone permissions to Android apps they do so with certain use cases in mind.

Findings 3 and 4 are similar to one another, but this one takes things past email and into phone and contact data. Google is limiting how many apps will be allowed to access this information. In addition, contact interaction data will no longer be available via the Android Contacts API.

The bottom line is that Google did a security sweep and decided a few things needed to change. These changes seem to be proactive, which is always a good thing, but if you’re one of the world’s Google+ users then I’m sorry you have to say goodbye. For everyone else these changes should be nothing but good as security continues to improve.

What are your thoughts on Project Strobe?  Let us know in the comments below!

The Man In The Disk

If you’ve ever taken an introductory class on cyber security (or if you’ve explored the topic on your own), then you’re likely familiar with the term MITM. Man-In-The-Middle attacks are security breaches where a third party inserts itself between two parties attempting to communicate. Obviously, this is not an ideal situation for either party, and a new variation of MITM is taking Android users by storm.

MITD

Man-In-The-Disk (MITD) is the name that’s been flying around the past few days. But before we get into its details, let’s discuss a little more about what MITM attacks entail. A MITM attack is when an unknown party inserts itself between the two trying to communicate. When this is done, the malicious party is able to spy on the conversation happening. Even worse, it might alter what is being sent.

As an example, let’s picture an everyday conversation between two friends. Persons 1 and 2 are talking to one another about their plans for tonight, and let’s say person 3 is bitter they didn’t get invited. Person 1 might send 2 a message online asking “Want to meet up at 8?”, but 3 intercepts it, changes it, and then forwards the newly modified message to 2. Now when 2 opens the message it instead says “On second thought there are cooler people I’d rather spend my time with”. (A riveting example, right?)

The idea is simply that a third party can both invade and modify conversations between clients and servers. And a lot of the time the invasion can be a lot more critical than hurt feelings. MITM attacks can be avoided by taking proper precautions, such as certificate pinning. But that deserves a whole post of its own.

So How Does It Happen?

MITD attacks are a specific type of MITM that takes advantage of careless storage on users’ phones. They can allow third parties, such as other apps on the device, to access information stored on an Android device’s external storage. This is something many apps don’t use, but researchers at Check Point recently found that many app developers (including Google itself) are not following the recommended security precautions for avoiding this vulnerability.

There are a couple of different methods for storing information in Android apps. Android’s developer website has a good page laying out the differences between them. If you want to go deeper into when each is appropriate, PhonLab covers this in its Android Development Course. For the most part Android security is very sound due to sandboxing. This is the idea that each app silos its information and only makes it available to others if either the user allows it or both apps are on board for sharing.

External Storage

External storage is essentially the part of the device’s storage, traditionally the SD card, that is shared by all applications. Google suggests that developers add extra validation if their apps use this storage. Unfortunately, it seems that a lot of apps currently aren’t doing this. Because data coming into the phone is often written to external storage first, it may be tampered with before it even reaches the app meant to use it, which is exactly an MITM-style attack.

Ironically, Google was not following this advice either. Since the report came out they’ve addressed the places where they were falling short, but it seems many other apps have made the same mistake and will be named after they correct their issues.
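To make the storage choice concrete, here is an added example of the vulnerable pattern beside the hardened one, plus a validation step for a file that genuinely has to pass through shared storage. It is not code from the original post, from Check Point or from Google; the StagedDownload class, the expected-digest parameter and the trusted channel it is assumed to arrive over (for instance the same TLS response that supplied the download URL) are assumptions for illustration.

```java
// Added example (not from the original post, Check Point, or Google): where a
// downloaded file is staged on Android, and how to validate it when shared
// external storage cannot be avoided. Class and method names are assumptions.
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class StagedDownload {

    // Vulnerable pattern: stage the download on shared external storage and
    // load it from there. Any other app holding the storage permission can
    // rewrite the file between download and use (the "man in the disk").
    // getExternalStorageDirectory() is deprecated on newer Android versions
    // but shown here because it is the location the attack relies on.
    public static File sharedStagingFile(String name) {
        return new File(Environment.getExternalStorageDirectory(), name);
    }

    // Hardened pattern: stage in the app's private internal storage. The
    // sandbox keeps other apps from reading or writing it.
    public static File privateStagingFile(Context ctx, String name) {
        return new File(ctx.getFilesDir(), name);
    }

    // If the file has to pass through shared storage (e.g. a user-chosen
    // download), copy it into private storage first and validate the private
    // copy against a digest received over a trusted channel. Validating the
    // shared copy in place would leave a window in which it can still be
    // swapped after the check but before the app reads it.
    public static File importFromShared(Context ctx, File shared, String name,
                                        byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        File priv = privateStagingFile(ctx, name);
        copy(shared, priv);
        // MessageDigest.isEqual compares in constant time.
        if (!MessageDigest.isEqual(sha256(priv), expectedSha256)) {
            priv.delete();
            throw new IOException("downloaded file failed integrity check");
        }
        return priv;
    }

    private static void copy(File from, File to) throws IOException {
        try (InputStream in = new FileInputStream(from);
             OutputStream out = new FileOutputStream(to)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }

    private static byte[] sha256(File f) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
        }
        return md.digest();
    }
}
```

Two details matter here. The copy happens before the check, so the bytes that are verified are the bytes that will be used; and the expected digest must come from somewhere the other apps on the device cannot write to, otherwise the check proves nothing. Android’s own security guidance also says not to load executables or class files from external storage at all, since no amount of after-the-fact validation makes a shared location a safe source of code.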

In conclusion, there is a security scare going around for Android apps, but don’t overhype it. If developers take the proper precautions to prevent MITM attacks (something Google explains how to do on its developer site), then this danger fades away. Security is an ever-changing field, but this breach is one that can be easily avoided if developers do their due diligence.

Improved Security Or Less Freedom? APK Updates

Earlier this week a small change rolled out to the Google Play Store. It’s one that you likely won’t even notice, but for those who have noticed, it’s tough to decide whether the shift is good or bad. What change? Just a small string of metadata for apps.

Google is adding a security string of metadata to all Android APKs (the file format Android apps are stored in). This string ships alongside the usual app contents and is used to verify that apps are distributed through the Play Store or another approved channel.

But why?

The reasoning is (of course) security. Users will be able to verify that the apps they’re downloading aren’t malicious apps seeking to wreak havoc on their system. There are plenty of apps that have posed as secure-looking everyday apps when in reality they were doing other things under the hood (such as mining Bitcoin). This new metadata will supposedly help catch apps like this and ensure that any apps users download are coming from a safe place.

We’ve talked before about how Android apps are pretty secure through their information silos. Apps must use a content provider/resolver to access information from one another, and in order to get access to your sensitive information (contacts, messages, pictures) apps are required to request permissions that must be explicitly granted by the phone’s owner. That being said, it’s still not a good idea to go around downloading every app you can just for the heck of it. Security should not encourage reckless behavior.

So what’s the issue?

So why the controversy? If this new string of data will help keep our phones more secure, why would people be opposed to it? Well, the new string is essentially DRM (Digital Rights Management). As with media services, there’s potential for companies to abuse DRM to choose how and when you use their product.

Let’s say, for example, you download an app and like it as it is. A new update comes out and you hear horrendous things about it, like it makes an ad pop up every 5 seconds (a terrible marketing strategy). Naturally you would try to hold off on updating to this new version as long as possible. Well, with DRM it might be difficult or impossible to tinker with the app to remove ads, and a developer could potentially force you to update to the new version by altering the metadata. It’s a win for mobile app security, but it also invites misuse.

It’s not easy to say if this is a big deal or simply a step in the right direction for security, and it also hasn’t been in the limelight for long. What are your thoughts on this change coming to apps? Let us know in the comments below!