January 10, 2014 By: Will Verduzco
About a month ago, we talked about a recent study (PDF) stating that most security vulnerabilities on Android are ultimately due to OEM customizations. And surprise, surprise—this can even happen on devices with technologies designed to protect users.
Late last month, security researchers at Israel’s Ben-Gurion University of the Negev discovered a security vulnerability that allowed a user-installed application to intercept unencrypted network traffic. Rather than describing this as a flaw or bug, Samsung labels the vulnerability a classic Man in the Middle (MitM) attack, which could be launched at any point on the network.
Samsung was also quick to state that this type of attack can be thwarted using existing KNOX technology (or the device-wide VPN support in stock Android):
Android development practices encourage that this be done by each application using SSL/TLS. Where that’s not possible (for example, to support standards-based unencrypted protocols, such as HTTP), Android provides built-in VPN and support for third-party VPN solutions to protect data. Use of either of those standard security technologies would have prevented an attack based on a user-installed local application.
KNOX offers additional protections against MitM attacks. Below is a more detailed description of the mechanisms that can be configured on Samsung KNOX devices to protect against them:
1. Mobile Device Management — MDM is a feature that ensures that a device containing sensitive information is set up correctly according to an enterprise-specified policy and is available in the standard Android platform. KNOX enhances the platform by adding many additional policy settings, including the ability to lock down security-sensitive device settings. With an MDM configured device, when the attack tries to change these settings, the MDM agent running on the device would have blocked them. In that case, the exploit would not have worked.
2. Per-App VPN — The per-app VPN feature of KNOX allows traffic only from a designated and secured application to be sent through the VPN tunnel. This feature can be selectively applied to applications in containers, allowing fine-grained control over the tradeoff between communication overhead and security.
3. FIPS 140-2 — KNOX implements a FIPS 140-2 Level 1 certified VPN client, a NIST standard for data-in-transit protection along with NSA suite B cryptography. The FIPS 140-2 standard applies to all federal agencies that use cryptographically strong security systems to protect sensitive information in computer and telecommunication systems. Many enterprises today deploy this cryptographically strong VPN support to protect against data-in-transit attacks.
Now before we start bashing Samsung’s KNOX technology more than necessary, let’s remember that these kinds of attacks can affect non-KNOX devices as well. Furthermore, sending personal data in unencrypted form is simply asking for trouble. If anything, this should serve as a reminder to use encrypted transfers and connections whenever possible and to be wary about where we store and input our data.
January 7, 2014 By: Will Verduzco
Modern Samsung devices generally pack class-leading specifications, great battery life, fantastic screens, and more features than you can shake a stick at. They’re also one of the better OEMs for providing somewhat timely firmware updates on at least their flagship devices.
Arguably, all of this equates to some of the best devices on the market, and you wouldn’t be faulted for thinking that their market share demonstrates this. But one thing that’s a bit harder to argue is the aesthetic beauty of their custom TouchWiz UI. Often the butt of many jokes, the company’s take on the Android UI is a face only the Korean OEM could love. And in its current version, it leaves much to be desired thanks to its childish colors and icons, cluttered interface, and overall outdated appearance.
New leaked screenshots posted by @evleaks show a dramatic shift in their artistic direction, with a flatter UI very reminiscent of HTC’s BlinkFeed. Aside from the similarities to BlinkFeed, the new UI jives much better with Android’s flat and modern UI than the previous releases that seem more at home on Android 2.x.
So will this new version of TouchWiz be your “Life companion?” We’re excited to see anything that makes TouchWiz a little less ugly. Share your thoughts on their new artistic direction in the comments below.
I am, and have always been, an early adopter of a lot of things, particularly when it comes to technology. My cell phone voyage started back in the year 2000 with a Nokia 5110. Back then, only a handful of people had phones, and seeing someone on the street with one was a somewhat rare sight. Nowadays, the same cannot be said. Cell phones have become a massive commodity—one that gets a lot of attention, and certainly one that is likely one of the most profitable industries in the world today (in the tech sector anyways).
Every Joe Schmuck and Jane Doe sport the latest Galaxy devices or one of Apple’s latest iconic iPhones (just to mention a few manufacturers). Sure, they all have a somewhat interesting appeal, and many of them are loaded with more unique functions and capabilities that (in theory) make life a lot easier. However, looking at the overall market and trying to overlay an innovation line through the timeline from the early 2000′s (when Nokia reigned supreme) ’til today, we can easily notice a few trends that are worrying and don’t necessarily correlate with what anyone would expect from “progress” or “development.”
Going back to the very beginning of my article, I mentioned owning a dinosaur of a phone, the Nokia 5110. The device was a jewel, and it did exactly what it needed to do (and far more). The device was relatively cheap to get with a 2-3 year agreement. So, the device manufacturer (again, in this particular case, Nokia) knew that in order to have a good customer base, the devices needed to last that long. After all, not everyone could spend $400-600 USD on a phone upgrade while still being locked in the middle of a contract, nor were they willing to do so either.
Nokia designed the 5100 series with a few crucial engineering concepts in mind: good battery, reliable, easy to service, and durable. I had my device for the length of my contract before I decided to upgrade (mainly due to swapping carriers). I have to admit that it must have been one of the best cell phones I have ever had the pleasure of using. Not because of the usage per se, but rather how the device gave me 0 issues in the course of 3 years of ownership. Needless to say, the thing was built to last, as the body was virtually indestructible (exaggerating a tad here, but it was a tough device). When I upgraded, I went with a Nokia 8210. They had done a good job because with their mindset, they created a device that prompted me to want to see what else they could come up a few years down the line—all that without compromising my ability to enjoy the one I currently had. Ah, those were the days.
Fast forward to 2007 (big jump, I know). The iPhone was released and the (back then) current king of smartphones, Windows Mobile HTC devices and Blackberry, were dethroned. Because of silly mistakes, loads of bugs, and a simple yet effective marketing strategy to get people to buy more, the iPhone 1G sees a successor not much later down the line. Seeing how many other manufacturers were now jumping into the bandwagon, stable and decent cell phone manufacturers saw themselves in dire need to release more products in a shorter timespan. This was primarily done to keep up with their competitors, who were quickly gaining market share due to shorter intervals between new products. The next thing that happened (and still does to this day), new models are released every 6-9 months, each one promising to be “better” than their predecessor(s). This last statement is the cornerstone of this entire article. Why are manufacturers releasing devices that are NOT designed to be the best they have to offer? It isn’t that they develop new tech for newer versions. Rather, they make enough (in)significant changes to the existing one, such that it can be labeled the “next best thing.”Does any of this sound familiar?
I myself am an engineer, as many of you are as well (or studying to become). It honestly makes my blood boil when I consider the engineering teams behind the product development of some of these devices. No longer are devices durable. Rather, they have gone entirely to the other end of the spectrum and have become practically disposable. I simply cannot believe that a $500-1000 USD item becomes “irreparable.” Product design basics dictate that any engineered product is designed to have a certain life expectancy under normal conditions, tear, and wear, and even leave some leeway for accidents. If products need repair, they should be perfectly serviceable by the manufacturer without having to charge the consumer exorbitant amounts of money to get the product back in working order. Needless to say, whenever a phone does break this day and age, sending it in for repairs is a fruitless ordeal due to the fact that more often than not, the device will be deemed as “not repairable” due to directions coming from engineering design teams.
Make the world a better place through the application of science? That is what product engineering should be about. Squeezing every last drop of sweat over your own design and making sure that you put your very best efforts into making something that people will have for years (not months) to come is what every engineering company should strive for. Unfortunately, this was quickly replaced with “ooh, look how shiny this new toy is,” which is then followed by “oh, your old one? pfft That is so 3 months ago…. you won’t get two pennies for it on eBay, and don’t even think about repairing it.”
We as consumers have allowed these companies to throw basic engineering practices out the window so that they can squeeze more juice out of us. Now, I have no issues with companies trying to make money. Hell, that is what they do after all. But when greed takes over your most basic principles, I simply have no sympathy. I still recall our friend XDA Senior Recognized Developer AdamOutler doing an unboxing of the new Droid Razr when it came out. His words have been stuck in my head ever since. “Motorola made this device to be disposable.” Why? What was the point of making the device “disposable?” Why did such an important part of engineering a new product (ease of service) gets tossed aside like this? Would it kill you to make your device fixable? Another example: I tried to fix the digitizer of my HTC Titan a few days ago, but ended up destroying the LCD entirely. Why would there be any need to superglue both LCD and digitizer and superglue that combo to the device’s body? To keep them in place you say? There are small, low profile screws that will do the job just as well without jeopardizing the serviceability of the device or its overall design (read: they will not make it any thicker).
The entire world has been sucked into a game that the companies play on a large scale. They are trying to see just how much they can shove down our throats, all while expending the least amount of effort in doing so. These practices not only have the effects mentioned earlier, but they can also have dangerous consequences (bulging exploding battery of SGS2 devices anyone?). The core activities here on XDA-Developers actually somewhat put a damper on this, as the allure of “a new OS version exclusive to a device” is now mitigated. But unfortunately, software is just but a small part of the overall equation.
Next time you are out there shopping for a cell phone, just think about a very important thing that goes beyond specs or pretty colors. Just think about how well the product you are about to purchase was engineered. Let that be your deciding factor, and don’t simply fall in line with the rest of the masses who will jump at anything shiny like fish in heat. There are manufacturers out there that still care about trying to keep their core engineering values. To these companies, kudos. To the ones like HTC, which used to be like this (my HTC Wallaby that I bought in 2003 and that has been through hell and back still works), look at your early years and try again. Get off the path you are in right now because you will lose this race. And to the companies that simply don’t give two flying feathers about engineering, progress, and making the world a better place (looking at you Apple), I sincerely hope that your lack of engineering values comes back with a vengeance and bites you where the sun doesn’t shine.
If I have to choose between a phone that is 0.0001 mm thick but that will break upon looking at it without any way to fix it or my old 5110, I’ll take my old Nokia any day of the week. At least, that has engineering at heart.
It should come as no surprise that here at XDA, we are always calling on the OEMs to do a better job of removing the bloat of their custom UIs (Samsung – we’re looking at you and your now insane TouchWiz size) and improving the overall user experience. What may come as a shock to some, though, is that a recent study by researchers at North Carolina State University says that those same OEMs, and their incessant need to have a custom UI as some sort of “branding,” are directly responsible for most of the security issues found with Android. Cue Home Alone face.
In all honesty, we really shouldn’t be all that surprised. XDA Elite Recognized Developer jcase gave a great talk at XDA:DevCon13 where he discussed “Android Security Vulnerabilites and Exploits.” There, he identified how OEMs (LG was his main example) are directly responsible for many of the vulnerabilities and exploits he finds.
The researchers at NC State found that 60% of the security issues were directly tied to changes OEMs had made to stock Android, specifically related to apps requesting more permissions than were necessary. They looked at 2 devices from each 4 different OEMs (Sony, Samsung, LG and HTC), with one running a version of Android 2.x and another running 4.x from each OEM, along with the Nexus S and Nexus 4 from Google.
Here are a few of the findings:
For the user, this should be a warning to pay attention to the permissions used when you install an app and take steps to protect yourself, like with the Xposed module XPrivacy. For OEMs, shame on you. Consumers place trust, no matter how unfounded and risky that is, on you. For you to be breaking that trust by not being responsible and open in your dealings and development is just plain careless.
The full study, presented yesterday at the ACM Conference on Computer and Communications Security in Berlin, is definitely a good read, with specific case studies done on the Samsung Galaxy S3 and LG Optimus P880.
Source: MIT Technology Review
[Thanks to XDA Elite Recognized Developer toastcfh for the tip.]
June 18, 2013 By: Samantha
There are still quite a few of folks who run Gingerbread on their devices—either because their devices have started to age a little bit, or the stability of ports of later versions is just not cutting it. However this doesn’t mean that they should be left out in the cold in terms of new functions and features, as XDA Recognized Themer and Contributor SpaceCaker has created a guide to get the Samsung Android 4.2.2 status bar and toggles on your Samsung device running Android 2.3.
SpaceCaker guides you through the necessary steps to successfully edit the .xml and .smali files within your SystemUI.apk clearly and logically, with accompanying examples of code to aid you through the way. Extra files are also needed, and these are conveniently provided by SpaceCaker in a downloadable zip file from the original post. The end result is the familiar tabbed settings and contact information in addition to the notification area with a row of quick settings lined up on the top. The settings are themed based on Samsung’s distinct lime-green UI design, although I suspect that the colors can be changed according to your own tastes with a couple simple changes of Hex values.
Third party status bar apps that essentially provide the same end result are often buggy and incompatible with earlier versions of Android. This guide offers a reliable alternative that’s also a great exercise for those who are into theming.
If you would like to give this a go, make sure to visit the original thread for more information.
May 27, 2013 By: Jimmy McGee
XDA Elite Recognized Developer Chainfire has worked around Samsung’s attempt to block rooting your phone. Therefore, new devices have been added to CF-Auto-Root. That and more are covered by Jordan, as he reviews all the important stories from this weekend. Included in this week’s news is a tutorial on testing your app with Robotium. And in related news, there is an article on how flash custom ROMs and Recovery to the Samsung Galaxy S 4.
Jordan talks about the other videos released this week on XDA Developer TV. XDA Developer TV Producer Jayce released a video on phone interview tips and tricks and he follows it up with a video on tips and tricks for a main interview. Pull up a chair and check out this video.
April 24, 2013 By: Jimmy McGee
If you’ve seen XDA Developer TV Producer Steve’s video on switching from Windows Phone to Android, you know Steve has no problem sharing his thoughts. He has been reviewing apps on the different operating systems. He has been using Samsung Devices to represent Android and Windows Phone, the Samsung Galaxy Nexus and the Samsung ATIV S, respectively.
However, his satisfaction with his Samsung devices has waned and he is switching to HTC. Steve takes the time to explain why Samsung is not the brand for him. He shares the frustration and quirks he experienced with Samsung. Check this video out.
March 3, 2013 By: Haroon Q. Raja
This year’s Mobile World Conference was different from most. There were still all the device presentations, announcements, and revelations that we’ve come to expect from the biggest tech event of the mobile industry each year. What’s different was that this time, the spotlight wasn’t taken by hardware, but rather by software—and for good reason. After all, it isn’t every day that three upcoming mobile operating systems backed by big names like Samsung, Intel, Mozilla, and Canonical are showcased at the same event. Apart from Mozilla’s Firefox OS and Canonical’s Ubuntu Touch, MWC 2013 also saw Samsung and Intel finally showcase Tizen OS running on actual hardware.
Among all contemporary mobile operating systems, Tizen OS has had perhaps the most tumultuous and complex history. First there was Nokia’s Maemo and Intel’s Moblin, before the two companies decided to combine them together into MeeGo, in collaboration with many major hardware and software partners. Then Nokia decided putting all its eggs in Windows Phone’s basket, and abandoned the platform after releasing the amazing N9 running MeeGo with Nokia’s Harmattan UI that won hearts of users and critics alike, despite not making many sales due to Nokia’s abandonment. While all this was occuring, Samsung had also decided to build an open OS of its own in order to decrease its dependence on Android, and the result was Bada. After Intel’s abandonment, the future looked bleak for MeeGo, and it indeed proved out to be so as well. The OS was shortly abandoned completely by all other supporters as well, and Tizen was born under the patronage of The Linux Foundation. Later, Samsung decided to join the picture as well, with an aim to merge Bada with Tizen.
After being in works for several years under all the different names, it was actually disappointing to see what was showcased at the MWC demo. With a conventional home screen that seemed to be nothing more than a mere grid of icons and an overall UI not too different from Android’s, Tizen seems to bring nothing new to the table that might lure users into switching to it when devices running the OS show up in the market. Granted it’s still in the making and what was demoed was essentially an early preview, it came nowhere close to what Canonical showcased in Ubuntu Touch.
The experience offered by the OS running on the demo devices was sub par at best, being laggy as well as lacking anything truly special and intuitive that’s not already out there. For an OS that has been in the making for several years by now and has major names of the industry backing it, this seems nothing short of inexplicable. One good thing was the announcement of the Tizen 2.0 Magnolia SDK being made available for developers to start working on apps for the OS. That said, there’s still a long way to go before we start seeing devices running Tizen hit the market. There have been no official time frames announced in this regard, but it is expected to be late 2013 by earliest. Also, since Bada is essentially being merged into Tizen, many are speculating whether Samsung will decide to abandon the devices running Bada, or upgrade them to the new platform in the future.
Here at XDA, we get excited about any development in the smartphone industry, especially when it’s an open-source mobile operating system aimed to offer a completely open alternative to Google’s semi-open Android ecosystem. We have also merged our Tizen and Bada forums to consolidate development for them under once roof, where you can also join several discussions about the OS.
You can learn more about Tizen and download its SDK from the Tizen website.
Another wonderful International CES has passed us by. The event was filled with many exciting displays, like the Intel Ultrabook Tree, but most important were the announcements made by many manufactures. Some announcements are still years out, embodying nothing more than an idea. Other announcements having working prototypes, while still others are in the final stages before release or have been released.
Due to the open nature of Android, at times device manufacturers make absolutely ridiculous decisions in an attempt to set their devices apart from those of the competitors. A perfect example of this is Samsung’s choice of using a proprietary QMG format for its boot animations, as opposed to the standard bootanimation.zip format used on Android by default. The QMG files need to be created using the expensive Qmage commercial software, thus effectively barring the average consumer from cooking up their own.
XDA Recognized Developer smokin1337 decided do something about it and created a hack that brings back Android’s standard bootanimation.zip support to Samsung devices. The mod was created for the Samsung Galaxy Note II, but should work on any Samsung device that uses samsungani to load up the bootanimation. The developer has also provided the Google Gears boot animation with the package, but you can choose an alternate instead.
This will add the ability to use a custom bootanimation on any rom with any kernel and probably any samsung device.
It has been tested on the Note II but should work with any samsung device that uses samsungani to load boot animations. If it doesn’t work for you please post here.
Uses the typical settings bootanimation is at /system/media/bootanimation.zip, this is for those using a stock rom or a rom the dev didn’t add it in.
As always, more information and download links can be found in the forum thread.
December 30, 2012 By: Former Writer
Android devices support a lot of external devices. From Bluetooth speakers to external hard drives, there really isn’t much you can’t hook up to an Android device anymore. However, one thing that users may have trouble with is an external microphone.
XDA Elite Recognized Developers AdamOutler and Rebellos are at it again. This time with a hardware mod that will allow better external mic support on most Samsung Galaxy devices. This includes the Galaxy Note II and the Galaxy Camera. AdamOutler explains the mod in more detail:
Elite Recognized Developer Rebellos searched the code, and we figured out that the device wouldn’t recognize my mic because its Ohms are too low. The WolfsonMicro chip uses any value below 1000 Ohms to signify button presses. Above 1000 Ohms, it signifies a microphone. My microphone is a 900 Ohm microphone, so in all actuality, it’s pretty high considering most are around 100-500 Ohms. However, Rebellos and I managed to hack through it. I wanted to share this method.
The result is a hardware mod that allows the use of larger external microphones. There are a few things to note. As Adam stated, in order to be detected, the mic must offer 1000 Ohms of resistance. If it doesn’t, then the device won’t register it as a microphone, but rather, as a button press. Since most of us don’t want to buy an entirely new microphone, a tempting solution is to create an adapter to enable the one you already have to work on the device.
According to Adam, you’ll be building a, “Samsung 4-pole to 1/4″ Mic adapter with a 200 Ohm resistor inline.” The process itself isn’t overly difficult, and for frequent hardware modders, it should be a walk in the park. Since you’re not soldering anything onto your device, you most likely aren’t putting it in direct jeopardy. Just be careful not to burn yourself with that soldering iron.
If this looks like something worth trying, head over to the original thread.
December 17, 2012 By: jerdog
We recently told you about the Exynos4 security hole found by XDA Member alephzain. This is a security hole in the kernel that allows malicious code full access to all physical memory. XDA Elite Recognized Developer Chainfire would have none of it, and not only pointed out the security hole by creating an app that roots your device without ODIN, but also provided a way to plug it.
His application, aptly named ExynosAbuse APK, gains root privileges via the ExynosAbuse exploit and installs SuperSU. In addition, in version v1.10, it allows you to disable the exploit at boot. The downside of disabling the exploit is that your camera may break. However, this is not so bad considering how your device can no longer be compromised by this exploit. Lesser of two evils, right? If you absolutely must have your camera, the application allows you to re-enable the exploit.
Unlike the other app-based patches out there, Chainfire’s solution to patch on boot runs before any normal Android apps perform their launch after boot code, thus preventing that attack vector as well. One thing Chainfire points out is that the protections included in his APK are just workarounds, rather than actual fixes. For that, we’ll have to rely on our talented developers in the XDA Developer community or Samsung. (Do I hear crickets chirping?)
For more details on the exploit, you can head over to alephzain’s exploit thread or Chainfire’s application thread. When visiting the latter, be sure to help Chainfire test various Samsung devices by stating your device, its firmware, and whether the application and fix worked.
December 5, 2012 By: Jimmy McGee
Today on XDA Developer TV, XDA Recognized Developer and XDA Developer TV first timer Benjamin Dobell gives us a tutorial on USB logging. Dobell is responsbile for Heimdall. Heimdall is an open source cross platform flashing utility much like Odin, but better. Heimdall lets you flash ROMs on Samsung devices, only Heimdall runs on Windows, Linux, and OS X.
In today’s video, Dobell introduces himself and his Heimdall suite. He then he shows you how to log the USB connection of a flash download on your Galaxy device. Dobell explains that if you log a USB connection during a Kies firmware flash and send the resulting file to him, he may be able to reverse engineer the log and get your device working in Heimdall. So check out this video and help out the community.