POSTS TAGGED: security

Samsung Responds to KNOX MitM Attack “Vulnerability”

Untitled-1

About a month ago, we talked about a recent study (PDF) stating that most security vulnerabilities on Android are ultimately due to OEM customizations. And surprise, surprise—this can even happen on devices with technologies designed to protect users.

Late last month, security researchers at Israel’s Ben-Gurion University of the Negev discovered a security vulnerability that allowed a user-installed application to intercept unencrypted network traffic. Rather than describing this as a flaw or bug, Samsung labels the vulnerability a classic Man in the Middle (MitM) attack, which could be launched at any point on the network.

Samsung was also quick to state that this type of attack can be th. . . READ ON »

no comments Read On

Snapchat: A Lesson in How NOT to do Security

Snapchat logo

Here at XDA, we focus on bringing you news about what developers are up to on the forums or significant changes in the mobile industry. Today though, I bring an analysis of some recent news about goings-on in the security world in relation to a particular mobile application you may or not have heard of: Snapchat.

Snapchat is best described as a gimmick application, widely used by teens to send each other photos and short videos, which “self destruct” after viewing, preventing copies being made, etc. Before the security world tries to spear me on a stick and roast me, allow me to point out that Snapchat is an entirely flawed application. It’s not possible to achieve what they are trying to do, as t. . . READ ON »

Tags:

10 comments Read On

CyanogenMod Adds WhisperPush Secure Messaging into CM10.2 Nightlies, CM11 Integration Soon!

Capture

While secure text messaging systems have been available on Android for quite some time, many users (even power users) have failed to set them up on their devices. This isn’t because privacy isn’t important, but it’s often one of those things you don’t think of until it’s too late.

Now, CyanogenMod is taking a great first step by incorporating an existing and open source secure text messaging platform into CyanogenMod. The integration comes in the form of TextSecure, which is maintained by Open WhisperSystems and lead engineer Moxie Marlinspike. Moxie is also in charge of the CM integration of the app, ensuring functionality and a degree of security. New to the CM impl. . . READ ON »

no comments Read On

Google Pulls HushSMS after Flash SMS DoS Info

unnamed

Not too long ago, we talked about the Flash SMS (class 0) DoS vulnerability affecting the current lineup of Nexus devices. Discovered by Romanian security researcher Bogdan Alec, the vulnerability was such that Flash SMS (class 0) messages sent in rapid succession would cause unexpected behavior on various Nexus devices. Curiously, though, the bug only affected Nexus device owners.

Luckily, the vulnerability was never all that damaging. After all, the worst outcome that has been seen so far is data loss due to a device reboot. That said, the vulnerability certainly opens up users to annoying pranks and spam that can get in the way of essential productivity.

Now, the vulnerability has claimed its first ma. . . READ ON »

2 comments Read On

Google Nexus Devices Vulnerable to DoS Attacks, Protect Yourself with Simple App

ddos-attack-335px

Due to their expedient updates and lack of potentially vulnerable carrier and OEM addons, Nexus devices are considered to be among the safest Android devices. Being certified by Google mean a lot, but everything has some vulnerabilities, and newest Nexus devices are no exemption.

According to Romanian security researcher Bogdan Alecu, the Nexus lineup is vulnerable to a denial-of-service attacks based on a special type of SMS. This attack relies on Flash SMS, short messages displayed on the screen without being stored in the inbox. These are most often seen in pre-paid contract plans, used by a carrier to send messages with recent costs.

As it turns out, Flash SMS messages sent in rapid succession can cau. . . READ ON »

10 comments Read On

How to Disable the Annoying Certificate Popup in KitKat

Android-security-apps

My mother always told me that security matters. And she was right. Security is important, as right now, devices can be hacked, phished, or scammed in multiple ways. That’s why protections are so important, especially in public areas. Security certificates were invented and widely used to prevent thieves from stealing our data.

It appears that security matters to XDA Forum Member forceu as well, as he wrote a guide on installing a custom security certificate to bypass the “Your network could be monitored” message when connecting to certain networks in KitKat. This pop up can be annoying, and it forces you to ignore the message when it could actually matter.

Forceu then discovered that c. . . READ ON »

no comments Read On

Shock and Awe: OEMs Cause Android Security Issues

Home_Alone_Boy1

It should come as no surprise that here at XDA, we are always calling on the OEMs to do a better job of removing the bloat of their custom UIs (Samsung – we’re looking at you and your now insane TouchWiz size) and improving the overall user experience. What may come as a shock to some, though, is that a recent study by researchers at North Carolina State University says that those same OEMs, and their incessant need to have a custom UI as some sort of “branding,” are directly responsible for most of the security issues found with Android. Cue Home Alone face.

In all honesty, we really shouldn’t be all that surprised. XDA Elite Recognized Developer jcase gave a great talk at XDA:Dev. . . READ ON »

9 comments Read On

Easily Change Your Android SELinux Mode

Capture

Along with the various user-facing features added in Android 4.4 KitKat, Google significantly bolstered the overall security of the platform with a number of key changes. Among other things, one of the key changes related to SELinux, which was previously introduced in Android 4.3. Android 4.4, however, shifted the SELinux status from Permissive to Enforce Mode.

To quote our security expert Pulser_G2 on the matter:

SELinux in Enforce Mode

In Android 4.4, SELinux has moved from running in permissive mode (which simply logs failures), into enforcing mode. SELinux, which was introduced in Android 4.3, is a mandatory access control system built into the Linux kernel, in order to help enforce the existing acc

. . . READ ON »
1 comment Read On

Android 4.4 KitKat Security Enhancements

Android KitKat

In addition to the many user-facing improvements in the latest incarnation of Android announced yesterday, there are a number of interesting security improvements, which seem to indicate that Google have not totally neglected platform security in this new release. This article will run through what’s new, and what it means for you.

SELinux in Enforce Mode

In Android 4.4, SELinux has moved from running in permissive mode (which simply logs failures), into enforcing mode. SELinux, which was introduced in Android 4.3, is a mandatory access control system built into the Linux kernel, in order to help enforce the existing access control rights (i.e. permissions), and to attempt to prevent privilege e. . . READ ON »

30 comments Read On