• 5,729,040
    REGISTERED
  • 41,990
    ONLINE NOW

Posts Tagged: security

Root

We have talked about app development, Ubuntu Touch development, NFC and Firefox OS presentations from XDA:DevCon 2013. All of these presentations are of great value for developers and enthusiasts. However, there is a dark secret in your pocket: exploits. These exploits can be used for good, gaining root or unlocking. However, they can also be used for bad, such as stealing your chickens or texting curse words to your mother, or worse.

This presentation has a simple title, but the content is not simple. “Android Security Vulnerabilities and Exploits” presented by XDA Elite Recognized Developer jcase. Jcase is a mobile security researcher and the developer of many Android exploits. There is great reason he is an XDA Elite Recognized Developer. Members of the forum sing his praises and OEMs curse his names.

In his presentation, Jcase talks about how the very exploits we often use to root our phones expose us and others to malicious software such as spyware, bots, keyloggers and other forms of malware. He shows past vulnerabilities in applications and firmware and how they are mitigated today. He shows off some of the tools and methods he uses in identifying vulnerabilities. Finally, he walks the audience through finding a security vulnerability and exploiting it.

If you want to see more or get a copy of the presentations slides, visit the XDA:DevCon Presentations page.

bitcoin-logo-3d

Despite previous claims by Bitcoin developers that its open-source wallet application provides “a strong level of protection against many types of fraud,” developers announced Sunday that weaknesses within the Android operating system are responsible for rendering all Android wallets generated to date vulnerable to theft.

The issue lies within the area of the OS that should be generating secure and random key codes, which is why the problem only affects wallets generated by Android applications.

Some applications affected include Bitcoin Walletblockchain.info walletBitcoinSpinner, and Mycelium Wallet. Front-end applications such as Coinbase or MtGox are not vulnerable since private keys are not generated on the Android device.

Updates are still being prepared for clockchain.info and BitcoinSpinner. The update for Bitcoin Wallet is currently under beta testing, and Mycelium Wallet has already received an update. It is strongly recommended to update as soon as a new version is available. In the meantime, key rotation is necessary, according to the Bitcoin developers in their Aug. 11 blog post. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself…Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

The discovery just so happened to coincide with a ruling made by Magistrate Judge Amos Maazant of the Eastern District of Texas federal court that the online payment form be thought of as a true currency. The ruling sets a precedence that anyone committing fraud with the “online crypto-currency” could be looking at more severe penalties. Jon Matonis, executive director of the Bitcoin Foundation, predicted that the International Standards Organization may eventually classify the currency as a “non-national” commodity, which does not need to be issued or backed by any government. Matonis said the ruling “highlights the fact that Bitcoin is becoming recognized as commodity money in the same way that gold and silver are recognized as money.”

Advertisment
SecureYourAndroid

Whether you want to admit it or not, Android is not always as secure as it could be. But thankfully, good people find the security flaws and report them. Google then patches the vulnerabilities. Then, we hit a roadblock. If you are on a stock ROM, you usually have to wait for your carrier to roll out an update for your device to get the patch. Since rolling out updates doesn’t lead to new phone sales, some carriers don’t offer updates in any reasonable amount of time, or sometimes not at all.

Well don’t leave yourself vulnerable. XDA Recognized Contributor Tungstwenty has a solution, as Portal Administrator Will Verduzco reported earlier.  In this video, XDA Developer TV Producer TK reviews Master Key Dual Fix patch. TK shows off how to install the patch and the required Xposed framework, so check out this video.

READ ON »

Jordan0719

Android 4.3 leaked for the Google Nexus 4 That and more are covered by Jordan, as he reviews all the important stories from this week. Included in this week’s news is an article using your Android device as a Virtual driving game wheel and news about an Xposed Patch for the two recent Master Key-style Android vulnerabilities

Jordan talks about the other videos released this week on XDA Developer TV. XDA Developer TV Producer Kevin released a video talking about Xprivacy to protect your privacy, Elite Recognized Developer AdamOutler should how to do an Unbrickable Mod on the Samsung Captivate, and TK showed us how to root our T-Moble variant of our Samsung Galaxy S 4. Pull up a chair and check out this video.

READ ON »

ss

By now, you’ve undoubtedly heard of the Android Master Key vulnerability, which allows a malicious payload to be inserted in an application that is installed, due to a discrepancy between signature verification and app installation. The vulnerability has been known for some time, having been responsibly disclosed by Bluebox back in February, and patched a couple of weeks ago.

Another vulnerability, also known officially as Bug 9695860, works in a similar fashion and results in the installation of an unwanted malicious payload from a seemingly innocuous file. It, just like its predecessor, has also been patched a little over two weeks ago by Google.

Unfortunately, while these vulnerabilities have since been patched by Google and incorporated into a handful of OEM firmware updates, not every manufacturer has been so expedient. And given the usual delays ranging from laziness and lack of profitability to technical complexity, there’s really no telling as to when they will make their way into the majority of end-user devices. The aftermarket community’s quite a bit better, though. Case in point, CyanogenMod 10.1 has had the fix merged ever since July 7th.

However, while quite a good number of people run CM10.1 and derivative kanged ROMs, obviously not everyone is running CM10.1 on his or her device. After all, a good number of people enjoy running modified stock ROMs in order to preserve the original look and feel or OEM-specific features. And there are other source-built ROMs that just haven’t been updated to include the upstream fixes.

So what are stock firmware + root users to do in order to be safe? Well first off, said users should refrain from installing APKs that don’t come from trusted sources such as Google Play. However, we realize that this isn’t a true solution. To deliver that, XDA Recognized Contributor Tungstwenty came up with an Xposed module that patches both vulnerabilities in one go.

Previously, we’ve seen Recognized Developer rovo89‘s Xposed Framework used for quite a few modifications ranging from alleviating issues in recent Android revisions to managing permissions to loading the borderline malware (I kid, I kid) Facebook Home. However, we’ve not yet seen the framework used to deliver a fix for a vulnerability in such a manner. (Those wishing for a primer on the fantastic Xposed Framework should visit our write-up from a few months back.)

As expected from any Xposed-based modification, installation of Tungstwenty’s Xposed Module is incredibly simple. In his words:

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation, it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key dual fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key dual fix

4. Reboot the device (a Soft reboot is sufficient)

You should now see an image similar to the attached one. The green text shows that the module is active and the 2 vulnerabilities have been patched.

Those who would like to learn more about the vulnerability should visit this thread by Recognized Developer Adam77Root, which explains it in a little bit greater detail. It also outlines which ROMs would and would not be affected. Until you’re patched by either installing this Xposed patch or updating to the latest CM10.1 nightly, we advise that you only install APKs from trusted sources such as the Google Play store.

Head over to Tungstwenty’s modification thread to get your fix… literally.

telstra us

Looks like even we Australians haven’t been able to stay clear from the unprecedented, mass surveillance that Americans have been subjected to, as The Sydney Morning Herald (SMH) has revealed today. It may or may not come as a shock that Australia’s largest telecommunications company Telstra has had a secret pact with the US intelligence agencies for at least a decade, obliging Telstra to store mass volumes of communication data of Australians for potential investigations by the US in the future.

An agreement penned when 50.1 percent of Telstra was still owned by the Australian Federal Government, it obliged Telstra to meet the demands of the FBI and Justice Department to “provide technical or other assistance to facilitate…electronic surveillance,” while allowing for all communications involving a US point of contact to be stored in a secure storage facility located on US soil and managed and sifted through by Americans with top-level security clearance. This data includes phone calls, emails, and online messages.

This means if you’re an Australian who’s contacted anyone in the US in the last decade at least, those related phone calls, emails, and online messages are stored in some dark, dank dungeon of borderline criminality with  big, shameful ‘Made in Australia’ and ‘Owned by the US’ stickers all over it. That’s not a very desirable place for your private information to be stored.

SMH has also confirmed that the agreement was still in operation “as recently as March 2011,” while Telstra has disappeared in their White House replica doghouse with the tail between the legs, refusing to comment or answer detailed questions about it.

This is a major concern for Aussies, as although the contract does not “authorise Telstra or law enforcement agencies to undertake surveillance” (SMH), the legality of the contract is very questionable, if not an “invasion of privacy and erosion of Australia’s sovereignty,” as spoken by the Greens on Friday. This is so, as there a a number of legislation such as the Telecommunications (Interception and Access) Act 1979 (Cth) and Telecommunications Act 1997 (Cth) that govern the ‘privacy of communications,’ with the former “[prohibiting] the interception of communications passing over a telecommunications system and prohibits access to stored communications (i.e. email, SMS and voice mail messages) except where authorised in specific circumstances” (Electronic Frontiers Australia).

And for Optus customers, don’t feel so safe, as our second largest telecommunications company has also declined to comment whether they have stored data for “potential surveillance by US, or Australian, authorities” (SMH). This also certainly doesn’t mean that all you folks with unmentioned companies such as Vodafone are exempt from such probings.

Let’s see how this unfolds, shall we?

“It’s How We [Dis]Connect” Telstra Advertisement

[Source: Sydney Morning Herald]

heml.is_

In light of all the recent panic over surveillance and Internet monitoring, there are a plethora of “secure” communication programs being announced and launched. These tend to make bold promises of being secure, protecting users from surveillance, and being better than equivalent services.

Yesterday, 3 notable personalities in the web-o-sphere lost much credibility in my (and anyone interested in security’s) view. Why? For using pseudo-security, and trying to market it as security. They clearly do not have a strong background in cryptography or security theory, and appear out to make money, rather than to create a well-designed and well-architected, resilient and decentralised service. And I’m not against someone making a commercial service, but hey, at least design it well, and make it open source.

Open source doesn’t prevent being a commercial success. Take a look at, say, Android, or RedHat Linux, or SUSE, or indeed any open source project with a company behind it that doesn’t turn a loss (and hey, a company that runs at a loss won’t last long).

Without further ado, let’s just take a look at what they say about their service.

From their own FAQ:

Will it be Open Source?
We have all intentions of opening up the source as much as possible for scrutiny and help! What we really want people to understand however, is that Open Source in itself does not guarantee any privacy or safety. It sure helps with transparency, but technology by itself is not enough. The fundamental benefits of Heml.is will be the app together with our infrastructure, which is what really makes the system interesting and secure.

While it is true that being open source alone is not a guarantee of security, they want to open the source, “as much as possible”. Yet they are intent on offering a closed platform. From history, lessons have been learned about poor security, such as Cryptocat, which is open-source, and has had many security holes. Would these holes (which are critical to the security of the service) have been found if it was not open source? Arguably not, as they arose in review of the source code.

Is it really secure?
Yes and no. Nothing is ever 100% secure. There will not be any way for someone without access to your phone to read anything, but with access to your phone they can of course read the messages. Just as they can use any other app you have installed.

This suggests the decryption keys are stored unprotected on the device, meaning a rooted device permits trivial key retrieval. This can easily be avoided by encrypting the key with a strong, password-derived key. Every rooted user should be aware of this. But likely won’t, as the makers appear unwilling to suggest downsides of the system.

Your server only?
Yes! The way to make the system secure is that we can control the infrastructure. Distributing to other servers makes it impossible to give any guarantees about the security. We’ll have audits from trusted third parties on our platforms regularly, in cooperation with our community.

How is this ANY better than iMessage, or any other large-corporation, closed-source rival? If they control the infrastructure, and one cannot freely review the source code running on it, this is just as bad as iMessage, which is simply not secure. They mention third party audits in cooperation with the community, but what community will there be, when the software is closed source, and entirely centralized?

Will you provide an API and/or allow third party clients?
At this point we don’t see how that would be possible without compromising the security, so for now the answer is no.

In security, the mantra is “trust nothing”. In particular, it is NEVER safe to trust the end user’s device, or client software. The answer above says that they, the experts, cannot see a way to permit an API or third party clients, without compromising security. As everyone familiar with XDA knows, it is trivially easy to modify apps and their underlying code, as is seen with tools like smali and apktool, as well as the Xposed Framework. 

It is clear that this Heml.is system is placing far too much trust in the clients in this system. While alternative systems are trusting nobody but themselves (for example, Bitcoin), this is a step backwards, towards the dependent situation where users are forced to trust a closed network, over which they have no input. This closed network can only run on the servers of the service provider.

Does Heml.is save every message on a server?
Messages will only be stored on our end until they have been delivered to the recipient. We might add support for optional expiry times to messages, in which case messages would be stored until they had been delivered or they expire. Whichever comes first.

Frankly, this answer actually made me laugh out loud, and get many a strange look. This is the kind of answer that public relations (PR) people dream of. The answer here is “yes”, and the people behind Heml.is even admit it. But they fail to recognize that with an untrusted central server, you are forced to go simply on THEIR WORD that they actually do remove these messages. What makes you certain they do remove them? And that they always will? Do you trust the NSA to remove what they store about you? Do you trust iMessage to? Why should you trust Heml.is to?

I honestly cannot understand why they have brought this kind of product to the public at this stage; they have proposed nothing in any way better than ANY other service on the market. There is as much guaranteed security in this system as there is in standing on a pedestal in a crowded city with a megaphone and shouting your correspondence to the world. This is a real shame, as I really hoped that Heml.is would be different. I thought more from its developers, who have reputations for being sensible and privacy/security conscious.

What is on offer here is a closed-box security system. Statistically speaking, any project of this magnitude will have at least 1 major flaw in its cryptographic implementation. And I can already predict that flaw, having no access to the software, or indeed any information beyond that available to us all from their website. So I will make that prediction now, and in public. This system will, in my professional opinion, rely on trusting their centralized server for the identification and authentication of users to each other. Meaning, if the central server is compromised, or the operators are forced through duress, they would be able to modify the server so a request for Bob’s public key would return a public key under the control of the attacker. The only way to alleviate this is to have an entirely open and distributed, decentralized back-end, which never trusts a client not to lie, and a client that never trusts the server.

It is not currently possible to achieve perfect security in this sense (of being assured the key you receive is from the person it claims to be), short of in-person verification of key fingerprints. But it is possible to at least not rely on a centralized server to be trustworthy, when that server is not able to be inspected by yourself, and independently run. This was a major opportunity for a totally distributed network facilitating free and secure private communications, which has been spoiled through a lack of experience by those designing it, with regard to security.

I see no way that even the proposal can withstand any kind of scrutiny from those in the security field such as myself. I would love for the guys behind it to get in touch, and see if they are willing to address some of these issues. Perhaps it’s all a big set of misunderstandings, but from the wording here, this system is wholly insecure, and relies entirely upon their “service in the middle” to honestly relay keys to users. And if they’re going for “all out convenience”, that will be the easiest way to go. But there are plenty of changes they can make to improve this system, and if they are willing to discuss this, I am more than happy to make a few suggestions that would eliminate the issues with their central server, and “no third party clients” (which effectively means they wouldn’t properly open-source the resulting application).

Peter, Leif or Linus, drop me an email (pulser _at_ xda-developers.com) and we can have a constructive chat about this, and if you want to make a response here, add one. As it stands though, this whole project comes across as an exercise to produce money from the “masses” for the promise of secure communications. And there’s nothing wrong with that. But at least make it use proper, well-designed, and robust security principles, which will stand up to users making use of third party clients, or being able to ensure they are not placing any trust in your server for key distribution. If you rely on trusting the user’s client to behave, or on your server to never be compromised (and your staff never placed under legal or physical threats), then one day, the walls will crumble down. And it’s all achievable, while being fully open-source, open-standard, and open-platform.

XDA_Articles-devcon

At XDA, we get downright giddy when we see a heavily locked down device unlocked and rooted. An unlocked bootloader and rooted device opens the door for many options of custom ROMs. Without root we have no recovery, no ROMs, no kernel optimizations, and very limited other development. Most of us are guilty of just flashing away what greater minds say we need to without ever understanding what they do.

Justin Case, aka XDA Elite Recognized Developer jcase, is a mobile security researcher and the developer of many of these Android exploits. He is one of these great minds, and he will be presenting at XDA:DevCon 2013. Jcase will be discussing vulnerabilities and common security shortfalls in Android applications and firmware. He will also be walking the audience through identification of a vulnerability and development of an Android root exploit.

Being one of the great minds that understands Android security, jcase knows that the very same exploits we use to root our phones expose us and others to malicious activities such as spyware, bots, keyloggers, and other forms of malware. At XDA:DevCon, jcase will discuss past vulnerabilities in applications and firmware, as well as how they are mitigated today. He will teach the audience about some of the tools and methods used in identifying vulnerabilities. Finally, he will be speaking about application and firmware security, citing and explaining common mistakes, and how we can mitigate them. To end the presentation, jcase will publish and discuss a brand new root exploit for the LG Optimus series of phones.

Join us August 9 to 11 in Miami for XDA:DevCon 2013. Register to attend using this link for exclusive savings.

hiapplock

With the citizens of the United States debating the Orwellian state of citizen surveillance, security is a hot topic. Perhaps it is a good idea to protect yourself from spying a bit more. Grab a piece of tin foil and fashion a hat, lock your phone, and talk only in short syllables.

XDA Forum Member hiapp has an application to block access to your applications.  In this video, XDA Developer TV Producer TK reviews Hi App Lock. TK shows off the application and gives his thoughts, so check out this app review.

DISCLAIMER: Neither XDA nor the app developer guarantees any protection from government surveillance with the use of this or any app / idea presented in this video.

READ ON »

Screen-Shot-2013-06-10-at-10.40.14-AM-580x328

In case you are someone like I am who doesn’t follow the annual “update” of iOS, this is where they make it more like Android and make use of some features Android has had for years (i.e. notification pull-down), and announce a few changes and “new” things the rest of the world has done for years.

Before I go any further, the previous sentence is intended as a joke, let’s not turn this into an iOS vs whatever war. This is about something that all platforms need to unite on: user data security.

Apple yesterday announced a new feature, whereby your passwords will be synced between all your devices, using their iCloud service. On the face of it, this ought to encourage users to use stronger passwords, as they do not need to remember each password. Unfortunately, this “user friendly” system appears to have a few fundamental flaws. This is called iCloud Keychain.

Firstly, Apple encourages password re-use. Not in the strict sense of using the one password across different sites, rather in the sense of using one password for secure and nonsecure tasks—an iPhone user must enter his/her Apple Account/iCloud password to install or update an app. They must also enter this same iCloud password to restore their cloud device backup to a new phone. And, no doubt, will use this iCloud password to unlock the iCloud Keychain.

At this point, the security-inclined among us will be boiling up in a nerdrage, at the thought of using the same password for a routine, insecure environment task (installing an app a friend recommends), and then re-using that same password to unlock your entire digital life of passwords and credit card details. To quote from Apple, this service will store website logins, credit card numbers, WiFi networks, and account information. Asides from the fact I sincerely doubt it is storing WiFi networks, and rather stores WiFi passwords, this seems rather unsafe.

I know 3 of my friends’ iCloud passwords. Not through some devious social engineering scam, or through some super-sneaky shoulder surfing. No… They each volunteered it to me. For whatever reason they were showing me something on their phone, and Apple decided it was time to ask for their iCloud password again. I was showing one how to update their apps, and before I could hand the phone back to them to log in on, they had told me their iCloud password. AAARGH… Don’t Apple teach security to their users?

I am more than certain that plenty of iPhone (and other Apple product users) are not aware of the need to keep secure their iCloud password, as Apple shields them from the technical nuances to avoid spoiling their marketing of everything being sleek and safe. Having a red warning “IF ANYONE FINDS OUT THIS PASSWORD, THEY WILL OWN YOUR ENTIRE LIFE FOREVER MORE” would be justifiable, but there is no such warning.

Unfortunately, the product launch also introduced some technical words. “Oh, but it protects them with robust AES 256-bit encryption”, I hear you say, quoting from the announcement. And indeed, that is correct. But AES-256 encryption is not quite so robust when a legitimate user can obtain the key through simply knowing their iCloud password. Or when someone just resets your iCloud password. Do you really think Apple will design this system securely, so if a user forgets his/her password, they forever lose access? Or will they build in a user-friendly backdoor to allow the user back into his/her account once they call support? I’ll let you figure that out…  Unfortunately Apple are in a predicament here: They need users to use super-strong, hyper-complex passwords for their iCloud account. And understand the technical reasons they must keep this password secure. The problem is, like most Apple products, they are designed for ease of use, and therefore the majority of users will pick a simple password.

Which means it will be nice and short so it is convenient for them to type in every time they install or update an app.

Which means it’s not secure.

Expect attacks on iCloud accounts to rise in volume and risk, particularly against less technical users. I anticipate a lot of phishing attacks attempting to tell Apple device users their account just needs a “little upgrade”, and to just click this link so one of their geniuses will sort it all out automatically. While the friendly-friendly approach works to a point, it doesn’t work whatsoever when it comes to the harsh realities of security. This is not secure encryption, as it depends on a user who is constantly shielded from the technical intricacies of the process.

privacy

Android, as an operating system, is fairly unique in that it makes users aware of the permissions available to apps in a fairly transparent way. Compared to Blackberry or iOS, which issue granular prompts such as “Can Angry Birds access your location?” or “Can Instagram access your camera to take photos?” There is a somewhat subtle difference here: The rivals give the user a choice about these requests.

Jump over to Android where, after installing an app, it has free reign to use every permission you agreed to. While this doesn’t sound an issue, let’s take a look at the Play Store. Let’s look at a nice, popular app (for better or for worse): Facebook.

The Facebook app has permissions to:

  • Create accounts and set passwords for those accounts, and add or remove accounts - this allows Facebook to store its account login using the AccountManager, and is good to see
  • access your accurate (GPS) location and network location - this is to allow for geo-tagging of posts and status updates, which some people might want, but others may be very against. More on this later.
  • full network access - Google lacks a way to give an app selective internet access, so this is needed, much as it might be nice to limit the remote servers an app can communicate with
  • directly call phone numbers - I confess to not researching this one – I am fairly sure Facebook lets you tap a phone icon to call someone. Would it really be so bad to just let you confirm you want to call, and avoid this permission? How long until we see profiles listing premium rate numbers as their phone number?
  • read your phone status and identity - This one is a privacy stealer – while allowing an app to tell if a call is active or not, it also is fairly invasive, allowing an app to obtain your phone number, IMEI, IMSI, device ID (etc), and if you are on a call, the phone number you are connected to!
  • read to and write from USB storage devices - Perhaps this is for caching of files, but maybe a tad excessive?
  • install shortcuts on your homescreen without user interaction - Not sure when this is used, but the permission is there, so it might like to self-promote Facebook services?
  • read your detailed battery statistics - As described in the descriptions, this gives low-level battery use data, and can allow the app to find out what other applications you use.
  • see what other apps are running - Likely for the Facebook Home feature, again allows Facebook to see what apps are running
  • take photos and videos at any time without prompting - Rather concerning, allows the Facebook app to take photos or videos whenever it wants, without prompting or alerting you
  • draw over other applications – Likely for the Chat Heads feature of messenger, although why that’s not a permission in the messenger app is a good question

Getting tired and out of breath yet? It’s not over yet though! Facebook can also:

  • write to your call log - Why? Just why? This allows for call log erasing and writing
  • read from your call log – and thus see all the calls you have made, and when, and for how long, and who they were to
  • read your contacts - while useful if you sync Facebook contacts, many people  don’t want Facebook to have full reign over their contacts
  • write to your contacts - pretty much as above

What is perhaps most disconcerting is that while Google acknowledges openly the risks in each permission (I suggest you take a read at the detailed description of some of the permissions on a Play Store listing), the company takes no steps to help you with this. Thus, the entire Android ecosystem is built around you trusting the developer to play fair, and not do anything dodgy.

Unfortunately. This. Doesn’t. Happen. It really seems clear that many app developers just DO NOT UNDERSTAND SECURITY. Full stop.

And while I might be unique in my recommendation (which I firmly believe is warranted in this day and age given recent information revealing the extent of mass surveillance that is ongoing) to trust nobody, not even yourself. For this reason, I suggest the Android permissions system is totally flawed, in relying on developers to not abuse permissions, and not request excessive permissions. How many torch apps on Android have more than the required camera permission (to enable the camera)? I’d suggest most do, feel free to take a look!

You’d think the Android community would rally against such behaviou, but it’s reached a point where it is acceptable for developers to declare a need for excessively gratuitous permissions in order to use their apps. What happened to user choice? I then was pointed towards this post on G+ by Steve Kondik (XDA Recognized Developer cyanogen), which I read with much dismay. While I do not use G+ (closed platform, requiring far too much data to be disclosed to Google), I would suggest that with respect, the need for user privacy and security MUST come first, as it’s clear app developers cannot “do” security.

Perhaps if Google introduced zero tolerance for moronic errors in security (plaintext passwords, gathering contacts data, obtaining device IDs that are not hashed suitably with a cryptographic hash etc), it might offer an incentive to consider security? Given many users (wrongly) reuse passwords between services, the sending of plaintext passwords should be sufficient, in this author’s opinion, to justify immediate removal of all of a developer’s apps from the Play Store, forever.

Some people just don’t know how to do security. And for them, I sigh. Users deserve security, and privacy, and unless you go ahead and look at the OpenPDroid project on XDA (which I strongly suggest you check out), you are pretty much being abandoned by even the leader of CyanogenMod. While I appreciate his concerns for app developers, it is simply inexcusable to not look into fixing the glaring hole that is contacts access. This is 2013, the era of social engineering, and I cannot choose selectively which apps see which contacts in my address book? REALLY?

Something needs to happen here, before people wake up and smell the coffee, and realize this isn’t sustainable. It’s time users became more aware about what apps are doing, and the extent of data mining that is ongoing. It’s your data, and it should be entirely your choice who gets it.

You shouldn’t have to avoid an app because you don’t like the look of its permissions; you should be able to (whether as stock Google feature, or custom ROM feature) be able to selectively decline to allow an app to access your data. And this should be done gracefully, either providing empty data (for contacts, or similar), or null data (i.e. requesting phone number or IMEI should return the same response as a tablet lacking these identifiers).

Is it right to deny your users the choice, to make life “easier” for app developers? (arguably to allow them to capture user data more easily) I argue it’s not, and it’s time the Android community unites to put an end to apps having free reign over YOUR data. If this concerns you, why not check out the aforementioned OpenPDroid (and similar) projects on XDA, and see if you can help out, or test, or contribute to the cause?

privacy-card-3x2

The UK newspaper The Guardian has revealed today that US CDMA telecommunications provider Verizon is secretly collecting and disclosing the telephone records of a huge number of subscribers (likely in the order of tens of millions of Americans) to USA’s National Security Agency (NSA), often cynically referred to as “Never Say Anything.” This classified, top secret court order, whose classification does not expire until April 2038, compels Verizon to provide, and continue to provide on an ongoing basis:

[...] an electronic copy of the following tangible things:

All call detail records or “telephony metadata” created by Verizon for communications

(i) between the United States and abroad; or

(ii) wholly within the United States, including local telephone calls

As if to somewhat diminish this, the order goes on to state it does not require Verizon to provide details of calls that start and end outside of  the United States. This is little comfort, however, for any subscriber using the Verizon network, as the order goes on to detail the definition of the metadata requested. This includes the source and end-point telephone numbers, the IMSI and IMEI numbers, and the trunk identifier, among other things. The significance of this is that the presence of both the IMEI and IMSI numbers mean that Verizon is being forced to disclose information that identifies individual devices and handsets in use (the IMEI permits identification of the handset model in use, as well as the individual phone).

Quite why such top-secret blanket surveillance is required is obviously the top question right now. And while the NSA claims this is the equivalent to looking at a traditional letter’s envelope, it seems a somewhat tenuous link since letters do not contain an unchangeable identifier on them (IMEI) that can be tied back to you at the point of purchase.

While the NSA’s aims specifically exclude it from carrying out “spying” or surveillance on non-foreign targets, this is somewhat concerning, no?

Source: The Guardian

owncloud-logo-150x74

Welcome to Part 2 of our Say Sayonara to Google series, raising awareness of the options for using Android without Google services. Today, we look at alternative “cloud” services that are Open Source and can be installed on your own server. While there are no doubt many of these available, one that has gained significant attention recently is OwnCloud. OwnCloud is developed totally in the open (you can even clone and run directly from their Github repositories if you so desire, though this is obviously not recommended for running on a production system), in contrast to the “pseudo-open” development carried out on AOSP by Google.

What is OwnCloud About?

OwnCloud aims to offer an extendable online storage system including synchronization, to allow for contacts, calendars, files and bookmarks to be synchronized across multiple devices while retaining control of your data in the process. When using OwnCloud, all of your data is stored on a system within your control, with an Open Source backend (as opposed to a closed system such as Google).

How can I get Started?

You can set up and run your own OwnCloud instance for free on your own existing server by following the instructions from the OwnCloud website. It is strongly advisable to use an SSL certificate with this though, which may come at a small cost. Additionally, if you trust the third parties, there are a handful of providers offering free OwnCloud installations. Obviously in light of the fact that if you’re doing this, you likely don’t “trust” Google with your data. Thus, I’d suggest you consider these services merely for testing.

OK, so Contact Sync?

Yep. Unfortunately though, CardDav isn’t natively supported in Android. It might be supported in your third party variant of Android. (I’m sure I remember seeing this in an older version of TouchWiz.) It’s most likely that you’ll need to use a third party alternative client to sync your contacts. To get this application (which is free), you’ll need to use the Play Store unfortunately, as the developer has only published the free version there. The free Beta version is available here, although the developer has stated he will Open Source the application when he has the application ready for 1.0 release and the code has been tidied up.

Presuming you have set up OwnCloud (which is fairly straightforward if you have your own server etc, and which I believe to be outwith the scope of this article, unless enough readers want a guide), you can configure the CardDav sync client fairly simply by installing the above linked application, and entering the URL of your OwnCloud server (hopefully you are using SSL!), followed by “remote.php/carddav/” (see the developer’s wiki for more details of syncing with OwnCloud).

Once this is done, you can configure syncing. I suggest you disable the “one-way only” sync option, although be aware of the risks of doing this (i.e. if something goes wrong on your phone, it could overwrite server contacts). Presuming you have a backup strategy in place (which you should already have), you should be fine. By enabling two-way contact sync, you should have full contact syncing, like with Google’s own contacts sync service.

Unfortunately, it appears HTC are being deliberately obstructive on using third party contact syncing, so you may have issues on the HTC One using Sense UI. Let us know if you do manage to get it working though. Apparently the bug is a “feature…” Good one, HTC. One more reason to avoid the One (pun intended).

What now?

Your phone should upload all your existing contacts to your CardDav server at this point. Alternatively, if you are setting up your phone from scratch (recommended) to purge Google from it, you could export your Google contacts as a VCF file and import them into OwnCloud’s web interface.

At this point, it’s worth ensuring that you are no longer syncing contacts with Google by going to the Accounts and Sync menu and disabling contact sync for your Google accounts. If you wish to erase your contacts from Google, head over to Gmail in your browser and delete the contacts from the web interface.

Congratulations, you are now syncing your contacts between devices, only using your own server. We unfortunately have to use one non-Open Source application at present. However, hopefully once Marten Gajda completes his application, it will be open-sourced, offering Android users a way to  sync their contacts using entirely open software and server systems.

Advertisement

XDA TV: Most Recent Video

Buy/Sell on Swappa

  • Nexus 5 (Unlocked) buy | sell
  • Galaxy Note 3 (T-Mobile) buy | sell
  • HTC One M7 (Verizon) buy | sell
  • Galaxy S 5 (Unlocked) buy | sell
  • Nexus 7 2013 buy | sell
  • Swappa is the official marketplace of XDA