Boing Boing 

Blackphone announces privacy-oriented app store


Blackphone, the Swiss-based, secure hardware/OS mobile phone from PGP inventor Phil Zimmermann, has announced that it will provide a store with privacy-oriented apps that are sandboxed to minimize data misuse.


Darkmatter: a secure Paranoid Android version that hides from attackers

Stock Android phones with the Darkmatter OS use encrypted storage, OS-level app controls, and secure messaging by default, but if the phone thinks it's under attack, it dismounts all the encrypted stuff and reboots as a stock Android phone with no obvious hints that its owner has anything hidden on it.


Mobile malware infections race through Hong Kong's Umbrella Revolution


The protesters are dependent on mobile apps to coordinate their huge, seemingly unstoppable uprising, and someone -- maybe the Politburo, maybe a contractor -- has released virulent iOS and Android malware into their cohort, and the pathogens are blazing through their electronic ecosystem.


Samsung Galaxy back-door allows for over-the-air filesystem access


Developers from the Replicant project (a free Android offshoot) have documented a serious software back-door in Samsung's Android phones, which "provides remote access to the data stored on the device." They believe it is "likely" that the backdoor could provide "over-the-air remote control" to "access the phone's file system."

At issue is Samsung's proprietary IPC protocol, used in its modems. This protocol implements a set of commands called "RFS commands." The Replicant team says that it can't find "any particular legitimacy nor relevant use-case" for adding these commands, but adds that "it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

The Replicant site includes proof-of-concept source code for a program that will access the file system over the modem. Replicant has created a replacement for the relevant Samsung software that does not allow for back-door access.


Boeing's self-destructing, tamper-resistant spookphone: the Black


Boeing has sought regulatory approval from the FCC for a tamper-resistant phone intended to self-destruct if its case is opened. The phone, called "Black," runs Android, and is intended for use under the DoD Mobile Classified Capabilities guidelines. It will be sold with a nondisclosure agreement prohibiting tampering or service, and opening the case will trigger a system intended to wipe the phone's data.

Interestingly, it has a removable battery (something that's become increasingly scarce in smartphones). Best operational security practice holds that you should remove your phone's battery when you want to be sure that it's off, because any malware that turned your phone into a bug could also cause it to simulate being switched off while it remained running.

It's an intriguing technical problem. I'm intuitively skeptical of the security model. I can believe that this phone will be tamper-evident, but I don't know if it will be all that tamper-resistant. That is, it may be capable of preventing an attacker from surreptitiously opening the case to access the components, but how about an adversary willing to simply smash the screen to get at the components beneath?

The manufacturer could make a phone whose accelerometer tried to detect these events and wipe the device as a precaution, but I suspect there'd be a lot of spooks who'd end up cursing their self-destructing phones every time they butterfingered them while getting them out of a pocket while walking down the street. I'm pretty sure that I can use tools to remove my phone's screen in a way that generates less detectable stress than it receives during everyday knockabout and drops.


Woz: Apple should make Android phone

Mat Honan, at Wired, quotes co-founder Steve Wozniak: “The great products really come from secret development,” he said. “You put small teams of great people on them and they aren’t bothered by other people commenting on what they’re doing while they’re doing it. A whole new category of products doesn’t happen very often. It might happen once a decade. Sometimes you have to wait for one of those to come about.”

Teach your rooted Android phones to lie to apps about whether it's rooted

There's a funny paradox in rooting your Android phone. Once you take total control over your phone, some apps refuse to run, because they're trying to do something that treats you as untrusted. Now there's a utility called Rootcloak that lets you tell your rooted phone to lie to apps about whether it is rooted. It's both long overdue and a neat demonstration of what it means to be root on a computer.

Blackphone: a privacy-oriented, high-end, unlocked phone

http://vimeo.com/84167384

Blackphone is a secure, privacy-oriented mobile phone company co-founded by PGP inventor Phil Zimmermann. It integrates a lot of the privacy functionality of Zimmermann's Silent Circle, which makes Android-based privacy tools (secure calls, messaging, storage and proxies). Blackphone also runs Android, with a skin that switches on all the security stuff by default. The company is based in Switzerland, whose government privacy rules are better than most. The phone itself is a high-end, unlocked GSM handset. No info on pricing yet, but pre-orders open in late February. I'm interested in whether the source code for the Blackphone stack will be free, open, auditable and transparent. If it is, I will certainly order one of these for myself and report here on its performance.


HOWTO delete your smartphone's fine-grained log of everywhere you've been

If you have an Android or iOS smartphone, it defaults to storing the history of all the places you go, at a very fine resolution, for a very long time, and mirrors that data on remote servers from which it might be leaked or subpoenaed. Lifehacker has a great tutorial on deleting your Location History and turning off future logging of your location. They cover both iOS and Android. I just did my devices, and it was very easy.


Audio game app for blind people

Bob Smolenski says: "I've released a new audio game app for blind and visually impaired. Open Field Echo Sounder uses GPS on your iPhone or Android. Walk to the center of an open field and six virtual targets will be arranged around you. Echo locate them using headphones to determine direction. Sighted folks can play it also ;)"

Open Field Echo Sounder: $2 on iOS and Google Play

Google yanks vital Android privacy feature

Well, that didn't take long: shortly after Google added a new Android feature that let you deny apps access to your sensitive personal data, they have revoked it. This is frankly terrible, and the Electronic Frontier Foundation's Peter Eckersley has some very pointed commentary, recommendations for Android customers, and advice for Google:


Android gives you the ability to deny your sensitive data to apps

Android privacy just got a lot better. The 4.3 version of Google's mobile operating system now has hooks that allow you to override the permissions requested by the apps you install. So if you download a flashlight app that wants to harvest your location and phone ID, you can install it, and then use an app like AppOps Launcher to tell Android to withhold the information.

Peter Eckersley, a staff technologist at the Electronic Frontier Foundation, has written up a good explanation of how this works, and he attributes the decision to competitive pressure from iOS, which allows users to deny location data to apps, even if they "require" it during the installation process.

I think that's right, but not the whole story: Android has also always labored under competitive pressure from its free/open forks, like Cyanogenmod.


Cyanogenmod adds encrypted SMS from WhisperSystems

The latest (unstable) build of Cyanogenmod (a free/open version of Android) incorporates a secure, encrypted SMS program called TextSecure, which was created by Open WhisperSystems. Open WhisperSystems's chief engineer is the respected cryptographer and privacy advocate Moxie Marlinspike, and the source for the Cyanogenmod integration is open and available for inspection and scrutiny. The new encrypted SMS is designed to be integrated with whatever SMS app you use on your phone, and allows for extremely private, interception- and surveillance-resistant messaging over the normally insecure SMS. It requires that both parties be using TextSecure, of course -- if you send a TextSecure message to someone without secure messaging, the message will fall back to unencrypted text.


Cyanogenmod installer removed from Google Play store

Two weeks ago, the one-click Cyanogenmod installer hit the Google Play store, making it possible to switch from the stock Android operating system to a more free, more open version without any special expertise. Yesterday, Google asked Cyanogenmod to remove the installer, because using it voids your device's warranty. I've downloaded other apps from the Play Store that root your device and void the warranty, so this seems like a very selective enforcement to me.

In any event, Cyanogenmod's installer can be "sideloaded" into your device without having to go through the Play Store (one of the advantages of Android is that it doesn't attempt to prevent you from installing unapproved software). Hundreds of thousands of people used the Play Store version, and we can hope that it remains in use, even without Google's official support.


One-click Cyanogenmod installer in the Play store


Cyanogenmod Installer is a one-click Android app that unlocks your bootloader, roots your device, and flashes Cyanogenmod's OS onto it. Cyanogenmod is a free/open fork of Android, where many of the proprietary Google elements have been replaced by open equivalents, giving you lots more customizability and privacy in your device. For example, the Cyanogenmod device locating feature lets you find your phone, but makes it much harder for third parties to track you using the same feature. The company raised $7M in venture capital in September, and this is the first serious change to the OS since then, and it's a huge improvement. Previously, installing Cyanogenmod was pretty tricky and arcane, and was a huge barrier to adoption. Now you can download an app from the Play Store, and install with one click.


Apps for Kids 46: Nimble Quest


Apps for Kids is sponsored by HuluPlus. HuluPlus lets you binge on thousands of hit shows – anytime, anywhere on your TV, PC, smart phone or tablet. Click here to support Apps for Kids and get an extended free trial of Hulu Plus.

Apps for Kids is Boing Boing's podcast about cool smartphone apps for kids and parents. My co-host is my 10-year-old daughter, Jane.

In this episode, we review Nimble Quest. It's $2.99 in the iTunes store and free in Google Play.

Our Minecraft contest deadline has been extended to October 11 at noon PT! Email us a screenshot or YouTube link of your Minecraft creation and we'll pick a winner to join us on an upcoming episode of Apps for Kids!

If you're an app developer and would like to have Jane and me try one of your apps for possible review, email a redeem code to appsforkids@boingboing.net.

Jane and I love to get your emails with questions about game, gear, and tech. What's your question?

Listen to past episodes of Apps for Kids here.

To get a weekly email to notify you when a new episode of Apps for Kids is up, sign up here.


Android vs malware: how to run a secure, open ecosystem


A presentation by Android Security chief Adrian Ludwig at Berlin's Virus Bulletin conference lays out a fascinating picture of the security dynamic in the open Android ecosystem, through which Android users are able to install apps from the official, Google-operated Play Store, as well as from anywhere else they fancy. Ludwig describes a "defense-in-depth" strategy that is based on continuous monitoring of the overall Android world to come up with responses to malicious software. According to Ludwig, only 0.12 percent of Android apps have characteristics that Google thinks of as "potentially harmful" and there are lots of good apps that share these characteristics, so that number doesn't represent the number of infections. There's also a lot of material on the kind of badware they find on mobile handsets, from commercial spyware that looks at users' browser history and location data to snoopware that covertly spies through the camera and mic to fraudware that sends out premium-rate SMSes in the background.


Cyanogenmod goes commercial

The hoopy froods of Cyanogenmod -- a free/open replacement for Android, with lots of privacy- and security-oriented features -- have raised capital and are going commercial. They're going to productize Cyanogen with the motto "available on everything, to everyone." This is great news. Cyanogen isn't just a great OS -- it's also a huge force pushing Google into adding more features, even when the carriers hate them (for example, the addition of a tethering service to Android, which followed on from Cyanogen).


Apps for Kids 45: Bean's Quest (Plus a Minecraft contest!)

Apps for Kids is Boing Boing's podcast about cool smartphone apps for kids and parents. My co-host is my 10-year-old daughter, Jane.

In this episode, we review Bean's Quest. It's $2.99 in the iTunes store and Google Play.

We also announced our first contest! Email us a screenshot or YouTube link of your Minecraft creation and we'll pick a winner to join us on an upcoming episode of Apps for Kids!


CyanogenMod rolls out secure device-locating feature

CyanogenMod is a free/open version of the Android operating system. Yesterday, they announced a cool new feature called CM Account, for recovering and/or wiping lost or stolen devices. Unlike traditional device-locating services, which effectively offer a back-door to your phone or tablet that can be exploited by hackers, spies, or unscrupulous insiders, CyanogenMod's version relies on your browser establishing a secure connection to your device, without anyone in the middle having access to the keys and passwords used to hijack the device and get its location or wipe its drive. The service was developed in part by Moxie Marlinspike, a legendary security and privacy hacker, and the code is open and free for audit.


Nvidia Shield, portable game console, reviewed

Nvidia's Shield is the chipmaker's big push into an already well-stocked portable gaming field. Sony and Nintendo sell millions of handsets, yet their lunch's been conspicuously eaten by Apple's iPhone, and other touchscreen smartphones and tablets, in the last few years.

Resembling a large game controller with a flip-out screen, the $299 monster will win no awards for pocketability, prettiness or pricing. With beefy specs, traditional controls and a versatile, open cut of Android, though, it has a strong appeal to serious gamers—it can even control games streamed live from your PC. What did reviewers make of it?


PIN-punching $200 robot can brute force every Android numeric screen-password in 19 hours

Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours. They built it for less than $200, including the 3D printed parts. It doesn't work on screen-patterns (they're working on that) nor on iOS devices (which exponentially increase the lockout times between unsuccessful password attempts). They're also whomping up new versions that can simulate screen-taps with electrodes, which will run much faster. They're also working on versions that can work against hotel-room safes, ATMs, and other PIN-pad devices. It's a good argument for a longer PIN (six-digit PINs take 80 days to crack), and for using robust and random PINs (26% of users use one of 20 PINs).


On the Android security bug

Peter Biddle, who helped invent trusted computing when he was at Microsoft, discusses the serious Android security bug that was just reported. It's a good, short read, and most alarming is the news that Google's had information on this critical bug since February: "The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain."

Controlling a robot arm with an Android phone

Paul sez, "This past semester, three engineering grad students at the University of Toronto (myself and two others) created an Android app for a course project that allows for wireless and intuitive control of a robotic arm from an Android-powered smartphone. We're pretty proud of the results (the link is to a demo we put together) and have released the code open source."

Android Robotic Manipulator Demo (Thanks, Paul!)

Access files on locked, encrypted Android phones by putting them in a freezer for an hour


This is alarming, if true: according to a group of German security researchers at the University of Erlangen, if you put a locked, encrypted Android phone in the freezer for an hour and then quickly reboot it and plug it into a laptop, the memory will retain enough charge to stay decrypted, and can boot up into a custom OS that can recover the keys and boot the phone up with all the files available in the clear. The attack is called FROST: "Forensic Recovery Of Scrambled Telephones," and it requires a phone with an unlocked bootloader to work.

At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than bruteforce is lost to recover data.

We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung. To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking. However, we show that cold boot attacks are more generic and allow to retrieve sensitive information, such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked.

FROST: Forensic Recovery Of Scrambled Telephones

Why Andy Ihnatko switched from an iPhone to an Android

My friend, the technology journalist Andy Ihnatko, traded in his iPhone 4s for a Samsung Galaxy S III. Here's the first of his "three-part epic" for TechHive in which he explains why he did it.

I find that typing on an Android device is faster and much less annoying than typing on my iPhone. It's not even close.

This example also points out some of the philosophical differences that often allow Android to create a better experience for the user. Why is the iOS keyboard so stripped-down? Why can't the user customize the experience? Because Apple's gun-shy about adding features at the cost of simplicity and clarity. They're not wrong; it's a perfectly valid philosophy, and usually an effective one.

But sometimes, an Apple product's feature lands at the wrong side of the line that divides "simple" from "stripped down." The iPhone keyboard is stripped-down.

If you don't like how Android's stock keyboard behaves, you can dig into Settings and change it. If you still don't like it, you can install a third-party alternative. And if you think it's fine as-is, then you won't be distracted by the options. The customization panel is inside Settings, and the alternatives are over in the Google Play store.

But I'll be honest: the fact that the Samsung Galaxy S III doesn't suddenly go bip-BONG! and stick a purple microphone in my face when I'm mentally focused on what I'm writing is reason enough for me to prefer the Android keyboard.

Seriously, Apple. This is the single iOS quirk that makes me hate my iPhone. Every time it happens, it yanks me out of my task, and as I scowl and dismiss the microphone, I wonder if you folks put a lot of thought into this feature. "Press and hold to activate speech-to-text" needs to be a user-settable option.

Also, I wanted to mention that Andy has a terrifically entertaining podcast called The Ihnatko Almanac, where he covers comics, technology, and other stuff that he expounds upon in colorful ways.

Why I switched from iPhone to Android

Robots say the craziest things

This morning, while hurrying down the concourse at La Guardia Airport, I tried to dictate a text message to my Nexus 4 while wheeling my suitcase behind me. It got the dictation fine, but appended "kdkdkdkdkdkdkdkd" to the message -- this being its interpretation of the sound of my suitcase wheels on the tiles.

Super-high-end 5" Android phone from China's Oppo


A high-end Chinese electronics company called Oppo has announced a super-deluxe, $500 5-inch Android phone called the Find 5, with some amazing specs:

As the name suggests, the Find 5 has a 5-inch display with a 1080p display, something we saw on the impressive HTC Droid DNA. Inside of the Find 5's sharply designed chassis, you’ll find Qualcomm’s speedy quad-core Snapdragon S4 Pro processor, 2GB of RAM, 16 gigs of storage and an NFC chip. Yes, the Droid DNA has the same internals. But Oppo one-ups that handset by giving the Find 5 a 13-megapixel rear shooter. There’s a 1.9-megapixel camera up front.

The phone uses Google’s Android 4.1 Jelly Bean operating system and, like Google’s Nexus 4, will run on HSPA+ and GSM networks but not LTE.

Chinese Phone Packs All the Best Specs Into a Sexy Package [Nathan Olivarez-Giles/Wired]

New features in Glympse, a location-sharing mobile app I like

For the last year or two I have been using a free location-sharing app on my iPhone called Glympse. Its purpose is simple: when you are driving somewhere to meet someone, the app generates a URL so they can see where you are on a map and track your progress as you are driving.

Today, Glympse introduced a new version of the application, and it has interesting improvements.

Glympse Groups allows users to share and interact via common activities, such as sporting or industry events, meetings or social gatherings. Glympse reveals group members’ real-time locations on a map for a set amount of time, encouraging local interaction and social discovery.

Glympse allows users to automatically schedule location updates to everyone associated with a specific calendar event, virtually replacing the need for “Running Late” or “On my way” emails, texts or phone calls.

When Glympse first debuted, it made it fast and easy for users to “Share Your Where” with others, for a specified period of time without creating yet another network. Now, the new Glympse turns the tables and makes it just as easy to ask your friends, family, and colleagues, “Where are you?” With the new “Request a Glympse” feature, users simply send a request via text or email and recipients can instantly accept and start broadcasting their location for the given time period.

Get Glympse in the App Store and Google Play

Android Jelly Bean is sweet

I got an over-the-air update to my Nexus Galaxy last night, and I'm now running version 4.1 of Android, AKA Jelly Bean. My preliminary impression: holy shit, this is awesome. Fast! Like a time-lapse of my old phone with all the waiting edited out. Haven't tried the voice-search yet, but I will.