A presentation by Android Security chief Adrian Ludwig at Berlin's Virus Bulletin conference lays out a fascinating picture of the security dynamic in the open Android ecosystem, through which Android users are able to install apps from the official, Google-operated Play Store, as well as from anywhere else they fancy. Ludwig describes a "defense-in-depth" strategy that is based on continuous monitoring of the overall Android world to come up with responses to malicious software. According to Ludwig, only 0.12 percent of Android apps have characteristics that Google thinks of as "potentially harmful" and there are lots of good apps that share these characteristics, so that number doesn't represent the number of infections. There's also a lot of material on the kind of badware they find on mobile handsets, from commercial spyware that looks at users' browser history and location data to snoopware that covertly spies through the camera and mic to fraudware that sends out premium-rate SMSes in the background.
The hoopy froods of Cyanogenmod -- a free/open replacement for Android, with lots of privacy- and security-oriented features -- have raised capital and are going commercial. They're going to productize Cyanogen with the motto "available on everything, to everyone." This is great news. Cyanogen isn't just a great OS -- it's also a huge force pushing Google into adding more features, even when the carriers hate them (for example, the addition of a tethering service to Android, which followed on from Cyanogen).
CyanogenMod is a free/open version of the Android operating system. Yesterday, they announced a cool new feature called CM Account, for recovering and/or wiping lost or stolen devices. Unlike traditional device-locating services, which effectively offer a back-door to your phone or tablet that can be exploited by hackers, spies, or unscrupulous insiders, CyanogenMod's version relies on your browser establishing a secure connection to your device, without anyone in the middle having access to the keys and passwords used to hijack the device and get its location or wipe its drive. The service was developed in part by Moxie Marlinspike, a legendary security and privacy hacker, and the code is open and free for audit.
Nvidia's Shield is the chipmaker's big push into an already well-stocked portable gaming field. Sony and Nintendo sell millions of handsets, yet their lunch's been conspicuously eaten by Apple's iPhone, and other touchscreen smartphones and tablets, in the last few years.
Resembling a large game controller with a flip-out screen, the $299 monster will win no awards for pocketability, prettiness or pricing. With beefy specs, traditional controls and a versatile, open cut of Android, though, it has a strong appeal to serious gamers—it can even control games streamed live from your PC. What did reviewers make of it?
Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours. They built for for less than $200, including the 3D printed parts. It doesn't work on screen-patterns (they're working on that) nor on Ios devices (which exponentially increase the lockout times between unsuccessful password attempts). They're also whomping up new versions that can simulate screen-taps with electrodes, which will run much faster. They're also working on versions that can work against hotel-room safes, ATMs, and other PIN-pad devices. It's a good argument for a longer PIN (six-digit PINs take 80 days to crack), and for using robust and random PINs (26% of users use one of 20 PINs).
Peter Biddle, who helped invent trusted computing when he was at Microsoft, discusses the serious Android security bug that was just reported. It's a good, short read, and most alarming is the news that Google's had information on this critical bug since February: "The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain."
Paul sez, "This past semester, three engineering grad students at the University of Toronto (myself and two others) created an Android app for a course project that allows for wireless and intuitive control of a robotic arm from an Android-powered smartphone. We're pretty proud of the results (the link is to a demo we put together) and have released the code open source."
This is alarming, if true: according to a group of German security researchers at the University of Erlangen, if you put a locked, encrypted Android phone in the freezer for an hour and then quickly reboot it and plug it into a laptop, the memory will retain enough charge to stay decrypted, and can boot up into a custom OS that can recover the keys and boot the phone up with all the files available in the clear. The attack is called FROST: "Forensic Recovery Of Scrambled Telephones," and it requires a phone with an unlocked bootloader to work.
At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than bruteforce is lost to recover data.
We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung. To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking. However, we show that cold boot attacks are more generic and allow to retrieve sensitive information, such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked.
My friend, the technology journalist Andy Ihnatko, traded in his iPhone 4s for a Samsung Galaxy S III. Here's the first of his "three-part epic" for TechHive in which he explains why he did it.
I find that typing on an Android device is faster and much less annoying than typing on my iPhone. It's not even close.
This example also points out some of the philosophical differences that often allow Android to create a better experience for the user. Why is the iOS keyboard so stripped-down? Why can't the user customize the experience? Because Apple's gun-shy about adding features at the cost of simplicity and clarity. They're not wrong; it's a perfectly valid philosophy, and usually an effective one.
But sometimes, an Apple product's feature lands at the wrong side of the line that divides "simple" from "stripped down." The iPhone keyboard is stripped-down.
If you don't like how Android's stock keyboard behaves, you can dig into Settings and change it. If you still don't like it, you can install a third-party alternative. And if you think it's fine as-is, then you won't be distracted by the options. The customization panel is inside Settings, and the alternatives are over in the Google Play store.
But I'll be honest: the fact that the Samsung Galaxy S III doesn't suddenly go bip-BONG! and stick a purple microphone in my face when I'm mentally focused on what I'm writing is reason enough for me to prefer the Android keyboard.
Seriously, Apple. This is the single iOS quirk that makes me hate my iPhone. Every time it happens, it yanks me out of my task, and as I scowl and dismiss the microphone, I wonder if you folks put a lot of thought into this feature. "Press and hold to activate speech-to-text" needs to be a user-settable option.
Also, I wanted to mention that Andy has a terrifically entertaining podcast called The Ihnatko Alamanac, where he covers comics, technology, and other stuff that he expounds upon in colorful ways.
This morning, while hurrying down the concourse at La Guardia Airport, I tried to dictate a text message to my Nexus 4 while wheeling my suitcase behind me. It got the dictation fine, but appended "kdkdkdkdkdkdkdkd" to the message -- this being its interpretation of the sound of my suitcase wheels on the tiles. — Cory
A high-end Chinese electronics company called Oppo has announced a super-deluxe, $500 5-inch Android phone called the Find 5, with some amazing specs:
As the name suggests, the Find 5 has a 5-inch display with a 1080p display, something we saw on the impressive HTC Droid DNA. Inside of the Find 5′s sharply designed chassis, you’ll find Qualcomm’s speedy quad-core Snapdragon S4 Pro processor, 2GB of RAM, 16 gigs of storage and an NFC chip. Yes, the Droid DNA has the same internals. But Oppo one-ups that handset by giving the Find 5 a 13-megapixel rear shooter. There’s a 1.9-megapixel camera up front.
The phone uses Google’s Android 4.1 Jelly Bean operating system and, like Google’s Nexus 4, will run on HSPA+ and GSM networks but not LTE.
For the last year or two I have been using a free location–sharing app on my iPhone called Glympse. It's purpose is simple: when you are driving somewhere to meet someone, the app generates a URL so they can see where you are on a map and track your progress as you are driving.
Today, Glympse introduced a new version of the application, and it has interesting improvements.
Glympse Groups allows users to share and interact via common activities, such as sporting or industry events, meetings or social gatherings. Glympse reveals group members’ real-time locations on a map for a set amount of time, encouraging local interaction and social discovery.
Glympse allows users to automatically schedule location updates to everyone associated with a specific calendar event, virtually replacing the need for “Running Late” or “On my way” emails, texts or phone calls.
When Glympse first debuted, it made it fast and easy for users to “Share Your Where” with others, for a specified period of time without creating yet another network. Now, the new Glympse turns the tables and makes it just as easy to ask your friends, family, and colleagues, “Where are you?” With the new “Request a Glympse” feature, users simply send a request via text or email and recipients can instantly accept and start broadcasting their location for the given time period.
I got an over-the-air update to my Nexus Galaxy last night, and I'm now running version 4.1 of Android, AKA Jelly Bean. My preliminary impression: holy shit, this is awesome. Fast! Like a time-lapse of my old phone with all the waiting edited out. Haven't tried the voice-search yet, but I will.
The Ouya is an Android-based games console design that's been floated on Kickstarter. It's done spectacularly well, garnering over $2.3MM in the first day (now closing in on $4MM), far in excess of its target of $950,000. So much money has been raised, in fact, that the project's founders are now asking supporters for ideas on what to do with all the extra: "The biggest thing for us right now: we are working on our stretch goals, what we can do if we raise more money. It might take us a few days to figure that out, and we want your help."
Ouya's pitch is pretty awesome: a handsome, blobjecty console that is built on free/open source software, free SDKs to level the playing field to developers, with no publishing, licensing or retail fees. They promise easy-to-root hardware, and warranty support for rooted systems, and openness to hacker-designed peripherals.
Have at it: It's easy to root (and rooting won't void your warranty). Everything opens with standard screws. Hardware hackers can create their own peripherals, and connect via USB or Bluetooth. You want our hardware design? Let us know. We might just give it to you. Surprise us!
* Tegra3 quad-core processor
* 1GB RAM
* 8GB of internal flash storage
* HDMI connection to the TV, with support for up to 1080p HD
* WiFi 802.11 b/g/n
* Bluetooth LE 4.0
* USB 2.0 (one)
* Wireless controller with standard controls (two analog sticks, d-pad, eight action buttons, a system button), a touchpad