Boing Boing 

Google yanks vital Android privacy feature

Well, that didn't take long: shortly after Google added a new Android feature that let you deny apps access to your sensitive personal data, they have revoked it. This is frankly terrible, and the Electronic Frontier Foundation's Peter Eckersley has some very pointed commentary, recommendations for Android customers, and advice for Google:

Read the rest

Android gives you the ability to deny your sensitive data to apps

Android privacy just got a lot better. The 4.3 version of Google's mobile operating system now has hooks that allow you to override the permissions requested by the apps you install. So if you download a flashlight app that wants to harvest your location and phone ID, you can install it, and then use an app like AppOps Launcher to tell Android to withhold the information.

Peter Ecklersley, a staff technologist at the Electronic Frontier Foundation, has written up a good explanation of how this works, and he attributes the decision to competitive pressure from Ios, which allows users to deny location data to apps, even if they "require" it during the installation process.

I think that's right, but not the whole story: Android has also always labored under competitive pressure from its free/open forks, like Cyanogenmod.

Read the rest

Cyanogenmod adds encrypted SMS from WhisperSystems

The latest (unstable) build of Cyanogenmod (a free/open version of Android) incorporates a secure, encrypted SMS program called TextSecure, which was created by Open WhisperSystems. Open WhisperSystems's chief engineer is the respected cryptographer and privacy advocate Moxie Marlinspike, and the source for the Cyanogenmod integration is open and available for inspection and scrutiny. The new encrypted SMS is designed to be integrated with whatever SMS app you use on your phone, and allows for extremely private, interception- and surveillance-resistant messaging over the normally insecure SMS. It requires that both parties be using TextSecure, of course -- if you send a TextSecure message to someone without secure messaging, the message will fall back to unencrypted text.

Read the rest

Cyanogenmod installer removed from Google Play store

Two weeks ago, the one-click Cyanogenmod installer hit the Google Play store, making it possible to switch from the stock Android operating system to a more free, more open version without any special expertise. Yesterday, Google asked Cyanogenmod to remove the installer, because using it voids your device's warranty. I've downloaded other apps from the Play Store that root your device and void the warranty, so this seems like a very selective enforcement to me.

In any event, Cyanogenmod's installer can be "sideloaded" into your device without having to go through the Play Store (one of the advantages of Android is that it doesn't attempt to prevent you from installing unapproved software). Hundreds of thousands of people used the Play Store version, and we can hope that it remains in use, even without Google's official support.

Read the rest

One-click Cyanogenmod installer in the Play store


Cyanogenmod Installer is a one-click Android app that unlocks your bootloader, roots your device, and flashes Cyanogenmod's OS onto it. Cyanogenmod is a free/open fork of Android, where much of the proprietary Google elements have been replaced by open equivalents, giving you lots more customizability and privacy in your device. For example, the Cyanogenmod device locating feature lets you find your phone, but makes it much harder for third parties to track you using the same feature. The company raised $7M in venture capital in September, and this is the first serious change the the OS since then, and it's a huge improvement. Previously, installing Cyanogenmod was pretty tricky and arcane, and was a huge barrier to adoption. Now you can download an app from the Play Store, and install with one click.

Read the rest

Apps for Kids 46: Nimble Quest


Apps for Kids is sponsored by HuluPlus. HuluPlus lets you binge on thousands of hit shows – anytime, anywhere on your TV, PC, smart phone or tablet. Click here to support Apps for Kids and get an extended free trial of Hulu Plus.

Apps for Kids is Boing Boing's podcast about cool smartphone apps for kids and parents. My co-host is my 10-year-old daughter, Jane.

In this episode, we review Nimble Quest. It's $2.99 in the iTunes store and free in Google Play.

Our Minecraft contest deadline has been extended to October 11 at noon PT! email us a screenshot or YouTube link of your Minecraft creation and we'll pick a winner to join us on an upcoming episode of Apps for Kids!

If you're an app developer and would like to have Jane and me try one of your apps for possible review, email a redeem code to appsforkids@boingboing.net.

Jane and I love to get your emails with questions about game, gear, and tech. What's your question?

Listen to past episodes of Apps for Kids here.

To get a weekly email to notify you when a new episode of Apps for Kids is up, sign up here.

APPS FOR KIDS: RSS | iTunes | Download this episode | Stitcher

Android vs malware: how to run a secure, open ecosystem


A presentation by Android Security chief Adrian Ludwig at Berlin's Virus Bulletin conference lays out a fascinating picture of the security dynamic in the open Android ecosystem, through which Android users are able to install apps from the official, Google-operated Play Store, as well as from anywhere else they fancy. Ludwig describes a "defense-in-depth" strategy that is based on continuous monitoring of the overall Android world to come up with responses to malicious software. According to Ludwig, only 0.12 percent of Android apps have characteristics that Google thinks of as "potentially harmful" and there are lots of good apps that share these characteristics, so that number doesn't represent the number of infections. There's also a lot of material on the kind of badware they find on mobile handsets, from commercial spyware that looks at users' browser history and location data to snoopware that covertly spies through the camera and mic to fraudware that sends out premium-rate SMSes in the background.

Read the rest

Cyanogenmod goes commercial

The hoopy froods of Cyanogenmod -- a free/open replacement for Android, with lots of privacy- and security-oriented features -- have raised capital and are going commercial. They're going to productize Cyanogen with the motto "available on everything, to everyone." This is great news. Cyanogen isn't just a great OS -- it's also a huge force pushing Google into adding more features, even when the carriers hate them (for example, the addition of a tethering service to Android, which followed on from Cyanogen).

Read the rest

Apps for Kids 45: Bean's Quest (Plus a Minecraft contest!)

Apps for Kids is Boing Boing's podcast about cool smartphone apps for kids and parents. My co-host is my 10-year-old daughter, Jane.

In this episode, we review Bean's Quest. It's $2.99 in the iTunes store and Google Play.

We also announced our first contest! email us a screenshot or YouTube link of your Minecraft creation and we'll pick a winner to join us on an upcoming episode of Apps for Kids!

If you're an app developer and would like to have Jane and me try one of your apps for possible review, email a redeem code to appsforkids@boingboing.net.

Jane and I love to get your emails with questions about game, gear, and tech. What's your question?

Listen to past episodes of Apps for Kids here.

To get a weekly email to notify you when a new episode of Apps for Kids is up, sign up here.

APPS FOR KIDS: RSS | iTunes | Download this episode | Stitcher

CyanogenMod rolls out secure device-locating feature

CyanogenMod is a free/open version of the Android operating system. Yesterday, they announced a cool new feature called CM Account, for recovering and/or wiping lost or stolen devices. Unlike traditional device-locating services, which effectively offer a back-door to your phone or tablet that can be exploited by hackers, spies, or unscrupulous insiders, CyanogenMod's version relies on your browser establishing a secure connection to your device, without anyone in the middle having access to the keys and passwords used to hijack the device and get its location or wipe its drive. The service was developed in part by Moxie Marlinspike, a legendary security and privacy hacker, and the code is open and free for audit.

Read the rest

Nvidia Shield, portable game console, reviewed

Nvidia's Shield is the chipmaker's big push into an already well-stocked portable gaming field. Sony and Nintendo sell millions of handsets, yet their lunch's been conspicuously eaten by Apple's iPhone, and other touchscreen smartphones and tablets, in the last few years.

Resembling a large game controller with a flip-out screen, the $299 monster will win no awards for pocketability, prettiness or pricing. With beefy specs, traditional controls and a versatile, open cut of Android, though, it has a strong appeal to serious gamers—it can even control games streamed live from your PC. What did reviewers make of it?

Read the rest

PIN-punching $200 robot can brute force every Android numeric screen-password in 19 hours

Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours. They built for for less than $200, including the 3D printed parts. It doesn't work on screen-patterns (they're working on that) nor on Ios devices (which exponentially increase the lockout times between unsuccessful password attempts). They're also whomping up new versions that can simulate screen-taps with electrodes, which will run much faster. They're also working on versions that can work against hotel-room safes, ATMs, and other PIN-pad devices. It's a good argument for a longer PIN (six-digit PINs take 80 days to crack), and for using robust and random PINs (26% of users use one of 20 PINs).

Read the rest

On the Android security bug

Peter Biddle, who helped invent trusted computing when he was at Microsoft, discusses the serious Android security bug that was just reported. It's a good, short read, and most alarming is the news that Google's had information on this critical bug since February: "The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain."

Controlling a robot arm with an Android phone

Paul sez, "This past semester, three engineering grad students at the University of Toronto (myself and two others) created an Android app for a course project that allows for wireless and intuitive control of a robotic arm from an Android-powered smartphone. We're pretty proud of the results (the link is to a demo we put together) and have released the code open source."

Android Robotic Manipulator Demo (Thanks, Paul!)

Access files on locked, encrypted Android phones by putting them in a freezer for an hour


This is alarming, if true: according to a group of German security researchers at the University of Erlangen, if you put a locked, encrypted Android phone in the freezer for an hour and then quickly reboot it and plug it into a laptop, the memory will retain enough charge to stay decrypted, and can boot up into a custom OS that can recover the keys and boot the phone up with all the files available in the clear. The attack is called FROST: "Forensic Recovery Of Scrambled Telephones," and it requires a phone with an unlocked bootloader to work.

At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut any chance other than bruteforce is lost to recover data.

We present FROST, a tool set that supports the forensic recovery of scrambled telephones. To this end we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show that cold boot attacks against Android phones are generally possible for the first time, and we perform our attacks practically against Galaxy Nexus devices from Samsung. To break disk encryption, the bootloader must be unlocked before the attack because scrambled user partitions are wiped during unlocking. However, we show that cold boot attacks are more generic and allow to retrieve sensitive information, such as contact lists, visited web sites, and photos, directly from RAM, even though the bootloader is locked.

FROST: Forensic Recovery Of Scrambled Telephones

Why Andy Ihnatko switched from an iPhone to an Android

My friend, the technology journalist Andy Ihnatko, traded in his iPhone 4s for a Samsung Galaxy S III. Here's the first of his "three-part epic" for TechHive in which he explains why he did it.

I find that typing on an Android device is faster and much less annoying than typing on my iPhone. It's not even close.

This example also points out some of the philosophical differences that often allow Android to create a better experience for the user. Why is the iOS keyboard so stripped-down? Why can't the user customize the experience? Because Apple's gun-shy about adding features at the cost of simplicity and clarity. They're not wrong; it's a perfectly valid philosophy, and usually an effective one.

But sometimes, an Apple product's feature lands at the wrong side of the line that divides "simple" from "stripped down." The iPhone keyboard is stripped-down.

If you don't like how Android's stock keyboard behaves, you can dig into Settings and change it. If you still don't like it, you can install a third-party alternative. And if you think it's fine as-is, then you won't be distracted by the options. The customization panel is inside Settings, and the alternatives are over in the Google Play store.

But I'll be honest: the fact that the Samsung Galaxy S III doesn't suddenly go bip-BONG! and stick a purple microphone in my face when I'm mentally focused on what I'm writing is reason enough for me to prefer the Android keyboard.

Seriously, Apple. This is the single iOS quirk that makes me hate my iPhone. Every time it happens, it yanks me out of my task, and as I scowl and dismiss the microphone, I wonder if you folks put a lot of thought into this feature. "Press and hold to activate speech-to-text" needs to be a user-settable option.

Also, I wanted to mention that Andy has a terrifically entertaining podcast called The Ihnatko Alamanac, where he covers comics, technology, and other stuff that he expounds upon in colorful ways.

Why I switched from iPhone to Android

Robots say the craziest things

This morning, while hurrying down the concourse at La Guardia Airport, I tried to dictate a text message to my Nexus 4 while wheeling my suitcase behind me. It got the dictation fine, but appended "kdkdkdkdkdkdkdkd" to the message -- this being its interpretation of the sound of my suitcase wheels on the tiles.