Submit a link Features Reviews Podcasts Video Forums More ▾

Android gives you the ability to deny your sensitive data to apps

Android privacy just got a lot better. The 4.3 version of Google's mobile operating system now has hooks that allow you to override the permissions requested by the apps you install. So if you download a flashlight app that wants to harvest your location and phone ID, you can install it, and then use an app like AppOps Launcher to tell Android to withhold the information.

Peter Ecklersley, a staff technologist at the Electronic Frontier Foundation, has written up a good explanation of how this works, and he attributes the decision to competitive pressure from Ios, which allows users to deny location data to apps, even if they "require" it during the installation process.

I think that's right, but not the whole story: Android has also always labored under competitive pressure from its free/open forks, like Cyanogenmod.

Read the rest

Cyanogenmod adds encrypted SMS from WhisperSystems

The latest (unstable) build of Cyanogenmod (a free/open version of Android) incorporates a secure, encrypted SMS program called TextSecure, which was created by Open WhisperSystems. Open WhisperSystems's chief engineer is the respected cryptographer and privacy advocate Moxie Marlinspike, and the source for the Cyanogenmod integration is open and available for inspection and scrutiny. The new encrypted SMS is designed to be integrated with whatever SMS app you use on your phone, and allows for extremely private, interception- and surveillance-resistant messaging over the normally insecure SMS. It requires that both parties be using TextSecure, of course -- if you send a TextSecure message to someone without secure messaging, the message will fall back to unencrypted text.

Read the rest

Orange UK plumbs the depths of insulting, stupid marketing, finds a new low

I had the above-reproduced SMS exchange with a bot from my horrible mobile phone carrier, Orange UK (now called "EE" after the high-pitched noise my incipient aneurysm makes whenever I have to deal with them, and because vowels) today. They have "good news" -- I have been subscribed to "special offers" from "great brands" via SMS. And I can opt out. Except, surprise, it takes three weeks to process these opt-outs.

Not sure what I should do apropos of any "great brands" who pay Orange to spam me in the runup to Christmas: maybe just name-and-shame them here? Any other ideas?

NSA collecting unimaginable quantities of mobile phone location data for guilt-by-association data-mining

A new Snowden leak reveals that the NSA and major US mobile phone carriers colluded to gather the location of millions of people around the world, including Americans in the USA, people not suspected of any crime, in order to data-mine them and ascribe guilt to people based on whether they were in proximity to suspected terrorists.

The program, called CO-TRAVELLER, tracks at least "hundreds of millions" of devices on "a planetary scale, and comprises at least 27 terabytes of data. According to an NSA document, they are gathering location data more quickly than they can store it, and have been building out more capacity at speed.

Less than one percent of the Snowden documents have been made public to date. Snowden was tasked by his employer with consolidating training and briefing materials from the NSA, and so he had access to enormous amounts of sensitive details on the NSA's internal programs.

Read the rest

Cyanogenmod installer removed from Google Play store

Two weeks ago, the one-click Cyanogenmod installer hit the Google Play store, making it possible to switch from the stock Android operating system to a more free, more open version without any special expertise. Yesterday, Google asked Cyanogenmod to remove the installer, because using it voids your device's warranty. I've downloaded other apps from the Play Store that root your device and void the warranty, so this seems like a very selective enforcement to me.

In any event, Cyanogenmod's installer can be "sideloaded" into your device without having to go through the Play Store (one of the advantages of Android is that it doesn't attempt to prevent you from installing unapproved software). Hundreds of thousands of people used the Play Store version, and we can hope that it remains in use, even without Google's official support.

Read the rest

Your smartphone's hidden, radio-controlling OS is totally insecure

Every mobile phone runs two operating systems; the one you interact with (like Android or Ios), and the one that controls the radio hardware. This second OS is ancient, creaking, and wildly insecure. Security researcher Ralf-Philipp Weinmann of the University of Luxembourg presented work on reverse-engineering the most popular "baseband" OSes from Qualcomm and Infineon and the horrifying security vulnerabilities he found. Anyone operating a cellular base-station (you can buy 'em on Ebay or build them from open source hardware specs) can send a 73-byte message that lets them run raw code on the processor; can silently activate auto-answer, crash the device, brick devices, install rootkits, send SMSes to premium numbers, and more.

Read the rest

One-click Cyanogenmod installer in the Play store

Cyanogenmod Installer is a one-click Android app that unlocks your bootloader, roots your device, and flashes Cyanogenmod's OS onto it. Cyanogenmod is a free/open fork of Android, where much of the proprietary Google elements have been replaced by open equivalents, giving you lots more customizability and privacy in your device. For example, the Cyanogenmod device locating feature lets you find your phone, but makes it much harder for third parties to track you using the same feature. The company raised $7M in venture capital in September, and this is the first serious change the the OS since then, and it's a huge improvement. Previously, installing Cyanogenmod was pretty tricky and arcane, and was a huge barrier to adoption. Now you can download an app from the Play Store, and install with one click.

Read the rest

Papa Sangre II: 3D audio video game with no video

Paul from London's Somethin' Else sez, "We have been working hard on video games that use 3D (binaural) audio instead of graphics, because the graphics card in your head is better than the one in your phone. We've just released Papa Sangre II — a video game with no video — and we're incredibly proud of it. It stars Sean Bean (BOROMIR! NED STARK!) and it's a huge advance on the first game. We've actually managed to make something close to 'Wii Shit Your Pants' by using techniques with some fun haptic input on the Iphone. Plus if we sell enough on Ios we'll be able to release an Android version, now." Cory 6

Unfuck your Habitat: the app

I blogged the site Unfuck Your Habitat, which offers timely, humane, simple advice for people who struggle with mess and disorganization . Today there's "MAKE YOUR BED: excuses are boring" and a brief post on getting sex stains off a comforter, though a more typical bedtime post reads:

Unfuck tomorrow morning

* Wash the dishes in your sink
*Get your outfit for tomorrow together, including accessories
*Set up coffee/tea/breakfast
*Make your lunch
*Put your keys somewhere obvious
*Wash your face and brush your teeth
*Charge your electronics
*Pour a little cleaner in the toilet bowl (if you don’t have pets or children or sleepwalking adults)
*Set your alarm
*Go to bed at a reasonable hour

All of this simple and useful stuff has been packaged into a new Android app that's simple and cute -- good advice, timers for short sprints of cleaning (along with suggestions, room by room, for said sprints), a wall commemorating your achievements, and the same friendly, understanding, compassionate approach to "terrifying motivation for lazy people with messy homes."

Read the rest

Conductive cosmetics to control mobile devices

Computer scientist Katia Vega has developed conductive eye shadow and false eyelashes that can be used to control wearable computers. For example, an extended blink could trigger your phone's camera. "We use voluntary movements to amplify intentions – using our body as a new input device," Vega, a researcher at Rio de Janeiro's Pontifical Catholic University, told New Scientist.

Android vs malware: how to run a secure, open ecosystem

A presentation by Android Security chief Adrian Ludwig at Berlin's Virus Bulletin conference lays out a fascinating picture of the security dynamic in the open Android ecosystem, through which Android users are able to install apps from the official, Google-operated Play Store, as well as from anywhere else they fancy. Ludwig describes a "defense-in-depth" strategy that is based on continuous monitoring of the overall Android world to come up with responses to malicious software. According to Ludwig, only 0.12 percent of Android apps have characteristics that Google thinks of as "potentially harmful" and there are lots of good apps that share these characteristics, so that number doesn't represent the number of infections. There's also a lot of material on the kind of badware they find on mobile handsets, from commercial spyware that looks at users' browser history and location data to snoopware that covertly spies through the camera and mic to fraudware that sends out premium-rate SMSes in the background.

Read the rest

Iphone fingerprint hacker on the limits of biometrics for security

Jan "Starbug" Krissler, the Chaos Computer Club researcher who broke the fingerprint reader security on the new Iphone, had given a long interview to Zeit Online explaining his process and his thoughts on biometrics in general. The CCC's Alex Antener was good enough to translate the interview for us; I've included some of the most interesting bits after the jump.

Read the rest

New Cyanogenmod release for Android devices includes secure locate-my-device and remote wipe

The Cyanogenmod project -- a free, open version of Android with lots of great features that Google can't or won't add to the official version -- has a new release out, 10.1.3. The new release includes CM Account, a way of finding lost phones and wiping them that -- unlike similar functions in Android and Ios -- does not allow the company itself to keep track of your device or erase it.

Read the rest

Cyanogenmod goes commercial

The hoopy froods of Cyanogenmod -- a free/open replacement for Android, with lots of privacy- and security-oriented features -- have raised capital and are going commercial. They're going to productize Cyanogen with the motto "available on everything, to everyone." This is great news. Cyanogen isn't just a great OS -- it's also a huge force pushing Google into adding more features, even when the carriers hate them (for example, the addition of a tethering service to Android, which followed on from Cyanogen).

Read the rest

Why fingerprints make lousy authentication tokens

An "expert" quoted in the Independent predicts that thieves will amputate their victims' fingertips in order to bypass the biometric locks on the new Iphones. I'm not particularly worried about this vulnerability (if you're willing to cut off someone's fingertip to unlock his phone, you're probably also willing to torture him into giving up his PIN), though I remember reading stories of carjackers who amputated their victims' fingertips in order to make off with their biometrically protected cars.

More interesting is the prediction that phone thieves will lift their victims' fingerprints and use them to bypass the readers. As German Interior Minister Wolfgang Schauble discovered, you leak your fingerprints all the time, and once your fingerprint has been compromised, you can't change it. (Schauble was pushing for biometric identity cards; playful Chaos Computer Club hackers lifted his fingerprints off a water-glass after a debate and published 10,000 copies of them on acetate as a magazine insert).

This is the paradox of biometric authentication. The biometric characteristics of your retinas, fingerprints, hand geometry, gait, and DNA are actually pretty easy to come by without your knowledge or consent. Unless you never venture into public without a clean-room bunny-suit, mirrorshades, and sharp gravel in your shoes, you're not going to be able to stop dedicate strangers from capturing these measurements. And as with Schauble's fingerprints, you can't revoke your DNA and replace it with new DNA once a ripoff artist has used it to clean out your bank-account or break into your workplace.

That's why cops use them, after all: it's nearly impossible to keep them to yourself, and once they're in the wild, they can be used against you.

Read the rest