Tweaks made to Android OS are causing massive security holes

Last month, I used up a good chunk of text talking about how much I’ve come to enjoy using Android-powered smartphones. Unfortunately, a story I ran across over at Wired has convinced me that, at least for the time being, spending significantly more time with my iPhone 6 Plus might be a good idea.

According to the report, for many Android users, it’s not necessary to download an altered .APK file from a shady torrenting website or click an email link that’ll fill your handset up with malware in order to compromise your smartphone’s security. Twenty-five different Android smartphone models, made by well-known manufacturers and available across North America, have been found to be full of security flaws and other exploitable nightmares baked into them. The most frustrating part of it all: none of the exploits detailed in the story would be there if the manufacturers had their shit together.

From Wired:

The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn’t have to be there.

Instead, they’re a byproduct of an open Android operating system that lets third-party companies modify code to their own liking. There’s nothing inherently wrong with that; it allows for differentiation, which gives people more choice. Google will release a vanilla version of Android Pie this fall, but it’ll eventually come in all kinds of flavors.

Those modifications lead to headaches, though, including the well-established problem of delays in shipping security updates.

Fortnite welcomes Android users

Google fans no longer get an automatic L: Epic Games has opened pre-registration for Fortnite Android.

Fortnite Battle Royale is Epic Games' 100-player, last-player-standing megahit. Cartoon-y as heck, with Wile E. Coyote-like antics, eliminated players are sent back to the lobby while their opponents dance and celebrate their wins.

Fortnite for Android will be available on some devices. I'll post the list below. Purchase a new Samsung Note 9 or Galaxy Tab S4 and you get an awful looking skin to play with that other folks won't have.

Epic has some confusing partnership with Samsung but the game is available on other manufacturers' handhelds as well. Epic is NOT partnering with Google, and has elected not to distribute the game via the Google Play store. Survive the storm, beware the malware. Downloads will be direct from Epic.

Sign up here.

Android Beta initially will work on the following devices:

Samsung Galaxy: S7 / S7 Edge, S8 / S8+, S9 / S9+, Note 8, Note 9, Tab S3, Tab S4
Google: Pixel / Pixel XL, Pixel 2 / Pixel 2 XL
Asus: ROG Phone, Zenfone 4 Pro, 5Z, V
Essential: PH-1
Huawei: Honor 10, Honor Play, Mate 10 / Pro, Mate RS, Nova 3, P20 / Pro, V10
LG: G5, G6, G7 ThinQ, V20, V30 / V30+
Nokia: 8
OnePlus: 5 / 5T, 6
Razer: Phone
Xiaomi: Blackshark, Mi 5 / 5S / 5S Plus, 6 / 6 Plus, Mi 8 / 8 Explorer / 8SE, Mi Mix, Mi Mix 2, Mi Mix 2S, Mi Note 2
ZTE: Axon 7 / 7s, Axon M, Nubia / Z17 / Z17s, Nubia Z11

See the FAQ for the list of more compatible devices.

I'm an Android loving iPhone user

Hardware reviews are a big part of how I put bread on the table. In order to do my job properly, I’ve got to be something of a platform agnostic.

While I do most of my writing using Apple devices, I also have to consider other platforms in my coverage: software that works well on a laptop running Windows 10 may be a dog’s breakfast on a MacBook once it’s been ported.

A Bluetooth speaker that sounds great when paired with my iPhone 7 Plus, for example, might sound like hot garbage when linked to another audio source. So I invest in other hardware that may not be used as part of my day-to-day life, but which I still need to think about when doing my job.

About six months ago, I came to the conclusion that maybe hauling the hardware out when it came time to test something and then throwing it back in a box when I’m done with it wasn’t enough: to really understand whether, say, a pair of headphones that comes with an app to control their EQ or noise cancellation, without seeing how it fits into my day-to-day life using a given platform. So, I upped the amount of time that I spend working in Windows 10, I now read books on both Kobo and Amazon e-readers and, in a real shift in how I live my life, I’ve spent more than half a year using Android-powered smartphones as my daily drivers. In the time since I last used an Android device as my go-to, things have improved so much, I was taken aback.

Android's keyboard will no longer autocomplete "sit" with "on my face" thanks to me

Last week, I sent an SMS to our babysitter that said, "Hey, are you free to sit on," and rather than offering autocomplete suggestions like "Saturday" or "Friday," the default Android keyboard suggested "on my face and."

Redditor claims Chinese border guards installed malware on his phone

BigTyPB: "I saw the installation process, an icon appear on the home screen, the police ran the application and then the icon hid itself. Not sure if it rooted my phone or what. I know something was running on my phone because they used a handheld device to confirm our phones were communicating with their system before letting us go."

Fortnite is coming to Android to kill your productivity

It's still a few months down the road but, if you're an Android user, like I am more and more, these days, there's reason for celebration: Fortnite is finally coming to the platform.

Fortnite has been at the top of the hot game dog pile in the iOS App Store for some time now. And no wonder: it's accessible, fun, looks great and, at least on more recent iPhone handsets, plays like a dream. According to TechCrunch, prior to bringing the game to iOS, Epic Games was making $126 million in revenue off the title. With this being the case, it makes sense that they'd throw all of the resources possible to make Fortnite playable on every single platform on the planet. That Android users would soon be able to crush any hope they have of being productive throughout their day wasn't the only thing that Epic had to say about the game, either.

From TechCrunch:

That news comes amid a flurry of other Fortnite-related announcements this week. Earlier this morning, Epic unveiled a Battle Royale competition with a large in-game cash prize. This morning, the company also laid out plans to bring voice chat and improved gameplay and controls to the mobile side of things. Stats are coming to mobile, as well, along with a reduced install size.

While I prefer playing shooters, survival games and other twitchy fare that requires a fine touch with a keyboard, mouse or gamepad (I know you can use all of that with Android, but it feels gross to haul those around with a smartphone), having the option to play a huge title like this on the go, no matter whether I'm rocking an iPhone or my OnePlus handset at the time, is pretty great.

I've been using my $120 Amazon 10" Fire HD Tablet for 5 months and love it

I use my Amazon Fire HD 10 every day. At $120 it is the bargain tablet I wanted.

My bright red Amazon Fire HD 10" tablet is amazingly darn useful. Compared to the Apple equivalent I've saved $100s of dollars on features I didn't want to use. I bought this tablet as soon as it was announced, and it has become a pretty constant companion.

Amazon doesn't like how Signal circumvents censorship

Signal is an encrypted messaging app for smartphones and desktops that I and a lot of other folks use on a daily basis to communicate with discretion and security. I like it so much that I've moved away from using other services on my iOS and Android phones to using Signal for all of the texting I do, even with those who don't use the app. Unfortunately, according to The Verge, the Signal team is having a difficult time trying to provide its services to users in the UAE, Egypt and Oman, where the app has been banned by the government. Considering the fact that these states aren't known for treating political dissidents and minorities too well, that's a big deal. For some people, encrypted comms are essential to avoiding incarceration or worse.

The crux of Signal's issues with providing services to users in these countries is that Amazon, whose CloudFront web services Signal's parent company, Open Whisper Systems, uses, has banned domain-fronting. Domain-fronting, put simply, is a technique for making traffic from one site look like it's from another site. In an email received by Open Whisper Systems' founder, Moxie Marlinspike (best damn name in the business), the General Manager of Amazon CloudFront called Open Whisper Systems' domain-fronting out, telling Marlinspike that Amazon would love to have their business, but not if his company refuses to comply with their no domain-fronting policies.

From the email:

When access to Signal was originally censored in Egypt, Oman, Qatar, and UAE, we responded by through Google App Engine.

It's 2018, and Google just proposed an instant messaging tool with no encryption

It's 2018, five years after Edward Snowden's documents revealed the scope of US and allied mass surveillance; after a string of revelations about creepy private-sector cyber-arms-dealers who sell spying tools to stalkers, criminals, and autocratic governments, Google has proposed "Chat," a new Android standard for instant messaging with no encryption and hence zero protection against snooping.

F-Droid: A free, open, privacy-oriented Android app store that corrects Android's "original sin"

After uncovering a ferocious horde of hidden spyware in official Android apps, the Yale Privacy Lab and Exodus have pitched in with F-Droid's app store that only allows apps that include their source-code and whose licenses require anyone who modifies them to also include the source.

A newly discovered strain of Android malware contains never-seen surveillance features

A new research report from Kaspersky Labs details their analysis of Skygofree, a newly discovered strain of malware that offers some of the most comprehensive and invasive surveillance tools ever seen for Android.

Researchers craft Android app that reveals menagerie of hidden spyware; legally barred from doing the same with iOS

Yale Privacy Lab and Exodus Privacy's devastating report on the dozens of invasive, dangerous "trackers" hidden in common Android apps was generated by writing code that spied on their target devices' internal operations, uncovering all manner of sneaking trickery.

Mozilla's new Android browser blocks ads and trackers

Mozilla has extended and improved its Firefox Focus browser, heretofore an iOS product, bringing it to Android, with auto-blocking of trackers and ads and making it easy to erase your browser history.

Netflix app will no longer run on rooted Android devices

Netflix has become one of the main forces for DRM in the world, a driver behind the W3C's dangerous, web-scale DRM project, and now they've announced that their app will no longer run on rooted/bootloader unlocked Android devices, because these devices can run code that overrides Google Widevine DRM (Widevine doesn't work well under the best of circumstances, and it harbored unpatched, showstopper bugs since its very inception).

235 apps attempt to secretly track users with ultrasonic audio

Ultrasonic beacons let advertisers build an idea of when and where you use your devices: the sound plays in an ad on one device, and is heard by other devices. This way, they can associate two gadgets with a single user, precisely geolocate devices without aGPS, or even build graphs of real-world social networks. The threat was considered more academic than some, but more than 200 Android apps were found in the wild using the technique.

In research sponsored by the German government [PDF], a team of researchers conducted extensive tests across the EU to better understand how widespread this practice is in the real world.

Their results revealed Shopkick ultrasonic beacons at 4 of 35 stores in two European cities. The situation isn't that worrisome, as users have to open an app with the Shopkick SDK for the beacon to be picked up.

In the real world, this isn't an issue, as store owners, advertisers, or product manufacturers could incentivize users to open various apps as a way to get discounts.

From the paper:

While in April 2015 only six instances were known, we have been able to identify 39 further instances in a dataset of about 1,3 million applications in December 2015, and until now, a total of 234 samples containing SilverPush has been discovered. We conclude that even if the tracking through TV content is not actively used yet, the monitoring functionality is already deployed in mobile applications and might become a serious privacy threat in the near future.

Apparently it's not very effective (consumer speakers and mics aren't designed with ultrasonic use in mind and the authors say noise, audio compression and other factors "significantly affects the feasibility" of the technology) but the intent is clearly there on the part of advertisers and appmakers to make a stab at it.

Even by North Korean standards, the DPRK's Ullim tablet is creepily surveillant

The Ullim Tablet is the latest mobile device from North Korea to be subjected to independent analysis, and it takes the surveilling, creepy nature of the country's notoriously surveillant Android devices to new heights of badness.

Poisoned wifi signals can take over all Android devices in range, no user intervention required

Vulnerabilities in the Broadcom system-on-a-chip that provides wifi for many Android devices mean that simply lighting up a malicious wifi access point can allow an attacker to compromise every vulnerable device in range, without the users having to take any action -- they don't have to try to connect to the malicious network.
