Category Archives: Android

Google Trying to Compete With Apple in Android Security

I think it would be hard to argue with the statement that when it comes to mobile (phone) security, Apple has it all over Google.

For the most part, other than for the Google branded phones, that is because they have to work through the handset manufacturers and wireless carriers.

Apparently, not any more.

For new phones running Android Q, currently in beta, Google will directly install updates for 14 modules of the Android OS – without the user even having to reboot.  This is moving Android (very slowly) in the direction of a microkernel operating system like Minix 3.0 (full disclosure – my brother’s team wrote Minix 3.0).

The 14 modules are:

ANGLE
APK
Captive portal login
Conscrypt
DNS resolver
Documents UI
ExtServices
Media codecs
Media framework components
Network permission configuration
Networking components
Permission controller
Time zone data
Module metadata

If one of these modules is updated, they stop the service, update it and restart it.  Transparently to the user.  And dealing out both the handset manufacturer and the carrier.

But only for phones that come with Android Q out of the box – not those that get it via an upgrade (probably due to the license agreement between Google and the handset vendor).

Handset manufacturers CAN opt out of this, called project Mainline, but why would they?

Android Q comes with 50 security enhancements in addition to this, including TLS V3, MAC address randomization, increased control over location data and better user control over what apps have what permissions.

For users, they should be looking for phones that ship with Android Q out of the box and where handset manufacturers are supporting project Mainline.

For users, whether Q comes out of the box or via an upgrade, you still get the new security features.  If you are a security conscious Android user, you should definitely look for Q on your next phone.

Source: ZDNet.


Financial Institutions are Risking Customers’ Data. And Money.

Banks are very good at security.  Certain kinds of security, that is.

They have vaults with really cool doors.

Many banks have armed guards.  And alarms.

In some cities they put tellers in cages to protect them (that is NOT a great metaphor).

But when it comes to developing software, they are subject to the same challenges that everyone else developing software deals with.

So it shouldn’t be much of a surprise that banking software for your phone is not as secure as it should be.

According to a recent report of 30 mobile banking apps offered by financial institutions, almost all of the apps could be reverse engineered by hackers, revealing account information, server information and other non-securely stored data.

According to the report, 97% of the apps tested lacked the proper code protections.  90% of the apps shared services with other apps on the device.  83% of the apps stored data insecurely.  You get the idea.

And that is not the end of it.  For more information on what the apps are doing wrong, read the Tech Republic Article below.

So what should you be doing?

Believe it or not, bank web sites are probably more secure than their apps.  For one thing, the web sites run on servers owned or controlled by the banks.  Your phone is, to be polite, a cesspool when it comes to security.  All those apps, many that were there when you bought the phone and a lot that you can’t remove, even if you want to.

General phone cyber hygiene helps.  Don’t install any apps that you don’t need to.  Remove apps that you don’t use any more, if you can.  Patch your phone’s operating system and apps whenever patches are available.

To the degree that you can avoid installing banking apps (I know they want you to use them), that is more secure.

Unfortunately, the report does not list which apps it tested and which apps came up on the wrong side of the security story.  Needless to say, the banks are not going to tell either.  My guess is that the researchers are worried about being sued.  Which does not help us.

Do look for third parties that review apps for security.  Since most people don’t ask whether their money is secure, I haven’t found many, but keep looking.

If I find more information, I will post it.

Source: Tech Republic.

Android Q (Version 10) To Have A Number of New Security Features

NOTE:  This is a bit of a rant on my part, but I will get to the good stuff further down.  Sorry, but I think the subject is important.

While the fact that Google is finally trying to counter Apple’s various ad campaigns, such as their CES ad and their March Madness ad campaign “if privacy matters in your life, it should matter to the phone your life is on”, is a good thing, it does not really solve the problem.

Android P or Pie, version 9,  was released in March of last year.  Here is the most recent distribution of Android OSes on active phones.

Android Pie is represented by the light blue bars on the top in the last three bars and is a tiny percentage of the market.

As of January, 2% of phones are still running Android 4,  almost 5% are running Android 5, 10% are running Android 6, 21% are running Android 7, 54% are running Android 8 and only 5% are running Android 9 – roughly.

Android 4.4, the last version of Android 4, was released in 2013; Android 5 in 2014, Android 6 in 2015, Android 7 in 2016 and Android 8 in 2017.

All versions of the Android OS before version 7 are no longer supported and will never have security holes fixed.  That means around 20% of the Android phones out there are unsupported and when Android 10 is released this summer, that number will rise as Android 7 support gets discontinued.

While companies have been (sort of) good about getting rid of unsupported Windows OSes (like Windows XP), they have been much less active in stomping out unsupported phone OSes.

As employees move more and more to using their mobile devices as a true computing device, this is becoming a bigger security challenge for all companies – one that most companies have been ignoring.  THE SINGLE BIGGEST UPCOMING THREAT TO COMPANY DATA IS OLD, UNPATCHED MOBILE DEVICES.  This is especially true in regulated industries where very sensitive financial, health and national security data is accessed.

Apple has been very good about upgrading their phones to the current iOS version, supporting iPhones from the current iPhone 10 all the way back to the iPhone 5S and pretty much shoving the new releases down their users’ collective throats, whether users are happy about the results or not (older iPhones typically run slower with the newer releases).  But, at least, those phones are as secure as Apple knows how to make them.

But for Android phones, there are WELL over 1,000 MANUFACTURERS of Android phones and likely WAY over 10,000 phone models in use.

Add to this Android’s fractured release distribution model.  Users, other than Pixel users, do not get their software updates from Google like Apple users get theirs from Apple.   Rather they have to wait for Google to release fixes, their phone vendors to tweak them and their phone carrier to actually push them down.

Many phone vendors don’t ever release patches and that does not seem to be much of a decision-making consideration on the part of users (and really shouldn’t have to be).

The Fortune 100 and the carriers could change this pretty quickly (like we are not going to sell your phone and we are not going to buy your phone unless you release monthly patches), but that has not happened yet.

Google is trying hard to improve this.  Last year they made two changes.  First, they layered the operating system so that they can make (security) changes below a certain layer without affecting Android apps that carriers get paid to install on your phone and second, they began to require phone manufacturers to release patches a few times a year for two years.

While this is an improvement, many people (most people?) keep phones for more than two years and don’t buy those phones on the date they were released, so while this is a start, it is not a solution.

Companies need to understand that this is a risk and decide what their company policies are going to be regarding allowing users to access company data using phones that are vulnerable and unpatched.  For companies that are subject to regulations such as HIPAA or NIST SP 800-171, this is a violation of the regulation and could possibly get the company fined.

OK, enough ranting.

What is coming in Android Q (Version 10)?

The Android Q beta will drop this month and the best guess is that it will be released in August.  Some of the new security features include:

  • The Android OS will stop tracking contacts “affinity” (who is talking to whom on your phone – yes they have been doing that forever), so that will no longer be available to apps
  • Phones will transmit a RANDOM MAC address (the address of the network card) to reduce sites’ ability to track based on MAC address.
  • Only some apps will be able to obtain the device’s serial number and IMEI (electronic serial number).
  • Users will get more control over location permissions.  Now you will be able to say that an app can only access your location when it is the active application on your screen.  This comes after it was released that some apps, running in the background, transmit your location data to the app maker over a thousand times a day.
  • Only the active app can access data stored in the clipboard.
  • Some network device state information will now be restricted.
  • Apps will need to have access to a special FINE location API (for WiFi and Bluetooth).  This is how grocery stores, for example, know that you are in the cereal aisle and can send you ads for cereal and not pantyhose.
  • Each app will be given a sandbox regarding access to the disk on “external” storage (USB storage).  Currently, if you give an app access to USB storage, they can access any data on the device.  If apps are well behaved, this is not a problem, but ….
  • There are new restrictions on apps starting in the background without telling you.
  • There are several changes to the permissions model – apps will need to be given specific permissions in order to detect, for example, a user’s movement.

One thing Apple has figured out how to do, is to get users to spend a thousand dollars on a new phone every year or two (An iPhone XS Max with 512 gig of storage costs almost $1,500!!!).  Not sure how they do this, but they have.  Android users are much more sensible.

Until users understand that their devices (and more importantly their data) are at risk because they are not being patched, this is unlikely to change.

Information for this post came from Helpnet Security.


One in Three Companies Suffered Data Breaches Due To Mobile Malware

As people use their mobile devices as what one friend used to call a “pocket super computer” as opposed to something where you dial 7 digits (remember that) and talk to someone, hackers have figured out that the new attack vector is your phone.

In part, this is due to the fact that finally, after 20 years of trying, Apple and Microsoft have significantly improved the security of their operating systems, making the hacker’s job more difficult (let’s ignore for the moment that people are not very good about applying patches).

When it comes to phones and security, we are at roughly the same point we were with Windows computers in say 1995 or so.  That is not very comforting.

For example,  when was the last time you patched your phone?

In fact, DO YOU KNOW FOR SURE if there are patches available for your phone on a regular – monthly – basis?

For most iPhone users, Apple does provide patches for the operating system BUT NOT FOR THE APPLICATIONS THAT RUN ON IT. And not for old iPhones.

For Android users, it is a much more complicated situation that splits the job between Google, the phone manufacturer (such as LG or Samsung or 100 other vendors) and the carrier.  With one exception – Google provides patches directly to phones for Google branded phones.

According to a new Verizon report, one in three organizations ADMITTED that  they suffered a compromise due to a mobile device.  That is up five percent since last year.  And probably highly underreported.

Mobile devices are susceptible to many of the same attacks as Windows and Macs as well as a whole host of special mobile attacks.  And, no, Linux users are not in the clear.  Remember that the Android kernel is basically Linux and the iPhone OS is basically BSD Unix on top of a Mach kernel, so all phones are Linux cousins and other relatives.

And here is an interesting tidbit – OVER 80 percent of organizations BELIEVE their protections are either effective or very effective, even though less than 12 percent had implemented all basic protections: Encrypting data on public networks, changing default passwords, REGULARLY testing security systems and restricting access based on a need to know.

80% of the companies said they could spot a problem quickly.  Only problem is that 63% of the problems were found by customers.

Okay, so now that we have a kind of “state of the phone security union”, what should you do?

First, you should create a policy regarding mobile device security.

Part of that policy needs to include what mobile devices are allowed to access corporate data (for example, only phones which are running a currently supported operating system) and what happens if the mobile device does not meet those requirements.

Then you need to decide how you are going to enforce the rules – software generically called mobile device management (MDM) is the most efficient way to do that and there are many vendors of MDM software.

Next you need to set up the people and the processes to make this work from now forward.  (If you need help with this, contact us).

Not simple, not easy, but absolutely necessary.  Sorry.

Some information for this post came from CSO.


Now (Some) (Important) Meta Data Can Be Encrypted

Worried about the NSA capturing all that metadata about you?  That is the stuff about you that the government says it can collect without a warrant (and courtesy of the Patriot Act) because you send it unencrypted over the Internet and so you have no expectation of privacy.

A big part of the data (besides the Internet address that identifies you) is the DNS queries that you make.

DNS is the phone book that the Internet uses to map a friendly name like www.foxnews.com to an IP address like 23.36.10.215 that the Internet can route.

This week Google announced that its DNS service (the one at 8.8.8.8) can now handle DNS over TLS (meaning that your queries are encrypted), blinding not only the NSA but also making it more difficult for your ISP to sell your data as well.

Since DNS is used so much, there was a lot of work done to make sure that DNS over TLS was fast, including using TCP fast open, pipelining and supporting out of order responses.

You can use DNS over TLS in one of two ways and the distinction is important.  The first is opportunistic, meaning it will encrypt your data if it can.  The other is called strict, which means that if the receiving server won’t accept encryption, the transmission will fail.
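The difference between the two modes shows up when the encrypted channel cannot be established. The sketch below is an added example, not code from the original post or from Google; `resolve`, `FakeNetwork` and `run` are hypothetical names, and the network is a constructed stand-in so the example runs offline.

```python
import struct

class TLSUnavailable(Exception):
    """TLS handshake failed, port 853 was blocked, or the certificate did not validate."""

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query message (one question, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DNS over TLS carries each message behind a 2-byte length prefix, as DNS over TCP does."""
    return struct.pack("!H", len(msg)) + msg

def resolve(name, mode, tls_send, plain_send):
    """Return (answer, channel). mode is 'strict' or 'opportunistic'."""
    if mode not in ("strict", "opportunistic"):
        raise ValueError("unknown mode: %r" % mode)
    msg = build_query(name)
    try:
        return tls_send(frame(msg)), "tls"
    except TLSUnavailable:
        if mode == "strict":
            raise                            # fail closed: nothing leaves in cleartext
        return plain_send(msg), "cleartext"  # opportunistic: silent downgrade

class FakeNetwork:
    """Constructed stand-in for the network. `observed` holds what an on-path
    listener (ISP, Wi-Fi operator) could read."""
    def __init__(self, tls_works):
        self.tls_works = tls_works
        self.observed = []
    def tls_send(self, framed):
        if not self.tls_works:
            raise TLSUnavailable("encrypted channel could not be established")
        return "23.36.10.215"      # sample answer; the query itself stayed encrypted
    def plain_send(self, msg):
        self.observed.append(msg)  # the query name is readable on the wire
        return "23.36.10.215"

def run(mode, tls_works):
    """Resolve once and report (outcome, number of queries leaked in cleartext)."""
    net = FakeNetwork(tls_works)
    try:
        _, channel = resolve("www.foxnews.com", mode, net.tls_send, net.plain_send)
    except TLSUnavailable:
        channel = "failed"
    return channel, len(net.observed)

if __name__ == "__main__":
    for mode in ("opportunistic", "strict"):
        for tls_works in (True, False):
            print(mode, "tls_works=%s" % tls_works, run(mode, tls_works))
```

When TLS is unavailable, opportunistic mode still returns an answer but the query name crosses the network readable, while strict mode returns nothing and leaks nothing.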

Google made support for it available for Android 9 (Pie) users yesterday.  Android 9 users will have to make some settings changes to use it.  Users of older phones will have to upgrade.

Cloudflare also supports DNS over TLS and also DNS over HTTPS, an older variant of it, but until the phones support it, it is unimportant what services support.

Apparently iPhone users can do this too, but Apple does not support it natively; you have to do some significant shenanigans to get it to work.

Information for this post came from the Hacker News.

HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon on its HIPAA compliance process.  The article was not favorable, and it was also interesting.

The issue that they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After this person bought it, the vendor put a picture of it, with the lady’s name, birth date and medical condition on it in an ad on Amazon.  The customer found out about it when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into trouble for not understanding and complying with HIPAA, this is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because they are neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA type information on behalf of one or more covered entities.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iPhones, Android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state’s privacy laws.  This is likely because legislators are usually lawyers and lawyers rarely understand tech and often don’t understand privacy and they think that your healthcare data is protected under HIPAA.  It is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your health care information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.