Category Archives: Android

THIS is Why Patching Your Phone Is Important

I tend to be a bit of a dog on a bone when it comes to patching your phone.  Apple helps its phone owners and usually shoves patches down your throat, whether you want them or not – as long as the phone is still supported.

But when it comes to Android phones, it is an entirely different game unless you own a Google branded Pixel, Pixel 2 or Pixel 3 phone.  For those phones, Google releases and installs patches like Apple does.

For every other Android phone, Google publishes the open source code to a public repository every month.  Then the phone’s manufacturer has to download it and integrate any changes that it made.  Up until recently, this was a completely optional decision on the part of the phone manufacturer.  Once this is done and tested, the manufacturer, say LG Electronics, has to make the code available to each of the mobile carriers around the world.  The mobile carrier then needs to integrate its changes into the code and test it.  Again, completely voluntary.  There will be a new option for brand new phones released with Android 10 this fall, but nothing now.

One more thing.  Most manufacturers only patch a phone for a year or two AFTER THE INITIAL RELEASE – not after the date that you bought it.  So, if a phone was released in January 2017 and you bought it in March 2018, it likely will only be patched for the first 9 months that you own it, at best.  This means that for most of the time that you are using the phone, it will be vulnerable to being hacked.  If you keep the phone for say 3 years – many people keep Android phones longer – then for about 2 and a half of those years, it will be open to attack.

This is why understanding this and being vigilant about patching is so important.  And why many Android phones are already compromised.

So why today?

Security firm Tencent announced two critical bugs in the Qualcomm chipsets and one in the driver that would allow a hacker to take over an affected phone WITH NO USER ACTION REQUIRED.

Check out the link below for the details and CVE numbers.

Once compromised, the attack gives hackers full system access, including the ability to install rootkits (which are not detectable) and steal any information on the phone, most likely without being detected.

Some of the Qualcomm chipsets affected are:

“IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130”

Point is – a lot of them, affecting a lot of phones – most of which will never be patched.

While the researchers have not released all of the details on how to do the hack, all that is required is that you have WiFi enabled and are within WiFi range of the attacker, such as being out in public in a store, coffee shop, airport, hotel or meeting area, just to name a couple of options.

If you use an Android phone, check to see if it is receiving patches.  If you store anything sensitive on the phone, disable WiFi if you can.

IF YOUR PHONE IS NO LONGER RECEIVING PATCHES, THERE IS NOTHING THAT YOU CAN DO OTHER THAN NOT USING WIFI OR BUYING A NEW PHONE.

It will not be long before attackers figure out the details and start using this in the wild.

Source:  The Hacker News.


Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that.  There are an amazing number of sensors on the device and many apps just ask for everything.  If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.

Some of these apps are mainstream apps.  For example, Shutterfly grabs the GPS coordinates out of your pictures, assuming they are there in the photos.

Does this mean that they are hacking the phone?  No, it means that they have figured out how to finesse the system.

Another thing that some apps do is look for data other apps leave unprotected on the phone and snarf that data up.  For example, older versions of Android do not protect individual apps’ data on external storage.  If you give an app access to external storage, it can rummage around on that external storage for any data that might be there.

If an app can find the phone’s IMEI number (basically the phone’s serial number) that another app, one with permission to read it, retrieved and left unprotected, then it can tie all of your data to you even if it doesn’t have permission to retrieve your serial number itself.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application.  That means the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system.  As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does and if you can’t be sure, you can sniff the network traffic and see what is actually happening.

Source: The Hacker News.


Google Trying to Compete With Apple in Android Security

I think it would be hard to argue with the statement that when it comes to mobile (phone) security, Apple has it all over Google.

For the most part, other than for the Google branded phones, that is because they have to work through the handset manufacturers and wireless carriers.

Apparently, not any more.

For new phones running Android Q, currently in beta, Google will directly install updates for 14 modules of the Android OS – without the user even having to reboot.  This is moving Android (very slowly) in the direction of a micro kernel operating system like Minix 3.0 (full disclosure – my brother’s team wrote Minix 3.0).

The 14 modules are:

ANGLE
APK
Captive portal login
Conscrypt
DNS resolver
Documents UI
ExtServices
Media codecs
Media framework components
Network permission configuration
Networking components
Permission controller
Time zone data
Module metadata

If one of these modules is updated, Google stops the service, updates it and restarts it.  Transparently to the user.  And it cuts out both the handset manufacturer and the carrier.

But only for phones that come with Android Q out of the box – not those that get it via an upgrade (probably due to the license agreement between Google and the handset vendor).

Handset manufacturers CAN opt out of this program, called Project Mainline, but why would they?

Android Q comes with 50 security enhancements in addition to this, including TLS V3, MAC address randomization, increased control over location data and better user control over what apps have what permissions.

Users should be looking for phones that ship with Android Q out of the box and where handset manufacturers are supporting Project Mainline.

For users, whether Q comes out of the box or via an upgrade, you still get the new security features.  If you are a security conscious Android user, you should definitely look for Q on your next phone.

Source: ZDNet.


Financial Institutions are Risking Customer’s Data. And Money.

Banks are very good at security.  Certain kinds of security, that is.

They have vaults with really cool doors.

Many banks have armed guards.  And alarms.

In some cities they put tellers in cages to protect them (that is NOT a great metaphor).

But when it comes to developing software, they are subject to the same challenges that everyone else developing software deals with.

So it shouldn’t be much of a surprise that banking software for your phone is not as secure as it should be.

According to a recent report on 30 mobile banking apps offered by financial institutions, almost all of the apps could be reverse engineered by hackers, revealing account information, server information and other non-securely stored data.

According to the report, 97% of the apps tested lacked the proper code protections.  90% of the apps shared services with other apps on the device.  83% of the apps stored data insecurely.  You get the idea.

And that is not the end of it.  For more information on what the apps are doing wrong, read the Tech Republic Article below.

So what should you be doing?

Believe it or not, bank web sites are probably more secure than their apps.  For one thing, the web sites run on servers owned or controlled by the banks.  Your phone is, to be polite, a cesspool when it comes to security.  All those apps, many of which were there when you bought the phone and a lot of which you can’t remove, even if you want to.

General phone cyber hygiene helps.  Don’t install any apps that you don’t need to.  Remove apps that you don’t use any more, if you can.  Patch your phone’s operating system and apps whenever patches are available.

To the degree that you can avoid installing banking apps (I know they want you to use them), that is more secure.

Unfortunately, the report does not list which apps it tested and which apps came up on the wrong side of the security story.  Needless to say, the banks are not going to tell either.  My guess is that the researchers are worried about being sued.  Which does not help us.

Do look for third parties that review apps for security.  Since most people don’t ask whether their money is secure, I haven’t found many, but keep looking.

If I find more information, I will post it.

Source: Tech Republic.


Android Q (Version 10) To Have A Number of New Security Features

NOTE:  This is a bit of a rant on my part, but I will get to the good stuff further down.  Sorry, but I think the subject is important.

While the fact that Google is finally trying to counter Apple’s various ad campaigns such as their CES ad below

and their March Madness ad campaign, “if privacy matters in your Life, it should matter to the phone your life is on”, is a good thing, it does not really solve the problem.

Android P or Pie, version 9, was released in March of last year.  Here is the most recent distribution of Android OSes on active phones.

Android Pie is represented by the light blue bars on the top in the last three bars and is a tiny percentage of the market.

As of January, 2% of phones are still running Android 4,  almost 5% are running Android 5, 10% are running Android 6, 21% are running Android 7, 54% are running Android 8 and only 5% are running Android 9 – roughly.

Android 4.4, the last version of Android 4, was released in 2013; Android 5 in 2014, Android 6 in 2015, Android 7 in 2016 and Android 8 in 2017.

All versions of the Android OS before version 7 are no longer supported and will never have security holes fixed.  That means around 20% of the Android phones out there are unsupported and when Android 10 is released this summer, that number will rise as Android 7 support gets discontinued.

While companies have been (sort of) good about getting rid of unsupported Windows OSes (like Windows XP), they have been much less active in stomping out unsupported phone OSes.

As employees move more and more to using their mobile devices as a true computing device, this is becoming a bigger security challenge for all companies – one that most companies have been ignoring.  THE SINGLE BIGGEST UPCOMING THREAT TO COMPANY DATA IS OLD, UNPATCHED MOBILE DEVICES.  This is especially true in regulated industries where very sensitive financial, health and national security data is accessed.

Apple has been very good about upgrading their phones to the current iOS version, supporting iPhones from the current iPhone 10 all the way back to the iPhone 5S and pretty much shoving the new releases down their users’ collective throats, whether users are happy about the results or not (older iPhones typically run slower with the newer releases).  But, at least, those phones are as secure as Apple knows how to make them.

But for Android phones, there are WELL over 1,000 MANUFACTURERS of Android phones and likely WAY over 10,000 phone models in use.

Add to this Android’s fractured release distribution model.  Users, other than Pixel users, do not get their software updates from Google like Apple users get theirs from Apple.  Rather they have to wait for Google to release fixes, their phone vendors to tweak them and their phone carrier to actually push them down.

Many phone vendors don’t ever release patches and that does not seem to be much of a decision-making consideration on the part of users (and really shouldn’t have to be).

The Fortune 100 and the carriers could change this pretty quickly (like we are not going to sell your phone and we are not going to buy your phone unless you release monthly patches), but that has not happened yet.

Google is trying hard to improve this.  Last year they made two changes.  First, they layered the operating system so that they can make (security) changes below a certain layer without affecting Android apps that carriers get paid to install on your phone and second, they began to require phone manufacturers to release patches a few times a year for two years.

While this is an improvement, many people (most people?) keep phones for more than two years and don’t buy those phones on the date they were released, so while this is a start, it is not a solution.

Companies need to understand that this is a risk and decide what their company policies are going to be regarding allowing users to access company data using phones that are vulnerable and unpatched.  For companies that are subject to regulations such as HIPAA or NIST SP 800-171, this is a violation of the regulation and could possibly get the company fined.

OK, enough ranting.

What is coming in Android Q (Version 10)?

The Android Q beta will drop this month and the best guess is that it will be released in August.  Some of the new security features include:

  • The Android OS will stop tracking contacts “affinity” (who is talking to whom on your phone – yes they have been doing that forever), so that will no longer be available to apps
  • Phones will transmit a RANDOM MAC address (the address of the network card) to reduce sites’ ability to track based on MAC address.
  • Only some apps will be able to obtain the device’s serial number and IMEI (electronic serial number).
  • Users will get more control over location permissions.  Now you will be able to say that an app can only access your location when it is the active application on your screen.  This comes after it was revealed that some apps, running in the background, transmit your location data to the app maker over a thousand times a day.
  • Only the active app can access data stored in the clipboard.
  • Some network device state information will now be restricted.
  • Apps will need to have access to a special FINE location API (for WiFi and Bluetooth).  This is how grocery stores, for example, know that you are in the cereal aisle and can send you ads for cereal and not pantyhose.
  • Each app will be given a sandbox regarding access to the disk on “external” storage (USB storage).  Currently, if you give an app access to USB storage, they can access any data on the device.  If apps are well behaved, this is not a problem, but ….
  • There are new restrictions on apps starting in the background without telling you.
  • There are several changes to the permissions model – apps will need to be given specific permissions in order to detect, for example, a user’s movement.

One thing Apple has figured out how to do, is to get users to spend a thousand dollars on a new phone every year or two (An iPhone XS Max with 512 gig of storage costs almost $1,500!!!).  Not sure how they do this, but they have.  Android users are much more sensible.

Until users understand that their devices (and more importantly their data) are at risk because they are not being patched, this is unlikely to change.

Information for this post came from Helpnet Security.


One in Three Companies Suffered Data Breaches Due To Mobile Malware

As people use their mobile devices as what one friend used to call a “pocket super computer” as opposed to something where you dial 7 digits (remember that) and talk to someone, hackers have figured out that the new attack vector is your phone.

In part, this is due to the fact that finally, after 20 years of trying, Apple and Microsoft have significantly improved the security of their operating systems, making the hacker’s job more difficult (let’s ignore for the moment that people are not very good about applying patches).

When it comes to phones and security, we are at roughly the same point we were with Windows computers in say 1995 or so.  That is not very comforting.

For example,  when was the last time you patched your phone?

In fact, DO YOU KNOW FOR SURE if there are patches available for your phone on a regular – monthly – basis?

For most iPhone users, Apple does provide patches for the operating system BUT NOT FOR THE APPLICATIONS THAT RUN ON IT. And not for old iPhones.

For Android users, it is a much more complicated situation that splits the job between Google, the phone manufacturer (such as LG or Samsung or 100 other vendors) and the carrier.  With one exception – Google provides patches directly to phones for Google branded phones.

According to a new Verizon report, one in three organizations ADMITTED that they suffered a compromise due to a mobile device.  That is up five percent since last year.  And probably highly underreported.

Mobile devices are susceptible to many of the same attacks as Windows and Macs as well as a whole host of special mobile attacks.  And, no, Linux users are not in the clear.  Remember that the Android kernel is basically Linux and the iPhone OS is basically BSD Unix on top of a Mach kernel, so all phones are Linux cousins and other relatives.

And here is an interesting tidbit – OVER 80 percent of organizations BELIEVE their protections are either effective or very effective, even though less than 12 percent had implemented all basic protections: Encrypting data on public networks, changing default passwords, REGULARLY testing security systems and restricting access based on a need to know.

80% of the companies said they could spot a problem quickly.  Only problem is that 63% of the problems were found by customers.

Okay, so now that we have a kind of “state of the phone security union”, what should you do?

First, you should create a policy regarding mobile device security.

Part of that policy needs to include what mobile devices are allowed to access corporate data (for example, only phones which are running a currently supported operating system) and what happens if the mobile device does not meet those requirements.

Then you need to decide how you are going to enforce the rules – software generically called mobile device management (MDM) is the most efficient way to do that and there are many vendors of MDM software.

Next you need to set up the people and the processes to make this work from now forward.  (If you need help with this, contact us).
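One way the "currently supported operating system" rule from that policy can be enforced, as an added example that is not part of the original post or of any MDM product: a compliance check of the kind an MDM conditional-access rule would run over a device inventory before allowing access to corporate data. The record fields, the 90-day patch-age threshold and the sample devices are my assumptions; Android 7 as the minimum follows the post above noting that earlier versions are no longer supported.

```python
# Added example: MDM-style device compliance check (not from the original post).
# Assumptions: each inventory record carries the Android release and the monthly
# security patch level in the YYYY-MM-DD form Android reports in
# ro.build.version.security_patch; thresholds below are illustrative.
from dataclasses import dataclass, field
from datetime import date

MIN_ANDROID_MAJOR = 7        # post: Android versions before 7 are unsupported
MAX_PATCH_AGE_DAYS = 90      # assumption: monthly cadence plus vendor/carrier lag
AS_OF = date(2019, 8, 1)     # constructed evaluation date for the sample run


@dataclass
class Device:
    name: str
    android_version: str     # e.g. "8.1.0"
    security_patch: str      # e.g. "2019-06-05"; may be empty if unknown


@dataclass
class Decision:
    compliant: bool
    reasons: list = field(default_factory=list)


def _major(version: str) -> int:
    # "8.1.0" -> 8; a malformed string is treated as version 0 (fails the check)
    head = version.split(".")[0]
    return int(head) if head.isdigit() else 0


def evaluate(device: Device, today: date) -> Decision:
    """Return ALLOW/BLOCK plus every reason the device fails policy."""
    reasons = []
    if _major(device.android_version) < MIN_ANDROID_MAJOR:
        reasons.append(f"Android {device.android_version} is no longer supported")
    try:
        age = (today - date.fromisoformat(device.security_patch)).days
        if age > MAX_PATCH_AGE_DAYS:
            reasons.append(f"security patch level is {age} days old")
    except ValueError:
        # Missing or unparseable patch level is itself a failure, not a pass.
        reasons.append("security patch level missing or unparseable")
    return Decision(compliant=not reasons, reasons=reasons)


def evaluate_fleet(devices, today):
    return {d.name: evaluate(d, today) for d in devices}


# Constructed inventory for the example.
SAMPLE_DEVICES = [
    Device("pixel-ok", "9", "2019-07-05"),
    Device("stale-patch", "8.0.0", "2018-09-01"),
    Device("unsupported-os", "6.0.1", "2019-07-01"),
    Device("no-patch-level", "7.1.1", ""),
]

if __name__ == "__main__":
    for name, decision in evaluate_fleet(SAMPLE_DEVICES, AS_OF).items():
        status = "ALLOW" if decision.compliant else "BLOCK"
        print(f"{status:5} {name}: {'; '.join(decision.reasons) or 'compliant'}")
```

A real deployment would feed this from the MDM's device inventory and wire the BLOCK result into the conditional-access rule; the logic stays the same.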

Not simple, not easy, but absolutely necessary.  Sorry.

Some information for this post came from CSO.
