Tag Archives: Android

Friday News Bites for May 18, 2018

Signal Does it Right

Matt Green, the well-known cryptographer and professor at Johns Hopkins, said this about the encrypted messaging app Signal: “After reading the code, I literally discovered a line of drool running down my face.  It’s really nice.”  But even nice code isn’t perfect.  Last Friday, researchers announced a very serious bug in Signal’s Windows and Linux implementation and within hours, Signal had it fixed and available for download.  I wish every vendor moved at this speed.  Signal may not auto update, so make sure that you download the new version [1.10.1] (Source: The Hacker News).

Google Gets It Right – Probably.  Finally.

One of my big complaints about Android is the lack of consistent patching from vendor to vendor.  Some vendors were even caught lying, saying that they had patched software that was not patched.  Google has announced that with Android P (version 9), OEMs will be required to release regular patches as part of their license agreement.  Details are not out yet, so stay tuned, but this, if it happens, will close down a major security difference between Android and iOS (Source: The Hacker News).

Facebook isn’t the Only One Selling Your Data

The big 4 cell carriers – AT&T, Verizon, T-Mobile and Sprint – and others are selling your location data to data aggregators such as LocationSmart, who in turn sell it to companies like Securus, sometimes through distributors.  Securus is the company who put its head in a noose by giving location data of judges and state police officers to a sheriff without a warrant and for reasons unknown.  While this data is likely only accurate to a few hundred yards because it uses cell tower data rather than GPS data, it works perfectly even if you have location tracking turned off.  And, of course, everyone makes money off the deal – the carriers, the aggregators and the distributors.  Sounds like a win for everyone but you and me.  They say that due to what may be sloppy drafting of the Electronic Communications Privacy Act, selling this data may not be illegal.  While the Sheriff who used it should have had a warrant, private companies who buy the data just need to pay for it – no questions asked as to what or why.  (Source: ZDNET).

Securus Attacked By Hackers

Securus (as in Secure Us), the incredibly unsecure company that gave a Missouri sheriff location information on state police and judges (that we can assume he did not like) with no judicial oversight, has been hacked.  We also don’t know if the attacker was somehow thinking that they deserved it.

One example of the data stolen by the hacker and given to Motherboard was a spreadsheet with names, emails, phone numbers, weakly hashed passwords and security questions for over 2,500 law enforcement customers.  Assuming this data makes it to the black market, it could be used as a hit list for cops – who already are being attacked on a daily basis.

We also don’t know what else the attacker took or what he plans to do with it.

Securus, who has a track record of poor security, says they are “investigating it” (Source: Motherboard).

For the Second Time in a Week – Another Critical Signal Bug

Right after I upgraded my copy of Signal for Windows to version 1.10.1 (see the first item in this post), I noticed that it upgraded itself to 1.11.1.  Yup!  That means that they found another bug – a critical one – that could reveal data and even Windows passwords.

Does this mean that Signal is bad?  Actually not.  Think about the number of patches for Windows that Microsoft has released over the years.  The number is likely in the tens of thousands.  Signal has released 10.  BUT, no software is perfect.  Or invincible.  So upgrade your copy of Signal and don’t assume that Signal is invincible.  It is not.  It is good, but that is different. (Source: The Hacker News).

Google Fixes Over 100 Bugs In Android


It appears that Google is getting serious about Android security.  They have, for the past several months, been releasing patch updates every month – like other software companies.  While I have no visibility to AT&T and Verizon, Sprint has been religious at pushing those updates out to my phone.

This month they released patches covering over 100 bugs in both the Android core OS and in chipset drivers from various component chip manufacturers.

Phone vendors have a choice between two different update packages to distribute to their customers.

Android’s Mediaserver component is the recipient of 16 patches, including 7 rated as critical.  These bugs, like Stagefright before them, allow hackers to attack your phone just by sending it specially crafted text (MMS) messages or audio and video files.  This works because the Android OS, in an effort to speed things up when a user wants to open a picture, audio or video file, pre-processes those files in the background without asking or telling you.  If those files are infected, so is your phone.  It has been so bad that Google Hangouts, for example, no longer passes media files to this component automatically.

Another critical vulnerability is in the built-in crypto libraries, OpenSSL and BoringSSL.

The first of the two patch options, labelled 2016-07-01 when you go to SETTINGS|ABOUT in Marshmallow, fixes 32 bugs, 8 of which are critical, 15 high and 9 moderate.  These bugs apply to the core Android OS.  32 bugs starts to rival Microsoft patches, but doesn’t reach the level of Adobe Flash patches.

The other patch option, labelled 2016-07-05 in ABOUT, fixes 75 additional bugs that are device specific, meaning some may affect this device while others may affect a different device.

These fixes are in modules such as the Qualcomm GPU driver, the MediaTek WiFi driver, the Qualcomm performance component, the NVIDIA video driver, the kernel file system (not sure why this is device specific though), the USB driver and other unspecified drivers.

Since these are running in a privileged process, a compromise of these modules is a serious problem.  In fact, some of these compromises may only be repairable by reflashing the device firmware, something most users cannot do even if they wanted to.

There are an additional 54 high severity bugs in various drivers that can also lead to a complete device compromise. The difference here is that an attacker would have had to already compromise the phone in order to exploit these 54 bugs.

Google has already released these patches to Google branded Nexus phones – possibly the most important reason to buy a Nexus phone.  How long it will take the various phone manufacturers to get off their collective butts and release them is unknown.

In the meantime, hackers around the world have access to these patches and are busy reverse engineering them to figure out how to attack your phone – it is a race to the bottom.

While this is the biggest Android patch release I have ever seen Google release in a single month, I think, maybe, it is a good thing.  I am hoping that it means that Google is getting serious about upgrading the security of Android and not just trying to cram as many features as possible into the next release.

What this does mean is that users who are running Lollipop (Android 5), Jelly Bean (Android 4.1), Ice Cream Sandwich (Android 4.0) and earlier are at significant risk of compromise because these versions of the Android OS will never be patched.

As of June 1st, 2016, only 10 percent of Android phones were running Marshmallow.  Apple is quite a bit better in FORCING adoption of new versions of the OS because they own the OS and the phone, but this may change as Congress is looking at passing a law forcing phone vendors to patch phones that they sell.  If you make money from it, you have to patch it.  Since Google isn’t releasing patches for older versions, this will force the phone makers, if the law is enacted, to upgrade the phones to the current version.  From a user standpoint, this would be a good thing.

As a consumer, if you are concerned about the security of your data, or, if you are a business and you are concerned about the security of your company systems accessed by employee phones, you need to consider replacing phones on a regular basis.  If you combine Android 5 and 6 together, this still represents less than half the Android phones.  Many of the phones running Android 4 and earlier are likely outside the U.S., but companies, especially, need to be proactive about dealing with this.

Information for this post came from Infoworld.

5 Year Old Qualcomm Bug Leaves Many Phones Vulnerable

A 5 year old bug in a Qualcomm chipset used in many Android phones allows a hacker to elevate their privileges and read SMS and call history data, change system settings or disable the lock screen.

Hackers could exploit this bug by having physical access to an unlocked phone or by getting a user to install a malicious app.

The bug affects older versions of the Android OS, like version 4.3 and earlier, the most.  Since that software is likely not supported by anyone, those phones likely will never be patched.

The Android OS added something called Security Enhancements for Android in version 4.4, which significantly reduces but does not eliminate the problem.  This is the main reason why Apple tries really hard to force people to upgrade OS versions, even if it means that they have to trash their old phones.

Congress is now investigating the issue of OS support in old phones (yes – we’re from the government and we’re here to help you), however, that is unlikely to change anything any time soon.

Google released a patch for this bug on May 1, but given the carriers’ track record at releasing patches, it is likely going to be months before most users see that patch – if ever.  Google says that Nexus phones are not vulnerable to this – I assume this means that they do not use the Qualcomm chip that is at the heart of this problem.

For any given user, it would be difficult to figure out whether their particular phone is susceptible, but users running Lollipop (V5) and Marshmallow (V6) are likely least affected.

One more time, Apple beats Google because they control the supply chain end to end.  In a closed world, where one company makes the phones and the OS, they can force patches quickly.  In the Android world, Google can release patches and patch their Nexus phones, but have very little control over the handset makers like LG and Samsung or the carriers like AT&T or Sprint.

Congress could potentially have some impact here, but I am not counting on them doing anything smart.  They do not seem to have a good track record.


Information for this post came from Ars Technica.

Open Source Software Does Not Solve All Of The World’s Problems

While I am not a Linux user personally, I am a big fan of it.  However, I am not delusional enough to think that just because a piece of software is open source, it is secure and bug free.

Anyone who thought that should have had those delusions ripped away when the Heartbleed bug was publicized.  For those readers not familiar with Heartbleed, it is the name given to the bug that affected the wildly popular open source software that implements SSL or HTTPS, the protocol used to secure many web sites.

It was thought that the bug affected around a half million to one million ecommerce web sites, many of which still have not been fixed 18 months later.

As popular as this software is, many, many people looked at it and even made contributions to it.  Still, this bug lived in the software from December 31, 2011 until a fix was released (but of course released does not mean that people have integrated it into software that used the flawed version) on April 7, 2014.

To me, this proves that open source software, no matter the goals and desires of developers, may have security holes in it.

Fast forward to this week.

All versions of Linux released since Kernel version 3.8 (released in early 2013 – about 3 years ago) have a bug in the OS keyring, where encryption keys, security tokens and other sensitive security data are stored.

Whether hackers and foreign intelligence agents knew about this over the last few years or not is unknown, but we expect many Linux variants will release a patch this week.

More importantly, at least some versions of Android, which is based on Linux, also have this bug.  The researchers who found the bug said it affected tens of millions of Linux PCs and servers and 66% of all Android phones and tablets.

Google says that it does not think that Android devices are vulnerable to this bug being exploited by third parties and the total number of devices impacted is significantly smaller than the researchers thought.  In this case, I trust Google researchers.  Google will have a patch available within 60 days, but getting that patch through the phone carrier release process could take a while.  I call this patch process TOTALLY BROKEN.  The only phones that we know will be patched quickly will be Google Nexus phones because Google releases those patches directly.

So, one more time, a major and highly visible piece of open source software is found to have a significant security hole for years.  This post talks about two examples, but there are many, many others.

If open source software as popular as Linux and OpenSSL has security holes, imagine the holes that MIGHT live in other, less popular open source software.  Some open source software might only be used by tens of people and only be looked at by one person.

The moral of this story is NOT that you should not use open source software;  it is no less or more risky than closed source software.  The moral is that you should ALWAYS consider the potential risks in using software and to the maximum degree possible, test for and mitigate potential security bugs.  And be ready to deal with the new ones when they are found.

Information on the OS Keyring bug can be found here.

Information on Heartbleed can be found here.

Android Security Is Improving – But Not As Good As iPhone

The Android community is slowly beginning to understand that they are going to have to step up to the plate and deal with security like Apple has done from the beginning.  The challenge is that unlike Apple, where there is one master in control, the Android community is fractured.  The only one who has any hope of pulling off a solution is Google.  They have the size (money) and the motivation to fix the problem.

Two examples popped up today.

First, Google has stepped up and is issuing monthly security updates – like Microsoft has done for a long time.  Some vendors, such as Oracle, choose to announce patches quarterly.  The advantage of that is that you only have to make 4 updates a year.  The disadvantage is that the patch releases are monstrous – with hundreds of patches in each one – so many companies just ignore them.  Typically, Microsoft’s monthly patch release is in the low teens for number of patches and often those are bundled so users have to deal with fewer details.  Also, the bugs are fixed sooner with monthly releases.  I vote for monthly.

In this month’s Google patch release, there are two patches which can be exploited remotely with specially crafted media files (Argh!, again) – this is a continuing effort to clean up the fright fest which is Android’s media handling (called Stagefright – you may remember that there were two earlier patches to fix problems in Stagefright.  This is number 3.  Expect more – they are announcing them as they fix them).  There are also 3 other patches in this month’s collection.

Owners of Google Nexus phones will get these patches quickly.  Owners of phones from other manufacturers will need to wait until the manufacturers decide to release the patches.

I am an Android user and am seriously considering making a Nexus phone my next phone since Google seems to have gotten the security message.

The other article is about Android Bloatware or Crapware.  Those are the terms for all of the garbage that phone manufacturers think that you want and they need to add to differentiate their phones from their competitors.  In most cases, they are so sure that you want this garbage that they do not give you a way to remove it.  In fact, in many cases, they are being paid by the manufacturers of the software to install it on your phone, which is why they do not let you remove it.  This is another advantage that Apple has.  They control the phones.  Since there is no competition, they control the price and don’t have to install Crapware to subsidize the price of the phone.  This is one reason why Apple phones are more expensive than Android phones.

Google has a research team that hunts for bugs.  Besides hunting for bugs in Windows, Mac OS X and Linux, they are now looking inside Android phones.  This month, they announced, they found 11 bugs inside the Samsung Galaxy S6 Edge Crapware.  These bugs likely won’t be on a Galaxy S5 or on an LG phone as the crapware, for the most part, is tailored to the phone.  Who did Samsung make a deal with for this particular phone?

The biggest risk is in software drivers – that software that talks to the hardware and has the most permissions.  That is where these bugs, for the most part, were found.

The good news is that Samsung has fixed these.  The bad news is that there are hundreds of phones and Google’s researchers do not have the resources to review that many phones.

The manufacturers – like Samsung – need to realize that this is an impediment to sales and deal with it.

One more point.  The patches that Google released ONLY patch Lollipop (5.x) and Marshmallow (6.x).  Almost no one is running 6.x – it is brand new – and less than 15% are running 5.x according to a statistic that I just found.  Almost 75% of the Android users are running 4.x and the patches just released DO NOT protect those users.

In their defense, Apple does the same thing.  They patch the current release and one release back typically.

For Android users, they need to understand that if they are saving money by not upgrading their phones, they are at greater risk for being attacked because these old phones are not being patched.

As Google ramps up their security efforts and releases more patches, they are giving the hackers a road map for how to attack these old phones, making them more vulnerable every month.

Just food for thought.

Information for this post came from two articles in Network World – here and here.

Android Stagefright Rears Its Ugly Head Again

You probably are well aware, at least if you are tuned in to the Android world, of the family of bugs called Stagefright.  Well now there is Stagefright 2.0 and this will be an opportunity for Google and the carriers to prove to us whether they can deal with ongoing security patches or not – something Apple’s iPhone has well in hand, giving Apple the competitive advantage.

As a reminder, Stagefright 1.0 dealt with a series of 6 or 7 bugs related to how Android preprocessed video – in that case, with video text messages called multimedia messages or MMS.

The scary part is that Stagefright, the name of the video subsystem in Android that does this video processing, by default runs in the background so that you can be infected without actually doing anything – no clicks, no downloads, no interaction at all.  You can turn that background preprocessing off but I doubt very many people actually did that.

All a hacker needs to infect you is your phone number.

The patch process was slightly ugly from Google, but mostly ugly from the carriers.  The challenge for the carriers is (a) they don’t get revenue from patches, (b) they still are fooling themselves that they are NOT in the software business and (c) they really are not set up to deal with this.  The consequences are that some people will ditch their Android phone and rent a phone, absent a 2 year contract, from Apple.  That has to keep the carriers’ executives up at night.

So now we move on to Stagefright 2.0.  Zimperium, the firm that discovered the original bugs, has found more Stagefright bugs. This time it affects MP3 and MP4 files.  Google JUST released patches for these bugs to Nexus phone users.  It is now up to the carriers to release these patches to you and me.

In addition, Zimperium has said they are working with Google on another handful of bugs, so this is certainly not the last patch to expect in the near future.

There is a Stagefright Detector app in the Google Play store.  There are actually two;  I would recommend the one from Zimperium.  It is free and does not require any special privileges.  They don’t want to steal your address book or copy your email or anything like that!  What is a bit unnerving is that you don’t have to interact with the app for it to play the hack scenario and see if you are vulnerable.  The Zimperium app tests for each bug individually, so you might see 6 green and 2 red or 7 red and 1 green or whatever the situation is.

If you begin to see red (pun intended), then you need to beat up your carrier – they control the patches.  This is an opportunity for the carriers to get the patch act together.  We will see if they do.

Will the fun never end?


Information for this post came from Android Central and SC Magazine.