Archive for the ‘Android’ Category

FCC crowdsources mobile broadband research with Android app

Friday, November 8th, 2013

Most smartphone users know data speeds can vary widely. But how do the different carriers stack up against each other? The Federal Communications Commission is hoping the public can help figure that out, using a new app it will preview next week.

The FCC on Friday said that the agenda for next Thursday’s open meeting, the first under new Chairman Tom Wheeler, will feature a presentation on a new Android smartphone app that will be used to crowdsource measurements of mobile broadband speeds. 

The FCC announced it would start measuring the performance of mobile networks last September. All four major wireless carriers, as well CTIA-The Wireless Association have already agreed to participate in the app, which is called “FCC Speed Test.” It works only on Android for now — no word on when an iPhone version might be available.

While the app has been in the works for a long time, its elevation to this month’s agenda reaffirms something Wheeler told the Journal this week. During that conversation, the Chairman repeatedly emphasized his desire to “make decisions based on facts.” Given the paucity of information on mobile broadband availability and prices, this type of data collection seems like the first step toward evaluating whether Americans are getting what they pay for from their carriers in terms of mobile data speeds.

The FCC unveiled its first survey of traditional land-based broadband providers in August 2011, which showed that most companies provide access that comes close to or exceeds advertised speeds. (Those results prompted at least one Internet service provider to increase its performance during peak hours.) Expanding the data collection effort to the mobile broadband is a natural step; smartphone sales outpace laptop sales and a significant portion of Americans (particularly minorities and low-income households) rely on a smartphone as their primary connection to the Internet.

Wheeler has said ensuring there is adequate competition in the broadband and wireless markets is among his top priorities. But first the FCC must know what level of service Americans are getting from their current providers. If mobile broadband speeds perform much as advertised, it would bolster the case of those who argue the wireless market is sufficiently competitive. But if any of the major carriers were to seriously under-perform, it would raise questions about the need for intervention from federal regulators.

Source:  wsj.com

iOS and Android weaknesses allow stealthy pilfering of website credentials

Thursday, August 29th, 2013

Computer scientists have uncovered architectural weaknesses in both the iOS and Android mobile operating systems that make it possible for hackers to steal sensitive user data and login credentials for popular e-mail and storage services.

Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.

The most serious of the attacks worked on both iOS and Android devices and required only that an end-user click on a booby-trapped link in the official Google Plus app. Behind the scenes, a script sent instructions that caused a text-editing app known as PlainText to send documents and text input to a Dropbox account controlled by the researchers. The attack worked against other apps, including TopNotes and Nocs.

“The problem here is that iOS and Android do not have this origin-based protection to regulate the interactions between those apps and between an app and another app’s Web content,” XiaoFeng Wang, a professor in Indiana University’s School of Informatics and Computing, told Ars. “As a result, we show that origins can be crossed and the same XSS and CSRF can happen.” The paper, titled Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation, was recently accepted by the 20th ACM Conference on Computer and Communications Security.

All your credentials belong to us

The Plaintext app in this demonstration video was not configured to work with Dropbox. But even if the app had been set up to connect to the storage service, the attack could make it connect to the attacker’s account rather than the legitimate account belonging to the user, Wang said. All that was required was for the iPad user to click on the malicious link in the Google Plus app. In the researchers’ experiments, Android devices were susceptible to the same attack.

A separate series of attacks were able to retrieve the multi-character security tokens Android apps use to access private accounts on Facebook and Dropbox. Once the credentials are exposed, attackers could use them to download photos, documents, or other sensitive files stored in the online services. The attack, which relied on a malicious app already installed on the handset, exploited the lack of same-origin policy enforcement to bypass Android’s “sandbox” security protection. Google developers explicitly designed the mechanism to prevent one app from being able to access browser cookies, contacts, and other sensitive content created by another app unless a user overrides the restriction.

All attacks described in the 12-page paper have been confirmed by Dropbox, Facebook, and the other third-party websites whose apps were tested, Wang said. Most of the vulnerabilities have been fixed, but in many cases the patches were extremely hard to develop and took months to implement. The scientists went on to create a proof-of-concept app they called Morbs that provides OS-level protection across all apps on an Android device. It works by labeling each message with information about its origin and could make it easier for developers to specify and enforce security policies based on the sites where security tokens and other sensitive information originate.

As mentioned earlier, desktop browsers have long steadfastly enforced a same-origin policy that makes it impossible for JavaScript and other code from a domain like evilhacker.com to access cookies or other sensitive content from a site like trustedbank.com. In the world of mobile apps, the central role of the browser—and the gate-keeper service it provided—has largely come undone. It’s encouraging to know that the developers of the vulnerable apps took this research so seriously. Facebook awarded the researchers at least $7,000 in bounties (which the researchers donated to charity), and Dropbox offered valuable premium services in exchange for the private vulnerability report. But depending on a patchwork of fixes from each app maker is problematic given the difficulty and time involved in coming up with patches.

A better approach is for Apple and Google developers to implement something like Morbs that works across the board.

“Our research shows that in the absence of such protection, the mobile channels can be easily abused to gain unauthorized access to a user’s sensitive resources,” the researchers—who besides Wang, included Rui Wang and Shuo Chen of Microsoft and Luyi Xing of Indiana University—wrote. “We found five cross-origin issues in popular [software development kits] and high-profile apps such as Facebook and Dropbox, which can be exploited to steal their users’ authentication credentials and other confidential information such as ‘text’ input. Moreover, without the OS support for origin-based protection, not only is app development shown to be prone to such cross-origin flaws, but the developer may also have trouble fixing the flaws even after they are discovered.”

Source:  arstechnica.com

Dangerous Linux Trojan could be sign of things to come

Friday, August 16th, 2013

‘Hand of Thief’ Trojan specifically targets Linux but operates a lot like similar malware that targets Windows machines

Desktop Linux users accustomed to a relatively malware-free lifestyle should get more vigilant in the near future — a researcher at RSA has detailed the existence of the “Hand of Thief” Trojan, which specifically targets Linux.

According to cyber intelligence expert Limor Kessem, Hand of Thief operates a lot like similar malware that targets Windows machines — once installed, it steals information from web forms, even if they’re using HTTPS, creates a backdoor access point into the infected machine, and attempts to block off access to anti-virus update servers, VMs, and other potential methods of detection.

Hand of Thief is currently being sold in “closed cybercrime communities” for $2,000, which includes free updates, writes Kessem. However, she adds, the upcoming addition of new web injection attack technology will push the price to $3,000, and introduce a $550 fee for major version updates.

“These prices coincide with those quoted by developers who released similar malware for the Windows OS, which would make Hand of Thief relatively priced way above market value considering the relatively small user base of Linux,” she notes.

Getting Linux computers infected in the first place, however, could be more problematic for would-be thieves — Kessem says the lack of exploits targeting Linux means that social engineering and email are the most likely attack vectors, citing a conversation with Hand of Thief’s sales agent.

Kessem also says that growth in the number of desktop Linux users — prompted, in part, by the perceived insecurity of Windows — could potentially herald the arrival of more malware like Hand of Thief, as the number of possible targets grows.

Historically, desktop Linux users have been more or less isolated from the constant malware scares that plague Windows, which is at least partially a function of the fact that their numbers represent a tiny fraction of the Windows install base.

Users of Linux-based Android smartphones, however, have become increasingly tempting targets for computer crime — and with the aforementioned growth in desktop users, the number of threats may increase even further.

Source:  infoworld.com

Mobile malware, mainly aimed at Android devices, jumps 614% in a year

Friday, July 12th, 2013

The threat to corporate data continues to grow as Android devices come under attack

The number of mobile malware apps has jumped 614% in the last year, according to studies conducted by McAfee and Juniper Networks.

The Juniper study — its third annual Mobile Threats Report — showed that the majority of attacks are directed at Android devices, as the Android market continues to grow. Malware aimed specifically at Android devices has increased at a staggering rate since 2010, growing from 24% of all mobile malware that year to 92% by March 2013.

According to data from Juniper’s Mobile Threat Center (MTC) research facility, the number of malicious mobile apps jumped 614% in the last year to 276,259, which demonstrates “an exponentially higher cyber criminal interest in exploiting mobile devices.”

“Malware writers are increasingly behaving like profit-motivated businesses when designing new attacks and malware distribution strategies,” Juniper said in a statement. “Attackers are maximizing their return on investment by focusing 92% of all MTC detected threats at Android, which has a commanding share of the global smartphone market.

In addition to malicious apps, Juniper Networks found several legitimate free applications that could allow corporate data to leak out. The study found that free mobile apps sampled by the MTC are three times more likely to track location and 2.5 times more likely to access user address books than their paid counterparts. Free applications requesting/gaining access to account information nearly doubled from 5.9% in October 2012 to 10.5% in May 2013.

McAfee’s study found that a type of SMS malware known as a Fake Installer can be used to charge a typical premium rate of $4 per message once installed on a mobile device. A “free” Fake Installer app can cost up to $28 since each one can tell a consumer’s device to send or receive up to seven messages from a premium rate SMS number.

Seventy-three percent of all known malware involves Fake Installers, according to the report.

“These threats trick people into sending SMS messages to premium-rate numbers set up by attackers,” the report states. “Based on research by the MTC, each successful attack instance can yield approximately $10 in immediate profit. The MTC also found that more sophisticated attackers are developing intricate botnets and targeted attacks capable of disrupting and accessing high-value data on corporate networks.”

Juniper’s report identified more than 500 third-party Android application stores worldwide, most with very low levels of accountability or oversight, that are known to host mobile malware — preying on unsuspecting mobile users as well as those with jail-broken iOS mobile devices. Of the malicious third-party stores identified by the MTC, 60% originate from either China or Russia.

According to market research firm ComScore, Android now has a 52.4% market share worldwide, up 0.7% from February. As Samsung has been taking market share from Apple, Android use is expected to continue to grow, according to ComScore.

According to market analyst firm Canalys, Android representedalmost 60% of the mobile devices shipped in 2012. Apple accounted for 19.3% of devices shipped last year, while Microsoft had 18.1%.

Source:  computerworld.com

Google: Critical Android security flaw won’t harm most users

Tuesday, July 9th, 2013

A security flaw could affect 99 percent of Android devices, a researcher claims, but the reality is that most Android users have very little to worry about.

Bluebox, a mobile security firm, billed the exploit as a “Master Key” that could “turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.” In a blog post last week, Bluebox CTO Jeff Forristal wrote that nearly any Android phone released in the last four years is vulnerable.

Bluebox’s claims led to a fair number of scary-sounding headlines, but as Google points out, most Android users are already safe from this security flaw.

Speaking to ZDNet, Google spokeswoman Gina Scigliano said that all apps submitted to the Google Play Store get scanned for the exploit. So far, no apps have even tried to take advantage of the exploit, and they’d be shut out from the store if they did.

If the attack can’t come from apps in the Google Play Store, how could it possibly get onto Android phones? As Forristal explained to Computerworld last week, the exploit could come from third-party app stores, e-mailed attachments, website downloads and direct transfer via USB.

But as any Android enthusiast knows, Android phones can’t install apps through those methods unless the user provides explicit permission through the phone’s settings menu. The option to install apps from outside sources is disabled by default. Even if the option is enabled, phones running Android 4.2 or higher have yet another layer of protection through app verification, which checks non-Google Play apps for malicious code. This verification is enabled by default.

In other words, to actually be vulnerable to this “Master Key,” you must enable the installation of apps from outside Google Play, disable Android’s built-in scanning and somehow stumble upon an app that takes advantage of the exploit. At that point, you must still knowingly go through the installation process yourself. When you consider how many people might go through all those steps, it’s a lot less than 99 percent of users.

Still, just to be safe, Google has released a patch for the vulnerability, which phone makers can apply in future software updates. Scigliano said Samsung is already pushing the fix to devices, along with other unspecified OEMs. The popular CyanogenMod enthusiast build has also been patched to protect against the peril.

Android’s fragmentation problem does mean that many users won’t get this patch in a timely manner, if at all, but it doesn’t mean that unpatched users are at risk.

None of this invalidates the work that Bluebox has done. Malicious apps have snuck into Google’s app store before, so the fact that a security firm uncovered the exploit first and disclosed it to Google is a good thing. But there’s a big difference between a potential security issue and one that actually affects huge swaths of users. Frightening headlines aside, this flaw is an example of the former.

Source:  techhive.com

‘Master key’ to Android phones uncovered

Friday, July 5th, 2013

A “master key” that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.

The loophole has been present in every version of the Android operating system released since 2009.

Google said it currently had no comment to make on BlueBox’s discovery.

Writing on the BlueBox blog, Jeff Forristal, said the implications of the discovery were “huge”.

The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone.

Android uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking the way Android checks these signatures so malicious changes to apps go unnoticed.

Any app or program written to exploit the bug would enjoy the same access to a phone that the legitimate version of that application enjoyed.

“It can essentially take over the normal functioning of the phone and control any function thereof,” wrote Mr Forristal. BlueBox reported finding the bug to Google in February. Mr Forristal is planning to reveal more information about the problem at the Black Hat hacker conference being held in August this year.

Marc Rogers, principal security researcher at mobile security firm Lookout said it had replicated the attack and its ability to compromise Android apps.

Mr Rogers added that Google had been informed about the bug by Mr Forristal and had added checking systems to its Play store to spot and stop apps that had been tampered with in this way.

The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.

Source:  BBC

Mobile’s dawning signal crisis

Wednesday, February 13th, 2013

Telecommunications tower (Copyright: SPL)

In April 1973, Marty Cooper made a phone call that put him straight into the history books. As he strolled down Lexington Avenue, New York, the Motorola executive (CK) whipped out an enormous prototype handset that he had built and placed the first public, mobile phone call.

The brief chat – and the photograph that immortalised the moment – marks the start of the mobile phone era. But Cooper’s legacy extends far beyond just that first conversation.

Along with a host of inventions, the engineer also formulated – and lent his name to – a mathematical law that captures the inexorable progress of our communications. Cooper’s Law, as it is known, shows how our use of the ether has grown since Guglielmo Marconi first transmitted radio waves 2.4 kilometres across the streets of Bologna – eight decades ahead of Cooper’s own historic transmission.

It has been estimated that the technology available when Marconi made his first transatlantic transmission, radio techniques were able to support just 50 simultaneous conversations worldwide. Since then radio capacity has grown by a factor of a trillion – doubling every two-and-a-half years. That’s Cooper’s law.

As well as describing progress, the law also become the mobile industry’s ruthless master: providing an aggressive roadmap for the rise of mobile culture.

The industry met this challenge thanks to advances in technology.

But now the game has changed. Although few in the industry acknowledge it publically, Coopers Law, which has stood for more than a century, is broken. And it is all down to the phone in your pocket.

Bin there, sent that

To understand the scale of the problem, you only need to look at the numbers.

For example, the mobile giant Ericsson has been tracking the growth in mobile traffic for years. But 2009 was a landmark year, according to the firm’s Patrik Cerwall: “That year saw more data traffic than voice traffic over the mobile networks”. And the data traffic has been doubling every year since – far outracing Cooper’s law.

The big accelerator was the smartphone, which suddenly made the data-carrying capacity of 3G networks attractive. “People didn’t really understand the benefit of 3G until the app concept changed everything,” Cerwall elaborates.

Data-hungry video is also driving demand. Networking firm Cisco has just reported video downloads last year crossed the 50% threshold, accounting for half of all data transferred over the mobile networks.

At the moment, there are around 1.1 billion smart phones across the world; by 2018 (the horizon for the Ericsson forecasts) that will treble to 3.3 billion. If you think that in 2012, smartphones represented only 18% of total global handsets, but represented 92% of total global traffic, you begin to see the problem.

And the growth will continue relentlessly, according to the Cisco analysis. In 2012, for example, global mobile data traffic grew 70% from 2011, to 885 petabytes per month – that is 885 million gigabytes of data. And in the next five years, it is expected to increase 13-fold, eventually reaching 11.2 exabytes (11, 200 million gigabytes) per month by 2017, according to Cisco.

These dramatic hikes will in part be driven by more people switching to smartphones, particularly in emerging markets, as well as new features on phones and in apps.

The impact of simple changes in an app was dramatically demonstrated in November 2012 when Facebook released new version of its mobile app for Android and Apple phones. Prior to the release, according to networking firm Alactel, the social network already accounted for 10% of the signalling and 15% of the airtime load on 2G/3G networks, respectively. But, as users around the world updated and started to use this new version, the firm noticed a dramatic increase of almost 60% in the signalling load and 25% in the airtime consumed by new features in the app.

However, data hikes will not just be driven by consumers. Firms also predict a rise in so-called machine-to-machine (M2M) communication, that will connect the mobile networks to an array of inanimate objects – from bins that will signal when they are full to electricity meters that will constantly call in to the utility company.

By the end of this year, Cisco predicts that the number of mobile-connected devices will exceed the number of people on earth, and by 2017 there will be more than 10 billion.

No wonder the chairman of the US Federal Communications Commission recently declared: “The clock is ticking on our mobile future.

Running out

The illusion is that the airwaves, like the atmosphere they pass through, are effectively limitless. We can’t see them, they can travel in any direction and link any two points – why should they be limited? Yet, in practice they are as hemmed in as a motorway through a city.

Radio spectrum is a limited resource, strictly farmed out by national and international regulation. At the moment it is all spoken for by the military, mariners, aviation, broadcasters and many more – all the way up to the very extreme of useful frequencies at 300 gigahertz.

No-one can get more bandwidth without someone else losing out. The 4G spectrum auction that recently began in the UK, for example, is the equivalent of adding a new six-lane motorway to the existing wireless infrastructure (itself already running at 10-lanes), built on virtual land vacated by old-fashion TV broadcasts.

It helps, but will only keep the expansion going for a certain time. Which is why mobile operators, and their rivals, are gearing up for major spectrum negotiations at the International Telecommunications Union in 2015. The so-called WRC-2015 conference aims to carve up the available spectrum amongst different competing uses. But an overriding priority is identifying and allocating additional frequencies to mobile services.

Already, the stakeholders are preparing their positions. Ericsson’s Afif Osseiran, project coordinator for the European consortium Metis, says the ITU conference “will be a crucial moment for laying out the spectrum needs for the 2020s.”

But industry will not just rely on these delicate negotiations to secure its future. Much of the advance in the past 20 years has not been about how many of these wireless “lanes” we have, but how efficiently we use them.

Like a newly built motorway that’s used by just a few cars, the first generation of phones were incredibly wasteful of the spectrum they used. Capacity was wasted in the same way as the gaps between vehicles represented lost transport opportunities.

In going from 1G to 2G, there was a 1,000-fold increase in capacity, mostly not because of the new radio lanes added in, but because more traffic was squeezed onto those lanes.

And in going from 2G to 3G, capacity rose another factor of 1,000: digital techniques managed to squeeze out yet more of the empty space.

But with the latest generation of tricks being rolled out in 4G (actually described as 3G Long Term Evolution by developers), the industry is running out of ways to improve the efficiency further.

These limits that determine how much information can be transmitted were established in the 1940s by the American engineer Claude Shannon. Although his employers, the Bell Labs of AT&T telephone, were interested primarily about the limitations of telephone wires, Shannon’s equations can be used equally for radio transmissions.

And mobile experts generally accept that the limits to data flow revealed by Shannon’s formulae are close to being reached.

Data crunch

So how will the mobile industry meet this challenge and keep satisfy out appetite for data?

The industry is clearly optimistic. It already confidently speaks of 5G – a further generation of technology that will roll out as current ideas have run their course. What exactly they mean by 5G is poorly defined, but a host of tricks are being discussed that it’s hoped will keep past trends going well into the next decade.

Which is just as well, as the lure of being immersed in a seamless flow of data will only become more compelling, says Rich Howard, formerly head of wireless research at Bell Labs and now with Winlab at Rutgers University.

“Mature technology is invisible – and that’s the direction we’re heading,” he says.

Howard looks forward to a day when phones begin to make intelligent decisions by themselves.

“What you want is a digital assistant that, while you’re having a call with somebody, will be busy looking at options for actions relevant to that call and have them available,” he says. So, if you are talking about a train journey, the phone could begin to check your calendar, ticket prices and connections. By the time you hang up, it would be able to present you with a list of available options. “Everytime you start to say something, you turn around and it’s already done, the way you want it done.”

It is a vision that is a world away from Cooper’s first call forty years ago and one that is only going to add the coming data crunch.

How the industry plans to keep up and deliver this future will be explored in the next article in this series.

Source:  BBC