Posts Tagged ‘android’

Posted: August 6, 2015 in Uncategorized
Tags: , , , , , , , , , , ,
0

broccoli-390001_1280You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

  • all software has bugs (try as we might, this remains true for anything other than simple programs)
  • some percentage of those bugs are security-related (call it the law of averages)
  • therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither to cars which I’ve written about here before as well. In fact, some of the higher end models these days have more lines of code than the Windows operating system so take a guess at how many security holes that translates into…

Apple hasAndroid-Army done a better job in this area because as both the hardware maker and OS supplier, they had 2/3’s of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had 3 players that needed to sync up since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google) which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slayed yet as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out but it’s a step in the right direction and one that is long overdue.

Advertisement

Goldilocks weighs in on security

Posted: September 24, 2014 in Uncategorized
Tags: , , , , ,
0

For some, the mere fact that newer mobile phone models exist is reason enough to desire them. For others, the tried and true, trusty sidekick that has served them well (not to mention, that it took it 2 years to figure out how to use the thing) is more than adequate.

I confess to belonging to the first group because I love new technology. I also lean that direction because of my security roots.

As I mentioned in my previous post, old phones run old software and old software has old security bugs that haven’t been fixed.

In keeping with that theme, Graham Cluely recently wrote a thought provoking post entitled “If You Care About Security, Throw Away Your iPhone 4 Right Now.” OK, it’s a bit alarmist, but the underlying point is valid.

This isn’t picking on Apple because Android has the same issue. The point is that while newer doesn’t always mean better, when it comes to security you need to remember that …

Goldilocksold phone = unsupported = security bugs that won’t ever get fixed

Of course, the flip side of this is that …

new phone = not fully tested = new security bugs (that will, hopefully, one day get fixed)

Oh, and, by the way, the same holds true for operating systems, apps, etc.

So, what are you supposed to do? Balance is the key. Too old or too new is always going to be riskier than “just right.” I think Goldilocks said that in the sequel …

Rotten Software

Posted: August 11, 2014 in Uncategorized
Tags: , , , , , ,
0

Unlike fine wine or cheese, old software doesn’t get better with age, it just starts to smell bad. Certainly it can “mature” as upgrades and patches are applied but if you simply “install it and forget it” then you could be setting yourself up for a world of trouble.

Recently Microsoft withdrew support for an old standby, Windows XP, and, as a result, pushed many to upgrade or face the risk of exposure to an increasing list of unpatched security vulnerabilities. Many grumbled about having to make the change but it was not unexpected. It costs vendors lots of money to support any operating system so it behooves them to support the fewest number they can or risk draining precious resources that could be spent developing newer versions with even better features demanded by the marketplace.

Windows XP is old in OS terms — nearly 13 years old, in fact. So, the end of the ride was inevitable, even if not fully appreciated by everyone.

But what about, say, Windows 95? It would be hard to feel a lot of sympathy for a user still running that moldy oldie if their system got hacked. After all, that was essentially 8 generations ago as a desktop OS. There are tons of security bugs that have been discovered in it since its introduction and, while most of been fixed, there are plenty that never will be since it was withdrawn from support a long time ago. Therefore, anyone still running Win95 isn’t likely to get a lot of sympathy given the known risks of doing so, right?

What about someone doing essentially the same thing on their mobile phone? Smart phones have very complex operating systems and we are finding more and more security holes in them every day. What would you say to someone still running the Win95 equivalent of Android? Good luck!

Well, it turns out that about 20% of Android devices world wide are essentially doing just that. That’s roughly what Android 2.x matches up to if you compare its generations to those of Windows. How many bugs do you think are sitting around on those aging handsets just waiting to be exploited? A lot more than their owners are aware of, I suspect.

To be fair, mobile OS generations have been rolling out faster than desktop OSs lately so the time lines won’t match up perfectly, but the truth is that there are a scary number of mobile devices that are wide open to attack because they are running old software.

Why not simply update the OS on these devices? Because, in many cases you can’t. Unlike the PC world where a single vendor (i.e. Microsoft) can push out a new OS when they like and users can update whenever they choose (for the most part), the Android world involves a sometimes unholy trinity of handset makers, Google (who makes the Android OS) and the carriers. If you want to update your phone you have to get the sun, moon and stars to align so that all three parties allow it and that has proven much harder and slower than most people would like. Since change is happening so rapidly in the mobile space, it is hard for old handsets to keep up with the demands of new OS versions plus handset makers have a stronger incentive to get you to upgrade than they do to keep you on an old device.

What all this adds up to is a lot of handsets with OS levels that have long since passed from stale to downright rotten and since hackers are drawn to vulnerable systems like ants to a picnic, it would not at all be unreasonable to expect a buggy mess as a result.

The Apple/iOS ecosystem is a little less complicated because you have only a two-headed monster (Apple and the carrier) to deal with. This results is fewer options for users but considerably less software rot.

More freedom/choice or more security? I actually use both but hope that whichever one you choose, you at least do so with your eyes wide open…

BYOD or Bring Your Own … Ostrich?

Posted: April 1, 2014 in Uncategorized
Tags: , , , , , , ,
0

 

 

 

 

 

Here’s a link to a posting I did for IBM’s Security Intelligence Blog on the perils of ignoring the whole Bring Your Own Device (BYOD) trend. Enjoy …

http://securityintelligence.com/byod-why-you-better-not-ignored-it/

 

 

Google probably knows your Wi-Fi password

Posted: December 20, 2013 in Uncategorized
Tags: , , , ,
0

It’s been an interesting year in the world of IT security and privacy. It turns out that all the world’s spy agencies are, in fact, spying on each other. Shocking, right? OK, so they aren’t just spying on other spies but probably you and me as well to one degree or another. How much do they know? How long have they known it? How is the information being used?

I think the best answer is a quote from Tom Waits that predates this latest controversy but is quite apropos, nevertheless …

“The folks who know the truth aren’t talking. The ones who don’t have a clue, you can’t shut them up.”

In other words, don’t believe everything you hear because the people making the most noise tend to be those with the least actual information. At the risk of falling into that latter category I will suggest that the organizations that might know more about you than the TLAs (Three Letter Agencies) are the ones that we voluntarily give up our personal information to in exchange for free email, social media, cloud storage, navigation services, etc.

Along those lines comes a revelation that sits squarely between the uncomfortable intersection of security and convenience — your wifi passwords. If, for instance, you have an Android device you probably connect it to a wireless LAN on occasion. Unless you enjoy typing in long, complicated passwords on tiny keyboards, you probably opted to let the OS store this info for future use. For further convenience you probably allow Google to back up the settings on your phone since this makes recovery far easier when you get a new one. All very nice but …

This means that Google is storing all those “secret” passwords somewhere in their cloud. Who has access? How well is it secured? How could this information be used/abused? Now the heartburn begins…

I have no idea whether Google does a great job or a poor job of securing this data just like I have no idea how well credit card numbers and other sensitive information is being secured on systems for major retailers but I do know that at least in the case of the latter there have been some major breaches. We might not know about these failures were it not for legislation that requires public disclosure of such incidents and I suspect we wouldn’t necessarily know about similar compromises in social media, email and other Internet-based services.

And don’t make the mistake of thinking that a leak of wifi passwords would only affect a few home networks or that if you choose not to have your info backed up by Google or because you use an iPhone or no phone at all that you will be safe because all it takes is for one user — any user — of any wifi network you use to have saved and backed up this info for it to make everyone on that network at risk. 

Just another reason why you should make sure that you use a good VPN or SSL connection, even when you think you are on a secure wifi network…

Which is safer – Android or iOS?

Posted: March 11, 2013 in Uncategorized
Tags: , , , ,
1

The conventional answer to this question is that Apple’s “walled garden,” which places restrictions on app developers, creates a more secure environment for iOS whereas Google’s more permissive model puts Android users at greater risk.

As I have posted here before, there is plenty of ammo to bolster that position:

But the story is more complicated than that. For instance, take this recent report from Appthority which finds that “iOS apps leak more personal data than do Android apps”.

The differences are not huge but they do add fuel to the fire regarding which platform is safer. Apple Insider sums it up well:

A number of questionable policies and security concerns have painted Google’s Android platform as inherently less secure than Apple’s iOS. Android does appear to be more vulnerable to malware than iOS, but mobile malware affects only one percent of apps. The larger concern, the study concludes, should be over how mobile apps handle personal information and company data.

In the end, the unsatisfying answer as to which is more secure is, you guessed it, — it depends — so pick your poison … 🙂

 

115 and counting…

Posted: January 3, 2013 in Uncategorized
Tags: , , , , ,
3

If my last post regarding Android devices being marshaled into zombie armies sounded a little over the top maybe this one will resonate a little better.

According to forensic blog, which focuses on mobile phone forensics and malware, as of December 26, 2012, there are 115 unique Android malware families known to exist. That number would be significantly higher if you counted all the variations on these that might be circulating.

115 doesn’t sound like a lot compared to the tens of thousands of Windows viruses in existence but its a far cry from zero and should serve as a wake up call regarding the need for malware protection on mobile devices. If that still doesn’t convince you then maybe the analysis regarding the threat that these present might:

Families that steal personal information 51,3 %
Families that send premium rated SMS messages 30,1 %
Families with characteristics of a Botnet 23,5 %
Families that contain Root-Exploits 18,3 %
Families downloaded from the Google-Play Market 11,3 %
Families that install additional applications 10,4 %
Families that steal location related data 8,7 %
Potentially unwanted applications 7,8 %
Online-Banking Trojans 3,5 %

Source: forensic blog, http://forensics.spreitzenbarth.de/

And don’t get too smug because your phone or tablet runs iOS. We had this debate years ago when people claimed that Mac OS was immune and then again with UNIX/Linux. Granted, the relative risk might be lower over the entire population of these install bases but the fact remains that any functional OS can be exploited because none are perfect.

Put more succinctly, all software (of any significant complexity) has bugs and some percentage of those bugs will be security-related, therefore, all software carries with it a set of security risks.

Android Zombie Uprising?

Posted: December 19, 2012 in Uncategorized
Tags: , , , , ,
1

 A story that should be no surprise to anyone (but, no doubt will catch many off guard), BBC News is reporting that, unbeknownst to their owners, Android phones are being used as spam relays.

Yes, that smart phone that goes with you everywhere you go, fits easily in either a pocket or a purse, and has become an indispensable tool of modern life is, in fact, a small, fully functional computer. As such, it can not only place and receive calls but also do most the great things that we’ve come to expect from a PC (e.g. send/receive email, browse the web, run apps, play music, etc.). In addition, it can do most of the really awful things that PC can do as well such as crash at inopportune times, leak personal information and get infected with viruses.

Although, the amount of malware affecting smart phones to date is relatively small as compared to PCs, the threat is not insignificant and will only continue to grow.

So it shouldn’t surprise us when we read that infected versions of popular apps like Angry Birds are beginning to circulate. The latest twist is just a variation on a theme we learned about more than a decade ago with the advent of so called “zombies” or “bots” — systems under the control of a remote attacker that can be coordinated to form an army of denial of service attackers or spam senders. If you could do it on a PC, there’s no reason to believe it couldn’t (and wouldn’t) be done on a smart phone and, in fact, now it has been.

What can you do to protect yourself from being an unwilling accomplice and avoid a monstrously large cell phone bill if the zombie happens to exceed your monthly data limit or, potentially worse, leverages premium SMS text messaging services without your knowledge?

  1. Don’t install apps from untrusted sources.

    Even the official Google Play store is known to have more than its share of sketchy apps but if you veer off into some lesser known (and less reliable) sources, you are really playing with fire.

  2. Don’t install apps that you don’t really need.

    What constitutes “need” vs. “nice to have” is an endless debate topic that varies from person to person. Suffice it say, if that by limiting the number of apps you have to those that you will really use, you will have reduced your risk by effectively reducing the attack surface.

  3. Check the permissions before granting access.

    One of the nice features of Androids over iPhones is that they actually tell you during the install process what resources on your phone the app is going to access. At that point you can choose to proceed or abort the install based upon your tolerance for risk. Unfortunately, there isn’t much granularity in this process as you can’t see the details of how these resources will be used or have the ability to selectively grant access to some but not others but at least it’s a start.

  4. Install anti-malware.

    Yes, they have this for smart phones now. It’s not a perfect solution and some will argue that it’s unnecessary given the relatively small number of malware examples on smart phones but it wasn’t all that long ago that people were saying the same thing about Macs and, before that, PCs and time eventually proved them wrong.

Apple does a good job of vetting apps before they make it into their app store but that doesn’t mean there is no risk with that option either as there have been some cases where bad stuff slipped through.

Bottom line: If it does the good things a computer can do then it can also do the bad things a computer can do and that means you need to be mindful of security threats to not only desktops, laptops and servers, but also to phones and tablets. Can TVs and cars be far behind?