By the end of this year, 1.4 billion smartphones will be in use: 798 million of them will run Android, 294 million will run Apple’s iOS, and 45 million will run Windows Phone, according to a new study by ABI Research.
That is an incredible number of smartphone users connected to the big wide web. But how secure are they? Is it possible for a mobile operating system to be secure, or is it insecure from the roots up?
As you might already guess, I will only be covering the Android part; not surprisingly, it has the bigger market share. So, how do you ‘test’ a secure mobile system?
A system can be locked down extremely tightly, but that has an impact on user friendliness, so where do you draw the line? How do we test whether a given Android system is secure? Do we forget about user friendliness, or do we consider the bigger picture: a secure, user-friendly Android system? I think considering the bigger picture is the more realistic approach, as it includes the user’s behaviour, which makes up a great part of the system’s security.
Let’s take a look at the security mechanisms Android has implemented for safe distribution of applications. Android applications are shared through the Google Play Store. Android has two important security mechanisms covering the distribution and installation of apps, in order to protect the installing user from malicious actions:
- applications need to be signed
- applications need permissions to access phone functions
Applications need to be signed with a special unique key that a developer can obtain. The signing of an application can be thought of as giving the application a digital certificate. With this certificate Android aims to establish trust relationships between applications. For example, consider an app which we call “AppX”. When “AppX” is first installed, it is signed with a specific private key. If the developer upgrades “AppX” to “AppX2”, he needs to use the same key he used to sign “AppX”. This creates a trusted relationship between “AppX” and “AppX2”, because only the developer that holds the key for “AppX” can develop an upgrade for the app. But is this waterproof?
Probably you know the answer already, otherwise I wouldn’t have hinted at it. Well, no, this is not waterproof. A rather invasive bug was found in the signing process.
The core issue is that Android package (APK) files are parsed and verified by a different implementation of “unzip a file” than the code that eventually loads content from the package: the files are verified in Java, using Harmony’s ZipFile implementation from libcore, while the data is loaded from a C re-implementation.
The way that these two implementations handle multiple files with the same name occurring in the zip file differs. The way the Java implementation reads the file is that it goes through the “central directory” and adds each entry to a LinkedHashMap. The key the entry is stored using is the name of the file.
Later, the PackageParser goes through each entry in the zip file, verifying that the file was signed with a consistent signature. This code iterates over the LinkedHashMap. The result is that only the last entry with a given name is considered for signature verification: all previous duplicates are discarded.
Source: Saurik
This is a rather technical explanation of the bug, so a more beginner-friendly explanation follows. Since .APK files are nothing more than JAR files, that is where the problem lies. JAR stands for Java ARchive, a sort of folder with all your Java code. If you want to ensure the integrity of a JAR as a self-contained entity such as an Application then the ability to sign individual files is not a requirement. In fact it is difficult to see in what circumstances the ability to sign individual files and only individual files could be a requirement.
Because it is only possible to sign individual files, a signed JAR is really nothing more than a collection of files which may or may not be signed, and the verification of a signed JAR is a very convoluted way of determining into which category each file belongs. All of which leads us to the question of what signed JARs are actually for?
The ability to package files in this way was presumably considered useful when the specification was produced but it is clear that it is a decidedly sub-optimal way of attempting to ensure the integrity of an Application made up of a number of files which have been packaged as a ZIP file.
While signed JARs undoubtedly constitute a flexible mechanism for doing something, it’s just not clear what, they do so at a cost.
As we have seen the cost is the complexity of the verification process and the inconclusiveness of the result.
The process of verification is ridiculously complicated and consequently dangerously error-prone, which is not what you want from something which is a key part of ensuring the security of your platform. (Source: Simon Lewis)
Now, what can a user do about this? Not much, actually. The bug has been known for some time now; the only action Google has taken so far was to change something in the .APK submission process in the Play Store. A fix for devices is coming with Android 4.3. Older devices need to install the CyanogenMod custom ROM, which includes the 4-LINE BUGFIX that Google failed to deliver OTA.
Next up on the list is “Permissions”. Every app needs specific permissions to access phone functions. As an example I will include the permissions the app I am currently developing needs:
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_INTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_LOGS"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
These permissions look like they’re asking a lot, but the only access they give to the phone is:
- The use of the internet
- The ability to write to the SD card (= caching images) and internal memory (= for settings)
- Reading the error log on a crash, to send a detailed error log back to me
- The Google Cloud Messaging service
- Accessing the network state, to check if there’s an internet connection
- And wake lock: my app uses a service that needs to run whether or not the app is running, so the service needs a wake lock
These permissions are shown to the user upon install. So this is the part where the user’s common sense plays a big role. If you want to play a game and the game asks for a whole list of permissions, the game is usually spyware. It will collect as much info as it can and send it back to a server. The maintainers of this server will sell the information to advertising companies. So reading through the permissions is not time lost, as they can be pretty invasive on the privacy of the phone user.
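To show what “reading through the permissions” looks like when automated, here is an added Python check (not code from the original post) that parses the `<uses-permission>` elements from an AndroidManifest.xml, handling the android XML namespace, and lists anything outside a reviewed set. The reviewed set is the list from the post; the sample manifest is constructed and adds one extra permission (READ_CONTACTS) that nothing in the app’s described feature list would justify.

```python
import xml.etree.ElementTree as ET

# The android: prefix in a manifest is bound to this namespace, so the
# attribute must be looked up with the Clark notation "{ns}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission>, in manifest order.
    A naive el.get("android:name") would return None for all of them."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def unexpected_permissions(manifest_xml: str, reviewed: set) -> list:
    """Permissions requested beyond the set that the app's features explain;
    these are the ones a user or store reviewer should question."""
    return [p for p in requested_permissions(manifest_xml) if p not in reviewed]


# The permissions the post lists for the author's own app.
POSTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WRITE_INTERNAL_STORAGE",
    "android.permission.READ_LOGS",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "com.google.android.c2dm.permission.RECEIVE",
}

# Constructed sample manifest: the post's permissions plus READ_CONTACTS.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sampleapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WRITE_INTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Sample" />
</manifest>
"""


def review_sample() -> list:
    """Run the check on the constructed manifest against the posted set."""
    return unexpected_permissions(SAMPLE_MANIFEST, POSTED_PERMISSIONS)


if __name__ == "__main__":
    for perm in requested_permissions(SAMPLE_MANIFEST):
        flag = "  <-- not explained by the app's features" if perm not in POSTED_PERMISSIONS else ""
        print(perm + flag)
```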
So I did not reach a conclusion, as this is a whole research topic on its own (maybe a master’s thesis?). But I hope I gave some pointers that there’s a huge gap between user friendliness and optimal security of a mobile system. Any comments or questions, shoot!
Often I get the question: “What is your view on online privacy with all those social networks invading it?”. Well, in short I usually answer it with: “Dangerous if you don’t know how to use it. Easy, awesome and interesting when used correctly.” I will only focus on the dangers, because I think everybody knows how awesome and interesting social networks are when used safely.
Connected with the world
People usually forget they are connected to the internet, and by extension to almost the whole world. The internet is rather a dark place. You should not fear it, but you should travel it with a torch in your hand. How does this relate to Facebook, you may ask? Well, Facebook is connected through the internet; without the internet Facebook would not exist. I find it ridiculous how a ten-year-old can make an account and connect with almost 2 billion people with a few clicks of a button. Alright, I hear you, it’s not Facebook’s fault. I agree, but some things must change in society’s view on social networks.
Dark corners of Facebook
Parents should be aware of the dangers a social network can have. Children are the most likely to fall for phishing attacks. Hackers are constantly lurking on children’s forums trying to get login information. A sentence often used: “Omg, is this you in this photograph?! http://www.ishouldneverclickthis.com”, sounds familiar? Hackers are interested in this information for the sole purpose of selling it to criminal organisations, more specifically to child traffickers. They use the info from these profiles to generate false passports. Nowadays a Facebook profile is almost a blueprint of someone’s life. This is dangerous in many ways, not to forget for personal attacks on victims or robberies.
Children should be taught how to use social networks. Chances are, if you ask children in a classroom “Who has a Facebook profile?”, almost everybody puts their hand up.
I am disgusted
I am disgusted with the educational system in my country, Belgium. Mainly, we have two kinds of schools: public state schools and Catholic schools. I was shocked by the latter. They cancelled the IT course and defend it by saying it should be integrated into the other courses. I agree that it should be integrated into different courses. But I am strongly, STRONGLY recommending additional hours of IT courses. TEACH CHILDREN TO USE A COMPUTER. What better place to teach children about the dangers of social networks than in schools? They should know how to safely use a computer in general. Children should not be the victims of a backward ideology (Yes! I am looking at you, Catholic education).
I simply cannot understand how a society so entangled with computers does not educate its children appropriately when it comes to cyber security. *sarcasm* The fact that I had to teach my IT teacher what PHP was in my 3rd year of secondary school is totally beside the point. */sarcasm*
It’s our duty
It’s our duty, as a parent, brother, sister or teacher, to educate our children. People should understand what impact computers can have on our lives. Privacy is a valued thing that needs, nay demands, protection. The era when computers were for the rich is behind us. Almost everybody has access to a computer, yet few have an appropriate basic understanding of how to use it safely. Reach out to me with any questions or comments. Please share this idea with others, whoever you think should know this.
Hi guys, what’s up!? First blog post in a long time, but it will be a short one. Here’s what happened today:
First up we took the Eurolines bus to Amsterdam, a 3.5 hour bus ride. After that we arrived at the Sarphati hostel and dropped our bags. (I get a free room next time I come if I mention them in my blog.)
The BlackBerry Jam 10 reception and TweetUp started around 5 p.m.; here we talked with several BlackBerry partners over a beer. Some interesting partners were there, with a lot of interesting content. For example:
Application Developer Alliance : A community where you find everything you need to know about building,funding and distributing webapps or mobile apps. Free membership for now, so subscribe!
Also present were: Sencha, Unity 3D, Evernote, TenCode and many more.
This took pretty much the whole evening, and was interesting. Excited to start the real work tomorrow at 10.30 a.m.; more coverage to come! Keep an eye on Twitter if you want to know my thoughts and things live from BlackBerry 10 Jam Europe 2013, Amsterdam.
Privacy. Government point of view: “If you aren’t doing anything illegal, why bother if we see everything you do online?”
My point of view: “Why check and screen what I do online? I am not doing anything illegal.” Privacy is a fundamental human right. Privacy is the key to finding some rest, away from the eyes of the community. It doesn’t make a difference whether we search for privacy on the internet or elsewhere. If internet traffic should be screened, why not hang cameras in every home? Put taps on every phone? Privacy is the key to a free opinion, a free mind.
The internet is no one’s property. It doesn’t belong to a private corporation, it doesn’t belong to a government.
The day we lose our privacy and our free will is the day we stop being human.
Demand your privacy, be anonymous.
For a month and a half now I have been the owner of a MacBook Pro 13.3 inch mid 2012. This came as a shock to myself and some people around me. I felt I needed a change from the Windows machines I had been used to for 13 years. What you’re about to read is a personal opinion about the two different machines.
For my studies I wanted a machine that could handle the task. My 3-year-old Acer Aspire did quite a good job, although I had to replace the battery and the RAM. However, the keyboard was a real pain in the buttocks :-). I have to give this one to the MBP. Not only do I love the keyboard, the fact that the body is made out of aluminium really gives it a sturdy look and feel.
However, for me personally, I think the MBP is overpriced. Some say you pay for the durability and quality that comes with an Apple product. Maybe that’s true; I’ll give you an update on that in less than 3 years!
Well. I have mixed feelings about this.
Mac OS X is, by far, the most stable OS I’ve ever used. It looks nice, it feels nice. Windows on the other hand gave me a lot of the famous BSODs. But what annoys me about Mac OS X is that it uses a freaking high amount of RAM. Right now I am running Chrome, Spotify, Tweetdeck, Sparrow and Agenda: RAM left = 262 MB. Upgrading the RAM is the first thing I’ll do.
Will I ever be an Apple fanboy? Hell no! I love Android too much for that to happen. However, I’ve got to admit the MBP sure is one piece of engineering. Especially the trackpad. They should give a medal to the engineers that designed it.
Rather short opinion, but hey, exams are on the way. Any other Windows/Mac users want to share their experience? Comment below!
Hacktivism is a word you see surfacing a lot in the news lately. You must have been living on Mars if you have never once heard about Anonymous. What is this new movement? Why are they doing this? Is it legal, or just ethically justified?
Hacktivism is the use of computers and computer networks as a means of protest to promote political ends.
This is the definition of hacktivism according to Wikipedia. Hacktivists use their knowledge of computer technology and cyber security to fight for an idea. They feel an authority is treating them unfairly. Anonymous, the textbook example of hacktivism, fights for the right to information freedom and a more equal division of money. These are considered their main causes.
Some say information freedom is dangerous. For example: the Wikileaks documents are considered a threat to the soldiers still fighting in the war zones: Iraq, Afghanistan, … True, some information can be dangerous and is not for terrorist eyes to see. But it is the price you pay as a government for decades of cover-up operations. How can people trust their governments if they are not honest towards their people?
A lot of people do not know what soldiers are doing in those foreign war countries, murdering innocent people. A couple of graphic hints:
Be warned : these videos are not for the faint hearted.
Is this legal? No, this is not legal. Most of the information is obtained by breaking into secured computer systems. Is it ethically justified? Well, that question should be answered by everybody individually.
After Mastercard, Visa and PayPal closed all accounts owned by Wikileaks, Anonymous stood up. They found it unethical to cut the funds Wikileaks has the right to receive. The result: Anonymous mounted an incredibly big offensive. They gathered over 4000 anons, sympathisers and others to DDoS the servers of these companies. This resulted in the sites not being accessible for anywhere between a couple of hours and 1-2 days. I see this as a cyber sit-in. When you protest on the streets you can deny access to a building by sitting with a whole group of people in front of the entrance. A DDoS does exactly the same, only over the internet. The servers are flooded with requests until they shut down and need to be reset. No information is leaked in the process, and no damage other than economic damage is done.
It’s a personal question whether or not you find it ethically justified to use cyber force to fight for a cause. Share your thoughts in the comments below, and keep it friendly and clean.
An idea is bulletproof.
Maybe some of you want to know how to set up your computer to start developing for Android. I will cover setting up Eclipse and downloading the Android SDK.
Installing Android SDK
Once downloaded, you have to install it; on Windows just start the executable file.
Installing Java JDK and Eclipse
The Java Development Kit is needed to develop Android applications, since Android development is based on Java and XML. Android code is written in an editor; the best supported, and in my opinion the best one around, is Eclipse. Eclipse is a free, open-source editor that supports a wide range of programming languages.
Installing the ADT Plugin
Once Eclipse is installed we need to connect the Android SDK to Eclipse; this is done by the ADT Plugin. Installing this plugin is easily done from within Eclipse.
- Start Eclipse. Navigate in the menu to Help > Install new software...
- Press ‘Add...’. In the window that pops up you can fill in any name you like; a good suggestion is “Android Plugin”. In the location field you have to paste:
- Click ‘Ok’. Make sure the checkbox for Developer Tools is selected and click ‘Next’.
- Click ‘Next’. Accept all the license agreements, click ‘Finish’ and restart Eclipse.
- To configure the plugin: choose Window > Preferences
- Select ‘Android’ in the left panel and browse to the Android SDK you downloaded in the first step. (On Windows: C:\Program Files (x86)\Android\android-sdk)
- Click ‘Apply’ and you’re done!
Adding platforms and components
On Windows, start SDKManager.exe, located in C:\Program Files (x86)\Android\android-sdk, and install all platforms and components.
You’re ready to start coding now! Any problems, comment below!
Happy coding, h4
Some people ask how to be truly anonymous on the web, or how to protect your privacy on the internet. A lot of people don’t know that quite a bit of information can be collected by websites or hackers without you even being aware of it. This post will try to make clear what actions you can take to protect your privacy on the web.
Everything you read here is for security and educational purposes only. If you use this information for any illegal actions, that is your own responsibility.
I will be covering some techniques to protect your privacy on the web. However, keep in mind that you will never be 100% anonymous. It just depends on how much time and money someone wants to spend on finding you.
What information can they gather about me ?
Well, the answer is really easy. Almost everything they want: IP address, location, internet service provider (ISP), the browser you’re using, … If you want to check what a webserver can tell about you, you can simply use this website: http://www.whatsmyip.org/more-info-about-you/
If you scroll down to the middle of the page you’ll see they can also determine what plugins you have installed on your machine. This in particular comes in handy for hackers exploiting bugs in these plugins.
How to hide this information ?
Well, switching off the plugins is the only way to protect against exploits of bugs in these plugins. To truly stay anonymous on the web you will have to scramble your IP address. The only way to do this is by using other machines to access a given webserver.
A proxy server can be seen as a box with a lot of incoming connections from different IP addresses and one outgoing IP address. If you browse to a webserver using a proxy server, your request will first be sent to the proxy server. The proxy server requests the information from the webserver and forwards it to your machine. The result? The webserver only sees the IP address of the proxy server you used. So if you live in Belgium you can use a proxy server located in France to browse to a webserver in Italy. If the proxy server doesn’t keep logs of the connections, it is very hard to determine who connected to it. So if you choose a proxy server, make sure you choose one that does not keep logs. Some good proxy servers can be found here: http://www.socks24.org/
Proxies can be chained to scramble the path between the server and your machine even more. For a tutorial, check Google; Firefox users may want to look at the FoxyProxy plugin. But sometimes even proxies aren’t enough.
The TOR Project
The Tor Project was developed to provide a secure line for the US military to transmit information and to create an encrypted network. After the project became open source it is now used to browse the web anonymously. The key principle of Tor is connecting different nodes to each other using encrypted connections. It is built in an onion-like way: when a user requests a certain webpage, the request passes through different layers using encrypted connections. The n-th node doesn’t know anything about the (n-1)-th node. The following image shows how the network works:
Every time a request is sent a new random path is chosen; this protects you against traffic analysis.
However, some say the Tor network is being infiltrated by governments that install exit nodes which keep information about your machine. It is recommended to switch off the Java plugin when using Tor. Sometimes a webpage asks for permission to run a Java applet, and this is a perfect way to obtain the IP address of a machine. How then, you may ask? Well, in short, Java applets run in a Java Virtual Machine. Tor can protect your IP address when you’re using Firefox (with the Tor plugin), but it can’t route the traffic through the network when the request is launched from the JVM. Interested in starting to use Tor or learning more about it: https://www.torproject.org
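To make the onion picture concrete, here is an added Python simulation (not code from the original post, and not the Tor Project’s own code) of how the layered encryption works: the client wraps the request once per relay, and each relay peels exactly one layer, learning only the next hop. The stream cipher is a deliberately simple SHA-256-based toy that stands in for the real per-hop cipher, and the relay names, keys and request are all constructed for the demo.

```python
import base64
import hashlib
import json
import os


def _toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo only: keystream = SHA-256(key|nonce|ctr).
    It stands in for the real per-hop cipher and is not Tor's construction."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                 # fresh nonce per layer
    return nonce + _toy_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _toy_xor(key, blob[:16], blob[16:])


def build_onion(circuit: list, destination: str, payload: str) -> bytes:
    """circuit: [(relay_name, key_shared_with_client), ...], entry relay first.
    The innermost (exit) layer carries the destination and the data; every
    outer layer carries only the next relay's name plus the sealed inner layer."""
    layer = seal(circuit[-1][1], json.dumps({"next": destination, "data": payload}).encode())
    # Wrap outward: the middle relay's layer names the exit, the guard's names the middle.
    for (_name, key), (next_name, _next_key) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        wrapped = {"next": next_name, "blob": base64.b64encode(layer).decode()}
        layer = seal(key, json.dumps(wrapped).encode())
    return layer


def relay(circuit: list, onion: bytes):
    """Simulate the relays peeling one layer each. Returns the delivered
    (destination, payload) and a record of what each relay could observe."""
    observed = []
    blob, prev = onion, "client"
    for name, key in circuit:
        msg = json.loads(unseal(key, blob))
        observed.append({"relay": name, "saw_from": prev, "sends_to": msg["next"]})
        prev = name
        if "data" in msg:                  # exit relay: hands the request to the destination
            return msg["next"], msg["data"], observed
        blob = base64.b64decode(msg["blob"])
    raise ValueError("circuit ended before reaching the exit layer")


# Constructed three-hop circuit; keys would normally come from a key exchange.
CIRCUIT = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]


def demo():
    onion = build_onion(CIRCUIT, "www.example.org", "GET / HTTP/1.1")
    return relay(CIRCUIT, onion)


if __name__ == "__main__":
    dest, data, seen = demo()
    print("delivered to", dest, ":", data)
    for entry in seen:                     # the middle relay never sees client or destination
        print(entry)
```

Note that the exit relay does see the request in the clear, which is why the post’s later advice to use HTTPS on top still applies.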
Be warned, the Tor network is not for the faint-hearted. Tor is also used by criminals to share child pornography, black markets, racist forums, etc. Use it wisely. But can we be even more anonymous?
Virtual Private Networks (VPN’s)
A virtual private network (VPN) is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network.
VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.
The Wikipedia quote above pretty much sums it all up. The ideal situation is to use a VPN in addition to Tor. The best VPN services are usually paid. I prefer GhostVPN: http://cyberghostvpn.com/ and here’s a list of some other good VPNs:
SSL and HTTPS
A last tip: use the HTTPS Everywhere plugin for Firefox. This plugin makes sure your machine connects to every webserver (where possible) through an encrypted connection using the SSL protocol. Put very simply: it scrambles the text you send over the network, and only the receiving machine is capable of turning it back into readable text. For example, use Facebook securely: https://facebook.com, notice the ‘https’ prefix. This protects you from eavesdroppers on a local network, in a college house for example.
This is just a basic summary of internet security. But it already shows that a secure internet connection needs a lot of knowledge. Use this information to protect and secure your own privacy. Be anonymous, and enjoy. Any questions or remarks: comment below.
New HTC Wildfire ROM, a Gingerbread AOSP ROM based on version 2.3.4 r1.
- Added a patch-fix to prevent browser from crashing
- Used the Froyo libcamera.so library to get the camera app working; capturing video still gives force closes.
- Added a new ARMv6J-target to enable JIT compilation on Dalvik-VM (increase performance).
- Used the Froyo libgps.so library for use of the GPS antenna (use it outside first, otherwise you won’t get a GPS fix).
- A patch for SurfaceFlinger by the CyanogenMod team.
- A patch from Google to add a bunch of APNs that normally aren’t present.
- Tweaked memory usage for optimal CPU processing.
- Busybox (unix commands).
- Busybox run-parts installed.
- Enabled JIT.
- Self-compiled nFinity kernel
- Did some internal code-cleaning.
- Redesigned framework changed refresh variables for smoother animations
- Added a Honeycomb Launcher (SyndicateApps)
- Redesigned Lockscreen.
- Added RomManager. (Clockworkmod)
- Added FileManager (Cyanogen)
Download the Wild Ginger alpha release here: http://www.mediafire.com/?1aa4a48gii7clk4
Make sure your phone is rooted. Do a factory reset, wipe cache and wipe Dalvik cache from recovery. You do this at your own risk; you can’t hold me responsible for messing up your own phone. If you point your finger at me I may, and probably will, laugh at you. Btw: this is completely safe to flash, so don’t worry ;). First boot can take 5-10 min.
Enjoy, and let me know if you find other bugs at firstname.lastname@example.org or comment below.
- Updated: YouTube, RomManager, Adobe Reader, Google Maps, Market, ADWLauncher
- Added: Titanium Backup, Java (re-added, was gone in 1.2)
- Tweaked cool window animation: Menu > Settings > Display > Animation > choose “All animations”
- Fixed lockscreen (smaller slides)
- Redesigned the framework (notification bar, icons etc.)
- Fixed battery drain (v1.2 drained the battery too fast)
- Fixed popup bug (sometimes text was unreadable in a popup)
MAKE SURE YOU WIPE CACHES AND MAKE A NANDROID BACKUP
Found bugs or having problems? Comment below or contact me.