Repeat of history for Apple
I think Android is making gains against iOS in the same fashion now as Windows did against Mac OS in 80s. Back then Mac OS ran only on Macs; now iOS only runs on iPhone and iPad… and I fear that this closed system approach would lead to the repeat of history. As much as I love Apple products, the tsunami of Android phones will only get better. Apple might be a trend setter, but with its current approach, it’s daring to compete with an army of manufacturers and open-source contributors on its own. And when an open-source operating system is as good as Android, I don’t think Apple’s win is likely.
Source: http://tinyurl.com/26ln4p9
Android Security – what is out there?
I have been doing some research lately on the security of Android platform. I recently presented to a group of security researchers on the state of security applications available in Android Marketplace, and what can possibly be done in terms of security on Android application level. My presentation contains more details; the summary of my major findings goes below:
- Most of the security applications (such as OI Safe, B-folder + sync, Secrets-for-android, etc.) available on Android platform at the moment focus on the encryption and secure storage of user generated content and data. They do not do anything on the system level. The primary reason for that is Android manifest only allows limited number of application permissions, thus possible permissions declarations in Android manifest define the upper boundary for what a developer can achieve with an Android app. Nothing more can be achieved, at least not on a phone, which is not rooted. (It’s a bad news if you want to do something with the network traffic, like monitor traffic etc.)
- Anti-malware apps (such as Smobile Security Shield, WaveSecure, etc.) offer some useful functionality, but it is nothing compared to what is offered by anti-virus software on PCs. Android anti-malware apps do signature-based and permission-based malware detection (more details in the presentation). However, I found permission-based detection quite pre-mature; it’s proved by Smobile security report that 29 apps on Marketplace require the same application permissions as known spyware apps do. Thus, it clearly shows that reliance on permission-based detection will lead to a greater number of false-positives.
- Some new apps (RedPhone, SecureText, etc.) implement encrypted phone calls and text messages. However, there is no way to replace the default phone or text messaging applications pre-installed on Android unless the phone is rooted. Therefore, the possibility of being more creative with user authentication (such as authenticating users with accelerometer & GPS sensors instead of typed passwords) is simply not possible (at least until Android 2.2).
Smobile Android security report revealed some astounding numbers very recently that I found quite remarkable. Such as:
- About 20% of 48,000 apps in Android Marketplace allow a third-party application access to sensitive or private information.
- 5% apps can place calls to any number without user interaction.
- 2% apps can send text messages without user interaction.
- 29 apps require the exact same permissions as applications that are known to be spyware.
- 383 apps have the ability to read and use the authentication credentials from another app or service.
One could argue that Android does show all the required permissions to users at time of app installation, thus users should be able to recognize malicious apps. However, one could counter argue if the users really read the application permissions at install time? Even if they do, when do they do it? I haven’t come across any user studies addressing this questions yet, but my gut feel says, majority of the users probably don’t check all permissions of all apps, and I believe, that ratio of users will go significantly down for the case of app updates. Who has the time to keep track of all permissions for all updates of all apps?!? I don’t!
Moreover, how can a user know if the app really needs access to his phone-records without trying the app in the first place! Moreover, the way Android marketplace security model is put in place, it will almost always be true that a decent number of users will be trapped into a scam (if the app is malicious) before the malicious behavior of the application is recognized and appropriately dealt with.
Application authority disclosure on smartphone platforms is still an open question that in my personal opinion needs revolutionary ideas! However, one thing is certain that users surely don’t like paragraph and outline styled permission disclosure, as found out by this user study. Instead, designs with images could surely prove as game-changer.
Attachement: Android Security Presentation
Crypto nerd imagination
This sounds like that “US special million dollar pen that works in space Vs. Russian pencil” example…
Fascinating Steganography
Masked Letter: http://www.lettersofnote.com/2009/10/masked-letter.html
I wonder how much effort it would require to even come close to this. Moreover, doing it with your own hand writing requires no less than perfection. Mind blowing indeed!
P.S. I’ll keep updating this post with more links to other fascinating steganographic material.
Sticky AES tells its story
What a fantastic way of explaining AES! Loved reading it.
http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
![[Chrome3stableV8.PNG]](http://3.bp.blogspot.com/_7ZYqYi4xigk/Sq_HobZ0YNI/AAAAAAAAEh0/ARcrVsTFCZU/s1600/Chrome3stableV8.PNG)
Why unverified torrents are unsafe?
Many of the torrent distribution/search websites (such as mininova.org, torrentz.com) mark their torrents as “verified” (hint: a green colored check mark). By definition, a verified torrent is the one which comes from a trusted source sharing legitimate files. Please note that not all but only known group’s torrents are marked as verified sources.
As most of the users would know, one can check the contents of a torrent file when he opens it using a Bittorrent client. However, what many people don’t realize is that even if the torrent file only contains a single video file inside its contents (a 700 MB movie file if you are downloading a standard DVDrip movie) and no executables, you are still potentially at risk! The video, if opened via Windows Media Player, can redirect the user to any arbitrary site and download a trojan on a computer. And here is how it works:
1. User downloads a movie file (.avi) using Bittorrent.
2. User opens it using any random media player (let’s say VLC player). The video would usually display, “Use Windows Media Player” and not play any video content.
3. The above message probably would only make a computer techie suspicious. Most of the users will just open it the way it says i.e. with Windows media player without giving it a second thought. Let’s assume that the user opens it with Windows Media Player! And that’s basically it.. the user is framed.
4. It exploits Windows media player’s security loophole and opens up an illegitimate website (wmvlicense.com in my test case) via default browser and pretends that it is downloading a corresponding license to play the video file. The website asks (if doesn’t do it automatically) the user to download a codec upgrade/installation file, and that actually turns out to be a Trojan!!
How does it exploit Windows media player’s weakness?
Normally when a user tries to play a protected Windows media file, and a valid license is not stored on a computer, the application will look for it on the internet, so that the user buy access to copyright-protected content. This new technology is incorporated in the latest Windows Media Player 10 update as well as XP SP2.
If the user runs a video file that is infected by one of the “DRM Trojans”, they pretend to download the corresponding license from the net. In reality users are redirected to sites that take advantage of Windows vulnerabilities to download spyware, adware, premium-rate diallers and other viruses onto victim’s machines.
The illegitimate website (that I was redirected to in my experiment) branded itself as a Microsoft website and it even had a usual blue-theme used by microsoft.com. However, I found out that the website actually used PHP and not ASP.Net – and that was fishy enough for me to not download it; McAfee Site Advisor confirmed it here.
My software development background helped me uncover the mini-monster, but everyday users can seek help from McAfee Site Advisor service before downloading anything in tricky situations. McAfee and other anti-virus companies actually maintain a list of websites and mark them as bad if they host spywares, viruses, trojans etc. Downloading McAfee’s in-browser toolbar or checking for website’s legitimacy online might help a few if not many.
Safe surfing/downloading!
