Wednesday, 25 March 2015

Android Security: A Big Concern go Unnoticed by Smartphone Users

As we all know, we are in the world of Internet. Whoever don't have access to Internet or WWW is looked up as orphan in this digitized world. With kids growing up with high-end tech, the penetration of Smartphones is inevitable. The vast majority of smartphone comes loaded with most popular Open Source Operating System, Android, owned and developed by Google. A desktop Operating System tweaked to fit hand-held device. Good and sweet to carry a PC power in pockets. But any tech will come with its own cost.

Rooting your Android Device:

Well! The huge buzz about the Android OS is level of customization. When Android raced with IOS, the Android won users with option to customize the Android experience ( I don't wish to start war of word with which is best?). Android OS customization and tweaking to adapt to users requirements has earned its market share.

One of most popular method to unlock the potential of Android OS is to Root your Device to get Admin privileges as we do in Linux system. It would help to hibernate apps, uninstall bloatwares which comes loaded with your phone, to create swap partition, and etc. Many loved to root the Android Devices. Yet it had its own disadvantage.

Once rooted, any app which request for root permission could sniff out confidential data. Even sensitive information could be compromised. Yet, advocates of Android would state that the app need permissions from the users. So it is user who must act responsibly. But the talk does not end with apps which we grant SuperUser privilege. The Apps which we download from Google Play Store might deduct rooted devices and sniff out data as most users grant permission to those apps. The situation is users can't miss a particular app from his Smartphone. So the permissions are forced upon the users by Software Vendors.

And the apps which we use to root our device might compromise our data. Who knows whats been taken out of  your device, the application got its right to work with your device! So beware, whenever you install an app that too not from Google Play Store, know that you risk your device and sensitive data.

Whatsapp Calling:

People who use popular messaging application Whatsapp would have received links from friends and unknown person to install a software to their Smartphones to enable "Whatsapp Calling feature". I wonder some tried it without realizing that such feature could be added by Facebook with an update from Play Store. It was too late. Most of them lost sensitive information from their smartphones. It stole sensitive information from users to be stored in third party server.

Remember, not only Whatsapp, all such apps are vulnerable to such hacking attempts. With Android users added exponentially, the hackers have found pasture in this field. From PC attack, the mode has be switched to mobile attacks.

Malicious App from Play Store:

The recent revelation that Facebook private pictures could be sniffed out of your Smartphone has raised alarm among Security Researcher who work on Smartphone security.  With unlimited privileges any of your favorite app could gain access to your Smartphone temple. One such example was the Facebook private picture leak.

But not all app would be stealing data. In Play Store, we found many responsible developers who explains the need of such permission when posed with a question. Some open comments could draw developers voice in to Play Store Market. Yet, few grey developers try to sniff out data from app users.

Beware of the purpose of Smartphone:

Last but not the least, make yourself sure about the purpose of your Smartphone. Limit the number of Apps. It might have a potential of PC, yet it is phone. With access to mic, sdcard storage, call information, any app could record your voice calls and upload them when ever you get connected to Internet. Judicious use would fetch more benefits. Beware of what you use and how you use. 

Sunday, 22 March 2015

Google Stops Security Support For Android 4.3 and Earlier!

Google has stopped security support for Android devices which run 4.3 or earlier version. The default internet browser vulnerability unearthed recently could bug almost more than half of the Android devices. The move signals that the Google is planning to concentrate on the current software and focus more on future products than hogging its mind on outdated issues and problems.

Google which is well known for it security as well as encryption of email has recently took cognizance of the security flaw reported in the old default web browsers of the Android which was fixed by September, 2014. Later another bug was discovered which was reported for patch to Google. But Google turned down the bug stating that "we generally do not develop patches ourselves for web browser in Android 4.3 or earlier". However, it did not rule out the possibility of patches by other developers.

Google's decision to abandon older versions of Android has left many devices at lurch. It will increase the risk for exploitation by hackers. Since most people use old devices, the reported bug will increase the security risk of smartphone users.

Android need to move for Long Term Support (LTS)

Android which has created huge buzz when it comes to mobile computing has brought wide sweep to the mobile market culture. The one who doesn't own a smartphone is considered as serious identity crisis. But these developments has brought inherit security risk which each Operating system pose to its users.

With Android release on the way, the new devices are brought down to the category of old devices in the market. With more and more new releases, it would be stuck in recursive loop of development rather than providing support to the users. 

Time has arrived for Google to reconsider the Android Strategy. Instead of short new releases, Google must provide a Long Term Support for new Android releases. Any new development will come with its own bugs and so the security risks. In order to avoid exposing users to such risk, Google might chart out a strategic plan for the next release of android with Long Term Support to patch security risk and flaw which would help in improving Android User experience and also will help to create next version Android free of bugs. The present strategy to abandon older version will make dent on Android.

Mobile Security: Hackers Steal Mobile Payment data In China

China, one of largest market in the world, home to 649 million Internet users with millions of users being added every month. With high Smartphone penetration into the life of people, the money transactions through mobile payment services are inevitable. Comparing the internet payments, mobile payments may surpass in next 2 years. It was evident from the growth of Smartphone market.

While any benefit technology brings home will not come free of its own shortcomings. The days when the computers were target by hackers to steal confidential information were the past. With advent of mobile Operating Systems (OS), most of the human internet life is spent on Smartphone than on the PC. The convenience, portability and accessibility has lured users to adapt Smartphone while neglecting the risk associated with them. Here are few ways the hackers try to steal mobile payment data from your Smartphone.

Fraudulent Wifi


The most common trick the hackers tend to employ is setting up a free Wifi network. Chinese Internet users tend to make payments and bank transfers on-the-go via public Wifi networks. The reason is obvious. The Wifi is free to use and available when ever needed. Hackers started placing Fraudulent Wifi connection in the Shopping malls, multiplex entertainment centers.

When any person connects to such fraudulent Wifi network, all personal information from the Smartphone are sniffed out. The worst is when user make any purchase, hackers can steal the account data. Any Sniffers with promiscuous mode would suit the job to extract personal information that are travelling through Wifi network.

QR Codes with Virus


It is wildly used in Chinese Internet users to find friends, make payments, exchange information, redeem coupons. Hackers have started embed a virus to QR codes so that anyone scanning them will automatically download a virus to their smartphones. Personal information from phone numbers, contacts, mailing addresses to banking details and passwords would be stolen in seconds once the virus sits on the Smartphones. Any message or email stating to scan a QR code must be done with caution. The source of such message must be known before scanning them.

Phishing Website Attack


Most popular method among hackers, employed to steal confidential information from the users. The fake website which would appear as if the original website, will be presented to the end-user either through an email or a link. The user will be lured to enter confidential information to find oneself that the hackers have tricked them to disclose sensitive data. These fraud is commonly used against Internet banking users. Though, security agencies have beefed up security measures to counter the phishing threat, it still pose a serious threat. The customer who are unaware of the internet security usually end-up with phishing websites.

Firefox, Chrome, Safari, IE exploited


Firefox, Safari, Chrome and Internet Explorer all fell within than a second

Security Vulnerabilities in every one of the four big browsers were exploited in a Hacking Contest to remotely execute arbitrary code on Windows PC.

But the vulnerabilities were never made public. It was disclosed privately to the concerned parties mostly the software makers to release patches as soon as possible. In the interest of public at large, the details were not disclosed.

South Korean Security Researcher Jung Hoon Lee, who ised the handle "lokihardt" won a hooping $225,000 who left Vancouver with huge bank balance.

The time-of-check to time-of-use (TOCTOU) vulnerability and a sandbox escape through privileged Javascript injection to get past Windows Security Software and pull of medium-integrity remote code execution with the same privileges as logged-in user. 

Further, the buffer overflow bug of stable and beta versions of Google Chrome were used to execute full system level remote code execution.

Later, the finale Apple's Safari was pawned. With use-after-free(UAF) vulnerability using a uninitialized stack pointer to perform remote code execution on OS X won him the contest.

The Mozilla Firefox was compromised with in a second. The out-of-bounds read/write vulnerability leading to medium-integrity code execution in the browser.

The contest was a win-win situation for the hackers and the software vendors. The people who cracked earned a decent cash while the software vendors gained by knowing the vulnerability so they can release patches for the end-user.

Saturday, 21 March 2015

Text that Crash Google Chrome browser in Mac

If you are using Mac, then beware that Google Chrome Web browser will crash the moment it try to render special character. Here is the link for the error, open bug ticket on the Chromium product which details the issue.

The issue rose up when Google Chrome on Mac crashed trying to render obscure language. Hence, if you open any blog post, twitter or email with those obscure characters, you end up crashing the Chrome. But this bug is limited to Chrome on Mac. The users has reported that such obscure character didn't bother when rendered through Apple Safari. Instead of those special characters, boxes ([]) were displayed for the page title and text.

The windows version of Google Chrome were fine with the obscure characters. Those who use Chrome on Mac reported the issue. Hope, it is fixed soon.

GitLab acquires Gitorious

GitLab, rival of GitHub, acquires Gitorious

GitLab has acquired Gitorious, a repository management system which would leverage GitLab to compete against other commerical and propriety repository management system. The acquisition has knocked the strong hold of GitHub which is the most popular among the collaborative code repositories.

The acquisition not only leveraged the GitLab resourced but also added the huge user base. Now, GitLab has close to one million users. Those users include open source projects such as Opensuse and AT&T and Expedia, etc.

The exact figures for which the deal was done is yet to be known. So the existing Gitorious will shut down by June and its customers can migrate to GitLab. As well the staff currently working on Gitorious won't be joining GitLab, although GitLab expects to collaborate with them.

Cyanogen Teams with Qualcomm and Alcatel

Cyanogen partners Qualcomm and Alcatel


Earlier this year, Cyanogen, developers of Cyanogen OS, a free smartphone operating system based on Android, broke up with handset maker OnePlus. While many believed that this was a blow to the Cyanogen, to our surprise, it recovered by inking a good deal with popular chip maker Qualcomm, the famous smartphone device chip maker.

The deal will pave way for select features and UI elements from Cyanogen OS to be installed on Qualcomm's upcoming reference designs powered by QualComm's Snap Dragon 200, 400 and 600 processors. The reference designs are a way for smaller companies to pick up smartphone templates and release then under their own brand.

Further, Cyanogen teamed up with handset maker Alcatel to install Cyanogen OS on Hero 2+ smartphones that will be made available in the U.S market this spring. The trend of Cyanogen OS getting moment with various handset manufacturers experimenting them at production level. If such trend continue, the prominence of Android will take a deep dent in the smartphone market. The local smartphone makers are keen on improvising smartphone user experience which lead to installation of Cyanogen OS at production level. The level of customization has attracted Android users towards Cyanogen smartphones.