Last week Bluebox Security published details of an Android vulnerability that affects up to 99% of all Android devices. I wrote about it on Infosecurity Magazine here. It’s a code signing flaw that allows attackers to trick the device into accepting an update as an official update even when it isn’t. The fractured nature of the Android market makes it difficult to fix – different manufacturers use different versions of the operating system, and it is likely that some manufacturers won’t bother fixing it at all.
The immediate workaround is to avoid side-loading. It will be difficult for attackers to use the flaw to get a maliciously modified app into the Play store. But not – nothing ever is – impossible.
Now Bluebox has come to the rescue with a new free app. It doesn’t negate the flaw, but will help you know if you’ve been done. Firstly, it allows you to check to see if your device has been patched. But, “It will also scan devices to see if there are any malicious apps installed that take advantage of this vulnerability,” writes Jeff Forristal, Bluebox CTO, in a blog posting today.
Back in April Google amended its Google Play developer policy. It was a simple addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”
Simple, but far-reaching. At a stroke, it eliminated the growing threat of ‘silent updates’ to Android apps. At the time, many people thought it was specifically aimed at arch display advertising rival, Facebook. It probably was.
Facebook had been secretly experimenting with silent updates to its new Facebook Home app. Once an app has been installed with acceptable and accepted permissions, it is able to update itself with new and expanded permissions secretly (silent updates); that is, without telling the user what was happening, or what new permissions were being enacted.
But by forcing those updates to go via the Play Store, Google is able to stop them being ‘silent’. Good job, really. Facebook’s Android app has been updated — but provided you got it from Play, it cannot update itself silently.
Sarah A. Downey, a lawyer and privacy strategist with Abine, wrote a simple blog post: eighteen words and a graphic compilation of three screenshots:
Her comment: “Really, Facebook? Three screens of permissions? No thanks. We don’t have that kind of relationship.”
Says it all really. If Google hadn’t insisted on updates via Play, you might never have known about this update. And if you side-load an app — for example, straight from Facebook — you might still never know about it.
So, two lessons: get your apps from Play; and dump Facebook anyway.
Years ago, when broadband first arrived, security experts warned of the dangers inherent in ‘always on’. That danger has increased exponentially with the rise of smartphones and their always-on sensors and cameras. Now a new proof of concept demonstrates the potential of 3D mobile spyware.
‘Proofs of concept’ (POCs) are developed by researchers to demonstrate what could be done in the future, in order to aid legitimate new development and to help anti-malware vendors produce defenses against less legitimate developments. What a new paper from researchers at the US Naval Surface Warfare Center in Crane, Indiana, and scientists from the University of Indiana demonstrates is spyware science fiction come true: a 3D visual map of the victim’s environment.
“We introduce,” say the researchers, “a proof-of-concept Trojan called ‘PlaceRaider’ to demonstrate the invasive potential of visual malware beyond simple photo or video uploads.” The paper describes an Android app (but suggests the concept will work equally well on iOS and Windows Phone), which it calls PlaceRaider, and “which we assume is embedded within a Trojan Horse application (such as one of the many enhanced camera applications already available on mobile app market places).” This app can then secretly and silently take photographs via the Android phone, and send them back to a C&C server for 3D processing.
PlaceRaider does three things. It collects orientation data from the Android’s sensors (“related to the accelerometers, gyroscopes, or magnetometers that a phone possesses”) in order to easily relate different photographs. It then surreptitiously takes photographs – in this case, one every 2 seconds. To remain unnoticed, it uses low resolution (so as not to use too much of the phone’s power), and temporarily mutes the shutter sound while the photo is taken. Finally, it uses a special algorithm to judge the quality of the photographs, discarding poor ones and transmitting the good ones.
Back at the main server, the received photos are compiled and used to construct a 3D map of the target’s location. Subsequent tests with volunteers showed that recognition of ‘points of interest’ is much higher from the 3D map than from static photos. However, since the original photos are of low resolution, further capabilities allow the attacker to use the orientation data to instruct the phone to take and transmit a high-resolution photo on demand – perhaps an open cheque book, or exposed documents.
The attraction of such spyware for both intelligence agencies and criminals is obvious – but the report also shows that there are easy defenses that the OS and hardware manufacturers could implement: making it impossible to mute the shutter sound, introducing permissions for collecting data from the sensors, and ensuring that photos can only be taken by physical interaction with the user. Furthermore, “There is no logical motivation for users to intentionally take poor-quality photos that have any combination of improper focus, motion blur, improper exposure, or unusual orientations/twist” – making heuristic detection of PlaceRaider by the anti-malware vendors a distinct probability.
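The heuristic the paper points to (users have no reason to take badly focused or badly exposed photos) can be turned into a simple detector. The following Go program is an added example written for this page; it is not code from the PlaceRaider paper or from any anti-malware product. It scores each capture with a Laplacian-variance focus measure and a mean-brightness exposure check, adds the two behavioural signals the text describes (muted shutter, fixed capture cadence), and runs over constructed sample sessions. The thresholds (focus variance below 50, brightness outside 30..225, three or more poor shots, cadence jitter of 0.5 s) are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Capture is one photo as an on-device heuristic would see it (constructed data).
type Capture struct {
	T            float64     // seconds since the app started
	ShutterMuted bool        // the app silenced the shutter sound for this shot
	Pixels       [][]float64 // greyscale image, 0..255
}

// LaplacianVariance is a standard focus measure: sharp images have strong edges,
// so the Laplacian varies a lot; blurred or flat images score near zero.
func LaplacianVariance(img [][]float64) float64 {
	h := len(img)
	if h < 3 || len(img[0]) < 3 {
		return 0
	}
	w := len(img[0])
	var vals []float64
	for y := 1; y < h-1; y++ {
		for x := 1; x < w-1; x++ {
			vals = append(vals, 4*img[y][x]-img[y-1][x]-img[y+1][x]-img[y][x-1]-img[y][x+1])
		}
	}
	var sum, ss float64
	for _, v := range vals {
		sum += v
	}
	mean := sum / float64(len(vals))
	for _, v := range vals {
		ss += (v - mean) * (v - mean)
	}
	return ss / float64(len(vals))
}

// MeanBrightness is a crude exposure measure.
func MeanBrightness(img [][]float64) float64 {
	var sum float64
	n := 0
	for _, row := range img {
		for _, p := range row {
			sum += p
			n++
		}
	}
	if n == 0 {
		return 0
	}
	return sum / float64(n)
}

// IsPoorQuality: out of focus or badly exposed (thresholds are assumptions).
func IsPoorQuality(img [][]float64) bool {
	b := MeanBrightness(img)
	return LaplacianVariance(img) < 50 || b < 30 || b > 225
}

// AssessSession combines the quality heuristic with two behavioural signals.
// Two or more signals flag the session as covert capture.
func AssessSession(caps []Capture) (bool, []string) {
	var reasons []string
	poor, muted := 0, 0
	var ts []float64
	for _, c := range caps {
		if IsPoorQuality(c.Pixels) {
			poor++
		}
		if c.ShutterMuted {
			muted++
		}
		ts = append(ts, c.T)
	}
	sort.Float64s(ts)
	if len(ts) >= 3 { // need at least two gaps to call the cadence periodic
		lo, hi := ts[1]-ts[0], ts[1]-ts[0]
		for i := 2; i < len(ts); i++ {
			g := ts[i] - ts[i-1]
			if g < lo {
				lo = g
			}
			if g > hi {
				hi = g
			}
		}
		if hi-lo <= 0.5 { // fixed cadence, like PlaceRaider's one shot every 2 seconds
			reasons = append(reasons, fmt.Sprintf("periodic capture every ~%.1fs", (lo+hi)/2))
		}
	}
	if poor >= 3 {
		reasons = append(reasons, fmt.Sprintf("%d poor-quality captures", poor))
	}
	if muted > 0 {
		reasons = append(reasons, fmt.Sprintf("%d captures with shutter muted", muted))
	}
	return len(reasons) >= 2, reasons
}

// Checkerboard (sharp) and Uniform (flat, no edges) are constructed test images.
func Checkerboard(n int) [][]float64 {
	img := make([][]float64, n)
	for y := range img {
		img[y] = make([]float64, n)
		for x := range img[y] {
			if (x+y)%2 == 0 {
				img[y][x] = 255
			}
		}
	}
	return img
}

func Uniform(n int, v float64) [][]float64 {
	img := make([][]float64, n)
	for y := range img {
		img[y] = make([]float64, n)
		for x := range img[y] {
			img[y][x] = v
		}
	}
	return img
}

// CovertSession: five dark, flat shots, two seconds apart, shutter muted.
func CovertSession() []Capture {
	var caps []Capture
	for i := 0; i < 5; i++ {
		caps = append(caps, Capture{T: float64(2 * i), ShutterMuted: true, Pixels: Uniform(8, 5)})
	}
	return caps
}

// NormalSession: two sharp photos, 37 seconds apart, shutter audible.
func NormalSession() []Capture {
	return []Capture{{T: 0, Pixels: Checkerboard(8)}, {T: 37, Pixels: Checkerboard(8)}}
}

func main() {
	for _, s := range []struct {
		name string
		caps []Capture
	}{{"covert", CovertSession()}, {"normal", NormalSession()}} {
		flagged, reasons := AssessSession(s.caps)
		fmt.Println(s.name, flagged, reasons)
	}
}
```

The focus and exposure tests are per image; the cadence and muted-shutter tests are per session, because a single blurry photo is normal while a stream of them taken on a timer with the shutter silenced is not. A real anti-malware heuristic would read these signals from camera and audio API hooks rather than from constructed pixel arrays.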
Hat tip to Daniel Gyenesse for pointing me to the story.
Microsoft once ruled a roost that is now dominated by that great cock, Apple. Apple dwarfs all other technology – in fact, all – companies. And Microsoft is jealous.
Apple’s secret is that it owns both the hardware and the software; and is a must-have brand. Microsoft owns only the software; and for many is a must-not-have brand. None of this is written in stone.
But Microsoft’s solution is just plain wrong. It is planning to build its own tablet, to compete with the iPad and Android.
This would be a mistake. Microsoft should remember its roots (software) and its history (it destroyed IBM’s PC-DOS, and the IBM PC, by making MS-DOS available to any and all hardware manufacturers; but made none itself). Google has learnt this lesson. Android is the antithesis – and possibly the ultimate nemesis – of iOS. It is open, cheap, and available to all hardware manufacturers.
Microsoft’s latest plan for its own tablet will merely hasten its own demise. Already, MS-fanboy Acer has said, “If Microsoft is going to do hardware business, what should we do? Should we still rely on Microsoft, or should we find other alternatives?” There’s some sort of advice here: if you want to rule the roost, don’t shit in your own hen-house.
Josh Ruben has shown a pretty basic security design flaw in Google’s Android Wallet. Google says it’s not really a problem, and Ruben says “Oh yes it is.” I don’t want to go into the details of this vulnerability because I’ve written about it on Infosecurity Mag here: Google Wallet vulnerable to brute forcing the PIN. But what I do want to consider is to what extent we will choose convenience over common sense.
Common sense says we should never trust a mobile phone. We lose them. We leave them in taxis. They’re stolen. And it doesn’t matter what security they have or how secure they are supposed to be, once they are out of our control we have absolutely no way of knowing what is or can be done to them. Common sense should tell us that everything on a mobile phone is vulnerable once it is out of our control.
So how come the mobile phone is increasingly used to store personal data, banking information, and even virtual money? The answer is simple. It’s cool and convenient; especially for the young.
I think we need to accept this. Our virtual identity will increasingly migrate to the smartphone, and we won’t – and perhaps even shouldn’t – be able to stop it. The best we can do is increase and maintain a level of distrust. We may have to use this virtual wallet containing our money, our identity, our life – but we should never, ever trust it.
Last week’s news stories (Jan 30 to Feb 3):
Security researchers break satellite phone encryption
German researchers have cracked 2 satellite phone encryption codes – huge implications.
EU publishes 10 Myths about ACTA
EU says ACTA ain’t bad, just misunderstood.
VeriSign repeatedly hacked in 2010
VeriSign was repeatedly hacked in 2010, and never even told its own senior management.
Science and Technology Committee publishes Malware and Cyber Crime report
Commons committee makes recommendations on how to tackle cybercrime.
New development in post-transaction banking fraud
Banking malware now seeks to divert telephone calls between banks and customers.
Counterclank is not malware, just aggressive adware
Contrary to Symantec’s initial claim, Android’s Counterclank (Apperhand) is not a trojan.
Major UK companies still not blocking porn namesakes
UK companies remain open to cybersquatting by YourBrandName.xxx
New Forrester Report: Big Data Risks
Forrester describes how to secure Big Data.
Resilience is the key to security says World Economic Forum
WEF suggests a holistic view of resilience to risk rather than an isolated view of prevention.
A call for a new standard in infosec training and awareness
We need a new standard to improve security awareness in users.
IE6 users: no longer caught between a rock and a hard place
A new product allows legacy IE6 applications to run in new versions of the browser.
75% of all new malware are trojans
PandaLabs 2011 report is full of facts, figures and information.
Spam and phishing are growing problems: DMARC has the answer
A new standard is being developed to help stop spam and phishing.
CSO Interchange: Cloud concerns are largely propaganda
Misunderstandings about the cloud make it seem a problem rather than an opportunity.
Up to five million Androids infected with Counterclank
Android’s largest ever infection reported by Symantec.
I’m not behind Kelihos botnet, claims Sabelnikov
Man named by Microsoft says I didn’t do it, guv.
There is a new jailbreak for the Apple 4S called Absinthe (a strong alcoholic drink prepared from wormwood and largely banned for its toxicity). I have written about this for Infosecurity Magazine here.
But what I want to consider now is perhaps more philosophic: is a jailbroken iPhone basically an Android? Opinions vary.
David Harley, the independent researcher behind the Mac Virus website, thinks ‘not really’. Jailbreaking alters the kernel of the Apple device. If this is done you would get no further support from Apple. As a result, software that really requires co-operation between the developer of the software and the developer of the hardware would be at a disadvantage. Anti-virus software running on a jailbroken Apple, for example, would suffer. “So no,” he says, “jailbreaking isn’t precisely analogous to an unrooted Android: while most Android AV is pretty patchy in performance, you can get AV that could be described as commercial standard.”
But yes, thinks Luis Corrons of PandaLabs. “At the end of the day, the main difference between both platforms is that Android gives me, as a user, the option to decide what applications I want to install.” Confirming his view, Luis has a jailbroken iPad 1 and used to use a jailbroken iPhone 3GS (which he has now replaced with an Android Galaxy SII).
Kaspersky’s David Emm has a similar view. “It’s the commercial models taken by Apple and Google that are different.” The result of these commercial differences is that a jailbroken Apple has access to hundreds of thousands of secure apps plus a few hundred unknown apps from the Cydia Store. Android users have access to hundreds of thousands of unknown apps. The inference I draw, unstated by David, is that a jailbroken iPhone remains more secure, albeit more restricted, than an Android.
So what can we conclude? Not a lot really. If you jailbreak an iPhone you can technically gain the freedom inherent in an Android – but since most users will still be limited to third-party apps, you don’t gain many more. And you lose the security of the iPhone. In the final analysis, you simply pay your money and take your choice: Apple if you want security; Android if you want freedom. Jailbreaking seems to give you neither.
Absinthe download (unchecked, unverified)
Two separate bits of news that caught my eye are Google’s purchase of PittPatt (a face recognition company as reported by the WSJ), and Entrust’s release of a digital certificate system for smartphones.
Google has acquired a seven-year-old company that develops facial-recognition technology for images and video, though the Web-search giant didn’t say what it plans to do with it.
Google Acquires Facial Recognition Technology Company
What will it do with it? Is it going to add it to Google+ in the same way Facebook introduced face recognition last year? Or will it be built into Android? (Could be both, of course, just like it could equally hive off into a new profit centre offering facial biometrics and recognition to law enforcement and border agencies…).
Moving on, Entrust yesterday announced that ‘Entrust IdentityGuard strengthens mobile security with device authentication, network access (VPN), SMIME and application security — all with self-service capabilities’.
You have to look at the detail here. This is a self-service digital certificate for smartphones: “Authorised employees, staff or contractors simply log in to the Entrust IdentityGuard Self Service Module to enroll their mobile device — compatible platforms include the Apple iPhone, Apple iPad, Android, BlackBerry, BlackBerry PlayBook and more — and are issued a digital certificate.”
The problem is that a digital certificate authenticates the identity of the device, not the person using it. I asked Bill Connor, President and CEO of Entrust, to elaborate on the security of the digital certificates themselves.
The Entrust IdentityGuard Self-Service Module offers end users a simple and consistent way to enrol for and install certificates and keys for network access and secure email on their mobile devices. The certificates and keys are stored within the devices’ native certificate stores and can therefore be leveraged by native device applications such as VPN clients and email clients. Private keys are thus protected according to the mechanisms employed by the mobile device OS.
But what if the device is lost, stolen or cloned? Could it be used as an authenticated device by an unauthenticated user?
As the private keys are stored natively by the mobile device, they are protected against device cloning and theft according to the mechanisms employed by the mobile device vendor, including device PIN protection, password protection and hardware-derived keys for the certificate store. Certificates issued to mobile devices may be easily and immediately revoked by both administrators, through IdentityGuard WebAdmin, and users, via the IdentityGuard Self-Service Module, if/when users become aware of device theft or compromise.
Notice those two key phrases: ‘according to the mechanisms employed by the mobile device OS’ and ‘according to the mechanisms employed by the mobile device vendor’.
So what we have here is an excellent product from Entrust that will authenticate the device and is perfect for business use; but is reliant on other systems for authenticating the user to the device. But the only way you can really authenticate the user is with biometrics – so we’re back to PittPatt.
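To make the device-versus-user distinction concrete, here is an added example in Go; it is not Entrust’s code and does not model IdentityGuard’s internals. A toy CA stands in for the enterprise certificate authority, a device enrols and receives a certificate naming the device, the device proves key possession by signing a server challenge, and an administrator revokes the certificate after a reported theft. The device name ‘device-1234’, the serial number and the in-memory revocation map are assumptions for the example; a real deployment would publish revocation through a CRL or OCSP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DevicePKI is a hypothetical stand-in for an enterprise CA: it issues device
// certificates and keeps a revocation list in memory (assumption for the example).
type DevicePKI struct {
	caKey   *ecdsa.PrivateKey
	caCert  *x509.Certificate
	revoked map[string]bool // certificate serial -> revoked
}

func NewDevicePKI() (*DevicePKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Mobile Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DevicePKI{caKey: key, caCert: cert, revoked: map[string]bool{}}, nil
}

// EnrollDevice models self-service enrolment: a key pair is generated for the
// device (on a real phone it stays in the native certificate store) and the CA
// signs a certificate naming the device, not the person holding it.
func (p *DevicePKI) EnrollDevice(deviceID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.caCert, &key.PublicKey, p.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignChallenge is what the device does during VPN or mail authentication.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Revoke is the administrator's or user's response to a lost or stolen device.
func (p *DevicePKI) Revoke(cert *x509.Certificate) {
	p.revoked[cert.SerialNumber.String()] = true
}

// Authenticate is the server side: chains to our CA, not revoked, and proof of
// key possession. Note what it returns: the device name. Whoever can use the key,
// the legitimate owner or a thief with an unlocked phone, gets the same answer.
func (p *DevicePKI) Authenticate(cert *x509.Certificate, challenge, sig []byte) (string, error) {
	if p.revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("challenge signature invalid")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	pki, _ := NewDevicePKI()
	cert, key, _ := pki.EnrollDevice("device-1234", 42) // hypothetical device ID and serial
	challenge := []byte("server-nonce")
	sig, _ := SignChallenge(key, challenge)
	fmt.Println(pki.Authenticate(cert, challenge, sig)) // device-1234 <nil>
	pki.Revoke(cert)
	fmt.Println(pki.Authenticate(cert, challenge, sig)) //  certificate revoked
}
```

Everything the server learns comes from the certificate and the key: it learns which device is talking and that the key was usable at that moment. Who unlocked the phone is decided entirely by the OS lock screen and key store, which is the dependency the two ‘according to the mechanisms employed by...’ phrases above point at; revocation is the only lever the CA itself has once a device leaves the owner’s control.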
It is coincidence rather than conspiracy that I learnt of these two developments on the same day – but what a coincidence. Put the two together: facial recognition built into the operating system for user authentication, and Entrust’s easy-to-use and established certificate system for device authentication, and the result would be genuine security for mobile devices.
Two developments to watch, I think!
“I have been saying for years,” said Philippe Courtot, chairman and CEO of Qualys, “that we are simply not meant to be dependent on a huge complex operating system like Windows on the desktop; and that in the future, most of our computing will be done in the cloud.”
That prediction is now coming true with shrinking clients and expanding clouds. “Look at the audience of technology professionals in any conference,” he continued. “They’ve all got their iPads and/or their smartphones; and nothing else. You can get your email on your smartphone; and if you need to write a longer report you can use your iPad and Google Apps.” We no longer need, and probably never wanted, bloated operating systems on huge desktop computers that served primarily to shackle us to our desks.
We were actually talking about security and the cloud. Courtot’s point here is that because of the cloud, we now only need thin clients. This has two ramifications. Firstly, use of the cloud will, counterintuitively, make us more secure since thin clients can more easily be hardened; and secondly, tied-down clients have a head-start on open clients.
Think of this last point. As we enter the Second Computer Wars (the First Computer Wars was 25 years ago between Apple and Microsoft, and the theatre was The Desktop; this one is between Apple and Google, and the theatre is The Internet), we must remember that weapons have changed. In the first war, Apple lost because it was closed. But in this war we must ask ourselves whether that very closed nature is now an advantage. Philippe Courtot certainly seems to think so.
Today it is closed Apple versus open Android/Chrome. “Microsoft and Nokia will be left in the dust,” adds Courtot; they each took wrong turnings. Microsoft thought it could carry on with its old philosophy while Nokia never really committed itself one way or the other.
Android versus iOS. Open versus closed. Logic leans towards closed; my heart hopes for open.