Archive for the 'security' Category

Security Incentive For Device Upgrade

Friday, November 21st, 2014

Two Android security problems have hit the news over the last few days. The first is a problem with java.io.ObjectInputStream on ALL devices prior to Lollipop. It’s not a problem in itself, in that the user first needs to be tricked into installing a malicious app. The second is one such app, NotCompatible, that has been around […]

Majority of Top Paid/Popular Apps Have Been Hacked

Monday, November 17th, 2014

Arxan has a free State of Mobile App Security research report (pdf) that claims a very large proportion of the top paid/popular Android and iOS apps have been hacked. Hacked apps either have their IP stolen for use in other apps, have clones created, or are modified to remove payment mechanisms.

WebView Unbundling

Tuesday, October 28th, 2014

There’s an interesting post on ars technica on "Unwrapping Lollipop" talking to "high ranking members of the Android team" about changes to the OS. It includes a very useful breakdown of what’s now in the Android OS, what’s in Play services and what’s distributed via the Play Store.
 
Of particular interest is that WebView has been […]

Android Binder Subversion

Monday, October 20th, 2014

Some of the vulnerabilities in Android allow code to be run as root. Alternatively, if users root their device, malware can already run as root. However, what can such code then do?
Nitay Artenstein and Idan Revivo of Checkpoint Research have a new presentation and white paper on how intercepting IPC, via the Android Binder, can […]

Android Device Churn

Tuesday, October 7th, 2014

Bidouille has some great charts showing how Android version distribution has changed over time. They are based on values taken, over time, from Google’s own Android dashboard. However, remember there’s a possibility that these charts might not represent the actual distribution of devices, as not all devices (or users) access the Play Store.
 
What with few manufacturers […]

CERT Vulnerable Android App Naming and Shaming

Friday, October 3rd, 2014

I have previously written (here, here, here, and here) about Android apps that fail to validate SSL certificates. CERT has started to name and shame libraries and apps that their Tapioca tool has detected to be vulnerable to Man In The Middle (MITM) SSL attacks. There’s a blog post on how they have automated the […]

Another Android WebView Vulnerability

Thursday, October 2nd, 2014

Another day, another Android WebView vulnerability. This time it’s related to users who have enabled accessibility on their phones. This exposes two JavaScript objects, allowing remote code execution.
You might think this problem has low risk as not many people would enable accessibility features that are intended to assist users with disabilities. However, even I have […]

Same Origin Bypass and Android Apps

Tuesday, September 30th, 2014

There has recently been a high profile ‘Same Origin Bypass’ security issue regarding the Android browser, prior to Android 4.4 KitKat, that allows a client session on one site to affect a client session on another. TrendLabs have just posted some information that shows that this vulnerability has wider reach than first thought. Like me, […]