Android Fake ID bug exposes smartphones and tablets
Leo Kelion
An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user’s credit card data and take control of the device’s settings.
BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.
The company added it had alerted Google to the problem in advance to allow it to mend its operating system.
Google confirmed it had created a fix.
“We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users,” said a spokeswoman.
“After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project.”
It is not known what Google has done to fix the issue.
However, the many thousands of devices still running versions of the operating system ranging from Android 2.1 to Android 4.3 that have not been sent the fix by the relevant network operators and manufacturers remain vulnerable if their owners download apps from outside the Google Play store.
Forged signatures
BlueBox has dubbed the vulnerability Fake ID, because it exploits a problem with the way Android handles the digital IDs – known as certification signatures – used to verify that certain apps are what they appear to be.
The issue is that while Android checks an app has the right ID before granting it special privileges, it fails to double-check that the certification signature involved was properly issued and not forged.
Jeff Forristal, chief technology officer of BlueBox, likened the issue to a tradesman arriving at a building, presenting his ID to a security guard and being given special access to its infrastructure without a phone call being made to the tradesman’s employer to check he is really on its books.
“That missing link of confirmation is really where this problem stems,” he told the BBC.
“The fundamental problem is simply that Android doesn’t verify any claims regarding if one identity is related to another identity.”
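The flaw described above is a chain-of-trust check that links certificates by name alone. The following is an added example, not BlueBox’s or Google’s code, showing the difference between a checker that only matches issuer and subject names and one that also verifies each signature and compares the root against the trust anchor by key. The certificate format, the names “Root CA”, “Legit App” and “Attacker App”, the key seeds and the tiny textbook RSA (no padding, toy-sized primes) are all constructed for the demonstration; a real verifier would use a proper certificate library.

```python
"""Toy chain-of-trust verifier: name-only linking vs. signature verification.

Added example, not code from the article or from BlueBox/Google. Keys are
constructed toy RSA pairs and are NOT secure; the point is the chain logic.
"""
import hashlib


def next_prime(n):
    """Smallest prime >= n, by trial division (fine for the toy sizes here)."""
    while True:
        if n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def make_key(seed):
    """Constructed toy RSA key pair derived from a seed; far too small to be secure."""
    e = 65537
    p = next_prime(seed)
    q = next_prime(p + 1)
    while True:
        try:
            d = pow(e, -1, (p - 1) * (q - 1))
            return {"n": p * q, "e": e}, {"n": p * q, "d": d}
        except ValueError:  # e not invertible for this q; move to the next prime
            q = next_prime(q + 1)


def digest_int(data, n):
    """SHA-256 of the data as an integer reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest_int(data, pub["n"])


def tbs_bytes(cert):
    """Canonical 'to be signed' encoding of the certificate's claims."""
    return f"{cert['subject']}|{cert['issuer']}|{cert['pub']['n']}|{cert['pub']['e']}".encode()


def issue_cert(subject, subject_pub, issuer_name, signing_priv):
    """Create a cert naming `issuer_name`, signed with whatever key the caller holds."""
    cert = {"subject": subject, "issuer": issuer_name, "pub": subject_pub}
    cert["sig"] = sign(signing_priv, tbs_bytes(cert))
    return cert


def chain_by_names_only(chain, trusted_roots):
    """The flawed pattern: link certs by issuer/subject name, never check a signature."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    return any(chain[-1]["subject"] == root["subject"] for root in trusted_roots)


def chain_with_signatures(chain, trusted_roots):
    """Correct pattern: every link must verify under the parent's key, and the
    root must equal a trust anchor by public key, not merely by name."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
        if not verify(parent["pub"], tbs_bytes(child), child["sig"]):
            return False
    return any(chain[-1]["pub"] == root["pub"] for root in trusted_roots)


def build_scenario():
    """Constructed scenario: one genuine chain and one that only claims the CA's name."""
    ca_pub, ca_priv = make_key(1_000_003)
    app_pub, _ = make_key(2_000_003)
    atk_pub, atk_priv = make_key(3_000_003)

    root = issue_cert("Root CA", ca_pub, "Root CA", ca_priv)  # self-signed anchor
    legit = issue_cert("Legit App", app_pub, "Root CA", ca_priv)
    # The attacker does not hold ca_priv: this cert *says* "Root CA" issued it
    # but is signed with the attacker's own key.
    forged = issue_cert("Attacker App", atk_pub, "Root CA", atk_priv)
    return {"roots": [root], "legit": [legit, root], "forged": [forged, root]}


def evaluate():
    """Run both checkers over both chains; returns a dict of outcomes."""
    s = build_scenario()
    return {
        "names_only_legit": chain_by_names_only(s["legit"], s["roots"]),
        "names_only_forged": chain_by_names_only(s["forged"], s["roots"]),
        "verified_legit": chain_with_signatures(s["legit"], s["roots"]),
        "verified_forged": chain_with_signatures(s["forged"], s["roots"]),
    }


if __name__ == "__main__":
    for outcome, accepted in evaluate().items():
        print(f"{outcome}: {'accepted' if accepted else 'rejected'}")
```

The name-only checker accepts both chains, because the forged certificate’s issuer field reads “Root CA” and the chain ends in a certificate whose subject is “Root CA”. The signature-verifying checker rejects the forged chain at the first link, since the attacker could not produce a signature that validates under the CA’s public key. The same principle applies to the trust anchor itself: match it by key material, not by the name printed in the certificate.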
Image caption: Adobe Flash in Google Play. Apps that make use of Adobe’s Flash plug-in can have malware added to their code.
To make matters worse, he added, a single app can carry several fake identities at once, allowing it to carry out multiple attacks.
Mr Forristal gave three examples of how a faked certification signature might be used to cause harm:
The app pretends to be created by Adobe Systems – Adobe is granted the privilege of being able to add code to other apps in order to support their use of its Flash media-player plug-in. The malware can take advantage of this to install Trojan horse malware into otherwise authentic programs
The app uses the same ID used by Google Wallet – the search firm’s mobile payment software is usually the only app allowed to communicate with the secure hardware used to make credit card transactions via a phone’s tap-to-pay NFC (near field communication) chip. By exploiting this, the malware can obtain financial and payment data that would otherwise be protected
The app impersonates 3LM software – many manufacturers add their own skins to Android to customise their devices’ user interfaces and functions. In the past, HTC, Sony, Sharp, Motorola and others did this by using extensions created by a now defunct business called 3LM. By masquerading as 3LM’s software, malware could take full control of the relevant devices and both uninstall their existing software as well as adding spyware, viruses and other damaging content of its own
BlueBox made headlines last July when it revealed the Master Key bug – a coding loophole that could allow hackers to take control of Android devices. Cybercriminals were later spotted using the technique to target users in China.
Mr Forristal said he believed that the Fake ID flaw had the potential to be a bigger problem.
“Master Key did allow a whole device to be taken over… but the user had to be duped into a couple of decisions before the malware would be able to achieve its goal,” he explained.
“Fake ID unfortunately occurs in a manner that is hidden to the user – there’s no prompts, no notifications, no need for special permissions.
“The user can actually be told the app doesn’t want any special permissions at all, which most people would think makes it relatively safe. But once Fake ID is installed it’s ‘game over’ instantly.”
Dr Steven Murdoch, a security expert at the University of Cambridge’s computer laboratory, agreed this was a serious flaw. But he added that most device owners should still be able to avoid being affected.
“Google will be looking for people who are exploiting this vulnerability in applications being distributed through its own Google Play store,” he said.
“So, if that’s the only place that you get apps from, you are in a relatively good position.
“But if you download applications from other sources you will be putting yourself at risk.”
A spokeswoman from Google confirmed that the company had scanned all the applications in its own store as well as some of those elsewhere.
“We have seen no evidence of attempted exploitation of this vulnerability,” she added.
BlueBox is releasing an Android app of its own that will check whether the host device has been patched.
T-Mobile undercuts AT&T on 4-line, 10GB family plan
Ben Fox Rubin @benfoxrubin
Just last month, T-Mobile started offering its customers more streaming music. Now — just in time for the back-to-school shopping season — the wireless carrier is following up with more data.
The company said starting Wednesday, customers can sign up for its four-line Simple Choice plan at $100 per month and get more than twice the high-speed data as before. It’s now offering 10 gigabytes of 4G LTE data — 2.5GB for each line — up from just 1GB per line of high-speed data before.
The move represents yet another shot across the bow to T-Mobile’s larger competitors, as the company continues to stay aggressive on pricing. Similar four-line plans with 10GB of high-speed data from rivals Verizon and AT&T cost $160. A difference between the plans, though, is that all 10GB are shared across the four lines in the Verizon and AT&T plans, while each T-Mobile line is portioned 2.5GB.
In a blog post introducing the promotion, T-Mobile CEO John Legere took the opportunity to take shots at AT&T, as he’s done repeatedly before, saying it “infuriates” him that his rival is selling its plan for $60 more to “hardworking families who could use that money for more important things.”
AT&T spokesman Mark Siegel said his company declined to comment about the post.
The promotion could help T-Mobile continue to capture more customers, especially amid the school-shopping frenzy. The carrier, the fourth-largest in the nation by subscriber base, has been aggressively working to increase its customer base through a handful of offers, such as paying for customers’ early termination fees to get out of their cell phone contracts with rival carriers.
Facebook too big to fail? Three warnings from Myspace
Paul Armstrong @paul__armstrong
Ten years ago I joined Myspace at its HQ in Beverly Hills. It was a pivotal time for the social network, just as they were being bought by Newscorp and during a key growth period for what at the time was a media and tech darling.
The downfall of Myspace has been comprehensively documented and comparisons with Facebook can become stretched; the two companies are, and always have been, inherently different. Myspace was a pure media brand (hence the interest from Newscorp) and in today’s marketplace Myspace would be considered more as a competitor to Pandora or Spotify than Facebook.
As a rule, Facebook pushes away from content whereas Myspace devoured it. Facebook is more of a tool than Myspace ever was. Both had similar features but at its core Myspace was about self-expression. Facebook invests heavily in technology, Myspace didn’t (and much has been written about the part this played in its downfall).
But once you stop looking at both companies purely as social networks and consider the ways in which Facebook is similarly vulnerable, it becomes clear how it could fail in the same way – or even more spectacularly – as Myspace.
Here are three warnings for Facebook:
Don’t be overly focused on advertising
At its heart, Myspace was never really built as an advertising platform, but at one point it began ignoring the user and focused on the advertising, which frustrated people internally and externally (but certainly made some of those involved very rich indeed).
Facebook on the other hand grew up on ads and no one can deny that, when it comes to making ads pay, Facebook has been successful where others have not. The site recently announced that more than 60% of its $2.9bn (£1.7bn) is generated from mobile advertising. Facebook can’t rest on its laurels but it can pay more attention to the newsfeed and projects such as its Flipboard-esque Paper (still to launch in the UK) – projects that help the user understand and order information and the world around them.
Stop keeping your users dumb
All social networks are pretty bad at helping users make full use of their platform’s functionality. Beyond simple click tutorials, the user usually gets one shot before they are back to what they originally came to do. Educating users about how to use the site and not be used by it (including understanding why and what elements, such as privacy settings, have changed) appears to be secondary because it is against the platform’s direct commercial interests.
In essence, it’s a “keep them dumb and keep them hungry” strategy. It would be remiss of me not to mention that there are early signs of this being heeded, with app uncoupling and Facebook’s implementation of an app constellation strategy, which provides different apps for services instead of trying to combine properties within a single app.
However, Facebook (and it is not alone) has a “feature dumb” and light-use user base. Instead of the resource it could be, it could be argued Facebook is simply a receptacle for watercooler moments. Is this the vision Facebook has for itself?
Don’t lose sight of the fundamentals
Myspace lost its way and tried to be many things in a short space of time. I believe this is the greatest risk to Facebook today. Acquiring Oculus Rift? Altering news feeds as a psychological assessment to see if it could make people feel bad about their lives? Myspace never had such dreams but they abandoned developing (fixing in some cases) core features in favour of new products like Myspace Karaoke and Myspace Email.
Facebook would benefit from having a state-of-the-nation type event to address its intentions in a way that creates a baseline for the future. By sharing these intentions with an increasingly anxious user base (the youth demographic is leaving), sniping media and the unsure marketers responsible for pumping ad dollars into its coffers to pay for it all it could be a pivotal moment for Facebook.
So is Facebook too big to fail?
History tells us that no, it isn’t. However, there has never been an entity like Facebook before, playing a pivotal role in the lives of its 829 million daily users. Despite recent breaches of trust, ongoing social experiments and the continuing debates about public and private boundaries, Facebook continues to provide products and services its users love.
My concern for Facebook is that if it stays on its current “push them gently and see how far we can go” path we will get to a place where we (its users) lose more than we gain. I suspect it will take reaching this precipice before the question can be answered whether Facebook is too big to fail.
Samsung indefinitely delays the release of its first Tizen smartphone
Kif Leswing
Samsung’s homegrown Tizen operating system has suffered yet another setback: On Monday, Samsung Electronics said that it is delaying sales of the Samsung Z in Russia. No new release date was announced.
Tizen, a Samsung-developed operating system based on MeeGo, has been installed on cameras and smartwatches, but has yet to make it onto a smartphone. Earlier this year, a Tizen launch was nixed in Japan after carriers pulled out, and a Tizen developer’s conference in Russia where the Samsung Z was set to be launched was cancelled after attendees learned there were no production devices at the event. Samsung said it will “continue to actively work with Tizen Association members to further develop both Tizen OS and the Tizen ecosystem.”
Samsung is the world leader in smartphone sales, but the vast majority of those devices run Android, and the development of Tizen and its app store is seen as a defensive move meant to limit Samsung’s reliance on Google. According to Samsung, Tizen is eventually going to run on televisions and appliances, in addition to mobile devices.
Fresh off a disappointing quarter which saw smartphone and tablet sales miss expectations, Samsung faces a fresh batch of challenges in the difficult mobile computer market: low-end Android devices from Chinese companies such as Huawei and Xiaomi are cutting into Samsung’s sales, and its display and microprocessor divisions, which supply smartphone components for the mobile division, are feeling trickle-down effects. Assuming developers embrace the operating system and develop apps for it, Tizen should be a welcome differentiator and bulwark against generic Android smartphones, if a device running it ever goes on sale.
New photo app is all Selfies, all the time
STEVE DENT @STEVETDENT
We know what you’re thinking, but a new app called Selfies is actually kind of fun, considering that it’s a barely-promoted one-off from Automattic (the company responsible for WordPress). It told TechCrunch that Selfies was in development for eight weeks or so as part of the Gravatar universal avatar app before it became a separate thing. Trying the app showed that its basic-ness is part of the kick, since it let us post our own pic right after logging on. (We also found it to be a little rough around the edges with a few crashes.) Right now, there’s just a single public feed showing every photo, but the company has plans to filter the best content soon. You can try it now for yourself, but only on Android — the company narrowly picked that platform to launch it first thanks to a user poll.
Amazon is giving Prime users video credit for choosing slower shipping
Brittany Hillen
Amazon has given its Prime subscribers a new perk, and it comes in the form of slower shipping. What’s the benefit of choosing the slower free shipping option? A $1 Amazon Instant Video Credit, potentially shaving down the costs of that series you plan to binge-watch in the future.
The change was spotted by the folks at BetaBeat, who say they saw the feature appear last night on a book order. As you can see in the screenshot, the slower shipping option is below “standard” shipping and quite a bit slower than two-day shipping. Called No-Rush shipping, it looks like buyers would be waiting a solid week or so to get their package.
The move appears to be an effort in getting subscribers to use Amazon Instant Video, though that explanation isn’t an official one. Amazon doesn’t appear to have made any sort of official reveal for the new option as of yet.
A $1 video credit would typically be enough to pay for half a television episode, so the frugal folks among us who don’t mind exercising their patience can get a free episode with two orders on No-Rush Shipping.