#FakeID flaw in Android leaves millions of phones vulnerable since 2010. #Android #Security #JTB

If you are an Android user you need to read this.

Bluebox reports this today:

 

Every Android application has its own unique identity, typically inherited from the corporate developer’s identity. The Bluebox Security research team, Bluebox Labs, recently discovered a new vulnerability in Android, which allows these identities to be copied and used for nefarious purposes.

 

Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.

Implications:

This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014. All devices prior to Android 4.4 (“KitKat”) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the app’s data, and being able to do anything the app is allowed to do. Android 4.4 is specifically immune due to a change in the webview component (the switch from webkit to Chromium moved away from the vulnerable Adobe-centric plugin code).

Users of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware. The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices – and are susceptible to the vulnerability as well.

Other devices and applications that depend upon the presence of specific signatures to authenticate an application may also be vulnerable. Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability.

How it works:

Android applications are typically cryptographically signed by a single identity, via the use of a PKI identity certificate. The use of identity certificates to sign and verify data is commonplace on the Internet, particularly for HTTPS/SSL use in web browsers. As part of the PKI standard, an identity certificate can have a relationship with another identity certificate: a parent certificate (“issuer”) can be used to verify the child certificate. Again, this is how HTTPS/SSL works – a specific web site SSL certificate may be issued by a certificate authority such as Symantec/Verisign. The web site SSL certificate will be “issued” by Verisign, and Verisign’s digital identity certificate will be included with the website certificate. Effectively, the web browser trusts any certificate issued by Verisign through cryptographic proof that a web site SSL certificate was issued by Verisign.

Android applications use the same certificate signature concepts as SSL, including full support for certificates that are issued by other issuing parties (commonly referred to as a “certificate chain”). On an Android system, the digital certificate(s) used to sign an Android application become the application’s literal package “signature”, which is accessible to other applications via normal application meta-data APIs (such as those in PackageManager).

Application signatures play an important role in the Android security model. An application’s signature establishes who can update the application, what applications can share its data, etc. Certain permissions, used to gate access to functionality, are only usable by applications that have the same signature as the permission creator. More interestingly, very specific signatures are given special privileges in certain cases. For example, an application bearing the signature (i.e. the digital certificate identity) of Adobe Systems is allowed to act as a webview plugin of all other applications, presumably to support the Adobe Flash plugin. In another example, the application with the signature specified by the device’s nfc_access.xml file (usually the signature of the Google Wallet application) is allowed to access the NFC SE hardware. Both of these special signature privileges are hard coded into the Android base code (AOSP). On specific devices, applications with the signature of the device manufacturer, or trusted third parties, are allowed to access the vendor-specific device administration (MDM) extensions that allow for silent management, configuration, and control of the device.

Overall, this is an appropriate use of digital signatures in a system that supports the notion of PKI digital certificate identities. However, Bluebox Labs discovered a vulnerability that has been relatively present in all Android versions since Android 2.1, which undermines the validity of the signature system and breaks the PKI fundamental operation. The Android package installer makes no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim (normally done by verifying the issuer signature of the child certificate against the public certificate of the issuer). For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (which explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.

The problem is further compounded by the fact that multiple signers can sign an Android application (as long as each signer signs all the same application pieces). This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities to escape the sandbox, access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provided to the user of the device.

For the PKI & code savvy, you can see for yourself in the createChain() and findCert() functions of the AOSP JarUtils class – there is a conspicuous absence of cryptographic verification of any issuer cert claims, instead defaulting to simple subjectDN to issuerDN string matching.  An example of the Adobe Systems hardcoded certificate is in the AOSP webkit PluginManager class.
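The gap between DN string matching and verifying the issuer's signature, shown as an added example (not Bluebox's or AOSP's code): a simplified Python model in which the certificates, the names `Cert`, `issuer_by_dn`, `issuer_verified` and `chain`, and the toy textbook-RSA keys are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy textbook-RSA key as (n, d); for illustration only, not real signing."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass
class Cert:
    subject: str
    issuer: str
    n: int        # subject's public modulus
    sig: int = 0  # signature over tbs(), made with the signer's private key
    def tbs(self):
        data = f"{self.subject}|{self.issuer}|{self.n}".encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(cert, key):
    n, d = key
    cert.sig = pow(cert.tbs() % n, d, n)
    return cert

def issuer_by_dn(cert, pool):
    """Lookup as the text describes it: issuerDN equals subjectDN, nothing more."""
    return next((c for c in pool if c.subject == cert.issuer), None)

def issuer_verified(cert, pool):
    """Same lookup, but the candidate's public key must also verify cert.sig."""
    return next((c for c in pool if c.subject == cert.issuer
                 and pow(cert.sig, E, c.n) == cert.tbs() % c.n), None)

def chain(cert, pool, find):
    """Walk up to a self-signed root; None if any link cannot be resolved."""
    out = [cert]
    while out[-1].subject != out[-1].issuer and len(out) <= len(pool):
        parent = find(out[-1], pool)
        if parent is None:
            return None
        out.append(parent)
    return [c.subject for c in out]

# Constructed sample data: Mersenne primes keep the toy keys short to write.
VENDOR_KEY = make_key(2**89 - 1, 2**107 - 1)
OTHER_KEY = make_key(2**61 - 1, 2**127 - 1)
ROOT = sign(Cert("CN=Trusted Vendor", "CN=Trusted Vendor", VENDOR_KEY[0]), VENDOR_KEY)
GENUINE = sign(Cert("CN=Vendor App", "CN=Trusted Vendor", OTHER_KEY[0]), VENDOR_KEY)
UNVOUCHED = sign(Cert("CN=Other App", "CN=Trusted Vendor", OTHER_KEY[0]), OTHER_KEY)
POOL = [ROOT]
```

Both leaves name the same issuer; only the one actually signed with the vendor key survives `issuer_verified`, while `issuer_by_dn` chains both to the vendor root.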

You can download the Bluebox app below; click the image below.

bluebox security

 

SOURCE

You can also follow Bluebox on Twitter for updates.

 

One Plus One walkaround, a look at the packaging and device. #OnePlus #NeverSettle #JTB

We received our One Plus One over the weekend, and here is a quick look at the device and packaging of possibly the most hyped device this year due to its cost. A rather silly invitation system is one way of getting your hands on one now, which we bypassed; either that or you can check online for people selling invites or the device itself. It may be costly now due to availability, but this will level off over time, as with any new release, when production ramps up. This was kind of similar to how Jolla started out, if you remember it, the device running Sailfish.

 

Myself and many did not like how this launched via invites and basically a lottery to get one, but this seems to have turned out in their favour; people are going crazy to get this device. Personally I thought how it was launched was wrong, especially when it's a new product, but it's turned out well for them, so hats off. Hopefully continued updates and support will thrive, leaving others something to think about.

First thing to notice is the packaging is rather nice: it's solid and robust, does not feel cheap, and it feels premium.

Given the package came in three pieces, we can forgive this due to the high quality of the packaging and how it's presented.

With the One Plus you get a universal adapter and a two-pin plug (remember, this comes from China). You also get a sleek USB cable, much nicer than what is present in today's packaging. The SIM tray key is also presented in a rubber casing, which again is not seen, to be honest.

The back of the device has a rough finish but it's actually nice; it's nice to hold and not slippy like a lot of today's phones. There is a good gripping surface on it and it's not easily marked, though it does show dirt quite well but cleans off easily. It can be a dirt magnet depending on where you leave it.

 

The top of the device gives us the headphone socket and a mic. Also at the top, looking at the device, are the earpiece, front-facing camera, proximity sensor and a notification light; this can be disabled if you wish, as the device is very customisable.

 

 

The bottom of the device gives us dual speakers, which are quite loud; not on par with the HTC M8/816 but good. I'm impressed; they pass the test and there is a decent sound from them. Also at the end is the USB port and another mic.

The back of the device has the camera and flash near the top, and also the One Plus logo embedded into the casing. The camera protrudes a little, so I would advise getting a case. Again, this may take the look off the device and you can't feel how good it is to hold; protecting your purchase is always important from my point of view.

Also we have some company info and the usual standard practice info printed down the end of the device.

The left-hand side of the One Plus has the volume toggle and the SIM tray. The SIM tray is flush with the side panel and the volume toggles are slightly raised; no problems with the buttons at all.

The right-hand side only gives us the power key; that's it, one small button on its own. Some may be used to having the volume toggles on this side, but not here; it's not a problem anyway.

 

 

 

As a size comparison from the left.

HTC 816 – HUAWEI ASCEND Y530 – NOKIA LUMIA 930 – ONE PLUS

 

 

First impressions of the One Plus are quite impressive. Despite its price it gives some high-end droids stiff competition: it's fast and it's powerful, with a good camera and a robust premium build, and without that horrible plastic feel.

 

Multitasking is great; again no problems, and no lag noticed at all.

The screen is great: a 5.5 inch screen with 401 ppi and Corning Gorilla Glass 3. Good camera: 13MP, dual flash with AF.

The battery is 3100 mAh but non-removable; this is becoming the norm, but the power is good, which should be almost standard for a device of this size. There is no SD expansion, which might annoy some, but you get 64GB internal storage.

You can read all about the One Plus One HERE

#BANG by Coloud. A mini portable speaker with a punch. #Coloud #Music #Portable

Today Nokia announced the all-new Nokia Lumia 530 and also a new little accessory to be a companion to the 530 and other handsets: the Coloud BANG portable speaker.

This portable, compact speaker costs only €19 which is a keenly priced extra to have with you on your travels etc.

 

Last year we had the chance to be the first in Ireland to test other products by Coloud: the Coloud BOOM, KNOCK and POP. Overall they were a good product, and we still have and use them today; they are great value-for-money products.

The Bang has enough power to keep the party going. Enjoy up to 8 hours of play back time on a single charge and daisy chain two or more speakers together to make your music sound even better. It’s a powerful portable speaker for a super-affordable price.

 

Make a statement with your favourite colour. Whether it’s bright green or vibrant orange, choose the colour that makes you want to get up and dance. It’s a colourful way to press play. Get a portable speaker that’s ready to go anywhere – Get a Coloud Bang.

Specs

  • Dimensions

    • Width: 75 mm
    • Height: 51 mm
    • Weight: 96 g
    • Cable length: 17 cm
  • Audio

    • Frequency response: 200 – 15 000 Hz
    • Maximum output: 94 dB at 0.5 m
    • Speaker drivers: 40 mm high performance
  • Connectivity

    • AV connectors: 3.5 mm stereo headphone connector
    • Charging connectors: Micro-USB
  • Power

    • Rechargeable battery: Yes
    • Maximum music playback time: 8 h

    For full details check out the Store

     

    Source Nokia Conversations