
Posts Tagged ‘Android security’

Four Must-Have Android Settings, From a Security Expert

February 23, 2012

Google announced last week that it had located the latest security flaw in Google Wallet, through which a determined thief could root one’s non-rooted device ex post facto and retrieve the Google Wallet prepaid card. That was partly true. The technical issue still remains, even if Google Wallet itself is safer.

To recap the Google Wallet brouhaha this month: first, researcher Joshua Rubin from zvelo revealed a quick, simple brute force technique to extract the Google Wallet PIN from a rooted phone. That requires some skill, but the next day The Smartphone Champ revealed that even on a non-rooted Nexus smartphone with Google Wallet, a thief can steal your Google Wallet prepaid card by simply wiping the Google Wallet settings and attaching the app to a new Google account. Finally, Rubin reported how a thief can root one’s non-rooted phone ex post facto and steal the Google Wallet funds. This works because gaining root privileges does not remove all the data on one’s Android device, and Google prepaid cards are stored on the device, not in one’s Google Wallet account.

Google responded to Rubin’s discovery by suspending new prepaid cards on Sunday. The corporation began re-issuing Google Wallet prepaid cards on Tuesday, claiming that it had fixed the problem. But as a spokesman told Neil Rubenking, Google’s “fix” was to require users to contact Google Support to re-activate a Google Wallet account. So yes, the technical issue still remains.

Rubin, who discovered the latest hack and told us how one might get past the lock screen to perform the root exploit, offered four easy ways to tighten the security settings on your Android device. Not only do we urge anyone using Google Wallet to do this, but any Android user concerned about securing the data on his device should make sure the following Settings are turned on:

1. Enable Lock Screens: Under Settings\Security. Enable Face Unlock, Pattern, PIN, and Password to increase the physical security of the device. Slide doesn’t do much.

2. Disable USB Debugging: Under Settings\USB debugging. When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.

3. Enable Full Disk Encryption: Under Settings\Security. This will prevent even USB Debugging from bypassing the lock screen.

4. Keep Device Up-To-Date: Ensure the device is current with the latest official software. Unfortunately, users are largely at the mercy of their carrier and cell phone manufacturer for this, but when you are finally prompted to upgrade your operating system, do so. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.

Bonus: Stick to official app stores. This is far less likely, but an attacker can also discover your PIN lock (which is necessary for him to root your phone) if you accidentally install a malicious app that records your personal data, including PIN. Most malicious apps are distributed through shady Chinese/Russian app stores; to be on the safe side stick to the Android Market, GetJar, and the Amazon App Store.

And always read through app permissions, as malicious apps typically make unusual requests. Most mobile security apps, like McAfee Mobile, Lookout Mobile, and F-Secure Mobile Security, come with an app auditing feature to help you keep tabs on permission requests.
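The four settings above can also be checked from an app running on the device. The following is an added example, not code from the article or from Rubin; it uses current Android framework APIs (API 26 or later, so not the 2012-era devices discussed here), and the class name, method name and patch-age threshold are assumptions.

```java
// Added example: on-device audit of the four settings listed in this post.
// DeviceHardeningAudit, audit() and maxPatchAgeDays are hypothetical names.
import android.app.KeyguardManager;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.os.Build;
import android.provider.Settings;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.List;

public final class DeviceHardeningAudit {
    private DeviceHardeningAudit() {}

    /** Returns one finding per setting that is not in its hardened state. */
    public static List<String> audit(Context ctx, long maxPatchAgeDays) {
        List<String> findings = new ArrayList<>();
        // 1. Lock screen: true only for pattern, PIN or password, not Slide/None.
        KeyguardManager km = ctx.getSystemService(KeyguardManager.class);
        if (km == null || !km.isDeviceSecure())
            findings.add("1: no secure lock screen is set");
        // 3. Encryption, read before item 2 because it changes item 2's impact.
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        int enc = (dpm == null) ? DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED
                                : dpm.getStorageEncryptionStatus();
        // ACTIVE_DEFAULT_KEY means encrypted, but not with a user-set credential.
        boolean encrypted = enc == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE
                || enc == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER;
        if (!encrypted)
            findings.add("3: encryption not active with a user key (status " + enc + ")");
        // 2. USB debugging: per the post, it exposes data past the lock screen
        //    unless encryption is also enabled.
        boolean adbOn = Settings.Global.getInt(ctx.getContentResolver(),
                Settings.Global.ADB_ENABLED, 0) != 0;
        if (adbOn)
            findings.add(encrypted ? "2: USB debugging is enabled"
                    : "2: USB debugging is enabled and storage is not encrypted");
        // 4. Updates: age of the reported security patch level (YYYY-MM-DD).
        try {
            LocalDate patch = LocalDate.parse(Build.VERSION.SECURITY_PATCH);
            long age = ChronoUnit.DAYS.between(patch, LocalDate.now());
            if (age > maxPatchAgeDays)
                findings.add("4: security patch level is " + age + " days old");
        } catch (DateTimeParseException e) {
            findings.add("4: unreadable patch level: " + Build.VERSION.SECURITY_PATCH);
        }
        return findings;
    }
}
```

An empty list means all four settings are in the state the post recommends; call it with an application `Context` and a patch-age limit that matches your own update policy.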


Researchers Find That Not All Androids Are Equally Secure

December 1, 2011

 

Researchers at North Carolina State University (NCSU) have published a paper which details differences in Android security across eight models.

According to the results, only three phones “properly” enforced Android’s permission-based security model.

The finding is that Google’s Nexus One and Nexus S phones with baseline Android configurations, as well as the Motorola Droid, “were basically clean”. Yet the pre-installed applications added by the manufacturers and carriers pose a considerable risk of successful malicious attack on phones, says Xuxian Jiang, an assistant professor of computer science at NCSU and co-author of a paper describing the research.

HTC’s Legend, EVO 4G and Wildfire S, Motorola’s Droid X and Samsung’s Epic 4G showed “significant vulnerabilities”.  The EVO 4G was the most vulnerable phone with eight leaked permissions in the test. The Legend and the Wildfire had six leaks each, followed by the Wildfire and Droid X with four leaks each.

Jiang also reported:

“Some of these pre-loaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages. The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential ‘backdoors’ that can be used to give third-parties direct access to personal information or other phone features.”

The researchers said that they notified the software vendors of the discovered vulnerabilities prior to the release of the report, and recommended that users keep up with security updates from software vendors to protect themselves from attacks.

 

Source: tomsguide