Android Vulnerabilities and Exploits in the Wild!

Android garden

Time to Do what?

When I was researching this on the web I didn’t expect to find so much stuff, but I do think IOS has more vulnerabilities then Android but it isn’t as bad as Apple IOS problems!

I am not going to talk about all of them but just a few that have peaked my interest!

The ‘Master Key’ Exploit

A simple but yet easy way to fool your Operating System and gain more access than it should.  The name doesn’t mean they actually have the master key to your device.   It is using what all Android devices use in the APK.  The MANIFEST.MF, which if done right, will have two more copies in the APK (Zip file).   When the Android OS installs this APK it will use the the last MANIFEST.MF and thus it can gain more access than you once thought.   Be able to communicate with a server  or copy your contacts.   I’ve pretty much come to the conclusion that 3rd party apps are dangerous now and I will not use anything but Google or Maybe even Amazon US app store!  

The ‘Webview’ JAVA Exploit

If you don’t use JAVA you will need to consider disabling it in Android.  While this one is a little more trickier and harder to avoid if you use Java, you best bet is to install Dolphine Browser, FireFox, and/or Chrome.   Then install a java an Addon or and Extension that does not allow Java to be used unless you specify.   This exploit can send SMS, or send out emails from you to spam your friends and family.   So this is one that you must start worrying about to a point.

The ‘Scarevertising’ Exploit

This last one I have seen become very prevalent and thus you should be on the lookout for this!   They claim in either a push notification or in some kind of inside application banner that basically tries to scare you into thinking you have a virus.   I’m not sure which advertising networks are being used but you can bet this will be a constant problem.   Some rules of thumb are install only from the Google App Store and never install any third party apps, which some call side along install.  

If your worried and you want to protect your Android Device, here are a few free applications that will help and hopefully keep you safe:

The last thing I can say is there are more than 100 different anti virus apps out there but it all depends on the end user (you) to know and trust vendors who are reputable and you can trust.   If you don’t know the Anti virus Company than maybe they shouldn’t be used.   I do hope I have helped you find what your looking for and we will discuss more in the future on Android Exploits!

 

Why using the Reverse Pin number won’t work!

Seems to circulating around!

I got this email about this and wanted to clarify something about this and I wasn’t sure if this was a hoax or not.    Wikipedia is not helping this myth if it is but I will talk about the reasons why it won’t work and explain to you in detail the reasons!

Privacy!

In the Privacy Act of 1974, No business or organization can release personal information about you without your direct consent or without a court order.   Although this isn’t strictly followed by all Online business or organization.   In order for ANY ATM To disclose your location of the ATM you are at or even your financial information would be against the Privacy Act!

Terms of Service would be need to updated!

All banks would have to change their TOS just to cover their butts in case something would go wrong.  You would see bank after bank making sure you knew about the changes in their services when it comes to ATMS!  This would be one of the requirements to be able to do this!   

The Algorithm!

Let’s face it if this software was available, it would be a screaming security nitemare!  Every bank uses their own Algorithm and HASH in association with each account.   In order for an ATM to give out money from any institution it would be required to provide the currect security code which would be the PIN code.   So the bank would have to create both front door passcode(PIN NUMBER) and a back door passcord(Reverse pin number) to access your personal information and also what money you have on your account.   This two PIN approach would make your account much easier to hack and or guess your pin, if implemented!  Since the ATM would not know which pin is correct until it connected with the bank server, it would not know if the pin entered is correct or reversed until the bank granted access and thus it would be impossible to implement this!!

Safety and Such!

It would just cause more problems than it is worth.   Just think if you had to put in your pin in reverse wouldn’t it be more trouble and possibly cause more violence than it would solve.   I know I have ADHD and I wouldn’t be able to do it very easily.   If the robber wants the money he will get impatient and maybe even hurt the victim even more.   This is why it will never be implemented because in the long run.   It doesn’t stop violence or death it just is more inconvenience than anything.   Think about how long it would be before the police actually got to that ATM.  On average it takes 20 mins just where I live and I know the robber won’t stay their very long if at all!  Once he gets what he wants, your either dead or very lucky!   Just some stuff to think about!

Paul Sylvester

Windows update is getting a revision!

[ad#ad2-right]According to Computer World, dated Oct 31, 2008 and I’ll quote:

“Over the next couple of months, we’ll be rolling out another infrastructure update to the Windows Update agent (client code),” said an unidentified Microsoft employee on the Windows Update team’s official blog. “This update makes it possible for users to install more than 80 updates at the same time.”

[via Computer World]

Now if your like me and have several computers who need to be updated at a given schedule, you sometimes worry about these updates that come along that might just break your system. I have been using a program call Offline Updater, which does what Autopatcher does really nicely. So why is Microsoft sending out this patch? Two reasons, one they want you to be able to update your operating System without hurting your system integrity.

Now lets talk about the integrity of having to reboot your system. You see, every time you reboot the system, it causes the system hardware some strain.  It is something like having starting up a car, sooner or later you will have the starter go out, because of to much start up.

[ad#ad2-left]Second reason for this is, basically the update software needs to be update yet again for any security flaws or features that might be exploitable.  I am sure there are some and Microsoft probably knows about that we do not.   So that is the second reason, which it is the most obvious reason yet to push out another revision of the Windows update.

What about stopping the update from effecting your system.  The only way that I know of is to prevent Windows from checking for updates.  Which is simple:

Windows XP Version:

[Category View and Classic View]

<Start> / Control Panel / Security / Click Windows Updates

For Windows Vista:

<Orb> / Control Panel/ Security Center/ Windows Update / click “change Settings”

With both ways, you will be able to control four ways to handle Windows updating and they are:

  • Automatic Will download all necessary updates and install them without your permission or knowledge.  Note some of the updates will automatically reboot your system.  Most commonly they are set to do this every day in the 12am to 4 am period of time.   So when you wake up you would see an log in screen.
  • [ad#ad2-right]

  • Download updates but let me choice which ones to install and when –  This is most commonly used by people who don’t want to bother having to check manually.  It will check and download, then it will let you know.

  • Check for updates but don’t Download them –  This is like the previous one but this will only tell you.  The rest of the decision is in your hands not the computer.  This is good for people who have limited system resources, like Hard drive space.  It still reminds you like the previous one but won’t download any updates.

  • Never check for updates –  This is used for people who don’t want to be bothered with updates and have a way to update manually.  This is commonly used by businesses who have several systems on and don’t want to risk an update causing trouble or weigh down the companies internet by downloading updates un-necessarily.   This option is not to be messed with because it leaves your system with quite a lot of vulnerabilities.  You do this one if you have a set schedule to update each and everyone system. (Extremely Dangerous to do)

With what I talked about, I am hoping you find this useful and to share your discoveries with other people who might want to be able to change how Windows updates are handled on other systems.  If you have comments or questions, please post them in the comment section and someone will be more than glad to help you out.