Android Vulnerabilities and Exploits in the Wild!


Time to Do what?

When I was researching this on the web I didn't expect to find so much stuff, but I do think iOS has more vulnerabilities than Android, though it isn't as bad as Apple's iOS problems!

I am not going to talk about all of them, just a few that have piqued my interest!

The ‘Master Key’ Exploit

A simple but effective way to fool the operating system and gain more access than an app should have. The name doesn't mean an attacker actually holds a master key to your device. It abuses the APK format itself: an APK is a ZIP file, and the "Master Key" bug (reported by Bluebox Security in 2013) was that Android's signature verifier and its installer resolved duplicate ZIP entry names differently. An attacker takes a legitimately signed APK and appends a second entry with the same name as a signed file, typically classes.dex, the app's code. The copy that gets checked against the signature is the original, so the package still looks validly signed, but the copy that ends up installed is the attacker's, running with every permission the original app was granted: talking to a remote server, copying your contacts, and so on. I've pretty much come to the conclusion that third-party apps are dangerous now, and I will not use anything but Google's or maybe even the Amazon US app store!
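The duplicate-entry trick is easy to check for yourself. The following is an added example, not code from the original post: it builds a constructed APK-like zip in which classes.dex appears twice, lists the duplicated names from the central directory, shows both payloads stored under that name, and shows which one a name-keyed reader hands back. The manifest entry is a stand-in and nothing here is actually signed.

```python
"""Check an APK (a zip file) for duplicate entry names, the condition the
'Master Key' bug relied on.  Added example, not code from the original post."""
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(duplicate: bool = True) -> bytes:
    """Constructed sample: a minimal zip, optionally with classes.dex stored twice.
    The second copy is what an attacker would append; META-INF/MANIFEST.MF is a
    stand-in and is not a real signature."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names but still writes them
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", b"dex\n035\x00 original, signed code")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00 attacker's replacement")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Names that occur more than once in the central directory, mapped to their count.
    A legitimate APK should return an empty dict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_payloads(apk_bytes: bytes, name: str) -> list:
    """Every payload stored under `name`, in central-directory order.
    Opening by ZipInfo (not by name) reaches each copy individually."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]


def default_lookup(apk_bytes: bytes, name: str) -> bytes:
    """What a name-keyed reader returns.  Python's zipfile keeps the LAST entry per
    name; Android's verifier and installer each had their own rule, and they
    disagreed, which is the whole bug."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    apk = build_sample_apk()
    print("duplicated names:", duplicate_entries(apk))
    for i, payload in enumerate(entry_payloads(apk, "classes.dex")):
        print(f"classes.dex copy {i}: {payload!r}")
    print("name lookup returns:", default_lookup(apk, "classes.dex"))
```

Any non-empty result from duplicate_entries() on a real APK is reason enough to reject it before installing; there is no legitimate reason for a package to carry two entries with the same path.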

The ‘WebView’ JavaScript Exploit

Despite the name this is about JavaScript, not the Java runtime, and it lives inside apps rather than in the browser. Android apps embed web content with a WebView, and many expose a Java object to the page's JavaScript through addJavascriptInterface(), usually so an ad SDK or a hybrid app can call back into the app. On Android versions before 4.2 (API level 17) every public method of that object, including getClass(), was reachable from JavaScript, so a script could use reflection to run arbitrary code with the app's own permissions. Since the content is often ads fetched over plain HTTP, anyone who can tamper with that traffic, for example on open Wi-Fi, can inject the script. Android 4.2 limited the bridge to methods annotated with @JavascriptInterface, but only for apps that target API 17 or later, so older apps remained exposed. Disabling JavaScript in Chrome, Firefox or Dolphin does nothing here, because the vulnerable WebView belongs to some other app; the practical defences are keeping Android and your apps updated and avoiding ad-supported apps on untrusted networks, and for developers, annotating bridge methods, targeting API 17 or later, and loading bridge-enabled WebViews only over HTTPS. An app exploited this way can do anything its permissions allow, such as sending SMS or emails in your name to spam your friends and family, so this is one you must worry about to a point.
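A first triage of an APK for this problem only needs the dex string table: does the code reference addJavascriptInterface, and does it reference the @JavascriptInterface annotation type at all? The following is an added example, not code from the original post. It builds a constructed classes.dex (a valid dex header plus a string table and nothing else, which is all the check reads), wraps it in a zip, and runs the check. The annotation being present is necessary but not sufficient, since it only takes effect when the app targets API 17 or later, and reading targetSdkVersion from the binary AndroidManifest.xml is not done here.

```python
"""Triage an APK for the WebView JavaScript-bridge weakness by reading the dex
string table.  Added example, not from the original post; the sample dex is constructed."""
import io
import re
import struct
import zipfile

BRIDGE_METHOD = "addJavascriptInterface"
ANNOTATION = "Landroid/webkit/JavascriptInterface;"  # the API-17 opt-in annotation
DEX_HEADER_SIZE = 0x70


def uleb128(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_uleb128(buf: bytes, pos: int):
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def build_dex(strings) -> bytes:
    """Minimal dex: header, string_ids table, string data (ASCII only, so MUTF-8 == UTF-8)."""
    ids_off = DEX_HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, data_off + len(data))   # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)         # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)              # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)  # string_ids_size, string_ids_off
    struct.pack_into("<II", header, 0x68, len(data), data_off)    # data_size, data_off
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + ids + bytes(data)


def dex_strings(dex: bytes) -> list:
    """Walk string_ids -> string_data_item and return every string in the table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)  # MUTF-8 never contains a raw NUL byte
        out.append(dex[pos:end].decode("utf-8", "replace"))
    return out


def build_sample_apk(annotated: bool) -> bytes:
    """Constructed APK holding only a classes.dex whose string table mentions the bridge."""
    strings = ["Landroid/webkit/WebView;", BRIDGE_METHOD, "Lcom/example/ads/Bridge;", "run"]
    if annotated:
        strings.append(ANNOTATION)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", build_dex(strings))
    return buf.getvalue()


def triage(apk_bytes: bytes) -> dict:
    """Collect strings from every classes*.dex and flag bridge use without the annotation."""
    strings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if re.fullmatch(r"classes\d*\.dex", info.filename):
                strings.update(dex_strings(zf.read(info.filename)))
    uses_bridge = BRIDGE_METHOD in strings
    annotation_seen = ANNOTATION in strings
    # The annotation only protects apps targeting API 17+; that needs the binary
    # AndroidManifest.xml parsed, which this check does not do, so treat any hit as a lead.
    return {"uses_bridge": uses_bridge, "annotation_seen": annotation_seen,
            "needs_review": uses_bridge and not annotation_seen}


if __name__ == "__main__":
    print("unannotated:", triage(build_sample_apk(annotated=False)))
    print("annotated:  ", triage(build_sample_apk(annotated=True)))
```

Point triage() at a real APK's bytes and a needs_review of True means the app hands a Java object to web content without the API-17 opt-in; what that object can reach then has to be read from the code itself.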

The ‘Scarevertising’ Exploit

This last one I have seen become very prevalent, so you should be on the lookout for it! They claim, either in a push notification or in some kind of in-app banner, that you have a virus, basically trying to scare you into installing something. I'm not sure which advertising networks are being used, but you can bet this will be a constant problem. Some rules of thumb: install only from the Google Play Store, and never install apps from unknown sources, which some call sideloading.

If you're worried and you want to protect your Android device, here are a few free applications that will help and hopefully keep you safe:

The last thing I can say is that there are more than 100 different antivirus apps out there, but it all depends on the end user (you) knowing and trusting vendors who are reputable. If you don't know the antivirus company, then maybe it shouldn't be used. I do hope I have helped you find what you're looking for, and we will discuss more in the future on Android exploits!


Yet Another Android Scarevertising!


Androidsecurityfree.org

These are on the Rise!

I've seen more and more of this in the last few weeks. One blogger, on barfooin.net, talked about TuneIn and their advertising practices. This one, however, came from Defrag+, and the advertising was simple yet to some very scary: "Virus Detected! Remove Now!" with a little animated bar, as if it were actually doing something. This form of advertising should not be allowed, and you should not install it!

The story behind installing this app was a very simple one. My Acer tablet was starting to get unresponsive, and I wanted to see if the internal memory needed to be cleared and rearranged. I guess I could have bought the $10 version, but if they are going to allow this type of advertising in their app, then I guess it doesn't really do anything else.

Third Party Advertising!

I should say this isn't a big problem right now, but I can see that if you did your research to find me, and you probably did, you will see that there isn't any real information out there about this and others like androidantivirusfree(dot)org, which is one of the few that I've actually documented and talked about in the past!

I don't know which advertiser networks are allowing this sort of thing, but I am sure sooner or later someone will start giving these people a mess of problems, and they will see that they need to fix it.

Push Notifications problems!

It definitely seems that this little app wants to advertise every chance it gets, and it kind of seems the publisher is money hungry. So I am unsure how trustworthy this app is and how much I want to keep it on my Android device. No wonder he is charging $10 for the pro version of this app. Oh well, I am going to delete this app and figure out how to fix the problem without paying for apps like this one and others. I am sure there is a simple solution to the problem, but first I will go through and remove some of the apps that I don't use anymore, for starters, and see where that leads me!



Library administrators just don’t get it and that just bugs me!

Blocking Proxpm

At the Library!

You head to your favorite library and decide you want to protect yourself from all those snooping people who like to watch what you do. The problem is you have an unprotected, unencrypted network. You try as you might to get a VPN set up, and you just can't connect. So you try to find other VPNs that would work, and you're instantly blocked. They've installed Websense on their servers to prevent people from using a VPN.

Not all VPNS are bad!

When I found this out, I was really irked by them preventing me from visiting such websites. I suspect they are worried someone will use a VPN to visit porn sites or research something bad. It wouldn't be so bad if they would allow people to use a VPN, or ones they trust, but this is a blanket attempt to prevent people from using them.

Ways they can help people with security!

If they want to prevent this and still monitor traffic, that is also fine with me; I understand this. I just don't feel comfortable using public Wi-Fi without some privacy protection. What if someone gets my credit card while I am using their public Wi-Fi? Would they be liable? More than likely they have some clause to prevent this.

All they would have to do is make all open Wi-Fi spots encrypted, with a way for guests to log in. They wouldn't need a different password for every person logging in; a simple guest password would be a start, and it would stop a casual passer-by from reading transmissions over the air. It would not stop everything, though: with a shared WPA2 passphrase, anyone who knows the passphrase and captures your connection's handshake can still decrypt your traffic, so per-user credentials (WPA2-Enterprise), or HTTPS and a VPN, are still needed against another patron on the same network. Libraries probably won't do this, but I am asking that they look into this problem and come up with a solution to help us security-minded people. If they do nothing, then nothing will be solved.

Paul Sylvester 


Why using the reverse PIN number won't work!

Seems to be circulating around!

I got an email about this and wanted to clarify something, as I wasn't sure whether it was a hoax or not. Wikipedia is not helping this myth, if it is one, but I will talk about the reasons why it won't work and explain them to you in detail!

Privacy!

Privacy law is the first hurdle. The Privacy Act of 1974 that usually gets cited here governs records held by US federal agencies; banks are covered by financial privacy rules instead, such as the Gramm-Leach-Bliley Act, which limit what they may release about you without your consent or a legal basis (although these rules are not strictly followed by every online business or organization). A reverse-PIN alarm would have the bank automatically disclose to the police that you are at a particular ATM, withdrawing money, every time the duress code was entered, and that kind of automatic disclosure of your location and financial activity would need explicit customer consent or a legal basis before any bank would do it.

Terms of service would need to be updated!

All banks would have to change their terms of service just to cover themselves in case something went wrong. You would see bank after bank making sure you knew about the changes in their services when it comes to ATMs! This would be one of the requirements for being able to do this.

The Algorithm!

Let's face it, if this software were available it would be a screaming security nightmare! The ATM never checks your PIN itself: it encrypts the PIN you type into a PIN block and sends it across the network to your own bank, whose host compares it against a verification value stored for your account. Each issuer runs its own verification, which is why the ATM cannot tell a correct PIN from a wrong one until the bank answers. For a reverse-PIN alarm to work, every issuer would have to accept two codes per account, the PIN and its reversal, and every network between the ATM and the bank would have to carry a "duress" flag back to the machine and on to the police. Accepting two codes also makes your account easier to guess: a random guess now succeeds twice as often, and PINs that read the same backwards (1221, 7777) cannot signal duress at all. So it is not strictly impossible to build, but it would require changing PIN verification at every bank and every interbank network, which is why it has not happened.
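The issuer-side view of this is easy to write down, and doing so makes the doubling of accepted codes and the palindrome problem concrete. The following is an added example, not part of the original post: the stored verification value is an HMAC stand-in for the PVV and offset schemes real issuers use, and the key and card number are made up. It verifies a PIN the way an issuer host would, bolts on the reverse-PIN duress check, then brute-forces every four-digit code to count how many the scheme accepts per account.

```python
"""Issuer-side PIN verification with a reverse-PIN 'duress' code bolted on.
Added example, not from the original post; HMAC stands in for a real PVV scheme."""
import hashlib
import hmac

ISSUER_KEY = b"constructed issuer PIN-verification key"  # assumption: lives only at the issuer


def pin_verification_value(pan: str, pin: str, key: bytes = ISSUER_KEY) -> str:
    """What the issuer stores for an account; the PIN itself is never kept."""
    return hmac.new(key, f"{pan}:{pin}".encode(), hashlib.sha256).hexdigest()


def verify_pin(pan: str, entered: str, stored: str) -> bool:
    """Ordinary verification: one PIN per account, constant-time compare."""
    return hmac.compare_digest(pin_verification_value(pan, entered), stored)


def verify_with_duress(pan: str, entered: str, stored: str) -> str:
    """How every issuer would have to handle a reverse-PIN alarm.  Returns
    'accepted', 'duress' or 'rejected'.  The ATM learns nothing until this
    answer comes back; it cannot tell a PIN from its reverse on its own."""
    if verify_pin(pan, entered, stored):
        return "accepted"
    reverse = entered[::-1]
    if reverse != entered and verify_pin(pan, reverse, stored):
        return "duress"
    return "rejected"


def accepted_codes(pan: str, stored: str, digits: int = 4) -> list:
    """Brute-force every PIN of the given length against the stored value, counting
    both forward and reversed readings as the duress scheme must.  Two hits for a
    normal PIN, one for a palindrome: the guess space effectively halves."""
    hits = []
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        if verify_with_duress(pan, code, stored) != "rejected":
            hits.append(code)
    return hits


def palindromic_pins(digits: int = 4) -> int:
    """PINs that read the same backwards; these can never signal duress."""
    return sum(1 for n in range(10 ** digits)
               if f"{n:0{digits}d}" == f"{n:0{digits}d}"[::-1])


if __name__ == "__main__":
    pan = "4000000000000002"  # constructed test card number
    for pin in ("1234", "1221"):
        stored = pin_verification_value(pan, pin)
        print(f"PIN {pin}: forward -> {verify_with_duress(pan, pin, stored)}, "
              f"reversed -> {verify_with_duress(pan, pin[::-1], stored)}, "
              f"codes accepted: {accepted_codes(pan, stored)}")
    print("4-digit palindromes:", palindromic_pins())
```

Run it and the two sides of the argument show up directly: the 1234 account now accepts both 1234 and 4321, while the 1221 account still accepts only one code and has no way to raise the alarm, which is the case for 100 of the 10,000 possible four-digit PINs.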

Safety and Such!

It would just cause more problems than it is worth. Just think: if you had to put in your PIN in reverse, wouldn't it be more trouble, and possibly cause more violence than it would solve? I know I have ADHD, and I wouldn't be able to do it very easily. If the robber wants the money, he will get impatient and maybe even hurt the victim more. This is why it will never be implemented: in the long run it doesn't stop violence or death; it is just more of an inconvenience than anything. Think about how long it would be before the police actually got to that ATM. On average it takes 20 minutes just where I live, and I know the robber won't stay there very long, if at all! Once he gets what he wants, you're either dead or very lucky! Just some stuff to think about!

Paul Sylvester

Why companies don’t consider Security and how to decode a Barcode!

Weak Security is NO security!

I have been working with a company for the last few months, and I must say their security is weak, to say the least. They use barcodes to establish who employees are and what jobs they are doing. It seems simple enough to some, but to me they are just asking for problems. These days most people at work have access to some kind of smartphone, whether Android or iOS; each has its own problems, but I am not here to talk about those. The point is that either one can scan a barcode and decode it in seconds, and a barcode is only an identifier: it carries no secret, so whoever can read it can reproduce it.

How to decode a Barcode!

If you're looking to decode a barcode on Android, I can help. Here are a few that I've found to work really well with any and all barcodes you might need to read:

  • Google Goggles — This app for Android is so interesting that I have installed it on my phone just to see what the world would be like if we had this on Google Glass, which I suspect is coming soon!
  • Barcode Scanner by ZXing Team — A good little app for those of you who just want to see what the code says. It handles 1D, 2D and QR codes. This is also a really useful app for those of you who want to see what the barcode at work really says about you!
  • Barcode Scanner by TACOTY CN — Another one that does basically what the others do; it can decode any barcode you might have, to see what it really says about you.
  • Scan by Scan, Inc. — A good tool for reading barcodes. I really can't say much more than that, because they all do basically the same thing: 1D, 2D and QR codes. Works really well though!
  • ClearImage Free Online Barcode Reader / Decoder — Although this isn't an Android app, it can be very useful for anyone who has a camera and would like to decode a barcode this way. No need for a smartphone; any camera that takes digital pictures will do.

The Problem!

The company I am contracted with thinks this is convenient and probably even thinks no one will abuse it. I hate to think who might use this to gain personal information about another worker or even get them fired. It isn't hard to imagine that someone may go so far as to use someone else's barcode just to get them in trouble: a barcode photographed off a badge or a job sheet can be reprinted or shown on a phone screen, and the scanner cannot tell the copy from the original. So why use barcodes for identity in business? This is a constant problem that needs to be fixed ASAP; any business that does this might want to consider changing to something a little more secure, such as a second factor alongside the badge. In the coming weeks I'll probably talk about this in more detail, but until I fix the problems with this company I can't go into much more.
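To make the weakness concrete, here is the static badge beside a less fragile alternative. This is an added example, not code from the original post or from the company described; the signing key, employee IDs and 60-second step are made up for illustration. The static badge is just the employee ID, so anything that can read it (any of the apps above) has everything needed to reproduce it. The alternative puts a time counter and a truncated HMAC into the code, so the scanner's back end can reject anything older than a minute or two and anything whose ID was altered.

```python
"""A static ID barcode beside a replay-resistant alternative.  Added example, not from
the original post; the key, employee IDs and time step are made up for illustration."""
import hashlib
import hmac
import time

VERIFIER_KEY = b"constructed badge-signing key"  # assumption: known only to the scanner back end
STEP_SECONDS = 60      # how often a badge code changes
MAC_HEX_CHARS = 16     # 64-bit truncated tag; short enough to fit a 1D barcode


def static_badge(employee_id: str) -> str:
    """What a plain ID barcode encodes: the identifier and nothing else.  Anyone who
    reads it can print or display an identical copy that scans forever."""
    return employee_id


def _tag(employee_id: str, counter: int, key: bytes) -> str:
    msg = f"{employee_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:MAC_HEX_CHARS]


def issue_badge_code(employee_id: str, now: float, key: bytes = VERIFIER_KEY) -> str:
    """Code for a badge app to render as a barcode: ID, time counter, truncated HMAC.
    It changes every STEP_SECONDS, so a photographed copy stops working."""
    counter = int(now // STEP_SECONDS)
    return f"{employee_id}|{counter}|{_tag(employee_id, counter, key)}"


def verify_badge_code(code: str, now: float, key: bytes = VERIFIER_KEY, skew_steps: int = 1):
    """Scanner back end: returns the employee ID if the code is genuine and current,
    else None.  Checks freshness first so expired codes never reach the MAC compare."""
    parts = code.split("|")
    if len(parts) != 3:
        return None
    employee_id, counter_str, tag = parts
    if not counter_str.isdigit():
        return None
    counter = int(counter_str)
    if abs(int(now // STEP_SECONDS) - counter) > skew_steps:
        return None  # expired or from the future: a replayed photo lands here
    if not hmac.compare_digest(_tag(employee_id, counter, key), tag):
        return None  # altered ID or forged tag
    return employee_id


if __name__ == "__main__":
    now = time.time()
    print("static badge scans as:", static_badge("E1042"))
    code = issue_badge_code("E1042", now)
    print("rotating code:", code)
    print("scan now:", verify_badge_code(code, now))
    print("scan ten minutes later:", verify_badge_code(code, now + 600))
    print("scan with ID swapped:", verify_badge_code("E9999" + code[code.index("|"):], now))
```

The rotating code narrows the replay window to a minute or two rather than removing it; a copy taken and used within that window still scans, so for anything that matters (time clock, access to other workers' records) the code should be paired with a second factor rather than relied on alone.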

Paul Sylvester