Every year, Defcon brings about some new concepts, hacks, vulnerabilities, and other digital tomfoolery. Sometimes it's all in good fun, but other times it's all too scary, which happens to be the case with a new class of Android malware that could allow for phishing attacks and pop-up ads alike.
Thanks to a design flaw in Android, there is a "feature" that allows an application to steal focus and pull itself into the foreground, bypassing the notification system entirely.
Well, that was pretty fast, actually. The DROID Incredible 2 has successfully been unlocked by AlphaRev - that means 100% rooted and (soon) ROM-ready. Instructions and a download will follow soon - so hold tight, we'll keep you updated on this one.
If you've been watching the blogosphere over the last few days, you might have seen an article or two about a "complaint" filed with the FCC over Verizon's block on tethering applications in the Android Market.
The complainant's argument goes something like this: Verizon purchased the 700MHz spectrum ("block C" of the spectrum) back in 2007, and that spectrum is now used by Verizon for its 4G LTE service. That purchase, à la Google and other net neutrality lobbyists, came with one seemingly large caveat: Verizon (or AT&T, or anyone who bought in that spectrum) could not "deny, limit, or restrict" the phones using that spectrum in particular ways: phones must be carrier unlocked, able to access all parts of the web, and run any software.
Update: If you've somehow inexplicably ended up at this article, please note, HTC has since announced the 3D will be unlocked (at some point) and their future policy is to have unlocked bootloaders on all devices.
It seems HTC has finally caved to what are likely the security demands of wireless carriers with its newest phones, and is locking down its handsets Moto-style. Latest case in point: the EVO 3D - which sports the same sort of security we found on the Sensation earlier this month.
Well, that's the easy part done. The DROID X2 has been rooted, huzzah! The device was found to be vulnerable to one of the known root exploits out there (Gingerbreak) - apparently Moto couldn't be bothered to patch up the hole (the fix has been backported to 2.2 from AOSP, according to our own Justin Case.) This hasn't been fully confirmed yet, but it seems plausible, given that all previous Motorola Froyo builds have been susceptible to this exploit.
Well, that only took one media firestorm. Google, in response to widespread reports of a potential credential security hole in Android (which not only affects Android, but any OS using authTokens), is starting to roll out a fix for the public Wi-Fi vulnerability to all affected Android devices today. Google's statement, below:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.
Regardless of where you sit in the tech world, there is one thing that affects us all: security vulnerabilities. Unfortunately, our little green robot is no exception to this rule, and The Register recently dropped a report on a potentially bad exploit.
Apparently, in Android 2.3.3 and below, there is a vulnerability that would allow attackers to collect digital tokens that are stored on the device after users log in to Google Calendar, Facebook, Twitter, and "several other accounts."
Here's how it works: when you log in to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle.
Well, that was fast. It hasn't been very long since the vold exploit was found that allowed root access to Gingerbread and Honeycomb systems, but Google has already patched it and moved the fix into the AOSP code. This means that once this update is pushed, we will need to find another route to achieve root access on devices running Gingerbread and Honeycomb.
Skype released an update to its Android app this morning, remedying the vulnerability which exposed tons of personal info that we revealed last week. Our own Justin Case, who originally found the issue, has taken a look at the updated version of the app and confirmed that the exploit he developed to demonstrate the vulnerability no longer functions.
Specifically, Skype has changed the permissions of the databases (which contain the personal information) in question.
Update #1: Skype is investigating the issue, we've been told.
Update #2: Skype's official first response can be found here.
The safety of our personal information is often a concern of mine - who has my email address, my phone number, my date of birth? How can I keep my private information safe while still enjoying the internet? These concerns have prompted me to take a deeper look at Android apps more than once, and often this can yield some frightening information.