Starting in Android 4.4, Google implemented verified boot (known as dm-verity) in the Android kernel to prevent malware from hiding in your device. This was all behind the scenes until Android 6.0 Marshmallow—that's when Google started alerting users to system integrity. In Android 7.0, it's going a step further. In Nougat, verified boot will be "strictly enforcing" and won't allow your device to boot if the software has been compromised. Android will also be able to correct errors, but this will cause some headaches for modders.
The Factory images and OTA ZIPs for July 2016 are now available for the full line of supported Nexus hardware (still waiting for the Pixel C). They're a little behind schedule this month, possibly because it was Independence Day in the United States on Monday, or possibly to leave time for some late-breaking security patches that may have been added in the eleventh hour. The Android Security Bulletin covers the list of vulnerabilities addressed with this set of updates, and for the first time it includes two separate lists: one dated July 1st and the other dated July 5th.
Ransomware is one of the nastier types of malicious software to emerge in the last few years. It's not exclusive to mobile, but the basic gist is that it locks down either specific files or an entire machine until the user sends money to a shady, untraceable online account to get their digital life back in order. The combination of easily-exploited security vulnerabilities, relatively small payments spread out over thousands of devices, and users' reliance on their phones or computers has proven incredibly lucrative for malware developers.
The internet is a dangerous place with all sorts of shady people out to get your personal data. One of the best ways to keep your accounts secure is with 2-step verification (AKA 2-factor auth). Google has long supported that feature, but typing in those codes every time you log in can be annoying. Starting today, you can approve account logins from a prompt on your authorized mobile device.
A year ago today Google announced Android Security Rewards, an expansion of its Vulnerability Rewards Program. Find a vulnerability, tell Google about it, help them fix the issue, and take home money. That's the concept, and it's a common one in the tech industry.
Google handed out over half a million bucks to 82 individuals over the past year. This averaged out to $2,200 per reward. Researchers averaged higher payouts, at $6,700. One, @heisecode, received $75,750 for 26 vulnerability reports. 15 researchers received $10,000 or more.
Google started taking security updates much more seriously last year after the Stagefright vulnerability hit. Samsung followed suit, and even launched a monthly security bulletin mirroring Google's. Now, LG has a security bulletin site where it will post updates on vulnerabilities. First up, the May security bulletin, the most recent one Google has published.
Google Street View is awesome. With just a few taps of a button, you can get transported to new countries to explore their streets, landscapes, museums, and more. I remember using it two years ago to get a feel for my hotel's location in London and check the distance between the metro station exit and the hotel. I didn't want to look like a complete tourist upon my arrival for my first vacation in the city.
But Street View has caused lots of security and privacy concerns. Some countries have outright banned Google from driving their streets, others have spent years arguing with Google until they let it start collecting information (like Greece), and others have citizens who asked Google to blur their houses, and so on.
A little earlier today Google posted the Android 6.0.1 security updates for June to the AOSP changelog. Being the responsible Android citizen that it is (well, most of the time), Samsung has immediately followed suit with its own list of code updates. These are the issues that are problems for specific Samsung devices and their related software builds, or at least, the ones that have been addressed since the same security bulletin last month. As usual, they're limited to "major flagship models."
Google will be launching its new Allo chat application in the coming weeks, and with it comes true end-to-end encryption. Open Whisper Systems has announced that its own Signal Protocol is powering the encryption in Allo. It's not on by default, which has sent some privacy purists into a fit, but this is still a very good thing.