Ask anybody who spends time in security circles and they'll tell you that every large software project is bound to have a few long-standing vulnerabilities in the code. Fortunately, there are usually a few people who are paid to close up those holes so you, the customer, don't find yourself the victim of nefarious evildoers someday. Like so many before it, the latest update to Android came with a boatload of changes, at least one of which fixes a potentially dangerous vulnerability that can be used for numerous attacks, including a way to acquire root.
Over the years, Google has been shoring up security on Android in a bid to make the operating system more attractive to governments and businesses, and to reduce the threat of malware for regular users. Unfortunately, these changes often come at the expense of flexibility in our beloved platform. As we close in on the next major release of Android, due to be announced next month, SuperSU developer Chainfire has discovered a set of commits to the Android Open Source Project (AOSP) that may seriously impact some of the functionality currently enjoyed by many root users.
An update is rolling out to the Lookout security app with a new feature tucked away exclusively for premium account holders. This feature is theft alerts. After the alerts have been enabled, Lookout will send phone owners an email automatically when the phone starts engaging in behavior that indicates it could have been stolen. This way you get notified as soon as shenanigans begin, rather than having to manually check for the device's location yourself.
LifeLock is a company that claims it can protect consumers from identity theft, but it found recently that its own apps might be part of the problem. The company bought Lemon Wallet late last year, gaining control of its mobile wallet apps on iOS and Android. Now those apps have been pulled from their respective app stores after concerns over the safety of data stored in them. Oops.
Google has bought Divide, a startup that secures smartphones to make them enterprise-friendly. It uses containers, a concept that should not sound unfamiliar around these parts thanks to the likes of Samsung KNOX. The approach separates a user's personal data from work-related files, effectively isolating them from one another on the same device. Google's purchase could imply a desire to tighten up Android's security out of the box and better attract the interest of enterprise customers.
Google changed the policy for app refunds from 24 hours to 15 minutes a few years ago, but Android users eventually adjusted to it. There is still a less prominent way to seek a refund after the 15-minute window if you have a legitimate gripe – it's tucked away in the Play Store order history. However, at some point recently, Google changed the way these refund requests worked.
The blog iTechTriad posted this as a PSA and a potentially serious bug on April 8th, and we've spent the last several weeks digging for details, eventually confirming it as a new Google policy.
The Android Device Manager might get the basics taken care of, but Cerberus goes a few steps farther. It's a powerful security suite with features like SIM locking, device alarms, remote lock, remote wipe, remote picture taking, and location tracking. It would usually cost you €2.99 (about $4) for a lifetime license, but it's free for the next day in celebration of the app's third birthday.
Cerberus has robust functionality on standard devices, but it can also take advantage of root access to move to the system partition so it persists between device resets.
The Internet has been abuzz over the recently discovered Heartbleed bug. If you're not already familiar, Heartbleed is a vulnerability in the OpenSSL software library that allows an attacker to steal data directly from the memory space of an application and learn the private keys used to keep data securely encrypted as it travels over the Internet. The implications of this kind of leak are certainly severe, and it has everybody rushing to either install updates that fix the bug or implement workarounds to disable it.