A few weeks ago the "Master Key" APK verification vulnerability rocked the Android security landscape... then immediately stopped rocking it, once Google revealed that they had patched the vulnerability months ago. Still, that's little comfort to users who aren't on a brand-new 4.2 phone (or, you know, a Nexus device that gets real updates). CyanogenMod has responded by patching all of its official ROMs (twice), and now noted security firm Duo has teamed up with Northeastern University's SecLab to do the same for all Android rooted users, regardless of their device.
Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein was posted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release.
Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. This attack also sidesteps a bug in the signature verification step and allows seemingly innocent APKs to include a potentially dangerous payload; and like its brethren, Google has already patched the flaw and posted it to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly individual) calling itself the Android Security Squad.
While most Android users are waiting on updaters that might patch some of the recently reported security holes, CyanogenMod is already getting a bug fix update out the door. CyanogenMod 10.1.1 is now hitting the stable channel for all supported devices.
The Master Key exploit will be presented by Jeff Forristal at Black Hat 2013 as "One Root To Own Them All." It's essentially a bug in signature verification which can be used to insert malicious code into an APK.
Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten.) Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins for which we should be afraid. Back in February, one such monster was discovered lurking about that allowed modified APKs to be installed on your device while successfully side-stepping the cryptographic signature used to prevent that very thing.
After a few months of testing, Sony has announced its my Xperia service will be hitting all regions in the next few weeks. This system will provide remote management of 2012 and 2013 Xperia devices. Smartphones are expensive – it's nice of Sony to help you keep track of it.
Once it is deployed in your country, my Xperia will come in the form of a new app that can be enabled in settings.
We don't need no NSA up is our business, right? CyanogenMod recently added the Privacy Guard feature to nightlies to protect user data from sketchy apps, but the next innovation might go deeper than that. Koushik Dutta (Koush) has started development of a secure messaging platform for CyanogenMod devices.
Koush expressed his admiration for the elegance of iMessage in his post, and he wants to do the same for CyanogenMod. To that end, Koush has built an encrypted open source push messaging plugin for CM that would stand in for regular SMS.
Have you ever refused to install an app because it wants too many permissions? Yeah, a lot of people have, and we don't blame them. A little too much trust can lead to stolen information, mysterious charges on your cellular bill, or worse. Thanks to developer M66B, we've got a simple way to lock down potentially misbehaving software. His new mod, XPrivacy, can block several types of activities and queries, despite the permissions granted at installation.
Most people make do with a PIN or pattern lock to secure their Android devices. If you need something a little stronger (or just want to feel like Ethan Hunt) EyeVerify has just released the beta version of an app that uses honest-to-goodness eye scans. Eyeprint takes a photo of your face, then matches the pattern of blood vessels on your eyeballs to a previous photo to access locked apps. The beta is extremely limited - none of my devices are showing compatible on the Play Store.
Google has quietly rolled out two new features in account settings that give you a quick overview of everything going on with your account security. The security dashboard shows all your important security settings, and the recent activity page tracks account sign-in history. These features could potentially help users track down suspicious behavior in a snap.
The security dashboard tells you how long ago you changed your password, what your account recovery options are, how you receive notifications, 2-step verification status, and lists your connected apps.