You probably see that "Display images below" button in Gmail all the time on both mobile and desktop. This is the default behavior because it makes it harder for spammers and advertisers to track you. However, Google says it has prepared a workaround that mitigates the security concern and will allow it to show those images by default.
The CyanogenMod team has been working on a secure messaging component for the popular ROM in recent months, and the time has come for some real-world testing. The new encrypted WhisperPush messaging system is being rolled out to CyanogenMod 10.2 nightlies for compatibility and server load testing. If all goes as planned, it will reach the CM11 branch soon.
CyanogenMod's secure messaging is an implementation of TextSecure, a cross-platform encrypted SMS platform maintained by Open WhisperSystems.
Back in October, Google announced a rewards program that would give financial incentives for "down-to-earth, proactive improvements" to security across third-party open-source projects that Google deems "vital to the health of the entire Internet."
Starting with core infrastructure services, Chrome foundations and other "high impact libraries," Google vowed to expand the program soon. Today, in an entry to the official security blog, Google announced that the program has been expanded in scope to include open-source bits of Android, found in AOSP, and several other projects.
An XDA member recently unveiled serious vulnerabilities in all three root packages used to gain superuser access on devices. The developers have been contacted, and the two active projects are working to address the issues. If you're running an older version, you might want to get on the update train.
According to cernekee on XDA, the vulnerabilities allow for a malicious app to obtain root access without going through the proper channels.
There's a new Google Play Services app in town, and it includes all kinds of goodies for developers. But there's a nasty surprise waiting inside Google Play Services 4.0, at least for users on some devices: it may have disabled the Android Device Manager's permission to act as a Device Administrator. This is what allows users to access the new remote lock and device wipe features from the web... which some of them might not realize they can no longer do.
Yet another facet of KitKat worth pointing out today is the addition of new security enhancements to the OS. Security is one area that's frequently sensationalized with Android - it seems that every few days a scare story about Android malware creeps onto my Google News page. Google's eliminating security arguments (and possible arguments) one at a time, though, and has made a few key enhancements this time around.
First among them is a change to SELinux.
According to Google, less than one hundredth of a percent of apps out there are both malicious and capable of evading the built-in defenses in both Android and the Google Play Store. But if you really feel like you need a defense from that one-in-100,000 app, a trusted name in software protection has just entered the fray. Malwarebytes, maker of the popular eponymous Windows software, is now offering its services on Android.
You hear a lot of reports about malware and other undesirable third-party apps these days, especially from security researchers (and people who want to sell you something to make you feel safe). It's undeniable that malicious apps are a problem on an open system, but new data from Google indicates that the amount of actual harm being done might be negligible. QZ.com reports on a presentation from Google's Android Security Chief Adrian Ludwig at the Virus Conference in Berlin.
Google will soon roll out changes to Voice intended to prevent unauthorized access to our voicemail inboxes. To access accounts via phone, you will now have to call from a verified forwarding number. If you're calling from a number Google doesn't recognize, you will be prompted to enter a verified number instead. In addition to this, PIN codes can now be up to 10 digits long. These changes will take effect starting on the first day of October, and anyone who signs in via a web browser should receive a notification giving them a heads-up.