Described by the Wall Street Journal as "a vulnerability that could allow malicious software to track emails and record data communications," a potential vulnerability in Samsung's Knox platform was discovered in late December by researchers at Israel's Ben-Gurion University. The researchers said the vulnerability would allow those with malicious intent to "easily intercept" secure data from Knox users. Samsung's initial response was that the problem may be less serious than researchers implied, and that it would investigate the situation thoroughly.
Even casual observers of the Android ecosystem know that piracy is a big issue for developers. But if a report from mobile security company Arxan is to be believed, app piracy and "hacking" is incredibly prevalent, or at least prevalent enough that most of the popular apps are available in a pirated or cracked form. According to the company's "State of Security in the App Economy" report for 2013 (PDF link), the top 100 paid Android apps have been "hacked."
We used "cracked" in the headline because Arxan doesn't mention the purpose behind these hacks, so we're assuming that in most cases they're free, pirated versions of paid apps.
You probably see that "Display images below" button in Gmail all the time on both mobile and desktop. This is the default behavior because it makes it harder for spammers and advertisers to track you. However, Google says it has prepared a workaround that mitigates the security concern and will allow it to show those images by default.
The CyanogenMod team has been working on a secure messaging component for the popular ROM in recent months, and the time has come for some real world testing. The new encrypted WhisperPush messaging system is being rolled out to CyanogenMod 10.2 nightlies for compatibility and server load testing. If all goes as planned, it will reach the CM11 branch soon.
CyanogenMod's secure messaging is an implementation of TextSecure, a cross-platform encrypted SMS platform maintained by Open WhisperSystems.
Back in October, Google announced a rewards program that would give financial incentives for "down-to-earth, proactive improvements" to security across third-party open-source projects that Google deems "vital to the health of the entire Internet."
Starting with core infrastructure services, Chrome foundations and other "high impact libraries," Google vowed to expand the program soon. Today, in an entry to the official security blog, Google announced that the program has been expanded in scope to include open-source bits of Android, found in AOSP, and several other projects.
An XDA member recently unveiled serious vulnerabilities in all three root packages used to gain superuser access on devices. The developers have been contacted, and the two active projects are working to address the issues. If you're running an older version, you might want to get on the update train.
According to cernekee on XDA, the vulnerabilities allow for a malicious app to obtain root access without going through the proper channels.
There's a new Google Play Services app in town, and it includes all kinds of goodies for developers. But there's a nasty surprise waiting inside Google Play Services 4.0, at least for users on some devices: it may have disabled the Android Device Manager's permission to act as a Device Administrator. That permission is what lets users remotely lock and wipe the device from the web, so affected users may not realize those features no longer work.
Yet another facet of KitKat worth pointing out today is the addition of new security enhancements to the OS. Security is one area that's frequently sensationalized with Android - it seems that every few days a scare story about Android malware creeps onto my Google News page. Google is eliminating security complaints (and potential complaints) one at a time, though, and has made a few key enhancements this time around.
First among them is a change to SELinux.
According to Google, less than one hundredth of a percent of apps out there are both malicious and capable of evading the built-in defenses in both Android and the Google Play Store. But if you really feel like you need a defense from that one-in-100,000 app, a trusted name in software protection has just entered the fray. Malwarebytes, makers of the popular eponymous Windows software, is now offering its services on Android.