Thanks to our two-dozen (or so) previous book giveaways, you probably now know how to develop for Android. If so, it's probably time to kick your game up to the next level by mastering application security. Luckily for you, O'Reilly Media recently published a new book on the topic, titled "Application Security for the Android Platform: Processes, Permissions, and Other Safeguards." Written by Jeff Six, the book is a concise (112 page) treatise on the subject.
Users of the popular VoIP app Vopium (here's the older version with many more installs) may want to put all usage of the app on indefinite hiatus, at least for the time being. It was recently discovered that the app sends basically all of the sensitive information, including username, password, device IMEI, geolocation, and contact list in plaintext.
After doing some of our own analysis, we discovered that the password is also stored in the app's settings in plaintext (rather than with at least basic encryption or as an auth token; thanks for doing the legwork here, jcase).
We know, we told you our holiday giveaway series would feature some of our largest contests to date. And it did - we gave away over a dozen tablets and nearly as many phones to our readers. But we thought we'd start the new year off with our biggest giveaway yet (an international one, to boot) - 10 Samsung Galaxy Nexus smartphones, courtesy of our amazingly generous friends at AVAST Software.
After getting a glimpse of Avast's new mobile security solution a few weeks ago, I just had to dive in and give the app a full review. Avast Mobile Security, the long-awaited marriage of Avast and IT Agents' Theft Aware (see our review), certainly doesn't disappoint. It has an insane number of features, all of which appear to work perfectly, and it sounds like things will only be improving with time.
And did I mention the full-featured, root-enhanced app is completely free with no paid version in sight? That includes the previously paid features (Theft Aware used to cost 10 EUR).
Check out this handy feature matrix:
And this video, which provides us with a quick overview of just a few of Avast's capabilities:
At A Glance
Avast Mobile Security is stunning not only in terms of functionality, but also in its design and usability.
According to Verizon's system update documentation, owners of big red's Samsung Galaxy Tab 10.1 can expect a software update any time now. While it isn't the Ice Cream Sandwich users are undoubtedly craving, the update (bringing system software to I905-EL01) offers quite a few interesting features.
Among these are improvements to Samsung's Touchwiz UX, a new Social Hub widget, built-in photo editing capabilities, and The Daily – a news app that allows users to "access the best of print, web, and broadcast news from around the world."
The update also brings Bluetooth 3.0 compatibility, additional support for more Wi-Fi routers, DivX, security patches, enhancements to TouchWiz's music and video players, and built-in support for "industry standard VPN clients." There's no word yet on just when the update will be available, but we'll be here to keep you updated.
Avast has just launched its Mobile Security app for Android, integrating the pure power of Theft Aware (see our review) with some amazing new features. If you remember, Avast swallowed up ITAgents, the small company behind Theft Aware, back in September and promised to integrate it with its upcoming software. Even in its beta state, Avast's Mobile Security looks to be a very strong contender among the dozens of other security apps floating around in the Android Market. I dare say it has the potential to overshadow just about all of the apps in our Mobile Security App Shootout.
You might remember mention of a new AT&T service called Toggle last month, a service which promised to allow enterprise users to access corporate email, calendars and contacts securely from whatever Android device they choose to purchase, while separately maintaining their personal data. AT&T's official Toggle app hit the Android Market today, heralding the beginning of the service, and bringing hugely useful functionality to enterprise users concerned with keeping their business and personal activities separate.
AT&T Toggle essentially allows users to operate in two different modes on a single device: a personal mode, which acts just like your stock device, and a business mode, which allows access to corporate email, calendars etc.
Amid the turmoil surrounding Carrier IQ, the company's VP of Marketing, Andrew Coward, has come forward in a series of interviews with a few clarifications.
For those not in the loop, the controversy around Carrier IQ is based on developer Trevor Eckhart's findings which indicated that Carrier IQ's software was indeed collecting a vast array of information, and his demonstration showing that said data could be read using a simple command – one that could be executed by any malicious app with access to logcat. This data includes location information, SMS messages, and key taps.
Before we dive into Coward's remarks on the issue of security (and why he says CIQ is not to be blamed for insecure logs), it's important to look at how CIQ actually functions on a device.
According to a group of computer scientists at North Carolina State University, a vulnerability exists within many Android devices that would allow hackers (or malicious apps) to bypass the permissions request process and tap into audio and location, wipe apps and data, or send unauthorized SMS messages, all without the user knowing.
This news may sound a bit sensational, but the researchers have created and tested a dummy app which effectively demonstrates the exploit:
Among the eight phones tested with the researchers' diagnostic app (Woodpecker), HTC's Evo 4G seemed to be the most vulnerable, "leaking" eight different capabilities to the dummy app even though the user had never explicitly granted it the corresponding permissions.
Trevor Eckhart, a developer involved in uncovering a huge security vulnerability that affected several HTC devices, was recently threatened by Carrier IQ (CIQ), a company involved in gathering various forms of user data and sending it to carriers or manufacturers for analysis. For those who haven't been following the story, here's what happened:
Trevor Eckhart found several training manuals on CIQ's website. These were publicly available. Trevor shared them with the community, explaining just how far-reaching CIQ's data collection practices are. At this point, CIQ became aware of the fact that sensitive information had been exposed, and pulled the files from their website.