Back in October, Google announced a rewards program that would give financial incentives for "down-to-earth, proactive improvements" to security across third-party open-source projects that Google deems "vital to the health of the entire Internet."
Starting with core infrastructure services, Chrome foundations and other "high impact libraries," Google vowed to expand the program soon. Today, in an entry to the official security blog, Google announced that the program has been expanded in scope to include open-source bits of Android, found in AOSP, and several other projects.
We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:
All the open-source components of Android: Android Open Source Project
Widely used web servers: Apache httpd, lighttpd, nginx
Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
Virtual private networking: OpenVPN
Network time: University of Delaware NTPD
Additional core libraries: Mozilla NSS, libxml2
Toolchain security improvements for GCC, binutils, and llvm
According to the patch rewards guidelines, rewards can range from $500 to $3,133.70, with higher rewards going to solutions with unusually high impact or solutions to exceedingly complex issues.
An XDA member recently unveiled serious vulnerabilities in all three root packages used to gain superuser access on devices. The developers have been contacted, and the two active projects are working to address the issues. If you're running an older version, you might want to get on the update train.
According to cernekee on XDA, the vulnerabilities allow for a malicious app to obtain root access without going through the proper channels. You wouldn't see a notification at all – the app could just do its business in secret. Superuser from ChainsDD is no longer in development, but some folks are still using it.
It's a simple fix: just check the version number of your Google Play Services app (it seems to be affecting both 4.0.30 and the slightly newer 4.0.31), then check the Device Administrators section of your Security settings page.
Yet another facet of KitKat worth pointing out today is the addition of new security enhancements to the OS. Security is one area that's frequently sensationalized with Android - it seems that every few days a scare story about Android malware creeps onto my Google News page. Google's eliminating security arguments (and possible arguments) one at a time, though, and has made a few key enhancements this time around.
First among them is a change to SELinux. For those not up to speed, SELinux - introduced in Android 4.2 - is essentially a set of kernel add-ons and tools that confines each piece of software to the bare minimum set of privileges it needs to function properly, and minimizes the damage a malicious program can do by tightly enforcing security policy.
According to Google, less than one hundredth of a percent of apps out there are both malicious and capable of evading the built-in defenses in both Android and the Google Play Store. But if you really feel like you need a defense from that one-in-100,000 app, a trusted name in software protection has just entered the fray. Malwarebytes, makers of the popular eponymous Windows software, is now offering its services on Android.
The anti-malware app works on the familiar and relatively ancient principle of a scanner paired to an updated database of naughty apps. According to the company's press release, the app actively scans for "over 200 malware families" in real-time in both apps and general files.
You hear a lot of reports about malware and other undesirable third-party apps these days, especially from security researchers (and people who want to sell you something to make you feel safe). It's undeniable that malicious apps are a problem on an open system, but new data from Google indicates that the amount of actual harm being done might be negligible. QZ.com reports on a presentation from Google's Android Security Chief Adrian Ludwig at the Virus Conference in Berlin. He estimates that .001% of Android apps are able to get past Google's defenses.
Google will soon roll out changes to Voice intended to prevent unauthorized access to our voicemail inboxes. To access accounts via phone, you will now have to call from a verified forwarding number. If you're calling from a number Google doesn't recognize, you will be prompted to enter a verified number instead. In addition to this, PIN codes can now be up to 10 digits long. These changes will take effect starting on the first day of October, and anyone who signs in via a web browser should receive a notification giving them a heads-up.
If you want to tinker with your phone forwarding or voicemail settings before these changes take effect, here are instructions for doing so straight from Google.
When Google launched the Android Device Manager in early August, I applauded the initiative because we finally got a much-needed security solution that was built into every Android device that ships with Google's services. Rather, it was a good start, since the functionality was so limited: location, remote wipe, and alarm.
For the last two days, I've been digging around the new Google Play Services APK 3.2.64 that started rolling out to Android devices everywhere. If you remember, Google Play Services is the company's secret weapon to combat the lack of device updates, as Google can push new functionality to everyone without the need for OS patches.
These days, it seems like everybody is trying to make Android more secure. As usual, rooting and modding are often casualties of this effort. Just over a month ago Android 4.3 broke the existing model for root, forcing updates to existing methods, and now Samsung is rolling out updated Android 4.2.2 firmwares for the Galaxy S 4 which fully enable the company's heavily secured KNOX environment. Fortunately, Chainfire is already on top of it and has updated his popular root software, SuperSU, to be compatible with the new system.
Samsung has been charging full steam ahead on the movement towards corporate security.
Piper is a nifty little gadget that combines a number of recently deployed technologies to create a connected and hyper-aware home automation hub. The project has been getting a lot of press since it appeared on Indiegogo a couple of weeks ago, and it passed its $100,000 funding goal today. There's another twenty days before the project ends, so the creators won't be wanting for funds.
Piper is essentially a little box that's stuffed with a ton of sensors and WiFi connectivity, making it the hub of a connected house. It functions as a security and monitoring tool first and foremost, thanks to a panning wide-angle webcam and microphone.