There's some disturbing news today on the Android security front: a vulnerability has been discovered for Samsung's Exynos 4-powered devices. While the related exploit is useful for the mod scene in that it can be harnessed to gain superuser permissions and root pretty much any device running on an Exynos 4 chip, it's also got some rather disturbing implications. According to an XDA member with the handle "alephzain", who developed the exploit, using this security hole can also grant an app access to all physical memory on a given device - basically, anything stored in RAM is fair game.
While there is no shortage of security apps on the Play Store, aeGis stands out a bit for a few reasons. For starters, it's dead simple to use. Set up a specific trigger phrase and you can text your phone to lock the display, remotely wipe, find the address of, or sound an alarm from your phone. There's no web interface, unfortunately, but this app trades the elaborate suite of services of something like Avast for simplicity.
Google has been on an update roll lately, with Voice, YouTube, Google+, Calendar, and Music all getting updates in the last week. I've been dutifully doing teardowns on all of them, but there have been no hidden goodies, and thus, no articles. There was a Play Store update this weekend, however, and that does have some interesting, new stuff in it, so we're back!
Google+ App Reviews
Android is quickly becoming the Google+ OS.
The Nexus 4 retail software update is out! Previously, all Nexus 4s were running pre-release software, which was missing a few things. I reviewed the Nexus 4 as best I could with the beta software, but I wanted to update it once I had a few days to play with the final build.
Now that the final software is out, I've updated my review, and, to save people that have already read it from digging through 6000 words looking for updates, I'm putting all the new info in this article, too.
We knew that Android 4.2 would see the introduction of new security features both on your device and in the Play Store, but Computerworld got a chance to speak with Android's VP of Engineering, Hiroshi Lockheimer, about the platform's beefed-up security measures, specifically Android's new real-time app scanning utility.
The scanner builds on the functionality of the Play Store's existing security features by bringing app-scanning security to the frontend, scanning incoming apps from third-party sources (including apps like Amazon's App Store).
We've got an LG Nexus system dump and endless desire to spoil every Googley surprise we can. Today's edition of the Android 4.2 Teardown could be alternatively subtitled "The Super-Serious Security Edition," because we're talking about the sort of stuff that should make your sysadmin jump for joy.
Please keep in mind this is just as forward-facing and time-ambiguous as all my other teardowns. This is a list of new stuff in the 4.2 dump, not a list of "confirmed for 4.2" features.
The last time we heard from Lockitron, the company was trying to sell a $300 smart deadbolt lock that you could open with NFC. This time Lockitron is taking a different, less expensive approach. The new device is mounted on top of your existing deadbolt, allowing you to control it without buying and installing a whole new lock. The product isn't quite ready to ship, but the company has a handy video demo ready to go.
Several weeks ago, Dropbox suffered a small security breach that gave wrong-doers access to a few unlucky users' email addresses. On the good side, it also brought the vulnerability to the Dropbox staff's attention. Since then, they've been working hard to beef up security, and today, they introduced two-step verification.
Much like Google's two-factor authentication, once enabled this requires you to log in using two different sets of verification: your password and a unique identifier sent in either a text message or generated locally on the device using the authenticator app (which you have the option to get via QR during the setup process).
Piracy is a major issue for Android, and even more so for Android developers, which is why Jelly Bean introduced App Encryption. But this may be a case of the cure being worse than the disease: hundreds of developers of paid apps have chimed in on a Google Code thread, claiming that the encryption (or more accurately, the location of installed and encrypted apps from the Google Play Store) makes their apps entirely unusable, as account information and other stored data are removed after a device reboot.
If you're serious about security on your Android phone or tablet, you probably know that the Face Unlock feature introduced in Ice Cream Sandwich is a long way from secure. While Google didn't make any claims to the contrary, it looks like the extra "Liveness check" (which requires the user to blink after the initial scan) is almost as susceptible. A group of YouTube users demonstrated how to get past the check with a photo taken off of Facebook and just a few minutes of Photoshopping.