Bitcoin is still emerging as an online currency, and that means issues are sure to pop up in the way it's implemented. This time there's an Android-specific problem. It turns out there's a weakness in the way Android generates random secure numbers (the Java SecureRandom class), which most Bitcoin apps use to create wallet IDs. That means an attacker could possibly figure out your wallet key and swipe your digital cash.
How much would you pay for an Android security suite that may occasionally be of use? Maybe $1.99? $4.99? How about $149.00? No? Well, that's what Kaspersky Lab is currently asking for its Mobile Security app in Google Play. Got a lot of cash to burn and very little common sense? Kaspersky Tablet Security is only $199.00. What?
See, the apps for phones and tablets used to cost $4.95 and $9.95, respectively.
Today's Twitter update has a keen focus on security. Back in May, the company introduced an SMS-based two-factor authentication system for signing into the service. Now login requests can be be verified using just the mobile app. Users can sign into Twitter and enjoy the extra security of two-factor authentication without having to provide a phone number or worry about cell reception. The app also generates backup codes just in case your phone isn't available when you want to sign in later on.
Remember when Google's app verification and malware scanning service debuted with Android 4.2? No? Well, that's probably because statistically speaking, you're likely to be one of the 95% of Android users rocking 4.1 or earlier. To help address this, it looks like Google has moved the Verify Apps system to Google Play Services, which at this point should be installed on all Google Play Store-equipped Android devices running Gingerbread or higher.
Samsung announced this spring that security app LoJack would soon be built into the Galaxy S4. The necessary firmware arrived on most North American variants of the S4 in recent weeks, and now the service is live to take advantage of it. LoJack can be activated on your Galaxy S4 today for $29.99 per year. In return for your money you get phone tracking, remote wipe, and recovery assistance.
The LoJack app is built into the firmware of the device, making it persistent through factory resets (but probably not ROM flashes).
If you're having reception issues or dropped calls at your home or office, Verizon Wireless (and other carriers) might recommend you pick up a femtocell. This is a small device that plugs into your router and acts like a miniature cell tower. However, a pair of security researchers have revealed how they managed to use that same device to snoop on phone calls and other communications.
A few weeks ago the "Master Key" APK verification vulnerability rocked the Android security landscape... then immediately stopped rocking it, once Google revealed that they had patched the vulnerability months ago. Still, that's little comfort to users who aren't on a brand-new 4.2 phone (or, you know, a Nexus device that gets real updates). CyanogenMod has responded by patching all of its official ROMs (twice), and now noted security firm Duo has teamed up with Northeastern University's SecLab to do the same for all Android rooted users, regardless of their device.
Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein was posted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release.
Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. This attack also sidesteps a bug in the signature verification step and allows seemingly innocent APKs to include a potentially dangerous payload; and like its brethren, Google has already patched the flaw and posted it to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly individual) calling itself the Android Security Squad.
While most Android users are waiting on updaters that might patch some of the recently reported security holes, CyanogenMod is already getting a bug fix update out the door. CyanogenMod 10.1.1 is now hitting the stable channel for all supported devices.
The Master Key exploit will be presented by Jeff Forristal at Black Hat 2013 as "One Root To Own Them All." It's essentially a bug in signature verification which can be used to insert malicious code into an APK.