Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. Like the first, this attack exploits a bug in the signature verification step, allowing a seemingly innocent APK to carry a potentially dangerous payload; and as with its predecessor, Google has already patched the flaw and committed the fix to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly an individual) calling itself the Android Security Squad.
While most Android users are waiting on updates that might patch some of the recently reported security holes, CyanogenMod is already getting a bug fix update out the door. CyanogenMod 10.1.1 is now hitting the stable channel for all supported devices.
The Master Key exploit will be presented by Jeff Forristal at Black Hat 2013 as "One Root To Own Them All." It's essentially a bug in signature verification which can be used to insert malicious code into an APK.
Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten). Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins of which we should be afraid. Back in February, one such monster was discovered lurking about: a flaw that allowed modified APKs to be installed on your device while successfully sidestepping the cryptographic signature meant to prevent that very thing.
After a few months of testing, Sony has announced that its my Xperia service will be hitting all regions in the next few weeks. This system will provide remote management of 2012 and 2013 Xperia devices. Smartphones are expensive; it's nice of Sony to help you keep track of them.
Once it is deployed in your country, my Xperia will come in the form of a new app that can be enabled in settings.
We don't need no NSA up in our business, right? CyanogenMod recently added the Privacy Guard feature to nightlies to protect user data from sketchy apps, but the next innovation might go deeper than that. Koushik Dutta (Koush) has started development of a secure messaging platform for CyanogenMod devices.
Koush expressed his admiration for the elegance of iMessage in his post, and he wants to do the same for CyanogenMod. To that end, Koush has built an encrypted open source push messaging plugin for CM that would stand in for regular SMS.
Have you ever refused to install an app because it wants too many permissions? Yeah, a lot of people have, and we don't blame them. A little too much trust can lead to stolen information, mysterious charges on your cellular bill, or worse. Thanks to developer M66B, we've got a simple way to lock down potentially misbehaving software. His new mod, XPrivacy, can block several types of activities and queries, despite the permissions granted at installation.
Most people make do with a PIN or pattern lock to secure their Android devices. If you need something a little stronger (or just want to feel like Ethan Hunt), EyeVerify has just released the beta version of an app that uses honest-to-goodness eye scans. Eyeprint takes a photo of your face, then matches the pattern of blood vessels on your eyeballs to a previous photo to unlock protected apps. The beta is extremely limited: none of my devices show as compatible on the Play Store.
Google has quietly rolled out two new features in account settings that give you a quick overview of everything going on with your account security. The security dashboard shows all your important security settings, and the recent activity page tracks account sign-in history. These features could potentially help users track down suspicious behavior in a snap.
The security dashboard tells you how long ago you changed your password, what your account recovery options are, how you receive notifications, 2-step verification status, and lists your connected apps.
If you're paranoid about losing both your smartphone and your tablet... well, you probably shouldn't be carrying both in an area where either is likely to get stolen. But if you do, and feel like you need an extra layer of protection, McAfee is here to indulge your fear. Smart Perimeter Plus (in the Security Innovations app) links your Android phone and tablet, then sets off an alarm if either is separated from the shared WiFi network.
There may be many ways to root an Android phone, but there's allegedly one root to rule them all. At this year's Black Hat USA 2013 conference, security researcher Jeff Forristal will detail how to gain system access and control on nearly any Android device. The bug was disclosed back in February, and Google presumably has worked to patch the vulnerability in the months since, so don't get too excited.