In what I am sure was on purpose due to it being Friday the 13th, some mild form of privacy panic has hit the world due to The Guardian's article this morning about a critical backdoor in WhatsApp. It postulates that, due to how encryption keys are handled when a device goes offline and messages are not sent (for whatever reason), WhatsApp or its parent company Facebook can intercept user communications. Meanwhile, Gizmodo has reported that this is not the case — how WhatsApp handles encryption is a feature and works as intended.
Mobile security is a huge issue, but most consumers tend to think that at least a brand new phone is safe. That assumption may be in error, according to security research firm Kryptowire. In a new report, Kryptowire documents the inclusion of software tools collectively called Adups, which allegedly shipped on phones like the Blu R1 HD and other devices sold internationally, including the US market via Amazon and Best Buy.
Security has been a hot topic on Android for many years, particularly as smartphones take on increasingly significant roles both at home and at work. A single device acts as your main form of communication, contains personal photos and confidential documents, and may even have access to your finances. Google and other companies have made significant investments in time and money to ensure these devices are very hard to break into. However, a vulnerability was recently discovered in some phones that compromises important security measures and opens devices up to various types of attacks. The worst part is that it was created intentionally by a manufacturing partner contracted to build the phones, and the OEMs that designed the phones had no idea.
Two bills recently passed in the states of New York and California that aim to weaken smartphone security in order to combat crime. The laws would prevent the sale of smartphones with full-disk encryption that could not be unlocked by the manufacturer (at the request of law enforcement). In response, Rep. Ted Lieu of California, a Democrat, and Rep. Blake Farenthold of Texas, a Republican, have proposed a bill, the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act of 2016, that would block state-level attempts to ban encryption on smartphones sold in the US.
Have you seen Mr. Robot? The show is only three episodes in, but it's already shaping up to be a surprisingly awesome hacking drama. And I don't mean "hacking" in the CSI/NCIS/Scorpion "120WPM and 60 flashing windows" kind of hacking - the protagonist and his Anonymous-style compatriots use real methods and technology, mostly relying on a combination of known vulnerabilities, social engineering, and brute-force attacks to play at being cyber-vigilantes. You should check it out - USA has the first three episodes available for free on its website.
The third episode features a pretty cool segment where (extremely mild spoiler alert) the antagonist gains physical access to an Android phone in order to digitally tap it.
In a report released today, security researchers claim to have identified a vulnerability in as many as 24 Coolpad devices. The backdoor, which the researchers at Palo Alto Networks call "CoolReaper," reportedly installs adware without user consent or notification. More problematic is the fact that Coolpad built the backdoor into the operating systems themselves. The cherry on top is that Coolpad even had the nefarious app impersonate the Google Play Services framework file to avoid alerting users.