Archive for Android

Android Phone Owners With Skype Installed Are Vulnerable To A Passcode Bypass Exploit

Posted in Commentary on January 4, 2019 by itnerd

If you use Skype for Android, you should pay attention. Someone who is in possession of an Android phone with Skype installed on it simply has to receive a Skype call and answer it without unlocking the handset. They can then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone. The Register first reported this and I have a video below that demonstrates the exploit:

The vulnerability was reported to Microsoft and a fix is already out there via updating to the latest version of Skype. By doing so, you will ensure that you do not get pwned.


Android Pie Is Now Shipping….. Though You May Never Actually Get It On Your Device

Posted in Commentary on August 7, 2018 by itnerd

Google’s latest Android operating system update, Android 9 Pie, has been officially released to customers. Here’s a video that shows you what this new version of Android brings to the table:

Here’s a quick list of notable features:

  • A new gesture-based system interface that’s similar to the interface of the iPhone X
  • There’s a new Android Dashboard, designed to tell you how much time you’re spending on your device. Which sounds like Apple’s Screen Time feature that’s coming in iOS 12.
  • A new Do Not Disturb option called “Shush” which silences Android devices when placed facedown
  • A Wind Down option lets Android users select a specific bedtime to turn the interface gray to discourage smartphone usage at night.
  • An Adaptive Battery feature that maximizes battery power by prioritizing the apps you’re most likely to use next.
  • App Actions for predicting what you’ll want to do next. Which to me sounds a lot like Siri Suggestions.
  • There’s a future feature called Slices that brings up information from your favorite apps right in search.

Android Pie is available to Pixel phones today. For everyone else, you may get an update if your device is recent enough. But as is typical for Android devices, your ability to get a major update to Android largely depends on who makes your phone, what carrier it is on, and how old it is, as many devices use customized versions of the Android OS. Which means that device manufacturers and/or carriers have the ultimate say as to what updates users get. Thus it is entirely possible that you may never get this update on your phone, and you may need to get a new phone to get Android Pie.

Buy A Low Cost Android Phone, And Get Pwned For Free

Posted in Commentary on May 25, 2018 by itnerd

More than 100 different low-cost Android models from manufacturers such as ZTE, Archos, and myPhone ship with malware pre-installed, researchers at Avast Threat Labs reported on Thursday. Users in more than 90 countries, including the U.S., are affected by this, the researchers said:

The malware, called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,’” wrote Avast.

The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

Well. That’s not cool. These companies need to explain why their phones ship with this stuff. Or better yet, I say that governments should say that if this stuff is on phones when they ship, then they can’t be sold. But I suspect that neither is going to happen and consumers will have to fend for themselves by sticking to iOS or the Samsungs or LGs of the world and avoiding this low end market entirely.

When It Comes To Privacy For In Car Infotainment Systems, It’s An Open Question As To What Data Google And Apple Collect From You

Posted in Commentary on April 20, 2018 by itnerd

The issue of privacy when it comes to in car infotainment systems like Android Auto and Apple CarPlay flared up again yesterday when it came to light that Toyota took a pass on Android Auto because of privacy concerns. They joined Porsche who famously did the same thing a few years ago.

That made me wonder if it is spelled out clearly what data either of these systems collects and how it is used. Why does that matter? I’d like to know if Google or Apple is monitoring how aggressively I drive. And what they do with that information and who gets to see it. Thus I spent a day looking around the Internet to see if such documentation exists. The net result of my research is that neither company does a great job of spelling out what data they collect via their infotainment systems and how it is used. To illustrate this, I want to use Tesla as an example of what I am looking for. Their privacy policy makes it very clear what they collect in terms of data. And they go into a great amount of detail about how it is used. That way, you know exactly what Tesla is doing. As far as I am concerned, this is the gold standard when it comes to this sort of thing as it removes any questions from my mind about what Tesla may or may not be doing.

Now let’s go over to Apple. They have a privacy microsite that is better than most and specifically mentions Apple CarPlay here where it says this:

All the rigorous privacy measures built into your iPhone and apps carry over to CarPlay. Only essential information that enhances the CarPlay experience will be used from your car. For example, data such as your car’s GPS location can be used to help iPhone produce more accurate results in Maps.

That’s something I suppose, but beyond that there’s no specific mention in their privacy policy or anywhere else on their microsite about what CarPlay collects and what is done with that information.

In the case of Google and Android Auto, I was unable to find anything that specifically mentions Android Auto, and I looked at the Android Auto site and their privacy and terms microsite, which if you dig for a bit lists pretty much every product that they make except Android Auto. Which means that I have no idea what info Google collects. And that’s a step behind Apple who at least gives me some minimal information on this front.

So in either case, both Android Auto and Apple CarPlay fall well short of telling their users about what data they collect and how it is used when compared to Tesla. That’s a problem given how privacy and the security of data is now a top of mind issue. As a result, we’re left with rumor rather than fact. And that’s a huge problem for both companies if they want their infotainment systems to be adopted widely.

My challenge to both companies would be for them to make their data collection and usage policies for their infotainment systems as clear as Tesla does. At least when Tesla spells it out, I know what I am getting myself into up front assuming that I read the document. I believe that Google and Apple owe us the same.

So how about it Apple and Google? Will you do what’s right for users of Android Auto and Apple CarPlay, or will you continue to keep them in the dark about what data you collect and how it is used in terms of those products? Inquiring minds want to know.


Your Android Phone Might Not Be As Secure As You Think

Posted in Commentary on April 13, 2018 by itnerd

If you own an Android phone from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE, but really any Android phone, you might not be getting the security patches that you need to keep your phone safe based on a recently released study:

The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. “We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” says SRL founder Karsten Nohl.

The number of missing security patches on phones varied between device makers. For example, Google, Samsung, and Sony devices were found to be missing 0 or 1 patches on average. Xiaomi, OnePlus, and Nokia devices were missing 1 to 3 patches on average, while HTC, Huawei, LG, and Motorola were missing 3 to 4 patches on average. Devices from TCL and ZTE fared the worst, missing an average of 4 or more patches that they claimed to have.

One of the huge problems with Android is that it is now so fragmented, and every vendor has filled it with their own custom stuff and they’ve done god knows what to the core of it. That’s horrible for the consumer as you are guaranteed to get this situation because it’s easier to fudge things than to come out with proper patches on a regular cadence.

Contrast that to those on team iOS where everything comes from Apple. Thus every iPhone user that has an iPhone made in the last five years give or take gets every security update that comes out. Sure iOS is a walled garden unlike the freedom that Android provides its users, but the wall surrounding that garden is pretty secure unlike Android.

While people are going to buy Android phones regardless of how insecure they are because they are cheap, Google and company need to do something about this. The fact is that you can’t have millions of phones running around out there which are wide open to being pwned. That’s just a disaster waiting to happen.

Android P Developer Preview Hits The Streets

Posted in Commentary on March 7, 2018 by itnerd

Google today launched the first Android P developer preview which is available for download now at

Some notes on what’s on offer for download:

The preview includes an updated SDK with system images for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, and the official Android Emulator. Unlike last year, there is no emulator for testing Android Wear on Android P.

Interesting that there’s nothing there to test Android Wear devices. I guess that has something to do with the fact that Android Wear devices pretty much got hammered by Apple Watches in the marketplace. Or they haven’t gotten around to it yet. Who knows?

But I digress.

Why should you care? Here’s what Android P…. One has to wonder what food item will be used to market this OS…… Popsicles perhaps?…… Has going for it:

  • Android P offers support for “the latest edge-to-edge screens with display cutout for camera and speaker,” with a new “DisplayCutout” class for outlining the size and shape of a notch on an Android device. Seeing as Android device makers are copying the iPhone X and its notch.
  • Indoor positioning APIs so that your phone will more accurately grab a location indoors.
  • Enhanced notifications
  • Multi-camera support
  • HEIF image support
  • Restricted access to the mic, camera, and other hardware
  • Open Mobile API for NFC payments and secure transactions

Expect this OS to ship sometime in Q3.

#Fail: Google Play Protect Can’t Protect You From Malware

Posted in Commentary on October 26, 2017 by itnerd

Google has a new initiative to reduce malware in the Android ecosystem. Called Google Play Protect, it’s supposed to catch the bad stuff before it ends up on your Android smartphone. Because lots of bad stuff ends up on Android smartphones. And that’s a big problem.

However, it appears that it will not do much for you. Tests by German malware experts AV-Test indicate that Google Play Protect detected just 65.8 percent of recent malware samples, rising to 79.2 percent of malware of around a month old. Meanwhile, third party solutions caught pretty much everything that was thrown at them. The net result was that Google Play Protect finished dead last in this test.

I’m not sure what Google is going to do about it, but I know what you should do. Forget Google Play Protect and invest in a third party anti-virus app that was tested by AV-Test, as it seems Google can’t protect you from the bad stuff that’s out there.