gmane.comp.handhelds.android.security.discuss

RE: New Android vulnerability app

Sumin Tchen — 2013-05-19T00:44:30

HI Jeff,

Keep in mind that if you're on the host, i.e. Android device, you don't need to pen test the ports, etc.  The Belarc Security Advisor runs as an App on the host device, so it know's the apps and OS versions.

That and some "secret sauce" - Tony Sager's* term, does the trick.

Regards,
Sumin

* Tony Sager is the former technical head of the NSA's Information Assurance Directorate, and a great guy.


________________________________________
From: android-security-discuss< at >googlegroups.com [android-security-discuss< at >googlegroups.com] On Behalf Of Jeffrey Walton [noloader< at >gmail.com]
Sent: Saturday, May 18, 2013 16:57
To: Shawn Valle
Cc: android-security-discuss< at >googlegroups.com
Subject: Re: [android-security-discuss] New Android vulnerability app

On Sat, May 18, 2013 at 3:18 PM, Shawn Valle <shawnvalle< at >gmail.com> wrote:
From Valle's description, it looks like his app also scans other apps.

I was wondering if it was a straight port of Metasploit, Mercury, or
something else. I presume the device needs to

RE: New Android vulnerability app

Sumin Tchen — 2013-05-18T21:51:51

HI Shawn,

Similar concept to xray in that both are checking for vulnerabilities, but the implementation is quite different.  Also the Security Advisor is checking for over 300 vulnerabilities and when I last looked it appeared that xray is checking for <10.  

There is a reason that xray is not on Google Play.  It actually tries to exploit the vulnerabilities and that is a no-no on Google Play for obvious reasons.  The Security Advisor discovers whether the apps or OS are vulnerable versions, and does this without trying to hack into the device.

Let us know if you would like any additional info.

Regards,
Sumin


________________________________________
From: android-security-discuss< at >googlegroups.com [android-security-discuss< at >googlegroups.com] On Behalf Of Shawn Valle [shawnvalle< at >gmail.com]
Sent: Saturday, May 18, 2013 15:18
To: android-security-discuss< at >googlegroups.com
Subject: [android-security-discuss] New Android vulnerability app

How does this compare / differ from xray at www.xray.io?

--
You receiv

Re: New Android vulnerability app

sumin tchen — 2013-05-18T21:51:41

HI Shawn,

Similar concept to xray in that both are checking for vulnerabilities, but 
the implementation is quite different.  Also the Security Advisor is 
checking for over 300 vulnerabilities and when I last looked it appeared 
that xray is checking for <10.  

There is a reason that xray is not on Google Play.  It actually tries to 
exploit the vulnerabilities and that is a no-no on Google Play for obvious 
reasons.  The Security Advisor discovers whether the apps or OS are 
vulnerable versions, and does this without trying to hack into the device.

Let us know if you would like any additional info.

Regards,
Sumin


On Saturday, May 18, 2013 3:18:22 PM UTC-4, Shawn Valle wrote:

Re: New Android vulnerability app

Jeffrey Walton — 2013-05-18T20:57:35

From Valle's description, it looks like his app also scans other apps.

I was wondering if it was a straight port of Metasploit, Mercury, or
something else. I presume the device needs to be rooted to break out
of the sandbox, but its speculation.

Jeff

New Android vulnerability app

Shawn Valle — 2013-05-18T19:18:24

How does this compare / differ from xray at www.xray.io?

New Android vulnerability app

Shawn Valle — 2013-05-18T19:18:22

How does this compare / differ from xray at www.xray.io?

Re: New Android vulnerability app

sumin tchen — 2013-05-18T14:48:27

HI Kris,

Good question!  Anti-virus is based on signature files which identify the 
security threats.  While this worked somewhat in the past, it's pretty 
ineffective against today's threats which can change their signatures much 
faster than AV products can update their signatures.

Belarc's Security Advisor is based on discovering and helping you update 
the existing vulnerabilities, both apps and operating system, and thereby 
not allowing the security threats to affect your Android device.  This 
works no matter how often the threat signatures change.

Naturally there are always new vulnerabilities being discovered, and this 
is why we are planning to release new updates to the Security Advisor on a 
regular schedule.  We have a discussion of this topic, with links to 
security papers from the NSA and SANS, here: 
 http://www.belarc.com/sa_full.html and here for mobiles :)) 
http://m.belarc.com/sa.html

Feel free to contact us if you have any additional questions.

Regards,
Sumin


On Thursday, May 16,

Re: Android 4.2.2 USB Debugging Permission

Jeffrey Walton — 2013-05-18T14:27:44

Hi Ondřej,

On Thu, May 16, 2013 at 4:30 PM, Ondřej Holkup <holubbisko< at >gmail.com> wrote:
Well, Apple's solution appear to allow anyone to claim the account of
the device owner even without possession of the device
(http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/);
and its more than happy to provide all your data to any authority,
even without the proper paperwork
(http://appleinsider.com/articles/13/05/10/police-asking-apple-to-decrypt-seized-iphones-must-wait-their-turn.

Have you tried http://productforums.google.com/forum/#!category-topic/mobile/android-devices/S_oB-ELv2oY
and http://support.google.com/android/bin/answer.py?hl=en&topic=2500700&ctx=topic&answer=2569768?

Sorry to hear about your troubles.

Jeff

Re: New Android vulnerability app

Kristopher Micinski — 2013-05-18T14:12:38

Sumin,

What kind of technology does your app use (if you don't mind sharing,
of course)?  It looks like it's mostly just an anti-virus technique
from the screenshots.  The commercial tools I've seen for Android all
have this flavor.

Kris

On Thu, May 16, 2013 at 2:30 PM, sumin tchen <stchen< at >belarc.com> wrote:

Android 4.2.2 USB Debugging Permission

Ondřej Holkup — 2013-05-16T20:30:27

Dear Google, you are super awesome, I don't know what else to say, I can't 
find decent words which can describe my anger.

I have set up PIN lock on my Nexus 7, unfortunately I think I missclicked 
somewhere, so I can't unlock my tablet and can't figure out the code.
I have ENABLED USB debugging, BUT I didn't really know that you have 
implemented this "awesome" security feature, which makes you enable ceratin 
devices usage of USB debugging. I have wifi only version, of course wifi is 
turned off, so I can't even login to my Google account.
I know this feature is another protection how to protect user data in case 
of stolen device, but what can I do now? Do you want to tell me I have to 
reset it, if I don't remember code I have set up? I've already reset it one 
time because one of my schoolmates have set up pattern lock and have 
forgotten it. I thought that when I have USB debugging enabled everything's 
going to be okay, well it seems, it won't...
I don't really want to reset it again. Apple iTunes ma

New Android vulnerability app

sumin tchen — 2013-05-16T18:30:36

We've just released a free App that protects your Android phones and 
tablets by testing for all known software and operating system 
vulnerabilities.

https://play.google.com/store/apps/details?id=com.belarc.securityadvisor<http://www.linkedin.com/redirect?url=https%3A%2F%2Fplay%2Egoogle%2Ecom%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom%2Ebelarc%2Esecurityadvisor&urlhash=r5lH&_t=tracking_anet>

Please send us your comments.  (e) apps< at >belarc.com

Sumin

set permission WRITE_APN_SETTINGS not enough

Jindřich Matouš — 2013-05-14T13:13:55

Hallo Collegue,
I want to change current APN by following code:
And this error raised.
In manifest already filled:
<uses-permission *android:name="android.permission.WRITE_APN_SETTINGS"*/>
 
java.lang.SecurityException: No permission to write APN settings: Neither 
user 10051 nor current process has android.permission.WRITE_APN_SETTINGS.
It is protected by system? Haw can I change it?
 

 public static boolean setActiveAPN(Context context, int id) throws 
IllegalArgumentException {
  boolean res = false;
  ContentResolver resolver = context.getContentResolver();
  ContentValues values = new ContentValues();

  values.put("apn_id", id);
  try {
   resolver.update(PREFERRED_APN_URI, values, null, null);
   Cursor c = resolver.query(PREFERRED_APN_URI, new String[] { "name", 
"apn" }, "_id=" + id, null, null);
   if (c != null) {
    res = true;
    c.close();
   }
  } catch (SQLException e) {
   Log.d(TAG, e.getMessage());
   throw new IllegalArgumentException("APN cannot be set! (probably wrong 
name");
  }

Re: GET_TASKS and data sent to private Activity

Giancarlo Capone — 2013-05-13T21:24:21

Hello* *Maciej Górski,
I know this is a common problem. This issue has been resolved by Google 
since Android 4.1.1: in fact from this version on, they have introduced a 
new class that allows you to retrieve data (ActivityManager.RecentTaskInfo) 
that doesn't allow you to get "extras" from other applications.
In my opinion if you want to pass data in such a secure way between two 
activity, you can pass crypted data or you can only pass a kind a simple 
variable (for example an Integer or a String) and in the second activity 
you can retrieve data from a Db or from the shared preferences. 

Let's consider that you want to send the number of a credit card from 
FirstActivity to SecondActivity.
Now in FirstActivity you can save the number of the credit card in a Db or 
using a SharedPreference, then you can pass to SecondActivity a number or a 
string that has no real meaning (for example you can pass the name used to 
save the sharedPreferences). In the SecondActivity, you receive that String 
and you can r

Re: Android Application Signing

Keith Makan — 2013-05-13T13:34:18

The use of Certificates and Signatures can also augment/modify the 
effectiveness of the permissions framework.

If two apps have a certificates that share a public key---indicating that 
they are from the same developer(s)---they may be granted access to 
non-exported components and/or files that belong to either app and be 
granted a special permissions under the "signed" and "signedOrSystem" 
permission group. Two applications may also share the same user ID if they 
share the same public key.
 
For instance if you've ever installed facebook home you'd notice that it 
requests NO permissions but only requires that you have the facebook app 
installed! This is because it gets all the permissions it needs from the 
facebook app by means of "signature" permissions.

A good mindset to have---from the perspective of application security---is 
to assume that whenever developers publish apps under that same public key, 
they can effectively increase the attack surface of all other apps signed 
with the same key,

GET_TASKS and data sent to private Activity

Maciej Górski — 2013-05-11T19:29:53

Hello everybody,

I've noticed that when an application has GET_TASKS permission it can 
retrieve the data sent between two Activities in other application, where 
second Activity is not exported like in this example:

        <activity android:name=".FirstActivity" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".SecondActivity" />

somwhere in FirstActivity:

    Intent intent = new Intent(this, SecondActivity.class);
    intent.putExtra("any_key", "any_value");
    startActivity(intent);

any_key + any_value pair can be read from application that has GET_TASKS 
permission.

Does that mean we should not send sensitive data between exported and 
private Activity?

Re: about RSA

Brian Carlstrom — 2013-05-11T17:18:20

Android is using implementations from http://www.openssl.org/ and
http://www.bouncycastle.org/java.html as found in external/openssl and
external/bouncycastle in the Android source tree.

-bri

On Sat, May 11, 2013 at 6:39 AM, Soumen Debnath
<soumendebnath.cse< at >gmail.com> wrote:

about RSA

Soumen Debnath — 2013-05-11T13:39:16

Hi Android Geek world..
I am a hard core android application developer. 
Now I want to dip into the serious android development issues for that I 
have taken the area of the Security algorithms.
I want  to start with *rsa algo for ginger bread*. Can any want give me the 
path of the RSA algo implementation file inside the android core system. 
So that I can get an idea how it works.
Please give me a basic dea

Re: Android Application Signing

Brian Carlstrom — 2013-05-10T14:50:49

I've never used Google Play, but it validates the signature for
updates their as well as I understand it.

Like Jeffrey, I recommend you look at Nikolay Elenkov's blog entry on
Android Code
Signing: http://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html

I also recommend looking at the code in frameworks/base in an AOSP tree.

-bri

On Fri, May 10, 2013 at 7:34 AM, Sebastian Bachmann <me< at >free-minds.net> wrote:

Re: Android Application Signing

Sebastian Bachmann — 2013-05-10T14:34:29

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So its just for ensuring upgradeability?
does the certificate information has any impact on google play?

On 2013-05-10 16:23, Brian Carlstrom wrote:
For the academic treatments, Google is your friend:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJRjQV1AAoJEAhgHfpCPcybvrAIAISuZJkD7v2eDyNP5XOexzcw
1OO5HKSHy3QlvcaxLEz3ghe8sWxofB/QF5ugw5w537gcQH7AJ4YSFFCxLhPGbEmo
0LEVHKvg+ti2gcWv6Hk20tB/nkIXB/itDFSdaAyLfF+RAIPd7wUbWKROqZNmA3ys
UWNlb1MTURelPQYqmrlIWrAO4x80ISbFkUKJmnvk92NrsfeBAQNx/aPrpvB+n6PC
vA1OzX6IfZgb99JjmtYGWLqJlXNk0PfvWjhl3qntmK9+KujByQmFEiaMpvx5+Utl
vLiOUJd5BQOtihqyMqdwSnC2x2WZjRDI6mX1z4xlOzRNv4cuBoSFmPQCbYRAv5Q=
=2hEO
-----END PGP SIGNATURE-----

Re: Android Application Signing

Brian Carlstrom — 2013-05-10T14:23:37

The certs are self signed, not issued by a public authority. They are
used to validate on upgrade that the new apk came from the same source
as the old apk. given that, the subject/issuer information isn't
relevant, just the public key in the certificate.

-bri

On Fri, May 10, 2013 at 2:11 AM, Sebastian Bachmann <me< at >free-minds.net> wrote:

Re: Android Application Signing

Sebastian Bachmann — 2013-05-10T09:11:49

But is there any enforcement of the signature policy in practise?
i dont know if signatures are in any time validated up its chain?
You can not install apps that are not signed, but is there a check for
known bad signatures?

and if a developer is blocked by his sigtnature, he can easily generate a
new one.
i see many apps that have this kind of signature:

Issuer: C=US, L=, S=, O=Android, OU=, CN=Android Debug, E=
Subject: C=US, L=, S=, O=Android, OU=, CN=Android Debug, E=

so there are many people that dont even care about the signature...


On Thu, 9 May 2013 19:06:46 -0400, Jeffrey Walton <noloader< at >gmail.com>
wrote:
wrote:
http://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html.