gmane.comp.handhelds.android.security.discuss

Google, please separate the unlock passcode from the encryption passcode

seattleandrew — 2013-05-21T21:30:54

If you haven't been following issue 29468<http://code.google.com/p/android/issues/detail?id=29468> for 
Android, a couple of people are upset that the unlock passcode is tied to 
the encryption passcode. From a usability stance, this makes perfect sense, 
this way users don't have to memorize two passwords, the less the better. 
The issue is, once a FDE (Full Disk Encryption) Android has been unlocked 
the first time, the device is decrypted until it's powered off. This means 
once the device has been unlocked once, there isn't a need to continue 
requiring complex passcodes since all it does is unlock the device.

With the current schema, I argue it actually impacts security and usability 
since users will either choose a complex passcode (for more entropy in FDE) 
and suffer every time the device re-locks or a user will choose a simpler 
passcode (PIN or 6 char) in order to make the unlock process easier (but 
now FDE has less entropy).

With the addition of multiple-users in Android, I argue it wouldn't b

Android 4.2.2 USB Debugging Permission

Ondřej Holkup — 2013-05-16T20:30:27

Dear Google, you are super awesome, I don't know what else to say, I can't 
find decent words which can describe my anger.

I have set up PIN lock on my Nexus 7, unfortunately I think I missclicked 
somewhere, so I can't unlock my tablet and can't figure out the code.
I have ENABLED USB debugging, BUT I didn't really know that you have 
implemented this "awesome" security feature, which makes you enable ceratin 
devices usage of USB debugging. I have wifi only version, of course wifi is 
turned off, so I can't even login to my Google account.
I know this feature is another protection how to protect user data in case 
of stolen device, but what can I do now? Do you want to tell me I have to 
reset it, if I don't remember code I have set up? I've already reset it one 
time because one of my schoolmates have set up pattern lock and have 
forgotten it. I thought that when I have USB debugging enabled everything's 
going to be okay, well it seems, it won't...
I don't really want to reset it again. Apple iTunes ma

New Android vulnerability app

sumin tchen — 2013-05-16T18:30:36

We've just released a free App that protects your Android phones and 
tablets by testing for all known software and operating system 
vulnerabilities.

https://play.google.com/store/apps/details?id=com.belarc.securityadvisor<http://www.linkedin.com/redirect?url=https%3A%2F%2Fplay%2Egoogle%2Ecom%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom%2Ebelarc%2Esecurityadvisor&urlhash=r5lH&_t=tracking_anet>

Please send us your comments.  (e) apps< at >belarc.com

Sumin

set permission WRITE_APN_SETTINGS not enough

Jindřich Matouš — 2013-05-14T13:13:55

Hallo Collegue,
I want to change current APN by following code:
And this error raised.
In manifest already filled:
<uses-permission *android:name="android.permission.WRITE_APN_SETTINGS"*/>
 
java.lang.SecurityException: No permission to write APN settings: Neither 
user 10051 nor current process has android.permission.WRITE_APN_SETTINGS.
It is protected by system? Haw can I change it?
 

 public static boolean setActiveAPN(Context context, int id) throws 
IllegalArgumentException {
  boolean res = false;
  ContentResolver resolver = context.getContentResolver();
  ContentValues values = new ContentValues();

  values.put("apn_id", id);
  try {
   resolver.update(PREFERRED_APN_URI, values, null, null);
   Cursor c = resolver.query(PREFERRED_APN_URI, new String[] { "name", 
"apn" }, "_id=" + id, null, null);
   if (c != null) {
    res = true;
    c.close();
   }
  } catch (SQLException e) {
   Log.d(TAG, e.getMessage());
   throw new IllegalArgumentException("APN cannot be set! (probably wrong 
name");
  }

GET_TASKS and data sent to private Activity

Maciej Górski — 2013-05-11T19:29:53

Hello everybody,

I've noticed that when an application has GET_TASKS permission it can 
retrieve the data sent between two Activities in other application, where 
second Activity is not exported like in this example:

        <activity android:name=".FirstActivity" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".SecondActivity" />

somwhere in FirstActivity:

    Intent intent = new Intent(this, SecondActivity.class);
    intent.putExtra("any_key", "any_value");
    startActivity(intent);

any_key + any_value pair can be read from application that has GET_TASKS 
permission.

Does that mean we should not send sensitive data between exported and 
private Activity?

about RSA

Soumen Debnath — 2013-05-11T13:39:16

Hi Android Geek world..
I am a hard core android application developer. 
Now I want to dip into the serious android development issues for that I 
have taken the area of the Security algorithms.
I want  to start with *rsa algo for ginger bread*. Can any want give me the 
path of the RSA algo implementation file inside the android core system. 
So that I can get an idea how it works.
Please give me a basic dea

Android Application Signing

Keith Makan — 2013-05-09T19:37:03

At the moment I'm writing a bunch of white papers on android security. 
As a result I've been trying to hunt down some academic style papers on 
Android's Application Signing mechanism, 
I have some high level understanding of how things work---you know the 
whole .jar signing, public key, cryptographic hash story---but I 
need a good set of academic papers on the subject to reference.

Please Help?

Thanks ;)

Android 4.2 and Developer Permissions

Jeffrey Walton — 2013-05-09T14:47:34

Hi All,

I've been reading Nikolay Elenkov's blog on Android Code Signing
(http://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html).

The blog talks about developer permissions that are revocable at
runtime, such as READ_LOGS and WRITE_SECURE_SETTINGS. The permissions
are listed at http://developer.android.com/reference/android/Manifest.permission.htm.

A few questions:

(1) How do we determine development permissions? The Manifest does not
denote them.

(2) Should these permissions show up in production apps?

(3) For the permissions to be in effect (i.e., the capability is
granted), does the phone have to be in development mode?

(4) How do we revoke them? Is there an alternative to `adb pm revoke`?
Is there a GUI component?

Some of these have been around for quite some time (API 1), but the
blog appears to indicate they are new. For example,
Manifest.permission.html states READ_LOGS has been available since API
1.

Is there any more reading on the subject? Google and Bing are
re

I want to know some uesful website about Android Security in your country,I am from china .Thank you so much .

Weuzhu Liu — 2013-05-09T01:53:30

I want to know some uesful website about Android Security in your  country ,I 
am from china .Thank you so much .

Is a device safer if supplied with 4.0 than if it is upgraded from 2.3.4?

Victor Pettersson — 2013-05-07T13:40:05


I have a short question regarding the security in Android.

I have a Sony Xperia S device that was sold with Android 2.3.4, later I 
upgraded to 4.0.4 via Sony’s PC companion software. My employer claims that 
my Sony phone is more vulnerable than a Samsung Nexus which was shipped 
with 4.0.4 just because I have upgraded it from 2.3.4 to 4.0.4.

I have not rooted my phone or anything like that. 

I would like to know if a device with 4.0.4 stock from the manufacturer is 
“safer” than a device that is upgraded from 2.3.4?

Google Play changes bring cautious optimism on Android security

Jeffrey Walton — 2013-05-02T00:06:12

Hi All,

Out of curiosity, why did the change occur? Has Google published any
numbers correlating Play Downloads with Malicious Updates? Or: how
frequently did this happen in the wild?

Is there a paper out there that I missed discussing the trend?

Jeff

http://www.pcadvisor.co.uk/news/mobile-phone/3445092/google-play-changes-bring-cautious-optimism-on-android-security/

Google's decision to have Android apps on Google Play updated only
through the online store will likely improve security on the mobile
platform, but by how much remains to be seen, experts say.

Google recently changed its Play Developer Program Policies to say,
"an app downloaded from Google Play may not modify, replace or update
its own APK binary code using any method other than Google Play's
update mechanism." The APK, or Android application package file, is
the format used to distribute and install apps onto the operating
system.

The move makes it much more difficult to turn a benign app into a
malicious one once it leaves Google Play

Secured IPC BESIDES the component security or enforcing permission in Android

tkHWANG — 2013-04-28T11:46:32

Personally I know that Android recommends to use the enforcing permission 
when declaring the component for the secured IPC operation.

But sometimes it's quite not easy to use the unified single enforcing 
permission when it should operate with bunch of applications 
which are signed by their own signing key.

I know that those application *SHOULD* be signed by considering this 
enforcing permission, 
but practically sometimes those applications run in real world and later we 
need to protect their unprotected IPCs : broadcasting, service, content 
provider and activity.

Is there any other method available for the secured IPC besides the 
component security or enforcing permission 
which restricts the IPC by requiring the Android permission ? 

* Checking the signing certificate ?
- For bound service, it can be used, but in other case, it's difficult to 
apply.

* Is the EXPLICIT intent secure ?
- If intent is resolved by intent.setPackage(packageName), can only the 
specified package take the intent secur

Is it possible to use Android Credential Storage for storing application secrets?

Sandesh — 2013-04-27T05:33:08

Hi,

Is there a Android standard API based approach to store application secrets 
(such as third party services password etc) in Android Credential Storage? 
iOS provides a KeyChain API, which provides application to leverage the iOS 
credential storage for storing application secrets. Is there something 
similar available for Android?

Thanks,
Sandesh

Verify Applications Process

Oliver Hill — 2013-04-25T14:11:11

So I recently discovered the rather useful "verify apps" feature introduces 
in Jelly Bean, and I was wondering if anyone could point me towards the 
area of the source code where the Verification is performed. If the actual 
verification code is hidden or not part of the open source code, then I'd 
at least like to see exactly where the verification is called from. I'm 
looking to hook into the verification process and run my own checks on 
applications which want to be installed, so doing them at the same time as 
the Verification checks makes sense.

Thanks,

Oliver.

How do we verify Android in-app billing receipt on the server side?

尉迟山 — 2013-04-23T05:39:32


I am implementing in-app billing into an Android game and we want to use a 
server to store the purchase information.

According to what I understood so far, Android Market will return a 
callback to the app in the form of Broadcast receiver about the purchase 
status. But since we are persisting the transaction information on the 
server, my app has to make some http post request and update my server. 
There is a very high chance that this http post request could be imitated 
by some hacker manually. How do I validate that Android market receipt 
information from my server code?

OT: Google I/O 2013?

Jeffrey Walton — 2013-04-25T04:54:39

Hi All,

I'm trying to locate Google I/O 2013's speakers and topics.
Specifically, I'm interested in the security related talks. The
conference's page does not provide the details
(https://developers.google.com/events/io/).

Would anyone have a list of what's being presented?

Jeff

Network programming in the link layer. Possible?

2013-04-18T13:58:09

Hi,
as part of my software M.Sc degree I'm looking to do a proof of concept 
that requires me to do some programming between level2 and level3 of the 
network stack, basically to look at, and possibly modify, packets in the 
link layer. 
Is this possible on the Android platform? On Windows I'd use something like 
Pcap, but totally clueless on the Android platform (although liking what I 
see so far)

Many thanks,
Jem

Android: Getting the Email ID of the Account that uses Certificate Authentication

Deepaksudu Rs — 2013-04-18T11:09:12

 
Hi All,
 
I had setup my corporate mail account in Samsung S3 with a user certificate 
(certificate.pfx). My accounts got synced. My question is, I need to 
programattically fetch the Mail ID which is setup in my device. 
 
I did the following steps to get this done,
 
 
android.accounts.Account[] accounts = AccountManager.*
get(context).getAccounts();*

*This array will hold all the accounts that is configured in my device. I 
ll filter this array to get my corporate mail ID, bcoz i know it.*

*But my problem is , While i setup my mail account, the default Email 
client (Native Email app) accepts different Email Id and password also for 
my certificate i.e I could setup my email account with the name abc< at >cba.com  
and "password" with my certificate.pfx file.*

** 

*Now if i run the above code its giving the cofigured email id as 
abc< at >cba.com but if i send any mail from this ID to someone , there in the 
receiver end its showing ,the mail had come from my original ID*

*I need to get my original email ID

Android Developer Phone with default CardManager keys on embedded Secure Element on NFC

Tanuj Mittal — 2013-04-15T17:27:20

Hi there

We are doing some research work involving secure element and NFC on 
portable devices. We wanted to develop prototype applications to demo our 
work. For that we require access to embedded Secure Element of NFC chip. Is 
there any developer device from Google Wallet team that we can possibly get 
hold of to carry this work further? The developer device should have 
complete access to the embedded Secure Element.

ACLU to FTC: Mobile carriers fail to provide good Android security

Jeffrey Walton — 2013-04-17T19:40:39

http://news.cnet.com/8301-1035_3-57579978-94/aclu-to-ftc-mobile-carriers-fail-to-provide-good-android-security/

The America Civil Liberties Union filed a complaint with the Federal
Trade Commission today asking the agency to investigate the four major
mobile carriers' security practices in regards to smartphones.

The civil liberties group claims that AT&T, Verizon, T-Mobile, and
Sprint are not doing enough to protect users' private and personal
data -- specifically on Android devices. The gist of the complaint
(PDF) is that these carriers aren't providing users with timely
security updates, which the ACLU says is akin to "deceptive and unfair
business practice."

"The major wireless carriers have sold millions of Android smartphones
to consumers," the ACLU wrote in its complaint. "The vast majority of
these devices rarely receive software security updates."

The ACLU claims that while Google has published updates to fix
exploitable security vulnerabilities, these fixes have not been sent
out to consumers.

why android does not include AddTrust External CA Root ?

류수원 — 2013-04-15T02:25:47

why android does not include AddTrust External CA Root ?