Jaikumar Vijayan, ComputerWorld, 4/11/14
Many banking, mobile payment apps connect to servers vulnerable to OpenSSL flaw, says Trend Micro
Android and iOS mobile applications are just as vulnerable to the Heartbleed bug as websites are, security vendor Trend Micro warned in a blog post on Thursday.
Because of the threat, consumers should avoid making in-app purchases via their mobile devices until permanent fixes are available for Heartbleed, the company said.
According to Trend Micro, a scan of about 390,000 applications on Google Play uncovered about 1,300 apps that connect to servers vulnerable to Heartbleed.
Among those at risk are more than a dozen banking apps, about 40 payment apps and 10 online shopping apps.
The company said it also found several popular apps to be vulnerable because they connect to servers likely compromised. “Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions.”
A significant number of those servers are affected by the vulnerability, Trend Micro noted.
“We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps — and most concerning, even mobile payment apps,” Trend Micro said. “These apps use sensitive personal and financial information — data mines just ripe for the cybercriminal’s picking.”
JD Sherry, vice president of technology and solutions at Trend Micro, said the company did not perform a similar scan of applications available via Apple Store. But there is no doubt many of them are also at risk, he said.
Many view the Heartbleed vulnerability as one of the most serious Internet threats in a long time. The vulnerability stems from a basic programming error in OpenSSL versions 1.0.1 through 1.0.1f; OpenSSL is used to encrypt data by various browsers, operating systems and mobile applications. The flaw lets attackers grab confidential data like passwords and session keys from systems using the vulnerable software.
According to Trend Micro, mobile applications that support in-app purchases can connect to servers that use affected versions of the OpenSSL software. “As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It’s as simple and easy as that.”
Even applications that do not support in-app purchases are at risk if the application connects to an online server that is vulnerable. “For example, your app could ask you to ‘like’ them on a social network, or ‘follow’ them on yet another for free rewards” and eventually lead users to a vulnerable server.
“Heartbleed further complicates the BYOD conversation that many organizations are struggling with,” Sherry said. “This raises more questions and further exacerbates the challenge.”
Tom’s Guide / Jill Scharr, Yahoo News, 4/11/14
Google yesterday (April 11) announced plans to increase security on its Android mobile operating system by continuously monitoring installed apps for malicious or otherwise problematic behavior. This update is an addition to Google’s “Verify apps” feature, which already checks all apps for potentially harmful code before installing them on a device.
Why is this necessary? An app might start off as perfectly benign, but then receive updates that change its code, turning it into something other than what you installed, especially if that app comes from somewhere other than the Google Play store.
The post-installation monitoring feature is being pushed out to all devices running Android Gingerbread 2.3 and later with Google Play installed. (Users will not have to wait for a carrier software update.) To disable the feature, you can simply turn off “Verify apps” in an Android device’s security-settings menu, but doing so would also disable the device’s ability to screen apps upon installation.
Android owners will be able to perform manual scans of installed apps, or schedule regular scans. If the scanner finds something problematic, users will see messages such as “Google recommends that you immediately uninstall this app” or “To protect you, Google uninstalled this app.” These will look similar to the other messages that the “Verify apps” feature sends out when it encounters a problem.
“Verify apps” is part of the “service layer” of the Android operating system, which Google compares to a home alarm system. Adding constant on-device monitoring to its service layer brings the Android operating system a step closer to the security found on Apple’s iOS platform, which blocks most installed apps from changing code after installation.
Google thinks most people won’t need this new feature, as “potentially harmful applications are very rare,” it said in a post on the Official Android blog. “But we do expect a small number of people to see warnings…as a result of this new capability.”
Tammy Parker, FierceWireless, 4/11/14
Comcast announced that it now has 1 million U.S. Wi-Fi hotspots. The news was released amid rumors that the cable MSO is thinking of launching a Wi-Fi-centric wireless service. The operator noted it has deployed its Xfinity-brand Wi-Fi hotspots in a vast array of public venues across major cities such as San Francisco, Chicago, Boston, Philadelphia, Washington, D.C., and Atlanta as well as areas of New Jersey, Maryland, Virginia and Delaware. In addition, most Comcast Business Internet customers, including cafes and retailers, are eligible to receive an Xfinity Wi-Fi hotspot for no additional charge when they order service. Comcast also provides its residential customers with Xfinity Wireless Gateways that have a second “xfinitywifi” SSID for use by other Xfinity Internet subscribers without the need to know a homeowner’s private network password. For more, see this Comcast release.
Mozilla promised that Firefox OS was getting a gigantic interface redesign later this year, and it’s now clear just how ambitious that remake will be. Ahmed Nefzaoui and Soren Hentzchel have provided a detailed look at Firefox OS 2.0 that shows off its thoroughly modern style. There are flat surfaces everywhere, and even more transparency than in current versions; both the lock screen notifications and task switcher have taken on a decidedly iOS 7-like (not to mention more useful) layout. The preview also gives a better glimpse at EverythingMe’s contextual search, which produces both app and web results. You’ll still have to wait a few months to see 2.0 reach shipping hardware, but this close-up suggests that your patience will pay off.
The Wi-Fi Alliance has updated its Wi-Fi Protected Setup certification program to support NFC verification. Instead of entering a password or holding down buttons, you simply tap two Wi-Fi devices with NFC chips together to establish a connection. The technology can be used to connect devices to a local network by tapping a router, or two end-user devices by tapping them together.
For example, I’ve been testing out Whistle’s dog activity tracker for the last few months, which uses both Bluetooth to connect to my phone and Wi-Fi to connect to my home network. Connecting my Whistle to my home network is a multi-step task, requiring first pairing the gadget with my phone with Bluetooth and then configuring the device to connect to my Wi-Fi through Whistle’s smartphone network. Whistle is more useful the more networks it connects to, but if I wanted to add additional Wi-Fi networks to the device, say at my parents’ place or at the kennel, the owners of those networks would have to go through the same process.
The new Wi-Fi Protected capability (and an NFC chip) would make Whistle connect instantly to the network over a secure WPA2 connection with a mere bump against the router. Of course, that’s assuming you want to give that kind of easy access to the world of internet-of-things devices. Wi-Fi Protected uses proximity as security, assuming if you can get close to a router or gadget, then it’s authorized to share connectivity. Not everyone wants their Wi-Fi networks — or devices — to be so open.
A small startup called Pylon is exploring some interesting use cases for NFC-brokered connections in the home that may address some of those security concerns. It has developed a Wi-Fi beacon that creates a guest wireless network that can be accessed with an NFC tap or a “bump” of the iPhone (the accelerometers in the devices trigger the handshake). Instead of granting all network rights to those guest devices, Pylon could restrict users to internet access only and for a short interval, say 30 minutes.
The Wi-Fi Alliance said it is now certifying devices using the new technology, and among the gadgets on its test list is Google’s Nexus 10 tablet. I wouldn’t, however, expect a huge flood of new gadgets using the capabilities. While NFC is making it into more and more smartphones, it’s still rare in devices like wearables and smart appliances. The goal of many of these device manufacturers is to make their devices as inexpensive as possible, and adding an additional radio contradicts that trend.
Still, there could be a lot of use cases for NFC-brokered connections in smartphones. Instead of trying to dig up passwords whenever a friend wants to connect to your home network, they could just tap to connect. And as Wi-Fi hotspots make their way into connected cars, Wi-Fi Protected could be a brilliantly simple way to connect a tablet to the in-car network.
Mark Elliott, Sprint, 4/10/14
Samsung Galaxy S 4® with Sprint Spark™ (enhanced LTE) becomes a fourth Wi-Fi Calling enabled smartphone from Sprint through an over-the-air update that started rolling out today. The update notification will be pushed to all our customers automatically during the next few weeks.
Wi-Fi Calling is a FREE service that lets you use voice and messaging services over existing home, office and public Wi-Fi networks. With Wi-Fi Calling, you will experience improved voice, data and messaging services in locations that previously had limited or no mobile network coverage.
How will customers benefit?
- Enhanced coverage for in-building coverage or areas with challenging network conditions
- Easy setup: Once activated, everything is seamless and happens in the background
- Unlimited voice calling and messaging on Wi-Fi: All domestic calling and messaging is FREE (standard CDMA international rates apply for international calls)
Once the download is complete, you will be prompted to install the update. Installation will take a few minutes during which the device will be disabled. Once installation is completed, the device will be ready for use and Wi-Fi Calling can be activated by going to your Apps folder and selecting the Wi-Fi Calling icon.
Sprint plans to expand Wi-Fi Calling to additional devices in 2014.
With companies like Verizon pushing into its broadband turf, Comcast may be pushing back with its own mobile network, according to a report from The Information. Insiders claim that, like Google, it’s considering a service that would work using a combination of Comcast’s million+ WiFi hotspots and leased cellular capacity from other operators. Those could include Verizon, with which it already has a deal in place for wholesale network access. In addition, it has over 8 million customer WiFi routers that could also function as hotspots. If all that is accurate, Comcast could offer such a service separately, as part of a bundle or even as a cheap WiFi-only package à la Scratch Wireless. Take it with a big dollop of skepticism, though — Comcast has gone down that road before.
David Talbot, Technology Review, 4/8/14
Google believes open hardware innovation could help it find industries and markets for its software and services.
On workbenches sit prototypes of memory modules, battery modules, and processor modules, all designed to slide easily in and out of an aluminum smartphone “endoskeleton.” A prototype infrared imaging lens module for night photography would protrude about a half-inch from the device. Another module would let you read your blood oxygen levels with a swipe of your finger.
Knaian runs a small electrical engineering company called NK Labs, one of the main contractors working on “Project Ara” (which is named after him). By now, though, more than 100 people at a dozen companies are involved in this modular smartphone venture from Motorola’s Advanced Technology and Projects (ATAP) group, a division Google retained when it agreed to sell the handset maker to Lenovo earlier this year (see “Why Google Kept Motorola’s Research Lab”).
Hardware modularity has been tried in the phone market before, but the awkward, bulky results fell well short of displacing sleek all-in-one devices that need frequent replacement. In 2007, Modu, an Israeli startup, developed smartphones that fit into electronic jackets to become cameras, fitness trackers, or music players. The idea failed in part because of the proprietary interface but also because of a clunky design and the limited number of available modules. The company folded soon after launching (though Google bought its intellectual property a few years later).
Google thinks modularity may succeed now thanks to the shrinking cost and size of the underlying electronics and because innovation in conventional mobile hardware is slowing down (see “The New Smartphone Incrementalism”). Also, by fostering open hardware innovation in smartphones and other mobile devices, Google believes it could gain footholds for its software and services in fresh markets and fresh industries.
“We believe that the smartphone hardware ecosystem should be, and can be, a lot more like the Android app ecosystem: with a low barrier to entry, lots and lots of developers, and faster, richer innovation,” says Paul Eremenko, a former office head at the Defense Advanced Research Projects Agency who leads the project (his boss, Regina Dugan, was DARPA’s director and now runs ATAP for Google).
The hardware ecosystem Eremenko envisions would be entirely open. Google would provide the endoskeleton, which has eight rear slots for modules, two front-facing slots for components such as a screen and a button panel, and onboard power and data transmission. Parts could be replaced or upgraded without discarding the rest of the phone, and the finished device could be adapted to serve any number of special functions—professional photography, environmental sensing, medical monitoring—depending on what hardware emerges. Though the project is still in the research and development stage, a working prototype is expected to be ready this month.
It’s an alluring idea, but Google will have to persuade both customers and hardware makers to think different.
At least now smartphone components are much smaller and cheaper than they once were. The electropermanent magnets that connect the modules without snaps or hinges and the simple wireless interfaces “help us make modules with as little added complexity, cost, and weight as possible,” Knaian says.
In fact, the size, power, and weight penalty that comes with making something modular is now under 25 percent, a level that is an acceptable tradeoff for the benefits that flexibility will bring, Eremenko argues. “Modular things tend to be brick-like,” he says. “We think we’re at an inflection point where the penalty is down to something that can comport with things that would be beautiful.”
At least one other smartphone maker seems to agree that modularity’s time has come. In January the Chinese smartphone giant ZTE proposed design concepts of quasi-modular phones, called Eco-Mobius. ZTE’s concept is more limited. It allows users to change only four types of components—screen, battery, camera, and a combination of processor and memory—but not to add new kinds of components.
Google may have an easier time convincing buyers to try a modular device if they aren’t yet accustomed to trading in their smartphone every few years. Customers in poorer parts of the world represent the next huge wave of smartphone adopters, and by next year Google hopes to conduct a pilot test of Ara devices with a Wi-Fi module, basic processor and memory, battery, and screen. These are projected to cost $50 apiece to make (the retail price has yet to be determined). Google expects to conduct the test in a South or Central American country where cellular minutes are expensive but Wi-Fi hotspots are common.
For customers to embrace modular hardware, Google will need to convince hardware companies to build a sufficient variety of Ara modules to make the idea of a hardware ecosystem credible and satisfying. Without a proven market, that may prove difficult, but there’s evidence the concept is gaining traction. Some 3,328 registrants—from companies that make medical diagnostics and imaging sensors to those making displays and batteries—have signed up for the first Ara Developers Conference, scheduled for April 15 and 16 in Mountain View, California, says Eremenko.
Peter Semmelhack, founder and CEO of Bug Labs, a San Francisco–based developer of hardware and software modules, says outside hardware makers will be important. “You have to drive enough sales to the third parties” who make the hardware, he says. “They aren’t going to make an investment without that. But Google, being Google, might be able to break through that because of their size.”
Even before Google got into the game, some people were agitating for longer-lasting mobile devices. David Hakkens, a 25-year-old industrial designer based in the Netherlands, leads a community of enthusiasts who want the smartphone industry to change its ways and come up with common designs and interchangeable parts (see “Where Cell Phones Go to Die”). Hakkens and his comrades are actively championing Project Ara. “My main goal is I just want to have a modular phone—and I don’t care who makes it,” he says.
As modular hardware becomes more sophisticated, it could perhaps include custom manufactured components. Google has partnered with the manufacturer 3D Systems in Andover, Massachusetts, to develop high-speed-3-D-printed plastic cases. This customization will allow cases to be manufactured in a wide range of colors and designs chosen by consumers. As the technology advances, the plastic casings could include some electronic components such as printed antennas or batteries.
Intel wants to take the lead in 64-bit Android. This week, it offered some proof of how it’s doing that.
Intel said this week that it’s going 64-bit on 32-bit Android. Confused? Intel offered some clarification at its China developer conference this week.
Here’s the initial statement Intel released this week:
“Intel…released Android KitKat 4.4 with a 64-bit kernel optimized for [Intel Architecture]. With this release, the company ported, validated, and tested the Android Open Source code on IA, taking on the work that developers typically would need to do on their own. This release will provide the…64-bit kernel support for development of next-generation devices.”
Intel’s Doug Fisher, general manager, Software and Services Group, expounded on this during his presentation.
He began by saying that Intel is moving everything to 64-bit now. That means it’s moving all of its mobile silicon. More-traditional hardware like servers, desktops, and laptops have been 64-bit for years (servers since 2001, desktops since 2004).
But that’s just half the battle, because the software needs to be 64-bit too.
So, he went on to explain and demonstrate how a kernel — a core piece of the operating system — that’s 64-bit can begin to provide some of the benefits of a full 64-bit OS.
“So all of these devices that have 64-bit capability [in hardware] will now have a 64-bit kernel running on that. So, when you run Android, which is a 32-bit environment on top of that 64-bit kernel, you’re getting the advantages, even in a 32-bit environment, of the 64-bit kernel,” he said.
Needless to say, the application taking advantage of a 64-bit kernel and its libraries offered better performance.
“You can see the performance difference already,” he said.
Why all the fuss about 64-bit? Well, when Apple did its big 64-bit reveal at the last Worldwide Developers Conference, it shocked everyone, including heavyweights like Qualcomm. And, yes, Intel too.
Qualcomm, in short order, started making 64-bit chip announcements. It galvanized Intel too. The company finally moved the Windows 8.1 tablets to 64-bit this year and is now trying to set the pace for Android.
Tero Kuittinen, Forbes, 3/27/14
Tired and disgusted with free apps that try to hawk in-game purchases and ads to you at every turn? There is no escape; the entire app market is going freemium. The reason for the rapid transition is spelled out by App Annie’s new survey. It claims that revenue from paid apps dropped by a drastic 29% in 2013 from the previous year. Over the same one-year period, freemium app revenue growth topped 210%. This explains the speed with which the entire mobile content industry has migrated to the freemium model. The app revenue information covers both Apple’s iOS ecosystem and the Google Play content empire.
The portion of the entire global app revenue generated by paid apps tumbled from 8% in 2012 to merely 4% in 2013. App Annie believes that in-app advertising is going to grab a growing piece of revenue generated by freemium apps in coming years, rising as high as 60% in the USA, Europe and Brazil by 2017. An interesting exception is the largest app market in the world: in Japan, ad revenue may remain at around 40% of in-app sales. This can probably be attributed to the free-wheeling spending of Japanese consumers on in-app purchases, a trend that turned the country into the world’s most lucrative app market at the end of 2013.
Of course, there are always exceptions to the rule, and in the mobile app market, Swedish powerhouse developer Mojang has demonstrated that it is still possible to generate massive revenue with a premium-priced app. The cult hit world-building game “Minecraft” has turned into an evergreen mainstream cash machine despite its $7 price tag, clinging to Top 20 status on the US iPhone revenue chart over the past year. But at the moment, “Minecraft” and “Grindr” are the only paid apps in the US iPhone Top 80 revenue chart; all other items are free downloads.