Huge number of Android devices vulnerable to new catastrophic Wi-Fi attack

The Next Web, 10/16/17

Earlier today, reports emerged that the popular WPA2 Wi-Fi encryption protocol was fundamentally flawed, and could allow an attacker to intercept and read traffic sent across a wireless network. Now, details are emerging about the scale and severity of the problem.

The attack – known as a key retransmission attack (or KRACK) – sees a malicious actor trick a victim into using a compromised encryption key. Troublingly, Linux and Android-based users are most at risk. According to Matty Vanhoef, who uncovered the issue, 41 percent of Android devices vulnerable to an “exceptionally devastating” variant of the WPA2 attack, which makes it “exceptionally trivial” to manipulate and intercept traffic.

That said, it’s worth noting that the researcher stressses that the issue isn’t with the implementation of the WPA2 protocol, but rather the protocol itself. In the blog post describing the issue, Vanhoef said “if your device supports Wi-Fi, it is most likely affected.”

Showing the breadth of the issue, Vanhoef named names, saying “During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”

And ultimately, people tend to be bad at patching things. Even in 2017, it’s not uncommon to hear echoes of servers still connected to the Internet that are vulnerable to Heartbleed and Shellshock.

It’s also often the case that users aren’t presented the option to patch their devices. Android users are most at risk of this vulnerability. And yet, the Android landscape is notorious for its fractured nature, with manufacturers issuing software updates and security patches at an excruciatingly slow pace. That is, if they bother at all.

Share
Posted on October 16, 2017 at 6:21 pm by lesliemanzara · Permalink · Leave a comment
In: Android, Mobile Technology

Microsoft’s Edge browser now has iOS, Android versions

, ArsTechnica, 105/17

The Arrow Launcher on Android has been renamed and promoted from the Garage.

In a bid to improve cross-device user experience, Microsoft today released betas of its Edge browser for iOS and Android. The browsers have been developed to address a gap in the current Edge experience: with Windows Mobile all but unused, using Edge is a strictly PC-only experience. There’s no easy way to, for example, switch from reading a site on your PC to reading it on your phone or vice versa. The new mobile versions of Edge fill that gap and provide that cross-device experience.

As is often the case with mobile browsers, the new browsers are Edge in name only. They provide a user interface that looks quite Edge-like, and they sync with your Microsoft Account, but they don’t use the Edge rendering engine from the PC. On iOS, the browser wraps the WebKit browser engine from Safari. This is essentially unavoidable on that platform, as Apple’s rules preclude the development of third-party browser engines. On Android, where the rules do permit the development of third-party engines, Edge is built on top of Chromium, the open source counterpart to Google’s Chrome.

Currently, syncing is limited to favorites and items on the reading list. Synced tabs and browser history are being worked on, but those will take longer to arrive.

On Android, Microsoft is rebranding the Arrow app launcher as the Microsoft Launcher.  Arrow started life as an experimental project produced in the Microsoft Garage, a kind of incubator for new apps. With the rebranding, it’s graduating to become a bigger, better-supported piece of software. The big Launcher features Microsoft is promoting are the ability to pin contacts to your home screen and a slick at-a-glance view of appointments, recently used documents, news, and frequently used apps.

As with Edge, the important part of the Launcher is the cross-device experience. Documents and photos have a “continue on PC” option that will open them up on a computer, making it easier to start working on the phone and then resume on a computer.

Both Edge’s syncing and Launcher’s “continue on PC” depend on having the forthcoming Windows 10 Fall Creators Update installed. The Settings app in the new Windows version has a new section that allows Windows to be paired with iOS and Android phones. Microsoft is planning much richer capabilities for moving between devices and bringing the things you’re doing—whether it be the e-mail you started writing or the webpage you’re reading—to the device you’re using. While the full array of abilities was initially spoken of as a feature of the Fall Creators Update, the more complex scenarios have been delayed until a later release. What we have today with Edge and Launcher, and in a couple of weeks with the release of the Fall Creators Update, is just the first step.

Launcher and Edge for Android are both available in the Google Play Store. The Edge for iOS beta uses Apple’s Testflight beta system; this means that numbers are limited, but you can sign up here.

Share
Posted on October 5, 2017 at 11:37 am by lesliemanzara · Permalink · Leave a comment
In: Android, iOS, Mobile Technology

iOS 11 is here with improved multitasking and AR

Steve Dent, Engadget, 9/22/17

It’s update (and backup) time.

With multitasking, ARKit and more AI smarts, iOS 11 is one of Apple’s biggest iOS updates yet. It just started rolling out around the world, so don’t be surprised to see a message on your iPhone or iPad soon. If you’ve been procrastinating, now would be a good time to backup your photos, videos and other precious data — in the past, iOS updates have been buggy, gone less than smoothly and eaten up precious storage.

Warnings aside, you’re probably going to like it, especially if you have an iPad Pro and use it to do work. iOS 11’s marquee feature is better multitasking, with a macOS-style dock on the bottom of your screen that lets you seamlessly switch between apps or run two side-by-side. That will particularly handy for, say, programmers or graphics professionals.

Apple is also keying in on AI with iOS 11, with a better, more natural-sounding version of Siri and Core ML machine learning for developers. It will also usher in the age of augmented reality on iPhones with ARKit. Though that app is mostly just useful for developers, you’ll soon get games and apps that use the tech, and what we’ve seen so far looks promising.

Another feature that takes advantage of the new smarts and sensors is animated emojis — it basically maps your face in real time and transfers your expressions to the characters. That only works on the iPhone X, however, since it requires the dedicated front-facing depth sensor.

There’s a lot more, including things like screenshots during Facetime calls, a “do not disturb” setting for driving and a blue banner that shows when apps track your location (for more see our preview). Now, back to the nagging. Remember that the install could take a while, so be sure you’re not expecting a job interview callback when doing it. And things do go wrong — Apple has released many a buggy iOS update in the past — so make sure everything you value is saved.

Share
Posted on September 22, 2017 at 3:42 pm by lesliemanzara · Permalink · Leave a comment
In: iOS, Mobile Technology

US carriers partner on a better mobile authentication system

Steve Dent, Engadget, 9/22/17

Two-factor authentication (2FA) via SMS and a smartphone provides a heavy dose of additional security for your data, but as the US government declared last year, it’s not without its flaws. To fix that, the big four US mobile operators, Sprint, T-Mobile, Verizon and AT&T have formed a coalition called the Mobile Authentication Taskforce to come up with a new system. Working with app developers and others, they’ll explore the use of SIM card recognition, network-based authentication, geo-location, and other carrier-specific capabilities.

The idea is to marry current 2FA with systems that “reduce mobile identity risks by analyzing data and activity patterns on a mobile network to predict, with a high degree of certainty, whether the user is who they say they are,” according to the news release.

The problem with SMS authentication is that skilled hackers have successfully hijacked SMS codes in the past, often simply by contacting the carrier and impersonating the victim. It also falls apart if thieves grab your smartphone along with your PC, gain access to your phone via malware, or just steal a glance at a 2FA message on your lockscreen.

Through strong collaboration, the taskforce announced today has the potential to create impactful benefits for US customers by helping to decrease fraud and identity theft, and increase trust in online transactions.

The system will be an open one that can work the four carriers and others. “We will be working closely with the taskforce to ensure this solution is aligned and interoperable with solutions deployed by operators,” said Alex Sinclair, CTO of mobile industry group GSMA.

The goal to improve 2FA security sounds like a noble one, but Congress, at the urging of carriers and ISPs, recently eliminated certain customer privacy protection rules. As such, consumer protection groups might have concerns about 2FA systems that could be used by operators to track customers, for example.

The new system is supposed to arrive for “enterprises and customers in 2018,” the group says. In the meantime, if you’re still not using two-factor authentication (SMS or otherwise), you really, really should be.

Share
Posted on September 22, 2017 at 3:38 pm by lesliemanzara · Permalink · Leave a comment
In: Mobile Technology · Tagged with: , , , ,

Google rushes to curb Oreo’s massive appetite for your 4G mobile data

Shaun Nichols, The Register, 9/7/17

The latest version of Android, version 8.0 aka Oreo, contains an unfortunate bug that causes phones to burn through their monthly mobile data allowances.

Since installing the operating system update, folks’ devices have been forgoing Wi-Fi connections and using wireless broadband for all data transfers. This, as a result, has left many punters in danger of going over their monthly data limits or, if on an unlimited plan, having their speeds throttled for heavy use.

The Register understands from people familiar with the programming cockup that Google engineers are working on a fix for the issue.

According to posts to the Android reddit community, people have been able to get around the bug by turning off the “cellular data always active” setting under the developer option menu in Oreo’s network settings menu.

Still, peeps within the community are not pleased with the bug.

“This may be an unpopular opinion but I really wish Google would look over these updates more thoroughly. This is a huge issue, not sure how they missed this before releasing Oreo,” wrote one Redditor. “It’s like teachers telling you to proof read something before submitting it. Now a whole bunch of people have probably used up all their data and some more which comes with extra fees.”

“That might explain why I have 6gb of data usage 2/3 of the way through my cycle,” wrote another. “That’s pretty bad on Google’s part. They’re directly ruining people’s bills.”

Word of the bug comes just over the two week mark of Oreo’s general availability. Google released the new Android flavor to its Pixel and Note hardware lines, other device makers are set to push the upgrade out to their devices over the remainder of the year.

Among the new features Google touts for Android are improved power consumption and better management of Wi-Fi devices, two things that are more or less thwarted by a bug that makes handsets default to LTE data.

Google has not said when a fix for the issue could be released.

Share
Posted on September 7, 2017 at 5:45 pm by lesliemanzara · Permalink · Leave a comment
In: Android, Mobile Technology

Inside Android Oreo’s quest to protect your phone

Share
Posted on September 7, 2017 at 5:43 pm by lesliemanzara · Permalink · Leave a comment
In: Android, iOS, Mobile Technology

The first water-resistant BlackBerry will ditch the keyboard

Daniel Cooper, Engadget, 8/31/17

And it’s coming next month.

TCL, the Chinese conglomerate that produces phones under the BlackBerry name, is going to broaden its appeal to more than just keyboard devotees. The company has revealed to Engadget that it will launch a full touchscreen device under the BlackBerry name at some point in October. It may not be a Z10, or even a Storm (or Thunder), but if you were looking to get your mitts on a keyboard-free BlackBerry, it’s coming.

Granted, TCL’s DTEK 50 and 60 phones were also all-screen, but this is different. Details are, perhaps obviously, fairly scarce about the as-yet unannounced device, but we managed to glean tidbits from TCL’s François Mahieu. Mahieu explains that TCL will respect BlackBerry’s reputation for building hard-wearing devices for clumsy international travelers who will be working in all weathers. The main feature, beyond the full-touchscreen, is the (planned) IP67 water and dust-proofing, as well as a battery rated to last for more than 26 hours of mixed use. Mahieu believes that durability and longevity will be two of the biggest selling points, a long-lasting phone that’ll keep going long after your iPhone has conked out.

Mahieu feels bold enough to claim that he expects a number of iPhone and Galaxy users to “make the switch” to BlackBerry come October. Of course, these handsets now run Android, which means that it’s far harder to make it stand out from the crowd. Mahieu continues to believe that BlackBerry’s security know-how will enable TCL to deliver the “most secure Android phone in the world.” Although given the failure of so many ultra-secure Android devices to sell, his confidence seems — at least right now — misplaced.

But TCL is used to combating cynicism with people looking down their nose at BlackBerry in its new after-life as a white label brand. Mahieu said that users shouldn’t write off BlackBerry just because it doesn’t stand toe-to-toe against Apple and Samsung. “We are there to play,” he explained, “we’re just playing with different cards,” mostly by pushing its strengths of battery life, security and durability. As for pricing, it’s likely that the device will cost less than other flagships.

Of course, we’ve already seen a BlackBerry device with a large display unencumbered by a physical keyboard. The Priv hid its physical input device in its slider, and so could actually work as a phone for touchscreen devotees. And given how well that device sold — prompting BlackBerry to abandon producing hardware altogether — it’s going to be interesting to see how TCL can avoid history repeating.

TCL is banking on certified water and dust-resistance as a draw, and it’s not clear how many people were waiting for that as a reason to make the switch. But Mahieu is hinting that the company is “marching towards millions” of device sales, although it’s not clear how many models it needs to shift before it can be considered a success.

Share
Posted on August 31, 2017 at 3:09 pm by lesliemanzara · Permalink · Leave a comment
In: Android, Blackberry, Mobile Technology

How Android Oreo and iOS 11 features compare to each other

Karkssa Bell, Mashable, 8/31/17

There’s a good chance your phone will be receiving a major update in the near future.

Both Apple and Google are gearing up to launch the next versions of iOS and Android respectively. Google finally shipped Android Oreo (version 8.0) earlier this week, and Apple is putting the finishing touches on iOS 11 as we creep closer to iPhone launch in September.

Although neither update has rolled out to phones just yet, they’ve been in beta for months for developers to play with. Now that we’ve had enough time to test them test them, we’re ready to put the two head-to-head to see how some of the most important features stack up. So, here are some of the key features you need to know about.

Multitasking and productivity

In iOS 11, Apple is finally making the iPad a top priority, and it shows. With new split-screen and app-switching features, plus a vastly improved dock, moving between apps has never been easier.

IMAGE: APPLE

If, however, you’re using an iPhone, you won’t find many new productivity features. Sure, there’s a new Files app, some nifty markup tools, and nice improvements to stock apps like Notes and Mail, but you still can’t truly multitask on your phone the way you can on an iPad.

While Android Oreo doesn’t bring much to the table in terms of multitasking, it doesn’t really have to — because it added a split-screen multitasking for all devices last year with the Nougat update.

Picture-in-picture

Speaking of multitasking, Android Oreo opens up support for Picture-in-Picture to any app (previously the feature was limited to YouTube only for Android). Better yet, it works on phones as well as tablets.

Sure, Apple introduced picture-in-picture for iPads with iOS 9, but the feature still doesn’t exist on iPhones, and it still only works with newer iPads. (Even if you have a fourth gen iPad that was eligible for iOS 9, it doesn’t support PiP.)

Emoji 👀

If this were an older Android update, there wouldn’t be any question about which platform had the better emoji. But with Oreo, Google is finally, finally redesigning its hideous yellow blob emoji (though they’ll live on in at least once app).

A sampling of Android's redesigned emoji.
A sampling of Android’s redesigned emoji.

IMAGE: EMOJIPEDIA

Now, instead of the shapeless, indecipherable lumps, Android users will get actually get a set of emoji that look like they belong in this millennium. Not only that, but Android Oreo comes with 56 brand new characters.

Google is also taking steps to fix Android’s broken emoji problem, so you won’t have to worry about texting all those new emoji to friends who may be running an older version of Android (and, spoiler alert, there’s a good chance that they are).

All that said, Apple has also confirmed it will have a big emoji update coming later this year, as it will also be adopting the new Unicode 10.0 update. We don’t know exactly when, but the emoji update is likely to go live with iOS 11 in the fall.

Notifications

Both platforms are getting major updates to notifications, particularly Android. With Oreo, Google is adding a ton of new ways to customize and interact with notifications. For one, they’re borrowing a bit from iOS with new notification indicators on app icons and new 3D Touch-like gestures that let you peek at a notification by long pressing on an app.

Aside from that, there are also notification channels, which lets you control many of the same types of notifications all at once and custom background colors for notifications.

Apple also made a few other tweaks that will have a noticeable impact. Apple has removed its old “Notification Center” for good. Now, instead, when you swipe down from the top of the screen, it will bring up your lock screen, though you can still view your push notifications. While the whole interaction is a little awkward, it’s nice to be rid of the hideous Notification Center.

Keyboard and Autofill

Google is adding a much-needed autofill feature, which makes it easier to sign into apps without typing your full password. It’s another feature iOS has had for a few years, but anything that (securely!) makes passwords easier to manage is a win.

On the iOS side, Apple made a small but welcome improvement: the addition of one-handed keyboard layouts, so you can type with one hand without a mess of typos.

So while there are some major differences between the two updates (and yes, some people say we shouldn’t compare them in the first place), in a lot of ways, the two updates are fairly evenly matched. There’s also much more that’s uniques to each one, so be sure to check out our deep dives on Android Oreo and iOS 11.

Share
Posted on August 31, 2017 at 3:06 pm by lesliemanzara · Permalink · Leave a comment
In: Android, iOS, Mobile Technology

New Android malware that spreads via text can steal victims’ credit card details from other apps

, BusinessInsider, 8/18/17

It’s wise not to enter your credit card details into shady-looking apps and websites if you don’t want your details stolen.

But sometimes, not even the apps you know and trust are safe.

A piece of malware detailed in a blog post from security firm Kaspersky is able to quietly steal victims’ details when they enter them into apps, as well as spy on their texts and phone calls.

It’s called Fakedtoken, and has been evolving over the last year — growing increasingly sophisticated.

It began as a banking trojan that intercepted texts to steal two-factor authentication codes. Today, Kaspersky’s researchers say they suspect it spreads via bulk SMS text message to potential victims, asking them to download some pictures.

If they do — well, things don’t go well for them. Once installed it hides its icon and places a covert overlay over “several banking and miscellaneous applications, such as Android Pay, Google Play Store, and apps for paying for traffic tickets and booking flights, hotel rooms, ans taxis.”

If the victim then enters their card details into any of those apps, they fall into the hands of the malware’s unidentified operators — opening them up to the risk of fraud and identify theft.

The malware can even intercept SMS messages, meaning it can get around the two-factor authentication required by some banks to authorise payments and transfers.

The threat of Fakedtoken appears (for now) to be largely limited to Russian and ex-Soviet countries, the researchers wrote: “To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions. According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.”

(Kaspersky was alerted to the latest version “thanks to our colleagues from a large Russian bank.”)

But it is nonetheless an example of the crafty and evolving threats facing smartphone users trying to keep their data safe.

Security experts recommend that Android smartphone users should not install apps from third-party sources or download unknown files. By default, Android phones only allow users to install apps from the official Google Play Store.

Share
Posted on August 18, 2017 at 8:47 am by lesliemanzara · Permalink · Leave a comment
In: Android, Mobile Technology · Tagged with: ,

Android phones could follow Apple’s lead with new 3D facial recognition

Brett Williams, Mashable, 8/18/17

Android phones sometimes follow Apple’s lead when it comes to key functionality features, and the next generation of smartphones could be no different. Future Android devices are expected to mimic one of the upcoming iPhone 8‘s most anticipated new features: 3D facial scanning.

Qualcomm’s next generation of Snapdragon chips, which will be announced at the end of the year, will have greatly improved, new image signal processors (ISP) and will likely enable even better depth-sensing capabilities for smartphone cameras, according to a report from CNET.

That new processing power could potentially allow phones with the highest-tier Qualcomm chips — which in the current generation of devices include the flagships from OnePlus, Samsung, and HTC — to offer the same 3D facial sensing feature expected to replace Touch ID in the iPhone 8 as its go-to biometric security feature.

The new 3D scanning capability will ostensibly change the way we interact with our phones yet again, like when the iPhone 5S introduced Touch ID in 2013 and other phonemakers adopted it to follow suit. So Android devices will probably want to adopt the tech as soon as possible to stay competitive.

The new Qualcomm chipset will reportedly use infrared light sensors, which would likely be attached to a smartphone’s camera module, to “measure depth and render high-resolution depth maps for facial recognition, 3D reconstruction of objects and mapping.” Biometric security features would be one of the most obvious uses for the functionality, although it could also be harnessed for other things, like VR.

The chips could also help to improve Android cameras, which for many, specifically ex-Google SVP of Social Vic Gundotra, lag behind Apple’s latest dual lens setup in the iPhone 7 Plus.

The iPhone 8’s 3D facial sensors (and everything else about the phone) haven’t been confirmed yet, so it might be premature to call the feature the future of smartphone security. The rumor mill is strong however, and Qualcomm is ready to stake its own claim in the functionality — so you shouldn’t be surprised if we’re all unlocking our new phones with our faces by this time next year.

Share
Posted on August 18, 2017 at 8:42 am by lesliemanzara · Permalink · Leave a comment
In: Android, iOS, Mobile Technology