Clandestine Photo Snapping and Other Recently Discovered Android Vulnerabilities You Must Know

By West Midlands Police from West Midlands, United Kingdom [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

Android does not have the reputation of being the most secure operating system for mobile devices. It has been through a number of security-related issues in the past. Android vulnerabilities continue to exist and can be exploited by those with enough technical skill. Users of Android smartphones need to be aware of these flaws, especially the recently discovered ones, so they can take steps to avoid problems.

Spy Camera

By Everaldo Coelho and YellowIcon [LGPL (http://www.gnu.org/licenses/lgpl.html)], via Wikimedia Commons

Computer scientist and blogger Szymon Sidor, in one of his posts, exposed the possibility of covert data collection and photo snapping by writing an application designed to take over the cameras of Android devices without the owner’s knowledge. The snaps taken by the app can then be silently uploaded to a server.

The Android operating system requires all applications that make use of the camera to show an on-screen preview of what the camera is capturing. As a security measure, all photo-taking activity should be visible on the screen, and the phone’s display should also be turned on. However, Android does not require a specific minimum size for the preview. As such, it is possible to “show” a microscopic preview that is essentially invisible.

Sidor first attempted to make the preview invisible, but that failed. Making the preview transparent failed as well. The third option he tried was to cover the preview with another image, but this was judged to be a pretty useless approach. Finally, he shrank the preview to a microscopic 1×1 pixel, and the Android OS allowed it.

Technically, Sidor’s espionage-enabling application met Google’s requirements for a camera-using app. Hence, his application would have easily made it through the Google Play Store. Google would still require him to disclose that his app accesses a device’s camera, but since nobody pays critical attention to this, the app would have become a successful spying tool.

The solution to this loophole is pretty simple. Google only needs to make Android require camera-using apps to show visible and conspicuous previews. The preview does not have to occupy the entire screen. It only needs to be big enough for users to know that an app is doing something with their device’s cameras, so they can act on it.

Vulnerable Outlook for Android

By Microsoft [Public domain], via Wikimedia Commons

Include Security researchers discovered a vulnerability in Outlook for Android that can enable access to private messages. To emphasize, this is not a problem with Outlook itself but with a free application that enables access to Outlook. The researchers found that the application’s on-device email storage does not secure messages and attachments. The messages are stored on the SD card without any encryption. This means that any app with permission to access the SD card can read the contents of the email, including attachments. Rooting would not even be required. Malware developers can come up with apps that would use the ADB shell or another application to locate and extract attachments.

Device owners can protect themselves from this vulnerability by disabling USB debugging and ensuring that full encryption is enabled on the Android and SD card file systems. It is also possible to modify the download directory for email attachments.

Security Flaws in Messaging Apps

By Suchadaaloha (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

Computer researchers from the University of New Haven revealed security flaws in Viber and WhatsApp, two of the most popular apps on Android. Viber was found to be transmitting unencrypted data to Viber’s servers. The data is also stored on the servers in the same unprotected state. In the case of WhatsApp, multiple vulnerabilities were discovered. First, the application makes use of non-secret information to come up with supposedly secret encryption keys. Another issue is the two-time use of a one-time pad, which, as the name implies, should only be used once. Additionally, WhatsApp was found to be “calling out” to Google Maps without using a secure (https) channel whenever users shared their location. This “calling out” makes it easy for attackers to pinpoint someone’s location by sniffing network traffic between a device and Google’s servers.
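Why the two-time use of a one-time pad is a flaw, as an added example (not code from the original article or from WhatsApp): XORing two ciphertexts made with the same pad cancels the pad, while a fresh pad per message leaves only random bytes. The messages are constructed, and `OneTimePad` is a hypothetical helper that refuses a second use by default.

```python
import secrets

# Constructed sample messages (not real traffic), both the same length.
MSG_1 = b"Meeting moved to 3pm at the office"
MSG_2 = b"My new PIN for the card is 4921..."

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Hypothetical helper: a random pad that refuses to be used twice."""
    def __init__(self, length: int):
        self._pad = secrets.token_bytes(length)
        self._used = False

    def encrypt(self, message: bytes, allow_reuse: bool = False) -> bytes:
        if len(message) > len(self._pad):
            raise ValueError("pad is shorter than the message")
        if self._used and not allow_reuse:
            raise RuntimeError("pad already used; generate a fresh one")
        self._used = True
        return xor(message, self._pad)

def leak_from_ciphertexts(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """What the ciphertexts alone reveal about message 2 to someone who knows message 1."""
    return xor(xor(c1, c2), known_p1)

def reused_pad_leak() -> bytes:
    """Flawed pattern: one pad encrypts two messages, so the pad cancels out."""
    pad = OneTimePad(len(MSG_1))
    c1 = pad.encrypt(MSG_1)
    c2 = pad.encrypt(MSG_2, allow_reuse=True)  # the two-time use
    return leak_from_ciphertexts(c1, c2, MSG_1)

def fresh_pad_leak() -> bytes:
    """Correct pattern: a new pad per message leaves only random bytes."""
    c1 = OneTimePad(len(MSG_1)).encrypt(MSG_1)
    c2 = OneTimePad(len(MSG_2)).encrypt(MSG_2)
    return leak_from_ciphertexts(c1, c2, MSG_1)

def second_use_is_refused() -> bool:
    pad = OneTimePad(len(MSG_1))
    pad.encrypt(MSG_1)
    try:
        pad.encrypt(MSG_2)
    except RuntimeError:
        return True
    return False
```

With the reused pad the function returns the second message in full; with fresh pads it returns bytes unrelated to either message.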

Android has the advantage of being an open and free system. Hopefully, this advantage makes it easier for the security flaws or threats to get patched up as soon as possible. It may not be possible to completely get rid of security threats but there’s always something that can be done.