Saturday, August 20, 2011

Linus Torvalds on Android, the Linux fork

During his question and answer session at the Linux Foundation’s LinuxCon, Linus Torvalds, founder of Linux, revealed that while mainstream Linux and its popular smartphone and tablet son Google’s Android still aren’t as close as they should be, they’re slowly—ever so slowly—coming back together.
Over the last several years, some people have been seeing Android as not being Linux at all. Google didn’t help matters at all when in the fall of 2010, “Google engineer Patrick Brady stated unambiguously that Android is not Linux” That was never true. Android has always been Linux.
What’s also true though is that Google took Android in its own direction, a direction that wasn’t compatible with the mainstream Linux kernel. As Greg Kroah-Hartman, head of the Linux Driver Project and a Novell engineer, wrote in Android and the Linux kernel community, “The Android kernel code is more than just the few weird drivers that were in the drivers/staging/androidsubdirectory in the kernel. In order to get a working Android system, you need the new lock type they have created, as well as hooks in the core system for their security model. In order to write a driver for hardware to work on Android, you need to properly integrate into this new lock, as well as sometimes the bizarre security model. Oh, and then there’s the totally-different framebuffer driver infrastructure as well.” As you might imagine, that hasn’t gone over well in Android circles.
This disagreement sprang from several sources. One was that Google’s Android developers had taken their own way to address power issues with WakeLocks. The other cause, as Google open source engineering manager Chris DiBona essentially said, was that Android’s programmers were so busy working on Android device specifics that they had done a poor job of co-coordinating with the Linux kernel developers.
The upshot was that developer circles have had a lot of heated words over what’s the right way of handling Android specific code in Linux. Linus Torvalds dropped the Android drivers from the main Linux kernel in late 2009. This doesn’t mean that Android isn’t, but it has become something of a Linux fork.
That doesn’t, however, as some recent reports had it that Android and Linux are somehow in a fight with each other. Or, even, as one claim had it in March 2011, that Android was somehow in danger of being sued by Linux because of  Gnu General Public License, version 2 (GPLv2)violations. As Linus himself said at the time, claims that the Android violated the GPL were “totally bogus. We’ve always made it very clear that the kernel system call interfaces do not in any way result in a derived work as per the GPL, and the kernel details are exported through the kernel headers to all the normal glibc interfaces too.”
Still, it seemed as if Android and Linux were moving more on parallel paths than together, and that is indeed the case. At LinuxCon, Torvalds explained, that “there’s still a lot of merger to be done. … but that eventually Android and Linux would come back to a common kernel, but it will probably not be for four to five years.”
Kroah-Hartman added that one problem is that “Google’s Android team is very small and over-subscribed to so they’re resource restrained It would be cheaper in the long run for them to work with us.” Torvalds added that “I’m not at all afraid of forks… even when forks happen there are all these points of pain where two groups have had different issues, it just takes a while for people to join back, but the joining will happen. We’re just going different directions for a while, but in the long run the sides will come together so I’m not worried.”
Kroah-Hartman,pointed out that for years Google’s in-house Linux that it uses for servers, was a fork of the Linux 2.4 for many years. Torvalds explained that Google did this because they had made so many performance tweaks to improve it for Google’s search engine. He also added that many other companies tweak Linux for their particular uses. Fortunately, thanks to the GPLv2, all the significant changes come back to the mainstream kernel.
So, for the next few years, Android, while still a Linux, is indeed a Linux fork. In the long run, though, Torvalds is sure that Android will return to the mainstream Linux kernel. For better or worse though that may not be until 2016. Fortunately, for all end-users and almost all Android developers none of this will make any real world difference.

Enhanced by Zemanta

Thursday, August 11, 2011

Near Field Communication (NFC)

Near Field Communication: A Quick Guide to the Future of Mobile

NFC Transmit ImageBefore it became a hot topic sometime early last year, few civilians had come across the term “near field communication” (NFC). Corporations, however, had been excited about the technology’s potential since at least 2004 — when Nokia, Sony and Royal Philips Electronics founded the NFC Forum. Samsung, Motorola, Microsoft and more than 140 other organizations all joined the party shortly after.
NFC allows a device, usually a mobile phone, to collect data from another device or NFC tag at close range. In many ways, it’s like a contactless payment card that is integrated into a phone. In other ways, it’s similar to Bluetooth, except that instead of programming two devices to work together, they can simply touch to establish a connection.
So why are some of the world’s most influential companies so excited about it? We’ve compiled notes on what NFC is, why its useful and how it’s starting to permeate the product world.

How Does NFC Work?

NFC devices share a core technology with RFID tags, contactless payment cards and inductive-coupling. In the words of the NFC Forum, “loosely coupled inductive circuits share power and data over a distance of a few centimeters.”
According to the Forum, NFC can operate in three modes:
  • Reader/writer mode: A reader/writer can collect and write information on a smart tag. “The tag is essentially an integrated circuit containing data, connected to an antenna,” explains a white paper from NFC-developer Innovision.
  • Peer-to-peer mode: Two NFC devices can exchange data between each other.
  • Card emulation mode: An NFC device appears to a reader like a contactless payment card or contactless transportation card.

What Can NFC Be Used For?

Personal Rosetta Stone Image

  • Transportation: NFC works with most contactless smart cards and readers, meaning it can easily be integrated into the public transit payment systems in cities that already use a smart card swipe.
  • Ease of Use: Unlike Bluetooth, NFC-enabled devices don’t have to be set up to work with each other. They can be connected with a tap. If NFC-enabled phones become prevalent, you’ll likely be able to initiate a two-player game by touching two phones together. You’ll be able to link a headset to your phone or print a photo just by touching your device to a printer.
  • Smart Objects: NFC can have similar applications as bar codes do now. You can put one on a poster and let pedestrians scan it on their phones for more information. But being able to add more information to any object by integrating a tag has led to some interesting applications that go far beyond billboards. A company called Objecs, for instance, sells an NFC tablet for gravestones. Touching an NFC-enabled phone to the Personal Rosetta Stone provides additional information about the deceased.
  • Social Media: Before Foursquare took off, a German company called Servtag was working toward a similar concept for NFC-enabled phones called Friendticker. The company applied more than 250 NFC-tag stickers at various locations in Berlin that users would swipe their phones past in order to alert their friends that they were “checked in” at that location.
While Foursquare may have stolen the thunder for location-based networking, there are still plenty of social media applications for NFC in the works. In 2009, a German university (Technische Universit√§t M√ľnchen) submitted a prototype to the NFC Forum competition that integrated with Facebook. The application,NFriendConnector, allowed people who met in a physical space to exchange profile data through their phones. Their respective statuses would automatically be updated (for example, “I just met so and so”), and they could choose to include their location (“I just met so and so at this bar”). Instead of stalking a new acquaintance’s profile after a night out, this application provides an option to run a matching method based on variables the user provides (such as interest, dislikes and hobbies) while still chatting with them in the bar.

What’s The Fuss About Mobile Payments?

In the news, NFC is most often discussed in relation to mobile payments or “the digital wallet.” Unlike many other wireless technologies, NFC has a short range of about 1.5 inches. This makes it a good choice for secure transactions, such as contactless credit card payments.
Credit card companies, mobile network providers and startups are all gunning for the opportunity to facilitate digital transactions when NFC-enabled phones become widely available.

What Major Players Are Interested in NFC?


  • Google: In May, Google revealed a contactless payment system called Google Wallet. Citi, MasterCard, Sprint and First Data partnered on the effort to make an app that enables mobile payments and loyalty cards using NFC. At first, it will support Citi MasterCard and a Google prepaid card and be compatible with the Nexus S 4G.
  • Amazon: Amazon is also exploring an NFC-enabled mobile payment system.
  • Apple: One of the most popular Apple rumors of late is that the iPhone 5 will be NFC-enabled. The same rumor turned out to be false regarding the iPad 2.
  • Microsoft: Not one to be left out of a party, Microsoft is also rumored to be planning NFC capabilities for its next phone releases.
  • PayPal: The company has partnered with Bling Nation, a Palo Alto startup that has been installing contactless payment terminals at local merchants since 2008. When users attached an NFC-enabled sticker to their phone, they could swipe to make payments and receive rewards. Previously, Bling Nation users were paying from accounts at partner banks. Since last summer, they’ve also had the option to pay using their PayPal accounts.
  • Credit card companies: Contactless payment stations that use cards can easily accept payments that use NFC as well. Thus, pretty much every major credit card company that has started the process of distributing payment stations to provide tap-and-go payments using cards is also interested in NFC-enabled payments.
  • Mobile phone providers: Verizon, AT&T and T-Mobile partnered to launch an NFC contactless payment network called Isis last year. Initially, it was partnered with just Discover. Since then, Visa, MasterCard and American Express have signed on.

Enhanced by Zemanta

Monday, August 8, 2011

Vulnerability Found In Android That Allows For Phishing Scams and Pop-up Ads

You hated them on your PC and now those annoying pop-up ads and phishing attempts could find their way into an Android device near you. This year at Defcon 19 (a hacking conference held every year in Las Vegas) a couple of researchers managed to find a vulnerability in Android that could allow for apps in the Android Market to steal a users data via phishing or by be used by advertisers to bring the most annoying idea of the 21st century, pop-up ads.
Apparently, it’s possible for someone to create an app that will display a fake bank app log-in page while the user is using a legitimate banking app. Currently, apps that want to communicate with a user while a different apps is being used can only push an alert to the notification bar. But in the Android Software Development Kit (SDK) there is an application programming interface that allows for an app to be pushed into the foreground while another is being used.
The guys over at Trustwave have named this issue as Focus Stealing Vulnerability. Sean Schulte, an SSL developer at Trustwave explained how, “Android allows you to override the standard for (hitting) the back buttons.” Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave further explained that, “Because of that, the app is able to steal the focus and you’re not able to hit the back button to exit out.”
To further expose this issue, the researchers even created a proof-of-concept tool that is a game but also triggers fake displays for Facebook, Amazon, Google Voice and Gmail. They demoed the tool by showing a user opening up a legitimate app and then almost instantaneously, a “fake” login screen for Facebook appears. Percoco further explains, “With this design flaw, game or app developers can create targeted pop-up ads. The ads could be merely annoying, like most pop-ups are, but they could also be targeted to pop up an ad when a competitor’s app is being used.”
If you think you could avoid these apps by simply reading over the permissions page for a particular app, you would be mistaken. This kind of pop-up functionality is found in many legitimate apps and is known as an Activity Service.
Google has addressed this issue by stating the following,
“Switching between applications is a desired capability used by many applications to encourage rich interaction between applications. We haven’t seen any apps maliciously using this technique on Android Market and we will remove any apps that do.”
Nicholos Percoco responded by saying,
“Application switching is not the issue. The real issue is ability for other apps to identify which app is in the foreground and then decide to jump in front of that running app without the user giving it permission to do so. We also don’t see how they could determine the difference between a malicious app or a legitimate one since they would both look almost identical until a user reports it to them as malicious. The ‘wait until an app is reported bad before removing’ stance is dangerous and will likely prove out to be a fruitless effort as attackers could post apps much faster than Google could identify and remove them from the Market.”
I will now turn this to our readers. How does the potential of pop-up ads and phishing scams coming out of the Android Market sound to you? I’m not so sure Google’s statement is enough peace for me. Do you feel like Google needs to do more to address and further prevent this exposed Android “design flaw?”

Enhanced by Zemanta

Android App Turns Smartphones Into Mobile Hacking Machines

Dangerous hacks come in small packages.
Or they will, perhaps, when an app called Anti, or Android Network Toolkit, hits the Android market next week. The program, which Israeli security firm Zimperium revealed at the Defcon hacker conference in Las Vegas Friday and plans to make available to Android users in coming days, is designed for penetration testing–in theory, searching out and demonstrating vulnerabilities in computer systems so that they can be patched. Anti aims to bring all the hacking tools available to penetration testers on PCs to smartphones, with an automated interface intended to make sniffing local networks and owning remote servers as simple as pushing a few buttons.
“We wanted to create a penetration testing tool for the masses, says Itzhak “Zuk” Avraham, founder of Tel-Aviv-based Zimperium. “It’s about being able to do what advanced hackers do with a really good implementation. In your pocket.”
Anti, a free app with a $10 corporate upgrade, will offer a wi-fi-scanning tool for finding open networks and showing all potential target devices on those networks, as well as traceroute software that can reveal the IP addresses of faraway servers. When a target is identified, the app offers up a simple menu with commands like “Man-In-The-Middle” to eavesdrop on local devices, or even “Attack”; The app is designed to run exploits collected in platforms like Metasploit or ExploitDB, using vulnerabilities in out-of-date software to compromise targets.

A screenshot from Anti displaying target machines on the local network. (Click to enlarge.)
For now, the demonstration app Avraham showed me was equipped with only a few exploits: One aimed at a bug in Windows–the same flaw exploited by the Conficker worm in 2009–another targeting default SSH passwords in jailbroken iPhones, and a third exploiting a vulnerable, older version of Android. Zimperium has also built a Windows trojan that allows Anti to perform automated commands on hijacked machines like taking a screenshot, ejecting a CD, or opening the calculator, a common penetration-testing demonstration.
Even in its current form, the app raises the possibility of dangerous, stealthy attacks. A hacker could, for instance, walk into a coffee shop or a corporate office with his phone and start sussing out machines for data theft or malware infection. But Avraham says Zimperium will ask users in its terms of service to limit their hacking to “white hat” penetration testing.

Another screenshot showing command options on a target machine, including "man-in-the-middle" and "attack." (Click to enlarge.)
“Hacking is not for the chosen few,” reads one description in the app’s documentation, formatted in Star Wars-style scrolling text. “Anti is your perfect mobile companion, doing it all for you. Please remember, with great power comes great responsibility. Use it wisely.”
Penetration testers who saw the app at Defcon were impressed. “It’s just sick,” says Don Bailey, a researcher with security firm iSec Partners. “The way it populates the screen with vulnerable targets…it’s really elegant.”
Another professional penetration tester for a defense contractor firm who asked that his name not be used called the app a “quick and dirty Swiss army knife for mobile pen testing.” “It’s so polished it’s almost like playing a video game,” he says, comparing it to penetration testing suites that cost thousands of dollars.
With its sheer simplicity, Anti’s impact could be comparable to that of Firesheep, a proof-of-concept tool released in October of last year that allowed anyone to easily snoop on devices on unsecured wi-fi networks that connected to unencrypted web pages. That tool was downloaded more than 1.7 million times, and no doubt used in some instances to spy on web users unawares. But it also helped inspire both Twitter and Facebook to encrypt traffic to their site and prevent such eavesdropping.
“People might use it in dangerous ways,” Avraham says with a shrug. “I really hope not. But I know this might be the risk to help people increase their security, and that’s our goal.”

Enhanced by Zemanta