Friday, March 11, 2011

Android .apk reengineering tool


It is a tool for reengineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of its project-like file structure and automation of repetitive tasks such as building the apk.

Find more at http://code.google.com/p/android-apktool/

Tuesday, March 8, 2011

Malware in Android Market

Every day, we see more reports about malware in the Android Market. This time three developers known as MYOURNET, Kingmall2010, and we20090202, possibly the same person, were offering a number of Android apps for free download.

Many, if not all of the apps, were trojanized copies of legitimate apps from other developers.

I downloaded one app in particular called Super Guitar Solo. Upon reviewing the app, it was found to contain the popular “rage against the cage” root exploit commonly used to “root” Android phones and gain superuser privileges. As any Linux guru will tell you, once you have superuser rights, you have full, administrator level access to the phone’s operating system. In this case the exploit is launched without the owner’s consent.

So what is the purpose of this Trojan? The application will attempt to gather product ID, device type, language, country, and userID among other things, and then upload them to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium rate SMS messages.

This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format.

UPDATE: Google has now removed the malicious apps and the corresponding download page from the Android Market.


An Update on Android Market Security


Google has acknowledged that it removed “a number” of malicious applications from the Android Market on March 1, and it has now reached out over the airwaves to remove the apps from end users’ devices as well.

Last week, reports indicated that more than 50 Android apps had been loaded with info-pilfering software known as DroidDream. Google immediately responded by pulling the apps from the Market, but the company remained silent on the matter until tossing up a blog post on Saturday evening.

According to Google, the malware exploited known vulnerabilities that had been patched in Android versions 2.2.2 and higher. Google “believes” the attacker or attackers was only able to gather device-specific information, including unique used to identify mobile devices and the version of Android running on the device. But the company added that attackers could have accessed other data.

In addition to removing the apps from the Android Market, Google suspended the accounts of the developers involved and contacted law enforcement about the attack, and as it did on one previous occasion, the company used the “kill switch” that lets it remotely remove mobile apps that have already been installed by end users.

So Google does have a kill switch for software already installed on end user devices, some may complain – but honestly it’s only responsible to have such a thing (Apple has one for iOS of course).

And it’s all well and good saying it only affects phones with Android versions lower than 2.2.2…but sadly that is still the majority of phones. Only the phones directly pushed out by Google get the most recent version of Android, all the other (HTC, Samsung, Motorola etc.) models out there still have older (vulnerable) versions.


Google maintains a persistent connection to Android phones that lets the company not only remotely remove applications from devices but remotely install them as well. The remote install tool is used when Android owners purchase apps via the new web incarnation of the Android Market. The Android Market Web Store lets you browse and purchase applications via a browser, as opposed to the Android client loaded on handsets.

Apple maintains its own “kill switch” for the iPhone. In 2008, an iPhone hacker told the world that Apple had added an app kill switch to the iPhone, and Steve Jobs later confirmed its existence. “Hopefully, we never have to pull that lever,” Jobs said, “but we would be irresponsible not to have a lever like that to pull.”

On Saturday, Google also said that it is pushing a security update to all Android devices affected by the malware in question. If your device was affected, the company said, you will receive an email from android-market-support@google.com, and you’ll get a notification on your phone that a package called “Android Market Security Tool March 2011” has been installed. You may also receive a notification that the offending apps have been removed.

The company is taking additional measures to stop such attacks in the future, but it did not provide specifics. “We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues,” the blog post read.

Google will also be pushing out a security update to all Android handsets that were affected. If you’re an Android user, you’ll see a package called “Android Market Security Tool March 2011” installed, which combats the malware.

Apparently it was quite easy to foil the malware if you were handy on the command line: all you needed to do was create a file at /system/bin/profile/ using the terminal and the touch command, then chmod 644, and you’re done.

Source: The Register


Thursday, March 3, 2011

Android vs. Apple: The 2011 cage match


Throughout 2010 there were escalating tensions between Google Android and Apple iOS, as the two platforms emerged as the rising superpowers in the mobile world. But, if you thought things were heated between them last year, then as the saying goes, you ain’t seen nothing yet. These two ecosystems are on course for a massive collision in 2011 and the stakes are about to get a lot higher.

The arrival of the iPhone on Verizon is a major incursion into what had previously become Android territory. Android 3.0 “Honeycomb” (the tablet OS) is about to unleash an army of Android tablets in a full frontal assault on the iPad. There is going to be blood, but as my colleague Larry Dignan notes, the carnage is likely going to have a greater impact on the other competitors in the mobile market more than on Apple and Google themselves.

To help evaluate the race between Android and iOS in 2011, I’d like to approach it from the perspective of where the two platforms are vulnerable. That will help give us an idea of where they might go after each other and where upstarts may try to challenge them.

Weak spots for iOS

For the iPhone and iPad the number one draw is ease of use. Your toddler and your grandmother (the one who is intimidated by computers) can both pick up one of these devices and figure out how to use it. As Jerry Pournelle says, with Apple products “everything is either very simple or it’s utterly impossible.” The utterly impossible side is where we find Apple’s first weak spot.

1. Software inflexibility: There is very little tweaking and customization allowed by iOS. You have to do it Apple’s way or else it’s probably not an option. These limits allow iOS products to function very well within the protected space carved out by Apple. However, if you have the need or desire to do something that is not within the boundaries Apple has set for iOS (and can’t create an app to handle it), then you’re out of luck.

2. Productivity limitations: Both the iPhone and iPad are far better devices for consuming information than creating it. Part of the problem is with the on-screen keyboard, which works magnificently for short bursts of data entry but is not something you want to use for writing an email or document of greater length. The operating system itself is not especially tailored for multi-tasking or work-focused tasks such as building presentations, editing files, and juggling several bits of information at once.

3. Fewer hardware choices: Some people prefer really big screens while other people like ultra-small and portable devices. Some want a high-resolution camera lens and all the multimedia bells and whistles in their mobile device, while others don’t need any of that stuff (and don’t want to pay for it) but want a really nice hardware keyboard so that they can do longer data entry more comfortably. With Apple products, you have very few choices. In fact, with both iPhone and iPad there are really only two choices to make when buying the product: storage and connectivity. You get to pick how much storage you want and you get to pick the wireless carrier on the iPhone or the Wi-Fi only model vs. the mobile broadband model on the iPad. That’s it.

Weak spots for Android

The best thing about Android is that its Open Handset Alliance includes some of the biggest and best vendors in the mobile world, including Samsung, Motorola, HTC, LG, Dell, Sony-Ericsson, and many more. The Android partners make devices in all shapes and sizes and in virtually every iteration you can imagine. That’s also part of the problem.

1. Ecosystem chaos: The Android operating system is open source and so hardware makers can take it and do almost anything they want with it. The only real carrot-and-stick that Google has is whether to allow the hardware makers the ability to include the Android Market for applications on their devices. And, frankly, Google has not used this as effectively as it could to keep vendors from doing bad things like launching with long-outdated versions of Android like the Dell Streak did and loading up the device with a bunch of uninstallable crapware like AT&T did with the HTC Aria and Verizon did with the Samsung Fascinate.

2. Wildly inconsistent experiences: One of the main consequences of the ecosystem melee is that there is not enough of a consistent experience across different Android devices. For example, nearly all of the hardware vendors put the Android menu buttons in a different order at the bottom of the screen, and many of them even use different types of button icons, further confusing users. Then there’s the issue of Android software updates. Google releases major updates to the Android OS at least twice a year. However, in 2010, the only device that got those updates right away was Google’s Nexus One, which runs the stock Android OS. All of the other Android devices have a vendor-supplied skin (which typically makes the devices worse instead of better) that runs on top of Android. The hardware vendors have to update their custom Android skins to make them compatible with the newest Android software and then submit it to the wireless carriers, who have to make sure it doesn’t conflict with any of their Android apps, and then it finally gets pushed to the consumer. The timing of these updates is very inconsistent across the Android ecosystem.

3. Leadership vacuum: A lot of these Android problems boil down to the fact that Google needs to show stronger leadership of its ecosystem. Even if it can’t ultimately force the hands of hardware vendors since Android is open source, it can use the Android Market as a bigger stick against gross violators and it can publicly suggest best practices that it would like to see Android vendors adopt in order to pressure (and occasionally inspire) the hardware makers and wireless carriers into better behavior.

How will it turn out?

In the smartphone market, you have to wonder how well these two will be able to market against each other to exploit their weaknesses. The two are fairly well solidified in people’s minds. Unless more people get sick of being locked into the iTunes ecosystem on iPhone (no sign of that yet) or get fed up with the crapware and delayed updates with Android (only a few instances where the masses have noticed), then the 2010 growth trajectory of both platforms will likely hold.

The game is a little more wide open in tablets. Companies like ASUS are targeting Apple’s weak spots in productivity and hardware choices. Hewlett-Packard could combine its long experience in tablet hardware with Palm’s webOS to create a tablet with much better multi-tasking and business features than Android and iOS. But, again, Apple has a big lead here and Google’s tablet OS that it showed off at CES looked very impressive and there are already a lot of big hardware vendors that have lined up to use it.

The bottom line is that both Android and iOS are going to be wildly successful in 2011 and continue to gobble up mobile marketshare. In most cases, it won’t come at the expense of each other, although we should expect Apple to initially steal some Android sales on Verizon and Android will eat away at some iPad sales when its first wave of tablets hit the ground in the spring.

Nevertheless, there will be a ton of new customers coming into the market in both smartphones and tablets in 2011. Look for Google and Apple to dominate most of the new sales in both of those markets. That will keep both Android and iOS on major growth trajectories. Android will have a lot more devices and a lot more companies pushing its devices, so it will ultimately grab greater market share in smartphones, although Apple is very competitive on price (unlike in the Mac vs. PC battles of the 1980s and 1990s) so it won’t just be relegated to the high end of the market. It will take a much larger chunk of market share than it did in the PC wars.

And, in tablets, Apple is out to a huge lead with the surprising success of the iPad. Android and others will start to eat into that cushion in 2011, but Apple will still command a majority of that market by the end of the year.

What about Microsoft, HP, BlackBerry, and Nokia?

Unfortunately, it looks like all four of these behemoths are on the wrong side of history. These guys are all going to be reduced to challenger status in 2011. They’ll be on the outside looking in. Both Microsoft (with Windows Phone 7) and HP (with Palm webOS) could have snatched some of the momentum away from Apple and Google a year ago in the smartphone market, but they’re a little late now. Even though both have solid products, their timing is off and they have a lot of ground to make up in winning over software developers to their platforms.

As for BlackBerry and Nokia, they both have a large installed base of customers to draw on and build from, but it’s not going to be enough to stem their losses in 2011. They are both too far behind when it comes to product innovation. Oh sure, they will continue to hold on to nice chunks of old market share in some places, but both will likely continue their decline at accelerating rates in 2011.

Apple's strategy: active curation creates value... | ZDNet


Market strategies of both the Android Market and the Apple App Store.

Tuesday, March 1, 2011

Two Faces Of Android

The Two Faces of Android

Kevin Marks:
"The most remarkable thing about Android is that it is the first widely adopted Open Source client operating system. It's long been clear that Open Source is the best way to preserve infrastructural code from the vicissitudes of corporate and governmental volatility, but using it for client applications has so far not taken off as well. There has often been a separation between an open source underlying layer and a proprietary user experience that is built atop it.
Android does follow this pattern to some extent - the underlying OS code is fully Open Source under an Apache License, so anyone can bend it to their own uses, but in order to get the "with Google" logo on your device, you need to conform to Google's Compatibility Definition Document. That has changed over time; for example the 2.1 version specifies that your device MUST have a camera and 1.6 requires telephony.
If you do this, you might then get access to what I call the top half of Android - the closed source Google apps that integrate the device closely with their web services - Contacts, GMail, Talk, Android Market, Google Maps, Navigation, Listen, Earth, Places and so on. However, this requires an explicit partnership with Google.
A lot of the day-to-day utility of an Android device is in the proprietary, partners-only layer - that you only get after doing a business development deal with Google of some kind. What we will start to see is alternatives for these Applications being developed. To some extent we're already seeing this from US carriers, but I think this year we'll see both an Open Source suite of apps to swap in many of these functions, and other proprietary offerings to compete with the Google upper half." (http://epeus.blogspot.com/2011/01/two-faces-of-android.html)

Criticism of the Openness of Android

"Android is proprietary, despite being marketed as open source. Android has a compatibility pledge, signed and kept behind closed doors. Android has no governance model, nor any indication there will be one. Android has no spec, and the license prohibits alternative implementations, as that’s not a use licensed by Google in the SDK license. Android is completely controlled by Google, and Google reserves the right to kill off competitors applications if they hurt Google financially, etc. It’s only as open as it is in Google’s financial interest to allow openness, by design." (http://ianskerrett.wordpress.com/2007/11/13/what-does-android-mean-for-suns-openjdk/)

From the Wikipedia:
"Android has been criticized for not being all open-source software despite what was announced by Google. Parts of the SDK are proprietary and closed source and some believe this is so that Google can control the platform. The Android Software Development Kit License Agreement states that:
- 3.2 You agree that Google (or Google's licensors) own all legal right, title and interest in and to the SDK, including any intellectual property rights which subsist in the SDK. Use, reproduction and distribution of components of the SDK licensed under an open source software license are governed solely by the terms of that open source software license and not by this License Agreement. Until the SDK is released under an open source license, you may not extract the source code or create a derivative work of the SDK. [2]
However, Google has since announced that all parts of the OS will be released under the Apache License where applicable and under the GPL elsewhere. Google's applications that interact with Google's systems, such as their email service, are not open source.
Also, at least for now, software installed by users must be written in Java and will not have access to lower level device APIs.[41] This provides end-users with less control over their phone's functionality than other free and open source phone platforms, such as OpenMoko.
Another issue is related to Android's disregard of established Java standards, i.e. Java SE and ME. This prevents compatibility among Java applications written for those platforms and those for the Android platform. Android only reuses the Java language syntax, but does not provide the full-class libraries and APIs bundled with Java SE or ME."

Sources:
The creation of the Dalvik virtual machine which is the basis of the Android platform, has also raised concerns that the first major fracturing of the Java platform may be in progress.
Dalibor Topic on the Android License: "There is a bunch of other rather objectionable stuff, but dear me, this is pretty bad as far as license agreements for pseudo-open-source software go." [3]

From LaForge:
"As many other people have been blogging and news sites have been reporting: The Android source code has been released. This is definitely good news. However, freedom-loving people already discover in blog posts that there's a remote kill switch by which Google can disable an already installed application and that some features are reserved to vendor-signed applications.
To me, those things are not a big surprise. As soon as you try to get in bed with the big operators, they will require this level of control. Android is not set out to be a truly open source mobile phone platform, but it's set out to be a sandbox environment for applications.
And even with all the android code out there, I bet almost (if not all) actual devices shipping with Android and manufactured by the big handset makers will have some kind of DRM scheme for the actual code: A bootloader that verifies that you did not modify the kernel, a kernel that ensures you do not run your own native applications.
Thus, Android so far was little more to me than yet-another-J2ME. Some sandbox virtual machine environment where people can write UI apps for. In other words: Nothing that gets me excited at all. I want an openness where I can touch and twist the bootloader, kernel, drivers, system-level software - and among other things, UI applications.
I actually think it's a bit of an insult if people think of Motorola's EZX or MAGX (and now Android) phones as "Linux phones". Because all the freedoms of Linux (writing native applications against native Linux APIs that Linux developers know and love, being able to do Linux [kernel] development) are stripped.
In the end, to what good is Linux in those devices? Definitely not to any benefit of the user. It's to the benefit of the handset maker, who can skip a pretty expensive Windows Mobile licensing fee. Oh and, yes, they get better memory management than on Symbian ;)
That's the brave new world. It makes me sick." (http://laforge.gnumonks.org/weblog/)

Thursday, February 24, 2011

Geinimi - The Android Trojan

Android systems have been attacked before, but the Geinimi Trojan seems to take things to another level. Once it’s installed in the form of a game or app from a third-party app store, it starts giving out some relevant user information like the IMEI or IMSI number. Thankfully, the Lookout security app has listed out quite a few things for us.

The Trojan shows botnet-like capabilities by letting remote servers access user information and, in simple terms, letting them control the affected user’s phone. Geinimi connects to remote servers using one of ten embedded domain names. Some of these include www.widifu.com, www.udaore.com, www.frijd.com, www.islpast.com and www.piajesj.com.
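A defender can check resolver logs for lookups of the hosts named above. The sketch below is an added example, not code from the original post or from Lookout; the log layout, client addresses and the choice to match any subdomain of the five parent domains are assumptions.

```python
# Added example: the log layout and all log lines are constructed.

# Hosts named in the post, reduced to their parent domains (assumption: any
# subdomain is treated as suspect, not only the www host).
WATCHLIST = frozenset({
    "widifu.com", "udaore.com", "frijd.com", "islpast.com", "piajesj.com",
})

# Constructed resolver log: "<timestamp> <client> query <type> <name>".
SAMPLE_LOG = """\
2011-02-24T10:15:02Z 10.0.0.23 query A www.widifu.com.
2011-02-24T10:15:09Z 10.0.0.23 query A WWW.Udaore.COM
2011-02-24T10:16:40Z 10.0.0.31 query A www.example.org
2011-02-24T10:17:01Z 10.0.0.31 query A notfrijd.com
2011-02-24T10:17:30Z 10.0.0.44 query A www.frijd.com.example.net
2011-02-24T10:18:12Z 10.0.0.23 query AAAA www.piajesj.com
malformed line
"""


def normalize(name):
    """Lower-case a query name and drop the trailing root dot, if any."""
    return name.strip().rstrip(".").lower()


def is_listed(name, watchlist=WATCHLIST):
    """True if name is a listed domain or a subdomain of one.

    Matching on a label boundary avoids flagging look-alikes such as
    notfrijd.com or www.frijd.com.example.net.
    """
    host = normalize(name)
    return any(host == d or host.endswith("." + d) for d in watchlist)


def scan(lines):
    """Return (timestamp, client, name) for every query of a listed domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue  # skip lines that do not follow the assumed layout
        ts, client, _, _qtype, qname = parts
        if is_listed(qname):
            hits.append((ts, client, normalize(qname)))
    return hits


def hits_by_client(hits):
    """Group hits per client so an analyst sees which handset to examine."""
    grouped = {}
    for _ts, client, name in hits:
        grouped.setdefault(client, set()).add(name)
    return {client: sorted(names) for client, names in grouped.items()}


if __name__ == "__main__":
    for client, names in hits_by_client(scan(SAMPLE_LOG.splitlines())).items():
        print(client, ", ".join(names))
```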


Don't let this affect your precious Android handset

Some really sensitive information is given out once Geinimi strikes. Here is what it can do:
- Send location coordinates (fine location)
- Send device identifiers (IMEI and IMSI)
- Download and prompt the user to install an app
- Prompt the user to uninstall an app
- Enumerate and send a list of installed apps to the server
The remote servers can only prompt users to install or uninstall apps; the user still has to confirm the installation or uninstallation.

If you’re using the Lookout security app (free or premium), rest assured, your phone is protected. Otherwise, avoid downloading apps from Chinese app stores. There’s a basic list of dos and don’ts below:
Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.

Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.

Be aware that unusual behavior on your phone could be a sign that your phone is infected. Unusual behaviors include: unknown applications being installed without your knowledge, SMS messages being automatically sent to unknown recipients, or phone calls automatically being placed without you initiating them.

Download a mobile security app for your phone that scans every app you download. Lookout users automatically receive protection against this Trojan.

- courtesy Google Android Developers Group
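
The permission check recommended above can be done before installing, from the output of `aapt dump permissions`. The following is an added example, not part of the original post: the package names, the per-category baseline and the mapping from the behaviours listed in the post to Android permission names are assumptions made for illustration.

```python
import re

# Assumed mapping from behaviours described in the post to the permissions
# an app needs for them (added for illustration, not from the post).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "read fine location coordinates",
    "android.permission.READ_PHONE_STATE": "read device identifiers (IMEI, IMSI)",
    "android.permission.SEND_SMS": "send SMS without user interaction",
    "android.permission.CALL_PHONE": "place calls without user interaction",
}
COLLECTS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}
NETWORK = "android.permission.INTERNET"

# Hypothetical baseline: what an app of a given kind plausibly needs.
EXPECTED = {
    "game": {NETWORK, "android.permission.VIBRATE",
             "android.permission.WAKE_LOCK"},
}

# Constructed `aapt dump permissions` output; newer aapt quotes the name,
# older aapt prints it bare, so both layouts are shown.
SAMPLE_REPACKAGED = """\
package: com.example.puzzle
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
SAMPLE_CLEAN = """\
package: com.example.puzzle
uses-permission: android.permission.INTERNET
uses-permission: android.permission.VIBRATE
"""

PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)'?\s*$")


def parse_aapt_permissions(text):
    """Collect requested permission names from either aapt output layout."""
    perms = set()
    for line in text.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms


def audit(perms, category):
    """Compare requested permissions with the baseline for the app's kind."""
    unexpected = perms - EXPECTED.get(category, set())
    return {
        "unexpected": sorted(unexpected),
        "sensitive": [(p, SENSITIVE[p]) for p in sorted(unexpected)
                      if p in SENSITIVE],
        # Collecting identifiers or location and having network access is
        # the combination the Geinimi behaviour list depends on.
        "exfil_capable": bool(unexpected & COLLECTS) and NETWORK in perms,
    }


if __name__ == "__main__":
    for label, sample in (("repackaged", SAMPLE_REPACKAGED),
                          ("clean", SAMPLE_CLEAN)):
        print(label, audit(parse_aapt_permissions(sample), "game"))
```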