Google plans to close Android hole as soon as possible

Google says that it has started "to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third-party access to data available in Calendar and Contacts". The fix will roll out globally over the next few days, said a Google spokesperson in an official statement. No user action will reportedly be required to close the security hole.

However, the company didn't provide any details on how exactly it intends to solve the problem. According to some reports, Google will expected to configure its servers in a way which forces communication to be encrypted using HTTPS when synchronising calendar items and contacts.

For the Picasa app, this is apparently not an option and Google is said to be working on an alternative solution. The company also doesn't appear to have solved the Picasa problem in Android firmware either. The Picasa app continues to transmit the authentication token in plain text even in version 2.3.4, where Google Calendar and Contacts no longer synchronise without encryption.

Researchers at the university of Ulm in Germany had discovered an Android data transmission vulnerability that allows attackers to gain unauthorised access to, and manipulate, other users' Google Calendar, Picasa Web Album and Google Contact data. The issue exists because an authentication token (AuthToken) which is received when logging into the Google server is then subsequently transmitted, in plain text, by some applications when they make further requests of the Google servers. In unencrypted Wi-Fi networks and in networks where all users use the same key, attackers can use Wireshark to intercept the token and use it for their own purposes

Android Open Conference

Introducing Android Open

The Android juggernaut is gaining force and momentum, rocketing past the iPhone and Blackberry to become the dominant smartphone platform. And the opportunity goes beyond phones—Android is powering tablets, set-top boxes, and a host of new embedded and connected devices.

Android Open is the first conference to cover the entire Android ecosystem. Whether you're a developer, IT pro, business decision-maker, or marketer, you'll find the latest and best information for maximizing the power of the Android platform. But this new O'Reilly conference is not just about today's Android opportunity—it also spotlights tech, projects, and companies that point to Android's bright future.

Android Open is a big-tent meeting ground for app and game developers, carriers, chip manufacturers, content creators, OEMs, researchers, entrepreneurs, VCs, and business leaders to share best practices, tools, models, and lessons learned. If it's your business to create, sell, or market products in the Android space, if you're launching an Android-centric venture or need to take stock of the competitive landscape, Android Open is the place to be.

Insightful keynotes, practical workshops, and expert-led sessions will explore:

• Building Android apps: best practices
• Android internals—under the hood
• Development tools
• New frameworks
• Alternative languages
• Gaming and game development
• Enterprise solutions and considerations
• Performance and security
• Analytics and revenue models
• Multiple Android markets
• Promotion and consumer needs
• and much more

Android Open happens October 9-11, 2011 at the Hyatt Regency San Francisco. Expect to encounter actionable insight, alternative hardware and services, announcements and product launches, and a "hallway track" that takes networking to a whole new level. Join with other Android professionals who are passionate about making the Android universe open, inclusive, and successful at the very first Android Open.

- Android Open

Installing non-Market Android Apps made easy

Now you can install apps on your Android powered phone or device without having to get them through the Android Market.

Android Injector allows you to quickly and easily install apps that you have downloaded to your computer in the form of ".apk" files onto your Android phone or device. Some phones do not allow you to install apps from any other source except the Android Market. However, some app authors do not release their apps to the Android Market and elect to put them on other sites such as Getjar.com. Android Injector allows you to download apps from those other sources to your computer and then install them onto your phone from your computer quickly and easily via USB connection.

Just install the USB drivers for your phone or device onto your computer (check your carrier or device manufacturer for drivers), connect your phone to your computer via a USB cable, select any amount of Android app files (.apk) and click "Install to device". No rooting or any of that complicated stuff.

- xda developers forum

Link for the tool is here: Android Injector

GTALK with video chat in Android 2.3.4 O.T.A update

Video Chat on Your Android Phone

Thursday, April 28, 2011 | 1:49 PM

Sometimes, the expressions on a person's face can mean much more than what they say. To help you stay in touch with your friends and family, we’re launching Google Talk with video and voice chat for Android phones.

You can now video or voice chat with your friends, family and colleagues right from your Android phone, whether they’re on their compatible Android tablet or phone, or using Gmail with Google Talk on their computer. You can make calls over a 3G or 4G data network (if your carrier supports it) or over Wi-Fi.

In your Google Talk friends list, a video or voice chat button will appear next to your contacts and you can simply touch the button to connect with them. Any text chats from the person you’re talking with will be overlaid on your phone’s screen so you can read them without having to leave the video. And, if you need to check something else, the video pauses automatically so you can go back to your phone’s home screen or another app. The audio will keep going even though the video has paused. Check out how this works:




Google Talk with video and voice chat will gradually roll out to Nexus S devices in the next few weeks as part of the Android 2.3.4 over-the-air update and will launch on other Android 2.3+ devices in the future.

- Google Mobile Blog

Botnets controlled via SMS

Shmoocon 2011 Smartphone Botnets over SMS Demo from Georgia Weidman on Vimeo.

10 Android Security Risks

Top 10 Android Security Risks

SMShing: This phishing variant uses texting to trick smartphone users into visiting fraudulent or malicious links. Hackers are now being drawn to Android's popularity and openness. For example, last summer, unlucky SMS recipients were invited to download Trojan-SMS.AndroidOS.FakePlayer, a free Movie Player. Once installed, FakePlayer started texting premium-rate numbers, without user knowledge, ringing up huge bills. To block potentially-costly texts, users can add SMS controls such as SMSLinkGuard. Enterprises may also consider using a Mobile Device Manager (MDM) that can monitor Android wireless expenses (e.g., SMS, roaming).Last year, Android became the world's second favorite mobile OS, racing past BlackBerry and Apple. 67 million of the nearly 300 million smartphones sold in 2010 were Android-powered devices like the Samsung Galaxy S, Motorola Droid X, and HTC EVO. New Android 3.0 ("Honeycomb") tablets will spur even more growth this year.

As a result, approximately half of enterprises are working to embrace Android devices. One of IT's biggest challenges: Android's consumer roots mean minimal support for enterprise-class security. Here, we consider today's biggest Android security risks and what can be done to mitigate them.

1. AWOL Androids: The top concern about any mobile device is loss. In a Juniper survey, 58 percent of smartphone and tablet users feared not being able to recover lost content. Apple iPhone users can restore nearly everything from iTunes, but Androids are not managed via desktop sync. Data loss can be avoided in two ways. First, install an auto-backup app (e.g., WaveSecure, MyBackup) to enable quick restoration of all that matters to you. Second, enroll your Android with one of the many available "find me" services to locate and recover lost devices.

2. Flimsy passwords: If your Android falls into the wrong hands, more is needed to prevent thieves from stealing broadband service, ringing up SMS fees, reading your email, or abusing VPN connections. In Juniper's survey, 3 out of 4 users locked their smartphones. This is an excellent first line of defense, but users need to understand Android's limitations.

   Researchers report using smudges to guess Android swipe-lock patterns over 90 percent of the time. Instead, Androids should be locked with PINs or passwords (2.2 or later) or third-party lock apps such as Norton Mobile or AppProtector. Users may also want to enroll in a remote lock service (often combined with find) but beware of SMS dependencies. Enterprises should use either Exchange ActiveSync or the Android 2.2 Device Admin to remotely enforce password policies, ensuring that devices are routinely locked and lost passwords can be reset.

3. Naked data: A major business risk posed by Android is lack of hardware data encryption. Fortunately, Android 3.0 ("Honeycomb") adds an API to let manufacturers offer encryption and IT enforce use. Unfortunately, existing Androids cannot yet perform hardware encryption. Until self-encrypting Androids appear, stored data can be protected in two ways. First, those remote lock apps and APIs can request remote wipe as well, resetting the device to factory defaults – but only when reachable, without wiping SD card data. For more rigorous protection, enterprises should scramble sensitive data such as email and contacts using self-encrypted apps (e.g.,Good for Enterprise, Exchange Touchdown)

Unsafe surfing: Think web browsing on your Android is safe? Last fall, M.J. Keith showed that a known WebKit browser vulnerability could be exploited on Android 2.0 or 2.1. Thomas Cannon reported an Android 2.2 browser flaw that could give hackers full SD card access. Recently, Google fixed an Android Market cross-site scripting (XSS) vulnerability that enables arbitrary code execution, found byJohn Oberheide. Unfortunately, Android users cannot quickly patch around bugs, because OS updates are deployed infrequently by carriers. One work-around: Using an app like BadLink Check or TrendMicroto avoid known-malicious websites.

Nosy apps: Speaking of the Android Market, telling friend from foe can be hard. According to the App Genome Project, Android Market apps more than doubled in the past 6 months. A whopping 28 percent of those apps now access device location, while 7.5 percent access stored contacts. Do these apps really need to know that info and what are they doing with it? Android apps must request permissions during installation – users need to seriously review those requests, exercise caution, and avoid apps that seem too nosy. To flag intrusive apps already installed on your Android, check out Lookout Mobile Security's Privacy Advisor or Webroot.

Repackaged and fraudulent apps: Some apps aren't what they appear to be. Many repackaged apps found on third-party Android markets are legitimate free apps, repackaged to generate ad revenue. But repackaging is also used to implant Android trojans, such as the Android.Pjapps trojan (included in modified versions of the Steamy Windows app) and the Android.Geinimi trojan (turns infected phones into bots). Most of these can be avoided by installing apps only from the Google Android Market. Don't frequent unregulated third-party markets or manually install Android packages from untrusted sources.

But even apps distributed by the Google Android Market receive no official review. Last year, "09Droid" sold about 40 different mobile banking apps at the Android Market. Unfortunately, none were affiliated with those banks. It is unclear whether 09Droid intended to phish for banking passwords, but when banks complained, those fraudulent apps were pulled from the Market. Be very careful when downloading apps that access sensitive accounts. Check with banks or other institutions to confirm apps are distributed by an authorized developer and beware of look-alikes.

Android malware: According to traffic analysis by AdaptiveMobile, Android malware spike 400 percent last year. The total is still miniscule compared to other platforms, but more malware is likely to target Android's rapidly-expanding pool of potential victims. When Coverityassessed the Android kernel, it identified 359 code vulnerabilities, 88 of which posed "high risk" of exploitation. Because Android is an open development platform, hackers have ample opportunity to find and learn how to take advantage of these kinds of flaws.

Fortunately, application sandboxing is built into Android to limit potential damage by malicious apps – unless malware breaks out of that sandbox. That is apparently what DroidDream did last month. Hidden inside about 50 Android Market apps, including Sexy Girls, Advanced File Manager, Task Killer Pro, and Advanced Sound Manager, DroidDream "rooted" infected phones, sending IMEI/IMSI and OS version back to a command-and-control server. The "nature of this exploit" so concerned Google that it remotely removed installed apps from an estimated 50K phones. This "kill switch" was a fail-safe measure of last resort, but users can proactively defend themselves using Android anti-malware apps (e.g., Kaspersky, F-Secure).

Fake anti-malware: Alas, the fake anti-virus trend sweeping the PC world has now emerged for Android as well. When Google killed DroidDream, it installed a clean-up app called "Android Market Security Tool 2011." Android.Bgserv soon appeared on a third-party Chinese market, pretending to be Google's tool but carrying an SMS trojan. The lesson: Hackers prey on user emotions like fear – don't assume that security apps are legitimate. Check out sellers and read reviews. Enterprises should go further by testing apps in a lab environment, then using an MDM to suggest or auto-install verified safe apps on employee Androids. For example, Sybase Afaria now provides over-the-air app management for Android.

Lack of visibility and control: Ultimately, enterprises must embrace Androids – even employee-purchased Androids – so that IT can regain visibility into and control over business activities on these devices. Unlike iOS, Android does not yet offer native MDM to enable third-party device management. However, Android does provide APIs that MDM agent apps can use to read/write settings (e.g., password complexity), query attributes (e.g., installed apps, GPS location), and invoke remote lock or wipe. A bit of this can also be done via Exchange ActiveSync. Either way, IT can enroll Android devices, track their use, and enforce (at least limited) policies. Configurable settings are limited but rapidly expanding – more so for some manufacturers than others. But putting a management framework in place can help you leverage new Android security capabilities as they emerge.

Note: Many of the apps cited above are actually suites that include multiple security tools – for example, remote find, lock, and wipe plus password and anti-malware. We included many different examples for the sake of diversity; shop around to find Android security suite(s) that best fit your own needs
.

Android Apps on non Android Phones

The intriguing idea of running Google Androidapplications on non-Android phones is about to become a reality, courtesy of Myriad, a Zürich-based mobile applications software company.

At next week's Mobile World Congress event inBarcelona, the company will demonstrate its Alien Dalvik virtual machine solution, which enables phones running other mobile operating systems to use Android software.

The approach could be useful to consumers who own devices for which applications are limited, as well as help Android developers and carriers widen their audiences and boost revenues.

How could a non-Android device run software made specifically for Google's Android platform? It sounds like a stretch. In reality, all apps that run on Android phones or tablets run in a virtual machine, which Google calls Dalvik.

The solution is much like the Java Virtual Machine on a desktop: it's a constrained software implementation of a computer via software code. It brings greater security because apps in a VM are essentially walled off from other applications and from the device's operating system.

When the app in a VM crashes, it has no effect on other applications or on the operating system, ensuring stability. This video demo of Myriad's solution on a Nokia N900 running MeeGo shows that it performs on a level equal to that of the same app running on a comparable Android device.

Myriad's Alien Dalvik is a VM that supports Android applications, just like Google's Dalvik VM does, but it's one that can run on other devices. The company says that its first supported iteration will run on Nokia's MeeGo devices, which are also likely to be introduced next week—although they aren't likely to ship for some time.

Myriad has probably targeted MeeGo for its Linux underpinnings: Android too, is based on Linux, making for a bit of a common denominator. Palm's webOS is another Linux-based system; given the relative lack of applications when compared to other popular platforms, webOS could be a further target for Myriad.

Shadow of Oracle-Google litigation
Although its similarity to Google's Dalvik VM is clearly a positive, there could be a negative aspect, too. Last October, Oracle sued Google over the Dalvik VM, claiming that Google's implementation uses code stolen from Sun's Java VM.

Oracle purchased Sun Microsystems for $4.7 billion in 2009, gaining its Java virtualization technology and code. The suit is active and there's no indication yet if Myriad's VM uses any disputed code or if it has sought licensing or permission from Oracle.

If the Alien Dalvik solution delivers as advertised in the video demo—and if there's no fallout from the Oracle complaint—it could open Google's Android Market ecosystem up to a far wider range of consumers who use other smartphones or even higher-end feature phones.

Contrast that to Apple's iTunes App Store, which although it's the biggest platform store for software, serves only Apple iOS devices. Android software running on further platforms could draw greater developer interest in building Android applications. Carriers that adopt Myriad's VM on non-Android devices might gain a competitive advantage over peers that don't.

The proof will be in the pudding. Myriad will have to establish its Alien Dalvik as a viable way to get Android apps on other platforms. If Myriad does deliver, it could be a win for consumers, developers, and carriers alike—and could keep Android's general growth trajectory rising.