Followups
- 🇦🇺 Australia’s controversial anti-encryption law has been referred for independent review to check whether it adequately safeguards citizens rights — nakedsecurity.sophos.com/…
- 🇪🇺 The EU Copyright Directive passed the EU parliament with the two controversial articles intact (the so-called link tax and upload filter) — tidbits.com/…
Security Medium 1 — Android Security at Age 10
As Android turns 10, Google have released their 5th annual Android Security Review. The document is written in relatively human-friendly language and has lots of interesting graphs, well worth a read IMO.
I’ve chosen a few highlights that caught my eye, but before reading them, note that Google use the acronym PHA for Potentially Harmful App rather than the more common term malware.
Fundamentally, there are three areas in which Google has fought, and continues to fight, to improve Android security.
The first is OS security controls. Just like iOS, Google has added, and continues to add, ever more OS-level protections to keep apps locked down ever more tightly. The report lists all the changes made in 2018. While none of them struck me as particularly spectacular in and of themselves, taken together they represent a nice step up in Android security, and underline the fact that Google is continuing to work hard to make Android ever more secure.
The second important area is getting security updates out to users. Historically this has been a real Achilles heel for Android, but Google are making good progress in this regard. They now have monthly security updates, and they’re working hard to get those updates out to more users more quickly.
As of December 2018, over 95% of deployed Google Pixel 3 and Pixel 3 XL devices were running a security update from the last 90 days.
In the 4th quarter of 2018 we had 84% more devices receiving a security update than in the same quarter the prior year.
Newer versions of Android are less affected by PHAs. (impressive graph showing progress from 0.65% on Lollipop to 0.18% on Pie)
It’s still not true that all Android devices get security updates promptly and for at least 3 years, but it is true that if you choose your vendor carefully, you can have an Android device that gets patched promptly.
The third important area is malware, or PHAs as Google calls them. This is a game of two halves — apps downloaded via the Google Play store, and apps downloaded outside of the Play store.
The report makes two things very clear — firstly, Google are doing a good job of driving down overall Android malware numbers regardless of source, and secondly, the Google Play store is significantly safer than other sources of apps. It’s definitely wise to advise friends and family to stick exclusively to the Play store for their apps.
According to Google’s numbers, about one in 200 Android devices were infected with malware in 2018. Those infections were not evenly spread though. Devices that used the app store exclusively had much lower infection rates, a little less than one in 1,000.
What that tells you is that despite Google still taking a mostly reactive approach to their store, they are reacting quickly enough to seriously limit the damage done by malicious apps that do temporarily worm their way in.
What’s also interesting is that Google seem to be getting some good traction with their Google Play Protect security suite. This is basically Google-provided AV that ships as standard on modern versions of Android, and it tries to protect users who side-load apps from getting infected with malware.
In 2018, 0.45% of all Android devices running Google Play Protect had installed PHAs, compared to 0.56% of PHA-affected devices in 2017.
In 2018 only 0.08% of devices that used Google Play exclusively for app downloads were affected by PHAs. In contrast, devices that installed apps from outside of Google Play were affected by PHAs eight times more often. Compared to the previous year, even those devices saw a 15% reduction in malware due to the vigilance of Google Play Protect.
In 2018, 0.04% of all downloads from Google Play were PHAs. In 2017, the number was 0.02%. This increase is due to the change in methodology of upgrading the severity level of click fraud applications from policy violations to PHAs. If we omit the addition of click fraud for a comparison, 2018 is at 0.017% which is still a reduction from 2017.
Google Play Protect prevented 1.6 billion PHA installation attempts from outside of Google Play in 2018.
As Google tighten down their store, malware developers are turning to different avenues of attack. The following quote illustrates that point:
In 2018, there were two notable changes to the Android threat landscape: an increase in pre-installed PHAs and backdoored SDKs (software development kits).
While Google is clearly moving the needle in the right direction on all three major problem areas, Android is still far from a utopia. Just in the last two weeks three more stories broke highlighting security and privacy problems with apps in the Google Play Store (see links section below).
So, what’s the bottom line? In my opinion (Bart), it is now possible to be a security conscious Android user. You need to be careful who you buy your phone from, and you need to constrain yourself to the app store, but you can use Android and keep yourself safe. It’s also still true that it’s much easier to stay safe on iOS, so I’ll still be recommending that my non-techie friends and family confine themselves to Apple’s walled garden, but for the technologically literate Android is now a reasonable option. I’m also heartened by the fact that Google don’t appear to be resting on their laurels, and that they seem to continue to work hard to make Android ever more secure.
Note that I’ve left my privacy concerns around Google completely out of this. It goes without saying that if you use Android you accept that you will be paying with your privacy, and that you are happy with that exchange.
Links
- The full report (PDF) — source.android.com/…
- Preinstalled Android apps are harvesting and sharing your data — nakedsecurity.sophos.com/…
- Government spyware hidden in Google Play store apps — nakedsecurity.sophos.com/…
- Android banking and finance apps’ security found wanting — nakedsecurity.sophos.com/…
Security Medium 2 — Facebook Continues to Evolve
This week Facebook CEO Mark Zuckerberg released another missive titled ‘Four Ideas to Regulate the Internet’ (this time as a Washington Post Op.Ed.). The CEO used this platform to call for government regulation to address four big problems:
- Harmful Content
- Election Integrity
- Privacy
- Data Portability
Zuckerberg’s argument basically boils down to the fact that private companies like his should not be setting the standards for what is and is not OK, and that government regulation could create a universal standard that all companies could follow.
This is the same sentiment as that expressed last June by Microsoft’s president Brad Smith when he called for governments to regulate facial recognition to prevent a ‘race to the bottom’.
Zuckerberg also called attention to some changes Facebook have been making recently, including the moves they’ve made to add more transparency to election ads. To underscore that point, Facebook launched a new searchable database of political ads this week.
In other somewhat related news, Facebook also added some new features to make it easier for white-hat security researchers to study their platform.
This week’s news also shows that Facebook is still a long way from perfect though. Reports surfaced of an extremely dangerous practice that seems to have started recently — to make it easier for new users to confirm their email address, Facebook asked them to enter their email password so Facebook’s servers could use that password to verify they were the true owners of the account. Encouraging users to give up their passwords like this sets a terrible precedent and encourages all sorts of dangerous bad habits! Needless to say Facebook came under strong criticism. They quickly saw the light though and ended the practice.
Facebook’s years of poor oversight also came back to bite them this week when large caches of old Facebook data from the era when 3rd-party apps could access oodles of data with few restrictions were found on Amazon cloud servers without even so much as a password protecting them. Clearly, it was the app makers who failed to secure their copy of the data, but of course, had Facebook treated user data with respect back then, the apps would never have had it to lose!
For what it’s worth, my (Bart’s) take on this missive is that I completely agree with what Zuckerberg is calling for. I don’t know how serious he is about it, or how noble his intentions, but I don’t care, I firmly believe we need the kind of regulation he’s calling for!
It should be noted others are much more critical, as evidenced by the opinion piece from the Guardian linked below.
Links
- A re-posting of Zuckerberg’s Op.Ed sans-paywall — newsroom.fb.com/…
- Reporting on Microsoft President Brad Smith’s call for regulation of Facial Recognition last June — www.wired.com/…
- Facebook Launches Library of All Active Adverts — www.macobserver.com/…
- Facebook’s Whitehat Settings lets bug-hunters dial back app security — nakedsecurity.sophos.com/…
- ‘Beyond Sketchy’: Facebook Demanding Some New Users’ Email Passwords — www.thedailybeast.com/… & Facebook won’t ask for your email password any more — nakedsecurity.sophos.com/…
- Millions of Facebook Records Found on Amazon Cloud Servers — www.bloomberg.com/… & Facebook apps expose millions of users’ Facebook data — nakedsecurity.sophos.com/…
- Opinion: Mark Zuckerberg says he wants to fix the internet. Don’t take him seriously — www.theguardian.com/…
Notable Security Updates
- Apple have patched just about everything — www.intego.com/…
- iOS 12.2 — support.apple.com/…
- macOS 10.14.4 & Security Update 2019-002 for Sierra & High Sierra — support.apple.com/… & tidbits.com/…
- watchOS 5.2 — support.apple.com/…
- tvOS 12.2 — support.apple.com/…
- Safari 12.1 (for Mojave, High Sierra & Sierra) — support.apple.com/…
- With this update Apple have followed Google’s lead and now pro-actively mark http:// websites as ‘Not secure’ — osxdaily.com/…
- iTunes for Windows 12.9.4 — support.apple.com/…
- iCloud for Windows 7.11 — support.apple.com/…
- Note that these patches fix the KeySteal vulnerability that made news in February when the discoverer refused to tell Apple the details because they don’t have a bug bounty program for macOS — nakedsecurity.sophos.com/…
- Patch Android now! April updates fixes three critical flaws — nakedsecurity.sophos.com/…
- ASUS have released a security update for their Live Update app to patch a vulnerability that was found to be in use in the wild by so-called Advanced Persistent Threats (APTs) — www.us-cert.gov/…
- Update now! WordPress hackers target Easy WP SMTP plugin — nakedsecurity.sophos.com/…
- A critical security bug has been patched in Apache’s popular web server software. The bug has been named Carpe Diem. The silver lining is that it can only be exploited on systems that allow attackers to have shell access, but that’s actually a very common scenario on shared hosting platforms (Aside: Naked Security deserve a prize for best pun of the week for their headline ‘Apache needs a patchy! Carpe Diem, update now’) — nakedsecurity.sophos.com/…
- VMware patches critical vulnerabilities — nakedsecurity.sophos.com/…
- Patch now! Magento e-commerce sites targeted by SQLi attacks — nakedsecurity.sophos.com/…
Notable News
- TP-Link SR20 routers are vulnerable to a zero-day exploit that lets anyone (or any device) connected to the WiFi network execute arbitrary commands on the router as root. Despite the researcher’s best efforts, TP-Link have not responded to his bug report, so after 3 months he has gone public with the vulnerability. If you have one of these routers, do not connect any un-trusted devices to it, and don’t give anyone you don’t trust your password — nakedsecurity.sophos.com/…
- 🇳🇿 New Zealand have passed a law that threatens social media companies that don’t deal with violent content quickly enough with large fines and even jail time for execs — nakedsecurity.sophos.com/…
- 🇬🇧 Related: The UK is rumoured to be considering a similar law — www.theguardian.com/…
- Security researchers are warning users of smart cars like Teslas that when they sell their vehicles, they need to pro-actively wipe the data stored on them, because their research showed that second-hand Teslas, including car wrecks sold for scrap, contain a lot of un-encrypted personal data — nakedsecurity.sophos.com/…
- Security researchers have found novel ways to trick Tesla’s AI into mis-reading the road and in some cases, changing lanes into the wrong lane, the one meant for use by on-coming traffic! While headlines use inflammatory words like “into oncoming traffic”, the researchers did not find that the lane-keeping mistake would cause the car to drive into an obstacle like an on-coming vehicle, something its sensors would definitely detect — nakedsecurity.sophos.com/…
- CloudFlare have announced a new Freemium VPN service to complement their 1.1.1.1 DNS resolver. The new service is named Warp, and is available as a limited preview ATM. The company are very explicitly promising not to track users or sell their data — www.imore.com/…
Suggested Reading
- PSAs, Tips & Advice
- Notable Breaches & Privacy Violations
- ⭐️ Monitoring/stalking/spying app MobiiSpy suffered catastrophic breach — motherboard.vice.com/… & nakedsecurity.sophos.com/…
- ⭐️ Family locator/tracking app FollowMe was leaking real-time location data for its 238,000 users — nakedsecurity.sophos.com/…
- ⭐️ 🇺🇸 FEMA exposes sensitive data of 2.3 million disaster survivors — nakedsecurity.sophos.com/…
- ⭐️ 🇮🇪 Airbnb fail to respond adequately as another hidden camera is found in a rented home. They did eventually do the right thing, but only after reporting in the national media and a Facebook storm forced their hand: Family finds hidden camera livestreaming from their Airbnb in Ireland — edition.cnn.com/…
- Possible Toyota data breach affecting 3.1 million customers — nakedsecurity.sophos.com/…
- 🇺🇸 2M Customer Cards sold on the dark web after the Buca di Beppo (a chain of Italian restaurants) suffered a breach of their POS devices — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- 🇨🇳 Chinese lesbian dating app Rela suffered a data breach which could put its users at serious risk of discrimination — www.macobserver.com/…
- News
- ⭐️ Security researchers have released a detailed report showing evidence that the Russian government is systematically using GPS/Galileo/GLONASS/Beidou spoofing on a regular basis — nakedsecurity.sophos.com/…
- ⭐️ Firefox brings Lockbox password manager to Android’s autofill — nakedsecurity.sophos.com/…
- Mastercard Sees Other Banks Ditching Card Numbers Like Apple — daringfireball.net/…
- Why ‘PWNED!’ is appearing on some GPS smartwatches — nakedsecurity.sophos.com/…
- 🇨🇦 Several webpages from Elections Canada and MPs lack basic data protections, expert says — www.cbc.ca/…
- 🇺🇸 Tech giants back bill that privacy advocates claim is toothless — nakedsecurity.sophos.com/…
- 🇺🇸 FTC slams the phone down on quartet of robocallers — nakedsecurity.sophos.com/…
- 🇺🇸 Patriot Act renewal gives privacy advocates an opening — www.washingtonexaminer.com/…
- 🇺🇸 Proposed Bipartisan Law Could End NSA Phone Surveillance — www.macobserver.com/…
- 🇬🇧 UK Body Issues Stark Huawei Warning — www.macobserver.com/…
- Opinion & Analysis
- ⭐️ Evaluating Popular Web Browsers in Terms of Security and Privacy — readwrite.com/…
- ⭐️ Are there viable alternatives to Facebook and Twitter? — nakedsecurity.sophos.com/…
- As drones fill the skies, cybercriminals won’t be far behind — nakedsecurity.sophos.com/…
- Mastercard Wades Into Murky Waters With Its New Digital ID | WIRED — www.wired.com/…
- Propellor Beanie Territory
Palate Cleansers
- The other Y2K you’ve probably never heard of: GPS’s Week Number rolls over on the 6th of April (but no need to panic) — nakedsecurity.sophos.com/…
- How to differentiate between AI, machine learning, and deep learning — www.techrepublic.com/…