Archive

Archive for the ‘Android’ Category

Adobe Flash Player 10.3 Advisory

September 18, 2011 Leave a comment

Flash Player by Adobe, consistently plagued with vulnerabilities, has under gone yet another minor version upgrade on the Release channel – to 10.3.183.7 10.3.183.10

Adobe recommends users of Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.183.5.
Users of Adobe Flash Player for Android 10.3.185.25 and earlier versions should update to Adobe Flash Player for Android 10.3.186.3.

http://www.adobe.com/support/security/bulletins/apsb11-21.html

Google Security

A Google Security researcher who fuzzed over 400 bugs in Flash Player was denied attribution by Adobe, because of the way CVE numbers are allocated.
He blogged about it in this post, and Adobe responded with their own snark..

So, what’s the right number of CVEs to allocate? In this particular case, some of the code changes we made were closely related within a single component, which would argue for consolidating them with a single CVE, while others were clearly distinct. At this point, we’d rather invest our time in continuing the hardening work that will make Flash Player more robust against attack than reviewing change logs. We’ve updated the security bulletin to include CVE-2011-2424 to describe this batch of bugs.

http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html

And the updated text of the advisory now attributes the CVE to the Google team.

This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2011-2424).

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
Tavis Ormandy of the Google Security Team (CVE-2011-2424)

http://www.adobe.com/support/security/bulletins/apsb11-21.html

Downloads

Android users can get the latest release version from the market here, Internet Explorer users can direct download from FileHippo.com and those running Firefox can grab it from FileHippo.com too..

Those looking for the official Adobe Flash Player download site can click here.

Aurora – The Future of Firefox

September 17, 2011 Leave a comment

Firefox - Aurora

Mozilla now offer 4 versions of their popular web browser software, with increasing levels of sophisticated new technology, interface design and developer tools, but at the expense of stability and compatibility.

Nightly, Aurora, Beta, Release

So the available builds are categorised according to their suitability for general release – the current Nightly is untested and raw, and in time becomes Aurora; and so the current Aurora becomes the next Beta and the current Beta becomes the Release version, available to everyone as Firefox – stable, patched. Software fit for a production environment.

Mozilla aim to do this every 6 weeks.

Every 6 Weeks

So from Aurora to Beta to Release is 12 weeks, or about 3 months. Currently, the Nightly build is at version 9.0, Aurora is at version 8.0, the Beta is 7.0 and Release is 6.0.2

Aurora

Let me just quickly say, if you’re still a bit confused with the Firefox releases, and don’t know which version you should run, then my advice would be to head on over to Firefox.com and download the version offered to you. This is the Release version – the most stable, most tested and most recent.

The other builds –  Nightly, Aurora, Beta – they’re for geeks, for those who like their internet cutting-edge. Want Nightly, Aurora or Beta for your Android device? Check out system requirements, compatible handsets and find downloads here.

Add-Ons Manager

A new interface and new way of handling Add-Ons is introduced. When an add-on is installed from outside of Firefox, the add-on is disabled by default, and requires explicit authorisation from the user to activate.

they can slow down Firefox start-up and page loading time, they clutter the interface with toolbars that often go unused, they lag behind on compatibility and security updates, and most importantly, they take the user out of control of their add-ons.

http://blog.mozilla.com/addons/2011/08/11/strengthening-user-control-of-add-ons

MemShrink

The MemShrink side project aims to reduce the memory usage of Firefox. Lower memory usage means a faster experience, as the overheads for paging and caching are reduced.

One nice thing about this feature is that it gives technically-oriented users a way to tell which web sites are causing high memory usage.  This may help with perception, too;  people might think “geez, Facebook is using a lot of memory” instead of “geez, Firefox is using a lot of memory”.

http://blog.mozilla.com/nnethercote/2011/07/06/memshrink-progress-week-3/

Developer Tools

Including Telemetry, Web timing spec, Azure Direct2D for Canvas and increased HTML5 and CSS3 support, including media elements and custom right click menus. Want to know more about the new developer tools?

Current HTML 5 Support

I’m already impressed with the HTML 5 support in the Release version of Firefox, when the rest of the web catches up, sites will be dynamic and media rich beyond our wildest imaginations.

Insecure Data Request/Response from Quidco RPC

September 13, 2011 Leave a comment

I recently reported some Data Protection and Privacy issues with the Quidco app for Android, and wanted to have an in-depth look at the Client/Server data sent by the app.

Packet Capture

With the newly installed tcpdump facility, I was able to capture the network traffic from my handset and watch the Quidco app for Android send a request to the remote server and receive data back. This happens when you log-in, when you check-in, when the app wants to load your personal details and display your cash-back history.

Pretty standard stuff, nothing out of the ordinary, nothing unexpected.

The problem is not what’s being sent, but how. The communication between the server and the handset is not secured – the data is sent by the server over the internet as plain-text, and includes your email, postcode, real name, date of birth and IMEI.

JSON-RPC

JSON or JavaScript Object Notation, is a lightweight text-based open standard designed for human-readable data interchange.
The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and web application.

http://en.wikipedia.org/wiki/JSON

JSON allows the Quidco app to makes requests to the remote server in a defined way, through procedure calls. Such procedures observed in the analysis of the packet capture include getNearbyDeals and getUserDetails.

Wireshark Analysis

The capture file is loaded into Wireshark where it can be displayed and reconstructed.
One function has the ability to reorder and display in ASCII the request and response of a specific TCP stream.

Reconstruct A TCP Stream

Reconstruct A TCP stream with Wireshark

getNearbyDeals

getNearbyDeals

The function takes several arguments, including the users latitude and longitude, and returns data on the deals close-by.

getUserDetails

getUserDetails

Evil Twin Attack

Being a mobile app, designed to be used out and about, it’s a possibility the end user will connect to a WIFI hotspot, for example Openzone, when they want to check-in at a store or search for near-by deals.

An ‘Evil Twin’ is a hotspot with the same name as a legitimate one, but which is set-up by criminal entities to harvest personal data, log-in or banking details. The Guardian ran a story about it. It’s all to do with the way your handset will automatically connect to a WIFI network based on it’s SSID or name.

Firesheep was a proof of concept plug-in for the Firefox browser, which allowed trivial Facebook session hijacking on insecure networks. Now there is a native Android app, FaceNiff which claims to do a similar job.

Disclosure

The developers of the app were contacted regarding the insecure client/server communication and now the app has been updated to v1.0.4 to address this issue.

Wireshark analysis of traffic captured for version 1.0.4 shows all request/response traffic is made over https.

The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks

http://en.wikipedia.org/wiki/HTTP_Secure

Wireshark Analysis

v1.0.4 Application Traffic Secured with HTTPS

tcpdump on Android

September 11, 2011 2 comments

I’m interested in intercepting the data my Android device is sending – I use Wireshark under windows, using winPcap to capture packets.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers.

http://www.winpcap.org

WinPcap is based on libpcap, a linux tool that’s been ported to Windows.

porting is the process of adapting software so that an executable program can be created for a computing environment that is different from the one for which it was originally designed

http://en.wikipedia.org/wiki/Porting

Linux Kernel, Linux tools?

Android has a linux kernel, so surely there must be a libpcab based tool out there to capture packets?

tcpdump is a command line tool for linux that can capture and analyse packets from the console, or write them to a file. Luckily, the files generated are compatible with Wireshark, being based on the same packet capture software.
The only issue now is to find a version made for Android.. I know some basic shell command like cat, grep, ls, but not enough to do my own Android cross compile..

Strazzere.com

So I was searching around for a tool and came across Strazzere.com – A site about Android and software engineering, and very kindly they host an Android version of tcpdump. It’s based on

tcpdump version 3.9.8 libpcap version 0.9.8

and the latest versions are 4.1.1 and 1.1.1 respectively, so it’s a little out of date, but fully functional.

Installation

So this probably only works if you have root – I have root, and I’m afraid I’m not going back to stock to test it. I have VillainRom 2.4.2 and these instructions are based on the steps I’ve taken to get packet capture working.

You need the Terminal Emulator installed, or you can run the same commands from the ADB shell on your computer, but this post is specifically about the terminal.

Download the file from your phone, so now the tcpdump file is on the handset. In this example, the file is stored in /sdcard/data/

The commands, file and directory names are all case sensitive, so tcpdump is NOT the same as TCPdump.

Terminal

Just cp file to bin and chmod

Now, in the terminal type;

  1. su
  2. mount -o remount,rw /system
  3. cp /sdcard/data/tcpdump system/bin
  4. cd system/bin
  5. chmod 777 tcpdump
  6. mount -o remount,ro /system

To explain the commands; you need to request root, set /system as read-write, copy tcpdump to /system, give it read/write/exec permissions and finally remount /system as read-only.

Packet Capture

Finally, you’re ready to capture some packets. In terminal window, type;

tcpdump -vv -s 0 -w /sdcard/tcp.cap

-vv puts tcpdump into verbose mode – to give us some extra information
-s 0 sets the size of sender to look for to zero, telling the program to grab all packets
-w /sdcard/output.cap will let us set the packets grabbed to be written to the sdcard for analysis later.

http://strazzere.com/blog/?p=286

and all packets will be logged to tcp.cap – Ctrl+C ends capture. This can be done with volume down and C in the emulator.

tcpdump in the Terminal window

Categories: Android, Software Tags: , ,

Quidco App for Android is out of Beta!

September 8, 2011 Leave a comment

The Quidco App for Android has finally lost it’s Beta status, and version 1.1.0 is now available from the Android Market or visit Quidco.com/app.
If you’re not already a Quidco member, read my post and sign up!

v1.1.0

Quidco app for Android is released!

So the Quidco app moves from this early Beta, to full release version, and quickly to v1.0.2 – although the Whats New tab on the web based android market says nothing has changed, the Recently Changed section on the mobile version of the market shows crash fixes.

Using The Quidco App

Sign Up Or Sign In

Load the app, and you will be asked to sign-in with your Quidco details, or to join the Quidco service.
The first time you sign-in, you will be asked to enable Location Sources –  both Network and GPS are required for full functionality.

Location

If you choose not to enable your location, you can still choose from a general list of places.

Device Association

Again, the very first time you run the app you will be asked to associate your device with your Quidco account.
You have to enter the code exactly – if you enter it incorrectly, you will be given several more attempts. If you appear to be stuck, make sure your keyboard doesn’t automatically capitalise the first letter.

If you sign out, it will not ask you to associate again when you sign-in.

Nearby Deals

Click Nearby to be shown a list of deals and in-store cashback offers ordered by distance from location.

At the top, select Map to be taken to a fully interactive Google map with each deal a pin in the map. Click one of the deals to be given it’s name, and again to view the full details.

The Pizza Hut deal for example is a discount voucher, which gives clear instructions for use, and T&C in the details tab.

Account Settings

Under the central option in the bottom bar, My Quidco allows you to view your most recent activity and change your account settings.

You can choose to hide Gambling offers, Hide 18+ offers, and modify your in-store cashback settings, and even register a card if you’re not yet set up.

 

Smart Shopping

With digital vouchers, and  in-store cashback, the Quidco mobile app is a convenient way to earn and to save money in the real world.
Download the app, try it out today!

 

Quidco App for Android Updated – v1.0.8

September 3, 2011 Leave a comment

A new version of the Quidco App for Android has been released to the Android market.

v1.0.8

Quidco App Updated

This update resolves the following issues.

  1. fixed crash when map location shown on Motorola devices
  2. fixed category icons not displaying on some devices
  3. fixed gender toggle style on settings page
  4. fixed gambling/adult style on settings page
  5. fixed error feedback messages on settings page
  6. fixed filters not retaining previously set state
  7. potential fix for crash when loading maps on some devices
  8. potential fix for crash when viewing vouchers on some devices
  9. added greyed out checkbox to filter page to make filters more clear
Categories: Android, Beta, Patch, Quidco, Software Tags: , , ,

Quidco App for Android Updated – v1.0.7

August 31, 2011 Leave a comment

A new version of the Quidco App for Android has been released to the Android  market.

v1.0.7

Quidoco App for Android Updated - v1.0.7

This update resolves the following issues.

  1. fixed crashes on devices with no location services enabled
  2. potential fix for crashes on settings tab on some devices

Want To Know More About Quidco?

Read my post on Quidco – how it works and why you should sign up.