Wednesday, 30 July 2014

Fake ID bug exposes Android smartphones and tablets

An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user's credit card data and take control of the device's settings.
Bluebox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.
The company added it had alerted Google to the problem in advance to allow it to mend its operating system.
Google confirmed it had created a fix.
"We appreciate Bluebox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users," said a spokeswoman.
"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project."
However, the many thousands of devices still running versions of the operating system ranging from Android 2.1 to Android 4.3 that have not been sent the fix by relevant network operators and manufacturers remain vulnerable if they download apps from outside the Google Play store.
Forged signatures
Bluebox has dubbed the vulnerability Fake ID, because it exploits a problem with the way Android handles the digital IDs - known as certification signatures - used to verify that certain apps are what they appear to be.
The issue is that while Android checks an app has the right ID before granting it special privileges, it fails to double-check that the certification signature involved was properly issued and not forged.
Jeff Forristal, chief technology officer of Bluebox, likened the issue to a tradesman arriving at a building, presenting his ID to a security guard and being given special access to its infrastructure without a phone call being made to the tradesman's employer to check he is really on its books.
"That missing link of confirmation is really where this problem stems," he told the BBC.
"The fundamental problem is simply that Android doesn't verify any claims regarding if one identity is related to another identity."
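A simplified model of the missing check described above, as an added example that is not code from the article, Bluebox or Android: it contrasts accepting a certificate's issuer claim by name with verifying the issuer's signature over it. The names, certificate layout and toy RSA keys are constructed for illustration and are not secure.

```python
import hashlib
from dataclasses import dataclass

def make_key(p, q, e=65537):
    """Toy textbook RSA from two known primes (constructed, not secure)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(n, e, data, sig):
    return pow(sig, e, n) == _digest(data, n)

@dataclass
class Cert:
    subject: str
    issuer: str   # only a claim until the signature is checked
    n: int        # subject's public modulus
    e: int        # subject's public exponent
    sig: int = 0

    def tbs(self):
        """Bytes covered by the issuer's signature."""
        return f"{self.subject}|{self.issuer}|{self.n}|{self.e}".encode()

def issue(subject, subject_key, issuer_name, signing_key):
    cert = Cert(subject, issuer_name, subject_key["n"], subject_key["e"])
    cert.sig = sign(signing_key, cert.tbs())
    return cert

def trusted_by_name(leaf, parent, trusted_subject):
    # The gap the article describes: the issuer claim is accepted unverified.
    return leaf.issuer == parent.subject == trusted_subject

def trusted_verified(leaf, parent, trusted_subject):
    # Hardened check: the parent's public key must have signed the leaf.
    return (trusted_by_name(leaf, parent, trusted_subject)
            and verify(parent.n, parent.e, leaf.tbs(), leaf.sig))

# Constructed sample data (hypothetical names, Mersenne-prime toy keys).
VENDOR_KEY = make_key(2**61 - 1, 2**89 - 1)
APP_KEY = make_key(2**13 - 1, 2**17 - 1)
OTHER_KEY = make_key(2**107 - 1, 2**127 - 1)
VENDOR = issue("Example Vendor", VENDOR_KEY, "Example Vendor", VENDOR_KEY)
GENUINE = issue("Example App", APP_KEY, "Example Vendor", VENDOR_KEY)
# Claims the vendor as issuer but was signed with an unrelated key.
UNVOUCHED = issue("Example App", OTHER_KEY, "Example Vendor", OTHER_KEY)

if __name__ == "__main__":
    for name, leaf in (("genuine", GENUINE), ("unvouched", UNVOUCHED)):
        print(name, trusted_by_name(leaf, VENDOR, "Example Vendor"),
              trusted_verified(leaf, VENDOR, "Example Vendor"))
```

Both certificates pass the name-only comparison; only the one actually signed with the vendor's key passes the verified check.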
To make matters worse, he added, a single app can carry several fake identities at once, allowing it to carry out multiple attacks.
Mr Forristal gave three examples of how a faked certification signature might be used to cause harm:
  • The app pretends to be created by Adobe Systems - Adobe is granted the privilege of being able to add code to other apps in order to support their use of its Flash media-player plug-in. The malware can take advantage of this to install Trojan horse malware into otherwise authentic programs
  • The app uses the same ID used by Google Wallet - the search firm's mobile payment software is usually the only app allowed to communicate with the secure hardware used to make credit card transactions via a phone's tap-to-pay NFC (near field communication) chip. By exploiting this, the malware can obtain financial and payment data that would otherwise be protected
  • The app impersonates 3LM software - many manufacturers add their own skins to Android to customise their devices' user interfaces and functions. In the past, HTC, Sony, Sharp, Motorola and others did this by using extensions created by a now defunct business called 3LM. By masquerading as 3LM's software, malware could take full control of the relevant devices and both uninstall their existing software as well as adding spyware, viruses and other damaging content of its own
Bluebox made headlines last July when it revealed the Master Key bug - a coding loophole that could allow hackers to take control of Android devices. Cybercriminals were later spotted using the technique to target users in China.
Mr Forristal said he believed that the Fake ID flaw had the potential to be a bigger problem.
"Master Key did allow a whole device to be taken over... but the user had to be duped into a couple of decisions before the malware would be able to achieve its goal," he explained.
"Fake ID unfortunately occurs in a manner that is hidden to the user - there's no prompts, no notifications, no need for special permissions.
"The user can actually be told the app doesn't want any special permissions at all, which most people would think makes it relatively safe. But once Fake ID is installed it's 'game over' instantly."
Google Play scan
Dr Steven Murdoch, a security expert at the University of Cambridge's computer laboratory, agreed this was a serious flaw. But he added that most device owners should still be able to avoid being affected.
"Google will be looking for people who are exploiting this vulnerability in applications being distributed through its own Google Play store," he said.
"So, if that's the only place that you get apps from, you are in a relatively good position.
"But if you download applications from other sources you will be putting yourself at risk."
A spokeswoman from Google confirmed that the company had scanned all the applications in its own store as well as some of those elsewhere.
"We have seen no evidence of attempted exploitation of this vulnerability," she added.
Bluebox is releasing an Android app of its own that will check whether the host device has been patched.

Tuesday, 29 July 2014

Android L: The best-looking Android yet


The preview version of Android L is currently available for Nexus 5 and Nexus 7
Google announced the latest version of Android at its developer conference in the last week of June. Called Android L, which by the way is a temporary name, the new version promises users a better looking interface, faster performance, more battery life and overall a smoother experience than what they get with the existing versions of Android.
Android L is going to be available to consumers in the next few months. But if you have a Nexus 5 phone (or a Nexus 7 2013 tablet), and if you are familiar with terms like ROM, Flashing and Bootloader, you can install the preview version of Android L. We have been using Android L on a Nexus 5 for nearly a month now and based on our experience with it so far, we can give you a fair idea of what you can expect from it when it rolls out to consumers.
However, before we talk more about the operating system (OS), here is something important to note: Android L is a work in progress. The preview version gives a taste of it to users, but it is by no means the final version. It can, and most likely will, change before it is available to end users.
Material design is elegant
Compared to Android Jelly Bean and Android KitKat, which more or less followed the basic design and interface that Google used in Android Ice Cream Sandwich, Android L shakes up things in a more significant way. It replaces the Holo design that Google used in Ice Cream Sandwich with the Material design, which is based on a layered user interface (UI). It is a flatter and more colourful design. For end users, this means two important changes - one, the core UI elements like multitasking and notification shade have changed, and two, the basic design of apps too is going to see changes.
Of all the interface changes that Android L introduces, the following ones are most significant:
Lockscreen: The lockscreen of the phone can now show the notifications. Many Android users were using lockscreen widgets for the same functionality earlier but now it is baked in. These notifications can then be dismissed with a swipe to right or left. But if you double tap on a notification, it opens the app that is sending the notification.
From the lockscreen, you can also access the quick settings by swiping down the notification shade. This works even if the phone is locked. Also, to go to the dialer, you can swipe from left edge to the right and to go to camera you can swipe from right edge to the left.
The lockscreen of Android is more dynamic now. Unfortunately, it seems that Google has removed the support for third-party lockscreen widgets. So, some of your favourite weather widgets or apps like Dashclock may not work with Android L. At least for now.
Notification shade and quick settings: The Material design in Android L uses layers. The best example of this is seen in the way notification shade has been designed. In Android KitKat, bringing down the notification shade opens a layer which has notifications. To access quick settings, users can tap on a small toggle on the right top corner. But in Android L, the notification shade is made up of three layers: The top layer shows the basic information like date, remaining battery, and has the bar to adjust brightness of the device. The second layer has buttons that give access to most used settings like Wi-Fi and Airplane mode. The third layer is where notifications from apps are shown. When you open the notification shade, you can see the subtle animation that layers use as they slide out. It looks cool and the animation is smooth.
Multitask with cards: Multitasking UI is another big change in Android L. Unlike the filmstrip of thumbnails in KitKat, Android L uses a deck of cards as its multitasking UI. It is similar to how open tabs are shown in Chrome browser on Android. The animation while shuffling the cards, which represent open apps, is smooth.
With the new version of the OS, there is one more big change in the way multitasking is handled in Android. Earlier, if you clicked a link in the Twitter app, it opened a web page in Chrome but strangely considered that page a part of Twitter. But in Android L, the web page will be a part of the Chrome app, the way it is supposed to be.
User interface elements: Other than using layers, the material design adds some specific elements to UI. However, these elements will be available to users only if the app developers follow UI guidelines prepared by Google. For now, to see the UI elements part of the Material design, a user can open the phone dialer or the calculator. The idea with the new design is to provide a more consistent feedback to users and keep a uniform look & feel within the apps. For example, the touchable elements in the dialer app glow when a user taps them. Similarly, if you are scrolling through a list and reach the end, there is subtle shadowy animation that tells users that the list has ended.
Android L has better and smoother animations. This means even within apps, navigating from one element to other gives a more polished experience and makes the OS feel a lot slicker.
And yes, the onscreen navigation buttons have changed. Now they are represented by a triangle (back button), a circle (home button), and a square (multitasking button).
ART inside Android
Android L is a preview version. It is undoubtedly better looking than Android KitKat. But on the performance part, KitKat running on Nexus 5 still has the edge. Right now Android L on Nexus 5 feels a wee bit slower, most likely because of all the extra animations that have been added. Though, the difference is not that much and we feel that the final version of Android L on Nexus 5 will be as fast as KitKat if not more.
In terms of performance, here are the highlights:
ART: A new runtime, ART was part of KitKat. But it has to be enabled. By default KitKat uses Dalvik, the older runtime which has been a part of Android since its beginning in 2008. With Android L this is changing. In the new version of Android, ART is the default runtime. But what does that mean for users?
Google says ART will make Android phones more responsive and faster. But why? Here is the explanation: When you currently install an app on an Android phone, Dalvik is used to run and compile it. The process is called Just In Time, which means that when you launch an app, elements of it are compiled and run. This is a pretty fine system but from time to time you may feel that the app you are trying to run doesn't feel as responsive as it ought to be.
ART uses an Ahead Of Time process. This means when you install an app on an Android phone running ART, the necessary elements of the app are compiled and stored on the phone's internal storage in advance. So when you launch an app, the operating system doesn't have to compile anything. This results in an app that feels more responsive and has lower load time.
The disadvantage of ART is that apps take more space on the internal storage of the phone and when you are booting/restarting the phone, you may have to wait a few extra seconds before you can access homescreen.
Battery saver mode: Almost all Android smartphones nowadays come with a battery saver mode. But this mode is the work of companies that have made the phone and is not a part of the standard Android OS. With Android L, Google is giving the OS an inbuilt battery saver mode. The implementation of the battery saver mode in Android L is fantastic. It can be accessed from Battery settings but by default it is turned on. As soon as the phone gets below 15% battery, the mode kicks in. This means the brightness of the display is automatically dimmed, the performance of the phone is reduced and all the fancy animations are switched off.
The battery saver mode works well. Google claims that Android L is more sensitive to the battery use compared to previous versions of Android. The company talks about Project Volta, aimed at improving battery life of Android phones. With battery saver mode on, we found the claim to be largely true. With Android L, our Nexus 5 consistently gets better standby battery life. In actual use, we found that Android L gave us around 1 to 2 hours of extra battery life compared to what we got with KitKat on Nexus 5.
Using Android L
Our overall experience of using Android L has been very positive. But it is also clear that for now the OS is not ready for the prime time. It is full of usual bugs that accompany a preview release. Many things don't work. For example, tethering doesn't work. Connecting to a Wi-Fi network using a proxy is an issue. Then there are UI glitches in apps that have not yet updated for Android L. Twitter's official app just doesn't work. The Facebook app can't show comments in a proper way.
Yet, as we said, we have a positive impression of Android L. When it feels fast, it does feel fast. The animations and flatter UI elements make Android L slicker. It is definitely good enough to stand in the league of Windows Phone and iOS. Once some of the glitches are taken care of - something that we expect to happen by the time the final version comes to Nexus phones - it will be a fantastic smartphone OS to use.
Android L is light on visible new features. Battery saver mode has been added. The lockscreen is more dynamic now. There is even a Do Not Disturb mode, similar to the one in iOS.
But with Android L Google is focusing on the basics. Primarily, the company is providing developers a platform that will help them create better looking and better performing apps. And that is where it gets a little complex. On its own, Android L is pretty fine. But to achieve its full potential, it requires support from app developers. They have to use the Material design in their apps. They have to make proper use of the performance enhancing features like ART that Google has put in Android L. Hopefully, before the final version of Android L hits the Nexus devices, we will see some magic from Android developers.

Thursday, 3 July 2014

Google Nexus 5 facing battery backup issues with the new update

There have been many complaints about Google Nexus 5 battery life from device owners, even after the recent Android 4.4.3 update.
Battery drain was one of the reasons Nexus 5 owners had anticipated the KitKat upgrade, which came with the promise to fix battery drain, bugs and other problems.
However, it appears more issues appeared after the Android 4.4.3 update, and Nexus 4 and 5 got the biggest share of problems, such as lagging apps, connections and screen freezes.
Other issues include notification problems, lagging Google Play Store, redesign lag in the Android dialer and unknown errors in Exchange ActiveSync.
The first Android KitKat buzz came in March, and the update was said to be a massive or major bug fixer that would tackle problems brought on by Android 4.4.2, which were quite many.
In early June, Google pushed out Android 4.4.3 to stabilize Google Nexus 4, 5, 7 and 10, plus update the OS of Google Play phones: Moto E, Moto G and Moto X.


It did squash many Android 4.4.2 bugs, while at the same time bringing along some cosmetic changes. However, Android 4.4.3 also brought new bugs of its own.
One of the quickest solutions to handle the issues is to do a factory reset by going to Settings -> Backup & Reset -> Factory data reset. Needless to say, this will delete most of your data, along with your text messages and photos etc.
Last week held quite the surprise, when Google had Android 4.4.3 quickly followed up by an Android 4.4.4 update.
While minimal, the upgrade brought a completely new OS version for Google Nexus 4, 5, 7 and 10.
It includes a security fix, which is also Heartbleed-associated - an issue which has been plaguing most OpenSSL platforms.
With regard to battery drain, Nexus 5 has always shown impressive battery life, and is supposedly not affected by the updates, just as many owners say.
Those who want to manage their battery in detail can go to Settings -> Device -> Battery. Battery life can also be saved by turning off unneeded features and adjusting settings such as screen brightness.