Fallible is a security firm that developed an automated tool for reverse engineering Android apps and used it to examine a large slice of the top apps on Google Play. They found quite a few things that should never have shipped, including Amazon Web Services credentials that would let anyone who extracted them start and stop instances under the developer's account. In total, about 2,500 apps contained some kind of hardcoded key or credential; in many cases those keys were needed for the app to function at all (a third-party API key, say), but at least 304 of them carried sensitive secrets that had no business being in a shipped app. Anything compiled into an APK can be pulled back out by whoever installs it, so follow The Register's advice and think long and hard before hardcoding keys into any app you might be developing.
"A security firm has reverse engineered 16,000 Android apps on Google's Play store and found that over 304 contain sensitive secret keys."
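To make the finding concrete, here is the simplest form of the check Fallible's tool automates: unpack the APK (which is just a zip) and scan every entry for credential-shaped strings. This is an added example written for this post, not Fallible's tool; the "APK" it scans is a constructed in-memory zip containing AWS's documented example key pair and a made-up Google API key, and the patterns and severity labels are this example's own assumptions.

```python
"""Scan an APK (a zip archive) for hard-coded cloud credentials.

Added example for this post; not Fallible's tool. The sample APK below is
constructed in memory and uses only AWS's published example credentials.
"""
import io
import re
import zipfile
from collections import namedtuple

Finding = namedtuple("Finding", "entry kind value severity")

# Assumed patterns: AWS access key IDs are 20 chars starting with AKIA (long-lived
# IAM user keys) or ASIA (temporary STS keys); an AWS secret is 40 base64-ish chars,
# here required to sit shortly after an "aws_secret"-style label; Google API keys are
# "AIza" plus 35 chars. Severity is this example's own triage, mirroring the article's
# split between keys an app may legitimately need and secrets that should not ship.
PATTERNS = {
    "aws_access_key_id": (re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "high"),
    "aws_secret_access_key": (
        re.compile(rb"(?i)aws[_-]?secret[^\n]{0,40}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
        "high",
    ),
    "google_api_key": (re.compile(rb"\bAIza[0-9A-Za-z_-]{35}\b"), "review"),
}


def scan_apk(apk_bytes):
    """Return a list of Findings for every entry in the archive.

    Scanning raw bytes works because string constants in classes.dex are stored
    as plain (M)UTF-8 and resource/properties files are text. Secrets assembled
    at runtime or stored encrypted are NOT caught by this byte-level scan.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            data = zf.read(entry)
            for kind, (pattern, severity) in PATTERNS.items():
                for m in pattern.finditer(data):
                    raw = m.group(1) if m.lastindex else m.group(0)
                    findings.append(Finding(entry, kind, raw.decode("ascii"), severity))
    return findings


def triage(findings):
    """Count findings per severity, e.g. {'high': 2, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a dex-like blob and a config file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        # Not a valid dex file, just the header magic plus NUL-separated string
        # constants the way a dex string table would hold them.
        zf.writestr(
            "classes.dex",
            b"dex\n035\0" + b"\0" * 16
            + b"AKIAIOSFODNN7EXAMPLE\0"          # AWS documented example key id
            + b"https://api.example.com/v1\0",
        )
        zf.writestr(
            "res/raw/config.properties",
            b"maps_key=AIzaSyA" + b"0" * 32 + b"\n"   # made-up Google API key shape
            + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Usage on a real app: scan_apk(open("app.apk", "rb").read())
    results = scan_apk(build_sample_apk())
    for f in results:
        print(f"[{f.severity}] {f.entry}: {f.kind} = {f.value}")
    print(triage(results))
```

The "review" bucket exists because a Google Maps key, for instance, can be restricted to a package name and signing certificate and so may be acceptable in an APK, whereas an AWS IAM key pair grants whatever that IAM user can do to anyone who unzips the app. Treat a clean result from a scan like this as necessary rather than sufficient: it only sees literal strings.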
Here is some more Tech News from around the web:
- Verizon to redirect calls made from dangerous Galaxy Note 7 phones @ Ars Technica
- How to Keep Hackers out of Your Linux Machine Part 1: Top Two Security Tips @ Linux.com
- Seagate hauls out fat form factor throwback hard drive @ The Register
- A more advanced guide to total Android customization @ Ars Technica
- Qualcomm sued for allegedly bribing Apple to use its chips in iPhones and iPads @ The Inquirer
- Cordless Drill Uses no Electricity @ Hack a Day
- iMessage emoji prank is temporarily borking iPhones and iPads @ The Inquirer
- noblechairs Epic Series Gaming Chair Review @ NikKTech
I have a smart-phone but
I have a smart-phone but would pay even more for a dumb flip-phone if it had a G4/LTE radio in it instead of just GSM radio channels. I did not want all of the app bloat/update frustrations on a phone like there are with PCs/laptops. I was forced to get a smart-phone because the GSM phone channel radio bands are going away for some carriers in 2017 (for most), and even T-Mobile’s GSM is worthless now that they have started transitioning some of their GSM channels to LTE usage on the way to T-Mobile’s getting rid of GSM service by 2020.
So the new unlocked LG flip-phone (GSM) that I purchased is not getting any good reception inside my apartment anymore. So now, to get the G4/LTE/whatever latest radio that gets good reception, I had to get a smart-phone (Android). I’d still pay more for a flip-phone that ran a dumb phone OS with the latest G4/LTE/newer radio technology just to be of use for making/receiving phone calls.
Maybe Fallible/others could develop an Android/dumb-phone OS that only allows the device to be used mostly for making and receiving calls. I have stripped most of the bloat off of my smart-phone, but there is still the stuff that cannot be removed, and so I have dialed that back as much as possible. But I’d like the carriers to offer some new flip-phone options simply because I liked a smaller phone that fit nicely into the small camera case I had attached to my belt, which held the flip-phone nicely without being too bulky.
Samsung supposedly has an Android flip-phone that looks to be about the size of my new but now useless (LG/GSM) flip-phone, but that’s probably for the Japanese market where flip-phones are still popular. I don’t want to be the product for Google’s Android ecosystem any more than I want to be the product for M$’s Windows 10 ecosystem, which wants to make the end-user OS experience into a point-of-sale cash drain, milking the OS’s end users nickel-and-dime style the way Google/Apple/M$ have become with their OS/ecosystems and monetization schemes!
And now this headline for
And now this headline for Google! Man, even the school kids:
“Google harvested school kids’ web histories for ads, claims its Mississippi nemesis”
http://www.theregister.co.uk/2017/01/18/mississippi_says_google_harvested_student_data/
So 1.9% of apps they tested
So 1.9% of apps they tested failed on security. It would be interesting to see their methodology, and how they selected those 16,000 apps. It would also be nice to see the full findings, but that is less likely.
Are they able to do the same test on iOS/Windows apps (store and/or desktop)? Wild guess: most of those 304 poorly designed apps that are on both stores will have the same error in both implementations. (If your company has apps with security failings in one environment but not another (e.g. fails in Windows Store but not Blackberry – to avoid the standard Android/iOS responses), tell the (e.g.) Windows dev to speak to the Blackberry dev and learn about security.)
I decided to have a look at the company, and its blog is quite interesting. Most recent posts (at https://fallible.co/blog/) are (apologies if I get list formatting wrong):