Double Authentication to Boost Security!!!

Google is making it harder for Gmail and other Google Apps accounts to get compromised by adding an optional feature that will send a security code to your smartphone for logging in.

The two-step verification feature will be available to Google Apps premier, education, and government customers on Monday, and to the hundreds of millions of individual Google users in coming months, as a built-in part of the free service, a Google product manager told.

Until now, Google accounts have been protected only with passwords, which are susceptible to phishing and other social-engineering attacks.

The two-step verification feature will put an additional roadblock in the way of online criminals by generating a onetime six-digit code that will be sent to the account holder in order to be able to successfully log in. The code will be sent after the password is provided.

This type of two-factor authentication--something you know (password) and something you have (smartphone with code)--is similar to smart cards and tokens, except that the code is accessed on a piece of hardware you most likely already carry.

Google users will sign up for the service through the Settings page and will be able to specify whether they want to get the security code sent to them via text message or automated voice call, or through a Google Authenticator app they can download to their Android device, BlackBerry, or iPhone. The code is randomly generated and changes every few minutes.

Many people might find it inconvenient to have to check their phone and type in an additional code every time they want to check their Gmail. To solve this problem, Google has made it so that people using the same computer to access their accounts can check a box to "remember verification for this computer" so that they won't be asked for a code on that computer for a month.

And for those who are happy with their one-factor password security, they don't have to opt in to this new feature. Google Apps enterprise administrators will be able to turn the feature on for any user in the organization.

The impetus for the feature came about a year and a half ago, when Google engineers asked themselves, "what's the single thing we can do to improve the security for our users the most?," said Travis McCoy, a security product manager at Google.

Google is open-sourcing the software so companies can do customization and port the app to other platforms. Google also is using an open standard to generate the codes so "vendors can offer a token that will work with Google Apps," McCoy said.

Alert! Adobe Flash Player 10.1.82.76 Got Loophole in It!

Adobe has disclosed a newly-discovered vulnerability in current versions of the Flash Player and says there are reports that it is being exploited in the wild.

According to Adobe, a critical vulnerability exists in Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date. 

Adobe is in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player Android operating systems during the week of September 27, 2010. 

While Adobe cautions owners to “follow security best practices by keeping their anti-malware software and definitions up to date”, this advice leaves Android owners in the lurch as there are no best practices or virus definition updates for this mobile OS. There are several security apps available for Android including Norton Mobile Security, droidSecurity, and Lookout, but Google’s mobile OS is a relatively young and untested platform for security applications. We really have no idea how quickly and effectively these applications will respond to a circulating threat.

The Latest Android Hacks: Jailbreaking A PS3 With A Nexus One!

If Sony’s PS3 gaming system took a step backward in functionality when Sony disabled its ability to install Linux, it’s just taken two steps forward again.

t4nav, a Senior Member of xda-developers has just discovered a method to hack the PS3 using a Nexus One or a Desire! All you have to do is:

"Download this 

http://www.mediafire.com/?cgst1aw26i26b60

and place it’s contents onto the root of your SD-card.

Then download my flashable boot.img 

http://cl.ly/83b21dd1818a791d857e 

Place that on the root of your card, Reboot into recovery and flash the PS3-signed.zip

Reboot your phone.

Launch terminal emulator…

Then type the following… 

Code: 

#cd sdcard 

#su 

#insmod psfreedom.ko 

Now turn your PS3 off at the wall, and plug in your phone. 

Turn the PS3 back on at the wall. 

Press the PS3 power button followed by the eject key in quick succession…"

"To get back to normal…

Download this… 

http://cl.ly/428e11e2b0c81369761e

Go into recovery… 

Enable USB-storage 

Copy .zip 

Flash .zip"

So far, it’s only been confirmed to work with the Nexus One and Desire, though we’re sure that with proper attention from the dev community, the hack could be ported over to other devices, such as the EVO 4G or Droid X. 

Source: Android Police

Samsung Galaxy Tab Rooted Even Before Release!!

Samsung grabbed a fair bit of attention with the announcement of the Samsung Galaxy tablet and also entertained us with the tablet commercial. But rooting Android OS devices is something that strikes our attention all the time.

The folks at Sera-Apps, a German group of Android developers, have not only managed to get the Samsung Galaxy Tab a month before the device goes on sale, but they managed to root the device at IFA, the world’s largest consumer electronics show being held in Germany.

Whether the final version of the Galaxy Tab that’ll be released in the US can be rooted the same way as the trade show model remains to be seen. And how exactly Tim at Sera-Apps did the rooting isn’t exactly clear, but he did get a screen that shows he’s been granted superuser rights.

Now that Samsung Galaxy tablet has been rooted successfully, the absurd pricing for the device seems to be justified. But then, Samsung may patch up the loopholes before making the product publicly available in US and UK. In anyway, this is an encouraging sign for the Android enthusiasts and those who are looking forward to buy the Galaxy tablet.

Will this lead to Samsung’s locking down of release models of the Galaxy Tab? Or will Samsung let hackers do what they want with this tablet? Or will this pave the way for performance upgrades, improved keyboards, and more implementation of multitouch for the Galaxy Tab? Let us know your ideas in the comments!

Froyo Leaked Again!! This Time for Samsung Galaxy S!

The Samsung Galaxy is one of Samsung’s most popular handsets of all time. Not only is it running the great Android mobile OS from Google but it has recently been made known that Samsung has shipped over 1 million units in the United States.

Unfortunately, just like about every other device currently on the market the manufacturers have delayed the Android 2.2 roll out. While not giving an official confirmation as to what is causing the delay we can only assume that it has something to do with the TouchWiz UI that Samsung developed to lay over the Android platform.

Luckily, for those of you who have an international version of the phone, reports have surfaced today that say the official Android 2.2 update has leaked out. If, however, you have a Vibrant or Cpativate, you’re out of luck as this version is made specifically for the international versions, as I already mntioned.

A number of smartphones recently have had Android 2.2 builds leaked with all of them being Beta builds with a few things broken. You might want to take this in to consideration if deciding to test the leaked build.

It isn't clear when the official build will land, but we have head September as well as later this year. It all really depends on which Galaxy S model you have got and when your network gets it ready to be pushed out.

Of course, it’s expected that Samsung will roll out the update for the platform soon enough so for those who don’t like to break any rules... 

Android app licensing cracked in less than a month!!

There has been some concern about smartphone apps in recent weeks after a malware app worked its way into the Android store that sent premium-rate text messages to make money for criminals.  What’s more the BBC demonstrated a proof-of-concept Java app that seemed to be a simple game of noughts and crosses, but was copying contacts and emails in the background.

A spokesperson for Google told the BBC about the malware app…

“Google has a system in place that can revoke malicious applications and stop them running on handsets.  Our application permissions model protects against this type of threat.  When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a user’s phone number or sending an SMS.  Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time.  The spokesperson said the firm advises users to “only install apps they trust”.

In response to developers’ complaints of unauthorized usage of their wares, Google has set up a licensing service, by which – via a set of libraries – an application can hit Google’s server, which stores sales records. Every time an app with this protection is launched, it checks with Google to be sure the copy is legit.

The new system was to replace the old copy protection method within few months, and were considered to be more secure and less problematic. 

Now, NeoWin is reporting that the new licensing scheme for Android apps has been cracked less than a month after coming on-line!!!

The “Licensing Service for Android applications” was supposed to provide developers a “secure mechanism to manage access to all Android Market paid applications.”  In theory, the new licensing system would verify against the Android Market licensing server, which would in turn verify the application against existing sales records. If no sales records were found, the application would show an error explaining that it was not properly licensed.

The man responsible for cracking the security has published a paper on his website in which he details how to reprogram a Java app, which is the language most Android apps are written in, to change its status from unlicensed to licensed.

He says…

I am very much against piracy, and very much pro-Google. I have spent more time researching copy protection for my applications than development of the applications themselves.  Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution. By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts.

He also provides a video demonstrating his findings.  Google have not yet commented on the crack.

Android App Licensing Mechanism Still Easy to Break!!

According to Android Police, Google's new app licensing mechanism designed to protect developers against app piracy is still relatively easy to break. The site says that since the License Verification Library isn't a core component of the Android operating system, "an app developer needs to package it with the app that uses it, making it an easier patch target, without requiring root access." As such, running a few simple scripts may break the licensing code. The conclusion is such that "Google’s Licensing Service is still, in my opinion, the best option for copy protection; however, we really need to see a better solution, such as checking the apk for alterations or ways to confirm an application was installed through official means."

News of how easy it is to crack and break license codes for Android Market titles may dissuade some developers from seriously looking at Android. This in turn may hurt consumers if the development community doesn't grow due to concerns about piracy.