Cryptographic Vulnerabilities in Android Applications

January 23rd, 2015

FireEye has some new research that has found that of the free apps with over a million downloads, 88% use some cryptographic functionality provided by the Android platform and 62% of these have cryptographic vulnerabilities. What this means is that while the authors and the end users of these apps might think their data is secure, it’s easier to decrypt than they would expect.

There seems to be a trend at the moment for researchers to spot vulnerabilities, on all platforms, but not really explain how developers can prevent or fix such problems. Many of the cryptographic concepts are beyond all but the most experienced (or highly curious) developers. While developers of highly secure apps might have the time to look deeply into encryption, the average casual developer needs examples or libraries on which they can base their work.

As it happens, a library, java-aes-crypto, became available this week that’s a simple Android class for encrypting and decrypting strings, aiming to avoid the classic mistakes. There are also more libraries mentioned in my article on Encrypting Your Sensitive Data. I also have tips on Taking Care with Encryption. You might also like to read Tozny’s post on Making Better Mistakes.
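To make the "classic mistakes" concrete, here is an added example, written for this page and not taken from FireEye’s research or from the java-aes-crypto library. It assumes two mistakes that are commonly cited for Android apps (the page itself does not list them): relying on `Cipher.getInstance("AES")`, which on Android resolves to ECB mode, and not authenticating ciphertext. It uses only `javax.crypto`, so it runs on a desktop JDK as well as on Android; the class, method names and the sample record are my own, and key storage (another frequent mistake) is deliberately out of scope, the key being generated at runtime.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class AndroidCryptoMistakes {

    private static final int AES_BLOCK_BYTES = 16;
    private static final int GCM_IV_BYTES = 12;   // 96-bit IV, the recommended GCM size
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag

    // WEAK: on Android, Cipher.getInstance("AES") means AES/ECB/PKCS5Padding.
    // ECB has no IV, so equal plaintext blocks always encrypt to equal ciphertext blocks.
    static byte[] encryptWeakEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    // HARDENED: AES-GCM with a fresh random IV per message; the IV is prepended to the
    // ciphertext so the decrypting side can recover it. GCM also authenticates the data.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return out;
    }

    static byte[] decryptGcm(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, GCM_IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(ivAndCiphertext, GCM_IV_BYTES, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ciphertext); // throws AEADBadTagException if anything was modified
    }

    // Counts 16-byte ciphertext blocks that occur more than once: a cheap ECB tell-tale
    // that a reviewer can apply to stored data without knowing the key.
    static int repeatedBlockCount(byte[] ciphertext) {
        Set<String> seen = new HashSet<>();
        int repeats = 0;
        for (int i = 0; i + AES_BLOCK_BYTES <= ciphertext.length; i += AES_BLOCK_BYTES) {
            String block = Arrays.toString(Arrays.copyOfRange(ciphertext, i, i + AES_BLOCK_BYTES));
            if (!seen.add(block)) repeats++;
        }
        return repeats;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample data: one 16-byte record repeated four times, the kind of
        // structure (fixed-width fields) that ECB leaks as repeated ciphertext blocks.
        byte[] record = "ACCOUNT-0001-PIN".getBytes(StandardCharsets.US_ASCII);
        byte[] plaintext = new byte[record.length * 4];
        for (int i = 0; i < 4; i++) {
            System.arraycopy(record, 0, plaintext, i * record.length, record.length);
        }

        byte[] ecb = encryptWeakEcb(key, plaintext);
        System.out.println("ECB: repeated ciphertext blocks = " + repeatedBlockCount(ecb));

        byte[] gcm1 = encryptGcm(key, plaintext);
        byte[] gcm2 = encryptGcm(key, plaintext);
        System.out.println("GCM: repeated ciphertext blocks = " + repeatedBlockCount(gcm1));
        System.out.println("GCM: same plaintext twice gives identical output? " + Arrays.equals(gcm1, gcm2));
        System.out.println("GCM: round trip intact? " + Arrays.equals(plaintext, decryptGcm(key, gcm1)));

        gcm1[gcm1.length - 1] ^= 0x01; // flip a single bit of the stored ciphertext
        try {
            decryptGcm(key, gcm1);
            System.out.println("GCM: tampering went undetected (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM: tampered ciphertext rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Run it with `javac AndroidCryptoMistakes.java && java AndroidCryptoMistakes`. The ECB output shows repeated blocks while the GCM output shows none, two GCM encryptions of the same record differ because of the random IV, and the bit-flipped ciphertext is rejected rather than silently decrypted to garbage. The `repeatedBlockCount` check is also a useful first pass when auditing an app’s stored data for ECB use.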

Mobile Threat Report

January 15th, 2015

There’s an interesting new free (no registration needed) Lookout Mobile Threat Report (pdf) that describes the trends in mobile security that occurred during 2014. Ransomware has replaced SMS billing scams and Adware threats. Malware in the US increased from 3% to 7%. The report gives more details, numbers and charts for the US, UK, France, Germany and Japan.

One anomaly is that the report only mentions and considers Android threats. There’s no mention of iOS … at all. Maybe the report should have been titled the "Lookout Android Threat Report".

Older WebViews Not Being Updated

January 12th, 2015

If you have been following my posts on Android WebView security concerns then you might be interested to know that Google No Longer Provides Patches for WebView Jelly Bean and Prior. However, as one of the post comments points out, "Even if Google does continue support, would the devices even get it?". Learn more about Android WebView vulnerabilities.

Tablet Shipment Growth Slowed

January 6th, 2015

Gartner has some new research and forecasts for tablet (and PC) shipments. The initial growth in tablet sales has slowed considerably.

Despite this, tablet shipments are still growing and are now of a similar order to desktops. The above table shows that Android tablets might see a larger share of the growth in the coming years.

UK Mobile Coverage

December 18th, 2014

UK mobile coverage is in the news today with the Government and network operators claiming it’s a win for consumers. However, as the article says, the money is "unlikely to be any more than the operators were going to spend anyway in that time period".

From a consumer angle, I have suffered from the network operators trying to get away with minimal rather than comprehensive coverage. I don’t even live in a rural area or "not spot" as they call it. I live in a semi-urban area close to London.

The main problem at the moment is that operators are swapping out or moving 3G masts for 4G masts. At one time, my home, where I mainly work and hence use mobile data for testing apps, was well covered by T-Mobile. 18 months ago, the low signal became unusable. After a 45-minute talk with 4 people at EE (T-Mobile and Orange are now EE), I got through to someone technical who told me the 3G mast had been reconfigured for 4G and even the new projected 4G coverage didn’t look that good at my location. I obtained/purchased SIMs from all the non-MVNO UK network operators and did a survey. Vodafone came out best so I moved all my test SIMs.

18 months later, I am back where I was. The Vodafone signal is poorer, I suspect due to 4G ‘improvements’. The difference this time is that 4G SIMs are not extortionately priced any more and the 4G signal is actually excellent. The cynical side of me wonders if poorer 3G signals are being used to gradually move people to 4G.

Back to the article and it says the money will "provide reliable signal for voice over 2G, 3G or 4G, all by 2017". On all of these? I don’t think so. Also, what about data?

Smartphone Sales Grew 20%

December 15th, 2014

Gartner has some new research that shows smartphone sales grew by 20% for Q3 2014. However, the respective OS market shares stayed roughly the same…


What’s more interesting is that three of the top five smartphone vendors are Chinese: Huawei, Xiaomi and Lenovo. Samsung continues to see a double digit decline in percentage market share. I suspect we might eventually end up in a situation of Apple vs Chinese Android.

State of Mobile Commerce

December 11th, 2014

Criteo has some new analysis, "State of Mobile Commerce Q4 2014", covering over $130 billion of annual sales across more than 3,000 online retailers globally. There are lots of insights and the research upends many assumptions.

Consumers are buying on mobile. Smartphones have overtaken tablets and the average order value is reaching desktop level. Criteo say "It’s now important to reach Android shoppers".

If you are using apps to sell something real then you can’t ignore mobile and you can’t ignore Android.

Learn About Mobile Dark Social

December 10th, 2014

There’s an interesting article on dark social and mobile dark social. This isn’t some illicit part of the Internet but instead is about traffic on web sites that has no referrer, i.e. the previously visited ‘place’ wasn’t a conventional web site and hence isn’t known for analytics purposes. For example, the user might have typed a URL into their web browser, cut and pasted a web address or clicked on a link in an app.

The article explains how we already spend more time in apps than in desktop or mobile web browsers (originally from Benedict Evans)…


The article then continues to make a case for much of the mobile dark social (traffic) to be coming from Facebook and Facebook’s mobile apps. If true, this has consequences for Search and the continuing prominence of Google. Coincidentally, only yesterday there were many media articles on how the new, much better, Facebook Search might also be a threat to Google.

What does this mean for app developers? There are two main areas, linking out and linking in…

  1. Apps with links. Users are increasingly getting used to linking out from apps to web sites. What about in your app? Think how you might leverage this for your own app’s purposes. As I previously mentioned, using webviews has usability and security implications. Hence, I prefer linking out to the mobile web browser rather than opening your own or third-party sites within the app. You might, for example, link out to your own ad-funded or affiliate-link-funded sites in order to gain indirect revenue. Alternatively, if you are a brand or offer a service, the app might just be a lead-in to your main content offering on the web.
  2. If Facebook is becoming the new Google, it makes sense to market your app via Facebook. Apart from having a Facebook presence for your app, consider Facebook’s Open Graph API to increase app uptake. The idea is that an iOS or Android app can create actions that are published to the user’s timeline. When their friends click on the actions, they are either pointed to the app or deep linked into the app depending on whether they already have the app installed. Many top apps use this mechanism.
