Android Click on Web Link to Run Arbitrary Code

tancentIn the past I have mentioned the need to be careful about using WebViews in apps, particularly apps that are security sensitive. The number and complexity of WebView vulnerabilities are such that a pragmatic approach might be to not use WebViews in security sensitive apps. Recent news has shown that the same vulnerabilities can be a security problem for the Chrome web browser app itself.

If you have been following the IT news, particularly the security news, you will know that the Italian spyware company Hacking Team recently got hacked themselves and their source code was posted on the Internet.

It turns out they developed an Android ‘remote2local‘ exploit that cleverly combines three known Chrome vulnerabilities and the root-enabling put_user or TowelRoot vulnerabilities to allow pre-defined code to be executed as root from the user simply clicking on a link in the browser. The details are on the Tancent blog (Google translated).

How bad is this? The Hacking Team have a compatibility file that says it covers Android 4.0 to 4.3 and lists some tested devices…

remote2localcompatibility

One of the vulnerabilities, CVE-2012-2825 Arbitrary memory read, was fixed in June 2012 and another, CVE-2012-2871 Heap-buffer-overflow was fixed in August 2012 so end users allowing Chrome and WebView to update via the Play Store will have had these vulnerabilities fixed a long time ago.

However, this demonstrates how vulnerabilities can be combined to run code as root without the user even knowing. The Hacking Team compatibility file and subsequent vulnerability fixes show that in some ways, Android’s fragmentation aids security. It’s difficult for exploits to cover all types of Android OS and device and they usually only work on smaller subset of devices. As I previously mentioned, this won’t be much consolation to large companies with thousands of employees or customers which greatly factor up the chances of encountering exploits that might end up accessing sensitive company information.

Android for Embedded Development Survey Findings

viaVIA Technologies have a new survey (pdf) of their customers from a range of embedded backgrounds asking them about their use of Android for embedded applications.

viaembeddedandroidfindings

TI SensorTag

texasinstrumentsUp to now most low power Bluetooth beacons have been fairly limited devices that only transmit simple information that can be used for ‘presence’ based applications. Some can send extra information such as battery life to the phone and some you can remotely cause to beep or flash but most of the innovative ideas have revolved around using them to detect presence and trigger content to be shown, for example, in retail stores or museums.

TI have something interesting with their new CC2650 SensorTag that connects to Android or iOS (as an iBeacon) providing support for up to 10 low-power sensors for ambient light, digital microphone, magnetic sensor, humidity, pressure, accelerometer, gyroscope, magnetometer, object temperature and ambient temperature.

tisensortag

 

sensortagblockdiagram

The possibilities suddenly become far more exciting and seemingly endless. For example, in sport you might attach one to your sports equipment (racquet, golf club or whatever) to analyse technique. In health, you might attach one to yourself or someone else (elderly?) to detect movement. In security, they might be attached to high-value items to protect in various (theft, dampness, extreme movement) ways or used as the basis for a home security system.

The CC2650 is available as a tag for $29 or the chip that does the work is available in large quantities, for use in your own hardware designs, for around $6.

Update: Looking closer at the one I have purchased, the $29 tag has a very restricted license that says you can’t use it in a finished product or production solution – presumably mainly because it’s not FCC approved . It’s for evaluation purposes only. That’s a shame as it’s a large step to have to integrate the chip in your own board, even if you base it on their ‘open’ hardware design.

Future Opportunities in Mobile

gartner136Current opportunities in mobile have been driven by the huge growth in mobile device shipments. So, what types of connected devices are people using now and how is this likely to change in the next few years?

Gartner has some new research that shows that while the PC market will decline about 4% this year it will recover in 2016 and grow in 2017. However, the non-phone market of 540 million devices/yr is small compared to the mobile phone market which is 1,940 million devices/yr. By 2,107 these are expected to be 566 million/yr and 2,628 million/yr respectively.

gartnerdevices

What does this mean for developers? We have reached a period of relative stability where both the PC and phone markets have levelled off. If you develop generic apps for the PC/Mac or for mobile you can expect your market to remain about the same size for the next few years.

I believe that if you are seeking growth areas then you need to be more specialised and also look for B2B or white label opportunities. Health, insurance, retail, interfacing with IoT devices, security, cloud and big data seem to be the obvious areas.

Malware Motivations

gdataYesterday I wrote about how we shouldn’t necessarily ignore malware. GDATA has new research into current Android malware. They also have a free report (pdf). There are about 4900 new malware samples every day – that’s a new malware sample every 18 seconds.

financiallymotivatedmalware

About 50% of the malware is financially motivated and is attempting to steal financial details, send premium SMS or locks the device (ransomware).

If you are an Android user, you might want to read my advice for consumers. App developers should read my guidelines on securing data and code.

Risks to Sensitive Information

nowsecureNowSecure sent a tweet today saying the chances of encountering malware is very low and that the chances of apps leaking sensitive or personal information is very high and that’s the real problem.

I suppose that depends on what type of user you are or whether you are looking at the risks from the point of view of a company supplying a service through apps. Some kinds of user are more promiscuous, root their devices and obtain apps from 3rd party app stores where there’s a much higher risk of malware. Also, large companies with thousands of employees or customers greatly factor up the chances of encountering malware that might end up accessing sensitive company or personal information.

Mobile and Retail

criteoCriteo has a great free report and slides on the State of Mobile Commerce Q2 2015. The slides include some very useful country specific data towards the end of  the presentation.

Takeaways include…

  • Mobile is very significant in all retail categories with 1 in 3 transactions being in fashion and luxury.
  • The majority of transactions come from smartphones as opposed to tablets.
  • In the US, iPhone makes up 66% of transactions compared to 5.6% for Android.
  • Quality apps can currently generate up to 42% of mobile transactions for sellers.
  • Cross device shopping is important and makes up 40% of purchases in the US.
  • Android produces more transactions in many countries…

androidecommerce

Using Notifications to Drive Engagement

localyticsLocalytics have new research that shows that in-app messages drive 3.5X higher user retention. But, as Localytics say…

“Many app owners wonder how to create content that isn’t viewed as spam and doesn’t detract from the user experience.”

localyticsmonthlyapplaunches

The problem is that unless the message is event/content triggered and is useful to the user then the notification is likely to be seen as an annoyance. For example, as some developers do, reminding the user about some feature of the app that isn’t pertinent to specific new content in the app is likely to be viewed unfavourably. If your app isn’t event/content driven then in most cases I’d avoid notifications as it’s harder to justify their use.

Localytics also have some recommendations for you to consider to help drive use of notifications…

  • Get the user to opt in (rather than have to opt out)
  • Provide personalised recommendations (rather than serving them with everything)
  • Provide notifications for upgrade or achievement notifications
  • Get users to share app content (I am less sure this is a good idea)
  • Provide app quick tips (I personally think this will annoy all but the most ardent fans of your app who will probably already know about the feature anyway)

You might also consider filtering notifications based on what content the user has previously viewed or what they have favorited/saved. Whatever you do, provide the option in the app for the user to turn off notifications otherwise some people might uninstall the app instead.