Silicon Shecky

Infosec Practitioner


Security Slimebags or How to be forced to pay for security

October 5, 2015 By Michael Kavka

Android is the most popular mobile OS in the world. It also has some of the most frightening security holes, currently Stagefright. The carriers know this and use it, legally, to seemingly extort their customers.

Apple has one thing that Android doesn’t have, and that is a decent patch cycle. You can see people still using the iPhone 4s today. They don’t have to get a new device just to be secure, but not everyone likes the iPhone. Android, on the other hand, is awash in situations. From the heavy fragmentation of the OS, to the majority of phones not getting critical security updates thanks to the carriers, it really is the wild west. The best bet is to get an unlocked phone that will get updates directly from Google, but the cost of an unlocked phone is high, and the everyday person might not realize that is an option.

Carriers such as Verizon, AT&T, T-Mobile, and Sprint know this and use it against the everyday person. Heck, last year when Android 5 came out, the list of phones to get it included mine. I still have not seen that update, even though Android 6 was just announced. So in my wisdom with Stagefright out there, now in two versions, original and even better, I went through my phone settings to see when the last update was pushed out to me. The answer was June, before Stagefright, even though there have been patches made by Google and approved by the phone makers to patch Stagefright version 1, and soon version 2. Now why would a carrier not push out such critical patches? The only answer I can come up with is profit.

Think about it, they don’t send out the patches, you need a new phone to be secure! With the changes all the companies have been making this year to move away from plans and phone subsidies, it is the perfect plan. Extort the customers to make them secure! It is a perfect plan, especially considering no one has done the one thing that could end this. Sue the carriers once hacked. Lawsuits, especially class action ones, are going to be the only way to get non-rooted, locked phones timely updates. The carriers have to be held responsible. The problem is those of us that know the carriers are doing this root our phones or get the Nexus line of phones. The lack of communication with the layman who uses an Android phone continues to allow this pattern to continue.

The only other option is for everyone to move to iPhones, but without the competition how bad will the iPhone get? Think about it, most of the “great new features” on an iPhone are features that were already available on an Android phone. Apple just refines the feature a bit and whammo, now people are saying how Apple invented x, y, and z. Without Android what would spur iOS’s development?

One last thought though on all of this, and that is mobile payment, buying things online. Maybe someone else out there knows, but doesn’t being able to use your phone to make payments, and the way it does so, subject the phones or carriers to some part of the PCI standard? If so, how many of us or them are truly compliant?

Filed Under: Android, Apple, Google, Mobile Computing, Rants, Security Tagged With: Android, AT&T, iOS, Security, Sprint, Stagefright, T-Mobile, Verizon

Android Security: Google or Carriers issue?

January 16, 2015 By Michael Kavka

In the world of Android a couple of disturbing articles have come out recently. Google is no longer patching 4.3 (Jellybean) and earlier versions. Also the amount of malware for Android increased by 75% last year. This begs the question: who is to receive blame on the vendor side?

We all know people do not patch apps. Maybe they don’t like “new” terms that come with the update (most terms are the same as the prior versions). A lot do not get the best information. Patching is important, and we all know that. In the world of PCs we all know about Patch Tuesday (Microsoft, Adobe), and know how long it can take Apple to patch flaws in OS X and iOS (which they completely control and is out of the carriers’ hands). So what about Android, the world’s most popular phone OS?

The announcement this week that Google is no longer patching WebView for versions 4.3 and earlier started me thinking more about this. Yes, Google is “abandoning” 930 million users. Yes, they come out with new versions of Android so fast that the OS is fractured all over the place. The question is though, is Google doing the right thing? I personally think so. The reasoning why places a bunch of blame on the carriers.

Outside of iOS (iPhone), the carriers control when consumers get updates to their Android (and Windows) phones. In the world of Android, Google announces a patch, update, new version, then it gets sent to the device manufacturers. They have to test against their hardware and customization that they have done to Android for their devices (the look and feel of the OS you see). Then it gets sent to the carriers (Verizon, AT&T, Sprint, etc.) where even more testing has to be done against the carriers’ modifications to the OS (special built-in apps, their radios, any network lockdowns or features such as tracking cookies). Basically once Google releases the new version/patch/update, getting it onto most people’s phones is out of their hands, the exception being the Nexus devices which Google controls. The longer an update takes to get out there, the more chance there is for a breach. The easier it also may be for malware to get on the phones, and could be a reason the amount of malware for Android increased by 75% last year.

So the question arises, why does it take so long to hit our phones? The obvious and simple answer to me is money. Why bother pushing patches and updates, let alone new versions of the OS to phones, especially ones that are only a year or two old, when you can try to force people to get new hardware, and either extend or get new contracts to get the latest? Security as a Service you can almost think of it as, but not quite. Seriously, the carriers have a cash cow on their hands with Android and doing things this way. The latest version of iOS is out and works on phones that are years old. Apple has it available for those older phones through their updater, although some features may not work on the older phones, it is still available. I am by no means an Apple fan, but the control they have over their updates is what Google needs to have over Android. The carriers don’t care, and won’t unless they lose some major lawsuit because someone’s phone got hacked due to a security update not having been available for that model. When I tweeted to my carrier (Verizon) about this, they sent me a link to their “news” page which has no information on updates. I also tweeted them back as they asked about what I was looking for (latest Windows Phone update, Android Lollipop) for specific devices. Never heard back from them.

The bottom line on this, from my perspective, is that both Google and the carriers are to blame. Google is to blame, not for not patching, but for not controlling the push out of patches and updates to the OS, and the carriers for not pushing out updates and patches in a timely fashion. Until this gets resolved, Android is going to stay heavily fragmented, and security for everyday people’s phones is going to be shaky at best.

Filed Under: General Tagged With: Android, AT&T, Google, Security, Sprint, T-Mobile, Verizon

There are 3 tablets, which one I prefer

November 12, 2012 By Michael Kavka

I have in my possession a Surface, an iPad, and an ASUS T300 Android Tablet. After having spent time with all three, I look at the pluses and minuses of them, from my perspective, which means that there are opinions in here that are just that, opinions.

Tablets are the new big thing. Everyone wants one, and plenty of companies are making them. Some tend to be designed for specific things (Nook, Kindle) while others make what seem like empty promises to me. I started out with a Nook Color e-reader not long after it came out. I had figured that it would be the tablet of choice for me. Problem was, the 7″ screen and lack of apps, especially free (Ad Supported) apps made me think of getting something else.

That something else came from my work. As we were getting iPads and starting to support them at client sites, they gave me one. This was for me to play with, learn about and use so I could support them. I enjoy the iPad experience. It is quick, and solid. I don’t like Apple, their holier than god and we know what is right for you attitude, and the lack of decent tech apps. Video playback on it has been nice on trips, but I am limited to the Apple formats, as usual.

The Surface is the newest of the Tablets I have. I really had high hopes for this machine, and maybe in the future it will reach those aspirations, but not at the moment. Right now, I deal with the frustration of not finding either the apps I use or an equivalent. Flip Toast is ok, but has bugs (They have told me they are working on fixing them). I can’t find decent Network tools, most apps that I can get free with Ads on other platforms, cost money, or are more expensive than they are on other platforms. Then there is also my Nook issue. I have the Nook app, or my Nook Color on everything else. My Library is there on all my other devices. Microsoft, which bought an 18% stake (IIRC) in Nook has no Nook App for Windows 8. In fact if you search for Nook in the App Store, you get 2 choices as of writing this article, Kobo or Kindle. So much for partnerships. Don’t get me wrong, there is good about the Surface. Office works nicely, the hardware is responsive and the tile system looks nice. Plus there is the keyboard cover, which is pretty sweet.

Both the Surface and the iPad I got through my office for testing and learning purposes. We want to make decisions on what our sales and service techs are going to use going forward. Honestly, I would lean to the Surface, because of Office, and because of the ease at which it integrates into a Microsoft environment. I can access network shares easily (even though I cannot join an RT device to the domain), and it will do everything that our sales and service teams need. The iPad integration we were trying with a Mac server and we just could not get it to do what we wanted.

The ASUS Transformer T300 is a personal item. It was a birthday gift back in Sept. To tell the truth, I love it. Outside of Flipboard not being available for it, I have everything I want or need on it right now. Yes, I am using Pulse on it, but the lack of new sources I like, and the lack of aggregation from the social media world, makes Pulse a bit annoying, especially in regards to World/U.S. news. Still, I have everything else, including a free Office Suite (which is amazingly useful in its own right). The only drawback to the T300 as compared to the Prime, is the plastic back. I also got a 3rd party case/bluetooth keyboard for it which works as nicely as the Surface’s keyboard cover.

My recommendation right now to people would be the Android Tablet. The T300 does it all, and while a bit sluggish at times, it still is plenty responsive. There are more free apps available for it, and you are not tied into iTunes or Apple’s network. The Surface might be the thing in the future, but right now, it doesn’t have enough to make it worthwhile, especially on price point. The T300 costs under $400 for a 32GB model. The iPad and Surface (with Type touch cover) are both at $600 for 32GB (Without the Cover the Surface is $499 for 32GB).

Filed Under: Android, Apple, Hardware, Microsoft, Reviews, Tablet/E-readers Tagged With: Android, Apple, ASUS, iPad, Microsoft, Nook, Surface, Win8
