Re: [android-security-discuss] disk encryption time

2011-10-25 Thread Chris Palmer
On Tue, Oct 25, 2011 at 3:08 PM, Tai Nguyen tainguye...@gmail.com wrote: Does anyone know why it takes so long ( hour) to turn on data encrypt in HoneyComb? Does it really take that much time to enable dm-crypt? It takes that much time to encrypt your data and copy it into the new dm-crypt

Re: [android-security-discuss] Re: NTT Docomo (Japanese mobile career0 send IMEI always in video/audio player.

2011-10-22 Thread Chris Palmer
On Oct 22, 2011, at 6:36 AM, Kevin Veroneau wrote: Wouldn't it be more secure if they hashed the imei before placing it into the header? This way a unique hash can be used as an authentication key. Hashes are more difficult to match. Or to make it more difficult, split the imei into 2,

Re: [android-security-discuss] Re: Protecting Data in Android 2.x devices

2011-09-26 Thread Chris Palmer
On Mon, Sep 26, 2011 at 1:53 PM, James Burns jfbu...@gmail.com wrote: This is not the same as data at rest encryption but rather relies on the Android (Linux) OS access control restrictions. accessed / available only by the main user login information implies that the user credentials are

Re: [android-security-discuss] Re: OCSP/CRL support during SSL

2011-09-08 Thread Chris Palmer
On Thu, Sep 8, 2011 at 9:33 AM, nlsp niels.po...@gmail.com wrote: This boils down to whether it is okay to prioritize availability over security. Availability is a security guarantee just like confidentiality or integrity. Still, the actual question remains: does the android browser support

Re: [android-security-discuss] Re: OCSP/CRL support during SSL

2011-08-30 Thread Chris Palmer
Having OCSP/CRL will help. Actually, that is not at all clear. http://www.imperialviolet.org/2011/03/18/revocation.html http://www.ietf.org/mail-archive/web/websec/current/msg00296.html Compound the generally low reliability and performance of CAs' OCSP and CRL endpoints, multiply that times

Re: [android-security-discuss] Re: Android2.2-2.3 exploit

2011-08-25 Thread Chris Palmer
Since when did 56% of an install base become retrocomputing? https://developer.android.com/resources/dashboard/platform-versions.html If you have the ability to patch your 2.2, and if you care about security, then you might as well patch up to 2.3.4. -- You received this message because you

Re: [android-security-discuss] Re: Privilege Escalation Damage Reduction?

2011-08-15 Thread Chris Palmer
On Aug 15, 2011, at 7:27 PM, Earlence wrote: Rodrigo: true. But this will be helpful in curbing malware. Even after the device has been rooted, setuid HAS to be called to elevate. Therefore, this should prevent that. No, this is not true. For example, if you exploit a bug in the kernel, your

Re: [android-security-discuss] Dalvik support for Kerberos (v5) ?

2011-08-10 Thread Chris Palmer
On Aug 9, 2011, at 1:05 PM, Thomas Hardjono wrote: One of the things we need to learn about is the privileges-model used in Android. Well, it's actually pretty simple: each application is sandboxed in its own UID, and then sharing is explicitly and minimally re-enabled through rich,

Re: [android-security-discuss] Multiple Signatures and Shared UIDs

2011-06-25 Thread Chris Palmer
By having the application and the content packages use the same sharedUserId, the Java classes contained in the content packages are available to be directly used by the application.  However, in order to be able to install two APKs wishing to use the same sharedUserId, they must have common

Re: [android-security-discuss] SELinux on Android

2011-06-19 Thread Chris Palmer
There might be an oppy to use selinux to make android more impervious to malware in general (departing from the app-based discussion for a moment). With selinux you can lock down the rights of every daemon to do only what it explicitly needs to do in order to function. So an exploit in one

Re: [android-security-discuss] SELinux on Android

2011-06-18 Thread Chris Palmer
Also, as on the Internet, it's up to the individual apps to protect themselves, rather than the infrastructure providing systemic safeguards. And they can, and do. But, the easiest way to make sure only authorized callers invoke your IPC endpoints is to declare in your Manifest that all

Re: [android-security-discuss] SELinux on Android

2011-06-17 Thread Chris Palmer
SELinux implements mandatory access control, which provides more fine-grained control than UID/GID-based permissions.  Processes have security contexts associated with them, and detailed policies describe what those processes can and cannot do -- everything from file system access control to

Re: [android-security-discuss] SELinux on Android

2011-06-16 Thread Chris Palmer
We're conducting a research project at Virginia Tech this summer to add SELinux into the Android distro.  This would go beyond some of the previous work into actually extending Binder to pass the appropriate security context information to SELinux for application policy enforcement.  I'm

Re: [android-security-discuss] [android-security-discuss] android kernel rootkit detection

2011-06-13 Thread Chris Palmer
Is it possible to detect kernel level rootkit without root permission? Perhaps you could detect the most incompetent kernel rootkits that way. It would probably be more work than it was worth, though. (Consider that an honest kernel can, by design and as a feature, hide information from

Re: [android-security-discuss] Re: Secure Android apps necessarily native?

2011-05-13 Thread Chris Palmer
On Fri, May 13, 2011 at 10:59 AM, Twinkie ns1...@gmail.com wrote: I was hoping to find a whitepaper/online article/book to bolster my argument that an All-Dalvik app is as good security-wise as an app with sensitive logic hidden in native code. Some of my favorite examples of why native code

Re: [android-security-discuss] Secure Android apps necessarily native?

2011-05-11 Thread Chris Palmer
I know there exist C/C++ decompilers too, but my colleagues think the decompiled version is far more difficult to read. My colleagues don't. Don't make your security or your business model depend on the obscurity of client-side code. End of story. -- http://noncombatant.org/ These days,

Re: [android-security-discuss] Re: How to detect if 1 App is using other App's data in ANdroid?

2011-04-12 Thread Chris Palmer
Is there a way that App B can use App A's data using RPC? Yes, there always is (the internet, the sd card, ...). This is not specific to Android. Why would it be?

Re: [android-security-discuss] More Questions on Root CA Certs

2011-02-23 Thread Chris Palmer
On Wed, Feb 23, 2011 at 10:12 AM, Brian Carlstrom b...@google.com wrote: http://code.google.com/p/android/issues/detail?id=11231 yes, I created that request to funnel all the angst at myself. So let's all be nice to Brian. :) Internally I have the CAs reviewed with our security operations

Re: [android-security-discuss] Security enforcement

2011-02-23 Thread Chris Palmer
On Wed, Feb 23, 2011 at 10:13 AM, Anh-Duy Vu vuanhduy1...@gmail.com wrote:    Could I develop a service like installd and fire intents to other Android component and services without permission checking? Whether written in C or Java, an app can always fire any Intent it wants to. But no other

Re: [android-security-discuss] Security enforcement

2011-02-23 Thread Chris Palmer
On Wed, Feb 23, 2011 at 12:04 PM, Rahul Potharaju rahul...@gmail.com wrote: I understand when you say the receiver should ask Do I know or care about the sender of this Intent? and Is the Intent well-formed according to my input validation rules?. But I don't quite understand why the receiver

[android-security-discuss] One reason why Android security should matter

2011-02-18 Thread Chris Palmer
http://www.movements.org/blog/entry/5-reasons-why-android-is-becoming-the-go-to-mobile-device-for-activists/ Compared to other types of mobile devices on the market, Android seems to offer the most security.

Re: [android-security-discuss] Re: Android's Data Stealing Vulnerability

2011-02-18 Thread Chris Palmer
On Fri, Feb 11, 2011 at 10:25 AM, peterw pet...@tux.org wrote: Is this more evidence that a fear a number of us have expressed recently, that Google doesn't bother backporting security fixes to older Android OS releases, is justified? E.G., anyone who can't upgrade past Android

Re: [android-security-discuss] Need help regarding my ANDROID SELINUX project

2011-02-18 Thread Chris Palmer
On Tue, Feb 8, 2011 at 6:11 AM, rohith rohith.mo...@gmail.com wrote: I am doing a proj on Android Security using SELinux. The main idea of it is to design SELinux policies so that the application so designed can be used as a replacement for anti-virus solutions in android. Why? How will

Re: [android-security-discuss] Can an app read another app's apk?

2011-02-04 Thread Chris Palmer
So one could, in theory, create an app that snatches up all of the apks on every phone that installs it? One could even get all the APKs from Android Market! I would go as far as to say that you should not put secrets in APKs.

[android-security-discuss] PrivacyAppCamp in Mountain View 10 Feb 2011

2011-02-03 Thread Chris Palmer
http://privacyappcamp.eventbrite.com/ Join us on February 10th at Google's Mountain View campus for a chance to meet other technologists and privacy advocates who share the desire to protect privacy while also developing exciting, and profitable, applications for social networking, mobile, and

Re: [android-security-discuss] Protected memory space

2011-01-07 Thread Chris Palmer
Please ask questions about DRM on the android-drm-disc...@example.com list. This list is the Android security discussion list, and is thus the wrong venue for discussions about how to make software worse. that eventually can be used for storing confidential information that cannot be either

Re: [android-security-discuss] Re: An interesting idea to ultimately end ROOT on consumer devices

2010-12-20 Thread Chris Palmer
1a. There is no defense against a physically local attacker. 1b. That's a good thing. 2. Earlence is right: The Linux kernel is weak. We should focus our efforts on making it a smaller and harder target, not a bigger and dumber target. (All COTS kernels are weak. Non-COTS kernels usually come

Re: [android-security-discuss] PKCS12 Certificate

2010-12-16 Thread Chris Palmer
OpenSSL and the usual Java crypto API (Bouncy Castle provider) are available on Android. On Dec 16, 2010 9:38 AM, mdev sebastian.sch...@mobiledev.ch wrote: I'm new to java and android. for my current app, i need to create a p12 (pkcs12) file on my device. Did anyone do this before and got a hint

Re: [android-security-discuss] AccountManager's storage

2010-12-13 Thread Chris Palmer
Well, it is an open source operating system. Let's find out. ~/android/frameworks ; find . -iname '*account*manager*' ./base/docs/html/sdk/api_diff/8/changes/android.accounts.AccountManager.html ./base/core/java/android/accounts/IAccountManager.aidl

Re: [android-security-discuss] Re: SD Card encryption.

2010-12-13 Thread Chris Palmer
On Fri, Dec 10, 2010 at 12:24 PM, Kipling Inscore k...@bijna.net wrote: For strength of security, it's probably best to put this in the kernel, making it more difficult to circumvent by malicious users or malicious applications and unsuspecting users. Please explain. Also, none of this

Re: [android-security-discuss] Re: Blocking a user from rooting

2010-11-09 Thread Chris Palmer
aww come on Dianne help me out here LOL..ok let me rephrase this question.. Is there any way to stop rooting of a device and if so how? There is not now, and probably never will be, any fully effective defense against a physically local attacker trying to gain root privilege. Even sophisticated

Re: [android-security-discuss] Android cert management

2010-10-27 Thread Chris Palmer
On Wed, Oct 27, 2010 at 2:22 PM, Brian Carlstrom b...@google.com wrote: I think that is the goal of 11231. I'll note that there are some advantages of Windows Vista and later's ability to not ship with 100s of CAs on the device but dynamically add them, but I consider that separate from 11231

Re: [android-security-discuss] setuid equivalent for Android app?

2010-10-20 Thread Chris Palmer
On Mon, Oct 18, 2010 at 11:00 AM, Dianne Hackborn hack...@android.com wrote: There may be one or too very suid binaries, but that is all. And there is a CTS test to ensure that no new setuid binaries are created.

Re: [android-security-discuss] Re: Assistance requested for academic project

2010-10-20 Thread Chris Palmer
Could someone help me in doing my project or explain me the feasibility of my project??? And he said unto them, Ye will surely say unto me this proverb, Researcher, research thyself. http://en.wikipedia.org/wiki/Physician,_heal_thyself

Re: [android-security-discuss] android client and web service backend security

2010-10-06 Thread Chris Palmer
How are you going to stop regular web browsers from accessing the service?

Re: [android-security-discuss] Re: GeoCoder

2010-10-01 Thread Chris Palmer
On Fri, Oct 1, 2010 at 6:05 AM, Disconnect dc.disconn...@gmail.com wrote: The only difference between this and the microsoft attempt is that android doesn't pop it up as often, and doesn't allow you to say no. (That, personally, is still where I think it is Microsoft Windows Vista/7 UAC

Re: [android-security-discuss] ability to temporarily disable permissions

2010-10-01 Thread Chris Palmer
On Fri, Oct 1, 2010 at 11:52 AM, Disconnect dc.disconn...@gmail.com wrote: Also, the problem is not specific to Android --- Android just surfaces these pre-existing concerns and deals with them better. Not perfectly, but better. Other platforms give all apps all the goods all the time, no

Re: [android-security-discuss] Re: GeoCoder

2010-10-01 Thread Chris Palmer
Runs as a distinct ID, great, but that goes out the window with sd support and shared UIDs. Yes, the shared storage area is shared. Not all storage is shared. Shared UIDs only work when all apps asking to share a UID are signed by the same developer. If that developer is malicious, the apps

Re: [android-security-discuss] ability to temporarily disable permissions

2010-10-01 Thread Chris Palmer
processes running as the same UID. If somebody pops Firefox, your SSH keys, email, documents, et c. are all at risk. Arguably that is a security flaw, not a design/interface flaw. I don't know what distinction you're trying to draw there. OS X, Firefox, SSH, et c. are working as intended.

Re: [android-security-discuss] ability to temporarily disable permissions

2010-10-01 Thread Chris Palmer
OSX in your example isn't working as intended - the intended use of gdb is not to allow users to bypass keychain access restrictions any more than the Ok. How would you report the bug to Apple? If you worked at Apple, how would you fix this bug? Before you answer, read ptrace(2) and

Re: [android-security-discuss] Re: GeoCoder

2010-09-30 Thread Chris Palmer
On Thu, Sep 30, 2010 at 1:42 PM, Ryan Mattison rmattis...@gmail.com wrote: I'm just saying users are going to wise up at some point. In what way(s) do you think they are unwise now?

Re: [android-security-discuss] Relation between Android version and Linux kernel version

2010-09-30 Thread Chris Palmer
The kernel is updated periodically, and released when new Android releases are published. Additionally, patches make it into OTA updates. Google only knows about and can update Google Experience Devices; Google has no knowledge of or ability to update non-GEDs. There is no necessary link between

Re: [android-security-discuss] Re: GeoCoder

2010-09-29 Thread Chris Palmer
On Wed, Sep 29, 2010 at 1:56 AM, Neil neilb...@gmail.com wrote: Geocoder is one class. I think the original post was suggesting a permission to use that class without requiring internet permission. But permissions don't apply to individual classes. They can apply to Services, Receivers, and

Re: [android-security-discuss] Re: Rooting the emulator?

2010-09-07 Thread Chris Palmer
On Tue, Sep 7, 2010 at 10:23 AM, Earlence earlencefe...@gmail.com wrote: but this is only thru the adb shell. Yes. And that's a good thing. Rooted phones give normal application processes access to su and hence privileged commands. Sounds like a horrible security risk to me! :) How can

Re: [android-security-discuss] user application login

2010-09-07 Thread Chris Palmer
From the first time the user registers himself he should be logged on permanently, except the user logs out explicitly What's the common approach for this? My intention is to store a simple value as SharedPreference when the user is logged in. On application startup this value will be

Re: [android-security-discuss] Re: Rooting the emulator?

2010-09-07 Thread Chris Palmer
That is why the superuser app (standard root provider for almost 2 years) prompts the user to get permission for the app before allowing su. Of course. Unfortunately, Superuser is a veritable bestiary of Android security bug classes. We reported them when we discovered them, but they have gone

Re: [android-security-discuss] Re: Stored passwords

2010-09-02 Thread Chris Palmer
Regarding hardware key storage: The Android Compatibility Definition Document (http://source.android.com/compatibility/android-2.2-cdd.pdf) does not specify one, so no. Therefore, applications would have to get keying material from somewhere else, such as a user's PIN or password. Failing that,

Re: [android-security-discuss] String Encryption on android

2010-09-02 Thread Chris Palmer
Can you tell me a good library for password en/decryption which works on android and google app engine. I have to send an encrypted string via webservices between android and gae. I don't know anything about App Engine, but in one minute I was able to find out that it has PyCrypto:

Re: [android-security-discuss] Re: question about publishing app in the android market

2010-07-27 Thread Chris Palmer
Do you mean Secrets by Brandon Stecklein? That is not a Google app. It uses Coarse Location and Internet permissions; if it can access email or SMS messages that would be a problem. Are you saying that it can? On Jul 26, 2010 1:27 PM, sharedwd share...@gmail.com wrote: The user will see when

Re: [android-security-discuss] Re: question about publishing app in the android market

2010-07-27 Thread Chris Palmer
http://android-developers.blogspot.com/2010/06/exercising-our-remote-application.html On Jul 27, 2010 7:42 PM, Duane Blanchard dblanch...@gmail.com wrote: Can you tell me more about the occasion that they used the kill button? Thx, D On Tue, Jul 27, 2010 at 3:10 PM, Xenplex

Re: [android-security-discuss] Re: Enterprise Security support

2009-10-30 Thread Chris Palmer
is unknown and will stay so because it is only the released code that is open in Android. That doesn't mean that Google or Android are bad, it just means that there are fairly big limits to what externals can contribute with. - Original Message - From: Chris Palmer To: android-security

[android-security-discuss] Re: No security mechanism to protect again reflection?

2009-10-28 Thread Chris Palmer
You can load and use the classes, but they will execute with the permission of your app, not of the app whose code you're borrowing. Or are you saying the code runs as the other app? Even if Android did stop app A from borrowing app B's code as found on the device, app A (or the developer of A)

[android-security-discuss] Re: Nov 2, Social Web Camp in Santa Clara

2009-10-28 Thread Chris Palmer
Best of luck to you; I'm all for web auth alternatives. However, I think you've got an uphill battle here. The usability concerns you raise and that your commenters raise are not ancillary to the key problem -- they *are* the key problem. The set of secure systems is a subset of the usable

[android-security-discuss] Re: Enterprise Security Requirements

2009-10-19 Thread Chris Palmer
On Mon, Oct 19, 2009 at 7:03 AM, Grizzly griz...@grizzlylabs.com wrote: remote location. Is it possible to implement a API that allows a data provider the ability to list security settings before allowing access? In other words can my VPN ask the device if a password is set?

[android-security-discuss] Re: Third-party native code protection

2009-08-24 Thread Chris Palmer
Don't think of Java, perhaps especially Dalvik, as a way to protect against kernel bugs. Userland can't generally defend in depth against kernel flaws. Like all operating systems, Android trusts the kernel to uphold the kernel's own design guarantees. If the guarantee is broken, that's a kernel

[android-security-discuss] Re: Third-party native code protection

2009-08-24 Thread Chris Palmer
immediately, but there is a reason why skydivers carry two parachutes. -Will Chris Palmer wrote: Don't think of Java, perhaps especially Dalvik, as a way to protect against kernel bugs. Userland can't generally defend in depth against kernel flaws. Like all operating systems, Android

[android-security-discuss] Re: Looking for contribution topic

2009-08-13 Thread Chris Palmer
As always, I don't speak for my employer or any of my employer's clients. On Mon, Aug 3, 2009 at 6:43 AM, juanfeandr...@inalambris.com wrote: http://www.mail-archive.com/android-security-discuss@googlegroups.com/msg00193.html Have you tried this scenario recently, with Cupcake or the latest

[android-security-discuss] Re: Method to enforce System Wide Security Policy

2009-07-14 Thread Chris Palmer
On Tue, Jul 14, 2009 at 4:07 AM, Akhilesh Gupta akhilesh.iitde...@gmail.com wrote: I basically want that on the press of a button (or a command), the device switches to a mode in which certain services such as bluetooth, wi-fi, camera and/or gps be disabled (i.e. no application can access

[android-security-discuss] Re: Android PGP

2009-06-02 Thread Chris Palmer
It sounds like a good item for Market. Maybe you could e.g. port GNU Privacy Guard to Android, then hack the Email app to use it (and enable it to use SSH-style server auth while you're at it...). On Jun 2, 2009 4:40 AM, chrismrutherf...@googlemail.com chrismrutherf...@googlemail.com wrote: Hi