Researchers at Bluebox Security have revealed a disturbing flaw in Android’s security model, which the group claims may affect up to 99 percent of Android devices in existence. According to Bluebox, this vulnerability has existed since Android 1.6 (Donut) , which gives malicious app developers the ability to modify the code of a legitimate APK, all without breaking its cryptographic signature — thereby allowing the installation to go unnoticed. To pull off the exploit, a rotten app developer would first need to trick an unknowing user into installing the malicious update, but hackers could theoretically gain full control of a user’s phone if the “update” posed as a system file from the manufacturer. Bluebox claims that it notified Google of the exploit in February. According to CIO , Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that’s currently immune to the exploit — which suggests that a security patch may already exist. Forristal further claims that Google is working on an update for its Nexus devices. In response to our inquiry, Google told us that it currently has no comment. We certainly hope that device manufacturers do the responsible thing and distribute timely security patches to resolve this issue. Absent that, you can protect yourself by installing updates through the Play Store and Android’s built-in system update utility. Filed under: Software , Mobile , Google Comments Source: Bluebox Security , CIO
Read More:
Bluebox reveals Android security hole, may affect 99 percent of devices
If there’s one thing we all hate, it’s losing a yacht race. Owning a yacht and taking the time to think up a really clever name for it, only to become the laughingstock of the marina because it’s too slow, is a feeling few of us enjoy. That’s why when my next paycheck comes in, I’m going to pick one of these Adastra superyachts up. The trimaran design keeps most of the boat out of the water, allowing for swift speed with less fuel consumption; as soon as I’m skipper, I’ll ensure my old yacht-racing nemesis, Blake Chambers, will regretta his next Regatta. Every time I turn these lights on, I whisper to myself: “Boo-yah” (more…) 
alphadogg writes “The founder of an eavesdropping-resistant instant messaging application called Cryptocat has apologized over a now-fixed bug that made some types of messages more vulnerable to snooping. Cryptocat, which runs inside a web browser, is an open-source application intended to provide users with a high degree of security by using encryption to scramble messages. But Cryptocat warns that users should still be very cautious with communications and not to trust their life with the application. The vulnerability affected group chats and not private conversations. The encryption keys used to encode those conversations were too short, which in theory made it easier for an attacker to decrypt and read conversations.” The bug report/merge request, and an analysis of the bug (although, in light of the Cryptocat’s gracious response, overly acerbic and dismissive of the project). Read more of this story at Slashdot.