Researchers uncover faulty encryption in apps available in Google's Play Market.
by Dan Goodin - Oct 22 2012, 5:27am CEST
By exploiting inadequate SSL protections in an anti-virus app, researchers were able to force it to download a malicious virus signature.
Fahl et al.
Android applications downloaded by as many as 185 million users can expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.
The researchers identified 41 applications in Google's Play Market that leaked sensitive data as it traveled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services. By connecting the devices to a local area network that used a variety of well-known exploits, some of them available online, the scientists were able to defeat the secure sockets layer and transport layer security protocols implemented by the apps. Their research paper didn't identify the programs, except to say they have been downloaded between 39.5 million and 185 million times, based on Google statistics.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers, from Germany's Leibniz University of Hannover and Philipps University of Marburg, wrote. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." Other exposed data included the contents of e-mails and instant messages.
A Google spokesman declined to comment. There was no evidence any of the vulnerable apps were developed by Google employees, although the researchers said there are steps Google engineers could take to better ensure Android apps implement the encryption more securely.
The findings underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and end users. While the technology itself is generally considered secure, its protection can be undermined when certificate authorities fail to secure their infrastructure or websites don't take proper precautions. The paper, presented at this week's Computer and Communications Security conference, exposes yet another point of failure, which is poor implementation by app developers.
"All things said, it's generally good research that should make developers more aware of these basic security deficiencies that shouldn't have made it through any respectable QA process," Jon Oberheide, CTO of mobile firm Duo Security, told Ars. "Needless to say, security isn't top of mind of most mobile developers."
The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a "static analysis." Those tests checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."
From the list of the 1,074 potentially vulnerable apps, the researchers picked 100 of them to subject to a manual audit that connected them to a network that used an SSL proxy to test whether the SSL implemented in the devices could be defeated. In some cases, the apps accepted SSL certificates that were signed by the researchers rather than a valid certificate authority. In others, the accepted certificates authorized a domain name other than the one the app was accessing. In still other cases, the apps were defeated by attacks including SSLstrip, which researcher Moxie Marlinspike demonstrated in 2009. Some apps also accepted certificates signed by authorities that are no longer valid. (It appears the Android operating system gives end users a means to manually disable various CAs.)
Examples of vulnerabilities included:
An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.
An app with an install base of 1 million to 5 million users, billed as a "simple and secure" way to upload and download cloud-based data, that exposed login credentials. The leakage was the result of a "broken SSL channel."
A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.
A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.
While the researchers didn't identify the vulnerable apps, descriptions such as a "generic online banking app" suggest that most if not all of them were offered by third-party developers rather than the websites or services they connected to. Readers who are concerned their apps are vulnerable should start their inquiry by looking at those that are developed by outside firms.
Locking down Android
The paper lists a variety of ways SSL protection can be improved on the Android platform. One is for the type of static analysis they performed to be done at the time a user is installing an app. Another is to use a technique known as certificate pinning, which makes it much harder for an app or browser to accept fraudulent certificates like the ones used in the study. The researchers also recommended Google engineers develop new ways for Android to make it clear when the connection provided by various apps is encrypted and when it's not. Google may be equipping Android phones with their own malware scanner, recent reports indicate.
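As an added illustration (not code from the paper or from any of the apps studied), here is the trust-all TrustManager pattern the researchers' static analysis flags, next to a pinning TrustManager of the kind the paper recommends; the class name PinnedTls, the method pinned() and the placeholder PINNED_LEAF_SHA256 are assumptions for the example.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTls {
    // The pattern the study's static analysis flags: checkServerTrusted never
    // throws, so any certificate (self-signed, expired, wrong host) is accepted
    // and a proxy on the local network goes unnoticed.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Placeholder pin (assumption): a real app embeds the SHA-256 of its
    // server's DER-encoded leaf certificate, obtained out of band at build time.
    static final byte[] PINNED_LEAF_SHA256 = new byte[32];

    // Hardened form: keep the platform's chain validation (CA signature,
    // validity dates) and additionally require the leaf to match the pin.
    static X509TrustManager pinned() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the system CA store
        final X509TrustManager system = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String auth)
                    throws CertificateException { system.checkClientTrusted(chain, auth); }
            public void checkServerTrusted(X509Certificate[] chain, String auth)
                    throws CertificateException {
                system.checkServerTrusted(chain, auth); // normal CA-based validation first
                try {
                    byte[] fp = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
                    if (!MessageDigest.isEqual(fp, PINNED_LEAF_SHA256))
                        throw new CertificateException("leaf certificate does not match pin");
                } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
            }
            public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
        };
    }
}
```

Install pinned() through SSLContext.init() and leave the default HostnameVerifier in place; replacing it with one that returns true for every host is the second pattern the study flags.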
The paper made no attempt to measure the security provided by apps available for Apple's competing iOS platform. One possible reason the researchers focused on Android apps exclusively is that the openness of the Google platform made it easier to perform static analysis. That, in turn, made it possible to zero in on the apps with SSL implementations that exposed sensitive user data. It would be interesting to see the results of a similar analysis performed on the 13,000 most popular iPhone apps.