The Privacy Enthusiast’s Guide to Using Android

With everyone from local scammers to government agencies trying to get hands on your data, there’s never been a better time to beef up your privacy game. Fortunately, there are a ton of options out there to keep your messages, files, and phone safe on Android.

Before we begin, we should point this out: using a smartphone is always going to be a risk. Especially one running services from Google. You can use these tips and apps to protect some of your communication, but you’re never going to be totally off the grid as long as you’re using an Android phone. That doesn’t mean you have to make it easy on an attacker, though.

25 Android libraries you definitely want to try out in early 2017

This is a list of 25 best Android libraries released in January and February 2017. All of these are worth trying out — they are not in ranked order. Let’s get started!

https://medium.freecodecamp.com/25-new-android-libraries-which-you-definitely-want-to-try-at-the-beginning-of-2017-45878d5408c0#.h2thp6drh

Amazon Pinpoint – Hit your Targets with AWS

Today we are launching Amazon Pinpoint, a new service that makes it easy to run targeted campaigns to improve user engagement. Pinpoint helps you understand your users’ behavior, define who to target, what messages to send, when to deliver them, and tracks the results of the campaign.

Pinpoint enables real-time analytics with dashboards for analyzing user engagement, monetization, user demographics, custom events, and funnels so you can understand how users engage with your application. You can analyze and understand your user data by drilling down based on the segments you’ve defined, segmentation attributes, or time.

With Pinpoint, you can define target segments from a variety of different data sources. You can identify target segments from app user data collected in Pinpoint. You can build custom target segments from user data collected in other AWS services such as Amazon S3 and Amazon Redshift, and import target user segments from third party sources such as Salesforce via S3.

Once you define your segments, Pinpoint lets you send targeted notifications with personalized messages to each user in the campaign based on custom attributes such as game level, favorite team, and news preferences for example. Amazon Pinpoint can send push notifications immediately, at a time you define, or as a recurring campaign. By scheduling campaigns, you can optimize the push notifications to be delivered at a specific time across multiple time zones. For your marketing campaigns Pinpoint supports Rich Notifications to enable you to send images as part of your campaigns. We also support silent or data notifications which allow you to control app behavior and app config on the background.

Once your campaign is running, Amazon Pinpoint provides metrics to track the impact of your campaign, including the number of notifications received, number of times the app was opened as a result of the campaign, time of app open, push notification opt-out rate, and revenue generated from campaigns. You can also export the resulting event data and run custom analytics using your existing analytics systems. You can also A/B test different messages, track results, and then send the best message to your target segment.

With Pinpoint there is no minimum fee, no setup cost and no fixed monthly cost based on your total user pool. You only pay for the number of users you target or collect events from, the messages you send, and events you collect, so you can start small and scale as your application grows.

Now lets take a look at how Pinpoint makes it easy to setup a campaign.

https://aws.amazon.com/blogs/aws/amazon-pinpoint-hit-your-targets-with-aws/

Using Rowhammer bitflips to root Android phones is now a thing

Researchers have devised an attack that gains unfettered “root” access to a large number of Android phones, exploiting a relatively new type of bug that allows adversaries to manipulate data stored in memory chips.

The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the operating system and neuters key security defenses. Equally important, it demonstrates that the new class of exploit, dubbed Rowhammer, can have malicious and far-reaching effects on a much wider number of devices than was previously known, including those running ARM chips.

Previously, some experts believed Rowhammer attacks that altered specific pieces of security-sensitive data weren’t reliable enough to pose a viable threat because exploits depended on chance hardware faults or advanced memory-management features that could be easily adapted to repel the attacks. But the new proof-of-concept attack developed by an international team of academic researchers is challenging those assumptions.

An app containing the researchers’ rooting exploit requires no user permissions and doesn’t rely on any vulnerability in Android to work. Instead, their attack exploits a hardware vulnerability, using a Rowhammer exploit that alters crucial bits of data in a way that completely roots name brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers.

 

http://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing

Full(er) House: Exposing high-end poker cheating devices

This post exposes how real-world highly advanced poker cheating devices work.

In 2015, I stumbled upon a post in an underground forum, discussing how someone was ripped off at a poker table by a very advanced poker cheating device. From what I understood at that time, the post being in Chinese, the device was able to remotely read card markings to inform the cheater who will win the next hand.

Intrigued, I decided to follow the trail of this fabled device to see if people were indeed cheating at poker using devices that would fit naturally into a James Bond movie.

Without spoiling too much of the rest of this post, let’s just say that the high-end cheating device that I was able to get my hands on far exceeded my expectations and it really is an outstanding piece of technology.

As a matter of fact, it is so advanced and cool that with Celine and Jean-Michel, my co-conspirators, we decided to do a Defcon talk about how it works. You can watch the recording of our talk below and grab the slides here:

 

https://www.elie.net/blog/security/fuller-house-exposing-high-end-poker-cheating-devices

Quiet for Android – TCP over sound

org.quietmodem.Quiet

org.quietmodem.Quiet allows you to pass data through the speakers on your Android device. This library can operate either as a raw frame layer or as a UDP/TCP stack.

This package contains prebuilt library files for libquiet and quiet-lwip as well as their dependencies. On top of that, it adds Java bindings which closely mimic the familiar interfaces from the java.net.* package.

This package is provided under the 3-clause BSD license. The licenses of its dependencies are also included and are licensed under a mix of BSD and MIT.

Quiet comes with support for armeabi-v7a, arm64-v8a, x86, and x86_64. It requires Android API 14 for 32-bit mode and API 21 for 64-bit mode. It requires only the RECORD_AUDIO permission.

For testing purposes, Genymotion is highly recommended over the default emulator. Genymotion provides access to the microphone while the default Android Studio one does not and will throw an exception when Quiet attempts to use the microphone.

Why sound? Isn’t that outdated?

If you are old enough, you may remember using dial-up modems to connect to the internet. In a sense, this package brings that back. While it’s true that this is somewhat of a retro approach, consider the advantages of using sound.

  • Highly cross-platform. Any device with speakers and a microphone and sufficient computational power can use this medium to communicate.
  • No pairing. Unlike Bluetooth, sound can be used instantly without the need to pair devices. This reduces the friction and improves the user experience.
  • Embeddable content. Similar to a QR code, short packets of data can be encoded into streaming or recorded audio and can then be later decoded by this package.

https://github.com/quiet/org.quietmodem.Quiet

Spying on Android events without modifying source code

Let’s say you want to intercept events in an Android app, but don’t want to modify your source code. As a simple example, you want to add logging whenever the user clicks on any button in your app. I got a bit curious about whether it was possible so I spent some time last week figuring out how this might work. This was extra fun because I’ve never written and Android app, and it’s been years since I did anything in the Java ecosystem.

http://kamalmarhubi.com/blog/2016/10/03/android-events/index.html