Samsung Encryption Flaw
news.movim.eu / Schneier · Wednesday, 2 March, 2022 - 20:45 · 1 minute
Researchers have found a major encryption flaw in 100 million Samsung Galaxy phones.
From the abstract:
In this work, we expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google’s Secure Key Import.
Here are the details:
As we discussed in Section 3, the wrapping key used to encrypt the key blobs (HDK) is derived using a salt value computed by the Keymaster TA. In v15 and v20-s9 blobs, the salt is a deterministic function that depends only on the application ID and application data (and constant strings), which the Normal World client fully controls. This means that for a given application, all key blobs will be encrypted using the same key. As the blobs are encrypted in AES-GCM mode-of-operation, the security of the resulting encryption scheme depends on its IV values never being reused.
Gadzooks. That’s a really embarrassing mistake. GCM needs a new nonce for every encryption. Samsung took a secure cipher mode and implemented it insecurely.
News article.
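Why a deterministic wrapping key plus a repeated IV breaks the scheme, as an added example that is not part of the original post or the researchers' code. It is a model only: the keystream is an HMAC-SHA256 stand-in for the AES counter-mode keystream inside GCM, and the root key, the names `derive_key`, `wrap`, `wrap_fresh_iv` and `reused_pairs`, and the premise that two blobs receive the same IV are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_key(root: bytes, app_id: bytes, app_data: bytes) -> bytes:
    """Model of the flawed derivation: the salt depends only on caller-chosen values."""
    salt = hashlib.sha256(b"constant-string" + app_id + app_data).digest()
    return hmac.new(root, salt, hashlib.sha256).digest()

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for the CTR keystream inside GCM (HMAC-SHA256, not AES):
    like the real one, it is a function of (key, IV) only."""
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(key: bytes, iv: bytes, material: bytes) -> bytes:
    return xor(material, keystream(key, iv, len(material)))

def wrap_fresh_iv(key: bytes, material: bytes) -> tuple[bytes, bytes]:
    """Corrected form: the wrapping side draws a new random 96-bit IV per blob."""
    iv = os.urandom(12)
    return iv, wrap(key, iv, material)

def reused_pairs(blobs):
    """Audit helper: return the (key_id, iv) pairs that occur more than once."""
    seen, dup = set(), set()
    for pair in blobs:
        (dup if pair in seen else seen).add(pair)
    return dup

def demo():
    root = b"\x11" * 32                  # constructed stand-in for the hardware root key
    key = derive_key(root, b"app-id", b"app-data")
    assert key == derive_key(root, b"app-id", b"app-data")  # same inputs, same key
    known, secret = b"K" * 32, os.urandom(32)
    iv = bytes(12)                       # assumed: both blobs get the same IV
    c1, c2 = wrap(key, iv, known), wrap(key, iv, secret)
    leaks = xor(xor(c1, c2), known) == secret      # the shared keystream cancels out
    (_, h1), (_, h2) = wrap_fresh_iv(key, known), wrap_fresh_iv(key, secret)
    still_leaks = xor(xor(h1, h2), known) == secret
    return leaks, still_leaks

if __name__ == "__main__":
    print(demo())
```

`reused_pairs` is the kind of check a reviewer can run over stored blob metadata: any non-empty result means two ciphertexts share a keystream.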
Hundreds of scam apps hit over 10 million Android devices
news.movim.eu / ArsTechnica · Saturday, 2 October, 2021 - 10:50 · 1 minute
Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns involving about 200 apps and more than 10 million potential victims shows that this longtime problem remains far from solved—and in this case, potentially cost users hundreds of millions of dollars.
Researchers from the mobile security firm Zimperium say the massive scamming campaign has plagued Android since November 2020. As is often the case, the attackers were able to sneak benign-looking apps like "Handy Translator Pro," "Heart Rate and Pulse Tracker," and “Bus - Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to "confirm" their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious indicators out of the code of the app itself. Once a user entered their digits, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It's a mechanism that normally lets you pay for digital services or, say, send money to a charity via text message. In this case, it went directly to crooks.
The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious issue. But the researchers say it's significant that attackers were able to string these known approaches together in a way that was still extremely effective—and in staggering numbers—even as Google has continuously improved its Android security and Play Store defenses.
We are looking for some help for the Movim Android application
Timothée Jaussoin · pubsub.movim.eu / Movim · Monday, 31 May, 2021 - 20:17 · 2 minutes
I have been maintaining #Movim for more than 10 years now, mostly without asking for any help from the hundreds of daily users that we have now (on the servers we're aware of, at least). I am also maintaining and updating the infrastructure hosting the website, the official pod and the #XMPP server and related services.
However Movim is a little more than that, there is also an Android app, and a desktop app (currently abandoned).
I am maintaining the Android app with the really thin knowledge that I have on this platform. Most of the code of the application is basically copy/pasted from StackOverflow and a bit hacky. Fixing and developing this app is always really time consuming as the environment, and the way of dealing with it, is really different than the knowledge that I have on the web development side.
So basically today I'm asking for some help for the official Movim Android application. If you have a little bit of experience in Android development (or if you want to learn!) and if you're willing to help me to improve the application do not hesitate to contact me through our official chatroom, directly on Github or as a comment of this post.
The app is quite simple. It is basically a WebView that shows one of the configured pods. And… that's mostly it.
What would be really helpful would be to have (non exhaustive list):
- Another pair of eyes to check and maybe refactor the few classes that are contained in the application
- Create two flavors of the app, one "Play Store ready" and one "free of Google Play" integration (the current app cannot be published on F-Droid because there are some strong dependencies there)
- Fix the mic/camera support and authorizations
- See if the current notification system can be improved
- Send an event to Movim when the app is "put in background" in a chat conversation to ensure that the notifications are re-enabled in this specific case
- And any other nice feature that you would like to see integrated
There is no pressure or deadline, any pull requests that could help improving or fixing things in the application would be really appreciated.
I am currently dealing with Google to re-enable the application on the Play Store as well, I will keep you updated about that.
Forget multiple cameras—Sharp phone has one giant 1-inch camera sensor
news.movim.eu / ArsTechnica · Monday, 17 May, 2021 - 16:46 · 1 minute
On the back, you get a single giant camera, a time-of-flight sensor, and an LED flash. That's it. [credit: Sharp]
Is filling the back of a smartphone with several small camera lenses really the best camera solution? Sharp is bucking the multi-camera trend with the Aquos R6, a phone with—get this—a single massive camera on the back. Sharp is skipping all the wide-angle zoom lenses out there and going with a giant 1-inch camera sensor instead. This is either the single biggest smartphone camera sensor ever or it's tied for the largest ever, depending on how you categorize 2014's Panasonic Lumix CM1, which isn't so much a "phone" as it is a point-and-shoot camera that runs Android and can make phone calls.
Sharp is not talking about its camera sensor supplier, but there's a good chance the part is from fellow Japanese company Sony, which has had a 1-inch "IMX800" sensor circulating around the rumor mill for some time. Sony is the leading smartphone camera sensor manufacturer, so don't be surprised to see a few more 1-inch sensor phones this year. The rest of the specs look pretty good, too. The phone comes with Android 11, a Snapdragon 888 SoC, 12GB of RAM, 128GB of storage, a 5000 mAh battery, a microSD slot, a headphone jack, and a USB-C port.
The display is a Sharp-made OLED with a whopping 240 Hz refresh rate. Sharp has made 240 Hz displays before, but it says this one is the "world's first" display to have a dynamic refresh rate that goes from 1 Hz to 240 Hz, depending on the content.