
    Leaked Signing Keys Are Being Used to Sign Malware

    news.movim.eu / Schneier · Tuesday, 6 December - 20:14 · 1 minute

A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware.

Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

This is a huge problem. The whole system of authentication rests on the assumption that signing keys are kept secret by the legitimate signers. Once that assumption is broken, all bets are off:

Samsung’s compromised key is used for everything: Samsung Pay, Bixby, Samsung Account, the phone app, and a million other things you can find on the 101 pages of results for that key. It would be possible to craft a malicious update for any one of these apps, and Android would be happy to install it overtop of the real app. Some of the updates are from today, indicating Samsung has still not changed the key.


    Samsung Encryption Flaw

    news.movim.eu / Schneier · Wednesday, 2 March, 2022 - 20:45 · 1 minute

Researchers have found a major encryption flaw in 100 million Samsung Galaxy phones.

From the abstract:

In this work, we expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google’s Secure Key Import.

Here are the details:

As we discussed in Section 3, the wrapping key used to encrypt the key blobs (HDK) is derived using a salt value computed by the Keymaster TA. In v15 and v20-s9 blobs, the salt is a deterministic function that depends only on the application ID and application data (and constant strings), which the Normal World client fully controls. This means that for a given application, all key blobs will be encrypted using the same key. As the blobs are encrypted in AES-GCM mode-of-operation, the security of the resulting encryption scheme depends on its IV values never being reused.

Gadzooks. That’s a really embarrassing mistake. GCM needs a new nonce for every encryption. Samsung took a secure cipher mode and implemented it insecurely.

News article.
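The property the paper describes, as an added example that is not from the paper, from Samsung, or from this post: a constructed wrapping-key derivation that depends only on caller-supplied identifiers (so every blob for one application gets the same key), and a check showing that two AES-GCM blobs sealed under one key and one reused IV leak the XOR of their plaintexts, while a fresh nonce does not. WrapKey, sealGCM and KeystreamCancels are hypothetical names, and the application IDs and blob contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// WrapKey models the flawed derivation: the wrapping key depends only on
// inputs the Normal World client controls, so every blob for one application
// is sealed under the same key. Constructed model, not the real Keymaster TA.
func WrapKey(appID, appData []byte) []byte {
	h := sha256.Sum256(append(append([]byte("blob-key:"), appID...), appData...))
	return h[:]
}

// sealGCM encrypts plaintext with AES-256-GCM; output is ciphertext || tag.
func sealGCM(key, nonce, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte key from WrapKey, cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead.Seal(nil, nonce, plaintext, nil)
}

// KeystreamCancels reports whether c1 XOR c2 == p1 XOR p2 (equal-length inputs).
// With one key and one reused nonce the CTR keystream cancels, so blobs leak p1 XOR p2.
func KeystreamCancels(key, nonce1, nonce2, p1, p2 []byte) bool {
	c1, c2 := sealGCM(key, nonce1, p1), sealGCM(key, nonce2, p2)
	xor := func(a, b []byte) []byte {
		out := make([]byte, len(a))
		for i := range out {
			out[i] = a[i] ^ b[i]
		}
		return out
	}
	return bytes.Equal(xor(c1[:len(p1)], c2[:len(p2)]), xor(p1, p2))
}

func main() {
	key := WrapKey([]byte("com.example.app"), []byte("appdata")) // constructed IDs
	p1 := bytes.Repeat([]byte{0x11}, 32)                         // stand-ins for two key blobs
	p2 := bytes.Repeat([]byte{0x22}, 32)
	reused := make([]byte, 12) // deterministic IV reused for every blob: the flaw
	fmt.Println("reused IV leaks p1^p2:", KeystreamCancels(key, reused, reused, p1, p2))
	fresh := make([]byte, 12)
	rand.Read(fresh) // fresh random nonce per encryption: the fix
	fmt.Println("fresh IV leaks p1^p2:", KeystreamCancels(key, reused, fresh, p1, p2))
}
```

The same key is also what makes the deterministic salt dangerous in the first place; a per-blob random nonce, or a key that changes per blob, breaks the cancellation.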


    Hundreds of scam apps hit over 10 million Android devices

    news.movim.eu / ArsTechnica · Saturday, 2 October, 2021 - 10:50 · 1 minute

Never put a GriftHorse on your phone. (credit: John Lamparsky | Getty Images)

Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns involving about 200 apps and more than 10 million potential victims shows that this longtime problem remains far from solved—and in this case, potentially cost users hundreds of millions of dollars.

Researchers from the mobile security firm Zimperium say the massive scamming campaign has plagued Android since November 2020. As is often the case, the attackers were able to sneak benign-looking apps like "Handy Translator Pro," "Heart Rate and Pulse Tracker," and “Bus - Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to "confirm" their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious indicators out of the code of the app itself. Once a user entered their digits, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It's a mechanism that normally lets you pay for digital services or, say, send money to a charity via text message. In this case, it went directly to crooks.


The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious issue. But the researchers say it's significant that attackers were able to string these known approaches together in a way that was still extremely effective—and in staggering numbers—even as Google has continuously improved its Android security and Play Store defenses.


    We are looking for some help for the Movim Android application

    Timothée Jaussoin · pubsub.movim.eu / Movim · Monday, 31 May, 2021 - 20:17 · 2 minutes

Hi,

I am writing this little post today to ask for (a bit) of help on the official Movim #Android application that is currently available there.

I have been maintaining #Movim for more than 10 years now, mostly without asking for any help from the hundreds of daily users that we have now (on the servers we're aware of, at least). I am also maintaining and updating the infrastructure hosting the website, the official pod and the #XMPP server and related services.

However, Movim is a little more than that: there is also an Android app, and a desktop app (currently abandoned).

I am maintaining the Android app with the really thin knowledge that I have of this platform. Most of the code of the application is basically copy/pasted from StackOverflow and a bit hacky. Fixing and developing this app is always really time consuming, as the environment, and the way of dealing with it, is really different from the knowledge that I have on the web development side.

So basically today I'm asking for some help for the official Movim Android application. If you have a little bit of experience in Android development (or if you want to learn!) and if you're willing to help me improve the application, do not hesitate to contact me through our official chatroom, directly on Github or as a comment on this post.

The app is quite simple. It is basically a WebView that shows one of the configured pods. And… that's mostly it.

What would be really helpful would be to have (non exhaustive list):

  • Another pair of eyes to check and maybe refactor the few classes that are contained in the application
  • Create two flavors of the app, one "Play Store ready" and one "free of Google Play" integration (the current app cannot be published on F-Droid because there are some strong dependencies there)
  • Fix the mic/camera support and authorizations
  • See if the current notification system can be improved
  • Send an event to Movim when the app is "put in background" in a chat conversation to ensure that the notifications are re-enabled in this specific case
  • And any other nice feature that you would like to see integrated

There is no pressure or deadline; any pull requests that could help improve or fix things in the application would be really appreciated.

I am currently dealing with Google to re-enable the application on the Play Store as well, I will keep you updated about that.

Regards,

edhelas

  • 2 Comments

    24 August, 2021 kefah

    First of all: Hats off for the amazing accomplishment. I just came across Movim today and I'm pretty impressed.

    How can I learn more about the codebase? What technologies did you choose? I can see that the Android app is almost identical to the web, so I assume that the web version is embedded into the Android app.

    Do you have the code/issues on Github?

    24 August, 2021 kefah

    My bad! Just noticed the Github link on your post: https://github.com/movim/movim_android
    Will look into it and come back. Thanks!