November 24, 2010

Android Browser Flaw Discovered

Security researcher Thomas Cannon recently demonstrated a vulnerability in Android that could allow an attacker access to a user’s private information.  In essence, it is possible for a malicious website to convince the Android browser to download a file to a predictable location, rendering and executing JavaScript in a local context. This happens without prompting the user and can result in exposing local files, for example photos, that are in a predictable location.

Cannon demonstrated this flaw via video yesterday by retrieving a file from the phone and then posting it to a remote site. As expected, the Google security team responded very quickly and is committed to a fix in the upcoming Gingerbread (Android 2.3) maintenance release.  Until a fix is available for your device, you may consider the following options to stay extra safe:

  • Only visit websites you trust.
  • Disable JavaScript in the browser.
  • Watch for suspicious automatic downloads, which should be flagged in the notification area. Downloads shouldn’t happen silently in the background.
  • Use a browser such as Opera Mobile, which prompts the user before downloading files.
  • Unmount the SD card. To unmount the SD card, go to Settings –> SD & phone storage and click “unmount SD card”. According to Cannon, this could have an impact on the usability of the device in some situations.

We’ll keep you updated as we hear from the carriers and manufacturers as to when they release a fix for this vulnerability.

Category:   Android  •  exploits  •  Vulnerability

November 16, 2010

Come and get it! Lookout Premium is here.

It’s not every day that you launch a new product. But when one of those days rolls around, you certainly feel a sense of accomplishment.  Today is one of those days and I’m happy to say that Lookout Premium is available to all Android users.  It is easy to download and try Lookout Premium. If you haven’t already, download the free Lookout application from the Android Market, and from there you can easily upgrade.

Lookout Premium provides added security and privacy protection with all the great features in Free, plus:

  • Additional Security + Privacy: Privacy Advisor + Remote Wipe and Remote Lock
  • Enhanced Backup & Restore: Photos and call history, in addition to contacts. Transfer data to a new phone.
  • Premium Support: Priority response to your issues and questions

And of course, we will continue to offer our award-winning free product. On behalf of the entire Lookout team, I want to thank our amazing users who have been a tremendous force in the market — for being our advocates and sharing Lookout with their friends and family. Please take a moment to try Lookout Premium. We hope you love it!

*** If you don’t see the “Try Premium” button yet, please check back again tomorrow. Early this morning, we started rolling out Premium to all users, but it will take some time (as roll-outs normally do). You should see the updated version by the end of the week. If you are already a Lookout user, click this link to upgrade directly and get an extra month for free: Upgrade Now!

Thank you for your patience!

Category:   Android  •  Lookout News  •  Lookout Premium

November 15, 2010

Lookout’s Privacy Advisor Protects your Private Information

These days, new mobile apps come out every day, and it’s difficult to keep up. As smartphones become more capable, the apps on smartphones become more of an integral part of our lives. Our phones know who we call, text, email, where we bank, who our friends are, and where we hang out. And it isn’t just our phones that have access to this private information; apps can access this information too.

For most people, the process of deciphering the capabilities of each app is overwhelming. Instead you assume (or hope for) the best: that your phone is working fine and your data is protected. Unfortunately, leaving these things to chance can put you and your phone at risk.

If your smartphone usage is near the average, you’ll find that more than half the apps you’ve downloaded access your identity information (including your mobile number, email address, or phone ID number) and as many as ten of them know your current location. In most cases this is fine: the apps work as advertised and your phone and your data remain safe. But there are certain apps that do pose a problem, or you might find yourself uneasy with the amount of private data an app can access.

The idea for Privacy Advisor was born because we – a group of smartphone security professionals – wanted an easier way to tell which apps could access private data on our own phones. We wanted a clean and simple way to see which apps have which sensitive capabilities, and we think all mobile users deserve the same transparency. Empowered with this information, you can make informed decisions about which apps you want to keep on your phone.

Privacy Advisor gives insight into which apps access private data, and will help you keep track of all the great (and not so great) apps on your phone.   It includes three primary components: a Privacy Scan, Privacy Dashboard, and detailed App Reports.  With Privacy Advisor, you can scan every app you’ve downloaded and quickly view a comprehensive list of apps that can access your private data, such as identity information, location, and messages.  If you need more information, detailed app reports explain the risks and capabilities of each application you download.

  • Privacy Dashboard: View a consolidated list of which apps can access your private information, including Location, Text Messages and Identity Info.
  • App Reports: Read a detailed report on the capabilities and risks for any given application.
  • Privacy Scans: Automatically scan every app you download or run on-demand scans.

Our job at Lookout is to protect you so you can partake in all the wonderful things the mobile world has to offer.  Privacy Advisor is the newest way we help you keep your private information safe.

Jonathan is Lookout’s Principal Product Manager, and is responsible for our mobile apps, premium product line, and threat response products. His mobile phone privacy experience goes back to the year 2000, when he designed Vodafone’s first Location-Based-Services privacy management system.

Category:   Android  •  Lookout News  •  Privacy

November 11, 2010

Three New Android Vulnerabilities Released

Smartphone security has become a popular topic amongst security researchers, with three new vulnerabilities released in the last two weeks alone. Speakers at Black Hat Abu Dhabi, HouSecCon, and Intel’s Annual Security Conference have released new vulnerabilities in Android that allow attackers to execute arbitrary code or install apps without user intervention.

Last week, Alert Logic released exploit code that targets the browser in Android smartphones running 2.1 or earlier. This vulnerability is fixed in the latest version of Android (Froyo); however, there are many devices still running earlier versions of Android that could be affected. Just like a vulnerable PC web browser, a vulnerable smartphone only needs to visit a website infected with malicious code to be exploited. Net: if you are running 2.1 on your Android, be very careful what sites you visit. To tell if you are running 2.1 on your phone, navigate to Settings –> About Phone and scroll down to Android Version; if it says 2.1, your phone is vulnerable.

This week, security researchers Jon Oberheide and Zach Lanier demonstrated a flaw whereby a malicious application that requests a few critical permissions can then install other applications without user intervention.  A seemingly benign application can use this attack to discreetly download additional applications to gain access to far more permissions on a device.  To demonstrate what an application exploiting this vulnerability might look like, the researchers created a fake add-on for a popular game, Angry Birds, and uploaded it to the Android Market.

Lastly, at Black Hat Abu Dhabi, a security researcher with MWR InfoSecurity, Nils, will disclose another vulnerability that can also be used to install applications on vulnerable devices without user intervention. While the vulnerability discussed above requires a user to install a vulnerable app, the vulnerability that Nils will present is reported to require only that a user visit a malicious website. While details are not yet public, this vulnerability likely only affects HTC devices.

Ordinarily when installing an Android app, you see what capabilities on your device the app requests permission to access; however, vulnerabilities such as the three above could be exploited to allow an attacker to install malicious apps on your phone without your permission. Apps installed via these vulnerabilities can potentially access a variety of sensitive capabilities such as sending text messages, making phone calls, reading browser history, accessing contacts, and locating your device.

When protecting smartphones, it’s helpful to understand how attackers can make money by targeting them.  Most importantly, smartphones are like a credit card: they can charge money to your phone bill by making expensive phone calls, sending premium text messages or buying fake paid applications.  Attackers can use these mechanisms to monetize malware, such as in an outbreak that was reported in China yesterday.  According to the Shanghai Times, more than 1 million cell phone users in China have been infected with a virus that automatically sends text messages, and the attack is costing users a combined 2 million yuan ($300,000 U.S.) per day.

To reduce your exposure to these and future vulnerabilities, be careful to only visit trustworthy web sites when browsing the web and clicking links in email or text messages. When downloading apps, it’s important to be vigilant and only download applications from trustworthy developers. Pay especially close attention to apps that mention known brands or other popular apps but come from an unknown developer.

Category:   Android  •  exploits  •  Security

November 8, 2010

Flaws Discovered in Multiple Mobile Banking Apps

In just two days, several mobile banking app security flaws were found that affect both iPhone and Android phones. Last week alone, a security flaw was found in PayPal’s iPhone banking app and Wells Fargo, Bank of America, and USAA announced security updates to their Android mobile banking apps.  The updates fixed security flaws found that could allow attackers to access sensitive data such as usernames, passwords and financial information.

Last week, PayPal released an update to its iPhone app that fixes a security flaw that could have exposed users’ passwords. Before the update, the PayPal iPhone app did not verify the authenticity of the server it communicates with, making it possible for an attacker to impersonate the legitimate server and intercept sensitive data.

The security flaws found in Wells Fargo, Bank of America and USAA’s Android apps are very similar to the security flaw announced by Citibank in July. The banking apps stored sensitive data in the phone’s memory, where it could be accessed by an attacker who exploited the phone (e.g. through a malicious web site) or gained physical access to it. All three banks have released updates via the Android Market and we encourage you to download the updates immediately if you have any of the affected apps on your phone.

This is not the first time we’ve seen apps inadvertently expose sensitive data and it’s unlikely to be the last.  As a user, your best bet in staying safe is to:

  • Download app updates regularly
  • Make sure you keep control of your phone
  • Only visit websites and download apps you trust
  • Stay off of unencrypted public Wi-Fi hotspots

Remember to download any available updates if you have the PayPal iPhone app or the Wells Fargo, Bank of America, or USAA Android apps on your phone. For more information, check out our mobile banking security tips.

Category:   Android  •  exploits  •  iPhone  •  Security

November 5, 2010

Android App Permissions Dissected

Based on our recent research and feedback from our users, we know that Android permissions can sometimes be confusing. Often it is hard to tell what data apps are accessing on your phone and why they are accessing it. In this post we explain what permissions are and why developers ask for them. We want you to feel more knowledgeable about permissions so you can make good decisions when you download apps on your phone.

What are permissions?
In order to access certain data or capabilities on your phone, an app needs to request permission from you before you install it. When you download an app from the Android Market, you can see an outline of exactly what data and capabilities the app wants to access. Some permissions allow access to standard phone capabilities such as the internet, while others involve accessing sensitive information such as your location or your text messages, so it’s important to pay attention to what permissions each app requests. When installing an app, Android flags particularly sensitive permissions in orange so that you pay closer attention to them.  Other, less sensitive permissions are displayed in white.

Why are there permissions?
Permissions exist so that you can understand what types of data and capabilities an app accesses. Permissions also make sure that apps can’t access more than they need to. For example, a map app needs to access your location (GPS) to display the right map, but may not need access to your text messages. It’s important to remember that apps accessing multiple permissions are not necessarily bad. Before downloading an app, a user should determine whether or not the permissions an app requests are appropriate for its features. For example, a task killer app will need access to your system tools, a text messaging app will need access to your text messages, and so on. Some apps need to access multiple permissions to deliver all of their features. One example is Google Maps, which not only requests permission to access your location, but also to “directly call phone numbers” for the click-to-call feature, and access to “record audio” for the voice search feature. If the permissions an app requests map to the features it provides, then it makes sense to install it; however, if the app’s permissions don’t seem to match its features, you should review it more carefully.
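The check described above (do the requested permissions map to the features the app provides?) can be sketched in code. This is an added example, not Lookout's or Android's own code. It assumes a manifest already decoded to text XML (inside an APK it is stored in a binary form); the permission names are real Android ones, while the category grouping, the feature names and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; the grouping into categories is an assumption.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.SEND_SMS": "text messages",
    "android.permission.READ_PHONE_STATE": "identity info",
    "android.permission.GET_ACCOUNTS": "identity info",
    "android.permission.CALL_PHONE": "phone calls",
    "android.permission.RECORD_AUDIO": "audio recording",
}

# Hypothetical feature names mapped to the categories they justify.
FEATURE_NEEDS = {
    "map display": {"location"},
    "click-to-call": {"phone calls"},
    "voice search": {"audio recording"},
    "text messaging": {"text messages"},
}

# Constructed sample manifest for a made-up map app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.maps">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission named in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def unexplained_permissions(manifest_xml, features):
    """Group sensitive permissions that none of the app's features justify."""
    justified = set()
    for feature in features:
        justified |= FEATURE_NEEDS.get(feature, set())
    unexplained = {}
    for perm in requested_permissions(manifest_xml):
        category = SENSITIVE.get(perm)  # None for non-sensitive permissions
        if category and category not in justified:
            unexplained.setdefault(category, []).append(perm)
    return unexplained

if __name__ == "__main__":
    features = ["map display", "click-to-call", "voice search"]
    print(unexplained_permissions(SAMPLE_MANIFEST, features))
```

For the sample map app, location, calling and audio recording are explained by its features, while access to text messages is left over for closer review.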

Lookout’s Permissions for Android
In order to protect your phone from malware and spyware, back up and restore your data, find your phone, and wipe your phone, Lookout needs access to a number of permissions. For example, to locate your phone the app accesses “location”, to communicate with your phone the app accesses “receive SMS,” and to wipe your phone the app needs to access a variety of data including your bookmarks and search history so it can remove them from your phone (of course only at your request). It’s important to us that we only access the minimum set of permissions necessary to provide you with all the great features you know and love from Lookout. As always, our goal is to keep you safe and provide the best possible experience in doing so.

We’ve dedicated an entire page on our site to explain Lookout’s permissions in detail, which we will keep up-to-date as features evolve.  If you would like to understand what permissions Lookout requests access to and why, click here to view our extended permissions page.

Category:   Android

November 2, 2010

Lookout Premium Unveiled

We know how important it is to protect the mobile experience and today we are announcing a premium version of Lookout’s award-winning free product that includes new security and privacy capabilities for added smartphone protection. Mobile security has become a growing concern for users as evidenced by Lookout’s tremendous growth to more than three million users in less than one year.  And we’ve found that consumers are concerned about privacy on their phone.  They realize that they have a ton of private information on their phone they want to protect, including their identity information, location, personal data and messages. Lookout Premium now offers better control over the personal information that smartphone apps access with the new Privacy Advisor.

On November 16th Lookout Premium will be available to all Android users. For our existing users, nothing changes – unless they want it to! They get to continue using the same great free Lookout product they currently have, free of charge. In addition to new premium features, a few of our free features will become premium features for new users. If you want to upgrade to Lookout Premium, you’ll have the option to do so on November 16th.

Lookout Premium includes all the same features as Free, plus:

  • Additional Security + Privacy: Privacy Advisor + Remote Wipe and Remote Lock
  • Enhanced Backup & Restore: Photos and call history, in addition to contacts. Transfer data to a new phone.
  • Premium Support: Priority response to your issues and questions

Lookout Free includes:

  • Essential Security: Malware, virus and spyware protection
  • Data protection: Backup and restore contacts
  • Missing device: Locate a missing phone and remote “scream”

Between now and November 16th we’ll be providing you with more information on the great features in Lookout Premium on our blog.  Stay tuned for more details and as always, thanks for being a Lookout user.  Our job is to protect your mobile experience.

Category:   Android  •  Lookout News  •  Privacy  •  Security  •  spyware

November 2, 2010

Profile of a Smartphone

*While apps may access private information on the phone, it does not mean that the app is malicious.

Our phones are our most personal computers. They may know more about us than our closest friends. They know who we call, text, email, where we bank, who our friends are, and where we hang out (in the real world). And it isn’t just our phones that have access to this private information; apps can access this information too. As apps continue to play a more important role for smartphones, it’s more important than ever for users to make themselves aware of what information is on their phone and who has access to it.

Lookout Mobile Security wants you to get the most out of your smartphone experience and provide you with the protection to do that safely.

Category:   Android  •  Lookout News  •  Privacy  •  Security  •  spyware