August 31, 2011

For Rooted Android Device Users: Open Heart Surgery on Your Android CA Store

For Android power users, a rooted Android device can be a gateway to gain full access to the operating system. One thing you can do with a rooted Android device is maintain your Certificate Authority store, which designates the parties that verify secure sites for your device. There is increasing scrutiny on Certificate Authorities as a weakness of SSL/TLS, and in the last year there have been two specific cases where fraudulent certificates have been traced to compromised CAs. Websites presenting such fraudulent certificates can take on the identity of official sites even when you are connecting over HTTPS, and your web browser will not warn you about the site’s fraudulent certificate. Most recently, an issue was discovered in Iran where people have claimed that the government is performing a Man in the Middle attack on Gmail using a fraudulent certificate issued from a Certificate Authority called DigiNotar. DigiNotar has since issued a report on the security incident, which can be found on Vasco.

What does all this mean for Android users? Well, unless you’re on a rooted Android device, you can’t do anything at this point. If you are rooted and not afraid to play with some command line tools, you can remove the suspect Certificate Authority certificates and disallow them from being used on your device. As a warning, this is definitely not for the faint of heart or the novice Android user, and it can be a bit time consuming. This process requires some command line knowledge: using the Java keytool, ensuring that Bouncy Castle is in your classpath, and using adb.

First we need to pull our CA cert bundle, which is located in /system/etc/security – I’ll be using the one pulled from an Asus Transformer for this example:

tstrazzere@m0ya:~$ adb pull /system/etc/security/cacerts.bks cacerts.bks
1255 KB/s (142331 bytes in 0.110s)
tstrazzere@m0ya:~$ shasum cacerts.bks
47f4789b9d03f7f8b0ff8165fc079125be314eee  cacerts.bks

Before we use the keytool, we need to make sure we have a copy of Bouncy Castle in our $JAVA_HOME/jre/lib/ext/ – I downloaded http://bouncycastle.org/download/bcprov-jdk16-141.jar and put it in $JAVA_HOME/lib/ext. After this is all set we need to check whether cacerts.bks contains the CAs we would like to remove. I personally was looking to remove both DigiNotar and Comodo and used the following commands to look for them:

tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list | grep -A 7 -B 4 -i comodo
Alias name: 48
Creation date: Feb 8, 2011
Entry type: trustedCertEntry
Owner: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO Certification Authority
Issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO Certification Authority
Serial number: 4e812d8a8265e00b02ee3e350246e53d
Valid from: Fri Dec 01 00:00:00 UTC 2006 until: Mon Dec 31 23:59:59 UTC 2029
Certificate fingerprints:
MD5:  5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
SHA1: 66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B
Signature algorithm name: SHA1WithRSAEncryption
Version: 3
--
Alias name: 78
Creation date: Feb 8, 2011
Entry type: trustedCertEntry
Owner: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO ECC Certification Authority
Issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO ECC Certification Authority
Serial number: 1f47afaa62007050544c019e9b63992a
Valid from: Thu Mar 06 00:00:00 UTC 2008 until: Mon Jan 18 23:59:59 UTC 2038
Certificate fingerprints:
MD5:  7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
SHA1: 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
Signature algorithm name: SHA384WITHECDSA
Version: 3
Alias name: 62
Creation date: Feb 8, 2011
Entry type: trustedCertEntry
Owner: C=GB,ST=Greater Manchester,L=Salford,O=Comodo CA Limited,CN=AAA Certificate Services
Issuer: C=GB,ST=Greater Manchester,L=Salford,O=Comodo CA Limited,CN=AAA Certificate Services
Serial number: 1
Valid from: Thu Jan 01 00:00:00 UTC 2004 until: Sun Dec 31 23:59:59 UTC 2028
Certificate fingerprints:
MD5:  49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
SHA1: D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
Signature algorithm name: SHA1WithRSAEncryption
Version: 3

Make sure the above certificates are in fact the ones you want to remove – then remove them using the -delete -alias ALIAS_NAME command. After performing a delete on these, grep for them again to ensure they are removed:

tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias 48
[Storing cacerts.bks]
tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias 78
[Storing cacerts.bks]
tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias 62
[Storing cacerts.bks]
tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list | grep -A 7 -B 4 -i comodo
tstrazzere@m0ya:~$

Next I wanted to remove the DigiNotar CA cert, so I performed the same steps as above, with similar results:

tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list | grep -A 7 -B 4 -i diginotar
Alias name: 99
Creation date: Feb 8, 2011
Entry type: trustedCertEntry
Owner: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Issuer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Serial number: c76da9c910c4e2c9efe15d058933c4c
Valid from: Wed May 16 17:19:36 UTC 2007 until: Mon Mar 31 18:19:21 UTC 2025
Certificate fingerprints:
MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
Signature algorithm name: SHA1WithRSAEncryption
Version: 3
tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias 99
[Storing cacerts.bks]
tstrazzere@m0ya:~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list | grep -A 7 -B 4 -i diginotar
tstrazzere@m0ya:~$
tstrazzere@m0ya:~$ shasum cacerts.bks
0e2a3db5d4fc82688832d2b4433a7acdb4546772  cacerts.bks

Now the last thing to do is to push this new bundle to the Android device. To do this we must have root on the phone, which will allow us to remount the /system partition. If adb is running as root, you can do this by simply issuing a remount command:

tstrazzere@m0ya:~$ adb remount
remount succeeded

Otherwise you will need to remount manually inside an adb shell after running ‘su’, with something like the following:

tstrazzere@m0ya:~$ adb shell
$ su
# mount -o remount,rw /dev/block/mmcblk0p25 /system

Once you’ve remounted the /system partition, you can push the new cacerts.bks to the device:

tstrazzere@m0ya:~$ adb push cacerts.bks /system/etc/security/
1255 KB/s (142331 bytes in 0.110s)

Now simply reboot your device and be happy that you no longer have to trust unwanted CAs!
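The grep in the steps above only eyeballs the listing; the same selection can be done by parsing the keytool output and pinning each alias to its SHA1 fingerprint before any -delete is issued. This is an added Python example, not code from the post; the helper names are mine, and the sample listing is an abridged copy of the post’s own keytool output.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abridged `keytool -list -v` listing built from three of
# the entries shown in the post (unparsed fields dropped, keytool's separators kept).
SAMPLE_LISTING = """\
Alias name: 48
Entry type: trustedCertEntry
Owner: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO Certification Authority
Certificate fingerprints:
MD5:  5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
SHA1: 66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B

*******************************************

Alias name: 62
Entry type: trustedCertEntry
Owner: C=GB,ST=Greater Manchester,L=Salford,O=Comodo CA Limited,CN=AAA Certificate Services
Certificate fingerprints:
MD5:  49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
SHA1: D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49

*******************************************

Alias name: 99
Entry type: trustedCertEntry
Owner: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Certificate fingerprints:
MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
"""

# The keytool invocation from the post, minus the action flags.
KEYTOOL_BASE = ["keytool", "-keystore", "cacerts.bks", "-storetype", "BKS",
                "-provider", "org.bouncycastle.jce.provider.BouncyCastleProvider",
                "-storepass", "changeit", "-v"]


@dataclass
class TrustedCert:
    alias: str
    owner: str
    sha1: str   # colon-separated hex, exactly as keytool prints it


def parse_keytool_listing(text):
    """Split the listing on 'Alias name:' lines and pull alias, Owner DN and SHA1
    fingerprint out of each block; separator lines between entries are ignored."""
    certs = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias = block.split("\n", 1)[0].strip()
        owner = re.search(r"(?m)^Owner: (.*)$", block)
        sha1 = re.search(r"(?m)^SHA1: ([0-9A-Fa-f:]+)$", block)
        if owner is None or sha1 is None:
            raise ValueError(f"entry {alias!r} has no Owner or SHA1 line")
        certs.append(TrustedCert(alias, owner.group(1).strip(), sha1.group(1)))
    return certs


def find_by_owner(certs, needle):
    """Case-insensitive substring match on the Owner DN, i.e. the same entries the
    post's `grep -i` shows ('comodo' also catches 'Comodo CA Limited')."""
    return [c for c in certs if needle.lower() in c.owner.lower()]


def plan_removal(certs, expected_sha1):
    """Build one `keytool -delete` command per alias in expected_sha1, but only if
    that alias's SHA1 in the listing matches the fingerprint pinned by inspection;
    alias numbers may differ between firmware images, so a mismatch aborts."""
    by_alias = {c.alias: c for c in certs}
    commands = []
    for alias, sha1 in expected_sha1.items():
        cert = by_alias.get(alias)
        if cert is None:
            raise KeyError(f"alias {alias} is not in the store")
        if cert.sha1.upper() != sha1.upper():
            raise ValueError(f"alias {alias}: fingerprint {cert.sha1} != {sha1}")
        commands.append(KEYTOOL_BASE + ["-delete", "-alias", alias])
    return commands
```

Each returned command is an argument list ready for subprocess.run(); re-listing afterwards and diffing the shasum, as the post does, remains the final check.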

Category:   Uncategorized
August 29, 2011

Making The List: Fortune Magazine’s “Smartest People In Tech”

“Plenty of people have high IQs, creative ideas, management savvy, and an uncanny ability to always be working on timely projects,” but the winners of Fortune Magazine’s “Smartest People in Tech” possess all these qualities—and more.  Fortune recently unveiled their list of exceptional players in the industry for 2011, and we’re very proud to announce that Lookout’s founder and CEO, John Hering, was singled out for this prestigious award!  And he was in great company: Susan Wojcicki  (Senior Vice President-Advertising, Google), Andrew Jassy (Director-Web Services, Amazon), Fared Adib (Vice President-Product Development, Sprint Nextel), and Kevin Chou (CEO, Kabam) were also honored.

The individuals selected as the “Smartest People In Tech” are innovators who have turned great ideas into great businesses.  Long before the smartphone explosion, John recognized the importance of securing mobile devices and set out to found a company specifically designed for the mobile world.  John’s insight, entrepreneurial nature, and passion to build great products make him the “perfect guy to help consumers and businesses secure their mobile phones from viruses, spyware, and other malfeasance.”  Fortune commends John for driving Lookout’s user base to over 10 million, “putting it ahead of traditional data-security companies like Symantec and McAfee.”

Congratulations to everyone who was featured this year–it’s a tremendous honor to be selected as one of the tech world’s “sharpest players and future giants.”

Category:   Android  •  Lookout News  •  Security
August 25, 2011

Safeguarding Your Backpack: Tips To Keep Your Tech Gear Safe

As summer winds down—and “back to school” season grows near—it’s time to think about protecting all of your tech gadgets purchased for the school year.

Today’s backpack represents a hefty price tag (and an attractive target for theft).  On the first day of class, many students will be toting around a smartphone, tablet, and laptop.  With as much as $3,000+ of gear in one bag (and important data stored on each device), it will be important for students to protect their tech gadgets.

Follow these tips to help safeguard your gear.

LAPTOP
Physical Locks.  Most notebooks come with a built-in security/microslot that you can easily fit a lock into.  Many locks also can be used to secure LCD monitors, tablet PC’s, and scanners.  Purchase online: $10-$40 (a reasonable price for the peace of mind).

TABLETS & SMARTPHONES
Password Protect Your Device.  Setting a strong password for your tablet is the simplest way to keep your personal information private during the school year.

Download A Security Application. If school life keeps you on the go, it’s easy to lose track of your phone.  Download a mobile security app like Lookout that can help you locate your device if it suddenly goes missing.  It can even lock the phone to make sure no one gets their hands on your sensitive personal info.

Back It All Up:  Added Backup Protection For Files And Documents. You can also download an app to your phone or computer that allows you to store and share your docs, files, and videos (like Dropbox).

KEYS AND WALLET
Download An App That Helps You Keep Track Of Other Valuables. Your keys aren’t technically a tech gadget, but they are easily lost!  A cool app called CobraTag from Phone Halo will automatically record the GPS location of your keys or wallet, and send an email with the Google map.

As you head out the door for the first day of school, we hope these safety tips will help keep your gear secure!

Category:   Android  •  Lookout News  •  Lost Phone  •  Missing Device  •  Privacy  •  Security
August 25, 2011

‘Lookout One’: Winner of the San Francisco Triathlon at Alcatraz!

On Sunday, August 21st, 6 stellar athletes from Lookout competed in the San Francisco Triathlon at Alcatraz – a 1.2 mile swim, 25 mile bike ride and 7 mile run.  These athletes were grouped into two teams competing in the Corporate Mixed class: ‘Lookout One’ and ‘Lookout Behind You.’

‘Lookout One’:

  • Swimming: Brian Noble, Director of Customer Support
  • Cycling: Joseph Ansanelli, Chairman of the Board
  • Running: Alex Shoyket, Senior Software Engineer

‘Lookout Behind You’

  • Swimming: James Burgess, CIO
  • Cycling: Michele Baca, former Lookout accountant
  • Running: Alex Bovee, Senior Product Manager

Highlights of the race included: a celebrity appearance by David Duchovny (who competed in the race), our very own Brian Noble finishing 13th out of 804 competitors in the swim, and, oh yeah… out of 18 corporate teams competing in the event, ‘Lookout One’ came in 1st and ‘Lookout Behind You’ placed 8th!  You can check out the full results here.

Apparently, our modest crowd of employees left the race before the awards ceremony – and Kevin Hartiz, CEO of EventBrite, member of their 2nd place relay team and also a member of our Board was left to pick up our winner’s plaques.

Congratulations to all who competed!

Category:   Lookout News
August 24, 2011

AppMaster: You Do Not Want This Managing Your Device

Starting on August 11, we began investigating several revisions of an Android app in alternative Chinese markets that contained exploit code.  This app, called AppMaster, is the first observed app using the “GingerBreak” exploit to escalate privileges for purposes other than a user specifically wanting to root their device (note: AppMaster was independently discovered and reported by Xuxian Jiang as “GingerMaster”). While the app does not appear to have malicious intent, it does engage in risky behavior that includes “rooting” a device without user consent.  Given that, we have pushed protective updates to our users to notify them of the app’s behavior.

To date, we have acquired and analyzed three instances of AppMaster distributed both in alternative Android Markets and from the developer’s website (http://mustmobile.com/).  The marketing content on the site suggests a device organizer and app manager, and when the app is initially installed, it does create organized groupings of apps on the device desktop.  The app also contains an image browsing service that provides “daily pictures of beautiful women”.  It is capable of self-updating when prompted by its host servers, though that update process currently requires user approval.

If a device is detected as previously rooted (determined by presence of /system/xbin/su or /system/bin/su on the device’s filesystem) the app does not attempt to escalate its privileges.  If the device is not rooted, the app will execute the GingerBreak exploit and attempt to root the device and drop a file (/system/xbin/appmaster/sh) that allows it to retain root in the future.  The code currently in AppMaster will only execute privileged commands after a user confirms the action, indicating that the application is not trying to hide its actions from the device’s user (a key consideration in determining whether to classify an application as malicious or not).  Even though the application requires user interaction to perform an action today, there is no guarantee that future updates will do the same.

The operator of mustmobile.com and presumed developer of the app is “Yun (Cloud) Guan Jia (Manager).”  If you take the marketing content of their web site at face value, they are developing and operating a new alternative market/device management service.  We have acquired several applications from the service and thus far none of them appear malicious.  Lookout is even among the apps and verified to be an unmodified version of our application as distributed on the Official Android Market.

At this point, facts on the table point to extremely poor judgment on the part of the developers on how to develop such a service.  Nonetheless, Lookout users are notified and protected from potential damage caused by this app.

Category:   Android  •  malware  •  Vulnerability
August 23, 2011

Quick Guide: Grand Theft Mobile! What To Do If Your Phone Is Stolen

According to the NYPD, 41% of all theft complaints involve a stolen cell phone, and reports of stolen cell phones skyrocketed 18% in the first three months of the year. If that pace holds, reports for stolen cell phones could hit 11,328 this year, up from 10,650 in 2009.

In most cases when a phone is stolen, it is nearly impossible for police to track down the thieves.  Thankfully, technology can now help.  For those of you who may find yourself in this unfortunate situation, this quick step-by-step guide will tell you what you can do to locate and secure your phone.

If you have an Android phone, you’re in luck!  Hopefully, you’ve already downloaded a find my phone app like Lookout to your phone, and the first thing you should do is remotely lock your phone.  This will stop the thief from being able to access anything on your smartphone.  If you need a refresher course on how to use Lookout to locate, lock, or wipe your phone, visit our step-by-step guide on our blog.

If you do not have Lookout installed on your phone, you can now use the web version of the Android Market to download Plan B to locate your Android. Plan B is available for Android 2.2 platforms and earlier.  This can help you and the authorities track down your stolen device. Using Plan B is simple, but requires access to the Android Market website and your Google account. (If you have an Android phone, you already have a Google account.)

If you do not have an Android phone, or want to take an extra step to keep the data on your phone safe, follow these simple steps:

1) Change all of your passwords: email, social networking, banking.  If you can’t remotely lock your smartphone, your next best bet is to change your passwords.  Think about all of the apps you use on your smartphone that have a lot of personal information about you: Gmail, Facebook, Skype, banking apps. Changing the passwords to these apps will stop the thief from accessing your personal info.

2) Notify your carrier. It’s always a good idea to notify your phone carrier as soon as your phone is lost.  They can suspend your service to ensure that no unauthorized calls are made.  And if you find your phone, you can easily reactivate service.

3) If you’re very concerned you could freeze your credit card. If you use your smartphone to purchase goods over the web or pay bills online, you may want to freeze your credit card when your phone is lost.  Freezing your card will prevent any fraudulent charges from being made. Taking this final step will help give you peace of mind—knowing for certain that your bank account is protected.

4) Download a find my phone app like Lookout.  If you haven’t already, and to stay one step ahead, consider downloading an app that can locate lost and stolen devices.  Why wouldn’t you? It’s free!

Category:   Android  •  Lookout News  •  Lost Phone  •  Missing Device  •  Privacy  •  Security
August 19, 2011

How Plan B found the Droid [Jon] was Looking For

Imagine for a moment that you are hundreds of miles away from home and you’ve just stepped out of a taxi at the airport.  After you watch the cab drive off,  you reach for your phone and realize…it’s gone!  A few weeks ago we received a remarkable story from a writer named Jon Barrow who experienced this exact situation and was able to use Plan B to track down his beloved device:

“A small seed of optimism sprouted as I read the Android Market description for Plan B from Lookout Labs.  A remotely installable app that would instantly e-mail me the phone’s location?  It sounded too good to be true!”

On Ars Technica, Jon gives every detail of what ended up being a “16-hour game of cat-and-mouse, spanning half the country and involving a cast of disinterested bureaucrats, helpful strangers, and one witless would-be criminal.”

Be sure to check out Jon’s extremely humorous story on Ars Technica, complete with images documenting the entire ordeal.

If you have a “find my phone” story about how Lookout (or Plan B) came to the rescue for you, we’d love to hear it!  Please send your story to superusers[at]lookout.com.  We look forward to reading your stories.

Plan B is available for Android 2.2 platforms and earlier.

Category:   Android  •  Lookout Labs  •  Lookout News  •  Lost Phone  •  Missing Device  •  Security  •  User story
August 18, 2011

Googlerola: What the Google-Motorola acquisition means for Android

David is the lead Android engineer at Lookout, who’s been developing for Android for three years.

Earlier this week, Google announced it intends to acquire Motorola Mobility for $12.5 billion.  This move has far-reaching implications for Android, and at its core, Google may have made the purchase to boost its patent portfolio. Because of the explosive growth and success of Android, Google needs to defend Android against the lawsuits coming at it from all angles.  The deal with Motorola Mobility gives Google access to over 17,000 patents – patents that can be used to protect all Android manufacturers and Android developers from the looming threat.

However, Google assimilating the Motorola Mobility products (to be fair, they say they intend to run Motorola Mobility as a separate company) will likely play a role in the direction in which Android moves in the future.

First and foremost, Android is still open and will continue to be so – Google has made this clear in its announcement. You can still expect great phones from Samsung, HTC and the hundreds of other Android device manufacturers.  Chief executives from these other leading OEMs have welcomed the news – patent protection is something the entire Android ecosystem wants.

Android has always been advancing, but the OEMs play a key role in this process too.  New features, even new pieces of hardware, aren’t limited to Google’s Android roadmap.  HTC popularized the front facing camera with the Evo 4G.  Now nearly every new Android device has a front facing camera.  Motorola (with Verizon) popularized the iconic “Droid” and its marketing and TV commercials put Android on the map. (Other examples of some Samsung or Motorola innovations: SAMOLED, 3D displays, WebTop, laptop docks, the Xoom)

Of all the major OEMs, Motorola has been one of the most focused on bringing Android into the workplace.  They acquired 3LM to provide a platform on Android devices for IT administrators to bring enterprise-grade security to Android devices.  They launched devices specifically targeted at enterprise users, such as the Droid Pro.  MotoBlur, love it or hate it, provides some of the best corporate sync of any Android device I’ve owned.

So what changes should we expect to see from Motorola?

I would guess that WebTop – the cloud-based OS you can access by plugging select Motorola phones into a TV, monitor or laptop shell – will be replaced with ChromeOS or a GoogleTV-like interface.

The bootloaders will be unlockable.  I repeat, the bootloaders will be unlockable.  Literally speaking, a bootloader is code that is executed before an operating system starts to run.  By unlocking the bootloader, Android enthusiasts can easily install custom firmware on their Android phone, rather than using a root exploit to root the phone.  This is great for consumers and great for security.  The more bootloaders that are unlocked, the sooner root exploits will be reported as bugs rather than kept secret by tinkering communities.

I hope Motorola will take a page from Google’s playbook and allow consumers to easily buy the devices without contracts online or buy them subsidized but choose the device and the carrier independently.

So what changes should we expect to see from Google?

Motorola has actually never manufactured a “Nexus” device.  The Nexus One was made by HTC and the Nexus S by Samsung.  The rumor is that the next Nexus device, the Nexus Prime, will also be a Samsung device.  However, Motorola did launch the first Honeycomb tablet months before the competition when they debuted the Xoom.  So will Google transfer the exclusive rights to the Nexus name over to Motorola? I don’t think so.  I suspect we’ll still see Nexus devices coming out from all manufacturers because Motorola already has a more important marketing term… the Droid.

Motorola may also cause Google to focus more and more on the enterprise user.  Will 3LM’s platform enhancements become the standard for Android? Maybe.

I’d like to see more reference devices like the Nexus line coming much more frequently out of Motorola, and I’m hopeful new Motorola device owners can expect the same rapid updates to the latest and greatest versions of Android that Nexus owners have come to expect.

A superphone must be in the oven, and I’m not talking about the Droid Bionic.  Google and Motorola will want to seal their relationship with a major flagship device, but they likely won’t have one in time for the Ice Cream Sandwich launch.  I’d bet on seeing something big around whatever comes next… Jellybean?

Overall, I think the Google Motorola deal is good for Android, good for users and pretty good for Android security. Only time will tell, and it will be interesting to see what comes out of the new Googlerola.

Category:   Android  •  exploits  •  Lookout News  •  Security
August 18, 2011

Gaming App Developer Tips: On Time Traveling in Mobile Applications

At DefCon Kids this year, 10-year-old “CyFi” talked about “Time Traveling” vulnerabilities in mobile games.  By manipulating the system time, CyFi found that she could cause timed events (crop growth, for instance) to happen outside the bounds of normal play.  Some of the games that she exploited even have a secondary market for virtual items on eBay.

This illustrates a pretty important point about developing mobile applications, particularly when they interact with back-end services:  the client is always in the hands of the enemy.

CyFi found that some games would actually sanity check the advancement of the clock, but would still allow a significant jump on the order of an hour to occur.

It might be better for a game engine to enforce a smaller “tick” in the evolution of the game state, and keep system time advances bound to this window.  While that doesn’t prevent precocious manipulation of the state of the game within a tick cycle, it does significantly raise the effort that has to be invested in gaming the system.

In a game system with a persistent back-end world (even simply the persistence of virtual goods) one should consider putting sanity checks on the progress reported from clients.  If a time-limited virtual good takes an hour to “develop” in-game, but a client reports that it has developed 4 of them since it checked in 15 minutes ago, strange things are definitely afoot.

This is a good opportunity to consider the impact that a hostile client has on your overall system, whether you’re developing games or other types of client-server applications.
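Both checks described above, the client-side tick bound and the server-side sanity check on reported progress, as an added Python example (mine, not code from the post): the one-hour development time, the 60-second tick and the record layout are assumed values for illustration.

```python
from dataclasses import dataclass

DEVELOP_SECONDS = 3600.0   # assumed: one virtual good takes an hour to develop
MAX_TICK_SECONDS = 60.0    # assumed engine tick used to bound client clock jumps


def bounded_advance(last_tick, now, max_tick=MAX_TICK_SECONDS):
    """Client engine: credit at most one tick of game time per observed clock
    step, so a system clock pushed forward by a day yields one tick of growth,
    not a day's worth. A clock that went backwards credits nothing."""
    if now < last_tick:
        return 0.0
    return min(now - last_tick, max_tick)


@dataclass
class Progress:
    last_checkin: float   # server clock at the previous check-in
    carry: float = 0.0    # seconds already credited but not yet a whole good


@dataclass
class Verdict:
    credited: int         # goods the server actually grants
    rejected: int         # goods claimed beyond what elapsed time allows
    progress: Progress    # record to store for the next check-in


def check_in(progress, now, reported_goods, develop_seconds=DEVELOP_SECONDS):
    """Server sanity check: since its last check-in the client can have developed
    at most floor((elapsed server time + carried progress) / develop_seconds)
    goods. Claims above that are refused, not trusted; `now` is the server's own
    clock, never a timestamp supplied by the client."""
    reported_goods = max(0, reported_goods)
    elapsed = max(0.0, now - progress.last_checkin) + progress.carry
    allowed = int(elapsed // develop_seconds)
    credited = min(reported_goods, allowed)
    # Keep the unconsumed remainder so honest players lose no progress, but bank
    # at most one good's worth of unclaimed time.
    carry = min(elapsed - credited * develop_seconds, develop_seconds)
    return Verdict(credited, reported_goods - credited, Progress(now, carry))
```

The post's own case (four goods claimed 15 minutes after check-in) credits zero and flags four; a client that checks in an hour later with one good is credited normally.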

Trust is a funny thing, even at play.

Category:   Uncategorized
August 11, 2011

Lookout Security Team Presenting at Blackhat

We had a great time at BlackHat and DEFCON this weekend! Check out our security team presenting Don’t Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle.

We hope everyone learned a lot from the conferences, had a good time, and isn’t having too much trouble recovering from Sin City!

Category:   Android  •  Lookout News  •  Security