Slatedroid info

Everything about android tablet pc [slatedroid]

Google addresses WebView security concerns, makes recommendations on how to stay safe

Posted by wicked January - 24 - 2015 - Saturday

If you are still waiting for Google to do something about the WebView vulnerabilities in older Android releases, you may not be a fan of their official response to the matter. Google says they’ve already fixed it, sort of, but at least offered ways that you can protect yourself and your data going forward.

In a recent Google+ post, echoing an older DevBytes video and our own take on the matter, Google has addressed the WebView issues that have been a growing target of complaints about the free and open source Android OS. Android releases prior to KitKat, that is, versions 4.3 and older, have a known code injection flaw in the WebView element.

WebView is broken, don’t use it

WebView is a tool within Android that allows apps to display web content within the app. You’ve all seen these before as ads at the bottom of a free game or an in-app web-based help page. Although the Google+ post goes on to describe a few best practices, the underlying message is unforgiving and clear: WebView is broken, so don’t use it.

Perhaps Google’s advice is easier said than done, especially for the casual gamers in the crowd, but disabling the default Android browser and installing Chrome, Dolphin or another full web browser is good advice regardless of the issues. Developers, please familiarize yourselves with the best practices for your apps, to keep us secure.

Now, didn’t you say that Google fixed the issue? Well, yes, sort of. Google took the time in the Google+ post to explain that they have limited resources for working on older versions of Android. Plainly put, Android 4.4 KitKat included the fix to the WebView bug. Keep in mind that KitKat is itself over a year old now, having been through versions up to 4.4.4 before giving way to Android 5.0 Lollipop, which is also a couple of versions in already. Android 5.0.2 Lollipop is already shipping out to some devices.

Bottom line, users of devices running Jellybean and older are just out of luck. Please take the precautions discussed, or have a look at installing a custom ROM, if one is available for your Android unit.

Is this an acceptable response from Google, or should they dedicate more staff to fixing older Android releases? Before you answer, I might suggest taking a look at the latest Android distribution numbers.

It was reported by Talk Android’s Jeff Causey on the 12th of January that Google would no longer be providing security updates to WebView on devices running Android 4.3 (Jelly Bean) and earlier. In fact, it is even deeper than that: for these versions, Google will no longer be managing the entire WebKit, from which WebView is derived.

In a post on Google+ today, Android Security’s lead engineer, Adrian Ludwig, provided clarification and guidance to those nearly 1 billion device owners running Jelly Bean or earlier Android versions.

WebKit is a software component for web browsers that creates the layout engine for the browsers to render web pages. WebKit is used for both Google Chrome and Apple Safari, whereas Trident is used for Internet Explorer and Gecko is used for Firefox. WebKit is also found in the browser utilized by the Tizen Operating System.

WebView, a part of WebKit, is what allows apps to display web pages inside of the app itself. This is done to keep the user inside of the app, instead of exiting the app you’re in and redirecting you to the browser app.

WebKit, and thus WebView, is mostly open-source, with companies like Google pitching in and supporting the development of the software. By ending support for WebKit on Jelly Bean and earlier versions (from here forth, I will just say Jelly Bean), Google raised alarms that certain known exploits involving WebView may leave users running Jelly Bean exposed to malware.

According to Ludwig, maintaining the legacy code for Jelly Bean in WebKit’s open-source environment was actually creating more security issues than abandoning support for it. Ludwig stated, “Until recently we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”

Ludwig went on to say that the best practice for users of Jelly Bean devices is to open web content in the Chrome or Firefox browser, which is updated with the latest security patches regardless of which Android version the device is running. This sidesteps any exploits made possible by WebView, which, again, is used inside third-party apps that do not want to redirect to the browser. “Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users.”

For developers of apps maintaining support on Jelly Bean devices, Ludwig encourages redirecting to the browser or making sure WebView only accesses content from local sources or over HTTPS. Additionally, he suggests that app developers abandon WebView altogether and instead incorporate a webpage renderer of their own design so they can maintain security patch updates on their own.
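One way an app could apply that developer guidance, shown as an added example that is not taken from Google's post: a WebViewClient that keeps the WebView on bundled pages and HTTPS pages from trusted hosts, and hands every other web link to the browser. The class name and the hosts in TRUSTED_HOSTS are placeholders assumed for illustration.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Keeps an embedded WebView on bundled pages and on HTTPS pages from trusted hosts. */
public final class TrustedContentClient extends WebViewClient {

    // Assumption: placeholder hosts operated by the app's own developer.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<String>(Arrays.asList("help.example.com", "static.example.com"));

    /** True only for pages shipped in the APK or https:// URLs on a trusted host. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never trusted
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.US);

        if (scheme.equals("file")) {
            // Local content: only bundled assets, no host part, no traversal or escapes.
            String path = uri.getRawPath();
            return host == null && path != null
                    && path.startsWith("/android_asset/")
                    && !path.contains("..") && !path.contains("%");
        }
        // Remote content: HTTPS only, default port, no user-info tricks, known host.
        return scheme.equals("https")
                && host != null
                && uri.getUserInfo() == null
                && (uri.getPort() == -1 || uri.getPort() == 443)
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.US));
    }

    /** Entry point for the app: loadUrl() itself is not passed through the client. */
    public static void load(WebView view, String url) {
        if (!isTrusted(url)) {
            throw new IllegalArgumentException("untrusted URL refused");
        }
        view.setWebViewClient(new TrustedContentClient());
        view.loadUrl(url);
    }

    /** Link clicks and redirects: trusted pages stay in the WebView, the rest leave it. */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (isTrusted(url)) {
            return false; // let the WebView load it
        }
        openInBrowser(view, url);
        return true; // the WebView must not load it
    }

    /** Sub-resources (images, scripts, frames): untrusted ones get an empty body. */
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) {
            return null; // null means "load normally"
        }
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    /** Hands plain web links to the user's browser, which is updated through Google Play. */
    private static void openInBrowser(WebView view, String url) {
        Uri target = Uri.parse(url);
        String scheme = target.getScheme();
        if (scheme == null) return;
        scheme = scheme.toLowerCase(Locale.US);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return; // do not launch other schemes on a page's behalf
        }
        Intent intent = new Intent(Intent.ACTION_VIEW, target);
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            view.getContext().startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // No browser installed: drop the link rather than load it in the WebView.
        }
    }
}
```

The app calls TrustedContentClient.load(webView, url) instead of webView.loadUrl(url), so the first page is checked as well as later navigation.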

Adrian Ludwig came to Google after serving in technical leadership positions held at Adobe, Macromedia, and Joyent. He also worked for the National Security Agency. Since his arrival on the Android Security team, he’s been very vocal about Android’s minuscule vulnerability to malicious attacks.

During a speech to the Virus Bulletin conference in Berlin back in 2013, Ludwig claimed that Google and its data-driven methodology made it extremely difficult for it to be attacked by malcontents. He also pointed out the many layers of security that are in place to prevent malware from finding its way onto your Android device.

Source: Adrian Ludwig via Google+

Come comment on this article: Android Security lead engineer provides further insight to WebView security issues on devices running Jelly Bean and older versions

Making sense of the latest Android security updates scare

Posted by wicked January - 12 - 2015 - Monday

Some of the world’s biggest publications including the Wall Street Journal and Forbes are running a story about how Google is no longer fixing security bugs in older versions of Android. The prize for the most sensationalist headline probably goes to Forbes for “Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion.”

A headline about critical security updates that aren’t going to be available for nearly one billion devices is enough to worry even the most non-technical of people. With publications like the WSJ and Forbes pushing out this story, I think we can officially call this a “scare.”

It all started with a post by Tod Beardsley on the Metasploit blog. Metasploit is a tool that security experts use to test different computers and devices to see if they are susceptible to security vulnerabilities. The Metasploit tool has a large following in the security world and it garners a huge amount of respect.  Tod Beardsley himself is a respected engineer with years of experience working in the security industry. He has often been a speaker at security conferences and is a member of the IEEE.

Tod wrote a blog post about how Google is no longer accepting security related patches for the WebView component of Android prior to Android 4.4. The WebView component is a core part of Android. It allows any app to create a mini web browser within the app itself. This can be useful for displaying simple static HTML, like help or instructions, or it can be used to build an entire app using HTML5 and Javascript. If any of these apps actually connect to the web to download content or to visit a site then the potential exists for a hacker to trick a user into opening a web site that exploits bugs in the WebView. Once exploited the hackers can take control of the device and install malicious software.

For example, if you use an RSS reader that relies on WebView to display the full story from an item listed in an RSS feed, then it would be possible for an attacker to get a story published that takes users to a malicious site. The mini web browser in the RSS reader could then be exploited, if it is vulnerable.

Beardsley does some maths and demonstrates that some 930 million Android devices are no longer receiving any security patches from Google. Everything that Beardsley has written is factually correct and the threat is real. “Without openly warning any of the 939 million affected, Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3 or below,” wrote Thomas Fox-Brewster for Forbes.

But the situation isn’t as black and white as Beardsley and Fox-Brewster are suggesting. Ask yourself this question: when was the last time that Samsung, or HTC, or LG posted an update for devices running Android 4.1, 4.2 or 4.3? Obviously, I am unable to keep track of every update pushed out by every company in the world, so I am sure there will be some exceptions to this, but the answer is: rarely.

So even if Google fixed the source code in Android 4.3, the chances of it arriving on an actual handset are quite small. One of the first comments on Beardsley’s post was by dr.dinosaur who wrote, “Even if Google does continue support, would the devices even get it? As you mentioned, getting updates on these old devices is not an easy process as it has to get approved by the manufacturer, approved by the carrier, pushed to the device itself, and downloaded and installed by the user.”

Tod acknowledges this with a follow-up reply, “The whole business of distributing patches downstream is a whole other problem that needs to be addressed. That said, if the handset manufacturers or the carriers weren’t picking up Google-sourced patches before, I somehow doubt they’ll be faster to pick up patches from Some Guy On The Internet…”

And his point is valid in that OEMs are unlikely to pick up security fixes to AOSP that have been published by random people on the Internet. But he also points out that the handset manufacturers weren’t picking up Google-sourced patches anyway. What is really broken with Android is not if and when Google supplies patches for Android, but the “whole business of distributing patches downstream.”

Google has done a lot to address this problem over recent years. Firstly it started de-coupling various components and services from the main Android build and offering them as updates via the Play Store. For Android 5.0 Lollipop, Google has also unbundled the WebView component and is offering that as an automatic update from the Play Store. That should stop the current situation with Android 4.3 occurring in the future.

Second, Google has various programs like the Nexus range and Android One, which allow people to buy handsets which get updates directly from Google. The result is that the downstream update model is slowly changing. It isn’t perfect by a long way, and while the OEMs and carriers remain slow in updating devices then the potential for this kind of problem still exists.

It is also worth mentioning that alternative firmwares, like CyanogenMod, probably pick up the fixes from Google quicker than the OEMs. So technically anyone running CyanogenMod 10.x will no longer get any security updates unless a non-Google engineer patches the AOSP or CyanogenMod code for known vulnerabilities.

If you are using Android 4.x then you should consider installing a browser like Chrome or Firefox to do your main mobile browsing, rather than using the built-in browser. This will at least ensure that you are protected from known vulnerabilities when surfing the web, regardless of what patches are available for your version of Android. If you use an app that opens up a WebView to connect to the Internet then you should consider finding an alternative, unless the app only accesses some limited hard-coded URLs.

Report claims Google not patching older versions of WebView leaving users exposed

Posted by wicked January - 12 - 2015 - Monday

A new report that surfaced today claims that Google has ended support for WebView on Android devices running Android 4.3 or older, a move that could leave users exposed to malicious attacks. WebView is considered a “core component” of Android and is used by applications to display web pages without opening an actual browser session. Starting with Android 5.0 Lollipop, Google decided to unbundle WebView from the core system so updates could be pushed out via the Google Play Store.

The source of the news regarding a lack of updates for Android versions 4.3 or older came from a response by Google’s Android security team to a report of a bug in the AOSP browser which is based on WebView. According to the response to Joe Vennix of Rapid7 and independent researcher Rafay Baloch:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Taken at face value, that response seems to suggest that Google is relying on third parties to develop patches for problems in Android 4.3 or older. If those third parties can develop a solution, Google will push it out, but Google is not working on solutions themselves. Google has declined thus far to issue a response or comment regarding this apparent development.

It is unclear how big a problem this issue may be. On the one hand, some security professionals like Tod Beardsley with Rapid7 claim, “WebView, for many, many attackers, is Android, just as Internet Explorer [Microsoft's browser] is usually the best vector for attackers who want to compromise Windows client desktops.” Rapid7 provides 11 WebView exploits in their Metasploit penetration testing tool. Those same exploits could be used by unethical or criminal hackers to try to launch an attack on Android devices.

On the other hand, security consultant Andreas Lindh and others note that hackers who want to use WebView to launch an attack face some hurdles. High on the list is the need to get exploit code onto a web page that is being displayed by a targeted app or to somehow trick users into visiting a page with exploit code included in it. The latter option seems like the most probable attack vector.

While the issue gets sorted out and security professionals wait to see whether Google may issue clarifying information about their end-of-life plans for WebView in older versions of Android, estimates put the number of Android devices running Android 4.3 or older at close to 1 billion out of the 1.5 billion devices in the hands of customers.

source: Forbes


Android customization – Device security, intrusion detection using Tasker

Posted by wicked January - 9 - 2015 - Friday

Last week in our Android customization series, we looked at clearing device cache and wiping out the somewhat overloaded photo thumbnail cache on your Android device. These actions will be valuable if you follow along today.

Today we are looking at creating custom device security using Tasker. The idea is simple: we’ll show you how to make your device take a photo of any person accessing your phone. As a bonus, we’ll make sure the device location is saved in the name of the image file.

Before we get started

To follow along today, you’ll need to have Tasker installed on your device. Tasker is $2.99 in the Google Play Store. Further, you are going to want to have a device with a front facing camera, but we can get by without, if you need.

Keep track of who is accessing your Android device

Let me explain again what we are up to: we are looking at security here today. We want to capture an image of anyone that turns on the display of your device. Then we save the current GPS coordinates, as well as the date and time, as a part of the image file name.

Let’s do this. Open up Tasker and head to the Tasks tab. We will start by creating a variable that includes the device location, then we’ll take the photo.

Create a new Task and name it concisely and uniquely; I’ll call mine “SecurityPic”.

Tap the “+” button to add a new Action.

Select Variables.

Select Variable Set.

In the Name field, create a local variable for the GPS coordinates. I entered “%securegps”.

In the To field, tap the label icon and look for Location, or just enter “%LOC”.

Tap the system Back button to save and exit.

Truth is, only storing the GPS location in the variable is a bit of a waste. I used a variable here so that you can easily include more information in your save file. Tasker will cover the date and time, but you may add battery level, keylock status, and so much more.

Tap the “+” button to add your next Action.

Select Media.

Select Take Photo.

Under Camera, choose Front.

Under Filename, tap the labels icon and choose your location variable, or just enter it manually. Mine was “%securegps”.

Under Naming Sequence, choose Chronological. This is where it adds the date and time.

De-select the check box to turn off Insert In Gallery.

Select the check box to turn on Discreet. This makes it so that the photo app does not display on the screen, taking the photo in the background.

Feel free to change the Resolution if you desire.

If you see the option called Flash Mode, I suggest turning it off.

Hit the system Back button to save and exit, then hit it again to exit out of the Task.

Now that we have our Task in place, we need to decide how and when to use it. That is a simple decision based on the goal of our project today. So, head on over to the Profiles tab so we can set the trigger for our picture taking Task.

Tap the “+” to add a new Profile.

Name it uniquely and concisely; I called mine “SecurityCam”.


Select Event.

Select Display.

Select Display On. (You could select Display Unlocked, if you suspect your device is being accessed by someone who knows your unlock code/pin/pattern.)

Tap the system back button to save and exit.

From the list of available Tasks, choose your security cam Task; mine was called “SecurityPic”.

That is all there is to it. From here on out, whenever your device is turned on (or unlocked), it will take a quick snapshot of the user accessing it. These photos will be saved in the DCIM/Tasker folder, so be sure to head in there frequently to clean out, if needed.

What’s next

This is obviously not a great Tasker Profile to have running full time, unless you like to see hundreds of awkward photos of yourself, so we should look at creating a trigger to turn on the Profile when needed.

For these purposes, I would like to use a SMS trigger. This really should be a tutorial all its own, but let’s do it.

Create a new Task, name it something like “StartSecurityCam”. Create your task, hit the “+” button, choose Tasker -> Profile Status, tap the label icon beside Name and choose your SecurityCam Profile. Set Set to On. You’re finished here.

Create your Profile, name it as needed. Select Event -> Phone -> Received Text. Although you can mess with the details here, I would recommend simply entering a secret code into the Content field. Keep in mind that if your phone is lost and in the hands of an intruder, they will see this message, so enter something truly unique and inconspicuous. I have entered “Is this HAL?”

Hit the system Back button to exit out, then choose your “StartSecurityCam” Task from the previous step.

What you do now is turn off the SecurityCam Profile. When your device is lost, stolen or you suspect someone is tapping into it behind your back, find a service or another phone to send yourself a text. Be sure to enter the exact phrase entered above. When your phone receives the SMS, the SecurityCam Profile turns on and pictures begin snapping away of the person touching your phone.

You could also look at having your device automatically send a discreet return SMS that includes the GPS coordinates of your phone, to help find it if it is not where it should be. While it is not as easy to send the captured images of your culprit, if you make sure the folder auto-uploads images to a service like Google+ or Dropbox, you will have the date, time, GPS coordinates and a picture to take to law enforcement, or otherwise recover your phone.

Next week

Did we go overboard today with creating a security cam in our Android customization series? I hope not, and I hope that this project saves you some grief over a missing or compromised Android device. Next week, we would like to continue with the idea of recovering a lost phone – besides the lock screen contact info tutorial we had a while back, Google themselves have a tool for you, called Android Device Manager. We’ll be walking through how to set up Android Device Manager on your device, and how to use it from the web.

Do you use any similar type of security measures for your Android devices?

17 best Android VPN apps

Posted by wicked January - 2 - 2015 - Friday

Virtual Private Networks (VPNs) are among the best security tools a web surfer can have. You can use them to surf otherwise seedy public WiFi with more security and privacy. They can even be used to get around firewalls if your work has, say, Facebook blocked. Many people use them to overcome regional restrictions with Google Play content. Whatever the reason, VPNs are powerful tools. Here are the best Android VPN apps!

F-Secure Freedome VPN

[Price: $4.99 per month / $29.99 per year]
First up is F-Secure Freedome VPN. On top of all of the inherent features that a VPN brings, F-Secure also features a very slick and easy interface for those who may not have a lot of experience with VPNs. It also contains a built-in virus scanner for those who want to kill two birds with one stone. It’s simple and comes with a week’s free trial before you need to get the subscription. It also boasts unlimited bandwidth.

Fast Secure VPN

[Price: Free / $2.5 per month / $7.10 for 3 months / $13.00 for 6 months / $16.70 for 12 months]
Fast Secure VPN is another simple VPN. The interface is self-explanatory even if it is a little bit out-of-date. You can connect to various servers based on country which is great for those who need to get around regional restrictions. There is a free version but it’s bottlenecked. Unlocking all of the features requires dealing with Fast Secure VPN’s admittedly confusing pay structure. It’s good for basic stuff like getting around regional restrictions for a bit but those looking for a full featured VPN may want to look elsewhere.

FinchVPN

[Price: Free / $1.61 per month for Pro / $3.21 per month for Premiere]
FinchVPN is another solid VPN option that is somewhat bottlenecked by a complicated pricing scheme. The interface is a splash of Holo which makes FinchVPN easy to use and pleasing to look at. You also get the standard features that all VPN apps get. If you get the pro version, you’ll get 25GB while Premiere members get unlimited. You’ll also get access to the paid servers. There is a free version for those who need basic protection and it has no data restrictions. It’s a solid option.

FlashVPN

[Price: Free]
FlashVPN scales down the VPN experience to its most basic ideas. There is one button to connect and it requires no configuration and you can choose between Japan, England, or US servers. It’s entirely free which is a rarity in the VPN field. Thanks to its bare-bone set up, you won’t get all of the features you may get from larger apps that you have to pay for, but if you just need something simple and quick (and free), this is the ticket.

Hideman VPN

[Price: Free / $1.00 per 10 hours to $9.50 for 100 hours / $2.90 per month / $24.90 per year]
Hideman VPN is one of the more popular, well-known options. It features a more sleek and simple interface than many and uses a unique but still complicated pay structure. You can pay by the hour if you just need something quick like browsing at the airport or you can engage in subscription services by the month or year. It sounds like a rip off, but some people only need VPNs sometimes, and Hideman’s ability to let you pay only when you actually intend to use it, instead of maintaining a subscription for something you may only rarely use, is something unique. It works well for a VPN app and it’s worth checking out.

Hideninja VPN

[Price: Free / $2.99 to remove ads / $19.99 per year for pro version]
Hideninja VPN is another very popular and well-known VPN app on Android and one of the few that carry a very simple pay structure. You can use the free version which gives you access to a limited number of servers with unlimited bandwidth or you can go pro and get everything the app has to offer. The interface is based on Holo so it’s nice and easy to use. The advertising is intentionally and truly obnoxious but if you can get past that, it’s a decent VPN app.

Hotspot Shield VPN

[Price: Free / $4.99 per month / $29.99 per year]
Hotspot Shield VPN is one of the more complete VPN apps on the list. It has some extra features like Smart protection which automatically connects you to a VPN based on what kind of network you’re on. It has a colorful and simple interface and there is a free version as long as you don’t mind limited bandwidth and advertising. The pro version will get unlimited bandwidth and no advertising. Also, bravo to Hotspot Shield for putting the pricing right on the front page of the app. More VPN apps should do that.

OpenVPN Connect

[Price: Free]
OpenVPN Connect is one of the precious few truly free VPNs available on Android. It’s also open source which is always a plus with security apps like this. Most of the apps so far have been the “fire and forget” variety but OpenVPN Connect requires a little more knowledge and, thus, has quite the learning curve. You can do things like import .ovpn profiles and engage in a number of advanced settings. This VPN also uses PolarSSL which was, most notably, not affected by the Heartbleed issue from months back. If you don’t mind getting your hands dirty and actually learning the ins and outs of VPNs, this is a fantastic option. Do note that you’ll need to create and set up an OpenVPN server yourself in order to use this application.

OpenVPN for Android

[Price: Free]
OpenVPN for Android is a branch off of OpenVPN Connect and has a lot of the same functionality. The interface is a bit more friendly compared to the official app but you’ll still need to learn how to set everything up on your own. This app just makes it look less confusing and more modular to help you make your way around. At its very core, OpenVPN for Android and OpenVPN Connect accomplish the same goals in very similar ways and they’re both free so you can’t go wrong with either one. Do note that you’ll need to create and set up an OpenVPN server yourself in order to use this application.

SpeedVPN

[Price: Free]
SpeedVPN is another rare option that is totally free to use. It boasts a simple interface, totally free use, and the ability to use the app without signing up for anything. Each connection is 60 minutes and then you’re kicked off but you can extend or reconnect whenever you want. This is so people who aren’t using the service get kicked off to free up bandwidth for others. The developers expressly state that things like torrent use will get you banned so this is for those who just need to browse the web or do other low-bandwidth activities. For most, that’s more than good enough.

SurfEasy VPN

[Price: Free / $4.99 per month or $49.99 per year for 5 devices / $2.99 per month or $29.99 per year for 1 mobile device]
SurfEasy VPN is a VPN app with a little bit of flair. When initiated it will show you where you appear to be along with your new IP address which, while not overly functional, is a nice visual touch. Free accounts get 500MB per month which should be good enough if all you do is web surf. You can also earn more through things like referrals. Paid accounts get unlimited bandwidth and ad blocking if you prefer.

Tigervpns

[Price: Free / $2.50 for 5GB, $25 for 50GB, $45 for 100GB / $3.50 per month, $10.50 for 3 months, $33.60 per year]
Tigervpns is a “one click” solution that tries to focus on ease of use. Unfortunately, their pricing plans don’t agree with their mission statement but you can get 500MB for free every month if you just need it to surf the web a little bit. It has one of the longer lists of countries available for free users, with 11, and the app is easy to use once you figure out how much you plan on paying for it.

TunnelBear VPN

[Price: Free / $2.99 per month / $29.99 per year]
TunnelBear VPN is probably the most adorable and most user-friendly VPN available. It shows you what’s going on using an animation of a bear tunneling. It’s great for beginners and is functional. It also has a simple, straightforward pricing structure which is refreshing. Free users get 500MB per month so it’s still great for those who need to browse the web a bit and don’t want to pay for it. If you need something simple with a bit of flair and you like bears, this is the way to go.


VPN by Private Internet Access

[Price: Free / $6.95 per month / $39.95 per year]
VPN by Private Internet Access is a VPN app with a no-frills interface but a lot of features. On top of the standard VPN, the app will also help compress data to make your browsing a bit faster. There is a free option that doesn’t require you to make an account but it is extremely basic and you can’t pick what servers you connect to. For pretty much all of the features, you’ll have to buy a subscription which is a little more strict than most. There are more advanced options for pro users as well for those that need that.


VPN Master

[Price: Free / $2.97 per month / $9.93 for a 6-month subscription]
VPN Master is an app that boasts speed, consistent uptime, and loose restrictions on free users. It’s based on OpenVPN so it carries with it many of the same kind of features minus the need to create your own server. While it does boast fast internet speeds, it does strictly prohibit the download of torrents and the like so this is not the thing you want to use for that. There aren’t a whole bunch of servers but the service seems pretty stable which is a good thing for a VPN app.


VPN Viatun

[Price: $1 per month / $5 for 6 months / $9.50 for 12 months]
VPN Viatun carries a sleek interface with all of the basic VPN features you need. The only downside is that aside from a free trial (with a 200MB limit), there is no free version of this app. Thankfully the subscription isn’t expensive. The interface is minimal but it gets the job done and the VPN service does actually function. Other than the basics, the app doesn’t offer much so if you’re looking for simplicity and you don’t mind paying for it, this is a good place to start.


ZPN Connect

[Price: Free / $3.99 per month / $4.99 per month (adds 100GB and one additional user) / $6.99 per month (adds 100GB more and one more additional user)]
Last on our list is ZPN Connect. Unlike most VPN apps, ZPN uses a tiered pricing structure like most mobile service carriers. For $3.99 you get 50GB per month and one user, $4.99 gets you 150GB and two users, and $6.99 per month gets you 250GB per month and three users. The app interface is no-frills but it gets the job done and it contains the basic VPN features that most need. It boasts OpenVPN support and no traffic logging. Free accounts still get 3GB per month which is better than most free accounts.


Wrap up

If we missed any great Android VPN apps or if there is anything wrong with these, let us know in the comments! It’s also important to note that due to the way VPNs are, your mileage will likely vary a great deal. If an app doesn’t work, just try another one.


The 11 biggest hacks and security breaches of 2014

Posted by wicked January - 1 - 2015 - Thursday Comments Off


2014 was a year like no other for technology. Security was on the forefront of many people’s minds, all while Android truly came into its own in the public eye – not just for enthusiasts but for the typical consumer as well. Numerous verticals received the Android treatment, namely in the domain of wearables and the living room, with automobiles and the home not too far behind.

Google’s push to assist us in all aspects of our lives continued its march forward, with the release of the first Android Wear smartwatches, Android TV for the living room, Android Auto for the car and their purchase of Nest, bringing smarts to the home, if only your thermostat and smoke detector, for now. These efforts have been fairly worry free for users, and Google pushes forward making it even more secure with rumors of future integration of Nest with services from the home security provider ADT.

Google and Android are not alone in expanding the offerings of technology around the globe. As more and more of our lives sync across the web, in our push for the internet of things, so too do the risks of a security breach increase.


Although 2014 was not a huge departure from years past in terms of the magnitude and severity of hacks and security breaches, there was an impressive shift in the approach to these attacks.

In previous years it was not uncommon to see security breaches resulting in the loss and exposure of millions of usernames, passwords, credit card numbers and other private user data. These attacks had an air of financial gain for the hackers.

A number of the larger events in 2014 did not seek to attack us as individual users, instead, an idealism behind hacks presented itself, with the target seemingly to free information for the public from governments and large corporations.


Without further ado, here is our list of the top 11 hacks and security breaches of 2014:

11. Secret

The app that allows you to anonymously share your thoughts and confessions was hacked, revealing email addresses and phone numbers of users. Not so anonymous after all.

10. eBay

User information, including usernames, passwords, phone numbers and even home addresses, was compromised for over 145 million users. If you haven’t changed your eBay password since before March, you really should get on that.

9. Tinder


Preying on individuals looking to find their soul mate, seductive photos found their way onto Tinder, but instead of reading a profile and potentially hooking up, users were directed to malware-infected websites.

8. Target 

The large retail chain is popular for its great prices on your average everyday stuff; it is also popular for a major breach at the end of 2013 that bled well into 2014. About 110 million records were compromised, including customers’ personal and banking info, with an estimated total loss for the company coming in, coincidentally, at about $110 million. The scary part about this breach is that it was not a vulnerability of a server or database; hackers managed to install malware on the POS (Point of Sale) machines, directly collecting credit and debit card info as customers swiped to pay.

7. Sony and Microsoft

Christmas day is a great day of the year for many video game enthusiasts, receiving brand new video games to enjoy. However, Christmas day in 2014 saw an attack that brought down both the Sony PlayStation network and the Microsoft Xbox network. As a result, the services were taken offline for as long as three days, leaving all players of cloud-saved games out in the cold.

6. Celebrity iCloud


At least one of these celebrities, from the 2014 Oscars, lost private photos in the 2014 iCloud breach.

Hackers managed to breach Apple’s iCloud service in 2014. The culprits stole hundreds of private photos and videos, and I do mean private, from a long list of celebrities. These images were then released to the world. While the event itself was likely the most embarrassing thing to ever happen to the victims, the reach of this attack sparked the conversation of privacy and even one’s legal rights as they pertain to cloud storage.

5. Snapchat

In the same light as the celebrities in the iCloud attack, hackers managed to score almost one hundred thousand private images and videos from the Snapchat service. While many users shared in a moment of embarrassment all their own, this brought to light the unfortunate and disturbing reality that many of the under-aged users of the service have posted content that has been classified as child pornography.


If I may take a moment to speak to the under-aged users, and the parents of those users, please be aware of how you are using these services. I will not place any moral judgement or opinion here, but please be aware of what actions and content are against the law; there is no need to get into serious trouble that can haunt you for the rest of your life.

4. NSA

While we can debate the ethics of a certain Mr. Edward Snowden’s actions, that’s not what we are here to do; we cannot overlook the impact he has had. The extent to which the NSA has stopped at nothing to grab every single bit of electronically communicated data, both in the US and abroad – regardless of whether it is encrypted or not – is simply staggering. No one can deny that these revelations shocked the world, with massive geopolitical and financial implications for the US and its incumbent tech industries.

3. Heartbleed


If you have ever received instruction on computer usage, I am hoping that your instructor explained the difference between HTTP and HTTPS. While the ‘S’ is there to keep you and your data safe, the Heartbleed bug, found this year, compromises the SSL that is behind the ‘S’ of most websites. The vast reach of this bug did not necessarily mean that you or your data were ever compromised, but if you have not changed your passwords for most of your online accounts in the last 10 months, well, you should change your passwords by this point regardless of the Heartbleed bug.

2. U.S. Dept. of Homeland Security

If you thought that all U.S. governmental agencies took care of their own business in-house, you’d be wrong. A private contractor for Homeland Security was hacked in 2014. The contractor was responsible for conducting high-level background checks of government officials, allowing hackers to walk away with personal information for employees.

1. Sony


Yes, Sony is on the list once again. As the target of a major breach in December 2014, Sony lost a significant amount of crucial data to hackers. Private business affairs, salary info, employee Social Security Numbers, scripts for potential new films, private communications, a few full length movies and more all walked out the door. In all, nearly a full terabyte of information was compromised.

Sony’s breach itself may not have placed it as number one on a list like this if it were not for the circumstances surrounding the event. Sony had a new film scheduled to release on December 25th called The Interview. Due to the nature of this film, many believe that North Korea is responsible for the breach on Sony.

What is more important, and scary, is the follow-up threat by the hackers of terrorist acts upon individual movie theaters, and innocent lives, should they air the film. If nothing else, because of these threats, the hack on Sony almost led to international conflict between nations.


Honorable mentions

With a list like that, it is scary to think that there were more attacks out there in 2014. Sadly, we only scratched the surface of it all. Our honorable mentions list includes a few big ones as well:

  • JPMorgan – The banking firm was hacked, exposing credit card info for more than 80 million Chase bank customers. The ‘attack’ survived for a couple months, dodging all the security checks.
  • Shellshock – Proving that nothing is safe, a vulnerability was identified in Linux and Unix based operating systems, like Apple’s OS X. The Bash injection bug was quickly patched, but proved once again that no system is perfect.
  • LinkedIn – With a little bit of elbow grease, researchers found that faking one’s own address book could trick LinkedIn into revealing actual email addresses of users in their system. Nothing end-of-the-world here, but a patch was issued for our protection.


  • Forbes – Putting your published content behind a pay wall means collecting customer info, which was compromised by the Syrian Electronic Army (SEA), who then posted online all 1,071,963 user email addresses and passwords stolen.
  • Kickstarter – Unaware of any wrongdoing until law enforcement brought it to their attention, a whopping two accounts were maliciously accessed. Of course, Kickstarter’s entire user base had their usernames, email addresses, mailing addresses, phone numbers and encrypted passwords accessed.
  • Network Time Protocol (NTP) – the service that nearly every computer and router uses to keep the clock in sync was found to allow a little code injection of its own. With carefully crafted packets, a hacker could run code with the same permissions as the NTP service. Patches have been issued.
  • European Central Bank – A rather minor breach occurred early in the year, resulting in the theft of customer email addresses, postal addresses and phone numbers.


  • Home routers – An estimated 300,000 home routers have been hacked, resulting in a change to the DNS settings. Look for DNS servers 5.45.75.11 and 5.45.75.36 on your router, as these servers are known to perform man-in-the-middle attacks, providing you fake web results and ads designed to steal your info.
  • Fingerprints – With a fingerprint scanner included on a few high-end smartphones, biometrics appeared to take a giant leap forward for device security. Too bad hackers are now stealing your fingerprints from your photos and defeating the scanners with faux fingerprints, and U.S. courts are determining that law enforcement does not require a warrant to search a fingerprint protected phone. Otherwise, great work manufacturers.


Near miss:

BadUSB – With no known hacks yet found in the wild, a vulnerability was found this year in many USB devices. Called BadUSB, the potential hack allows code to be saved onto a USB device, such as a USB flash drive. The malicious data is even saved such that it is immune to a full formatting of the drive. Scary stuff.

Of course, if you are not scared off, why not check out this how-to article showing how to connect a USB flash drive to your Android device.


Conclusions (how you can be more secure in 2015)

If you are reading this, you obviously have not been scared away from the internet. And you shouldn’t be. There are always lessons to be learned about online security and the rights and obligations of both the users and the companies behind the services, but it still remains true that some common sense will keep you and your data safe and happy.

The topic of security is a dear one for us. We’ve looked at many tools, tips and tricks to keep your devices and your data safe. We even run frequent deals on tools in our AA Store, like Sticky Password Premium from a couple weeks back.

I could ramble on about our other stuff, but I best just link you over to our long list of security related posts from throughout the year, 17 apps to secure your Android device and this great video:

Google, as well as other smartphone OS developers, have taken action within Android to help you stay secure. One option has been available for some time now, but Android 5.0 Lollipop is the first Android release to ship by default with full device encryption. This means that without your password, not even Google can crack into your phone to view your stored data.

While device encryption is a powerful tool, it is not a means to secure your communications over the internet. With this in mind, one might follow my simple rule: if it goes online, there is a chance it can go public. This goes for communications through SMS, chat, email and social media, all the way through to the files you store on your private cloud storage.

Protecting yourself from hacking is also the same formula as yesteryear: change your passwords frequently, and be certain that they are well structured and not easily guessed. Where possible, employ two-factor authentication, just as Google offers through the Authenticator app for Android.


Another great tool that users around the globe have been using not only for security, but for anonymity and as a way to get around regional restrictions, is VPN. VPN is a method of routing your internet traffic through another computer. The result is that the websites you visit believe you are located at the location of the VPN server, instead of your actual location. This really isn’t supposed to be a sales pitch, but we’ve got VPN solutions in our AA store as well.

If all else fails, you might consider looking at the Boeing Black phone; it is designed for government grade privacy, and will be coming soon infused with a little BlackBerry enterprise encryption technology.

What do you think, is online security a personal matter, or should companies, or the government, be doing more to protect us?

Smart Unlock App Brings Trusted Devices Feature To Non Lollipop Devices

Posted by wicked December - 23 - 2014 - Tuesday Comments Off


Are you envious of the Trusted Devices feature introduced in Lollipop? Not content to wait until your OEM updates your phone to Android 5.0? Good news, everybody: XDA recognized developer hazex has recently released an app to the Play Store that can bring this functionality to any Android device running 4.1 and above. Furthermore, if you’re shy of rooting your device, this app will not require you to be rooted!

Hazex and his company, Loading Home, not to be one-upped by Google, are also adding in the ability to add WiFi routers to your list of trusted devices. So even if you’re running Android 5.0, you may want to check out this app simply for that feature. Check out the rest of this article after the break for the app’s link to the Play Store, plus some added information if you’re not quite sure what the Trusted Devices feature is.

Trusted Devices is a feature found on the latest Android OS that lets a device disable the secure lock-screen should certain user-approved conditions be met. A Bluetooth connection to a device like a smart-watch, for example, can be added to your list of Trusted Devices. When your watch is connected to your smartphone or tablet, Trusted Devices will recognize the connection and disable your lock-screen. Please note that it is the connection itself to the smart-watch, not the smart-watch alone, that is added to your list of Trusted Devices. So if the connection is broken, the lock-screen comes back.

Another option is using the GPS of your device to set a secure location, like your home. If you get outside of your trusted location, the lock-screen re-engages.

These types of connections create what’s referred to as a geo-fence for your device. A geo-fence is a term used to describe fencing in your device based on proximity to an area or connection. Should your device wander too far from the perimeter or connection, the lock-screen re-engages. There are some programs and apps out there, like those offered by Avast, that will completely lock-down your device and report it missing should it get outside of the fence; however, so far as I know, Avast only uses GPS. Trusted Devices, on the other hand, merely turns the lock-screen back on.

Note: Be advised that Hazex has said there have been some bugs with regard to Samsung’s Galaxy devices, mainly due to TouchWiz being, well, TouchWiz…

If you’d like to follow Loading Home, check out their Twitter page here. The Smart Unlock app is free for 7 days, then costs $0.99 to keep using after that.


Source: XDA Developer Forums


Boeing enlists BlackBerry to help build their military grade secure phone

Posted by wicked December - 21 - 2014 - Sunday Comments Off


Boeing has long been building aircraft for commercial flight and military application alike, but did you know that they have also been supplying tools for secure communications to the U.S. military and government? Those tools include their self-destructing Boeing Black smartphone.

Taking the Boeing Black to the next level, the Chicago-headquartered company has teamed up with BlackBerry to leverage the Canadian smartphone maker’s BES 12 Enterprise Service software.

BlackBerry has not been on the greatest roll in the last few years. They were once considered innovators in the smartphone industry, but quickly fell off the radar when Android-powered smartphone powerhouses began rapidly iterating their own hardware. Failing to keep up with the specs of the big-name phones from the likes of Samsung, Motorola, HTC, LG and Sony has all but sent BlackBerry to bankruptcy.

Struggles in the hardware market are not the end for BlackBerry.


I was given a lesson once on BlackBerry’s software, with emphasis on the medical industry and enterprise solutions. I know now, 4 years later, that I should have paid more attention. What I do recall is that, at that time, BlackBerry was the only smartphone vendor that was approved through the Canadian medical system’s requirements for secure communications, primarily due to their encryption and data compression techniques.

These tools are, in part, what Boeing will leverage for their Black phone, which itself offers full encryption of voice and data using Boeing’s PureSecure architecture.

The Boeing Black promises to be an interesting beast, for those few that will have the pleasure. They tout it as being tamper proof. Not to say that you can’t crack one of these guys open, but to do so will be very difficult, with epoxies holding things shut and fancy screws with heads that are very tamper evident. Worst of all for would-be bad guys, functions are built into the unit that will trigger a full data wipe and software lockdown, a self-destruct protocol.

Finally, the Boeing Black comes with two SIM slots, so users can securely connect to government networks and commercial networks alike, and an expansion port for things like more power or a satellite hookup. Otherwise, the folks at Boeing and BlackBerry are very tight-lipped about the terms of their collaboration, as you would hope they would be for a U.S. defense and homeland security project.

Do you think BlackBerry should focus on their future as a security software company, or do you think their latest consumer hardware is enough to keep them rolling?

Android customization – how to use LG’s Guest Mode

Posted by wicked December - 12 - 2014 - Friday Comments Off


Last week on our Android customization series, we took to the default Android settings menu to control your display timeout. As an added bonus, we showed you where the automatic security lock lives as well, giving you the simplest and most basic control of your device to make it so that your display stays on longer, if that is what you desire.

Today, we would like to break the ‘good for all’ trend, by looking at an LG specific feature, Guest Mode.

The idea of a guest mode, as we will review today, is not exclusive to LG; Android introduced multiple user accounts a while ago. However, LG’s Guest Mode does not create a full separate user account, as the Android solution does. Guest Mode simply creates a new environment with limited access to apps and features, which operates on top of the existing user account.

Before we get started

There are no downloadable apps to install today, but you will need an LG device that is equipped with Guest Mode. Guest Mode first became popular on the LG G2, but I will be showing it off on a brand new LG Realm. If this $20 phone, running LG’s skin on top of Android 4.4.2 KitKat, can handle Guest Mode, there is a good chance your newer LG device can too.

Finally, Guest Mode requires that you secure your device with the Pattern type security lock. If you are not already using a Pattern to secure your device, you’ll want to set that up now before you can proceed.

Enable and configure LG Guest Mode

If you are still a little unsure of what Guest Mode is on an LG device, be sure to head back to our previous coverage of the LG G2 and Guest Mode itself. The info is a little over a year old, but the premise remains the same.

To enable Guest Mode, simply head on into your main system Settings.

Under the Personal header, choose Guest Mode.

Look for the On/Off toggle switch and turn it on. If you have not yet set Pattern as your lock screen security, you will be prompted to do so now. Without a Pattern in place, Guest Mode will not turn on.


Tap on Set Pattern.

Create a new pattern that will be used by guests to unlock your device. Hit Continue, repeat the pattern and hit Confirm to complete this step.


Last, we need to decide which apps your guests will have access to. At first glance this sounds like a simple task, but keep in mind that Guest Mode is not a unique user account on your device; it is merely a locked down experience using your main account. What this means is that guests will have access to your data in any app that you give them access to.

If you are setting up Guest Mode for your children, so that they can access games on your device without being able to access any other features, your privacy is easy enough to manage. However, if you are handing your device over to someone else, you may be tempted to include apps like a web browser, maps and more.

I will leave it to you to think this through, but here are a couple of quick examples to be aware of: providing access to Google Camera allows a user to view your camera roll. As a more straightforward example, providing access to Gmail does not give them a blank slate to work with; it gives them your Gmail.

Simply tap on Set apps.

Hit the Edit button in the top right corner.

Choose the apps your guests get to use. In this particular LG device, you are limited to 20 app selections.

Tap OK to save and exit.


That is all there is to it. Exit settings and go about your day.

How to use Guest Mode

LG’s Guest Mode is triggered from the lock screen on your device. You will need to turn off your display, and wait for the required time for the auto lock to secure your device. Be sure to look back over last week’s Android customization post if you need a refresher on how to manage this, or the Tasker tutorial on controlling your display, if you are using that.

From the lock screen, enter the Guest Mode pattern you had created earlier.


Once inside, guests are presented with a basic homescreen with icons for the apps you have provided access to. Guests cannot access any other apps, nor can they get to the notification bar or app drawer. Guests can long press each app to re-arrange the layout of the homescreen, but that is about the extent of functionality, aside from running the apps, of course.

When finished, simply turn off the screen and back on again to get back to the lock screen. Enter your normal pattern and go back to your normal use.

One final note: guests cannot access the Recents list, but anything they use will show in your list. This is a simple method to monitor what your guest was up to, if needed. Of course, if you are in the habit of keeping an empty Recents list, this just gives you a handful of apps to swipe away.

What’s next

While LG’s Guest Mode is not the absolute best way to secure your data when handing over your phone to anyone else, it does provide a decent method to allow a trusted user to access an app or two without messing with your stuff.

I would not consider Guest Mode to be secure enough to effectively lock out law enforcement, Customs or a TSA agent, if that becomes a situation for you during any holiday travel this Christmas season.

Next week


We hope that the LG users out there found this week’s Android customization post to be useful. We promise not to make a habit of offering tips and tricks on manufacturer and device specific tools, but we like the simplicity of LG’s Guest Mode, and we thought you would too. Next week, we would like to take a look at a brand new feature in Android 5.0 Lollipop that allows you to take control of your device for your sleeping hours. I hope you’ll join us.

What tools do you use to secure your device when you hand it over to someone else?
