troll – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Mon, 22 Feb 2016 02:48:08 +0000

Android’s Leaky Sandbox | Tech Talk Today 35
https://original.jupiterbroadcasting.net/63377/androids-leaky-sandbox-tech-talk-today-35/
Wed, 30 Jul 2014 09:31:13 +0000

The post Android's Leaky Sandbox | Tech Talk Today 35 first appeared on Jupiter Broadcasting.


An Android flaw from 2010 allows any app to break out of the Android sandbox. But is it really a threat in practice? We’ll dig in.

The podcast patent troll takes it on the nose, and some highlights from the GNOME development conference this week.


Show Notes:

Android crypto blunder exposes users to highly privileged malware | Ars Technica

This is the issue in a nutshell.

The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.

The app simply needs to claim it's Adobe Flash, and it gets to break out of the sandbox.


The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.

Google’s Response to Ars

After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

The Reality of the Situation

First, a patch has been sent to OEMs and AOSP, but with Android’s abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed. This means two things.

First, that there are no applications in Google Play that exploit this issue. If you stick to Google Play, you’re safe from this issue, period. No ifs and buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.

A new Android design error discovered by Bluebox Security allows malicious apps to grab extensive control over a user’s device without asking for any special permissions at installation. The problem affects virtually all Android phones sold since 2010.

The vulnerability in the Android code that allows “Fake ID” in was first noticed in the now dormant Adobe Flash integration, which had been present since 2010 and was only patched with the arrival of Android 4.4 Kitkat earlier this year. The flaw is so deeply embedded in Android that it can affect all forks of the Android Open Source Project including Amazon’s Fire OS.

Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.

Podcasting patent troll: We tried to drop lawsuit against Adam Carolla | Ars Technica

In a statement released today, Personal Audio says that Carolla, who has raised more than $450,000 from fans to fight the case, is wasting their money on an unnecessary lawsuit. The company, which is a “patent troll” with no business other than lawsuits, has said Carolla just doesn’t care since his fans are paying his lawyers’ bills.

“Adam Carolla’s assertions that we would destroy podcasting were ludicrous on their face,” said Personal Audio CEO Brad Liddle. “But it generated sympathy from fans and ratings for his show.”


According to Personal Audio, they’ve lost interest in suing podcasters because the podcasters—even one of Adam Carolla’s size—just don’t make enough money for it to care.

“[Personal Audio] was under the impression that Carolla, the self-proclaimed largest podcaster in the world, as well as certain other podcasters, were making significant money from infringing Personal Audio’s patents,” stated the company. “After the parties completed discovery, however, it became clear this was not the case.”


Personal Audio also says it has a patent covering playlists.


Personal Audio has already dropped its lawsuits against two other podcasting defendants from the case (Togi Net and How Stuff Works) apparently without getting paid anything.

The patent company is charging ahead with its patent case against the big three television networks, CBS, NBC, and ABC. Personal Audio is trying to wring a royalty from those companies for releasing video “episodic content” over the Internet.

In response, Carolla sent Ars a statement saying he’ll continue to pursue counterclaims against Personal Audio, seeking to invalidate the patent “so that Personal Audio cannot sue other podcasters for infringement of US Patent 8,112,504.” Lotzi (Carolla’s company) has already “incurred hundreds of thousands of dollars in fees and expenses to defend itself” against the Personal Audio patents.

GUADEC 2014, Day Four: Hardware, New IDE for GNOME | Fedora Magazine

The fourth day of GUADEC was devoted to hardware and its interaction with desktop. The first talk was “Hardware Integration, The GNOME Way” by Bastien Nocera who has been a contributor to GNOME and Fedora for many years.

Performance Testing on Actual Hardware

Owen Taylor talked on continuous integration performance testing on actual hardware. According to Owen, continuous performance testing is very important. It helps find performance regressions more easily because the delta between the code tested last time and the code tested now is much smaller, thus there are much fewer commits to investigate.

He noted that desktop performance testing in VMs is not very useful which is why he has several physical machines that are connected to a controller which downloads new builds of GNOME Continuous and installs them on the connected machines. The testing can be controlled by GNOME Hardware Testing app Owen has created. And what is tested?


Here are currently used metrics:

  • time from boot to desktop
  • time to redraw entire empty desktop
  • time to show overview
  • time to redraw overview with 5 windows
  • time to show application picker
  • time to draw frame from test application
  • time to start gedit

Tests are scripted right in the shell (JavaScript) and events are logged with a timestamp. The results are uploaded to perf.gnome.org. In the future, he’d like to have results in the graph linked to particular commits (tests are triggered after every commit), have more metrics (covering also features in apps), assemble more machines and various kinds of them (laptops, ARM devices,…).


Builder: a new IDE for GNOME

The last talk of the day was “Builder, a new IDE for GNOME” by Christian Hergert. Christian started the talk by clearly stating what Builder is not intended to be: a generic IDE (use Eclipse, Anjuta, MonoDevelop,… instead). And it most likely won’t support plugins. Builder should be an IDE specializing in GNOME development.

Here are some characteristics of Builder:

  • components are broken into services and services are contained in sub-processes,
  • uses basic autotools management,
  • source editor uses GtkSourceView,
  • has code highlighting, auto-completion,
  • cross-reference, change tracking,
  • snippets,
  • auto-formatting,
  • distraction free mode.
  • Vim/Emacs integration may be possible.
  • The UI designer will use Glade and integrate GTK+ Inspector.
  • Builder will also contain resource manager, simulator (something similar to Boxes, using OSTree), debugger, profiler, source control.

After naming all Builder’s characteristics Christian demoed a prototype.

For Later Reading Pick:

Feedback:

Hey Guys at Jupiter Broadcasting. Just wanted to put a bit more info to you that I saw on Tech Talk Today about the Copyright Act that’s being brought into Australia. Someone mentioned that “Netflix could come in” and make some serious money. Netflix would be awesome if our Internet Infrastructure wasn't at a maximum of 12Mbps speeds (if you are lucky).

On a good day (and I've got some of the best net here) I get around 8Mbps down. Netflix wouldn’t be viable because it wouldn't be available to even 30% of the country. We have Foxtel (like SKY / Cable) which is Premium Paid TV and costs a FORTUNE. It’s still not viable.

In regards to the Copyrighting, the Government also has it all wrong. The number one reason that I am always told by people I know as to why they pirate TV shows, movies and games, is that the pricing of this stuff over here is unbelievable. For instance, the box set of Star Trek: The Next Generation will cost you over US$250 if you convert the costs, depending if it's on special / discount or not.

Either way, you guys were spot on. Keep up the great work, love the show, and a big shoutout from Australia! CRIKEY! (We don't actually say that, so don’t get fooled by the stereotype.) And no, I don’t have a pet kangaroo (not anymore).

With Apologies to Texas | CR 69
https://original.jupiterbroadcasting.net/43867/with-apologies-to-texas-cr-69/
Mon, 30 Sep 2013 10:53:49 +0000

The post With Apologies to Texas | CR 69 first appeared on Jupiter Broadcasting.


Mike and Chris chew on the major problems patent trolls are creating for small and large development shops.

Then it’s a race to the bottom for software prices, and the guys have a few theories on what, if anything, developers can do to carve out a living.


— Feedback —

— Dev Hoopla —

Unfortunately, Apple has just been booted out of court. As Ars Technica explains, the federal judge overseeing the Texas case ruled that Apple’s motion only applies to seven specific app maker defendants — and Lodsys has just reached settlements with all seven.

As reported by GigaOm, Martha Stewart Living Omnimedia (MSLO) has filed a complaint in a Wisconsin federal court against Lodsys. The patent trolling company had apparently contacted Stewart’s corporation, claiming that four of her iPad magazines infringed on a number of Lodsys patents and asking for $5,000 for each offending magazine to license the allegedly infringing technology. Unlike the small app developers that Lodsys typically preys on, however, Stewart’s company isn’t interested in playing ball. The civil action filed this week asks the court for a “declaratory judgement” against Lodsys — MSLO wants the court to affirm that none of its iPad magazines infringe upon any of Lodsys’ patents.

The Personal Audio lawsuit that is furthest along is its case against CBS, NBC, HowStuffWorks, and TogiNet. It’s scheduled for trial in 2014. TogiNet, the least-known defendant in that group, is based in Tyler, Texas. It seems likely that the company was added to Personal Audio’s litigation to maintain venue in the Eastern District of Texas.

In May, the Electronic Frontier Foundation had a successful fund-raiser to fight Personal Audio’s podcasting patent at the US Patent and Trademark Office. “We’re preparing a petition challenging the so-called ‘podcast’ patent and will be filing it soon,” said EFF attorney Daniel Nazer.

After Realmac Software had released Clear for iOS 7 as a new paid app, the outcry from existing users quickly made them change their mind about the pricing model. Now they are offering the iOS 7 upgrade for free to existing Clear users on the iPhone, while only charging for the new universal app. This in turn caused other developers to complain about Realmac Software for giving in and participating in the downward price spiral.

— Tool of the Week —

Napkin is the ultimate tool for concise visual communication. Painlessly create visual notes and diagrams and share the results quickly.

Browser War 2.0 | CR 44
https://original.jupiterbroadcasting.net/35031/browser-war-2-0-cr-44/
Mon, 08 Apr 2013 11:36:29 +0000

The post Browser War 2.0 | CR 44 first appeared on Jupiter Broadcasting.


Blink, a new fork of WebKit announced by Google, looks to reignite the age-old browser war, but this time around Mike and Chris think it’s only going to hurt developers, support personnel, and end users.

Plus the return of a notorious patent troll, and you won’t believe what they are claiming this time. Betting on the OUYA, a big batch of your emails, and much more!


— Show Notes —

Feedback

  • Khalil shares some more disappointing USC news
  • Nick writes in asking if SPAs are crazy? And is looking for tips on how to influence the technical direction of his company without stirring the pot.
  • Juris has been coding nights and weekends but does not work in IT and would like to make the leap. But how?
  • Lots of Play! feedback.
  • Tushar doesn’t feel that the cloud is “ready yet” and has some questions about the Qt license.
  • Krasi’s email: Trying something New

Dev World Hoopla

Lodsys: Patent troll Lodsys sues 10 mobile game makers, despite Apple’s intervention
Chrome gone wild!
Ouya Smackdown: Ouya review: can an indie console take on Sony and Microsoft? | The Verge

Pick of the week:

Trolling | FauxShow 84
https://original.jupiterbroadcasting.net/18596/trolling-fauxshow-84/
Wed, 04 Apr 2012 21:20:51 +0000

The post Trolling | FauxShow 84 first appeared on Jupiter Broadcasting.


Angela and Chris celebrate all things trolling! From famous videos, comics, jokes, and much more! Enjoy all things trollish in this very special FauxShow!


Show Notes:

Wiki Definition: https://en.wikipedia.org/wiki/Troll_%28Internet%29

Urban Dictionary Definition: https://www.urbandictionary.com/define.php?term=trolling

Know Your Meme Definition: https://knowyourmeme.com/memes/subcultures/trolling

Meme – An image, video, etc. that is passed electronically from one Internet user to another.

Earworm – A catchy song or tune that runs continually through a person’s mind.

Top Trolls: https://www.thinkdigit.com/Internet/Top-10-Trolls-in-Internet-History_3261.html

Trolling To Do List: https://artoftrolling.files.wordpress.com/2012/03/internet-troll-the-list-of-the-art-of-trolling.jpg

Troll Symbol: https://4.bp.blogspot.com/-GPidNKEy7qY/Ta6t-FnADKI/AAAAAAAAAG0/KhZu3mU9rHc/s1600/IMG_8304.JPG

Trolling Song: https://trololololololololololo.com/

XKCD: https://xkcd.com/351/

Rick Roll: https://www.yougotrickrolled.com/

Pink Fluffy Unicorns: https://www.youtube.com/watch?v=eWM2joNb9NE

Pink Fluffy Unicorns Cover: https://www.youtube.com/watch?v=9kF2WoF17Z4&feature=related

Tweet Leaks: https://www.youtube.com/watch?v=98E2hfxF8oE

Coke: https://i2.kym-cdn.com/photos/images/original/000/000/374/AccidentallyUniverse.jpg

Coke Story: https://www.vortux.net/blog/645/i-accidentally-a-whole-coca-cola-bottle-is-this-bad

How to spot A Troll? https://blog.getsatisfaction.com/2011/04/27/infographic-the-hard-knock-life-of-an-internet-troll/?view=socialstudies

Laws: https://gizmodo.com/5898585/itll-soon-be-illegal-to-troll-in-arizona
NYtimes: https://twitter.com/nytonit
Bill Clinton: https://twitter.com/PimpBillClinton

Troll birthday: https://acidcow.com/pics/16172-how-to-troll-your-son-4-pics.html

Grandma: https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/425698_263646133720848_106043532814443_591047_1528332519_n.jpg

https://artoftrolling.memebase.com/

Favorite: https://artoftrolling.files.wordpress.com/2012/04/internet-troll-mindtrick.jpg

Yikes, links to some of the “infamous” troll sites: https://lolshock.com/

Ang’s Minecrafting video this week: https://youtu.be/vfnUolyq2uo
