80% of Android Apps Use TLS to Encrypt Traffic

Back in 2018, Google announced that beginning with Android 9, it would prevent apps from using unencrypted connections by default. As of December 2019, Google notes that 80 percent of all apps in the Google Play store use TLS, and that rises to 90 percent of all apps targeting Android 9 and higher.

Android 7 (API level 24) introduced the Network Security Configuration in 2016, allowing app developers to configure the network security policy for their app through a declarative configuration file. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain.

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default.

Since November 1 2019, all app (updates as well as all new apps on Google Play) must target at least Android 9. As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.

That last sentence is a bit concerning. If app developers want to explicitly make their apps communicate through unencrypted connections, that’s fine, but as far as I can tell there is no way that consumers are made aware of this.

Just as modern browsers warn me that the website I’m visiting doesn’t use encryption, Google should inform users when they are using apps that do so as well. I’d be happy with a notification on the Google Play store page for such apps that “This app sends network traffic over unencrypted channels” or something like that.

(Yes, users could set up a packet analysis tool to look at the data their phone is sending, but they shouldn’t have to do so).

Fooling The Samsung Galaxy S10 Ultrasonic Fingerprint Scanner

Someone has put up a post on imgur claiming to demonstrate unlocking a Galaxy S10 by 3d printing a fingerprint based on an image of the fingerprint,

First I simply took a photograph of my fingerprint on the side of a wine glass. I used my smartphone to take this picture, but it’s certainly not out of the question to use a long focal length DSLR camera to snag a fingerprint image from across a room…or further.

I then pulled the image into Photoshop and increased the contrast, and created an alpha mask.

I exported that over to 3ds Max and created a geometry displacement from the Photoshop image which gave me a raised 3d model of every last detail of the fingerprint.

I popped that model into the 3D printing software and began to print it. This was printed using an AnyCubic Photon LCD resin printer, which is accurate down to about 10 microns (in Z height, 45 microns in x/y), which is more than enough detail to capture all of the ridges in a fingerprint.

As the author of the post notes, if a smartphone is stolen, it is likely that a fingerprint of the owner will be found on the phone itself (especially if the user is repeatedly touching a specific area of the screen to unlock it, as someone using the ultrasonic fingerprint reader would be doing).

It Is 2019, and ESPN Still Doesn’t Give a S— About Its Users’ Security

Why the f— is ESPN still not using TLS in 2019? This is extremely irresponsible behavior from a company owned by one of the largest media companies in the world (Disney). There are zero excuses for putting its users at risk this way.

The Citrix Hack and Password Spraying

Somebody made off with terabytes of data from Citrix, and one of the interesting tidbits from Citrix’s press release about the breach is speculation that the hackers used “password spraying,”

While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.

The Secret Security Wiki provides additional information about how password spraying attacks work,

Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked-out, as commonly used account-lockout policies allow for a limited number of failed attempts (typically three to five) during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single commonly used password (such as ‘Password1’ or ‘Summer2017’) against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Clever. With access to enough account usernames, somebody somewhere in an organization is likely to have practiced poor password hygiene.

Android’s Real Security Problem

Cameron Summerson makes an excellent point about the latest Android vulnerability: Android’s real security problem is the manufacturers,

Currently, manufacturers are doing a terrible job of protecting their users, full stop. While not getting full OS updates (or even point releases) is annoying at best, not getting security updates is unacceptable. It sends a message that can’t be ignored: it says that your phone manufacturer doesn’t care about your data. Your info isn’t important enough for them to protect.

Security updates aren’t huge like full OS updates or even point releases. They’re released monthly by Google, so they’re much smaller and easier to bake into the system—even for third-party manufacturers. Again, there’s no real excuse not to make this a priority.

Carriers also play a significant role in slowing down Android updates. All of these companies that are more than happy to take consumers’ money seem reticent to do beyond the bare minimum to make sure they’re protected on the devices and networks they choose.

As Duo Security notes, the result of this insanity is that “90 percent of Android devices were not on the latest security patch released 26 days prior.”

People Are Still Using Crappy Passwords in 2018

SplashData looked at the passwords of 5 million accounts that were leaked by various breaches in 2018, and found that many users are still using very simple, easy-to-guess passwords.

The top 10 most common passwords, for example, were:

  1. 123456
  2. password 
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567 
  8. sunshine
  9. qwerty
  10. iloveyou

According to SplashData, 2018 is the fifth year in a row that “123456” and “password” were #1 and #2 respectively on their list of common passwords based on analysis of breaches in that year. SplashData offers sensible steps to better create and manage passwords,

1. Use passphrases of twelve characters or more with mixed types of characters.

2. Use a different password for each of your logins. That way, if a hacker gets access to one of your passwords, they will not be able to use it to access other sites. 

3. Protect your assets and personal identity by using a password manager to organize passwords, generate secure random passwords, and automatically log into websites.

But, fundamentally, the systems that are in widespread use these days are far too difficult for end users to easily secure.