Squeezing the numbers and facts of Google’s annual Android security report

Monday, April 24, 2017

Last month Google published its third annual security report on Android’s security protections, aiming to send a clear message to the world about mobile malware (or Potentially Harmful Applications (PHAs), as they like to call them): devices, apps, and Android users are safer than ever. And the entire Android ecosystem is now more secure.

Sending positive messages is fine, but it is good to be realistic as well; that is what makes us all improve. We have squeezed some of the numbers and facts included in the report and concluded that it is hard to believe the Android ecosystem is actually as secure as Google claims: the terminology used is not clear, and some of the numbers shown do not line up with each other.

It is all about “malware” definitions
According to the report, PHAs are “applications that could put users, user data, or devices at risk”. This includes, among many others, trojans, spyware, and phishing apps. That is fine, but, as Google itself recognizes, “we are also less strict in our definition of certain PHAs than some users expect. A classic example is advertising spam, which we define as an app that pushes advertising to the user in an unexpected way, such as on the device home screen or lock screen”. This means Google does not count aggressive adware as a PHA, even though it is the most common problem for Google Play users. There is no definition of aggressive adware in The Google Android Security Team’s Classifications for Potentially Harmful Applications. How harmful can this “advertising spam” or aggressive adware be? We do not know. Some so-called advertising campaigns ended up rooting the device. Leaving it out definitely makes the numbers go down, and it is perhaps one of the gaps that antivirus companies and Google play with.

Latch and IoT, a perfect symbiosis

Wednesday, April 19, 2017

The Internet of Things stopped being the future to become our present. It’s rare that on any given day we do not interact in one way or another with an IoT device: the radio we use in the mornings, the camera that “takes care” of our baby, the heart rate monitor/watch that we use when we go running or the car that takes us to work. IoT is almost everywhere.

Figure 1: Latch plugin video for Mosquitto

Limiting the use scope of our secrets in Latch with “Limited Secrets”

Wednesday, April 12, 2017

When creating a Latch app as a developer, Latch provides us with an application identifier (appId) and a secret.

These two keys allow us to sign the requests sent to the API, in order to ensure that we are the legitimate owners of that app.

Example of app ID and secret in an application.

ElevenPaths is now a NoMoreRansom.org associated partner

Sunday, April 9, 2017

Ransomware has a severe impact for IT companies and users. The increasing popularity of this security threat along with the profitable business for criminals make ransomware one of the most urgent and complex cybersecurity challenges nowadays. In this context NoMoreRansom (NMR) initiative has gained prominence and nine months after the launch it has received considerable attention from law enforcement and private partners belonging to the cybersecurity sector.

The www.nomoreransom.org platform has a clear mission: on one hand, to support ransomware victims and enable them to get their files back without paying the criminals; on the other hand, to share information among law enforcement agencies so that attackers can be legally tracked. ElevenPaths brings its expertise in this field, developing and offering tools to the NMR alliance. The work of its innovation and lab area has allowed the company to become part of the alliance as one of the seven associated partners, alongside Avast, Bitdefender, Poland's CERT, Check Point, Emsisoft and Kaspersky.

ElevenPaths creates an addon to make Firefox compatible with Certificate Transparency

Monday, March 27, 2017

Certificate Transparency will be mandatory in Chrome for new certificates in late 2017. This means that Chrome will show an alert for webpages protected by certificates that are not present in the logs it checks by that time. No other browser supports Certificate Transparency yet. Mozilla is on its way to making it work, but there is no official release date. ElevenPaths has created an addon to cover this feature.

Checking the SCT embedded in our certificates

Certificate Transparency is a new layer of security on top of the TLS ecosystem. Sponsored by Google, it basically requires every issued certificate to be logged (in special, publicly auditable servers), so an attacker who wants to create a rogue certificate faces a dilemma: if the rogue certificate is not logged, that raises eyebrows; if it is logged, that allows faster detection. A certificate is considered "logged" if it carries an SCT (Signed Certificate Timestamp). The SCT is given to the owner of the certificate when it is logged, and the browser has to verify that it is genuine and current. This is exactly what Chrome has been doing for a while now. Now Firefox, thanks to this plugin, is able to check the SCT of certificates. But there is good news and bad news:

This is how Chrome checks the SCT

The good news

Our addon, created in cooperation with our lab in Buenos Aires, works with most known logs. It does not matter which log the SCT comes from: we can check it, because we have included the public key and address of basically every log known so far:

Google 'Pilot', Google 'Aviator', DigiCert Log Server, Google 'Rocketeer', Certly.IO, Izenpe, Symantec, Venafi, WoSign, WoSign ctlog, Symantec VEGA, CNNIC CT, Wang Shengnan GDCA, Google 'Submariner', Izenpe 2nd, StartCom CT, Google 'Skydiver', Google 'Icarus', GDCA, Google 'Daedalus', PuChuangSiDa, Venafi Gen2 CT, Symantec SIRIUS and DigiCert CT2.

This makes our solution quite complete but...

The bad news

An SCT may be delivered in three different ways:
  • Embedded in the certificate.
  • As a TLS extension.
  • In the OCSP response.
From a plugin's technical perspective it is not easy to reach the TLS or OCSP layer and check the SCT there, so for now our plugin only checks for an SCT embedded in the certificate itself. Although not ideal, this is the most common scenario: most certificates carry their SCT embedded.
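To make the "embedded" case concrete, here is an added example (not code from the ElevenPaths addon) that parses the SignedCertificateTimestampList found in the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2, as defined in RFC 6962, and matches each SCT's log ID (the SHA-256 of the log's public key) against a table of known logs. The log keys, the sample SCTs and the timestamp are all constructed placeholders, not the real keys or data of any log named above; extracting the extension bytes from a real certificate and verifying the SCT signature against the log's key are left out.

```python
import hashlib
import struct
from datetime import datetime, timezone

# TLS SignatureAndHashAlgorithm codes, reused by RFC 6962 for SCT signatures.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

# Constructed "known logs" table. A CT log ID is SHA-256 over the log's
# DER-encoded public key; these key bytes are placeholders, not real keys.
PLACEHOLDER_LOG_KEYS = {
    "example-log-A": b"constructed-public-key-bytes-for-log-A",
    "example-log-B": b"constructed-public-key-bytes-for-log-B",
}
KNOWN_LOG_IDS = {hashlib.sha256(k).digest(): name
                 for name, k in PLACEHOLDER_LOG_KEYS.items()}


def parse_sct(item: bytes) -> dict:
    """Parse one v1 SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    if len(item) < 47:  # version + log_id + timestamp + ext len + sig header
        raise ValueError("SCT too short")
    if item[0] != 0:  # only version v1 (value 0) exists
        raise ValueError(f"unsupported SCT version {item[0]}")
    log_id = item[1:33]
    timestamp_ms, = struct.unpack("!Q", item[33:41])
    ext_len, = struct.unpack("!H", item[41:43])
    pos = 43 + ext_len  # skip the (usually empty) extensions field
    if pos + 4 > len(item):
        raise ValueError("truncated SCT extensions")
    hash_alg, sig_alg = item[pos], item[pos + 1]
    sig_len, = struct.unpack("!H", item[pos + 2:pos + 4])
    signature = item[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len or pos + 4 + sig_len != len(item):
        raise ValueError("bad SCT signature length")
    return {
        "log_id": log_id,
        "log_name": KNOWN_LOG_IDS.get(log_id),  # None when the log is unknown
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature": signature,
    }


def parse_sct_list(data: bytes) -> list:
    """Parse the OCTET STRING payload of extension 1.3.6.1.4.1.11129.2.4.2:
    a 2-byte total length, then a sequence of 2-byte-length-prefixed SCTs."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    total, = struct.unpack("!H", data[:2])
    body = data[2:]
    if len(body) != total:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SCT length")
        item_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        item = body[pos:pos + item_len]
        if len(item) != item_len:
            raise ValueError("truncated SCT")
        scts.append(parse_sct(item))
        pos += item_len
    return scts


def is_well_formed(data: bytes) -> bool:
    """True if the extension payload parses; a malformed list is a red flag."""
    try:
        parse_sct_list(data)
        return True
    except ValueError:
        return False


def summarize(data: bytes) -> list:
    """(log name or 'UNKNOWN LOG', ISO timestamp) per SCT. An SCT from an
    unknown log cannot be checked and should not count toward a CT policy."""
    return [(s["log_name"] or "UNKNOWN LOG", s["timestamp"].isoformat())
            for s in parse_sct_list(data)]


# --- Constructed sample input: a tiny encoder so the example runs offline ---

def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Encode one v1 SCT with empty extensions and sha256/ecdsa codes."""
    body = (bytes([0]) + log_id + struct.pack("!Q", timestamp_ms)
            + struct.pack("!H", 0) + bytes([4, 3])
            + struct.pack("!H", len(signature)) + signature)
    return struct.pack("!H", len(body)) + body


SAMPLE_TS = 1490572800000  # 2017-03-27T00:00:00Z, constructed
SAMPLE_SCTS = [
    build_sct(hashlib.sha256(PLACEHOLDER_LOG_KEYS["example-log-A"]).digest(),
              SAMPLE_TS, b"\x30\x06\x02\x01\x01\x02\x01\x02"),  # placeholder sig
    build_sct(b"\xff" * 32, SAMPLE_TS, b"\x30\x00"),  # ID of no known log
]
SAMPLE_LIST = struct.pack("!H", len(b"".join(SAMPLE_SCTS))) + b"".join(SAMPLE_SCTS)

if __name__ == "__main__":
    for name, ts in summarize(SAMPLE_LIST):
        print(f"{name:14s} {ts}")
```

In a real check the parsed log ID selects the log's public key, and the signature is verified over the TLS-encoded `digitally-signed` structure built from the precertificate and timestamp; the table of log IDs is what limits which SCTs an addon can vouch for, which is why the list of supported logs above matters.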

More bad news: plugins have to be validated by Mozilla before being published in its addons store. Once uploaded, a plugin goes into a queue, and if it contains "complex code" it may stay there longer so that Mozilla can do a better job reviewing its security and quality. After waiting for more than two months, we have decided not to wait any longer. The queue seems to be stuck for days on end, and there is no hope of it moving faster. Mozilla reviewers are working as hard as they can, but they cannot deal with so many addons as fast as they would like to; we thank them anyway. That is why we have decided to distribute the addon outside the addons store. Once it gets reviewed and released there, we will let you know.

The addon is available from here.

To install it, just drag and drop the file into a new tab.

Or, from the extensions menu, open settings and choose "Install Add-on From File".
