Samsung keyboard app could let a crook crack your phone – Naked Security


Do you have a Samsung phone?

Ryan Welton, a presenter at BlackHat London, has come up with some bad news for you: the keyboard app built in to your device may leave you open to attack.

According to Welton, many Galaxy models on numerous mobile carriers may be at risk, including the S4, S4 Mini, S5 and S6.

Apparently, Samsung phones include a bundled-and-rebadged version of SwiftKey, a popular keyboard app that claims to be cooler and smarter than your average keyboard, making better predictions of what you are going to type next.

Unfortunately, as Welton spotted when he started digging around, as security researchers like to do, Samsung’s variant of SwiftKey, rather blandly renamed to SamsungIME, includes an auto-update “feature”…

…that doesn’t do authentication or integrity.

This is a similar bug to the hole we recently wrote about in Hospira drug pumps, where a researcher found he could upload a firmware update without worrying about verification.

That sort of vulnerability makes it much easier than it ought to be for a crook to feed fake code or data into your device, and ultimately to reprogram it almost arbitrarily.

Welton noticed that Samsung’s IME (Input Method Editor – the techie name for souped-up keyboard software) updates itself via plain old HTTP, using a web request like this:


GET http://skslm.swiftkey.net/samsung/down.../az_AZ.zip

You’d probably expect an update of this sort to use TLS (Transport Layer Security), and thus to go over HTTPS, because TLS is encrypted, and encryption is good.

But, strictly speaking, it’s not so much confidentiality you’re after in this case, because the contents of the update aren’t secret.

Indeed, you can download an APK (Android package) of the original SwiftKey app straight from Google Play and extract it from your phone to examine at your leisure.

NB. SwiftKey’s own app is not affected by this vulnerability. You get SwiftKey for Android from Google Play, along with its updates, so it’s as secure as Google Play.

What really matters are authentication and integrity, so you can convince yourself that the update came from a trusted source, and wasn’t tampered with along the way.

Done properly, TLS (and therefore HTTPS) can provide both these features, but the absence of TLS wasn’t the evidence Welton needed to satisfy himself there was a problem.

After all, the update package itself could have been digitally signed by Samsung, and verified during the update to establish that it had arrived unmodified from Samsung’s official repository.

Indeed, there was some sort of validation done during the update.

But Welton soon found that the “digital signature” was a simple SHA1 hash, specified in what’s called a manifest file:



{
  "name": "English (US)",
  "language": "en",
  "country": "US",
  "sha1": "3b98ee695b3482bd8128e3bc505b427155aba032",
  "version": 13,
  "archive": "http://skslm.swiftkey.net/samsung/down...
  "live": {
    "sha1": "b846a2433cf5fbfb4f6f9ba6c27b6462bb1a923c",
    "version": 1181,
    "archive": "http://skslm.swiftkey.net/samsung/do...
  }
}


Sadly, that manifest file, including the SHA1 hashes, was itself downloaded in an unauthenticated HTTP request, just before the package itself:


GET http://skslm.swiftkey.net/samsung/down.../languagePacks.json

JSON stands for JavaScript Object Notation, a simple, compact, text-based, easily-processed, human-readable file format commonly used for exchanging data between web-based clients and servers. JSON exists so that whenever you find yourself thinking, “I’ll use XML,” you don’t have to.

In other words, if you want to send a modified (or even a totally different) update ZIP file, you don’t have to hack into Samsung first and steal one of its carefully-guarded signing keys.

All you need to do is modify the manifest to match the modifications to your ZIP.

Worse still, Welton noticed that Samsung’s updater runs with the privilege android.uid.system, which means that a hacked ZIP fed in as an update could, in theory, do almost anything, including reading and writing files almost anywhere on the device.

With a bit of work (more accurately, with more than a bit of clever thinking and quite a lot of work) he was able to package up a Trojanised ZIP that would directly run a program of his choice, making this a full-on RCE, or Remote Code Execution vulnerability.

What to do?

• If you’re a Samsung user…

Assuming your phone is vulnerable (Welton has published a partial list), there isn’t a whole lot you can do except try to steer clear of networks you don’t trust, where a crook might try to intercept and hack your traffic.

A Virtual Private Network (VPN) can help, where all your network traffic is encrypted before it leaves your device, “tunnelled” back to a server at head office or at home, and only sent out onto the open internet from there.

The silver lining, if that’s not too strong a way to describe it, is that a crook can’t exploit this hole just whenever he likes: you have to be on his dodgy network when an IME update happens, and he has to notice in time to jump in as a man-in-the-middle.

Unfortunately, however, it seems that the Samsung IME can’t be uninstalled, and it keeps on updating even if you disable it and use a different keyboard instead.

• If you’re a programmer responsible for coding updates…

Don’t take shortcuts when it comes to authenticity and integrity.

An unsigned SHA1 checksum is fine as an initial check that your update wasn’t accidentally corrupted.

(But use SHA2 or SHA3 instead: the world is moving away from SHA1 because it has some cryptographic weaknesses, so it makes sense to drop it now, before someone finds a way to break it completely.)

However, as well as or instead of a plain hash, you need to use a stricter sort of digital signature based on public-key cryptography to validate that the update came unmodified from where you expected.

And even if you use HTTPS/TLS to encrypt your updates, that alone is not enough.

You also need to do what TLS calls certificate validation to confirm the correctness of what you’re downloading.
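
An added example (not from the original article, and not Samsung's or SwiftKey's code) of the check described above: the manifest is accepted only if it carries a valid Ed25519 signature from a vendor key shipped with the app, and only then is the hash inside it compared with the archive. The Entry fields, function names, key pair and pack contents are constructed for illustration, and SHA-256 replaces SHA1 as the article advises.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is a hypothetical manifest record modelled on the article's fields.
type Entry struct {
	Name    string `json:"name"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// manifestFor builds the manifest bytes describing one archive.
func manifestFor(archive []byte) []byte {
	sum := sha256.Sum256(archive)
	m, _ := json.Marshal(Entry{"English (US)", 13, hex.EncodeToString(sum[:])})
	return m
}

// VerifyUpdate trusts the manifest's hash only after its signature verifies.
func VerifyUpdate(vendor ed25519.PublicKey, manifest, sig, archive []byte) error {
	if !ed25519.Verify(vendor, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	var e Entry
	sum := sha256.Sum256(archive)
	if json.Unmarshal(manifest, &e) != nil || hex.EncodeToString(sum[:]) != e.SHA256 {
		return errors.New("archive does not match signed hash")
	}
	return nil
}

// Scenario: genuine update; archive and manifest both replaced; archive replaced alone.
func Scenario() (genuine, rewritten, swapped error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	good, other := []byte("constructed pack v13"), []byte("constructed modified pack")
	m := manifestFor(good)
	sig := ed25519.Sign(priv, m) // done once, on the vendor's build server
	return VerifyUpdate(pub, m, sig, good),
		VerifyUpdate(pub, manifestFor(other), sig, other),
		VerifyUpdate(pub, m, sig, other)
}
func main() { fmt.Println(Scenario()) }
```

The second case is the one the article describes: a manifest rewritten to match a modified ZIP now fails, because rewriting it invalidates a signature that only the holder of the private key can reissue.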

Footnote

According to Welton, Samsung coded a fix for this problem early in 2015, but – as often happens in the Android ecosystem – it’s not clear which devices on which mobile networks have been patched yet.

All you can really do is ask, and we suggest that you do.

But please ask nicely: the more people who ask their phone provider pointedly but politely what has been done, the more likely we will collectively get the answers we need!

Sophos UTM Home Edition

Would you like to run your own Virtual Private Network (VPN) at home, and boost your resilience to man-in-the-middle attacks and coffee-shop snoops?

Try our award winning UTM.

The Home Edition includes all the Sophos UTM features: you get the VPN, as well as email scanning, web filtering, web application security, and everything you need to keep up to 50 devices on your home network secure, 100% free for home use.

If you live in a shared house, or you have children to look out for online, this could be just the product you need.

Better yet, you get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage throughout your household, right from the UTM web console.



Days Gone Game Download for Android


Days Gone is an open-world survival horror and action-adventure video game developed by SIE Bend Studio and published by Sony Interactive Entertainment. Unreal Engine 4 was used for the development of this game. The game is set in a post-apocalyptic Oregon after a global pandemic. A former drifter, Deacon St. John, seeks to survive with the help of his mate by staying in a shelter with resources like food, water, weapons, and booze.

Days Gone Android

App Version: 1.0 BETA
Apk Size: 112 MB
Publisher: Sony
Supported Versions: Android 4.1 and up
App Package: com.sony.daysgone
Content Rating: PG13+

How to Install Days Gone on Android

  • Go to the apk website to download Days Gone APK.
  • Open Days Gone.apk from the download folder on your Android device.
  • Allow an unknown resource to be installed on your phone. You will then get the launcher on your mobile phone; tap on it.
  • Complete the verification process and additional data download. Next, play the game on your mobile.

Gameplay

As I already said, the game is set in a post-apocalyptic environment and the main protagonist is Deacon St. John. The player navigates an open-world setting from a third-person view. The player uses handguns and equipment along with improvised weapons. Stealth is used to protect and defend against hostile humans and creatures.

The player completes his objectives by using stealth mode or assault mode. The weather is dynamic, with a day-night cycle: slow by day, fast by night, with a deeply chilling environment. John’s transportation is a motorcycle, and it is modified with several parts to enhance speed and durability. As a player, you need to defend yourself against threats, as it is a survival-horror game. Take care of your vehicle, because you need to travel to different locations, clear the bandit camps and freak dens, and kill zombies.


Game Features

The game features a muddy and disturbed environment with zombies and firefighters. The graphics are good, and the story is interesting with the necessary action. The game's background music is good and apt to the environment. John’s character is well designed, especially his facial features, which are angry and sullen when it comes to his personal life. His wife has been divorced and claimed to be dead.


Days Gone PS4

Players can experience epic gameplay with additional features. They can play the game with their earned weapons, NERO boosters, skills, collectibles, and more. You can play NG+ on any mode: easy, normal, hard, or survival. Additionally, players can earn new trophies and new weapons from several modes.

Days Gone PC

Players begin a new journey on PC. They have two challenge modes, Survival Mode and Challenge Mode. Players can play the main story, and they can also access new game content. The Survival I and Survival II modes are difficult to play because enemies are harder, indicators are removed, there is no fast travel, and the gameplay environment is highly tense. In Challenge mode, there are 12 different challenges available. The player needs to fight zombies and freaks and take part in bike races to climb up the leaderboard. The player can earn credits to unlock bike skins and characters.


Download Modern Critical Warfare action offline games 2018 APK 0.0.2j for Android


World of Warcraft Action Offline

The World of Warcraft is all set to release its newest epic, the Modern Critical Strikes package that promises to be an expansion pack for World of Warcraft, and one that many are expecting to be well worth the money spent on it. As always, Blizzard Entertainment will be releasing a new patch with this new game, and it will be essential for players to make sure they are up to date on this before downloading and installing the latest patch. Not only will the new game add a number of new levels and additional content, it will also include brand new equipment for the characters in the game, as well as a brand new system for playing “PvE” and “PvP” online. Here are some of the details about the exciting new addition to World of Warcraft:

There are currently over a dozen World of Warcraft massively multiplayer online role-playing games available, but only one of them offers players the chance to truly enjoy the highly addictive action that is the staple of modern critical combat, with a number of unique settings and combat mechanics that are not found in other MMORPGs. STJ Games, Incorporated has developed a number of fantastic arcade style mobile games, and now they have decided to bring this excellent content to life on the Android platform. As with the other versions of the Modern Critical Strike series, users will find that the touch screen interface is easily navigable, and that Android users will really enjoy the various little details that have been added to this popular action-adventure game. A great deal of the fun comes from the new arcade style level design that Blizzard has used, and players will have a good amount of fun figuring out how to defeat the ever growing numbers of enemies that appear on screen.

This all adds up to an exciting prospect for avid World of Warcraft players around the world, and it looks as though the company is gearing up for a number of new releases, including perhaps the return of the Lich King. With the success of STJ games on consoles, it’s only a matter of time before the PC version becomes available. Of course, the success or failure of STJ depends on whether or not the player base continues to grow as rapidly as the developer hopes it will. As you might expect, the success of STJ depends very much on the user base, which would seem to indicate that there are a lot of people out there who play this game. Whether or not they can enjoy it on their PC is another matter entirely.


How to download PUBG Mobile 1.6, android and iOS


PUBG Mobile 1.6: How to download PUBG Mobile 1.6 on your android and iOS, Download Link and Step by step guide

After the massive success of the PUBG Mobile 1.5 Update, Krafton has given PUBG Mobile players another reason to be excited. The much-awaited PUBGM 1.6 update is live for players globally with new maps, weapons, vehicles, and many other cool features. Players can download the game on their mobile devices from the Google Play Store (Android) and Apple App Store (iOS). Sometimes users face problems while downloading the game, but don’t worry, we have you covered. In this article, we cover all the steps to download the PUBG Mobile 1.6 Update APK and OBB file on your mobile.


PUBG Mobile 1.6 Update: PUBG pros and enthusiasts alike can download the game and enjoy the new features on their mobile. If you don’t have PUBG Mobile on your device and want to download it on your Android device, please head over to the Google Play Store to install the game. If you are having any problem downloading the game from the Google Play Store, we have got you covered. We bring the download link of the PUBG Mobile 1.6 Update APK and OBB file, from where you can download the game on your device.


PUBG Mobile 1.6 Update APK and OBB file: Step by step guide to install


PUBG Mobile 1.6 APK & OBB Global Version Download Link and Step by step guide?

Step 1: To begin the installation process, players need to download the APK file from the given link.

Step 2: After the download is complete, players need to enable the “Install from unknown source”. Ignore this step if done already.

Step 3: Locate & Install the downloaded APK file on your device

Step 4: After installation, open the game & download all the necessary resources. Once the process has completed, players may restart the game & enjoy the all-new Titan theme at the battlegrounds.
