security

While far from exciting, as it won't bring any new features, Microsoft is rumored to be working on an update to fix fraudulent SSL certificates in a hacking attempt that took aim at many web browser. Microsoft just published a security advisory on the issue to address the bogus SSL certs. As Bruce Cowper, manager of the Microsoft Trustworthy group states:

This is not a Microsoft security vulnerability; however, one of the certificates potentially affects Windows Live ID users via login.live.com...These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against end users. We are unaware of any active attacks.

Microsoft has since patched Internet Explorer against the attack is reportedly mulling over an update, even possibly an over-the-air (OTA) one for Windows Phone, though nothing is certain at this point. No time line was given either. It will be interesting to see if Microsoft utilizes the OTA update capability for Windows Phone, a feature which was originally thought to be used for adding copy/paste but has since taken a back seat due to reliability concerns.

Edit: For those curious about SSL certs and how they work, see VeriSign

Source: WinRumors

Yesterday, the Android market had 21 applications pulled by Google and force-removed from users' devices due to them containing an exploit called 'rageagainstthecage'. And while Google successfully and quickly pulled the software from the market and from devices ("kill switch"), those 21 apps were downloaded over 50,000 times (bigger market, bigger target).

It was bound to happen. We've been bombarded for years about the threat of computer viruses, exploits, Trojans, etc. and if there was ever a viable target today, Android would be it. It has an open market (no approval processes), huge market share and one heck of a hacker community. How serious is the exploit? Our sister site Android Central says:

rageagainstthecage...opens the door for the app to do anything with your data -- like send it to a remote server. Of course with root it can do much worse as well.

If you installed any of these applications, they should have been pulled off your phone, but that's not enough. You need to do a full system wipe and reset your phone completely, the data wipe and reset from settings may not be enough. This means ODIN, RUU's, .sbf files or a trip to your carrier store if this is beyond your capabilities.

Mind you, all 21 apps were uploaded by one person. Going further, Android Police, who originally broke the story says

...it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.

Egads. While we hope nothing too nefarious has happened, it goes to show that having a regulated Marketplace, like Windows Phone, where the code is checked for such things can be quite valuable when compared to what Android users are now facing. Will this become a regular occurrence? What will Google do to address the problem? It will be interesting to see in the next couple of days the fallout from this breach.

Location sharing is a key component to Windows Phone 7. From apps to photos, your location is used with regularity when you access your Windows Phones. Curious about how location based services are used, in conjunction with Data Privacy Day 2011 (January 28, 2011), Microsoft commissioned a study on various aspects of these services.

The 1,500 person survey was conducted in December of 2010 and involved consumers in the U.S., Japan, Canada, and Germany. The survey found that only 51% of the participants had used location-based services but that 94% found them to be valuable. 84% of those surveyed were worried about the services sharing their location without permission.

More after the break.

Awhile back, we first broke the news about Windows Phone 7 and the tough protection scheme Microsoft has implemented to prevent piracy. Specifically, private keys (PVKs) which are tied to the hardware and need to server-authenticate. This hurdle would prevent non-approved devices from accessing all LIVE services and severely limit device functionality. Interestingly enough, just weeks later this was confirmed by team DFT, who were attempting to hack WP7 to the aging (but versatile) HTC HD2.

Fast-forward today and it is being claimed (not yet demonstrated) that certain aspects of PVK has been breached. But, like before, they're still far from a viable implementation. Pocketnow has summarized this as follows:

Several different methods are being attempted to bypass the limitation, including the search for a so-called "corporate key," which would essentially be a universal PVK for large-scale activations. Unfortunately, because all devices are security-flashed at the factory, such a key may not even exist. Secondly, overseas developers -- beyond the reach of Microsoft legal, apparently -- are said to be hacking the different bits of the device-side authentication piecemeal, but because of the unusually intricate security measures employed by Redmond, "it doesn't really look good" according to our source.

What does this all mean? In reality, that nothing has changed. While porting portions of the WP7 OS to the HD2 is doable, attempting everything is and will remain very difficult. So difficult in fact, it begs the question if this is worth all the effort. At least here in the U.S., with a new Samsung Focus fetching for $99 without 3rd party sales, WP7 hardware seems cheap enough to negate the value of hacking a broken but new OS onto the HD2.

Source: PocketNow