IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Google has delayed its Android encryption plans because they're crippling people's phones


Google is delaying plans to encrypt all new Android phones by default, Ars Technica reports, because the technical demands of encryption are crippling people's devices.

Encryption slowed down some phones by 50% or more, speed tests show.

In September 2014, Google — along with Apple — said that it planned to encrypt all new devices sold with its mobile OS by default. This means that unless a customer opted out, it would be impossible for anyone to gain access to their device without the passcode, including law enforcement (or Google itself).

This hardened stance on encryption from tech companies came after repeated revelations about the NSA, GCHQ and other government spy agencies snooping on ordinary citizens' data.

Default encryption has infuriated authorities. One US cop said that the iPhone would become "the phone of choice for the paedophile" because law enforcement wouldn't be able to access its contents. UK Prime Minister David Cameron has floated the idea of banning strong encryption altogether — though the proposal has been slammed by critics as technically unworkable.

Apple rolled out default-on encryption in iOS 8 back in September. Google's Android Lollipop system was first released in November — but because the phone manufacturers, rather than Google itself, are responsible for pushing out the update, it can take months for a new version of the OS to reach the majority of consumers.

But as Ars Technica reports, Lollipop smartphones are now finally coming to the market, and many do not have default-on encryption. So what's the reason? The devices couldn't actually handle it.

Speed tests show that even Google's flagship phone, the Google Nexus 6, suffers serious slowdown when encryption is turned on. A "random write" test measuring writing data to memory showed that the Nexus 6 performed more than twice as fast with encryption switched off — 2.85MB per second as compared with 1.41MB per second with it on. The difference was even more striking in a "sequential read" test to measure memory reading speeds. An unencrypted device achieved 131.65MB/s; the encrypted version managed just 25.36MB/s. That's a third of the speed of even the Nexus 5, the previous model, which came in at 76.29MB/s.

As such, Google is now rowing back on its encryption stance. Its guidelines now say that full-disk encryption is "very strongly recommended" on devices, rather than the necessary requirement promised. Users can still encrypt their devices (even if it slows them down), but it won't happen by default.

Google says it still intends to force it in "future versions of Android".



930 Million Android Devices at Risk?


Information security experts are calling on Google to rethink its patch priorities after it confirmed that it will no longer update a critical component that runs on Android 4.3 "Jelly Bean" and older devices. As a result, 61 percent of all Android smartphones and tablets - or about 930 million devices - will be running a version of Android that contains known vulnerabilities that an attacker could remotely exploit to seize control of the device or steal the data it stores, according to data security firm Rapid7.


At issue are the versions of WebView, which is used by Android to render Web pages, that are present in pre-Android 4.4 devices. Rapid7 researchers say that after finding and reporting a newly discovered vulnerability in older versions of WebView to Google's security@android.com team, Google responded that it was not going to issue a related patch.

Google says that if it receives a patch for older versions of WebView from a third party, it will distribute it to anyone who develops Android distributions. But Google says it no longer plans to create and distribute its own patches for such flaws. "If the affected version [of WebView] is before 4.4 [KitKat], we generally do not develop the patches ourselves but do notify partners of the issue," Google's e-mail to Rapid7 says. "If patches are provided with the report [from a third party] or put into AOSP [Android Open Source Project] we are happy to provide them to partners as well."

But Rapid7, citing data published by market researchers Gartner and Strategy Analytics, says Google's policy will leave the estimated 930 million mobile devices that run pre-KitKat versions of Google's open source Android operating system at risk, because they will be stuck running outdated - and vulnerable - versions of WebView. Device manufacturers could, theoretically, issue related patches themselves, but to date they have not done so.

A Google spokeswoman declined to comment on Rapid7's report.

Numerous hardware and software developers stop issuing updates for their products after they have been on the market for a specified period of time. But today, only 37 percent of in-use Android devices run version 4.4 of the operating system - introduced in November 2013 - and just 1.5 percent run the most recent version 5 - code-named Lollipop - according to market research firm Net Market Share.

In other words, 61 percent of still-in-use Android devices won't be receiving WebView updates from Google, and thus could be at risk from "mass-market exploits" designed to seize control of millions of devices at once, says Tod Beardsley, who's the technical lead for the Metasploit open source penetration testing framework, which is maintained by Rapid7.

"This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy," Beardsley says in a blog post. "Unfortunately, this is great news for criminals," because it gives them potential new ways to penetrate devices, implant malware, steal data or intercept communications.

Beardsley says that in the past year, two researchers have discovered nearly a dozen exploits in WebView - most of which affect versions of the component that run on Android 4.3 "Jelly Bean" and earlier devices - and that Metasploit currently ships with 11 exploits for known WebView flaws.

Newer WebView Auto-Updates

WebView is a widely used Android component. Indeed, Google's developer guide encourages Android developers to use WebView "to deliver a Web application - or just a Web page - as a part of a client application." Google's developer documentation further outlines a number of scenarios in which it might be employed, ranging from retrieving an end-user agreement or user guide from inside an app, to accessing any type of information that requires an Internet connection, such as retrieving e-mails.

When Google introduced Android 4.4 KitKat, it debuted a new, stand-alone WebView component, based on its Chromium open source project, that was decoupled from the Android operating system. "The new WebView includes an updated version of the V8 JavaScript engine and support for modern Web standards that were missing in the old WebView," Google's developer documentation states.

From a security standpoint, the big-impact change was the ability - now found in all modern browsers - for WebView to be automatically updated by Google. In other words, thanks to Google uncoupling WebView from the innards of the Android operating system, WebView updates can be piped directly to all users of Android 4.4 and newer, just as Google does with any other app that's available via the Play Store and Google Play services, news site Android Police reports.

Here is why that change is good: Many Android devices run a version of the operating system that's customized by whichever OEM produces the device. As a result, every time Google releases an Android operating system update, the OEM has to test the update, then create a customized version for its devices. Thanks to the newer version of WebView, however, Google can now directly update that component on all Android 4.4 and newer devices, without the OEM having to build the patch into their version of Android and then distribute it to their users.
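The article's point is that the patch status of WebView depends on which Android version a device runs: before 4.4 it is the OS-bundled component that Google no longer patches, while on 4.4 and newer the article states that Google can push updates through Play. The following is an added example, not code from the article, from Google or from Rapid7, showing how an app that embeds WebView (for instance to display a user guide, as the developer documentation suggests) can apply that distinction defensively: it detects a pre-KitKat device, reports which System WebView package version is installed, and on legacy devices refuses to render remote content at all. The class name WebViewGuard, the method names and the bundled asset path offline_notice.html are assumptions made for this illustration; the Android APIs used (Build.VERSION, PackageManager.getPackageInfo, WebSettings) are standard.

```java
// Added example (not from the article, Google or Rapid7): a defensive guard an
// Android app can apply before loading content into a WebView.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class WebViewGuard {
    // Package name of the separately installed Android System WebView.
    private static final String SYSTEM_WEBVIEW_PKG = "com.google.android.webview";

    // Hypothetical bundled page shown instead of remote content on legacy devices.
    private static final String OFFLINE_ASSET = "file:///android_asset/offline_notice.html";

    private WebViewGuard() {}

    /** True when the device predates Android 4.4 (API 19) and therefore runs the
     *  OS-bundled WebView that, per the article, no longer receives Google patches. */
    public static boolean usesLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /** Returns the installed System WebView package version name, or null when the
     *  package is not present (the usual case on pre-4.4 devices). Useful for
     *  logging or for an IT inventory of which WebView build a device actually runs. */
    public static String installedWebViewVersion(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(SYSTEM_WEBVIEW_PKG, 0);
            return info.versionName;
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    /** Applies restrictive settings, then loads either the remote URL (Play-updated
     *  WebView) or a bundled offline page (legacy WebView that cannot be patched). */
    public static void hardenAndLoad(Context ctx, WebView webView, String remoteUrl) {
        WebSettings s = webView.getSettings();
        // Least privilege for the rendering surface on every version: no file-system
        // access, no content-provider access, and no JavaScript unless the page needs it.
        // Assets under file:///android_asset remain loadable with file access disabled.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setJavaScriptEnabled(false);

        if (usesLegacyWebView()) {
            // The bundled WebView will not be fixed, so do not expose it to content
            // fetched from the network; show only content shipped inside the app.
            webView.loadUrl(OFFLINE_ASSET);
            return;
        }
        // On 4.4 and newer the article says WebView is updated by Google directly,
        // so rendering remote content is an acceptable risk for this app.
        webView.loadUrl(remoteUrl);
    }
}
```

Call WebViewGuard.hardenAndLoad(context, webView, url) in place of a direct webView.loadUrl(url). The version gate is deliberately coarse: it cannot tell whether an OEM shipped its own WebView fix for an older device, so it errs on the side of treating every pre-4.4 WebView as unpatched, which matches the situation the article describes.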

Android Is Open Source

But the question of whether it's right for Google to cease updating older versions of WebView, an important component that still runs on nearly 1 billion Android devices, remains. Rapid7's Beardsley notes that Android is technically an open source project, and that OEMs could, in theory, obtain patches for newly discovered flaws in older versions of WebView from third parties. But he says that to date, the OEMs that do patch Android have relied on updates issued directly from Google. "The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business," he says. "After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?"

Some OEMs have a relatively good track record at keeping customers' Android devices updated with the latest security fixes. But others rarely - if ever - release security patches for devices.

With Google ceasing to update a core component of Android that runs on pre-4.4 versions, the risks to users will only increase, Beardsley warns. "Please reconsider, Google," he says. "As a software developer, I know that supporting old versions of my software is a huge hassle. I empathize with their decision to cut legacy software loose. However, a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives."

