Tag: software integrity

Should the Android platform be exclusively dependent on the Google Play app store for software?


A question that is appearing for Android users is whether software developers can sell software independently of Google Play

Over the last few months, Epic Games released their Android port of Fortnite in a manner that is very unusual for a mobile-platform app. Here, they released this port of the hit game as an APK software package file that is downloaded from their Website and installed on the user’s Android device as if the user were installing a program on a regular Windows or MacOS computer. This allows them to maintain control over the sale of game additions and similar merchandise without having to pay Google a cut of their turnover. Or it could allow them to maintain control over the software’s availability, such as issuing beta or pre-release versions of software or simply offering highly demanding software like action games to devices known to perform at their best with the software.

The Android platform has a default setting of disallowing software installations unless they come from the Google Play Store or the device manufacturer’s app store. This is a software-security setting to prevent the installation of software that has questionable intent on your Android device. But the “regular” computer platforms have implemented other approaches to allow secure installation of software thanks to their heritage of being able to install software delivered on package media or from download resources like the software developer’s Website or a download site. It also caters towards the role that regular computers play in the course of business computing where line-of-business software is being installed on these systems by value-added resellers and solutions providers.

This question will become more real as the Android platform is taken beyond mobile devices and towards the smart TV like with NVIDIA Shield or recent Sony smart TVs. It could also appeal towards other “smart devices” like network printers that are based on the Android software codebase where there is a desire to add functionality through an app store.

Recent efforts that Microsoft, Apple and the open-source community have taken to protect our regular computers include software-authenticity certification, least-privilege execution, sandboxing and integrated malware detection. In some cases, there is the ability for users to remove software-authenticity certificates from their regular computer in case questionable software was deployed, as highlighted with the Lenovo Superfish incident.

Similarly, these operating system vendors and many third parties have developed endpoint-security software to protect these computers against malware and other security threats.

Google even introduced the Google Play Protect software to the Android platform to offer the same kind of “installed malware” detection that Windows Defender offers for the Windows platform and Xprotect offers on the MacOS platform. Samsung even implements Knox as an endpoint-protection program on their Android devices.

Android does maintain its own app store in the form of the Google Play Store but allows device manufacturers and, in some cases, mobile-phone service providers to create their own app store, payment infrastructure and similar arrangements. But it is difficult for a third-party software developer to supply apps independent of these app stores including creating their own app store. This is more so for app developers who want to sell their software or engage in further commerce like selling in-game microcurrency without having to pay Google or others a cut of the proceeds for the privilege of using that storefront.

Android users can install apps from other sources but they have to go into their phone’s settings and enable the “install unknown apps” or a similar option for them to install apps from sources other than the Google Play Store or their OEM’s / carrier’s app store.

What could be done for the Android platform is to support authenticated software deployment that uses the same techniques as Microsoft and Apple use with their desktop and server operating systems. It can also be augmented with the creation of authenticated app stores to allow software developers, mobile carriers, business solutions providers and the like to implement their own app stores on the Android platform. The authentication platform would also require the ability for end-users to remove trusted-developer certificates or for certificate authorities to revoke these certificates.

It could allow for someone like, for example, Valve or GOG to operate a “Steam-like” storefront which is focused towards gaming. Or an app developer like Microsoft could use their own storefront to sell their own software like the Office desktop-productivity suite. Then there are people courting the business segment who want to offer a hand-curated collection of business-focused apps including line-of-business software.

But there would have to be some industry-level oversight regarding certified apps and app stores to make it hard for questionable software to be delivered to the Android ecosystem. This also would include app stores having to make sure that their payment mechanisms aren’t a breeding ground for fraud in its various forms.

A common question that will crop up regarding alternative app stores and developer-controlled or third-party-controlled app-level certification is the ability to purvey apps that have socially-questionable purposes like gambling or pornography. Here, the Android ecosystem will have to have the ability to allow end-users to regulate the provenance of the software installed on these devices.

At least the Fortnite software-distribution conversation is raising questions about how software is delivered to the Android mobile-computing platform and whether this platform is really open-frame.

Security flaw found in HP laptop audio driver software – how to fix it

Article


Check that your driver software is up to date on these HP business laptops.

HP issues fix for ‘keylogger’ found on several laptop models | ZDNet

Keylogger Found in Audio Driver of HP Laptops | BleepingComputer

From the horse’s mouth

Hewlett-Packard

Download site – identify your computer’s model number in the form on this site to obtain a list of the relevant software

My Comments and further information

Just lately, a security weakness had been found in the Conexant HD Audio driver software that was delivered to a large number of recently-issued HP business-tier laptop computers. It may also affect some of their consumer-focused laptops that run this driver. Let’s not forget the reality that some of you may have one of the affected HP business laptops as a consumer-tier computer, perhaps due to buying an ex-lease or surplus unit. This weakness affects driver versions 10.0.46 and prior versions.

The problem manifests with the MicTray64 program that comes with this software package. Here, it is a keyboard monitor that listens for particular keystrokes in order to allow the user to control the computer’s integrated microphone. But, thanks to debug code being left in the production release of this software, the software becomes a keylogger, writing keystrokes to a cleartext logfile (MicTray.log) in the Users\Public folder on the computer’s system drive.

But what is a monitor program for those of you who want to know? It is a program that “listens” to activity from or to a peripheral for a particular event then instigates a pre-defined activity when a particular event occurs. In most cases, you see these programs in operation when you use a printer or scanner with your computer and they show up a print-job status message when you print or catch scan jobs you started from your scanner’s control surface.

If you have this version of the Conexant HD Audio driver software on your HP business laptop, you may have to use Task Manager to kill the MicTray64 keyboard-monitor process, as well as removing it from the Scheduled Tasks list. It may also be worth moving the MicTray64.exe file out of the Windows\System32 folder and the MicTray.log file out of the Users\Public folder on the system disk to somewhere else on your computer’s file system and see if the computer is still stable and, if so, delete those files.

An update that rectifies this problem has been made available on the HP.com driver download site but should also be made available through Windows Update. This will be available on Wednesday 10 May 2017 (US Pacific Time) for those machines made since 2016 and on Friday 12 May 2017 (US Pacific Time) for systems made during 2015.

HP may have software installed on these systems to check for newer versions of the software drivers, which may simplify the process of updating your computer’s drivers and firmware.

This is symptomatic of a situation where driver software and system firmware are rushed out the door without being checked that they are production-ready and good-quality software. This software ends up as part of the distribution software image that comes with newer computer equipment, including appearing on the recovery partition of your computer’s system disk.

A good practice is to check your computer manufacturer’s Website for newer drivers and firmware for your computer at regular intervals and install this software. This practice will allow you to have a computer that runs in a more secure and stable manner, perhaps gaining some extra functionality that answers current requirements along the way.

August responds to its smart lock’s security weaknesses by patching its software

Article

IoT manufacturer caught fixing security holes | The Register

Here’s what happened when someone hacked the August Smart Lock | CNet

My Comments

The Internet Of Things, along with network hardware focused at consumers and small businesses, has been considered a thorn in the side of people who are involved with data security. This is because of a poor software-maintenance cycle associated with these devices along with customers not installing new software updates for these devices.

Recently, at the DEFCON “hack-a-thon” conference in Las Vegas, a few of the smart locks were found to have software weaknesses that made them vulnerable.

But August, who makes one of these smart locks which are retrofitted to existing “bore-through” single-cylinder tubular deadbolts, answered this issue in a manner that is considered out-of-place for the “Internet Of Things”. Here, they issued software patches to rectify these security issues and offered them as a user-downloadable firmware update.

What is a sad reality for a lot of these devices is that the manufacturer rarely, if at all, maintains the firmware that runs these devices. Some manufacturers think that this practice is about having to “add functionality” to these devices which they would rather do with subsequent models or product generations. But this kind of updating is about making sure that the software ecosystem associated with the product is secure and stable with all the “bugs” ironed out. Similarly, it is also about making sure that the product is complying with industry standards and specifications so as to work properly with other devices.

August uses the latest iterations of their smartphone apps to deploy the firmware updates to their products, typically requiring that you place your phone with the app running near the door that is equipped with these locks.

The computing security industry and computing press congratulated August on responding to the security weakness in its products through a firmware update with “The Register” describing it as being beyond the norm for the “Internet Of Everything”. But they wanted more in the form of them disclosing the nature of the threats in the lock’s firmware in a similar manner to how Microsoft, Google or Apple would disclose weaknesses in their operating-system software.

This issue also applies to home-network equipment like routers, along with toys and games that connect to the Internet. What is being called for is a feedback loop where bugs and other software deficiencies in all these devices are called out and a simplified, if not automatic, in-field software-update process takes place whenever newer firmware that answers these problems is released. This also includes the manufacturers disclosing the security issues that have been found and explaining to customers how to mitigate the risks or update the affected software.

Dealing with the bloatware that comes with your computer

Article


Being able to keep stock of the software that comes with your laptop or all-in-one computer can prevent unwanted conduits to your data.

Windows PC makers hang customers out to dry with flawed crapware updaters | PC World

My Comments

A common issue with laptop and all-in-one computers sold through the popular retail channels is the supply of “bloatware” or “crapware” with these computers. This is typically low-value software including trial or demo packages that are pre-installed on consumer-grade computers but doesn’t necessarily include drivers or manufacturer-supplied software that enables the particular features that the computer has. I have covered this issue before in relationship to the Superfish software that Lenovo had furnished with some of their consumer-focused laptops.

This can also apply to software delivered on a CD-ROM with retail-pack system parts, peripheral devices or consumer-electronics devices like digital cameras or keyboards. Some of the software is ostensibly supplied as a way to give the customer a “foot in the door” when it comes to a particular function or computing task, which tends to apply to trial versions of desktop security software or entry-level video editors and DVD / Blu-Ray playback software.

This wouldn’t necessarily happen with computer systems supplied to big businesses or contractor-supplied equipment because it is easier for these customer groups to call for a standard operating environment when they purchase their technology. Similarly, the traditional desktop computers that are built and sold by independent computer stores and dedicated computer-store chains aren’t as likely to be full of the “bloatware”.

The key issue that has been raised is the poor quality-assurance that occurs when it comes to supplying and maintaining this software. Here, there isn’t a secure path for software delivery, especially whenever the software is updated or upgraded to a paid-up premium version. The software can be substituted by a man-in-the-middle attack that can be easily facilitated on an unsecured public-access Wi-Fi network. As well, there isn’t any way to verify the authenticity of the software updates, that is, whether what is actually delivered as part of the update is the software that was intended to be delivered.

This is part of the culture associated with the low-value software that the OEMs are paid to deliver with the systems that they sell to consumers and small businesses, but can affect the device drivers and functionality-enablement software.

Respected software names like Microsoft and Apple implement a secure delivery path for both server-to-device delivery and backend data transfer. As well, they implement a digitally-signed manifest (“shopping list” of files to be substituted in an update) and digitally-verified software files so that the programs can’t be altered surreptitiously.

Dell and Lenovo implement a TLS secure path for the software-manifest delivery while Lenovo implements a digitally-signed software manifest. But these policies are not applied across a manufacturer’s product line.

What can we do?

The best practice for consumers, small businesses and community organisations to do is to “strip back” the bloatware that isn’t being used. Most such software can be uninstalled through the “Programs and Features” option in the Windows Control Panel or through the uninstall routine in the software. Preferably, they should keep just the drivers and functionality software on their system.

On the other hand, they could facilitate a supervised semi-automatic software update for the OEM-supplied software and do this on their home or small-business network. If they are using any of the third-party software that has been provisioned by the OEM, it may be a better idea to visit the software developer’s Website and draw down newer versions of that software from there.

What is needed for OEM-supplied software update processes

If an OEM wishes to provision extra software with a computer, peripheral or consumer-electronics device; they need to make sure that this software is of high-quality, and respects customers’ security, privacy and data sovereignty wishes.

This includes a secure software-maintenance policy such as:

  • a secure software-delivery path with latest standards and protocols between the device and the software-provisioning servers and the software distribution backbone
  • digitally-signed software files and update manifests with verification occurring before and after delivery
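The signed-manifest approach described above, with verification before and after delivery, as an added example that is not code from the article or from any OEM's updater. It assumes a demo-only RSA key built from two Mersenne primes so that it runs on the Python standard library alone; the file names and contents are constructed.

```python
import hashlib
import hmac
import json

# DEMO-ONLY signing key (assumption of this example): RSA built from two
# Mersenne primes so the block runs offline on the standard library alone.
# A real updater uses a vetted crypto library and a pinned vendor public key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, vendor side only
K = (N.bit_length() + 7) // 8          # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


class UpdateRejected(Exception):
    pass


def encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign(message: bytes) -> int:
    return pow(encode(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    return 0 <= signature < N and pow(signature, E, N) == encode(message)


def publish(files: dict) -> tuple:
    """Vendor side: hash every file, then sign the serialized manifest."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    manifest = json.dumps({"files": hashes}, sort_keys=True).encode()
    return manifest, sign(manifest)


def check_manifest(manifest: bytes, signature: int) -> dict:
    """Client, before delivery: parse nothing until the signature verifies."""
    if not verify(manifest, signature):
        raise UpdateRejected("manifest signature invalid")
    return json.loads(manifest)["files"]


def check_payloads(expected: dict, delivered: dict) -> list:
    """Client, after delivery: each listed file must arrive and match its hash."""
    if set(delivered) != set(expected):
        raise UpdateRejected("delivered file set differs from manifest")
    for name, data in delivered.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected[name]):
            raise UpdateRejected("hash mismatch: " + name)
    return sorted(delivered)


def try_update(manifest: bytes, signature: int, delivered: dict) -> str:
    try:
        files = check_payloads(check_manifest(manifest, signature), delivered)
        return "installed: " + ", ".join(files)
    except UpdateRejected as err:
        return "rejected: " + str(err)


# Constructed sample update; names and contents are made up for illustration.
SAMPLE = {"updater.exe": b"vendor updater v2", "audio_driver.sys": b"vendor driver v2"}
SWAPPED = dict(SAMPLE, **{"updater.exe": b"payload substituted on open Wi-Fi"})

if __name__ == "__main__":
    manifest, sig = publish(SAMPLE)
    print(try_update(manifest, sig, SAMPLE))              # genuine update
    print(try_update(manifest, sig, SWAPPED))             # file swapped in transit
    print(try_update(publish(SWAPPED)[0], sig, SWAPPED))  # manifest rewritten too
```

A TLS path alone protects only the transfer; the signature is what still rejects the update when the manifest and the files are both replaced.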

Third-party software developers who wish to package software with a computer system should be required to maintain this software to the same standard as what would be expected if they sold the software to customers themselves or through a traditional retailer. This includes allowing a person to upgrade from an OEM version to a premium version or instigate a subscription through their storefront rather than the OEM’s storefront.

A clear reality surfaces with the Internet Of Things

Article

A tight healthy operating software update cycle can keep routers and other devices from being part of botnets

Hacked Shopping Mall CCTV Cameras Are Launching DDoS Attacks | Tripwire – The State Of Security

My Comments

What is being highlighted now is that devices that are normally dedicated-purpose devices are becoming more sophisticated in a way that they are effectively computers in their own right. This was highlighted with some network video-surveillance cameras used as part of a shopping mall’s security armour.

What had happened was that these cameras were found to be compromised and loaded with malware so that they also are part of a botnet like what commonly happened in the 2000s where multiple computers loaded with malware were used as part of zombie attacks on one or more targets. In a similar way to a poorly-maintained computer, they were found to run with default passwords of the “admin – admin” kind and were subject to brute-force dictionary attacks.

AVM FRITZ!Box – self-updating firmware = secure network infrastructure

The article’s author highlighted that there needs to be work done concerning dedicated-purpose devices, whether they are the network-infrastructure devices like routers or devices that are part of the “Internet Of Everything”.

Here, the devices need to run constantly-updated software, which is something that is considered necessary if the device is expected to have a long service life. The best example would be some of the routers offered to the European market like the Freebox Révolution or the AVM Fritz!Box where they receive constantly-updated firmware that at least can be downloaded at the click of an option button or, preferably, automatically updated like what happens with Windows and OS X and what is done with recent iterations of the AVM Fritz!Box firmware.

As well, a device’s setup routine should require the user to create secure credentials for the management interface. In some cases, if a device is part of a system, the system-wide management console could exchange system-specific access credentials with the member devices.

What has commonly been said is that the Internet of Things needs to face a severe security incident as a “wake-up call” for such devices to be “designed for security”. This is similar to the way incidents involving desktop computing, the Internet and mobile computing have served a similar purpose, like the way Windows has implemented privilege escalation on an as-needed basis since Windows Vista.

HP integrates secure firmware practices into their enterprise laser printers

Article

HP adds protection against firmware attacks to enterprise printers | PC World

My Comments

An issue that has become a reality with dedicated-purpose devices like printers, network infrastructure hardware and the Internet Of Everything is making sure these devices run software that isn’t a threat to their users’ safety and security and the integrity of their users’ data.

Most device manufacturers tackle this through a regular software-update program but this requires users to download and deploy the newer firmware which is the software that runs these devices. It is also the same path where, in some cases, these devices acquire extra functionality. AVM, a German network-hardware manufacturer, took this further by providing automatic updating of their routers’ firmware so users don’t have to worry about making sure their router is up to date and secure.

But Hewlett-Packard have approached this issue from another angle by implementing watchdog procedures that make sure rogue software isn’t installed and running on their devices. Here, the printers implement a detection routine for unauthorised BIOS and firmware modifications in a similar manner to what is implemented with business-grade computers. This effort is based on their experience with developing regular computers including equipment pitched at business and government applications.

Here, the printer validates the integrity of its BIOS during the start-up phase and loads a clean known-to-be-good copy of the BIOS if the software in the machine is compromised. Then, when the machine loads its firmware, it uses code-signing to verify the integrity of that firmware in a similar manner to what is done with most desktop and mobile operating systems. The firmware also implements an activity checker that identifies if memory operations are “against the grain” similar to well-bred endpoint-protection software. The watchdog software will cause the machine to restart from the known-to-be-good firmware if this happens.

Initially this functionality will be rolled out to this year’s LaserJet Enterprise printers and MFCs with any of the OfficeJet Enterprise X or LaserJet Enterprise machines made since 2011 being able to benefit from some of this functionality courtesy of a software update. There is a wish for this kind of functionality to trickle down to the consumer and small-business desktop printers that HP makes.

What I like about this is that HP has put forward the idea of continual software integrity checking into embedded and dedicated devices. This isn’t a cure-all for security issues but has to be considered along with a continual software-update cycle. Personally, these two mechanisms could be considered important for most dedicated-purpose device applications where compromised software can threaten personal safety, security or privacy; with the best example being Internet routers, modems and gateways.