The latest update to Google’s Smart Lock app on iOS means you can now use your iPhone as a physical 2FA security key for logging into Google’s first-party services in Chrome. Once it’s set up, attempting to log in to a Google service on, say, a laptop, will generate a push notification on your nearby iPhone. You’ll then need to unlock your Bluetooth-enabled iPhone and tap a button in Google’s app to authenticate before the login process on your laptop completes. The news was first reported by 9to5Google.
Two-factor authentication is one of the most important steps you can take to secure your online accounts, and provides an additional layer of security beyond a standard username and password. Physical security keys are much more secure than the six digit codes that are in common use today, since these codes can be intercepted almost as easily as passwords themselves. Google already lets you use your Android phone as a physical security key, and now that the functionality is available on iOS it means that anyone with a smartphone now owns a security key without having to buy a dedicated device.
The new process is similar to the existing Google Prompt functionality, but the key difference is that Smart Lock app works over Bluetooth, rather than connecting via the internet. That means your phone will have to be in relatively close proximity to your laptop for the authentication to work, which provides another layer of security. However, the app itself doesn’t ask for any biometric authentication — if your phone is already unlocked then a nearby attacker could theoretically open the app and authenticate the login attempt.
According to one cryptogopher working at Google, the new functionality makes use of the iPhone processor’s Secure Enclave, which is used to securely store the device’s private keys. The feature was first introduced with the iPhone 5S, and Google’s app says that it requires iOS 10 or later to function.
The new iPhone support appears to be limited to authenticating Google logins from the Chrome browser. When we attempted to use an iPhone to authenticate a login of the same service (we tested with Gmail) using Safari on a MacBook, we were prompted to insert our key fob (which we don’t have), meaning it created an extra step in our login process where we had to pick an alternative 2FA option.
Here’s your latest reminder that Android security is a joke
The pile of Android threats to watch out for has been mounting at a pretty rapid clip so far this year, with apps sneaking into the Google Play Store that can do everything from log in to your Google and Facebook accounts, access key features of your device, spread malware and so much more. Google, of course, kicks these apps out of its store as soon as they’re found, which we note each time this occurs — though each instance is also one more reminder of just how much of a minefield the threat landscape remains. Meanwhile, as if all that weren’t enough, the security firm Malwarebytes is calling attention to what may be one of the nastiest Android infections yet — a piece of malware that’s actually been circulating for a while now that can reinfect a device after almost every defense has been thrown at it, including a factory reset.
Back in August, this particular malware strain, called xHelper, had already been detected by Malwarebytes’ antivirus app on some 33,000 mostly US devices. That eventually put a target on the malware, by researchers who regarded it as a major Android threat on the basis of those numbers alone. xHelper is essentially a so-called trojan dropper, installing malicious APKs on a device that can, in turn, be used to install a variety of malicious apps.
What makes this one such a tough threat is that it can apparently survive factory resets, which return the device to its original state. Researchers at Symantec also noticed this back in October, writing about how they’d “observed a surge in detections for a malicious Android application that can hide itself from users, download additional malicious apps, and display advertisements. The app, called xHelper, is persistent. It is able reinstall itself after users uninstall it and is designed to stay hidden by not appearing on the system’s launcher.” The Symantec researchers went on to note that, by their tally, it had already infected more than 45,000 devices over the previous six months, and that many users were complaining about random pop-up ads and how the malware keeps showing up even after they’ve manually uninstalled it.
Per Symantec, once xHelper connects to its command and control server, other payloads like rootkits might be downloaded to the compromised device. It’s believed that malware from xHelper’s server can actually perform a variety of functions, “giving the attacker multiple options, including data theft or even complete takeover of the device.”
This all came back to light this week, when Malwarebytes published a report detailing how one device owner kept removing the malware only to see it return to her device inside of an hour. The source of this malware is still being investigated by researchers — but, in the meantime, device owners can keep their gadgets safe by making sure their software stays updated, avoiding unfamiliar and untrustworthy sites when downloading apps, frequently backing up data, installing a strong security app, and being aware of permissions requested by apps.
February 2020 security patch rolling out with a ton of Pixel 4 bug fixes
What you need to know
- As of February 3, 2020, the latest Android security patch is rolling out to Pixel phones.
- There are quite a few fixes/updates specifically for the Pixel 4 and 4 XL.
- These include a fix for devices getting stuck during boot, broken NFC functionality, and more.
January is officially in the books and February is upon us as the second month of the new year and decade. On February 3, Google began rolling out the latest security patch for its Pixel devices.
As with every security patch, this one comes with general bug and vulnerability fixes to ensure your phone is as safe as possible. On top of all of that, however, Google is also offering quite a few fixes specifically for the Pixel 4 and 4 XL.
If you own one of those two phones, here’s what you can look forward to:
- Fix for some devices stuck during boot
- Fix for stuck preview while recording video
- Fix for overexposure while recording video in certain scenarios
- Fix for broken NFC functionality with certain apps
- Fix for UI crash while using Assistant
The February 2020 patch should hit your phone over the next few days, and as always, you can manually check and see if the update is waiting for you. Just go to Settings -> System -> Advanced -> System update.
Texas detective says the data encryption of modern Android phones is superior to iPhones
The US government has been trying to pressure companies like Apple to create a backdoor in its smartphones to help law enforcement agencies access encrypted data when needed. Such a backdoor could help agencies gather crucial information about a detainee, which can then be used as evidence in a court of law. However, critics have argued that giving the government easy access to smartphone data defeats the entire purpose of encrypting it in the first place. Apple, among other companies, has refused to cooperate so far. But a recent report from Vice claims that the government has been doing a decent job of cracking smartphone encryption even without their help when it comes to most iPhones. Android smartphones, however, have been getting increasingly more difficult to crack.
The report cites statements from Detective Rex Kiser, who conducts digital forensic examinations for the Fort Worth Police Department. In his statement, Kiser said, “A year ago we couldn’t get into iPhones, but we could get into all the Androids. Now we can’t get into a lot of the Androids.” The report further reveals that Cellebrite — a company that government agencies hire to crack smartphones — already has a tool that can crack iPhone encryption all the way up to the iPhone X. The tool can successfully get investigators access to data such as GPS records, messages, call logs, contacts, or even data from specific apps like Instagram, Twitter, LinkedIn, and more, which can be used to prosecute criminals.
However, the same Cellebrite tool hasn’t seen much success with Android encryption on a variety of handsets. For instance, the tool wasn’t able to extract any social media, internet browsing, or GPS data from devices like the Google Pixel 2, which features a tamper-resistant hardware security module, and the Samsung Galaxy S9. And in the case of the Huawei P20 Pro, the software didn’t get access to anything at all. To this Kiser told Vice that, “Some of the newer operating systems are harder to get data from than others … I think a lot of these [phone] companies are just trying to make it harder for law enforcement to get data from these phones … under the guise of customer privacy.”
But the aforementioned information doesn’t mean your Android device is uncrackable. Even though Cellebrite’s tool doesn’t work on some Android devices, it doesn’t mean investigators can’t extract the data they need for an investigation. The process is just a bit more labor-intensive and takes more time. According to Vice’s sources, even brand new devices like the iPhone 11 Pro Max can be cracked, but the process isn’t as easy as hooking up the device to a cracking tool to get the job done. Nonetheless, the report still does suggest that some Android phones are more difficult to crack than iPhones, making them a safer alternative if security and privacy are major concerns.
The Future1 day ago
A new iPad Pro refresh will reportedly arrive ‘around March’ 2020
Tech News1 day ago
Nintendo announces first new Switch Lite color since launch
Tech News1 day ago
PS5 and Xbox Series X surprise reveal as key specs leak for BOTH consoles
Systems1 day ago
Galaxy Z Flip ongoing review: Battery life, weird design choice, star features so far
The Motivator1 day ago
Scientists Built a Genius Device That Generates Electricity ‘Out of Thin Air’
Tech News1 hour ago
Samsung’s Z Flip glass covering is ready for non-Samsung foldables
Tech News39 mins ago
SoundCloud Mobile Uploads Are Finally Here — Here’s What You Need to Know