This Week In Security: Android Bluetooth RCE, Windows VMs, And HTTPS Everywhere

Android has released it’s monthly round of security updates, and there is one patched bug in particular that’s very serious: CVE-2021-0316. Few further details are available, but a bit of sleuthing finds the code change that fixes this bug.

Fix potential OOB write in libbluetooth
Check event id if of register notification command from remote to avoid OOB write.

It’s another Bluetooth issue, quite reminiscent of BleedingTooth on Linux. In fact, in researching this bug, I realized that Google never released their promised deep-dive into Bleedingtooth. Why? This would usually mean that not all the fixes have been rolled out, or that a significant number of installations are unpatched. Either way, the details are withheld until the ramifications of releasing them are minimal. This similar Bluetooth bug in Android *might* be why the BleedingTooth details haven’t yet been released. Regardless, there are some serious vulnerabilities patched this in this Android update, so make sure to watch for the eventual rollout for your device. Continue reading “This Week In Security: Android Bluetooth RCE, Windows VMs, And HTTPS Everywhere”

Let’s Encrypt Will Stop Working For Older Android Devices

Let’s Encrypt was founded in 2012, going public in 2014, with the aim to improve security on the web. The goal was to be achieved by providing free, automated access to SSL and TLS certificates that would allow websites to make the switch over to HTTPS without having to spend any money.

Hundreds of millions of sites rely on Let’s Encrypt for their HTTPS certificate needs. HTTPS security helps protect sites and users, and makes it harder for malicious actors to steal private information.

The project has just announced that, come September 1, 2021, some older software will stop trusting their certificates. Let’s look at why this has come to pass, and what it means going forward.

Certificates Expire

When Let’s Encrypt first went public in early 2016, they issued their own root certificate, by the name ISRG Root X1. However, it takes time for companies to include updated root certificates in their software, so until recently, all Let’s Encrypt certificates were cross-signed by an IdenTrust certificate, DST Root X3. This certificate had been around much longer, and was already supported by the vast majority of OSes and browsers in regular use. This allowed Let’s Encrypt to hit the ground running while they waited for the majority of software to support their own root certificate. Continue reading “Let’s Encrypt Will Stop Working For Older Android Devices”

Linux Fu: The Linux Android Convergence

The Android phone that you carry in your pocket is basically a small computer running Linux. So why is it so hard to get to a usable Linux environment on your phone? If you could run Linux, you could turn your cell phone into an ultra-portable laptop replacement.

Of course, the obvious approach is just to root the phone and clean-slate install a Linux distribution on it. That’s pretty extreme and, honestly, you would probably lose a lot of phone function unless you go with a Linux-specific phone like the PinePhone. However, using an installer called AnLinux, along with a terminal program and a VNC client, you can get a workable setup without nuking your phone’s OS, or even having root access. Let’s see what we can do. Continue reading “Linux Fu: The Linux Android Convergence”

Should You Build For Windows, Mac, IOS, Android, Or Linux? Yes!

The holy grail of computer languages is to write code once and have it deploy effortlessly everywhere. Java likes to take credit for the idea, but UCSD P-Code was way before that and you could argue that mainframes had I/O abstraction like Fortran unit numbers even earlier. More modern efforts include Qt, GTK, and other things. Naturally, all of these fall short in some way. Now Google enters the fray with Flutter.

Flutter isn’t new, but in the past, it only handled Android and iOS. Now it can target desktop platforms and can even produce JavaScript. We haven’t played with the system enough to say how successful it is, but you can try it in your browser if you want some first-hand experience.

Continue reading “Should You Build For Windows, Mac, IOS, Android, Or Linux? Yes!”

Google Turns Android Up To 11 With Latest Update

Just going by the numbers, it’s a pretty safe bet that most Hackaday readers own an Android device. Even if Google’s mobile operating system isn’t running on your primary smartphone, there’s a good chance it’s on your tablet, e-reader, smart TV, car radio, or maybe even your fridge. Android is everywhere, and while the development of this Linux-based OS has been rocky at times, the general consensus is that it seems to have been moving in the right direction over the last few years. Assuming your devices actually get the latest and greatest update, anyway.

So it’s not much of a surprise that Android 11, which was officially released yesterday, isn’t a huge update. There’s no fundamental changes in the core OS, because frankly, there’s really not a whole lot that really needs changing. Android has become mature enough that from here on out we’re likely to just see bug fixes and little quality of life improvements. Eventually Google will upset the apple cart (no pun intended) with a completely new mobile OS, but we’re not there yet.

Of course, that’s not to say there aren’t some interesting changes in Android 11. Or more specifically, changes that may actually be of interest to the average Hackaday reader. Let’s take a look at a handful of changes and tweaks worth noting for the more technical crowd.

Continue reading “Google Turns Android Up To 11 With Latest Update”

Hackaday Podcast 075: 3D Printing Japanese Joinery, Android PHONK, One-Armed Time Bandit, And Whistling Bridges

Hackaday editors Mike Szczys and Elliot Williams scoop up a basket of great hacks from the past week. Be amazed by the use of traditional Japanese joinery in a 3D-printed design — you’re going to want to print one of these Shoji lamps. We behold the beautiful sound of a noise generator, and the freaky sound from the Golden Gate. There’s a hack for Android app development using Javascript on an IDE hosted from the phone as a webpage on your LAN. And you’ll like the KiCAD trick that makes enclosure design for existing boards a lot easier.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Continue reading “Hackaday Podcast 075: 3D Printing Japanese Joinery, Android PHONK, One-Armed Time Bandit, And Whistling Bridges”

PHONK – A Hacker’s Fun Shortcut To Android Programming

As the common myth goes, the average human utilizes only about 10% of the true potential their smartphone is capable of. Especially when it comes to electronics projects, it seems that we often overlook how we can integrate and take advantage of their functionality here. Maybe that’s not a big surprise though — while it isn’t rocket science, getting into mobile development certainly has its hurdles and requires a bit of commitment. [Victor Diaz] figured there had to be a better way, so he went on and created PHONK, the self-contained creative scripting toolbox for Android.

PHONK is installed like any other app, and allows rapid prototyping on your Android device via JavaScript by abstracting away and simplifying the heavily boilerplated, native Java parts. So instead of setting up an app from scratch with all the resources defining, UI design, activity and application lifecycle management — not to mention the Android development environment itself — PHONK takes care of all that behind the curtain and significantly reduces the amount of code required to achieve the task you’re actually interested in. In case you’re worrying now that you have to actually program on your phone, well, you can, which can definitely come in handy, but you don’t have to.

Once the app is opened, a web server is started, and connecting to it from any modern browser within the same WiFi network presents you the PHONK development environment with everything you need: editor, file browser, console, and API documentation. You can write your code in the browser, and pressing the run button will execute it straight on the device then. As everything is self-contained within the app itself, no additional software is required, and you can start right away by exploring the set of provided examples that showcase everything supported so far: sensor interaction, BLE server and client, communication protocols like MQTT or WebSockets, OpenStreetMap maps, and even integration with Pure Data and Processing. Attach a USB OTG cable and you can program your Arduino, have serial communication, or interface a IOIO board. You can even connect a MIDI controller.

This is really impressive work done by [Victor], and a lot of attention to detail went into the development. If you have an old Android phone collecting dust somewhere, this would be a great opportunity to revive it and build something with it. And as [Victor] writes on the project’s GitHub page, he’s always curious what people will come up with. If you’re thinking about building a mobile sensor lab, or want to learn more about the sensors inside your phone, have a look at the 36C3 talk about phyphox.