android

362 Articles

This Week In Security: Twitter, Windows DNS, SAP RECON

July 17, 2020 by 8 Comments

Twitter just had their biggest security breach in years. Mike warned us about it on Wednesday, but it’s worth revisiting a few of the details. The story is still developing, but it appears that malicious actors used social engineering to access an internal Twitter dashboard. This dashboard, among other interesting things, allows directly changing the email address associated with an account. Once the address is changed to the attacker’s, it’s simple to do a password reset and gain access.

The bitcoin address used in the crypto scam ended up receiving nearly $120,000 USD worth of bitcoin, all of which has been shuffled off into different accounts. It’s an old and simple scam, but was apparently rather believable because the messages were posted by verified Twitter accounts.

Screenshot from Motherboard

A series of screenshots have been posted, claiming to be the internal Twitter dashboard used in the attack. More than a few eyebrows have been raised, as a result of that dashboard. First off, the fact that Twitter employees can directly change an account’s email address is asking for trouble. Even more interesting are the tags that can be added to an account. “Trends Blacklist” and “Search Blacklist” do call to mind the rumors of shadow-banning, but at this point it’s impossible to know the details. Motherboard is reporting that Twitter is removing that screenshot across the board when it’s posted, and even suspending accounts that post it. Of course, they’d do that if it were faked as well, so who knows? Continue reading “This Week In Security: Twitter, Windows DNS, SAP RECON”

PHONK – A Hacker’s Fun Shortcut To Android Programming

July 2, 2020 by 31 Comments

As the common myth goes, the average human utilizes only about 10% of the true potential their smartphone is capable of. Especially when it comes to electronics projects, it seems that we often overlook how we can integrate and take advantage of their functionality here. Maybe that’s not a big surprise though — while it isn’t rocket science, getting into mobile development certainly has its hurdles and requires a bit of commitment. [Victor Diaz] figured there had to be a better way, so he went on and created PHONK, the self-contained creative scripting toolbox for Android.

PHONK is installed like any other app, and allows rapid prototyping on your Android device via JavaScript by abstracting away and simplifying the heavily boilerplated, native Java parts. So instead of setting up an app from scratch with all the resources defining, UI design, activity and application lifecycle management — not to mention the Android development environment itself — PHONK takes care of all that behind the curtain and significantly reduces the amount of code required to achieve the task you’re actually interested in. In case you’re worrying now that you have to actually program on your phone, well, you can, which can definitely come in handy, but you don’t have to.

Once the app is opened, a web server is started, and connecting to it from any modern browser within the same WiFi network presents you the PHONK development environment with everything you need: editor, file browser, console, and API documentation. You can write your code in the browser, and pressing the run button will execute it straight on the device then. As everything is self-contained within the app itself, no additional software is required, and you can start right away by exploring the set of provided examples that showcase everything supported so far: sensor interaction, BLE server and client, communication protocols like MQTT or WebSockets, OpenStreetMap maps, and even integration with Pure Data and Processing. Attach a USB OTG cable and you can program your Arduino, have serial communication, or interface a IOIO board. You can even connect a MIDI controller.

This is really impressive work done by [Victor], and a lot of attention to detail went into the development. If you have an old Android phone collecting dust somewhere, this would be a great opportunity to revive it and build something with it. And as [Victor] writes on the project’s GitHub page, he’s always curious what people will come up with. If you’re thinking about building a mobile sensor lab, or want to learn more about the sensors inside your phone, have a look at the 36C3 talk about phyphox.

Macros For A Mazda

June 23, 2020 by 16 Comments

[Arik Yavilevich] recently upgraded his second-gen Mazda’s control console, going from the stock busy box to an Android head unit that does it all on a nice big touchscreen. It can also take input from the handy steering wheel buttons — these are a great option for keeping your eyes on the road and occasionally startling your unsuspecting passengers when the radio station suddenly changes.

The only problem is that [Arik]’s stock steering wheel doesn’t have any media-specific buttons on it. After a short trip to the junkyard, [Arik] had a fancier wheel to go along with the new head unit.

[Arik] doesn’t use cruise control, and those particular buttons can’t be hooked up with reprogramming the car’s computer, so he made them into macro buttons that control the head unit over Bluetooth, using an STM32 black pill board stashed in the glove box.

[Arik] found out that the cruise control buttons don’t ride the CAN bus — they use a resistor ladder/voltage divider and go directly into the ECU. After that it was mostly a matter of finding the right wires and then cutting and re-routing them to make the buttons work on the ACC setting as well as ON. A brief demo video is idling after the break.

Have an old smart phone lying around? Of course you do. Why not make your own head unit?

Continue reading “Macros For A Mazda”

Samsung’s Leap Month Bug Teaches Not To Skimp On Testing

June 15, 2020 by 23 Comments

Date and time handling is hard, that’s an ugly truth about software development we’ll all learn the hard way one day. Sure, it might seem like some trivial everyday thing that you can easily implement yourself without relying on a third-party library. I mean, it’s basically just adding seconds on top of one another, roll them over to minutes, and from there keep rolling to hours, days, months, up until you hit the years. Throw in the occasional extra day every fourth February, and you’re good to go, right?

Well, obviously not. Assuming you thought about leap years in the first place — which sadly isn’t a given — there are a few exceptions that for instance cause the years 1900 and 2100 to be regular years, while the year 2000 was still a leap year. And then there’s leap seconds, which occur irregularly. But there are still more gotchas lying in wait. Case in point: back in May, a faulty lunar leap month handling in the Chinese calendar turned Samsung phones all over China into bricks. And while you may not plan to ever add support for non-Gregorian calendars to your own project, it’s just one more example of unanticipated peculiarities gone wild. Except, Samsung did everything right here.

So what happened?

Continue reading “Samsung’s Leap Month Bug Teaches Not To Skimp On Testing”

Palm’s Mini-Mobile Phone Becomes Bike Phone

June 4, 2020 by 16 Comments

The mini-mobile phone [Jim Yang] got his hands on deserves a bit of background. Palm had the concept of a companion mobile phone, and this manifested itself in late 2018 as a cute palm-sized smartphone that one could carry around when one didn’t wish to haul along their “real” phone. This smaller and simpler phone was originally intended to share the same mobile number as one’s primary phone (though it has since been made able to work as a standalone device.)

[Jim]’s device, in use as a bike-mounted smartphone.
[Jim] got his hands on a refurbished Palm PVG100, rooted it, and shared some pictures of the internal components. The phone was not carrier-locked, but getting it up and running was still a bit more complex than plugging in a SIM card. For example, voice calls worked fine but to gain access to mobile data on the Three UK mobile network required updating the Access Point Name (APN) settings. [Jim] also rooted the Android-based phone and describes how he removed Verizon bloatware.

Palm’s companion phone idea hasn’t really caught on in a commercial sense, but in a way, [Jim] is validating the concept. After getting it up and running, he attached it to his bike with a custom mount to enjoy the benefits of having a mobile phone along without actually risking his primary device.

In case you’re wondering, this Palm is indeed the same Palm that launched the PalmPilot in 1996, whose distinctive folding keyboard accessory has shown up in past hacks.

Writing Android Apps In C, No Java Required

May 13, 2020 by 32 Comments

Older Android devices can be had for a song, and in many cases are still packing considerable computational power. With built in networking, a battery, and a big touch screen, they could easily take the place of a Raspberry Pi and external display in many applications. As it so happens, Google has made it very easy to develop your own Android software. There’s only one problem: you’ve got to do it in Java.

Looking to get away from all that bloat and overhead, [CNLohr] set out to see what it would take to get 100% C code running on an Android device. After collecting information and resources from the deepest and darkest corners of the Internet, he found out that the process actually wasn’t that bad. He’s crafted a makefile which can be used to get your own C program up and running in seconds.

We mean that literally. As demonstrated in the video after the break, [CNLohr] is able to compile, upload, and run a C Android program in less than two seconds with a single command. This rapid development cycle allows you to spend more time on actually getting work done, as you can iterate through versions of your code almost as quickly as if you were running them on your local machine.

[CNLohr] says you’ll still need to have Google’s Android Studio installed, so it’s not as if this is some clean room implementation. But once it’s installed, you can just call everything from his makefile and never have to interact with it directly. Even if you don’t have any problem with the official Android development tools, there’s certainly something to be said for being able to write a “Hello World” that doesn’t clock in at multiple-megabytes.

Continue reading “Writing Android Apps In C, No Java Required”

A Microcontroller Display With A Classic Twist

May 8, 2020 by 18 Comments

In a fit of lock-down-induced boredom, [Peter Z] has turned his smartphone into an LCD screen (simulation) via an Android app (German language, Google Translate link), so that a mobile device can be plugged into your favourite microcontroller and the classic HD44780 LCD look can be replicated on its screen.

It doesn’t speak standard HD44780, but rather a custom UART serial protocol, so if you’re looking for something to replace a busted LCD, this isn’t your bag. But if you are looking for a large UART terminal for debugging, with a nice aesthetic, you win.

We’d guess that a serial-to-Bluetooth converter could also be made to function, with a bit of work. The protocol is trivial too, meaning that almost any microcontroller could make use of it. All the code as well as the APK is available from the forum linked above, and there is a YouTube video of it in operation below.

The number one complaint in the comments is going to be that this doesn’t emulate a HD44780, so if that’s really what you want, read this deep-dive into the HD44780 and get hacking.

Continue reading “A Microcontroller Display With A Classic Twist”