Category Archives: Cell Phone (iPhone, Android, windows mobile)

Special Edition – HIDDEN COBRA – Malicious Cyber Activity

Special Edition: Information security focus

US Homeland security (DHS) urge the world to staying alert with HIDDEN COBRA Malicious Cyber Activity. It looks that the cyber attack wreak havoc to the world. And therefore DHS suggest to add below Yara rule into your IDS or malware detector (For instance RSA ECAT).

The following YARA rule may be used to detect the proxy tools:

rule NK_SSL_PROXY{
meta:
Author = "US-CERT Code Analysis Team"
Date = "2018/01/09"
MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
Info= "Detects NK SSL PROXY"
strings:
$s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E}
$s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E}
$s2 = {4775401F713435747975366867766869375E2524736466}
$s3 = {67686667686A75797566676467667472}
$s4 = {6D2A5E265E676866676534776572}
$s5 = {3171617A5853444332337765}
$s6 = "ghfghjuyufgdgftr"
$s7 = "q45tyu6hgvhi7^%$sdf"
$s8 = "m*^&^ghfge4wer"
condition:
($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8)
}

There are total 2 items of malware would like to draw your considerations.

  • Trojan: HARDRAIN (Backdoor – Remote Access Tool)
  • Trojan: BADCALL (data thief and surveillance)

In order to avoid unforeseen data breach happens to enterprise firm and personal data privacy protection. We better to consider the suggestion by DHS.

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to run unwanted software applications
  • Enforce a strong password policy and
  • implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date.
  • Enable a personal firewall on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g.,
  • USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.

Threat actor transform Vehicle GSM GPRS GPS Tracker Car Vehicle Tracking Locator technology

Since the mobile phone usage volume bigger than personal computer today. Perhaps digital e-wallet function and BYOD concept let people keep their confidential data on mobile phone. And therefore it lure the hacker focusing the mobile phone device especially Android. This round hacker relies on GRPS TCP/UDP connection (see below diagram for reference) create Trojan (BADCALL) to listen for incoming connections to a compromised Android device, on port 60000. Meanwhile it awaken the security concern on GPRS gateway.

Since this is a special edition of article so we summarize the technical details as below:

Trojan: HARDRAIN

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

3dae0dc356c2b217a452b477c4b1db06 (3DAE0DC356C2B217A452B477C4B1DB06)

746cfecfd348b0751ce36c8f504d2c76 (746CFECFD348B0751CE36C8F504D2C76)

  • Executable Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

9ce9a0b3876aacbf0e8023c97fd0a21d (9CE9A0B3876AACBF0E8023C97FD0A21D)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Trojan: BADCALL (data thief and surveillance)

  • 32-bit Windows executables that function as Proxy servers and implement a “Fake TLS” infiltration function. The hash shown as below:

c01dc42f65acaf1c917c0cc29ba63adc (C01DC42F65ACAF1C917C0CC29BA63ADC)

c6f78ad187c365d117cacbee140f6230 (C6F78AD187C365D117CACBEE140F6230)

  • run on Android platforms as a fully functioning Remote Access Tool (RAT). The hash shown as below:

d93b6a5c04d392fc8ed30375be17beb4 (D93B6A5C04D392FC8ED30375BE17BEB4)

DHS report for reference:

https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

End discussion, thak you for your attention.

Happy valentines day.

Renaissance – Cyber attack transformation

Preface:

Renaissance – The period of this revival, roughly the 14th through the 16th century, marking the transition from medieval to modern times.

Background:

The virus and malware wreak havoc in information technology environment in past decade especially on Microsoft windows operating system platform. It looks that a transformation was happened since smartphone leading the IT technology trend today. The percentage of usage for smartphones are bigger than traditional computer devices (desktop, notebook and server).

Transformation of cyber attack scenario

The major of cyber attacks in information technology environment are given by tradition virus since early 90’s. A quick and simplified explanation below diagram is able to awaken your memories in this regard.

The Evolution diagram of virus, worm, malware and ransomware

Remark: Perhaps we shown the generations of the virus and malware past three decades. The diagram looks simple. However it represents the virus and malware in the specific period of time.

The attack surface targets to Microsoft products till SmartPhone appears.

We all known the design goal of virus and malware targeted Microsoft products fundamentally. We feel that Linux base operating system will be provided a secure environment. But the question is that which element change the atmosphere in silent way?

We understand that the infection of malware divided into four phase (see below diagram). Since the malicious file (so called dropper – file) relies on the PE (portable executable) to execute the infiltation. The way is that the malicious code will try to infiltrate for executables, object code, DLLs, FON Font files, and others used in 32-bit and 64-bit versions of Windows operating systems.

However the specifics mechanism does not work in Linux environment till ELF malware invented.

Stages of a Malware Infection and technology evolution overview

Where it began? Code Injection to Linux world.

Linux Operating system looks like a well protected castle but a beast live inside. Whether are you familiar with ptrace() command on Linux? With reference to tutorial (execute man command in Linux). The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

Docker, an open-source technology. Meanwhile Docker is the company driving the container movement and the only container platform provider to address every application across the hybrid cloud. Microsoft cloud product family also embraced Docker. Below informatics diagram can bring an idea to you on how the docker works.

No matter Fedora workstation or Cloud computing platform (Docker). The command (ptrace()) can do the magic. Even though attach to system process!

Reference: you can disable this behavior by the following:

If you are using Fedora (see below for reference)

echo 0 > /proc/sys/kernel/yama/ptrace_scope

or modify (with root privileges)

/etc/sysctl.d/10-ptrace.conf

If you are using Docker, you will probably need below options:

docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined

Above detail information intends to proof of comment which described earlier. Linux Operating system looks like a well protected castle but a beast live inside. Why? If there is a zero day vulnerability occurred in Linux. A ELF format of file embedded malicious code relies on zero day vulnerability execute the attack. That is to awake the beast with privileges escalation. This assumption not rare. Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel found last year. Such incident not only harm to workstation. It also includes cloud infrastructure. From technical point of view, it do not have difference in between Microsoft Product and Linux product.

ELF malware space

Above example highlight the ELF format file. ELF is flexible, extensible, and cross-platform, not bound to any given central processing unit (CPU) or instruction set architecture. This has allowed it to be adopted by many different operating systems on many different hardware platforms. Since smartphone especially Android phone fully utilize Linux OS platform. Perhaps the vendor announcement told this is not a standard Linux OS. But the truth is that they are using Linux base kernel.

According to the IDC Quarterly Mobile Phone Tracker, phone companies shipped a total of 344.3 million smartphones worldwide in the first quarter of 2017 (1Q17). And such away the cyber attack includes BYOD botnet or IoT botnet wreak havoc.

In order to cope with IT technology and smartphone trend. The attackers will build ELF malware using a customized builder. And therefore the malware of target to Linux system includes smartphone rapidly growth. For instance, Gyrfalcon implant, which targets OpenSSH clients on a wider variety of Linux platforms. Should you have interest, please refer below url for reference.

https://wikileaks.org/vault7/#OutlawCountry

Summary:

Information security expert found Stagefright exploit puts millions of Android devices at risk on early 2016. The attack is effective against devices running Android versions 2.2 through 4.0 and 5.0 and 5.1. Another way round of malware attack to android devices is copyCat. CopyCat Malware Infected 14M Android Devices, Rooted 8M, in 2016. Since this is a history but the malware attacks to Linux world are on the way!

SS7 flaw make two factor authentication insecure – Reveal the veil

Preface:

Two factor authentications claimed itself that it is a prefect security solution. No matter online banking transaction, Bitcoin wallet, e-trading business system and application system which concern the data privacy are willing to apply two factors authentication.

The overall comments for two factor authentication on the market

Let’s take a review in below cyber security incident records

  1. Cyber Criminals stolen Bitcoin in electronic Wallets by counterfeit two factor authentication SMS messages.A investment trader so called night owl. He was notified the passwords had been reset on two of his email addresses on 11th Aug 2016. He losses among the largest in his bitcoin investment. The venture capitalists (Bo Shen) he had value of US$300,000 electronic money (Augur REP tokens) stolen by hacker, plus an undisclosed amount of bitcoin and other cryptocurrencies lost. Coinbase (US base world biggest bitcoin exchange) observed that a double growth of cyber heist among it customers during November to December 2016.
  2. Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January 2017. Meanwhile the attackers use SS7 vulnerability to intercept and redirect mTANs ( mobile transaction authentication numbers) sent by banks in Germany to authorize transfers payment out of victim accounts.

The clarification of two factor authentication criteria

Two factor authentication (2FA) definition is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a pin, (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe, and in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity with two or more of these unique ways, 2FA is effectively extending security beyond the password. The final step of the authentication process is send one-time authorization code to a device via an SMS, which you then enter to prove your identity.

My doubt on above matter?

What if my situation in regards to key terms “something you are” function replace by a hardware token. In this scenario, my hardware authentication token will be synchronized in the 1st round of registration to RSA ACE server. Thereafter the dependence of the hardware token depends on a element (timing). This setup compliance to 2FA definition. In the sense that it did not involve SMS message. So the 2FA still trustworthy, right?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

SS7 design fundamental is going to trust any request.  We known that JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. And therefore counterfeit SMS message will more easier (see below information supplement 1 at the bottom of this page for reference). Carriers often “ask” one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time. Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. It looks that such remediation step not effective to avoid insider threats.

Nokia safeguard network operation effectiveness

The fundamental of SS7 signal system is operate in a private network, meaning that cyber criminals have to hack it to gain entry—or find a telecom insider willing to offer illicit access.However there is another vulnerability on ASN.1. That is ASN.1 Compiler flaw leads to Network vulnerability. As such , hacker explore the back door on SS7 not only targeting to their internal staff. It might have possibility allow attackers to remotely execute unknown and unauthorized code inside the firmware of devices that use the compiled ASN1C code from within C and C++. Meanwhile java language fully compatible with SS7 protocol stack and platform. Oops! Do you think a design weakness will be happen in this place?

Hacker might reading shared memory data using Java . Program source that is written by C++.

Hacker can create a method in Java to read or write on shared memory. Hacker might have way relies on Java SS7 benefits hook to sharing memory process. As a result, it compromise the machine. It can send SMS to anyone or anywhere includes communicate with other Telco vendor. It is the most concern and dangerous way.

Conclusion:

From technical point of view, 2FA (Two factor authentication) still a secure method for authentication. It looks that the flaw given by SS7 signaling system instead of 2FA itself. Since 2FA not limit to SS7 to conduct authentication. You are allow to use other alternative. Guys do not worry too much.

Information supplement 1: Open Source Java SS7 stack that allows Java apps to communicate with legacy SS7 communications equipment. JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. Below javascript sample is the pass along message implementation programming syntax for reference.

package org.mobicents.protocols.ss7.isup.impl.message;

import java.io.ByteArrayOutputStream;

import org.mobicents.protocols.ss7.isup.ISUPMessageFactory;
import org.mobicents.protocols.ss7.isup.ISUPParameterFactory;
import org.mobicents.protocols.ss7.isup.ParameterException;
import org.mobicents.protocols.ss7.isup.impl.message.parameter.MessageTypeImpl;
import org.mobicents.protocols.ss7.isup.message.ISUPMessage;
import org.mobicents.protocols.ss7.isup.message.PassAlongMessage;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageName;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageType;

/**
 * Start time:xx<br>
 * Project: xx<br>
 *
 * @author <a href="mailto:xx@xx.com">xx </a>
 */

public class PassAlongMessageImpl extends ISUPMessageImpl implements PassAlongMessage {
 public static final MessageType _MESSAGE_TYPE = new MessageTypeImpl(MessageName.PassAlong);

static final int _INDEX_F_MessageType = 0;
 private ISUPMessage embedded;
 /**
 *
 * @param source
 * @throws ParameterException
 */
 public PassAlongMessageImpl() {
 super.f_Parameters.put(_INDEX_F_MessageType, this.getMessageType());
 }



public MessageType getMessageType() {
 return _MESSAGE_TYPE;
 }

@Override
 public void setEmbeddedMessage(ISUPMessage msg) {
 this.embedded = msg;
 }

@Override
 public ISUPMessage getEmbeddedMessage() {
 return embedded;
 }

public boolean hasAllMandatoryParameters() {
 return this.embedded == null ? false: this.embedded.hasAllMandatoryParameters();
 }

@Override
 public int encode(ByteArrayOutputStream bos) throws ParameterException {
 if(this.embedded!=null){
 throw new ParameterException("No embedded message");
 }

//encode CIC and message type
 this.encodeMandatoryParameters(f_Parameters, bos);
 final byte[] embeddedBody = ((AbstractISUPMessage)this.embedded).encode();
 // 2 - for CIC
 bos.write(embeddedBody, 2, embeddedBody.length - 2);
 return bos.size();
 }

@Override
 public int decode(byte[] b, ISUPMessageFactory messageFactory,ISUPParameterFactory parameterFactory) throws ParameterException {
 int index = 0;
 //decode CIC and PAM message type.
 index += this.decodeMandatoryParameters(parameterFactory, b, index);
 byte targetMessageType = b[index];
 this.embedded = messageFactory.createCommand(targetMessageType, this.getCircuitIdentificationCode().getCIC());
 //create fake msg body
 byte[] fakeBody = new byte[b.length-1];
 System.arraycopy(b, 1, fakeBody, 0, fakeBody.length);
 index+=((AbstractISUPMessage)this.embedded).decode(fakeBody, messageFactory, parameterFactory)-2;
 return index;
 }



// Not used, PAM contains body of another message. Since it overrides decode, those methods are not called.
 protected void decodeMandatoryVariableBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, int parameterIndex)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected void decodeOptionalBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, byte parameterCode)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected int getNumberOfMandatoryVariableLengthParameters() {
 // TODO Auto-generated method stub
 return 0;
 }

protected boolean optionalPartIsPossible() {

throw new UnsupportedOperationException();
 }

}

Information supplement 2: How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design! For more detail, please refer below:  

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

 

The enemy of ASLR (Address space layout randomization) – memory leak

Preface

Address space layout randomization (ASLR) is a computer security technique which popular in cyber world today. Since it reduce the ratio of incident hit rate of malware infection. Do you agree that there is not required to worries about malware infection once ASLR implemented?

Start discussion

We discuss ASLR topics in our earlier discussion (see below).  Our discussion last time focus on virtual machine (VM) especially VMware.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

We move our focus on mobile phone this time especially Android system. As far as we know, chip-set vendors (Qualcomm and Intel) going to reduce the attack surface with division of duty of design.

Highlight of division of duty of design on mobile chip set

Baseband processor: Manages all the radio functions except Wi-Fi and Bluetooth radios. A baseband processor typically uses its own RAM and firmware.

WiFi chip-sets:  responsible for handling the PHY, MAC and MLME on its own, and hands the kernel driver data packets that are ready to be sent up.

Reference point:  We noticed that research found that hacker can implant malicious code relies on WiFi chip-set design weakness to compromised Baseband processor. Since WiFi chip-set did not protect by ASLR technique. But this time we are not going to focus on chipset design weakness from mobile phone topic. As such we move on to the following items of discussion.

ASLR implementation status on Android

Early Android versions only had stack randomization due to lack of kernel support for ASLR on ARM. The address space layout randomization (ASLR) has been adopted in their design since 2015. Android version  4.1 introduced support for full ASLR by enabling heap randomization and  position Independent Executables (PIE). But we frequently heard that Android OS encountered malware infection. But what is the root causes?

  1. Non traditional spawning model

On Android system (from my personal view point it is a tailor made Linux), but the memory management design have different. A process so called Zygote.
However the zygote process have design limitation. It might have possibilities let malware to do the infiltration (see below detail for reference).

 

Mobile apps like your wife or girlfriend. They are tracing you!

2. Memory leak

Android system needs to manage memory allocation resources. A programmatically initiate that Garbage initiation when memory runs short. Garbage collection base on the following criteria.

a. Verify all object references in memory , non reachable object will go to Garbage collection. Everything else are wiped out from memory to free up resources

b. Everything serving the user should be kept in memory

Garbage collection design weakness Highlight

a. The drawback is that when code are written in negligence form result that unused objects are referenced somehow from reachable objects, garbage collection would mark unused objects as useful object. As a result it would not be able to remove. This is called a memory leak. From technical point of view, memory leak will be few kilo bytes to mega bytes. However mobile phone application relies on  java engine and Java script. Java dynamic language use garbage collect to management memory. To enhance CPU performance, a caching technology will be in use. A design weakness was found is that component shares some of its cache with untrusted applications. Hacker could send malicious JavaScript that specifically targeted this shared memory space.  A known bug (see below CVE details) confirm that JavaScript Attack Breaks ASLR on CPU Micro-Architectures  (vulnerable CPU displayed as below:)

CVE – vulnerabilities on CPU

CVE-2017-5925 is assigned to track the developments for Intel processors
CVE-2017-5926 is assigned to track the developments for AMD processors
CVE-2017-5927 is assigned to track the developments for ARM processors
CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers

Vulnerable CPU (mobile phone devices)

Allwinner A64 ARM – Cortex A53 (2016)
Intel Xeon E3-1240 v5 – Skylake (2015)
Intel Core i7-6700K – Skylake (2015)
Intel Celeron N2840 – Silvermont (2014)
Samsung Exynos 5800 – ARM Cortex A15 (2014)
Samsung Exynos 5800 – ARM Cortex A7 (2014)
Nvidia Tegra K1 CD580M-A1 – ARM Cortex A15 (2014)
Nvidia Tegra K1 CD570M-A1 – ARM Cortex A15; LPAE (2014)

b. The side-channel attack capable to bypass ASLR algorithm and assists malware implant to the system. The modern CPU require work with internal or external cache. Therefore this is the other alternative way may potentially bypass ASLR memory protection.

i. Evict + time

The attacker measures the time it takes to execute a piece of victim code. Then attacker flushes part of the cache, executes and times the victim code again. The difference in timing tells something about whether the victim uses that part of the cache.

ii. Prime + probe

The attacker now accesses memory to fill part of the cache with his own memory and waits for the victim code to execute. (Prime) Then the attacker measures the time it takes to access the memory that he would carefully placed in cache before. If it’s slow it is because the victim needed the cache and this gives us knowledge about what victim did. (Probe)

iii. Flush + reload

The flush and reload attack utilizes that processes often share memory. By flushing a shared address, then wait for the victim and finally measuring the time it takes to access the address an attacker can tell if the victim placed the address in question in the cache by accessing it.

Summary:

It looks that new technologies claimed that it avoid malware infection. For instance 64-bit OS and ASLR. As a matter of fact, these technology are valid and required. However we can’t say we are now secure! Refer to above discussion. Any mis-use operation or negligence form of programming technique, hacker might find vulnerability to compromise your mobile system even though ASLR is running on your mobile.

Tips to detect Android memory leak

LeakCanary is an Open Source Java library to detect memory leaks in your debug builds.

You create a RefWatcher instance and give it an object to watch:

// We expect java-id-session to be gone soon (or not), let's watch it.
refWatcher.watch(java-id-session);

When the leak is detected, you automatically get a nice leak trace:

* GC ROOT static ..............
* references .............
* leaks ....... instance

Have  a nice weekend!

 

 

 

 

 

 

Price of your privacy – mobile phone

Preface:

Google Pinyin,QQ,TouchPal,Sogou IME apps has high volume download volume in Google Play store. However user may also be vulnerable to component-hijacking attacks. Do you think whether there are more apps monitor your mobile phone silently!

Start discussion:

We heard technical terms so called predictive search and auto-correction. Google browser (Chrome) keyboard input feature apply similar technologies.

What is predictive search?

Google’s search feature uses a predictive search algorithm based on popular searches to predict a user’s search query. It requires interconnect with Google system.

What is auto-correction?

Auto correction is a feature in which an application predicts the rest of a word a user is typing. It requires interconnect with Google system.

Reality – existing situation in the market 2017

It looks that above criteria make sense, user are allow to disable this function. If mobile owner forgot to enforce the access permission setting. Seems their personal information will be forward to google during web site visiting. Their goal is going to do the web behavior analytic. As far as I know, the applications like google app, Google Zhuyin input, Google  Pinyin input  are maintain the following spy able permissions.

Google App – Reads Browser Bookmarks, Knows location by Cell-ID and WiFi, Knows location by GPS signal, Runs on device startup, Reads all SMS messages and records audio on voice calls

Google Zhuyin Input – Records Audio on Voice Calls, Runs on device startup

Google Pinyin Input – Records Audio on Voice Calls, Runs on device startup

MiTalk (China users) – knows location by GPS signal, Received all SMS messages, Records Audio on Voice calls, Knows location by Cell-ID and WiFi, Handles Outgoing calls and Runs on device startup

Attention –  critical loophole

In 2015, a group of researcher in Chinese university of Hong Kong (Wenrui Diao, Xiangyu Liu, Zhe Zhou, Kehuan Zhang, Zhou Li) found a vulnerability on Pinyin input. A vulnerability so called cross-app KeyEvent injection (CAKI) attack will be encountered on Google Pinyin input method. The flaw is that it allow 3rd party to harvest entries from the personalized user dictionary of IME through an ostensibly innocuous app only asking for common permissions.

Android CAKI vulnerability

Speculation:

We keep track of android vulnerabilities so far. I note with concerns of CVE-2016-9651.  This vulnerability is allow to collect the Invisible Private Property on your android phone. Details is shown as below:

Get all properties of an special object by d8 shell command

d8> var specialObject = new Error("test");
d8> var ownNames = Object.getOwnPropertyNames(specialObject);
d8> var ownSymbols = Object.getOwnPropertySymbols(specialObject);
d8> var ownKeys = ownNames.concat(ownSymbols)
d8> ownKeys
["stack", "message"] ---------> all public properties got by normal JavaScript
d8> %DebugPrint(specialObject)
DebugPrint: 0x3058e8cd: [JS_ERROR_TYPE]
- map = 0x53d0945d [FastProperties]
- prototype = 0x2560b9e1
- elements = 0x45384125 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
- properties = { ---------> all properties got by DebugPrint
#stack: 0x453d012d <AccessorInfo> (accessor constant)
#message: 0x453bb18d <String[4]: test> (data field at offset 0)
0x453859f1 <Symbol: stack_trace_symbol>: 0x3058e9c1 <JS Array[6]> (data field at offset 1) ---------> private property
}

If above flaw co-exists with this vulnerability. Sounds like a prefect surveillance backdoor allow 3rd to collect the information of your android phone. As a matter of fact, the surveillance program or cyber espionage keep track of our mobile activities daily. If such action is collected by your government for crime prevention purpose or big data foundation framework. From certain point of view, we have no doubt to say no. However, who can say how much is the value your personal privacy on your mobile phone?

Reference:

Mobile phone applications – access permission component

Application must have an AndroidManifest.xml file in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app’s code. Manifest file capable declares the permissions (see below) that the application must have in order to access protected parts of the API and interact with other applications. It also declared the permissions that others are required to have in order to interact with the application components.

Sample – Manifest file capable declares the permissions

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.photoeffect"
android:versionCode="1"
android:versionName="1.0" >

<uses-sdk
    android:minSdkVersion="8"
    android:targetSdkVersion="18" />

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="com.example.towntour.permission.MAPS_RECEIVE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />

Mobile apps like your wife or girlfriend. They are tracing you!

 

 

 

 

 

Mobile apps like your wife or girlfriend. They are tracing you!

 

Preface

Power is always dangerous…..Android rule the world

 

About mobile phone security

Independently conducted by antihackingonline

The attack hit rate on personal mobile devices rate high. Mobile phone user enjoy to play the game apps. In order to fulfill the application requirement, their web browser require enable the plugins like Flash and Java in order to display some interactive content.

Culprit – Android OS (Zygote)

Zygote is a software component of the Android operating system uses to start apps.  The mechanism of the Zygote process will create a process (System call fork() is used to create processes), and the child process continues where it left off, loading the app itself into the VM.

ActivityThread,main() – see below

public static void main(String[] args) {
    ...
    Environment.initForCurrentUser();
    ...
    Process.setArgV0("<pre-initialized>");
    //Create the main thread looper
    Looper.prepareMainLooper();

    ActivityThread thread = new ActivityThread();
    //attach To the system process
    thread.attach(false);

    if (sMainThreadHandler == null) {
        sMainThreadHandler = thread.getHandler();
    }

    //The main thread enters the loop state
    Looper.loop();

    throw new RuntimeException("Main thread loop unexpectedly exited");
}

Zygote require root permissions on Android OS but it is an inherit right. And therefore Process ID is 1.

Remark: ID 1: init process, invoked by the kernel at the end of the bootstrap procedure.

Android zygote security weaknesses caused by performance design

An evaluation program found that the Address Space Layout Randomization (ASLR) not effectively implement in Android OS. As a result , it leaving software components vulnerable to attacks that bypass the protection. Zygote process creation model causes two types of  memory  layout  sharing  on  Android,  which  undermine  the effectiveness of ASLR. Firstly, the code of an application is always loaded at the exact same memory location across different runs even when  ASLR  is  present;  and  secondly,  all  running apps  inherit  the  commonly  used  libraries  from  the  Zygote process (including the libc library). For more details about the weakness of ASLR on VM. Please refer to below URL for reference.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

 

Remark: Android 7.0 or above, library load order randomization and ASLR improved. The major improvement goal increase randomness feature. As a result it makes some code-reuse attacks decrease successful rate.

Inline hooking – Inline hooking is a method of intercepting calls to target functions. For instance, prepares hooks for the following system properties.

  • java.lang.System.getProperty()
  • android.app.Instrumentation.newApplication()
  • com.android.internal.telephony.SMSDispatcher.dispatchPdus()
  • android.app.ActivityManager.getRunningServices()
  • android.app.ActivityManager.getRunningAppProcesses()
  • android.app.ApplicationPackageManager.getInstalledPackages()
  • android.app.ApplicationPackageManager.getInstalledApplications()

If the software developer would like to obtains SMS data on your mobile phone (Android), he can do the following steps.

  1. Manages SMS operations such as sending data

    void sendDataMessage (String destinationAddress, 
                    String scAddress, 
                    short destinationPort, 
                    byte[] data, 
                    PendingIntent sentIntent, 
                    PendingIntent deliveryIntent)

    2. The null pointer exception is directly linked to name. i.e. isms or isms2.

    3. The transact() method is redefined in the customized program “isms” (or isms2) binder realization, replacing the original.

    4. When the parent application of the customized program sends an SMS it leads to the call of the customized program transact() method.

    5. As a result, the customized program can obtains SMS data (destination number, message text, service center number) from raw PDU.

Current status

It is hard to draw into conclusion on this discussion topics this moment. We keep our eye open see whether a new vulnerability find on Zygote in 3rd quarter in 2017 . Ok, have a good sleep.  Zzzzzzz……

 

 

 

 

 

 

 

 

 

 

 

 

 

 

2017 – How Android protect itself?

Preface:

Numbers 31:3 “So Moses spoke to the people, saying, “Arm men from among you for the war, that they may go against Midian to execute the Lord’s vengeance on Midian.”

If you are familiar with Bible, you might know who’s Midian. Some scholars have suggested that Midian was not a geographical area but a league of tribes.

Cope with nowadays cyber security world.  Sounds like Midian equivalent of a  malware. Man kind is going to find a way protect the electronic devices including computer, mobile phone and IoT devices.

2017 threats predictions (mobile phone)

We all  known ransomware aggressive 1st quarter this year and believed that similar of attacks will continue to grow. We aware that malware and malicious code embedded on Google Play store applications significant increases. And therefore the downloading apps from unknown and untrusted markets has always been more dangerous. And predicts that similar type of incidents will be happens continuously. Besides  there are hardware vulnerabilities during the last several years—including vulnerabilities in microprocessors and DRAM technology. May be you might ask? How mobile phone especially Android to protect itself?

Let’s talk a closer look see whether we can find the hints

Fundamental of Android APT

Android use the standard process isolation to split application.  The application reading each-other’s data by requesting permissions in the apk’s. By requesting permissions in the apk’s
AndroidManifest it is possible to get those granted by the PackageManager. Such permissions can result in applications being run under the same user id.

Heads-up: This is the reason Google is having a hard time getting rid of malicious Android apps

APK Installation Process

An additional Android manifest file, describing the name, version, access rights, referenced library files for the application. As such, the Manifest files plays an important role for every android application. From the perspective of security the manifest file is usually the first thing that a penetration tester will check on an engagement. The android:protectionLevel attribute defines the procedure that the system should follow before grants the permission to the application that has requested it. This is a major part of Android security feature. And this is one of the important protection feature of Android.

All the permissions that the application requests should be reviewed to ensure that they don’t introduce a security risk.

1
2
3
<permission>
android:protectionLevel="signature"
</permission>

Below is an example showing that an inherent risk found on Android manifest file. The setting lack of signature permission.

<?xml version='1.0' encoding='utf-8'?>
<manifest package="org.qtproject.example.notification" xmlns:android="http://schemas.android.com/apk/res/android" android:versionName="1.0" android:versionCode="1" android:installLocation="auto">
    <application android:icon="@drawable/icon" android:name="org.qtproject.qt5.android.bindings.QtApplication" android:label="@string/app_name">
        <activity android:configChanges="orientation|uiMode|screenLayout|screenSize|smallestScreenSize|locale|fontScale|keyboard|keyboardHidden|navigation"
                  android:name="org.qtproject.example.notification.NotificationClient"
                  android:label="Qt Notifier"
                  android:screenOrientation="unspecified">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <meta-data android:name="android.app.lib_name" android:value="-- %%INSERT_APP_LIB_NAME%% --"/>
            <meta-data android:name="android.app.qt_sources_resource_id" android:resource="@array/qt_sources"/>
            <meta-data android:name="android.app.repository" android:value="default"/>
            <meta-data android:name="android.app.qt_libs_resource_id" android:resource="@array/qt_libs"/>
            <meta-data android:name="android.app.bundled_libs_resource_id" android:resource="@array/bundled_libs"/>
            <meta-data android:name="android.app.bundle_local_qt_libs" android:value="-- %%BUNDLE_LOCAL_QT_LIBS%% --"/>
            <meta-data android:name="android.app.bundled_in_lib_resource_id" android:resource="@array/bundled_in_lib"/>
            <meta-data android:name="android.app.bundled_in_assets_resource_id" android:resource="@array/bundled_in_assets"/>
            <meta-data android:name="android.app.use_local_qt_libs" android:value="-- %%USE_LOCAL_QT_LIBS%% --"/>
            <meta-data android:name="android.app.libs_prefix" android:value="/data/local/tmp/qt/"/>
            <meta-data android:name="android.app.load_local_libs" android:value="-- %%INSERT_LOCAL_LIBS%% --"/>
            <meta-data android:name="android.app.load_local_jars" android:value="-- %%INSERT_LOCAL_JARS%% --"/>
            <meta-data android:name="android.app.static_init_classes" android:value="-- %%INSERT_INIT_CLASSES%% --"/>
            <meta-data android:value="@string/ministro_not_found_msg" android:name="android.app.ministro_not_found_msg"/>
            <meta-data android:value="@string/ministro_needed_msg" android:name="android.app.ministro_needed_msg"/>
            <meta-data android:value="@string/fatal_error_msg" android:name="android.app.fatal_error_msg"/>
            <meta-data android:name="android.app.splash_screen_drawable" android:resource="@drawable/logo"/>
            -->
        </activity>
    </application>
    <uses-sdk android:minSdkVersion="16" />
    <supports-screens android:largeScreens="true" android:normalScreens="true" android:anyDensity="true" android:smallScreens="true"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>

Android-APT project page:

As we know Android APT plugin officially obsoleted. The Android Gradle plugin (version 2.2) replaced the traditional plug in (Android APT) on Oct 2016.

An announcement issued by Android studio. Annotation Processing became available in Android Gradle plugin (2.2 and later) so there is now no need to use the Android APT plugin anymore if using version 2.2 of gradle or above.

You can remove the line :

apply plugin: 'com.neenbedankt.android-apt'

Question: How about the security status who still supports Android APT plugin?

If the Android Gradle plugin not in use, it is still a Eclipse project. Currently android-apt works fine with version 2.2 of the Android Gradle plugin, but it doesn’t work with jack.

Is there security concerns on Android APT plugin?

Plugin technology was initially introduced by third parties to add additional enhancements and capabilities to Android.The plugin will find all AspectJ aspects available in the project compile classpath, plugin class and weave .class files. Meanwhile AspectJ allow to hook. AspectJ to work on Android we have to make use of some hooks when compiling our app and this is only possible using the android-library gradle plugin.

From security point of view, plugin design might contain inherent risk because of the fundamental hook process design. The Android plugin technology is an innovative application-level virtualization framework that allows a mobile application to dynamically load and launch another app without installing the app. This technology was originally developed for purposes of hot patching and reducing the released APK size. The primary application of this technology is to satisfy the growing demand for launching multiple instances of a same app on the same device, sounds like I log in my personal and business Gmail  accounts simultaneously.

Abbreviations 1: Weave (Web-based Analysis and Visualization Environment)

Abbreviations 2: AspectJ is an aspect-oriented programming (AOP) extension created at PARC for the Java programming language. It is available in Eclipse Foundation open-source projects, both stand-alone and integrated into Eclipse.

APT, AspectJ, Javassist corresponding component

Sound scary but Android have their solution to mitigate the risk?

Can we wait for Android O?

 

 

Digital wallet – Where to go? iphone, Android or not going to use

 

Preface

I’m smart brain, gave me lazy….

The implementation of the smart phone change people life style. Any time any where you can get in touch with the world. It break follow the sun operation concept. Why? Both online shopping and settlement simultaneously because of electronic payment function. Below bar chart on left hand side shown internet users in select countries who purchase items via mobile device in 2013. Less than 3 years time, a significant usage of mobile payment has been growth in Greater China (see below picture right hand side).

Cyber attack is a never ending story. Malware infection technique take the advantage of computer users negligence. Even though Bank did not have expection. The headline news shocked the world includes The Bangladesh Bank robbery. It was so called the Bangladesh Bank heist, took place in February 2016, when SWIFT instructions to steal US$951 million from Bangladesh Bank.

In order to avoid cyber incident happen on electronic payment transaction. Financial industry especially payment gateway services provider find perfection of authentication method goal enhance the reliability of payment. For instance 2 factor authentication, a second random generation of pass code go through SMS forward to you mobile phone.

Electronic wallet upside down to the world

A third-party online payment platform was launched in China in 2004 by Alibaba Group. As times goes by, now the biggest market share in China with 400 million users. The coverage near 50% of China’s online payment market in October 2016. As of today electronic wallet looks like flooding went to different countries in the world especially China. Electronic wallet initiate by mobile phone. Below table can provide an hints to you in this regard.

 

Background

A digital wallet refers to an electronic device that allows an individual to make electronic transactions

Digital wallet infrastructure elements

.

The account information and Card type lure the interest of criminals. But are you aware that there are difference in between mobile computing (electronic wallet) and traditional internet payment function (without electronic wallet). See below informatic diagram. Even though how precise and advanced encryption technology are deployed. But it is difficult to avoid a single device facing compromise. Personally I am not suggest my friend to use electronic wallet on his mobile phone. My friend was told even though money lost because of malware, it only lost the charge money value. Yes, from technical point of view it is correct. But reminded you that mobile OS is fragile. Why does it say mobile OS is fragile?

 

Why does it say mobile OS is fragile?

Android phone

(Memory)

Both the Android Runtime (ART) and Dalvik virtual machine perform routine garbage collection, this does not mean you can ignore when and where your app allocates and releases memory. Software designer need to avoid introducing memory leaks, usually caused by holding onto object references in static memory variables, and release any Reference objects at the appropriate time as defined by lifecycle callbacks.

Side effect of above defect – The easiest way to leak an Activity is by defining a static variable inside the class definition of the Activity and then setting it to the running instance of that Activity. If this reference is not cleared before the Activity’s lifecycle completes, the Activity will be leaked. So all depends on mobile apps developer design. It is hard to avoid memory leak. As you know, what is the defect of memory leak? Hacker relies on this error can implant malware.

If you would like to know more details, please refer below articles.

Heard that Android operating not secure anymore, but it is properly not.

How about IOS?

Design weakness:

Every WebKit object is RefCountedBase object

Mobile Safari and most of WebKit Apps leak address – Fill in another object and use the JS pointer of the old object to read information of the new object.

Should you have interest know the details on above matter, please refer below:

Meteor shower – Apple iPhone

Checkpoint : If above 2 technical articles make you feeling confused. Tired, you are not able to read. No problem we can jump to summary of this discussion. The information will stay here, anytime you have interest you are free to read.

Summary:

IT & cyber security technologies due to limit development life cycle. OS claim itself is safe today but is it hard to guarantee next 6 months. The most fundamental weakness in mobile device security is that the security decision process is dependent on yourself. You are allow anywhere play online games & watch on-line TV program. Because of the web browser extend feature, uncountable plug-In drivers will install to your mobile phone. How about your personal information includes your personal account information. Do you think only relies on your local antivirus. The so called malware detection program can aviod the cyber attack?

My personal suggestion is that think it over before install or make use of electronic wallet on your mobile phone.

Have a nice day, Good Bye!

 

The other side of the story on cyber attack (Electronic war between countries)

 

Preface

We heard  that the new age transformation is coming.  As a result it transform the traditional military weapons to electronic codes. The computer  technologies such as DDOS (Distributed denial of services), malware and virus similar a killer. It can disrupt the financial activities,  daily network communication and health care services. An idea bring to our attention on world war II history was that classic military power result destroyed everything (mankind and properties).  But re-built the society and operation after war. It is a harsh and difficult mission! From technical point of view, the victorious might stand on ethics view point to assists defeated side to rebuild the business and economic system. As a matter of fact, the distruction level of war created by military weapon especially missile it is hard to evaluation. And this is the reason let’s cyber warfare appears in coming future! But it started already!

Analytic result on technical articles about cyber warfare

In regards to my study on technical article issued by CSS Eth Zurich (The Center for Security Studies (CSS) at ETH Zurich).The analytic result highlights serveral key factors of Cyber warfare . Cyber warfare was cheaper than traditional military force. It provides a  “cleaner” (with less or no bloodshed) suitation. No doubt that  less risky for an attacker than other forms of armed conflict. The analytic result  defines 5 different types of cyber conflict during their study. They are Cyber War, Cyber Terrorism, Cyber Espionage, internet crime and cyber vandalism.

The specific feature of cyber weapon (in between country to country)

I was sometimes confused with the headline news on prediction on cyber technology war.  The questions on my mind is that how electronic weapon or cyber weapon replacing traditional military facilities? Think it over, the appropriate technique might adopted target into the following criteria (see below):

The capabilities of cyber attack techniques ( A transformation of traditional military force)

Type Attack technology Functional feature – objective Target – Environment Remark:
Cyber Vandalism, Cyber War IOT & BOTNET (DDOS technique)

 

Services suspension – electronic communication services (IP-Telephony) Bank, Fund House , Stock Exchange
Cyber Espionage Malware Information gathering Bank, Fund House, Stock Exchange & government sector
Cyber War, Cyber Vandalism Ransomware Services suspension important facility fucntion nuclear facility , Airlines,TV broadcast station, Radio broadcast station & military facility Ransomware feature contained facility to supspend the computer services. Besides it capable listen to the instruction of C&C server. On the other hand, the attacker can resume the services once they win the battle.
Traditional military force Bomb Services Suspension on important facility function and destroy permanently nuclear facility, military facility, power station, airport & communiation facility (Digital phone system)
Internet Crime, Cyber war Email phishing and Scam email message Carry out  psychological warfare, implant malware activities in order to fulfill their objective nuclear facility, military facility, power station,

Let us dig out one of the attack technique to see how the cyber technology feature fulfill the goal of the cyber warfare features .

Do you think Ransomware is founded by military department?

The first ransomware appear in the world on 1989. A biologist Joseph L. Popp sent 20,000 infected diskettes labeled
“AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer.
To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, former President George W. Bush was increasingly worried about Iranian efforts at enriching uranium, and ultimately, its hopes to build an atomic bomb. The goal of Stuxnet is going to destroy Iraq nuclear facilities driven by US government. The rumors were told Stuxnet malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.

An unconfirmed  information stated that there is a separate operation called Nitro Zeus, which gave the US access into Iran’s air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.

Speculation:

WannaCry infection using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol.  The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. As we know nuclear power facilities control system OS platform relies on Microsoft OS system (see below articles). It may causes people think is there any secret action hide by NSA (National Security Agency). He aroused my interest in questioning who is the key figure to spread WannCry ransome? It looks that there is similarity with Stuxnet worm infection in 2009. Since we all fool by NSA at that time let your computer workstation transform to a cyber army then attack USA enemy.  Do you think wanncry is the rehearsal of test or pilot run?

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Below diagram is my imagination of the modern nuclear facility environment. The SCADA system pay a key role in nuclear power facility. Ransomeware have capabilities to suspend the services of this facilities. It doesn’t need to destroy anything but the services will be totally shut it down the services. We have seen the real example in UK health care services as a reference. I will stop written here. Should you have any queries, I will try my best to written more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017

 

As said on above discussion topic, since it looks not interest to visitors on reflection of comments on feedback.  However there is something on my mind need to share.

North Korea President Kim’s intention show to the world of his governance power. He is in frequent to demonstrate his military power cause US government concerns his equalize of military power in the world. To be honest, it is hard to equal the military and economics power as of today. For instance China nearly become the 1st business economic leader. We all know United state is the leader in this moment. However their economic operation chain should have difficulties to do the 2nd round of transformation. Because some of their capital business and business economy contained made in China element.  Since North Korea on finance and business economy are weak. President Kim did such things seems not make sense. I did not visit North Korea however a lot of news on TV might speculate their current situation. I strongly believed that their nuclear facility might operation in 60’s fashion. The SCADA system not possibly supply by Siemens. But learn and develop a windows based SCADA system not difficult.  From information point of view, North Korea nuclear facilities might relies on window for Control Systems instead of Linux for control system.  And therefore Ransomware type attack can specifics shot the target. Meanwhile the business industry from North Korea all work with Microsoft OS  in daily life.

The infection status of wannacry was not issued by North Korea government.  But for sure that wannacry type infection can suspend North Korea business finance and industries operations.

Below are the hints how to eliminate the risks issued by  SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic

 

 

 

Must aware during web surfing – protect your personal privacy – turn off your camera on web browser

Preface:

What’s our objective to discussion this topic today? Our goal is going to protect user privacy. As we know, internet traffic are under surveillance. This activities not limited to China nowadays. It was includes the major leader countries in Europe, England and USA.

Situation in China

The country like China provides a clear announcement. The China government was told that all internet traffics in China are under surveillance. And thus that they build the great wall (firewall).  (Tianhe-1 and Tianhe-2 (Milkyway-2) are capable to take this responsibility.

2016 Supercomputer magazine

Situation in United State

How about the surveillance program status from NSA (National security agency) . The NSA has official announcement was that after a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation, NSA has decided to stop some of its activities conducted under Section 702. For more details, please find below URL for references:

NSA Statement: NSA Stops Certain Section 702 “Upstream” Activities – For more detail, please refer below url for reference.

https://www.nsa.gov/news-features/press-room/statements/2017-04-28-702-statement.shtml

NSA Stops Certain Foreign Intelligence Collection Activities Under Section 702 – For more detail, please refer below url for reference.

https://www.nsa.gov/news-features/press-room/press-releases/2017/nsa-stops-certain-702-activites.shtml

NSA Transparency Report: THE USA FREEDOM Act Business Records FISA Implementation – 15 January 2016 – For more detail, please refer below url for reference.

https://www.nsa.gov/about/civil-liberties/reports/assets/files/UFA_Civil_Liberties_and_Privacy_Report.pdf

Above items given an idea to people our communications (electronic or without electronic) are under surveillance. A positive thinking of idea told yourself that such policy are going to fight against crimes. Apart from that are you aware of your personal privacy especially your mobile phone camera (Lens)? We known more secret on mobile phone recently. The execution of JavaScript or HTML5  allow access your mobile phone camera from Chrome (example shown as below):

Enable camera and microphone in packaged application for Chrome OS

navigator.webkitGetUserMedia({ audio: true, video: true },
            function (stream) {
                mediaStream = stream;
            },
            function (error) {
                console.error("Error trying to get the stream:: " + error.message);
            });    

Remark: The audio and video for a <webview>-embedded page require permission. It will alert mobile phone owner. A software developer hints that the require permission might embedded audioCapture and videoCapture and put the permissions in manifest.json. The mobile phone user might not aware.

Below HTML5 program language which allow to select the source and pass it in as optional into getUserMedia. This function is available in Chrome web browser.

Step 1: Select source

MediaStreamTrack.getSources(gotSources);

Step 2: pass it in as optional into getUserMedia

var constraints = {
  audio: {
    optional: [{sourceId: audioSource}]
  },
  video: {
    optional: [{sourceId: videoSource}]
  }
};
navigator.getUserMedia(constraints, successCallback, errorCallback);

Step 3: Put the permissions on manifest.json or manifest.xml. The mobile phone user might not aware.

Above audio and video capture functions only do a reverse engineering will transform to other criteria of function receive your personal photo. Are you aware of it ?

Summary:

Refer to above information. It looks that we need to spend more job affords to close the back door on your mobile phone, right? But the easy way to do from end user side is that just disable the camera on your mobile phone browser. Or just use a sticker to disable it. It is straight forward, bye!