Android devices can be fatally hacked by malicious Wi-Fi networks

The exploit is just about the worst case scenario. Users don’t even have to connect to a malicious AP and turning off WiFi may not stop an attack. iOS has been patched but it is likely to be weeks, if not months, or in some cases never, before Android receives a patch. I can confirm that Broadcom makes some terrible chips after being stuck running Linux on a Mac for work recently. A coworker still routinely has disconnects and other issues with the same configuration.


Nexus 7 Obsession

It has been a while since I talked about my mobile devices, just a bit over a year. You could say that I have happily realized everything for which I bought my Nexus 7. To address my sole complaint at the time, I even upgraded to the 32GB model when that came out. When I bought the 2nd generation model when that came out, too, well then I may have given in to a bit of an obsession. In my defense, I only bought the two successive upgrades after arranging to sell the old ones so that they’d avoid the landfill and I was only paying an incremental cost.

Having lived with just about every model of this device, except the fully mobile data enabled ones, I have a few thoughts I want to share, about the devices themselves, an emerging concern, and a bit of an obligatory review though not for the tablets themselves.

Having such a strong relapse of my old gadget obsession is a pretty solid endorsement of these devices, for starters. The Android OS has come a long way, in terms of fit and finish, so much so that while I have been tempted on non-Google experience devices to try an aftermarket firmware like CyanogenMod, I have not felt that same urge with the Nexus 7. Everything just works and the experience is seamless.

Unlike the popular, fruit themed alternative, that extends to my ability to run open source apps and services and have them integrate very well into the overall device. I have another long overdue post in mind discussing my reasons for moving away from some Google services to alternatives that I control, specifically for data where on principle I would be upset or concerned if Google received a demand for that data.

I actually wasn’t going to buy the third tablet in this compulsive series. On paper, it seemed like a truly marginal improvement over an already stellar device in the first generation incarnation. When I mentioned selling my old devices, what I ended up doing was using them as part of teaching my kids responsible technology ownership. I have been supporting both in cultivating good spending and saving habits. After depreciating even relatively new devices considerably, they proved to be approachable and attractive rewards for their efforts.

Well, I should say, I did this with the first tablet with my older son who had been working on his responsible personal finance skills longer. When the 2nd generation Nexus 7 came out, I was tempted but figured I could wait until I had gotten a much greater use out of my 2nd tablet. That was the plan, until I realized that my younger son still had the oldest hand me down tech in the house, was learning the same lessons about responsibility, and it would simply be more fair to offer him the same deal, which just would happen to offset the cost of a new tablet for me enough to make it more of an impulse decision.

That’s what I tell myself.

Now comes the reservation, in the form of a thought provoking piece by Ron Amadeo on Ars Technica. It is well worth the read, the whole thing. With Microsoft buying Nokia, rumors of a buyout of Blackberry, and at this point everything but iOS and Android pretty much being an also-ran, the thought of Google following Apple’s lead into a more tightly controlled roadmap is chilling. It bears watching as Google has frustrated me before with similar turns away from the more open origins of several of its projects. Unlike iOS, at least there are still a few viable alternatives for the truly dedicated who wish to take a stand on the extension of the principle of user control from data to full devices.

And now to close this post, the obligatory bit, in the form of a quick product review.

I generally am skeptical of cases for my gadgets. I’d much prefer that they be able to withstand ordinary use well enough on their own, if not accrue an attractive patina over time. Silly but I really like the idea and I think it has actually been key to my otherwise much more staid approach to gadgets in recent years.

Unfortunately, the original Nexus 7 really did need a case. The gray plastic on the bezel was prone to scratches and the soft, leather like back did manage to get a nick or two, even in the short time I had each model of the 1st generation.

I tried a keyboard case but gave up on that as its lesser build quality saw it discolor in a way that made it obviously no longer match the device. The way it fit onto the tablet, it also was starting to lightly scratch the merely resistant screen. I tried a slim-line leather or leather-like case, which worked well until the piece holding the cover started to fray. For the 1st generation, the best case I tried was the stock one offered by Google in their own store. It fit snugly, it didn’t add any stress on the tablet itself, and it held up well. The cover was not a smart cover, nor did it quite work to prop the tablet up, but just to keep the tablet in good shape floating around in my bag, it fit the bill.

There is a similar case for the 2nd generation but I didn’t get that, I wanted something a little smarter, to go back and try a few more options. The build quality of the 2nd generation seemed to be higher, anyway, with the nick prone gray bezel replaced with a tougher black plastic piece. Even the grippy back seemed more like a durable rubber rather than a patterned leather so far less prone to scuffing.

While considering my options, I received an email from a case maker, The Snugg. I am not sure their press person actually read very deeply on my site because they initially offered me an iPad or iPhone case for review. I asked if they’d send me their case for the 2nd generation Nexus 7. After looking it over, it fit my policy of only accepting items for review that I might buy anyway on my own.

Despite sending me a color other than the one I requested, I tried it out for a few weeks. The short takeaway is that I would have happily bought this on my own. Unlike the last case in this style that I tried that frayed after a few weeks, the construction quality on The Snugg is quite high. The cover is a smart cover, triggering the sensor that matches the device’s wake and sleep functions to opening and closing the cover. There are also a couple of magnets that help secure the lid when it is closed but gently so that it is still easy to flip open when fumbling for the device on a crowded train for my usual commute reading. There is even an elastic strap built into the back that sits away flush when not in use but can be used to help hang on when using the tablet one handed.

My sole complaint with the case isn’t a problem with The Snugg per se but this style in general. The construction and choice of material means it is a tad on the bulky side. That can be attractive, if you want something with an excellent executive style, like an old school leather folio. The combination of that, though, and the very thin bezel on the long sides of the Nexus 7 made using the full screen, such as with the vast array of indie games I have accrued via the Humble Bundles, a bit frustrating at times.

Ultimately, just because of my personal preference and past experience, I bought the new Google designed case. If like me you want something a bit more snug in the hand and in your bag, this is a good choice. The cover is not a smart cover though despite the marketing text in the ad description so bear that in mind. If you want something with a classic style and the smart cover is a must have, I can definitely recommend The Snugg.

Archos 43 More than 6 Months Later: Largely Fail

I purchased an Archos 43 notaphone a little over six months ago. I have little use for cell phones or expensive data plans as I am usually within easy range of WiFi and Google Voice neatly takes care of the few instances where I have to give someone a working cell number even though I prefer just about any other means of communication. A few months ago I even popped for a pay-as-you-go mobile hot spot for those occasions when I am traveling or otherwise need connectivity and the availability of WiFi is unknown or unavailable.

At first, the lack of the Android Market was my biggest complaint, followed by the crummy resistive touch screen. Over time, those two complaints have swapped places. A bit of hacking got the Market onto the device and only occasionally does it present problems, mostly around major firmware updates from Archos. The screen, however, has not worn well and continues to get worse and worse.

There is a broad strip down the righthand side of the screen that no longer reliably works. If I re-calibrate the touch screen, it will work for a few minutes before it settles into its usual semi-functional state. If it was just an inoperable chunk of the screen, rotating would mostly overcome it at the expense of some small hassle. The problem is the accuracy on the rest of the screen is absolutely abysmal. All the way over to the left, it is pretty much spot on but the further to the right you touch, the worse it gets, registering touches as offset increasingly to the left. I am convinced the non-working portion of the display is part of this mis-registration, that the offset just gets so large you’d have to tap beyond the physical boundary of the screen to register successfully.

As you might imagine, typing on the soft keyboard with this idiosyncratic touch screen is an exercise in frustration. More often than not, after the third word of a message or update, I want to hurl the accursed device into the nearest hard surface as hard as I possibly can. I try to avoid any applications now that require any typing, resigning myself to media consumption. You’d think that would alleviate the frustration with the damn thing a bit but not hardly.

Just reliably hitting the play, pause and next buttons often is an utter crap shoot. A miss can result in sending me back to the home screen or bouncing around to another podcast episode or track. Usually I have to rotate the thing around repeatedly to get the most reliable, left most edge to line up with the buttons I need. The amount of effort involved just to keep up with my podcasts and occasionally listen to some music when I am reading on my morning train ride is tiresome to say the least.

To add insult to injury, I finally installed a firmware update from Archos that I’ve been avoiding for weeks. I was uncertain whether it would undo my Market hack, hence my hesitation. My (undeserved) hope that the update might improve the screen operation finally overcame my reluctance and yesterday I installed the patch. Not only did it do absolutely nothing to alleviate my existing woes, now it has introduced a new glitch. Whenever the screen automatically shuts off to help manage battery life, media playback goes out the window. I have disabled the auto shut off just so I can continue to listen to podcasts, otherwise that app would be utterly unusable. I also realize this may be a worsening of an existing bug that was interfering with some music files that previously had been glitchy. Leaving the screen on while using the built-in music player actually seems to work better on files I thought were just mis-encoded or had some metadata that was culpable.

Heck of a workaround, risk destroying my battery life or weird series of app activations and utilization as a result of the MID floating around my pocket with its screen on or give up on the core reason I bought the stupid thing in the first place.

So what to do? The gadget is still within its warranty but I am not optimistic about the vendor’s ability to address any of my complaints. I am also loath to give up even a brain damaged media player for the duration it would take to get it repaired or replaced. I struggle enough to keep up with podcasts as it is.

I looked around a bit online today for a possible replacement. In short, there really are none. I could get a simpler, non-Android media player. There are several that work well with Linux. Even if I set aside how deeply habituated I am to having Internet access with me constantly, I cannot imagine going back to a device that has to be routinely synchronized with a computer. Of the other Android powered devices that are not phones, the vast majority of them are full sized tablets. For reasons I may discuss in some other post, I don’t want anything larger than my shirt pocket. Besides, judging by customer reviews of at least one WiFi only version of a popular seven inch tablet, the device makers often hobble the non-cell modem equipped tablets as a subtle and irritating prod towards the more lucrative versions.

Samsung has released an interesting media player that bears some passing resemblance to its popular Galaxy line of phones. It has not reached the US though and reviews so far have been mixed. I am not convinced it would be a worthwhile purchase.

As a last resort, I’ve looked into unlocked smart phones. I could see carrying around a Nexus S or some Galaxy based phone but haven’t been able to find any discussions about how reasonable it is to leave such a device unactivated. All the posts and forum threads I’ve found assume you’ll pop a SIM in from some carrier or another and start using it as a regular phone, voice + data plan and all.

I even considered biting the bullet and getting an Android smartphone with a plan of some kind. I can’t get past the fact that any contract option still costs more each month than I am willing to pay considering how lightly I’ll use the minutes and bandwidth. See my comments on access to WiFi and my ingrained aversion to mobile telephony. There are now Android phones available with pay as you go plans which could be a reasonable upgrade to the 2G dumb phone I still carry for when I absolutely, positively have to make or receive a mobile call. Of course none of the smart phones on offer with that option are ones for which I actually would pay good money.

Am I being unreasonable? Is there an option I haven’t considered to get an Android powered, small form factor media player and Internet device? If you have an answer to the latter, I sure would like to hear about it in the comments. Or if you can clarify how well an unactivated phone might work, I’d like to hear that too.

Impressions of the Archos 43 Internet Tablet

On Monday, I finally received the Archos 43 internet tablet I ordered from Amazon back in the middle of October. The device is Android powered and primarily intended as a personal media player. I picked it because it is an excellent price for the specs which include a 4.3 inch screen, 16GB of internal storage, a micro-SD card slot, and a 2 megapixel camera. It sports a 1GHz ARM chip with an integrated DSP so also is a nice speed bump over my two year old iPod Touch. My requirements are very specific and sadly seem unusual. I do not want a phone (I hate the interruption factor), but want a screen size that is almost exclusively used in phones. I want something that will easily fit in a jeans or coat pocket, so definitely not a seven or ten inch tablet.

Specifically I wanted an Android based personal media player (PMP) or mobile internet device (MID) to be able to sever my last tie to Apple’s proprietary software ecosystem. I’ve documented the process of installing Linux for everyday use on my Mac Pro. I have been itching to install Linux on my Macbook Pro. With a substantial iTunes library and the idiotic proprietary sync mechanism of the iPod, my laptop has been relegated to an iPod peripheral. I actively avoid using it out of the sheer frustration arising from losing OS X muscle tone and my newly ingrained Linux reflexes constantly leading me to tap the wrong booster keys and generally fumbling the Apple interface conventions.

The Archos PMP/MID devices all are capable of mounting as mass storage devices over USB which works with all the popular desktop OSes. No need for any proprietary anything to get my music library onto it. I can simply use rsync if I want an exact copy of my main music library mirrored to my portable device. Of course, I can also use a file manager, music buying and sharing apps, and network storage services like DropBox to manage my media collection even more powerfully if I want. Like using Linux on my desktop, the move to Android provides a lot more possibilities.

After several days, I’ve got a good sense of the drawbacks and benefits of this new device. My iPod Touch is currently cleaning itself out preparatory to handing it down to my wife. My Macbook Pro is busy copying my iTunes library to my Linux desktop where I will sift through it deciding what to pull into Amarok and onto my Archos. All of that is simply to say that on the whole I am very happy with the Archos, with only a couple of qualifications.

Costing only 250 USD it is clear where Archos cut costs with the 43 IT. The performance of the touch screen is inconsistent. Sometimes it works very smoothly, as smoothly as my iPod Touch. Other times it freezes for several seconds, being utterly non-responsive. Another portion of the time, it simply mis-registers touches, double tapping or tapping somewhere else on the screen. This is frustrating but not enough so that I am looking to return the device. Most of the time, it simply sits in my pocket or on my desktop, playing media. The flaky screen is irksome when pushing status messages out to my social network but to be honest, the tiny onscreen keyboard and inconsistent landscape support under iOS was just as frustrating. I am hopeful that the problem is software and will improve with firmware updates from Archos.

Speaking of the firmware, the device did not arrive with FroYo, Android 2.2 as advertised. There is a footnote, now that I double check, and some clarification in the support section of Archos’ site. The device is FroYo capable and a new firmware build based on 2.2 is scheduled to ship this quarter. Looking at past firmware updates from Archos, they clearly invest extra effort to polish the Android builds to work better with their hardware, an effort I appreciate. I’ll post a follow up after it arrives.

Also on the software front, the biggest question everyone has is whether the Archos tablets include the Android Market. They do not. If you read the CDD, it is pretty clear why: they lack a GPS and compass as well as hardware buttons for home, menu and back. Archos confirms this in their FAQ. I think Archos’ handling of the buttons in software that the CDD requires to be hardware is actually much nicer. Most of the time, the soft buttons are present and actually change orientation when the screen turns. With video playback and viewing slideshows of pictures, they disappear altogether. I have only noticed one app, Aldiko, where the available screen area is a bit off because of the soft buttons. (Aldiko, an ebook reader that supports ePub, is thoughtfully one of the bundled apps.)

If you search, as I did, you’ll find ways around the lack of the Market. I cannot endorse or condone this as it is pirated and illegal software. I really wish Google would just let me buy my own way into the Market with the understanding that some apps may not work right, without a cell modem or GPS. The vast majority of them are agnostic of the hardware specifics, it is very odd that the compatibility definition is so tied to a minority of applications. The process of installing apps of any kind exposes what capabilities of the device the apps may use, both in software and hardware. It would seem to be a simple enhancement to also have this address less capable devices and possible hardware compatibility issues. Until then, if you do choose to break the law, just be aware that your mileage may vary and that Google undoubtedly has some visibility into unauthorized devices using the Market.

The only other frustration is the camera quality. Given the size of the optics, it is understandable. The default quality setting in the picture taking software exacerbates the noise arising from the small glass and tiny sensor. On the maximum quality setting, with bright lighting, the photo quality is quite good. It drops off very rapidly in darker conditions, reminding me of an old Casio point-and-shoot I had with really stinky low light performance. The lack of a flash makes this more of a problem. However, to supplement proper cameras, either point-and-shoot or DSLR, I am entirely happy. I rarely carry a camera outside of specific, planned occasions, so even a lower quality camera is better than none at all as I carry my MID with me everywhere. Having it on the network, ready for posting to social networks, microblogs, and photo sharing sites also offsets the lesser quality considerably. I also plan on experimenting with the micro-SD card, shooting with my point-and-shoot using the standard SD card adapter then using the MID as a quicker means of sharing than downloading to my desktop library.

If, like me, you primarily are looking for a media player, I think the Archos is a solid buy, especially for the price. I consider the apps and other capabilities as bonuses. If you are looking for something more, you may want to wait for future iterations or devices from other vendors. Maybe hanging onto my 1G iPod Touch has set my personal expectations very low. I love having physical volume buttons, an external speaker, and a camera, all things the original Touch lacked. The bundled media apps are very nice, back porting some features from what my friends have shown me to be standard in FroYo. The included app market is OK, though no real replacement for the Google Market. You can also install standalone packages, like I did with the Firefox Mobile beta (review pending). My usage patterns minimize the frustrations I’ve noted though your mileage may vary.

I am also hoping that my order helps send a market signal that there is strong demand for non-phone, non-tablet (that is smaller than 7 inches) internet devices powered by Android. I choose to think that the long time it took my order to be filled is due to the high volume of orders, a reason for optimism. In the meantime, the Archos 43 IT is pretty much what I hoped it would be, a very pleasant way to step into the Android space without tying myself to a cell carrier.

Uncrackable Android Phone Rooted After All

Lauren Weinstein has a good follow up to the mis-reported rootkit story from a month ago. The G2 handset, successor to the early G1 Android phone, included a firmware reset feature that re-installed the stock image if it detected changes, like rooting of the phone. Many aftermarket customizations and improvements rely on rooting, or acquiring full software privileges on, Android phones.

Lauren was one of the saner voices at that time, clarifying what would have to be true for this vendor “feature” to qualify as an actual rootkit. What T-Mobile and HTC did to the G2 is at most a form of DRM. For it to have been a rootkit, it would have had to allow some user, local or remote, access they would not otherwise have. Attackers leave these kits behind to turn a one time crack into an asset with ongoing value. Weinstein’s objection to the imprecise usage was that it clouded the real issues here.

He also suggested that as dire as this protective measure might have seemed, the dedicated modder community would surmount it like every other challenge vendors and carriers have tried to erect to users exercising their owner override.

As it turns out, it was quickly established that the G2 was not using a firmware rewrite system, but rather was employing the protected mode of JEDEC Embedded MMC memory (eMMC). Temporary rooting of the device was possible from early on since the underlying Linux kernel was caching changes related to user root attempts, but the eMMC protection mechanism was preventing those changes from ever being successfully written to flash system memory — so all such changes were lost at the next boot of the phone.

Lauren clearly followed this development quite closely. There are more details, if you are curious, in his blog post. The takeaway is that this type of enclosure is almost certainly doomed to failure. Choice is a strong enough motivator for someone to come up with a way to open a device to exercise it.

“Uncrackable” G2 Android Phone Successfully and Permanently Rooted — and Why This Matters! Vortex

Quick Security Alerts for the Week Ending 11/7/2010

feeds | grep links > Chrome Loses Privacy Feature, Google Introduces Image Format, Microsoft Sues Motorola over Android, and More

feeds | grep links > Promiscuous Android Apps, Virgin Media Throttling P2P, Maverick Meerkat Approaches Release, and More

feeds | grep links > Plans for Firefox Home, Review of “Get Lamp”, Open HDCP Software Implementation, and More

  • Contest to produce JavaScript demos no more than 1Kb
    Slashdot links to this now concluded contest that sort of reminds me of the demo scene in terms of the constraint to bum down code as much as possible. The results are a bit more diverse, including many interactive games as well as passive animations. More so than a lot of recent and fairly contrived “HTML5” demos, the finalists in JS1K really showcase what modern browsers can do.
  • Firefox Home adding more devices, social capabilities
    Chris Cameron at ReadWriteWeb shares news of Mozilla’s plans for their Sync client for iPhone. Personally, I cannot wait to get an Android powered replacement for my iPod Touch and start running Fennec, their full mobile browser, but in the interim I’m happy that Home is getting such attention from the lizard wranglers. I especially cannot wait for the password sync support planned for a future release.
  • Congress passes internet, smart phone accessibility bill, Washington Post
  • Update to private cloud-based file system, Tahoe-LAFS, BoingBoing
  • Android software piracy rampant, Slashdot
  • A Review of Jason Scott’s “Get Lamp”
    Text adventure games figured largely in my earliest experiences of computers. It was a no brainer for me to pick up a copy of Scott’s documentary on the subject. I enjoyed it immensely and am far from finished exploring all the material he has included in the two disc set. Jeremy Reimer at Ars Technica has a glowing review that resonates very strongly with my own experience of the work.
  • EFF, others, support Microsoft in case trying to make patent invalidation easier, EFF
  • Open HDCP software implementation released
    Ars Technica, among others, has news of researchers using the recently leaked HDCP keys to build an open source program capable of decrypting encoded digital video streams. Peter Bright questions the utility of the effort as it would still require some sort of hardware to connect into your home media ecosystem. I think this overlooks the very strong tradition of these sorts of proofs of concept developed by security researchers interested in the system more so than its applications.

Amazon May Build Its Own Android Store

Andrew Savikas at O’Reilly Radar has the details, including an update indicating that the terms and conditions for developers have been leaked. This is far from a total confirmation but lends the notion credibility.

Unlike the iOS App Store, the terms of sale for the Android Market have always been non-exclusive — meaning developers are free to sell their Android apps in other places (we’ve taken advantage of that by including Android apps in many of our ebook bundles on oreilly.com, sold alongside access to PDF, EPUB, Mobipocket, and DAISY formats). Initially I wasn’t clear what Google’s intent was by taking that route, especially since parallel markets of any scale would mean developers needed to agree to terms with multiple marketplaces. But Amazon’s entrance actually makes sense for Google as well as for Amazon and likely for many app sellers.

That non-exclusivity enables this sort of competition, at the level of alternate distribution channels as well as at the individual apps and developers. Savikas suggests Amazon will curate their store more closely but as long as developers can sell their own wares directly or via other markets, I think there is more room for customers to indicate which model they find preferable with how they spend across the different offerings.

If Apple had embraced a similarly non-exclusive arrangement, even without opening up beyond that, I’d be considerably more tolerant of its shenanigans. Sarah Perez at ReadWriteWeb has some further details that might give pause and take some of the shine off the idea of Amazon offering a more palatable alternative in this space.

In particular, Amazon will retain the right to add DRM to apps. Granted, anyone who has a problem with that has perfectly legal and viable alternatives, as I’ve noted. This indicates that the new store is as likely to be like the retail giant’s video download service, riddled with restrictions, as it is their MP3 store which is refreshingly enlightened.

Amazon building its own Android App Market? O’Reilly Radar