Force https on android


Use Android as Rubber Ducky against targeted Android device or PC

HID attack using Android

Using Android as Rubber Ducky against Android or Windows. This is not a new technique, just a demo of how to perform an HID attack using Android instead of a Rubber Ducky. The targeted Android device does not need to be rooted, have ADB/USB debugging enabled, or have the device authorized, since the attacker’s smartphone behaves as a connected keyboard.

  • hid_attack — script contains customized commands that are executed (typed) against the targeted Android device
  • hid_pc — script contains customized commands that are executed (typed) against the targeted Windows 10

How to prevent this happening on Android

  1. Charge your smartphone using your own adapter
  2. Use a non-trivial PIN or password for lockscreen protection
  3. Use mobile security software that will detect payloads and prevent them from launching

How to prevent this happening on PC

  1. Don’t let anyone charge their smartphones on your PC
  2. Use security software that will detect the Metasploit payload
  3. A USB condom should help

  • rooted Android with HID kernel support (e.g. NetHunter ROM)
  • OTG cable

Video Tutorial using NetHunter

The video uses the “part1/msf_install” PoC script. The tested payload has been removed.

Video Tutorial without using NetHunter

USB Gadget Tool: https://github.com/tejado/android-usb-gadget
HID gadgets: https://github.com/pelya/android-keyboard-gadget/tree/master/hid-gadget-test
For easy access, I copied USB Gadget Tool and HID gadget to https://github.com/androidmalware/android_hid/tree/main/part2

This is a custom script, which might not work in your test scenario. Because of that, you must play around with the pressed keys that are sent to the targeted device. The website with my testing payload is not active anymore. A list of all possible keys can be found at the link below.

bash hid_attack
bash hid_pc

How to flash custom ROM with HID support


Android developers can now force users to update their apps

At its Android Dev Summit, Google today announced a number of new tools and features for developers that write apps for its mobile operating system. Some of those are no surprise, including support for the latest release of the Kotlin language, which is becoming increasingly popular in the Android developer ecosystem, as well as new features for the Android Jetpack tools and APIs, as well as the Android Studio IDE. The biggest surprise, though, is likely the launch of the In-app Updates API.

While the name doesn’t exactly make it sound like a break-through feature, it’s actually a big deal. With this new API, developers now get two new ways to push users to update their app.

“This is something that developers have asked us for a long time is — say you own an app and you want to make sure the user is running the latest version,” Google senior director for Android product management and developer relations Stephanie Saad Cuthbertson told me. “This is something developers really fret.”

Say you shipped your application with a major bug (it happens…) and want to make sure that every user upgrades immediately; you will soon be able to show them a full-screen blocking message that will be displayed when they first start the app again and while the update is applied. That’s obviously only meant for major bugs. The second option allows for more flexibility and allows the user to continue using the app while the update is downloaded. Developers can fully customize these update flows.

Right now, the new updates API is in early testing with a few partners and the plan is to open it to more developers soon.

As Cuthbertson stressed, the team’s focus in recent years has been on giving developers what they want. The poster child for that, she noted, is the Kotlin language. “It wasn’t a Google-designed language and maybe not the obvious choice — but it really was the best choice,” she told me. “When you look at the past several years, you can really see an investment that started with the IDE. It’s actually only five years old and since then, we’ve been building it out, completely based on developer feedback.”

Today, the company announced that 46 percent of professional developers now use Kotlin and more than 118,000 new Kotlin projects were started in Android Studio in the last month alone (and that’s just from users who opt in to share metrics with Google), so that investment is definitely paying off.

One thing developers have lately been complaining about, though, is that build times in Android Studio have slowed down. “What we saw internally was that build times are getting faster, but what we heard from developers externally is that they are getting slower,” Cuthbertson said. “So we started benchmarking, both internally in controlled circumstances, but also for anybody who opted in, we started benchmarking the whole ecosystem.” What the team found was that Gradle, the core of the Android Studio build system, is getting a lot faster, but the system and platform you build on also has a major impact. Cuthbertson noted that the Spectre and Meltdown fixes had a major impact on Windows and Linux users, for example, as do custom plugins. So going forward, the team is building new profiling and analysis tools to allow developers to get more insights into their build times and Google will build more of its own plugins to accelerate performance.

Most of this isn’t in the current Android Studio 3.3 beta yet (and beta 3 of version 3.3 is launching today, too), but one thing Android Studio users will likely be happy to hear is that Chrome OS will get official support for the IDE early next year, using Chrome OS’s new ability to run Linux applications.

Other updates the company announced today are new Jetpack Architecture Component libraries for Navigation and Work Manager, making it easier for developers to add Android’s navigation principles into their apps and perform background tasks without having to write a lot of boilerplate code. Android App Bundles, which allow developers to modularize their applications and ship parts of them on demand, are also getting some updates, as are Instant Apps, which users can run without installing them. Using web URLs for Instant Apps is now optional and building them in Android Studio has become easier.


Force Https on android for all connections

My ISP has started doing something weird. All websites like Google, YouTube and this forum would try to load the http version and fail; on refreshing, the https page will open properly. I already had the HTTPS Everywhere extension installed in my browser, so I changed the extension's settings to block any non-https request, and suddenly all websites started working properly.

As most websites now support https, blocking non-https sites is not a major problem, and for such websites I can use another browser.

Is there any app or any fix that can work like the HTTPS Everywhere extension for all connections from an Android mobile?

Reactions: pothi

Sushubh

Admin

pothi

Reactions: Smh

Sushubh

Admin

this shit started just last week

I don’t think the LCO even knows how to do this; maybe some new customer is doing this (easy with publicly available tools, but usually this breaks the internet) or my ISP started some over-optimization to intercept traffic and serve content from cache.

Now my problem is how to explain this to the LCO, because the internet is working (works on refreshing the page) and speedtest shows full speed.

Not many alternatives available.

My ISP uses transparent DNS, so the only way to use custom DNS is using DNSCrypt. Testing Cloudflare DNS 1.1.1.1.

Sushubh

Admin

I think my problem is because of the over-optimization my ISP is trying to do, which messes up https as they try to intercept the connection and serve content from cache.

DNSCrypt will help in preventing MITM attacks.

BSNL has some malware problem, right?

Sushubh

Admin

yeah. they randomly redirect visits to http domains. it is a mess based on the active thread.

i remember one of the first isps i had. bandwidth was expensive. and even though i had just 1GB of data allocated (on 64kbps connection iirc?). he had put in very aggressive caching backend. i was doing web development for an online company at the time. and none of the changes i was making on the web pages appeared because the freak kept on serving pages from the cache. had to dump it because of this issue. there was no https back then for regular websites. and the only other hack was to rename the file, verify the change and renaming it back.


How To: Lock Down Bluetooth, Force HTTPS & Adjust Other Options to Secure Your Android Device

Android has several features built into the platform that improve user experience but require extra attention to prevent a security breach. By modifying these settings, you can drastically reduce the possibility of someone exploiting your device or intercepting information.

Based on surveys conducted by the Pew Research Center in November 2016, an impressive 77% of US adults own smartphones. Beyond the States, it’s assumed that somewhere close to two billion people use these devices across the world, and about 88% of them are Android-based.

Not all of these Android users are aware of certain features on their smartphone that are commonly exploited by malicious persons for financial gain or to scrape sensitive information. With an ever-growing pool of people constantly connected to the internet, the number of potential unscrupulous persons increases—and you don’t want to be one of the suckers they take advantage of, do you?

Basic Security Principles for All Technology

Before we look at ways to secure an Android, a few other points must be considered to ensure the most secure setup. Not only is securing your phone a critical operation, ensuring that the accounts you use follow a solid security protocol is important as well.

1. Don’t Leave Your Devices Unattended

It should go without saying, but whenever you are in public, a shiny piece of technology sitting unattended is asking for trouble. Admittedly, I’m personally guilty of this since most of my work is done outside my home, so there are times I step outside to take a call and leave my computer unattended. However, I make sure to lock my computer and ensure that any handheld devices are always either tucked away out of sight, or within arm’s reach.

2. Use Unique, Strong Passwords

Sure, it’s much easier to use the same password for everything, but this kind of laziness makes it quite simple for someone to access all your accounts by knowing a single password. Generate unique passwords for every account you create by using a combination of uppercase and lowercase letters, numbers, and symbols (if allowed). If you’ve ever wondered about the strength of your password, there are sites that let you check it.

3. Update Your Software

Software is regularly updated for a variety of reasons, including the addition of new features, bug fixes, and most importantly, security patches. Think of your devices like a pirate ship: as time progresses, the vessel ages and wears. Holes develop which need to be plugged, or it will take on water and sink if not addressed.

Sometimes, we tend to hold off on installing major updates, as it is common to hear horror stories of OS overhauls causing major issues. This holds true for apps as well, but such issues tend to be resolved much quicker. Also, some Android devices inherently feature the ability to uninstall updates in the app manager found in your settings, and it’s possible to backtrack with other methods such as using Pyler’s AppDowngrader, though the device needs to be rooted.

Enhance Security on Your Android with These 6 Tips

Now that the basic principles of security are out of the way, let’s get into the lesser known tips.

Tip 1: Use the Screen Lock & Modify Settings

Using a secure lock screen (pattern, PIN, or password) prevents nearby people from snooping through your phone. It also prevents interfacing with a computer, as this device needs to be unlocked in order for a PC or Mac to read its contents.

Generally, this feature is found under the Security link within Settings. As seen below, I have a pattern set up, as this method (or a PIN) is the most secure way to lock a device, since other locking methods, such as facial recognition, can be spoofed. Further, setting the Lock phone after (or Automatically lock) option to “Immediately” virtually removes the possibility of anyone looking through a device after the screen is turned off. Another good practice is to keep your phone hidden while drawing your pattern or typing in a PIN.

Starting with Android 5.0 Lollipop, there’s a new feature called Smart Lock that allows the device to remain unlocked when certain conditions are met, as seen in the following pictures. Use caution if you have this setting enabled, and consider your environment when adding “Trusted places.” Ideally, avoid using the “Trusted devices” setting altogether, as this will keep your phone unlocked at all times while it’s connected to a Bluetooth accessory.

Tip 2: Encrypt the Device

Encryption is a highly useful tool for protecting your information in the event a device is ever stolen. Though a screen lock is useful for preventing unwanted access, most devices offer a built-in utility to apply AES 128-bit encryption that prevents all but the most skilled individuals from accessing files on the phone.

Virtually every Android offers this option, which is labeled “Encrypt device,” and can be found under the Security link within Settings. The only problem with encryption is it marginally slows down read and write speeds, but it shouldn’t have a noticeable effect on performance.

Tip 3: Use Android Device Manager

Ever plug your phone in when you’re away from home, leave in a hurry, then find yourself in a panic? It’s stressful, but as long as the device is powered on, location services are enabled, and you’re logged into Google, the phone can be located.

By using Android Device Manager, you can pull up the phone’s location, which is highly useful when you can’t remember where the device was left. Further, if it appears in a strange location (possibly indicating it was stolen) you can remotely wipe the data on the phone.

Tip 4: Lock Down Bluetooth

As convenient as Bluetooth may be for connecting to devices such as stereo systems, headsets, and other peripherals, it’s a two-way street that opens a door for nearby attacks known as Bluejacking or Bluesnarfing. Essentially, whenever Bluetooth is activated, there’s always some degree of risk, so the safest option is to turn off this feature when not in use (this helps save some battery life as well).

Early incarnations of Bluetooth were incredibly insecure, but current versions implement encryption based on the SAFER+ algorithm. Even though the connection is encrypted, paying attention to your devices while in use can help prevent unauthorized connections in cases where you could inadvertently enter a passkey should an unknown device attempt to connect.

We recommend removing paired accessories after use, as this is the easiest way for someone to gain access without a brute-force attack. In some cases, changing an accessory’s name to something currently paired to one of your devices is all it takes to gain access.

Tip 5: Force HTTPS for Sites You Regularly Visit

More than likely, you use Google Chrome on your Android, although many other options exist. With Chrome, you can add domains to a browser setting so that you will always connect to them using HTTPS.

Open up Chrome and type chrome://net-internals/ into the address bar, then navigate to the HSTS link. Add the URL for your favorite sites in the Domain field, then tap the “Add” button when finished. This will ensure sites will connect using an SSL certificate, which is considerably more secure. The catch is, sites without an SSL certificate will not open, so it would be best to avoid adding sites where you don’t log in.
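What an HSTS entry does once it is in the browser's list, as an added example (not Chrome's code and not part of the original article): a small HSTS store modelled on RFC 6797. It goes beyond the manual entry described above by also learning policies from the `Strict-Transport-Security` response header; the class and method names are assumptions made for illustration.

```javascript
// Added example: a minimal HSTS store modelled on RFC 6797 (names are hypothetical).
class HstsStore {
  constructor() { this.entries = new Map(); } // host -> { expires, includeSubDomains }

  // Parse a Strict-Transport-Security header value; returns null if invalid.
  static parseHeader(value) {
    const seen = new Map();
    for (const part of value.split(';')) {
      const [rawName, ...rest] = part.trim().split('=');
      const name = rawName.trim().toLowerCase();
      if (!name) continue;                       // tolerate empty directives (";;")
      if (seen.has(name)) return null;           // a repeated directive voids the header
      seen.set(name, rest.join('=').trim().replace(/^"(.*)"$/, '$1'));
    }
    if (!/^\d+$/.test(seen.get('max-age') ?? '')) return null; // max-age is required
    return { maxAge: Number(seen.get('max-age')), includeSubDomains: seen.has('includesubdomains') };
  }

  // Manual entry, like filling in the Domain field on the net-internals HSTS page.
  add(host, maxAge, includeSubDomains = false, now = Date.now()) {
    this.entries.set(host.toLowerCase(), { expires: now + maxAge * 1000, includeSubDomains });
  }

  // Learn a policy from a response. Headers seen over plain HTTP are ignored,
  // because anyone on the network path could have injected or altered them.
  noteResponse(url, headerValue, now = Date.now()) {
    const { protocol, hostname } = new URL(url);
    if (protocol !== 'https:' || /^[\d.]+$/.test(hostname) || hostname.includes(':')) return false;
    const policy = HstsStore.parseHeader(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) { this.entries.delete(hostname); return true; } // site opts out
    this.add(hostname, policy.maxAge, policy.includeSubDomains, now);
    return true;
  }

  // Exact match, or a parent domain whose entry set includeSubDomains.
  isKnownHost(hostname, now = Date.now()) {
    const labels = hostname.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  // Rewrite http:// to https:// before any request leaves the device.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isKnownHost(u.hostname, now)) return u.href;
    u.protocol = 'https:';
    return u.href;
  }
}
```

A host with no entry still makes its first request over plain HTTP, which is the request an intercepting network can tamper with; adding the domain by hand closes that gap for the sites you list.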

Tip 6: Use a VPN When Possible

A virtual private network, or VPN, works by filtering your internet traffic through a secure, usually encrypted server. If you use your phone for work in a situation where you connect to a company server, you may already have something similar implemented, as business systems generally sit behind a firewall. Most devices have a built-in, generic VPN client, but some setups, such as networks behind a Cisco ASA, require proprietary software to properly interface.

Aside from business purposes, it’s a good idea to use a VPN for everyday use, especially if you use open Wi-Fi access points in a public place. There are plenty of VPN applications available on Google Play, but most require a monthly payment. Two good, (mostly) free options include FlashVPN, which is free but ad-based, and TunnelBear VPN, which doesn’t charge for the first 500 MB each month, but will charge for unlimited use.

Other measures are available for boosting the security level of an Android device, but if you followed the tips above, you’re likely in pretty good shape. Then again, extra security never hurts, so make sure to check out the article linked below for more ways to stay secure.
