
Android Blogs

7 Posts authored by: Daniel Quagliana Expert

KRACK (Key Reinstallation Attacks) is a security vulnerability that targets a key step in the Wi-Fi authentication protocol to break security encryption. These vulnerabilities could enable a proximate attacker (within Wi-Fi range of both the client device and the access point) to access and tamper with Wi-Fi packets over connections that are protected by WPA/WPA2 encryption.

Zebra takes security seriously and recommends that customers update to the latest BSP and accept monthly patches to minimize security risk.

KRACK may affect computers, mobile phones, and other IoT devices running both Android and Windows operating systems. If your device supports Wi-Fi, it is most likely affected.

Please check the KRACK Attack Security Vulnerability Update for availability of patches for specific Zebra devices.

The Link-OS printer operating system builds that address the Key Reinstallation Attack are now available on the Zebra.com Support and Downloads site.

View more information on the Zebra LifeGuard™ for Android™ Program or download updates.

BlueBorne, Heartbleed, Stagefright. The list goes on. Android gets a lot of negative publicity around security vulnerabilities. And Android is a large target with nearly 85% of the worldwide smartphone OS market share according to IDC, May 2017.

 

IBM’s 2017 Ponemon Cost of Data Breach Study revealed the average cost of a data breach is $3.62 Million, and companies are having larger breaches than in the past, averaging more than 24,000 records.

 

Corporations have a lot on the line with any device used as part of their business operations. So is Android really an Enterprise Ready Operating System?

 

The reality is that many of the headline-grabbing vulnerabilities are identified through Android-sponsored bounty programs with no actual exploitation in the real world.

 

Source: Google Safety Net Data; Masterkey data collected from 11/15/2012 to 8/15/2013 and previously published at VirusBulletin 2013. Fake ID data collected from 11/15/2012 to 12/11/2014 and previously published at the RSA Conference 2015. Stagefright data current through May 2016.

 

Android has responded to the security challenges by making significant changes, starting particularly in Lollipop, to make a very secure operating system. Features like sandboxes and permissions, TrustZone Services, and Isolated Processes provide more Application Isolation. There is more comprehensive Device Management via administrative APIs and profiles. The OS now checks Device Integrity via Full Disk Encryption, which is mandatory for Android devices running M and newer and is applied at the factory for the first boot. Verified Boot ensures the OS image is not corrupted, protecting against malicious or accidental OS changes.

 

Apps are still one of the areas that carry the most risk because they open access to a device, so Android created SafetyNet Verify Apps, which scans for Potentially Harmful Applications (PHAs) in the Play Store, on the device, and in third-party app stores. Through this program over 1.4 billion devices are protected, with 790 million device scans per day and 6 billion apps checked per day. The result is that in 2016 less than 0.05% of devices that use the Play Store had a Potentially Harmful App (PHA).

Source: Android Security 2016 Year In Review, March 2017

 

Google even proactively notifies developers of vulnerabilities resulting in over 275,000 apps improved in 2016.

As mentioned above, to improve Application Security Google has the Android Security Rewards Program with hundreds of active researchers who have been paid over $1 million in the last 12 months.

 

Google has also built the Managed Play Store, aka Enterprise Play Store. Administrators can configure Play Store on devices with only authorized applications from public or private Play Store or even local hosting.

 

Google regularly provides security updates to close the vulnerabilities in the Android Operating System, but attackers quickly exploit new vulnerabilities. As a trusted partner, Zebra gets early access to security patches and can prepare patches, often before the vulnerabilities are made public. Google has moved to a 30-day security patch cycle, and we are following this approach as well.

 

According to Google, 15% of devices are still running KitKat and 29% are on Lollipop. How does a 2-3-year consumer product life-cycle line up with an Enterprise life-cycle of 5 years? How can a business know its devices will continue to receive updates?

 

This is where the Zebra LifeGuard™ for Android™ program comes in. LifeGuard provides extended security support, predictable periodic security updates, and legacy OS security support when transitioning to a newer OS. Frequent updates will enhance your security, and LifeGuard makes them easy to install at your discretion, either locally or remotely via Enterprise Mobility Management (EMM).

 

There is no such thing as a completely secure solution, but Zebra and Android are working together to reduce the risks Enterprises must face. Three key areas of focus include:

  • Prevention: If harmful applications cannot execute, they can do no harm. Control access to settings and whitelist/blacklist for the minimum required application set.
  • Detection: Zebra provides detection features to detect whether a vulnerability has occurred and to take corrective action.
  • Security Updates: Zebra works closely with Google to keep up with new security vulnerabilities in a timely manner. Plan to deploy regular security updates.

 

For more details on Zebra Security visit the LifeGuard™ for Android™ page, the Zebra Developer Portal, or watch a session from Zebra APPFORUM on Android Security.

 

Android provides a host of resources at the Android Security Center and in the Android Security 2016 Year in Review white paper.

One of the most common requests from developers is how to get started with Android development for Zebra devices. This post is designed to point people in the right direction.

 

Google has created several great resources for those that are brand new to Android development:

 

Zebra has similarly made a resource library to teach Android developers how to build apps for Zebra mobile computers.

BlueBorne is an attack vector that exploits Bluetooth connections to target and control devices.

Zebra takes security seriously and recommends that customers update to the latest BSP and accept monthly patches to minimize security risk.

BlueBorne may affect computers, mobile phones, and other IoT devices running both Android and Windows operating systems. (WinCE and Windows Embedded Hand Held devices are not affected.)

Patches for BlueBorne are available today. Please check the bulletin and the Zebra.com site for specific device availability.

In response to the September Android Security Bulletin, Zebra has addressed security vulnerabilities affecting eleven Zebra Android devices running Kit Kat (K), Lollipop (L), and Marshmallow (M) through patches as part of the Zebra LifeGuard™ for Android™ program.

 

According to the Android Security Bulletin:

The most severe of these issues is a critical severity vulnerability in media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Impacted devices include ET50 L, ET55 L, MC18L, MC32 L, TC51 M, TC56 M, TC70 KK and L, TC70x M, TC75 KK and L, TC75x M, TC8000 KK.

 

Device updates are an important way to keep your Android devices secure and running at their full potential. All customers are encouraged to accept these updates to their devices.

 

Read more about the issues addressed or download the updates at Zebra.com.

In response to the August Android Security Bulletin, Zebra has addressed security vulnerabilities affecting eleven Zebra Android devices running Kit Kat, Lollipop, and Marshmallow through patches as part of the Zebra LifeGuard™ for Android™ program.

 

The highest severity update is a critical security vulnerability in media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Impacted devices include ET50 L, ET55 L, MC67 KK, MC92 KK, TC51 M, TC56 M, TC70 L, TC70x M, TC75 L, TC75x M, TC8000 L.

 

Read more about the issues addressed or download the updates at Zebra.com.

After the recent Xamarin acquisition, Microsoft has announced that Xamarin Studio is no longer supported on Windows. Microsoft now supports only Visual Studio for Xamarin development on Windows. In the next Zebra EMDK for Xamarin release [v2.2], Zebra will discontinue support for Xamarin Studio for Windows. However, Zebra will continue to support Xamarin Studio on Mac.

 

1. Why is Zebra ending support for Xamarin Studio on Windows?

     Since Microsoft has ended support for Xamarin Studio on Windows, Zebra is also ending support for all versions of Xamarin Studio on Windows.

 

2. Then what are my options for developing Xamarin apps on Windows?

     Visual Studio (2015 or higher), as this is the only IDE Microsoft and Xamarin are supporting for Windows.

 

3. I use Xamarin Studio on Mac. Is there any change to Zebra’s support?

     No.  You can continue to use Xamarin Studio on Mac for application development.

 

4. Will Zebra continue to support Xamarin Studio on Windows for the previous versions of the EMDK?

     No.  Zebra has ended support for all EMDK versions for all Xamarin Studio versions on Windows.
