Back in 2009 I briefly talked about the obvious revolution in computing that was rolling in, in the form of the mobile phone as computer, and also mentioned that touch-based interfaces were going to dominate the marketplace because of it.
Move forward a couple of years, and last week I got my first tablet, running Android (a Samsung Galaxy Tab 10.1, if you’re curious). I didn’t know exactly why I needed one, but being in the tech industry I always have the convenient excuse of buying things early on to learn about the experience of using them. Last night, I could clearly see this can be a real claim in some cases (in others it’s just an excuse for the wife).
In the last post, we saw some security issues that exist in the Android password manager gbaSafe version 1.1.0a, by analyzing the security description provided on its web site. As described there, even though the system depends on a “master key” which might be secure, the security of the system is seriously compromised by the encouragement of very weak keys (a few digits only) in what is named an “unlock key”, which is used to encrypt the master key itself. All of that in an application which claims to strongly protect people’s data from unwanted eyes.
In this post, we will play a bit with the Linux-based Android OS to actually explore these security deficiencies, demonstrating that such issues are very real, and that the claim that the data is hard to unveil is unfounded. Since the most serious weakness lies in the key itself, we’ll run a simple brute force attack to try to find arbitrary unlock keys.
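To make the point about the unlock key concrete, here is an added estimator (my own code, not the original post’s and not gbaSafe’s) modelling the design described above: a strong master key wrapped under a key derived from a short unlock key. It assumes PBKDF2-HMAC-SHA256 as the derivation, which is an assumption standing in for whatever the application really uses, and shows that the wrapped scheme is only as strong as the unlock key policy.

```python
import hashlib
import math
import os
import time

# Constructed model of the design discussed above: a strong master key is
# wrapped under a key derived from a short "unlock key". Anyone who can test
# unlock-key guesses never needs to touch the master key's own keyspace, so
# the composed scheme is only as strong as the weaker of the two.

def keyspace(alphabet_size: int, max_length: int, min_length: int = 1) -> int:
    """Number of distinct unlock keys a policy allows (all lengths in range)."""
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))

def effective_bits(master_bits: float, alphabet_size: int, max_length: int) -> float:
    """Strength in bits of the wrapped scheme: min(master key, unlock key)."""
    return min(master_bits, math.log2(keyspace(alphabet_size, max_length)))

def seconds_per_derivation(iterations: int, samples: int = 5) -> float:
    """Measure one PBKDF2-HMAC-SHA256 derivation on this machine.

    PBKDF2 is an assumption standing in for whatever the real app uses; each
    unlock-key guess costs one derivation, so this is the cost per guess.
    """
    salt = os.urandom(16)  # constructed; any fixed salt gives the same timing
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", str(i).encode(), salt, iterations, 32)
    return (time.perf_counter() - start) / samples

def seconds_to_exhaust(alphabet_size: int, max_length: int, per_guess: float) -> float:
    """Worst-case time to try every unlock key the policy allows."""
    return keyspace(alphabet_size, max_length) * per_guess

def compare_policies(iterations: int = 1000) -> dict:
    """Weak policy (a few digits) beside a hardened one (mixed-case alphanumeric)."""
    per_guess = seconds_per_derivation(iterations)
    return {
        "up to 4 digits": seconds_to_exhaust(10, 4, per_guess),
        "12 mixed-case alphanumerics": seconds_to_exhaust(62, 12, per_guess),
    }

if __name__ == "__main__":
    for policy, secs in compare_policies().items():
        print(f"{policy:28s} exhausts in about {secs:.3g} s")
```

The iteration count only scales both figures by the same factor; it cannot rescue a policy whose whole keyspace is a few thousand keys.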
For some time now I’ve been wanting to research more deeply into the internals of Android. Until now, though, this was just a sentiment. Then, a couple of weeks ago, I finally managed to replace my iPhone with an Android phone, and that was the final motivator for me to actually get into learning more about the inner workings of the Linux-based OS.
Now, I just had to pick an actual task to dig into. The Dalvik VM is certainly one of the most innovative and advertised technical details of the OS, so something around it would be a nice start: some kind of bytecode fiddling perhaps, but what? Luckily, even without trying too hard, I eventually stumbled upon an interesting case to research.
The “victim” of this research is the application gbaSafe version 1.1.0a, which claims to protect user passwords using unbreakable algorithms (how’s that for a hint of a snake oil case?).
The constraint module presented in PyCon Brasil and later on EuroPython 2005 is now available. Here is a trivial example, solving the classical rooks problem:
from constraint import Problem

problem = Problem()
numpieces = 8
cols = range(numpieces)
rows = range(numpieces)
# One variable per column; its value is the row holding that column's rook.
problem.addVariables(cols, rows)
for col1 in cols:
    for col2 in cols:
        if col1 < col2:
            # No two rooks may share a row.
            problem.addConstraint(lambda row1, row2: row1 != row2,
                                  (col1, col2))
solutions = problem.getSolutions()
Update: It was also presented in FISL 2006.
The University of Massachusetts has a very nice Problem of the Week service where they post a new math-related problem every Monday. At that time they also report the percentage of people who correctly answered the previous question. To submit an answer, check the rules page. They’re usually very quick at answering whether a given solution is correct or not.
This week’s problem is not especially challenging, though. The problem is named Turn the page, and consists of the following question:
A novel has 527 pages (pages 1 – 527). How many digits will it take to number all 527 pages from 1 to 527?
How many people wouldn’t know how to solve that? Solving it with eyes closed is kind of fun, but with help from a calculator or from any programming language it’s trivial. In Python, this single line does the job:
sum([len(str(i)) for i in range(1,527+1)])
Let’s hope for a more interesting problem next week. There are some good problems from previous weeks available as well.
Petals Around the Rose is an interesting brain teaser. Here is a copy of the game description:
The name of the game is Petals Around the Rose. The name of the game is important. The computer will roll five dice and ask you to guess the score for the roll. The score will always be zero or an even number. Your mission is to work out how the computer calculates the score and become a Potentate of the Rose.
Simple and challenging.