Encryption Stories August 30, 2018

Google releases Tink, a simple, cross-platform cryptography library

As (increasingly frequent) data leaks have proven, encryption is hard, and good encryption can be even harder. Today, Google has announced the first major release of Tink, an open-source, cross-platform library designed to make secure encryption easier for developers to use correctly.

Encryption Stories June 6, 2018

Project Capillary makes end-to-end push notification encryption easy on Android

In a progressive move, Google has released a new open-source privacy library to allow developers to encrypt Android push notifications.

Encryption Stories March 24, 2016

Gmail introduced a feature last month that warns users before sending and receiving emails from insecure addresses. Today, it’s announcing a bevy of new features and standards that improve email security.

Encryption Stories March 17, 2016

Proton Mail

ProtonMail has announced the official launch of their mobile apps for iOS and Android today. ProtonMail brings seamless PGP end-to-end encryption to emailing, making it significantly more secure for those looking for an extra layer of privacy.

Encryption Stories February 18, 2016

Following Google CEO Sundar Pichai’s vague series of tweets yesterday, Hiroshi Lockheimer, senior vice president of Android, Chrome OS and Chromecast, has come out and offered his own opinion on Apple’s battle with the government on national security versus user privacy. Earlier this week, a U.S. judge ruled that Apple must help the FBI obtain data from a passcode-locked iPhone 5c used by one of the gunmen in the fatal San Bernardino shooting. Apple CEO Tim Cook then responded by posting an open letter on Apple’s homepage saying that Apple would not comply with the court’s request.

Although Lockheimer’s responses are just as vague as Pichai’s, he does seem to agree with Cook and Apple…

Encryption Stories February 17, 2016

It has been a wild 24 hours when it comes to smartphone encryption and user privacy versus national security. Last night, a U.S. judge ruled that Apple must help the FBI obtain data from a passcode-locked iPhone 5c used by one of the gunmen in the fatal San Bernardino shooting. Just hours later, Apple CEO Tim Cook responded by posting an open letter on Apple’s homepage saying that Apple would not comply with the court’s request. Now, Google CEO Sundar Pichai has chimed in on the matter, saying that he agrees with Cook.

Encryption Stories February 9, 2016

Inbox by Gmail

Google and the rest of the tech industry take security very seriously. As part of this year’s Safer Internet Day, Google is offering users 2GB of Drive storage if they perform a security check on their account. In another security minded update, Gmail will now flag emails sent to and received from non-encrypted sources.

Encryption Stories January 20, 2016

CyanogenMod officially ends WhisperPush support, recommends downloading Signal app instead

The CyanogenMod team has announced via an official blog post that it is ending support for WhisperPush, and that its services will be officially end of life from February 1st. WhisperPush, for those unaware, is an encryption service which keeps messages secure and private.

We’ve ultimately made the decision that we will no longer be supporting WhisperPush functionality directly within CyanogenMod. Further, WhisperPush services will be end-of-lifed beginning Feb 1st 2016. As this is a server side implementation, all branches of CM from CM10.2 and forward will be affected.

There are seemingly several reasons for CyanogenMod’s decision to end integrated WhisperPush support. The team says it saw many ‘hiccups’, and had a number of longstanding registration problems as well as issues in various countries with WhisperPush. Also, with the arrival of Snowden-endorsed Signal — an app which offers practically the same services — the necessity to continue the difficult development and upkeep of WhisperPush was significantly reduced.

We transitioned the work to CM13, instead opting to implement directly within our Messaging application. However, with the rapid adoption of the official Signal application, our implementation into Messaging would have been a seemingly unnecessary fork. Analyzing the costs of SMS verification (many thanks to Twilio for their support on this), usage traffic, server costs and registration numbers, forking would serve no larger long-term user benefit.

If you have a number registered with WhisperPush you should unregister by heading to Settings>Privacy>WhisperPush on your device running any version of CyanogenMod from CM10.2 to CM12.1. Once February 1st rolls around, all numbers will be unregistered by CyanogenMod.

Those who have used, or use, the service regularly are urged by the CM team to download the aforementioned Signal app. It comes from Open Whisper Systems (who helped create WhisperPush) and offers encrypted text messages and voice calls. What’s more, it’s cross platform and there’s a desktop beta version.

Encryption Stories October 20, 2015

PSA: Beware 1Password web features can leak your browsing history, may show up in Google search

AgileBits has promised to beef up the security of 1Password after a Microsoft software engineer discovered that details of which websites you visit are unencrypted and indexed by Google if you use the 1PasswordAnywhere feature. Dale Myers said that he discovered this by chance after a sync problem led him to investigate the files used to store the metadata.

It turns out that your metadata isn’t encrypted [allowing someone to] go through and find out exactly what shady sites I have accounts on, what software I have licences for, the bank card and accounts I hold, the titles of any secure notes I have, and anything else I’ve decided to store in there.

While passwords remain secure, privacy is placed at risk and the data obtained could, says Myers, be used in a phishing attempt.

Thanks to people having links for easy access to their keychain on their websites, Google has indexed some of these. A simple search brings up results. By looking at one of these it was a simple matter to identify the owner of the keychain and where he lived. I know what his job is. I even know the names of his wife and children. If I was malicious, it would be easy to convince someone that I had compromised their account and had access to all of their credentials.

AgileBits said that the decision not to encrypt metadata was taken back in 2008, when decryption on mobile devices involved significant performance and battery-drain issues, and that it introduced a secure file format in 2012, but that it didn’t want to break compatibility with older versions by making that format the default.

The company said that work on making the secure file format the default was already in hand.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users.

For those who don’t want to wait, the company has posted instructions for manually migrating to the new format.

The 1Password Android app was updated in August with a freemium pricing model and the ability to create vaults on mobile. If you’re not yet using a password manager, check out our how-to guide over on 9to5Mac.

Via Engadget

Encryption Stories July 24, 2015

Dmail is a Chrome extension which allows you to un-send, or revoke any emails you send through your Gmail account. The service was launched by the same brainiacs that brought us the Delicious social bookmarking tool.

Self-destructing email isn’t exactly a new thing. Google itself rolled out a feature that lets you un-send a message once you’ve sent it. The only issue with Google’s built-in service however, is that you only have 30 seconds to change your mind about sending an email to someone. Dmail lets you revoke emails whenever you like. I took it for a quick spin to see what it’s like, and I have to say, it’s an incredibly convenient way to make all your outgoing communication more secure. It also happens to be ridiculously easy to use.

Encryption Stories May 29, 2015

Project Vault is a super secure, isolated computing environment from Google

One major barrier to adoption of new hardware and software solutions in the workplace is a top-down requirement that all communications are encrypted, secured from the prying eyes of today’s brazen hackers. It’s the reason why there are still thousands of businesses out there shockingly still issuing BlackBerry phones. With more and more consumers and companies alike clamoring for a bring-your-own-device future, how can employees ensure their devices are as secure as chief information officers would like? Google has an idea.

Project Vault, shown off today at Google’s I/O conference, is a microSD card with a full operating system, ARM-based processor, NFC chip, and antenna packed inside of it. Oh, and 4GB of storage. While that’s pretty incredible in and of itself, what really makes this microSD card special is that the OS it runs is known as a Real Time Operating System (RTOS), and is packed with a suite of cryptographic solutions for keeping data secure and for keeping messaging with others using Project Vault microSD cards encrypted. An RTOS differs from the operating systems most of us are used to (e.g. Unix), which can’t run every process we throw at them simultaneously but instead switch between tasks rapidly, ensuring at the very least that the computer stays responsive to its user (i.e. doesn’t freeze). Real-time operating systems have stricter deadlines for completing the tasks that are thrown at them.

The main function of Project Vault will be super-secure messaging so hackers, or the NSA, cannot snoop (which also explains why Vault uses an RTOS – all resources are dedicated to encrypting and sending/receiving messages quickly). The encryption only works when both the sender and the receiver are using Project Vault SD cards, but it’ll work on any device with a microSD slot, so laptops, smartphones, tablets, etc. are supported. Google says the microSD card can also be used to encrypt video and as an alternative to passwords (where the card could generate cryptographic key pairs and store them securely). The company has an SDK up on GitHub for it that developers can use to build applications for the new project. Maybe the next Snowden will send confidential documents to journalists using his smartphone?

Encryption Stories May 19, 2015

Google among those asking Obama to reject calls for government access to encrypted data

Google and Apple have co-signed a letter calling on President Obama to reject any government proposal to allow the government backdoor access to encrypted data on smartphones and other devices. The Washington Post says the letter, due to be delivered today, is signed by more than 140 tech companies, prominent technologists and civil society groups.

The signatories urge Obama to follow the group’s unanimous recommendation that the government should “fully support and not undermine efforts to create encryption standards” and not “in any way subvert, undermine, weaken or make vulnerable” commercial software.

The FBI has been pushing increasingly hard to require tech companies to build in backdoor access to their encryption systems to allow access by law enforcement, even going so far as to say that Apple could be responsible for the death of a child. A NY District Attorney has also cited public safety as justification for demanding access to encrypted data.

The letter calling on Obama to reject this argument is also signed by five members of a presidential review group appointed by Obama in 2013 to assess technology policies in the wake of leaks by former intelligence contractor Edward Snowden.

Many in the tech industry have pointed out that, aside from the obvious concerns over government intrusion into the private lives of its citizens, any backdoor used by the government could potentially be discovered and exploited by hackers and foreign governments.

Encryption Stories May 12, 2015

Following a Reddit AMA on government surveillance, Google has admitted that while it does encrypt Hangouts conversations, it does not use end-to-end encryption, meaning the company itself can tap into those sessions when it receives a government court order requiring it to do so. This contrasts with the end-to-end encryption used by some services, like Apple’s FaceTime, which cannot be tapped even by the company offering the service.

Motherboard noted that Google has always been vague about the level of encryption offered for Google Hangouts, and that when pressed by principal technologist at the American Civil Liberties Union Christopher Soghoian, the company would say only that messages were encrypted “in transit” …

Encryption Stories March 2, 2015

Back when Android 5.0 was announced, Google revealed that it would require all devices running the upgraded OS to use full-disk encryption by default to protect users. However, it seems that Google has now reversed course on that decision and allowed several Lollipop devices to ignore this requirement.

As noted by Ars Technica, several Android devices—both new and old—that run the Lollipop software have decided to forgo encryption for some reason. This includes previously released devices that were upgraded to the new software such as the Moto G, and new devices that ship with Lollipop, like the more recent Moto E.

Encryption Stories January 12, 2015

For several months we’ve followed the U.S. government’s attempts to work around encryption in chat apps, even taking the hyperbole to an illogical extreme at one point, but we haven’t yet seen similar threats from other nations… or at least, we hadn’t until today.

British prime minister David Cameron said today that unless the government is given backdoor access to encrypted messaging services, he’s just going to outlaw them:

Encryption Stories January 7, 2015

Bloomberg reports that a Manhattan District Attorney is challenging recent moves by Apple, Google and other tech companies by suggesting government pass laws that prevent mobile devices from being “sealed off from law enforcement.” In an interview this week, the government official called it “an issue of public safety.”

Encryption Stories November 18, 2014

WhatsApp

The Wall Street Journal reports that WhatsApp has been updated with end-to-end encryption for messages sent and received between Android smartphones and tablets. The cross-platform messaging service claims it will be unable to help decrypt messages for law enforcement, a noteworthy move given increasing concerns about government surveillance and tracking over the past few years.

Encryption Stories September 18, 2014

Google said today that the upcoming Android L release would enable data encryption by default when users set up a new device. Previous versions of Android included the security measure as an option, but many users did not choose to activate it. Now the feature will automatically be turned on, meaning no data on the phone will be accessible without the owner’s password.

Essentially this will prevent anyone—including police—from reading stored text messages, viewing photos from the phone’s library, or checking the call history (among other things) even if allowed to do so by a court order. Apple rolled out a similar feature to its iPhone users with an update yesterday.

As reported by the Washington Post:

Encryption Stories July 9, 2014

If you’ve been frustrated by the fact that you can’t install paid apps on your Android Wear devices, your frustration should soon be at an end. Google has just notified developers of a workaround to the problem, which was caused by a bug in the anti-piracy measures employed with paid apps …

Encryption Stories June 3, 2014

Google wants you to know exactly how much email you send and receive is encrypted during transit, so today it launched a new section in its Transparency Report that does exactly that:

When you mail a letter to your friend, you hope she’ll be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That’s why we send important messages in sealed envelopes, rather than on postcards… Email works in a similar way. Emails that are encrypted as they’re routed from sender to receiver are like sealed envelopes, and less vulnerable to snooping—whether by bad actors or through government surveillance—than postcards.

Google notes that Gmail has always used encryption in transit using Transport Layer Security (TLS), but that doesn’t do much if the email client on the other end isn’t doing the same. Around 40 to 50 percent of emails between Gmail and others aren’t encrypted, according to Google, and it provided the following chart of what services are using encryption:

Encryption Stories April 25, 2014

Google’s recent partnership to make the internet a safer place to play hasn’t stopped the company from working on its own products. The software giant recently opened up about a set of security enhancements to Chrome that make its famed browser safer and faster. Google anti-abuse research lead Elie Bursztein published a post on the company’s blog detailing the measures taken to improve Chrome for desktop and Android.

Encryption Stories April 21, 2014

Google is currently developing a process that will make it easier for Gmail users to encrypt their emails, according to Venture Beat’s unnamed sources. For over 20 years, Pretty Good Privacy (PGP) has been an encryption standard, but the platform hasn’t always been the most user-friendly. This, along with growing concerns over unwanted internet surveillance, has prompted Google to task its engineers with making PGP easier to use.

Encryption Stories April 14, 2014

Google is considering giving higher search rankings to websites that use security encryption, according to The Wall Street Journal. If true, this could force more websites to adopt a secure setup, possibly making it harder for cyber criminals to spy on web users. This new idea was recently mentioned at a conference by Matt Cutts, the head of Google’s Webspam team. The idea is still under consideration, and if Google decides to move forward with this process, a change reportedly won’t happen for quite a while.

Encryption Stories February 27, 2014

Following reports last night when the device was spotted going through the FCC, Reuters reports Boeing today officially announced a new Android smartphone with a number of innovative security features. Dubbed “Boeing Black,” the device will be marketed towards government officials and other organizations that highly value keeping their data secure. The tamper-proof device builds in a number of security features for encrypting calls and more and is designed to wipe itself clean of any data if someone attempts to open the physical casing of the phone. Here’s a bit more from Boeing’s website:

Encryption Stories August 15, 2013

Google launches server-side encryption for Cloud Storage at no charge to developers

Google announced today on its Cloud Platform Blog that the data stored in its Cloud Storage platform will now be automatically encrypted before being written to disk at no additional charge to developers. Google said the process will not involve any input or configuration from developers and that the new encryption will cause “no visible performance impact”:

We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing. Each Cloud Storage object’s data and metadata is encrypted with a unique key under the 128-bit Advanced Encryption Standard (AES-128), and the per-object key itself is encrypted with a unique key associated with the object owner. These keys are additionally encrypted by one of a regularly rotated set of master keys.

Google noted that developers will still be able to encrypt data using their own methods and manage their own decryption keys, but from now on Google will free developers from the effort and cost associated with doing so. The new server-side encryption is active starting today for new data written to the platform, and Google says it will work both for new objects and for overwriting existing objects. It also said that “older objects will be migrated and encrypted in the coming months.”

In July, reports claimed that Google was also readying server-side encryption for files stored in its consumer-facing Drive cloud storage service.

Encryption Stories July 17, 2013

Privacy protection in the apps we use on a daily basis has been a big topic of conversation following accusations that Google and other large tech companies were working with government agencies to provide user data. Google has worked tirelessly to clear its name during the scandal, and today CNET reports that the company is testing encryption for Drive files that could further keep its users’ data protected from prying eyes.

As a reminder, Google does not currently encrypt files stored in its Drive cloud storage service, but rather only encrypts files being transferred on their way to Drive:

Encryption Stories October 11, 2011

Bizztrust is essentially a customized version of Android created by the Center for Advanced Security Research Darmstadt (CASED) and Fraunhofer trade group specifically to bring BlackBerry-like business class security to Android users.

With Bizztrust for Android installed, applications are then installed into one of two partitions: “work” and “personal”. Users can quickly swipe between either partition using an onscreen toggle baked into the UI. Of course, a business’s IT team will control anything installed on the “work” partition, while the end user will have full control of their “personal” partition. Any content installed on the work partition is also automatically scanned before a user is granted access to the company network and any transferred data is automatically encrypted. If an issue is detected prior to the user joining the network, any apps related to the issue will be disabled.

Ahmad-Reza Sadeghi of CASED says Bizztrust “significantly improves the security of today’s mobile terminals at no cost to user-friendliness.” If successful, this could be a huge hit to RIM’s quickly decreasing market share which still greatly relies on business users, as the BlackBerry’s security features are often its only selling point.
