Security, Is There Security In The House

Security? What does it mean?

Several concepts:

  • Malware
  • Login
  • Secured Login
  • Code obfuscation
  • Securing your .apk
  • Securing Content
  • Trojans
  • Comparing Signing Certificates

Basically, here’s the long and the short of it.

Yes, you can take steps to enhance your security, but a really good hacker can succeed given sufficient time.

So always ask yourself if what you’re doing is the best method. It’s unlikely the best hackers are targeting you. A locked door just might push the wannabe hacker to the next door.

Fundamentally here’s the problem:

“But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.” Wired Magazine, Aug 6th, 2012.

In the Android Developers Guide there is a section about Designing for Security.

ProGuard

Most devices don’t use password protection and most users will disable it if it’s offered.

The app can have a sign-in.

Halt! Who goes there? Roger!
Roger, thanks for the password.

OAuth Background

OAuth emerged from the social web, originally motivated by a desire to mitigate the so-called “password anti-pattern” in which a user, in order to authorize a third-party site to access their Facebook data, would be asked to provide their Facebook password to that third-party site. The first version, OAuth 1.0, allowed a user to specify such permissions without divulging their Facebook credentials to any entity other than Facebook (and similar for other providers).

OAuth 2.0 still supports this original delegated authorization use case from the consumer web but is now relevant to enterprises and the Cloud as well—which is arguably more about authentication than authorization. For instance, Salesforce uses OAuth to protect the many APIs they offer up to their enterprise customers. Enterprises themselves are using OAuth to protect the APIs they offer their partners and customers as well as internal clients in “private cloud” models.

OpenID

OpenID is an open federated identity standard targeted towards the consumer world, allowing individuals Single Sign-On (SSO) to “relying party” sites from an OpenID provider such as their email provider or social network. Large OpenID providers such as Google and Yahoo! have issued OpenIDs to all their users. OpenID is one of few federated identity standards that enable SSO without the need for a pre-existing relationship between the identity provider and the relying party, a feature that greatly fosters scalability.

Malware, is it a problem?

According to Google and Apple it’s not.

Google believes some of the anti-malware apps are worse than the malware. Apple, despite proof to the contrary, says there’s no malware on their platform.

Malware, but it’s not: Lookout’s take on the ‘Apperhand’ SDK (aka ‘Android.Counterclank’). Apparently advertisers are the biggest spammers.

As pointed out in this article, somebody’s always crying “Wolf”: “Symantec launches massive ‘Android malware’ scare campaign — extreme caution advised” – Computerworld Blogs. Sometimes the problem is overstated.

Recently I read 5 free Android security apps for your smartphone | Mobile Technology – InfoWorld

This article helped me understand that as a developer I probably should have at least one or two of these apps on my devices.
Not because I’m concerned about security, but because I need to know what these apps are telling app users about my app. Plus, I’m sure I’ll find some interesting things along the way.
So I’ll install a couple and let you know what I found out.

16 security problems bigger than Flame

Fred

JUNE 20, 2012 Smartphone security is heading for ‘apocalypse’

JUNE 19, 2012 New Android malware disguised as security app

Apple apps are the malware

Skype & Buzztouch

Skype is an essential tool for Buzztouch Developers.

In the past few months I’ve found that giving and getting support requires me to talk to people around the world. The most common form of communication after email is by phone. And almost every time it’s been done with Skype. I have free Skype calls to landlines in the US & Canada ($3/mo) and Skype to Skype to anywhere in the world. Some carriers (Verizon) don’t allow Skype calling.

Microsoft owns Skype. It’s interesting seeing how Microsoft is moving into the mobile world. Skype is one of their doorways. Few if any mobile devices don’t have Microsoft on board.

Skype vs. Facebook

You didn’t know there was a contest? Well, Microsoft does.

An interesting fact is that Facebook makes most of its money on display ads on desktops. It makes almost zero on mobile devices.

Fred


Copyright, You, Buzztouch™ & Your App

Copyright and Your Buzztouch App

This blog is a collection of various issues that have been discussed on the Buzztouch Forum about copyright law.

This is not legal advice and is not intended as legal advice. If you want legal advice, hire a lawyer. It’s a review of the issues involved and my analysis of the issues. I’ll rewrite this later to include more analysis and to organize the various issues.

I know this blog is a mess, but given the frequency of request for this information, I’m providing it “as is”.

Issues:

Part I – Buzztouch & Copyright:

  • Buzztouch’s “I understand Copyright Law” check box: Do you really understand copyright law?
  • Missing icons in BTv2: Too bad not everything in life is free, sorry.
  • Fair Use
  • Buzztouch TOS: Read it.
  • Plugins: There’s copyrighted content in there, yes really, there is.
  • Endless Debates: Hopefully this article will silence some of it.

Part II – But I’m a Non-Profit:

  • Non-Profit or just unprofitable: There’s a big difference.
  • Non-Profits: Who cares, you’re not special.
  • 501(c)(3): So, you’re a charity.
  • Non-commercial Use: Is your knitting club really non-commercial?
  • Free vs. Paid: Free doesn’t mean non-commercial.

Part III – The Law:

  • Location, Location, Location: USA Copyright Law vs. Non-USA Law
  • Digital Millennium Copyright Act:
  • DMCA warning:
  • Copyright Disclaimer:
  • Database Compilation

Part IV – Linking: To Link or Not to Link, that is the question:

  • Advertising with links: Maybe good, Maybe Bad.
  • Deep links: As always depends, probably not good. What country are you in?
  • Framing: Same as Deep Linking
  • Google Maps: Violation of TOS if you . . .
  • YouTube: See Google Maps

Part V – Apple Review:

  • iTunes Link: Get it right.
  • Apple’s crazy (Apple & PayPal): Tread carefully.
  • Apple Review: Yes, they look at copyright issues.
  • Letter to Apple: Somebody doesn’t like you.
  • Letter from Apple: You better pay attention.
  • Different Reviewer, Different Outcome: Not everyone at Apple knows or understands the law.
  • Jailbreaking, Apple and EFF: It’s legal.
  • Adding screens after submitting for review: You’re avoiding the issue, expect a letter one day.

Part VI – Miscellaneous:

  • Is it your source code or theirs?
  • Using someone’s source code
  • Copyrighting your app: Consider it done.
  • It’s via a mobile app, not a webpage: So what!
  • Can I copyright this? Can you copyright what you don’t own?
  • What can you copyright?

Part VII – Other:

  • Legal Advice: What makes you think you need it?
  • Don’t Trust Lawyers: Most of them make it up; verify, verify, verify.
  • Litigation as a weapon

Part VIII – Android Market: Basically the same issues as iTunes, just not upfront.

  • Letter to Android Market
  • Letter from Android Market
  • Google routinely removes apps that violate Trademark and Copyright Law

Part IX – An Indecent Proposal:

  • Having Someone publish your App
  • Publishing Someone’s App

Part X – Company won’t allow apps with YouTube links: It’s their right, but they probably don’t understand the law or don’t wish to deal with the issue. It’s their call.

Lesson # 1: Buzztouch’s TOS: Did you read it or even know about it? Doesn’t matter, you agreed to it and it applies. Among the many terms, you agree not to use copyrighted content in violation of the law and to indemnify Buzztouch for your actions.

Lesson # 2: Fair Use: The first review of this blog by chrspe: “Ok Fred, good information, but just asking, at the end you say it is copyrighted… BUT it is someone else’s (Buzztouch’s) information. How does all that play in? Thanks for the info.” “@chrspe, you ask an excellent question. My commentary and my analysis are my content. The citing of the posts on the forum is fair use since I’m providing analysis. If I were to simply duplicate the posts and not provide analysis I doubt I would be lawful. Precisely why the ‘making fun of YouTube’ is allowed whereas the linking for commercial purposes is not. See the difference.”, Fred.
Getting consent is always wise, but not required for fair use. That’s why Jon Stewart loves Papa Bear and Fox News, so much free material to work with.

    The reason the icons were not included is they are copyrighted. Something to consider if you’re creating an app for commercial use, especially if you’re creating one for a client.

I don’t believe they own the copyright. They’re using it under license, therefore they can’t give what they don’t have. Personal use is not the same as free. Fair use is a defense to copyright infringement. But it’s still an infringement. Basically, ask yourself these questions: Am I benefiting from their work? Not good. Am I explaining, mocking, or discussing their work? Probably ok. Would I like it if they used my work that way? Probably not ok, see above.

But, I’m not trying to take anything from them? You should ask. Waves of legalities?? Depends, they may never know about you. FREE?? That’s Not the issue.

Rejection from Apple? 8.6: “Google Maps and Google Earth images obtained via the Google Maps API can be used within an application if all brand features of the original content remain unaltered and fully visible. Apps that cover up or modify the Google logo or copyright holders identification will be rejected.”

YouTube TOS specifically says, “Users may only use their services for personal use (NOT COMMERCIAL) AND the TOS also says that you cannot access YouTube content through a paid gateway.”

“Look at tosh.0 he makes millions on his show, playing and making fun of YouTube videos…”, Slater. BT Forum Posted: Fri, Aug. 12 2011.

Zoid66, Posted: Thu, Nov. 03 2011 06:16 PM (pst) “Just a small ‘warning’. I released a very similar app on Android… And was ready to release one on Apple.. Here it goes, way bummed out on this one… I got a DMCA warning from one of the people on your list within your app.. That I was in violation.. Now I spoke with an IP attorney and I was told it is not against any trademark etc. to link to copyright content.. Listing a R name is no different than a phone book listing a company’s name. Long story short.. I filed a dispute against this and my Google account is now suspended while the matter is being resolved. Yep, all my apps are removed for now.. I was going to post this in another topic, most likely still will!!”

“ . . . I too followed all the guidelines etc. One of the people in your app’s list starting with a K filed a DMCA against me because I linked to their site… DMCA is the Digital Millennium Copyright Act.”

David@Buzztouch, Posted: Wed, Feb. 16 2011 03:58 PM (pst) “ . . . Apple’s crazy about this kinda thing. Oh, and the copyrighted material – um – did you check the check box that read ‘I understand the copyright laws’ when you created your Buzztouch app? This isn’t good. PayPal + Apple = Nightmare. Sorry, don’t have any good news here.”

“One thing I am concerned about now is whether there would be legal liability if I allow people to upload photos to a server I host; could possibly get some(one) us(ing) my app for uploading copyright stuff… Am re-considering including that feature in the App at all. One possible work around might be to use flickr, as then the images are hosted with them and there is, I assume, some public (service) that would result in . . . images being taken down.” IslandApps, Posted: Sat, May. 14 2011.

There are endless debates about the copyright question. Both sides make a good argument. About the best thing I can recommend is that you make 100% sure you can use content in your app without violating anyones rights. I know this is a generic answer, not sure what else to advise. Posted by David@Buzztouch, May 27th, 2011.

Jnica23, Posted: Fri, Jul. 08 2011 11:08 AM (pst) I was looking over some of the things I need for the submission of my app to the app store and one of them was a copyright. Do I have to copyright my app before I am able to submit it? (I’m such a n00b)

Stefan, Posted: Fri, Jul. 08 2011 12:01 PM (pst) “About copyright: it does not have to be registered like a trademark or service mark. Copyright exists the moment something is created. If the material in the app contains copyrighted content you should have the rights to use it. If it’s material you control/created yourself, you have the copyright. That being said, don’t post apps that include copyrighted material that you don’t have rights to use.”

Apple requires the App Store logo have a link. It’s mandatory.

Bracesport, Posted: Fri, Jan. 06 2012 11:36 PM (pst) “I think Apple will only reject your app for technical reasons.. you just have to dot the i’s and cross the t’s.. I don’t think they are interested in how it looks, (that’s) your domain! I was rejected at the start for copyright when I foolishly thought Apple would be happy for me to use their iTunes icon!!”

Mutzy, Posted: Mon, May. 23 2011 06:13 PM (pst) “So apparently my understanding of copyrighted information isn’t as good as I thought. I had some links in my app that loaded the algorithms we use for CPR and advanced cardiac life support (ACLS) on the American Heart Association’s website. The jpg files are freely available online, and my app was free, so I didn’t think it was an issue. I got an email today from them via Apple stating I illegally used their copyrighted material. They were also upset because I mentioned these algorithms in my app’s description and because the link to these algorithms was a custom URL as opposed to launching a new browser, both of which also violated their copyright agreement. They have a very long copyright agreement. They told me I had a couple (of) days to take down the app or they would take legal action (already removed the app and sent an update). Now I have to figure out if I can make my own algorithms or if they’ve somehow copyrighted the data within the algorithms as well. Confusing…”

Takagi, Posted: Mon, Jan. 30 2012 03:37 PM (pst) “Apple can be real you-know-whats when it comes to rejecting apps. If I have learned anything it is to include a copyright/legal section. I would state in that: this app is purely for entertainment purposes only. The app is (non-profit) and is protected under the fair use doctrine. Apple accepted one of my apps after I added that.”

In 2010, the EFF overthrew Apple’s claim that Jailbreaking is in violation of the Digital Millennium Copyright Act, and declared that iOS Jailbreaking is legal in the United States. The decision ‘which applies to all mobile smart phones and not the iPad, does not require Apple or other handset makers to allow Jailbreaking. Instead, it makes it lawful to circumvent controls designed to block Jailbreaking.’

David@Buzztouch, Friday Dec 23, 2011: “It makes perfect sense that newly created plugins, such as the ones @David is making, would be based off existing plugins. As long as the person that wrote the code for the plugin you’re copying doesn’t mind. Be sure to read the readme, license, copyright info in a plugin package before you copy it, never know what an author may include. I’ll bet that most authors will be OK with you copying plugins and making new plugins so long as they feel like you’re not taking advantage and offering them commercially. It will be interesting to see how this plays out as time goes on. Assuming there isn’t an issue with copying, copy the entire folder, then adjust the values in:”

Question: Is linking via a mobile device different from linking via a webpage?
Answer: It’s the same whether it’s via mobile app or webpage. They’re both infringements of the copyright. The question is, “Is fair use a defense?”

Deep linking may get you in trouble.

USA law, or German, or Indian?

Framing their content?
Use of the logo will probably be ok, but what’s being linked and how will be the issue.

“. . . the source code files included in your project were not created by you, it’s not appropriate to change the copyright info listed in those files. However, the application itself, the one in the App Store, is for sure YOUR creation and your name should be listed as the copyright holder in the App Store (it asks you for this when you submit for approval). Copyright stuff is commonly misunderstood and it’s normal to be confused a bit. The general idea is this: If you use some source code without changing it (that was provided to you by somebody else) you shouldn’t claim it to be your own work. However, any modification, even the slightest, should be mentioned in any copyright info found in a file. Example: If you modified the BT_screenMenuList.m file, you should document your (changes) by adding something like this under the original copyright notice… ‘This code is based on the original BT_screen_menuList.m file created by [original author name]. I modified lines: 34 -34’ copyright 2012 [Your Name]

Generally speaking, nobody but you will ever see your source code anyway but it’s possible that someone could. The idea is that if you shared your source code with another programmer they would understand who created it, then who modified it. It’s challenging sometimes when files are modified in many, many places. At some point, if you modify a file in many ways, the file will become entirely your work. This is OK and in these cases you should just remove any existing copyright info and add your own. This is because the file is now entirely your work. This is a long way to say, add your name to the App Store for copyright info and don’t worry about using the source code we provided you, that’s the whole idea behind open-source licenses”, post by David@Buzztouch, Posted: Mon, Feb. 06 2012.

Oh, by the way, if you were wondering: yes, this blog is copyrighted.

Fred

Buzztouch™ (iOS vs. Android)

Just a short blurb about the relative status of iOS vs. Android in relation to Buzztouch.

Not all features are supported on both platforms (read: Android), but almost every feature now has a workaround. I’d be interested in knowing what, if any, iOS features are not supported.

Interactive forms and databases are the last frontier.

I dare say on this front it appears Android will have the advantage.

An interesting development is the possibility of using your Android device as your primary and only computer: “Ubuntu Android add-on designed to replace PCs”.

Regarding poor Android app interfaces, that’s mostly because Android developers are publishing before they understand how to properly do graphics, or simply don’t care. I guess they’re App Happy.

Google has published a guide regarding graphics. They also suggest that app developers are not graphics designers and that app publishers should utilize the services of graphics designers for a successful app.

Apple avoids the problem by having a closed market.

Fred

Emulator & Android Market

Three ways to add apps to your Virtual Device.

A common problem is that people complain that they cannot test their PDF screens and a few other screens (Word, Excel) on their virtual device.

Several weeks ago, I believe January ’12, someone stated on the Buzztouch™ Forum that an email account could not be added to a Virtual Device (VD). I posted that I had done so and that the email account worked.

I then speculated on the Forum that one could add apps via the Android Market.

Within the hour someone tried it and confirmed that it worked.

So, need a PDF viewer on your Virtual Device?

Three Methods:

  1. Add an email account to the emulator. You can then email Android Market links to yourself and install.
  2. Install Android Market, or
  3. Use the VD’s browser to find the desired app either on the Android Market or any other location where the .apk is posted.
    • You could post the .apk yourself on DropBox.
    • Have someone else post the .apk on DropBox.
    • If you wish to test another Buzztouch user’s .apk on the Virtual Device, have them either email it to you or post it somewhere, and use the browser to download it.

Fred