New App - Secret Notes AES-256

Secure your secret notes with AES-256 encryption with this Zero Permission App


This app encrypts your notes into the very depth of internal storage in your device. The notes will stay in your phone and will not leave your phone. The encryption used for securing your notes is AES-256 (refer to https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), one of the strongest encryption schemes. Each note you type into Secret Notes AES-256 is encrypted. Your encryption key, or password, is not stored in any form in your phone or anywhere else.

Typical use cases: travelling to foreign countries, prying siblings, secret diary, too many passwords to remember, your very personal details such as bank a/c, financial statements

Compare Secret Notes AES-256 With Other Secret Notes Apps in Google Play

Our Ten Strengths:

  1. No ads - which may or may not affect security, at least it annoys users when they are typing some secrets
  2. No network connectivity - Rather than trust anyone who tells you your data is safe, we mean it when we say there is no possible way for your data to leave our app
  3. No permission required for external storage media - this means we cannot copy your notes into some unintelligible form for later extrication
  4. We use the strongest encryption method available, specifically CBC-AES-256 with IV size 16, this can be audited
  5. We do not store your password (or password hash) anywhere in the app or in your phone. We just do not store your password but use an innovative method to verify the password is correct.
  6. You can verify the encrypted form of your notes, it can be audited
  7. This app does not have in-app billing so that we do not have to connect to any servers, including Google or any other Web Services
  8. This app will not send any notification to you because it cannot use the network functions and there is no reason for the app to send any notification
  9. This app does not use Fingerprints or Swipe Patterns to unlock your notes because these two methods cannot be implemented safely (more on this in future blogs) for this kind of app
  10. We take care of advanced attacks such as dump and analysis of memory, app cache, code injection, and app tampering

We have started the Zero Permission App (ZPA) initiative on our website. Zero Permission App is an initiative to provide peace of mind to users by aiming to have no (ZERO) required permissions in Android, while still providing innovative and effective features to you.

Secret Notes AES-256 Does Not Require Any Permission - Zero Permission App


Usage:

To use, just download and enter a unique password (that you MUST remember), and then you can start typing your secret information. If you enter the password wrongly two times in a row, the application will default to a blank note list. This is in case you are forced to open the app. Uninstalling the application will automatically remove all the notes that the app stored on the phone. You can change your password anytime by using the "Change Password" setting in the App.

IMPORTANT 1: There is no way to retrieve the password if you cannot remember your password. Your password is not stored anywhere and by anyone. We will only be able to help you recover your notes if we have figured out a way to break AES-256, and we have NOT yet done so.

IMPORTANT 2: We will only support this app when downloaded directly from Google Play. If you download the app from elsewhere, there are risks that the encryption may be weakened, that it is infected with malware, or that tracking logic has been added.

IMPORTANT 3: Please use a more complex and hard to guess password to protect your notes. Yes, your birthday or phone number is easy to guess.

Features:

➤ No ADS and No root required
➤ Simple to use, no manual required
➤ Supports Smartphones, Tablets
➤ Supports Android KitKat, Lollipop, Marshmallow, Nougat
➤ Good resource management
➤ No frills, run with minimum RAM and CPU
➤ No unnecessary function in the app (to enhance security)
➤ No Android Permission required, zero, none, period
➤ Safe and Privacy focused, no servers and DOES NOT connect to the Internet
➤ Your notes will never leave your device
➤ Your notes are only stored in ENCRYPTED form, in the internal storage of your device
➤ Only your password (and pray you must not forget) can unlock your secret notes
➤ Backup of your notes is fully supported in the system
➤ No other app in the device can read your notes
➤ Check the permission required by other similar apps and you will agree that this is the BEST app for securing your notes in comparison
➤ You can request a full source code audit by contacting us


Download it now to secure your secrets. We will refund with no questions if we fail in any one of our strengths. Have fun and God Bless.

GDPR News - The Aftermath

Did GDPR Send Europe Internet Users Back to the Dark Ages?


Following up on our write-up on GDPR, it seems like some companies cannot deal with the regulations and have decided to block all Europe traffic from their sites. Dozens of US newspapers, such as the LA Times, are currently blocked in Europe, and Instapaper has suspended operations for the EU.

Screenshot of Los Angeles Times from Singapore 

Screenshot of Los Angeles Times from UK Proxy

Although this is not a cyber attack, the effect is similar to someone shutting out the Internet from all EU users. Internet usage has become nearly an essential item for daily life; some people depend on it to make a phone call! There are some smart people who develop new services such as GDPR Shield, a service that supposedly blocks Internet traffic coming out from the EU. This is funny or pathetic depending on whether you are in Europe at this very moment. We predict companies selling VPN, VPS or proxy services will be laughing all the way to the bank.

The GDPR legislation was passed in April of 2016, and there was ample time for companies to get their act together. If companies deem Europe business not worth their while, it will only benefit companies that put in effort and resources to make it right. #GDPRmemes


General Data Protection Regulation (GDPR) Memes #GDPRmemes

The good and bad of GDPR memes #GDPRmemes


GDPR stands for the “General Data Protection Regulation.” It’s the most important data privacy law thus far created in the EU: a convoluted product of a 4-year deliberative process that produced an 88-page document consisting of 56,000 words, translated into 26 different languages. The special date is 25 May 2018 (past), and companies were, and some of them still are, scampering to comply.

On a personal level, what are the benefits to you? GDPR provides for EU citizens:
  1. Increased security for your data
  2. Most organizations will need your consent to process and share your data
  3. The right to rectify mistakes, such as inaccuracy or incomplete info
  4. The right to erase, also known as the right to be forgotten
  5. Companies will try to win your business (or engagement) by championing your privacy rights
You can use this recent exercise of companies flooding your email inbox with requests to agree or consent to the "New Privacy and Terms" to take stock of how many companies you gave your personal information to. Some of us received these emails from companies that we do not even remember. Thus, we recommend saving these emails to a folder to have your own record of who may have personal information on you. Do not reply to these emails if you do not think that you are going to engage them in the future. Even if you do engage these companies in the future, companies always welcome your business.

On a bad note of this meme, there are shady characters out there using this exercise to mass email people on the pretext of getting them to consent to privacy terms. Do not reply or click on these emails. Information such as email and location can be collected for future exploitation.

Our previous note on Memes can be referenced here for more information. There are more than 10 GDPR related apps in Google Play Store, with 90% of the publishers having developed just one app.

Screenshot of GDPR Apps (Android apps developed in tandem with the latest memes) in Google Play, correct as at 26 May 2018

On a funny note, check out GDPR Hall of Shame, a collection of funny, crappy, or crazy GDPR emails and shutdown notices. My favorite:

Funny and Scary that a Fridge is capturing your information
Source: gdprhallofshame.com

Updated App - Quick Check for RottenSys, Cosiloon, APT-C-23, AsiaHitGroup and Other Trojan Malware

Updated to include checks for Cosiloon malware

Our app, Quick Check for RottenSys, is updated and live in Google Play to check for Cosiloon malware (just discovered by Avast researchers).

Quick Check for RottenSys, Cosiloon and Other Malwares

If your phone contains this malware, it is likely that you will not be able to remove it.

Contact fledevstaff@gmail.com and we may be able to provide some free advice.

Our previous blog on Cosiloon can be referenced here for more information.


Cheap Android devices ship with pre-installed malware

Beware of cheap unknown brand Android phones that you have not heard of


If you spot a really cheap smartphone and are tempted to purchase one, this recent news may make you pause to think.

Researchers from Avast discovered pre-installed malware in several hundred different low cost Android devices. The preloaded packages, which some call Cosiloon, belong to a type of malware that displays advertisements to the user of the device. Interestingly the ads are from Google, Facebook, and Baidu ad networks.

Source: Avast

These annoying ads appear as overlays on top of other apps and users will not be able to remove the cause of these ads. This is because the malware is built into the system firmware, and in most cases users will still continue to get infected because the malware will update itself or download additional packages after the system is "disinfected". This system level malware will continue to download additional packages from the Internet. Thus, if you own one of these phones, you either live with the annoying ads or buy a new phone. Some of the Anti-virus applications will be able to detect these malicious packages,
    com.google.eMediaService,
    com.google.eMusic1Service,
    com.google.ePlay3Service,
    com.google.eVideo2Service,

but sadly the clean up operation will still fail.

The complete list of infected phones can be found here. ZTE, a more well known brand, is on it with several models. Stay away from cheap brands unless you are capable of doing technical tests yourself. The current malware is just displaying ads but the capability to do more damage (fraudulent activities, identity compromise) is baked into the firmware.

We just checked and their C2 servers are still evolving and alive:
Tested on 25 May 2018


If you still want to buy a low cost smartphone, try to do some anti-virus tests and check that the phone is Google certified.

Personal note to the suppliers of cheap phones:
It is a good and noble intent of you to supply phones at a very low cost to the masses, but inserting malware or adware into the phone firmware without informing the user is not a good strategy. Some people may still get the low cost phone even when they are aware of the adware in the phone. It is akin to people visiting web sites for information knowing that some of these sites are supported by ads. Do things the legal way, everyone benefits.
Have a good day. 

500,000 Network Devices Infected By Malware (Update)

500,000 Network Devices Infected By Malware

Who is behind these attacks?

Advanced VPNFilter malware menacing routers worldwide
Malware with bricking capabilities poses major threat after infecting 500,000+ networking devices

Are these attacks from state backed groups, criminal groups or individuals? Some of the above reports claim they are state backed, notably by Russia. One of the reports claims that it is very difficult to pinpoint who is behind this but posted a picture as shown:
www.theregister.co.uk

Researchers have "no idea" who is behind the attack, and obviously Putin is not a researcher. Placing this caption and Putin image together is not a subtle programming of the readers' mind. And this news writing tactic is an attack, among the more obvious fake news, on the readers.

We do not know who the attackers behind this malware are. We do know whoever is behind this has the technical and operational skill to find this vulnerability, turn it into a malware, and spread the malware to multiple network devices. More importantly, the attackers also have the business acumen to understand this vulnerability will not be hidden for long and the value of this knowledge is diminishing over time. Pushing the malware into the open this early will leave a huge footprint for investigators to eventually pick it out. Thus the attackers are probably going for quick success with this malware. Or worse, using this compromised network to insert a more stealthy malware into the actual targets.

(Update) FBI: Reboot, reset your router immediately to prevent cyberattacks

Follow us on all critical Android development and security news here.

Free Mobile Data Plan in Singapore (Yes it is really Free)

Free 1 GB Data Plan With 30 Mins Talk Time And 10 SMS

How much will you pay for a 1 GB data plan with 30 mins talk time, 10 SMS and caller ID? $10? $5? $1? It is FREE provided by the relatively new Telco Circles.Life 


Free 1 GB Data Plan From Circles Life
https://pages.circles.life/flexiplan/

Why is it free, what is the catch? According to its website, this plan, known as S$0/month Flexi Plan, apparently costs Nothing and they throw in a FREE SIM card, FREE registration and FREE delivery! This will definitely shake up the local telco industry. By providing 1GB data/30min/10SMS as a freebie, it is bound to get many users signing up and brand recognition.

Sign up for this as another line and you can:
➤ use it to expand your existing data plan by 1GB
➤ use it as a backup phone line or data access in the event of outage with your main telco line (Circles.Life leases from M1, so it may not work as a reliable backup if your main line is also M1)
➤ sign up and verify additional social media account with the additional phone number (e.g. another WhatsApp account)
➤ provide a short and quick loan to friends or foreign visitors
➤ give it to family members, kids, parents and maid (you are a douchebag if your spouse does not already have one)
➤ use it for Android development (how often you wish you have another internet link for testing purposes? ChatBot? Remote monitoring? SMS gateway? You get the idea)
➤ give your poor old discarded smartphone or tablet a new lease of connectivity life
➤ use it to register for other freebies that require a phone number
➤ confuse data trackers such as IMSI catchers (more on this in another time)
➤ engage in various forms of pranking your friends (your mysterious lover)
➤ call and talk to yourself (I seriously will not know why and I am running out of ideas)
➤ finally give yourself an excuse to buy a phone with two SIM cards
➤ ... suggest additional ideas in the blog comments but please stay on the legal side

Another benefit from Circles.Life is you can top up and spend as little as you want when you want to. For now, they provide the options of 2 GB for $12.00, 1 GB for $8.00 and 30 min for $5.00, all without pre-contracting.

The choice of identity used for signing up is quite comprehensive. You can be a Singapore resident signing up with your NRIC ID, a foreign worker using your S-Pass, Employment Pass or Work Permit, a student with Student Pass, and even a dependent of a foreign worker with Dependent Pass.

Circles.Life also has a bonus data plan, where you can get additional data from referrals, loyalty, and porting another telco number to it. However, it is unlikely this bonus data plan applies to the free 1 GB plan.

If you decide (and I do not understand why not) to sign up, you can download their app to manage your account. From the reviews, the existing customers are happy with the service provided.

Together with the previous post, readers should know by now that the writers are suckers for freebies. Hope to bring you other freebies next time. Cheerios.

Vulnerability of China High Speed Rail Tickets

Vulnerability of China High Speed Rail Tickets Through Information Disclosure

The reason why you MUST destroy the China High Speed Rail ticket after usage

This is not really a story on our Android development, though some of us did have the thought to develop an app to reverse what we found. But common sense prevails.

Recently I went on a holiday in China and took the famous China High Speed Rail from one city to another. When I examined my ticket, my passport number was printed on the ticket with only the last two characters replaced with a "*". Incidentally, I found a lost ticket next to my seat and it was a ticket belonging to a Chinese resident. I knew it belonged to a resident because of the format of the National Identification number.

My Ticket (redacted to protect privacy)

Ticket Found (redacted to protect privacy)

The lost ticket has the National Identity Number (see image) and the name of the person who lost the ticket (both details redacted out). When I googled the format of the Chinese National Identity Number, it is as shown:

 RRRRRRYYYYMMDDSSSC

where the first six characters, RRRRRR, represent the place where the ID was issued, YYYYMMDD represents the birth date of the person in the year (YYYY), the month (MM) and day (DD), SSS is a sequential code to distinguish people with identical birth dates and birth places, and C is a checksum value over the first 17 digits. The checksum is calculated using ISO 7064:1983, MOD 11-2. A useful or useless point is that SSS is an odd number for male and an even number for female citizens.

As you can see from the lost ticket, the replaced digits correspond to the birth month and birth date of the person. Redacting just the birth month and date only requires an attacker to guess 365 or 366 times (by cryptographic standards, the guess is actually halved, i.e. 183, but that is too much maths) to get the real ID. However, with the additional help from the checksum calculation, maybe we can shorten the guessing domain space.

Long story short, I created a simple Excel sheet to calculate the number of permutations of birth dates that will result in a correct checksum code, which was also printed in clear on the ticket. The result is 33 to 34, depending on the checksum digit. The conclusion is that you will be able to find 33 to 34 correct birth dates that correspond to the ticket holder, and you will have found the personal name, National ID, gender, birth place and birth date of the ticket holder. And I shiver at the thought of how an attacker could use this information for impersonation or scams.
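The count above can be reproduced in a few lines. This is an added Python example, not the author's Excel sheet; it measures how many real calendar dates remain consistent with the printed check character when only MMDD is masked. The ID below is constructed (region code 000000 is a placeholder, not an issued region), and the function names are chosen here for illustration.

```python
import calendar

# ISO 7064 MOD 11-2 as applied to the 18-character ID:
# the weight of position i (0-based) is 2^(17-i) mod 11.
WEIGHTS = [pow(2, 17 - i, 11) for i in range(17)]
CHECK_CHARS = "10X98765432"  # indexed by (weighted sum mod 11)


def check_char(first17: str) -> str:
    """Return the check character C for the first 17 digits."""
    if len(first17) != 17 or not (first17.isascii() and first17.isdigit()):
        raise ValueError("expected exactly 17 ASCII digits")
    total = sum(int(d) * w for d, w in zip(first17, WEIGHTS))
    return CHECK_CHARS[total % 11]


def calendar_dates(year: int):
    """Yield every real MMDD of the given year (leap years included)."""
    for month in range(1, 13):
        last_day = calendar.monthrange(year, month)[1]
        for day in range(1, last_day + 1):
            yield f"{month:02d}{day:02d}"


def consistent_dates(masked: str) -> list:
    """Return the MMDD values that fit a masked ID of the form
    RRRRRRYYYY****SSSC. If C is also '*', the checksum gives no
    help and every calendar date of that year is returned."""
    if len(masked) != 18 or masked[10:14] != "****":
        raise ValueError("expected 18 characters with MMDD masked as ****")
    year = int(masked[6:10])
    printed = masked[17].upper()
    hits = []
    for mmdd in calendar_dates(year):
        first17 = masked[:10] + mmdd + masked[14:17]
        if printed == "*" or check_char(first17) == printed:
            hits.append(mmdd)
    return hits


# Constructed sample: placeholder region, born 1990-03-07, sequence 001.
SAMPLE_FIRST17 = "000000" + "1990" + "0307" + "001"
SAMPLE_MASKED = "0000001990****001" + check_char(SAMPLE_FIRST17)

if __name__ == "__main__":
    with_check = consistent_dates(SAMPLE_MASKED)
    without_check = consistent_dates(SAMPLE_MASKED[:17] + "*")
    print("masked ID as printed on a ticket:", SAMPLE_MASKED)
    print("dates consistent with the printed check character:", len(with_check))
    print("dates if the check character were masked as well:", len(without_check))
```

For this constructed ID the printed check character cuts the candidates from 365 to 33, so masking four digits while printing the checksum hides very little.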

Thus, for foreign visitors to China, remember to destroy (or tear up the portion with your identity) the ticket after you exit from the gantry. This is because for foreigners, only the last two characters of your identity (could be passport number, work permit) are masked out. And depending on the scheme of encoding, it may be easier to guess your identity than the Chinese ID. For Chinese, it is also important not to throw your ticket into the bins after use. You do not want your identity to be used for impersonation.

What is the possible damage of a stolen identity in China? A Chinese resident in Shenzhen found it cost him USD 12.5 million, where the perpetrator(s) stole and used his identity to borrow money and open credit card accounts.

If you want to know, I returned the lost ticket to the station manager at my stop. Drop an email to fledevstaff@gmail.com if you want to have a copy of the Excel calculation.

Follow us on all critical Android development and security news here.

Free five dollars to your bank account (Yes it is really Free)

Free five dollars for you when you install DBS PayLah

If you are living and working in Singapore and you have not installed any of the e-payment apps, there is a 100% chance of getting a free five dollars into your bank account.

Just install DBS PayLah from the Google PlayStore and enter your details. When you come to a page asking for a promo code, just enter "COMCHEST35". You will instantly get five dollars into your account.

Note that this promotion is valid from now till 27 May 2018.

Personally tested it and it works. Nothing is free in life, but occasionally something good drops in.

My 5 dollar proof


Grab it before 28 May. After you have transferred out the 5 dollars, you can uninstall the app if it does not work for you.

Updated App - Quick Check for RottenSys, APT-C-23, AsiaHitGroup and Other Trojan Malware

Update: Seven reappearing malicious apps have been discovered by Symantec on the Play store under a different name and publisher even after these have been reported. The app is updated to check for them.


Get it here

Quick check and scan for RottenSys, Trojan.AsiaHitGroup, Trojan.SMS.AsiaHitGroup, Adware.AsiaHitGroup, APT-C-23 (Dardesh, VokaChat, Chattak) malware files in your Phones, Tablet, TV.


Features:
➤ Free
➤ No root required
➤ Simple to use, start scan when app is started
➤ Supports smartphone, Tablets, TV box
➤ Good resource management
➤ No frills, run with minimum RAM and CPU
➤ Supports Android Jelly Bean onwards, KitKat, Lollipop, Marshmallow, Nougat
➤ Safe and Privacy focused, no servers and does not connect to the Internet
➤ No unnecessary function and permission
➤ RottenSys malware is linked to Ads so for peace of mind this app is free of ads

This apk is uploaded to VirusTotal - see results in https://www.virustotal.com/#/file/87c786eaa4ae2755c6f98c31b47d22138672a6ce05357eb200fa9f53fe4d9fbe/detection

For more details on RottenSys:
- https://research.checkpoint.com/rottensys-not-secure-wi-fi-service/
- https://www.2-viruses.com/rottensys-malware-phones

For more details on Trojan.AsiaHitGroup, Trojan.SMS.AsiaHitGroup, Adware.AsiaHitGroup:
- https://blog.malwarebytes.com/cybercrime/2017/11/new-trojan-malware-discovered-google-play/

For more details on APT-C-23 (Dardesh, VokaChat, Chattak):
- https://www.zdnet.com/article/fake-android-apps-used-for-targeted-surveillance-found-in-google-play/

For more details on 7 malicious apps that sneaked into Google Play:
- https://www.symantec.com/blogs/threat-intelligence/persistent-malicious-apps-google-play


If a malware is detected, just go to setting/Applications and remove it.

In the unfortunate event that the malware cannot be deleted, you can email fledevstaff@gmail.com and we will try to help.
