FOXTROT/ALFA: SpaceX Launch Postponed, Google/Apple COVID-19 Contact Tracing API Released, StrandHogg 2.0

Yeah, it happened again: Too much to do, way too little time. I had to skip another few newsletters. It’s just not something that can be helped at the moment. But I’ve recapped the tech news of the last two days for you in today’s edition. So without further ado, here is FOXTROT/ALFA issue 123 for Thursday, 28 May 2020.

StrandHogg 2.0

A newer version of the Android vulnerability StrandHogg has been discovered. Like its predecessor, it allows an attacker to launch another app in place of the one the user thought he launched, which can be used to phish for login credentials. Except this version is harder to detect.

A Norwegian infosec firm discovered a new Android vulnerability, which they’ve dubbed Strandhogg 2.0. Security firm Promon says “Strandhogg” is an old Norse strategy for coastline raids and abductions, and today’s vulnerability is the “evil twin” of a similar one discovered in 2019. The original Strandhogg used an Android feature called taskAffinity to hijack applications – by setting the taskAffinity of one of its activities to match the packageName of any other app, then setting allowTaskReparenting=“true” in its own manifest, the Strandhogg app would be launched in place of the target app.

Imagine tapping the legitimate Gmail icon on your phone and getting what appears to be a legitimate login prompt, pixel-for-pixel identical with the one you’d see if your account had been logged off. Would you enter your credentials? If one of the free games or apps you or a child might have installed was a Strandhogg vessel, you just gave your credentials to an attacker – which might even launch the Gmail application itself immediately after testing your credentials, leaving no obvious sign you had been compromised.

Strandhogg 1.0’s major weakness was the need to declare taskAffinity in the Android Manifest. Strandhogg 2.0 doesn’t require any special settings in a package’s Android Manifest – meaning the attacking code doesn’t need to be present on the Play Store to be scanned at all. Instead, the attacker can download the attack code later, once the trojan app or game is already installed on a user’s device. In addition to the obvious credential-stealing attacks, Strandhogg can be used to trick users into escalating its privileges based on the trust they have for the apps it hijacks.

Strandhogg 2.0 affects all versions of Android prior to 10—which translates to roughly 90 percent of the Android userbase. Google rolled out a patch to close the Strandhogg 2.0 vulnerability, CVE-2020-0096, in May’s Android Security Update. The older Strandhogg 1.0 vulnerability is not patched and likely will not be – it appears that Google prefers to play whack-a-mole with dodgy apps as they are uploaded to the Play store, since it can scan for exploits of that vulnerability directly in the Manifests of potential malware applications.
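The manifest check mentioned above can be sketched in a few lines. This is an example added here, not code from Google, Promon or any of the quoted articles: it flags activities whose taskAffinity names a package other than the app's own and reports whether allowTaskReparenting is also set, which is the Strandhogg 1.0 pattern only (2.0 leaves nothing in the manifest to find). It assumes the manifest has already been decoded from the APK's binary XML to text; the function name and the sample manifest are made up for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml (all names are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name=".Overlay"
        android:taskAffinity="com.example.mail"
        android:allowTaskReparenting="true"/>
    <activity android:name=".Settings" android:taskAffinity=":settings"/>
  </application>
</manifest>"""


def find_foreign_task_affinity(manifest_xml):
    """Flag activities whose taskAffinity names a package other than their own."""
    root = ET.fromstring(manifest_xml)
    own_package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # Values on <application> are the defaults for every activity inside it.
    default_affinity = app.get(ANDROID_NS + "taskAffinity")
    default_reparent = app.get(ANDROID_NS + "allowTaskReparenting", "false")
    findings = []
    for activity in app.findall("activity"):
        affinity = activity.get(ANDROID_NS + "taskAffinity", default_affinity)
        reparent = activity.get(ANDROID_NS + "allowTaskReparenting", default_reparent)
        # No attribute, an empty value, the app's own package, or a ":suffix"
        # (assumed here to be resolved relative to the own package) is benign.
        if not affinity or affinity == own_package or affinity.startswith(":"):
            continue
        findings.append({
            "activity": activity.get(ANDROID_NS + "name"),
            "task_affinity": affinity,
            "allow_task_reparenting": reparent.strip().lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in find_foreign_task_affinity(SAMPLE_MANIFEST):
        print(finding)
```

A foreign taskAffinity on its own is worth a manual look; together with allowTaskReparenting it matches the combination described above.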

The Problem with Journalism Today

One of the biggest problems with journalism today is that very few of my colleagues bother to check things they get told in press releases. This is surprisingly prevalent in tech reporting. But the mainstream media (or what we would call “Leitmedien” in German) in the US seems to be getting even worse. They are now just reading out pre-scripted bits handed to them by someone, most likely a company’s PR department. If you want to see what that looks like, watch this video:

I’m guessing all of these stations are local affiliates of one of the big networks which pre-produced the script for them. But seeing as that script reads like it’s straight from the Amazon press release, that doesn’t really matter.

First Manned SpaceX Launch Scrapped

Last night the first manned spaceflight by the US (NASA and SpaceX) in ages was supposed to launch to the ISS but the launch was postponed because of unfavourable weather conditions.

NASA’s attempt to launch American astronauts to the International Space Station aboard an American-made rocket from American soil for the first time in nearly a decade was aborted today due to bad weather. Grey clouds loomed overhead as Robert Behnken and Douglas Hurley strapped into their seats in their SpaceX’s Dragon crew capsule atop a SpaceX Falcon 9 rocket. As the weather failed to improve, NASA scrubbed the launch 17 minutes from the planned 1633 ET (2033 UTC) liftoff after the threat of lightning proved too great.

The flight would have been the American space agency’s first manned mission carrying American astronauts on an American rocket from the good ol' USA for the first time since 2011.

Weather conditions at NASA’s Kennedy Space Center in Florida weren’t favorable to begin with, we note. Four hours before the planned blast-off, the agency’s boffins estimated there was a 60 per cent chance the launch would have to be postponed to another day; there was no opportunity to hold off launch for even a few minutes if the skies remained glum.

While these scrubs aren’t unusual, it does seem like NASA is doing this a lot more often than the Russians. Either the Russians just have more balls, or maybe Florida just isn’t the right place to launch spaceships from? You’d think a place like Black Mesa in Utah or something would have more stable weather…

All hope is not lost as NASA and Elon Musk’s SpaceX will attempt to send Behnken and Hurley up to the orbiting lab on Saturday, May 30 at 1522 ET (1922 UTC). The conditions are expected to be more favorable with only a 40 per cent chance of launch-scrubbing weather. In the meantime, the pair will be quarantined, as expected, to prevent carrying illnesses, such as the COVID-19 coronavirus, to the space station.

Switzerland Launches First SARS-CoV-2 Contact Tracing App

Apple and Google have now released iOS and Android updates to integrate their COVID-19 tracing API into their operating systems. Meanwhile, the Swiss have released the first app that’s using this tech.

Switzerland says it is the first country to roll out a contact-tracing app for the COVID-19 coronavirus using technology and a set of APIs produced jointly by Apple and Google.

The Swiss app, called simply SwissCovid, has been supplied to hospital workers, civil servants, and members of the Swiss army as a precursor to a large national roll-out next month. By using APIs developed by Apple and Google, as manufacturers of the most popular smartphone operating systems, the app is designed to protect people’s privacy by keeping all relevant information on their phone, and without burning the battery on Bluetooth signaling.

I very much doubt it’s actually not burning the battery down, BTW. I’d love to see some actual testing on that.

In Germany, SAP and Deutsche Telekom are working on a local, open source implementation of the API. I’ve looked into this in detail in yesterday’s episode of my privacy podcast The Private Citizen.

Boeing Resumes 737 MAX Production

Optimistically, Boeing has resumed production of their disaster plane 737 MAX.

Boeing has resumed production of the 737 Max, its passenger plane with software so flawed that its certification was yanked after being found to have caused two fatal accidents. A brief statement from the firm said “more than a dozen initiatives focused on enhancing workplace safety and product quality” are now in place at Boeing’s factory in Renton, Washington. The announcement also mentioned improvements to production systems and all sorts of new arrangements that make the plane easy and safe to build.

But there was no mention of software other than the quick reference to “quality”. Nor was there any indication that the United States’ Federal Aviation Administration will re-certify the plane, after grounding it in 2018 after the crashes.

I do not understand this. There’s currently no market for planes at all, let alone planes that aren’t allowed to fly and that nobody wants to fly in even if they were.

Airlines are currently bleeding as a certain virus severely reduces demand for air travel, so if the Max is allowed to fly again its lower operating costs may be welcome.

I doubt it. Why would anybody buy new planes at this point? Aside from existing orders, I doubt there will be new ones coming in…

But the pandemic means Boeing’s building them slowly. At least those on the 737 Max line have work, as Boeing also announced 6,770 layoffs in the USA and plans for more around the world. “I wish there were some other way,” said Boeing president and CEO Dave Calhoun, adding that “Some of our customers are reporting that reservations are outpacing cancellations on their flights for the first time since the pandemic started. Our industry will come back, but it will take some years to return to what it was just two months ago.”

GTA VI Coming in 2023?

Venture Beat had a story on some hints that GTA VI might ship in 2023.

Take-Two expects to spend $89 million on marketing during the 12-month period ending March 31, 2024. That is more than twice the marketing budget for any other fiscal year over the next half-decade, according to the company’s recent 10-K SEC filing. Why is Take-Two planning to spend that much more on marketing in fiscal 2024? One of the most likely explanations is that is when the publisher expects to release Grand Theft Auto VI, according to analyst Jeff Cohen of investment firm Stephens.

But that guess seems to have been wrong.

Take-Two clarified to GamesBeat that this marketing-obligation metric refers only to its contracts with third parties. It does not reflect its marketing budget for internal studios like Rockstar Games. That means this does not indicate a timeline for Grand Theft Auto VI. I apologize for this misleading error.

Ardour 6.0 Released

The latest version of the open source digital audio workstation (DAW) Ardour has been released.

The sound-tinkerers among you will be pleased to learn that Ardour 6.0 is out, representing a major upgrade of the open-source digital audio workstation for Linux, macOS and Windows.

According to the release notes, the main changes in version 6.0 are under the hood, where there have been “huge engineering changes”. It has been a long wait; the previous version 5.12 was out in September 2017. “The primary reason for the very long interval between the two releases has been the scope and difficulty of these engineering designs and implementations,” said the developers.

The result is full latency compensation so that alignment of the various signals routed through Ardour is precise. There is also a new resampling engine, the ability to add sound effect processing to a track when recording, simultaneous monitoring of input and output, improved MIDI support (though there remains “significant work to do”), and an enhanced plug-in manager. On the audio format side, FLAC is now an option for Ardour’s native recording format, and MP3 import and export is now fully supported – the developers were formerly opposed to MP3 import because it is a lossy format and not intended for this use. There are hundreds of other new features, and experimental support for a web browser user interface using WebSockets.

Bogus Chrome Web Store Numbers

You can’t really trust the download numbers in the Chrome extension store, it seems. Users are being scammed.

Efforts to manipulate installation counts in Chrome Web Store extension listings appear to be alive and well, despite a developer’s personal crusade to call attention to the problem. Julio Marin Torres has been highlighting suspiciously popular Chrome extensions since January in posts to the Chromium Extensions forum, trying to get Googlers to enforce their store policies.

There are still thousands of extensions in the Chrome Web Store that artificially inflate their user count statistics, to make store visitors more inclined to believe the extensions are widely used and trustworthy. What happens after installation of one of these over-hyped extensions may just be a deluge of ads for users. For example, the AdBlocker for YouTube extension injects a JavaScript file for every webpage visited once installed. The code looks like it’s a scaffold for showing ads.

But Torres suggests there’s a risk this code could later be updated after the extension is widely installed to do something more nefarious. Torres has been gathering Chrome Web Store data and crunching the numbers to identify sudden surges in popularity. A list he posted on May 17 includes more than 80 Chrome extensions that purport to have massive numbers of users and yet have few if any user reviews. Other developers who have looked at the data say they’ve seen the same thing. The assumption is that unethical developers are spinning up virtual machines to download the extensions, to make them appear to be more popular in Chrome Web Store stats.


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.