Jul 29, 2014

Google Android "Fake ID" Security Flaw Discovered: What You Need to Know

Bluebox Labs, the mobile security research team at Bluebox Security, announced the discovery of an Android flaw they have dubbed “Fake ID”. “Fake ID” abuses the digital signatures Android uses to verify that apps are who they say they are.

Essentially, the issue is that while Android checked that an app had the correct ID before granting it special privileges, it failed to check that the ID was in fact valid and not forged. As reported to the BBC, the researchers liken it to a visitor flashing a valid-looking badge to a security guard, but the guard failing to call the visitor's employer to verify he is who he says he is. “Fake ID” is concerning because no action or approval is required of the device owner and any actions taken are hidden. In one example, a forged certificate signature could be exploited by an app to impersonate Google Wallet to obtain payment data. The flaw is said to affect Android from the January 2010 release of 2.1 up to Android 4.3.

For in-depth technical details on how the exploits work, see Bluebox Lab’s post here.
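The distinction the post draws (checking that an app's certificate names the right issuer versus checking that the issuer actually signed it) can be shown with a few lines of certificate handling. The following is an added example written for this page; it is not Bluebox's or LastPass's code and does not reproduce Android's real package-verification logic. It constructs a trusted signing CA, a genuine app certificate issued by that CA, and a self-signed certificate whose Issuer field merely claims the CA's name; all names and keys are constructed for the demo. `NameOnlyCheck` models the defective pattern described above, and `SignatureCheck` is the check that should have been made.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed name for the demo; not a real Android signing identity.
const trustedCAName = "Demo Trusted Signer CA"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for subject with signerKey. The Issuer field is
// copied from issuerTemplate.Subject, which is what lets us build a leaf that
// *claims* the trusted CA as its issuer while actually being self-signed.
func issue(serial int64, subject string, isCA bool, pub *ecdsa.PublicKey,
	issuerTemplate *x509.Certificate, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuerTemplate == nil {
		issuerTemplate = tmpl // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerTemplate, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NameOnlyCheck models the defective logic: the leaf's Issuer name is compared
// to the trusted signer's Subject name, but the signature is never verified.
func NameOnlyCheck(leaf, trusted *x509.Certificate) bool {
	return leaf.Issuer.CommonName == trusted.Subject.CommonName
}

// SignatureCheck is the correct logic: the leaf's signature must verify under
// the trusted signer's public key (CheckSignatureFrom also requires the signer
// to be a CA permitted to sign certificates).
func SignatureCheck(leaf, trusted *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(trusted) == nil
}

// Scenario holds the three constructed certificates used by the demo.
type Scenario struct {
	CA, Genuine, Forged *x509.Certificate
}

// BuildScenario creates the trusted CA, a genuine leaf it signed, and a
// self-signed leaf whose Issuer field only names the CA.
func BuildScenario() Scenario {
	caKey := newKey()
	ca := issue(1, trustedCAName, true, &caKey.PublicKey, nil, caKey)

	appKey := newKey()
	genuine := issue(2, "Genuine App", false, &appKey.PublicKey, ca, caKey)

	// The forged leaf: issuer name copied from the CA, signature made with a
	// key the CA never saw.
	otherKey := newKey()
	fakeIssuer := &x509.Certificate{Subject: pkix.Name{CommonName: trustedCAName}}
	forged := issue(3, "Fake ID App", false, &otherKey.PublicKey, fakeIssuer, otherKey)

	return Scenario{CA: ca, Genuine: genuine, Forged: forged}
}

func main() {
	s := BuildScenario()
	for _, c := range []struct {
		name string
		leaf *x509.Certificate
	}{{"genuine", s.Genuine}, {"forged", s.Forged}} {
		fmt.Printf("%-8s name-only check: %-5v signature check: %v\n",
			c.name, NameOnlyCheck(c.leaf, s.CA), SignatureCheck(c.leaf, s.CA))
	}
}
```

Run as-is, the name-only check accepts both certificates while the signature check accepts only the genuine one, which is the whole difference between "the badge looks right" and "the employer confirms the badge". In a real verifier the signature check is not optional: the issuer name is attacker-controlled data, and only a signature made with the trusted key ties a certificate to that issuer.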

Does this affect the LastPass Android app?

If you do not install apps from untrusted sources, you're likely safe. Google has scanned all of the apps in the Google Play store and confirmed they have not seen anyone attempt to exploit this flaw to date. Since the flaw has only just been disclosed, it is unlikely that any malware has been written to take advantage of it yet.

Because it can be used to exploit this flaw, we have disabled the Adobe Flash plugin from loading in the LastPass browser, and have issued an update to our app. This affects only Android 4.3 and earlier, since Android 4.4 and later does not include Flash, and is therefore not susceptible to this bug. Even if a malicious app were to gain control of the device, all it would be able to get from LastPass would be a highly encrypted, unusable blob of data. Disabling offline access in the LastPass app’s preferences would also prevent this blob from being stored locally.

Advice on actions to take:

While this flaw is serious, most Android users should be able to avoid being affected by:
  • Only downloading apps from the Google Play Store - apps downloaded from outside the store are not regulated by the app store policies.
  • Avoiding untrusted apps - only download apps published by companies you know and trust.
  • Removing unused or untrusted apps from your devices.
  • Updating your phone to the latest Android version available with this issue patched.

We remain vigilant of any security discoveries that may affect the LastPass community and will update our users if any other details come to light.

Jul 28, 2014

User Case Study: Why a Financial Planner Uses LastPass

My clients place a high level of trust in me to provide them with the advice and guidance they need to achieve their financial goals. They also trust me to protect their confidential information and ensure that what they share with my firm is always secure. This includes everything from investment account statements and tax returns, to their life insurance policies and estate plans.

As a financial planner and investment advisor, I take password security and encryption very seriously. I do everything in my power to safeguard sensitive client and business information at all times. When it comes to preventing unauthorized access to bank and investment accounts, there is literally no room for error.

That's why I'm honestly not sure what I would do without LastPass. I use LastPass literally every day to manage nearly 300 complex business and personal passwords. Considering that my typical password is 12 to 16 random characters, including upper and lower case letters, numbers, and symbols, there is no way I could remember all of them without it.

Likewise, I need a way to access my passwords on-demand and from anywhere. With LastPass, it doesn't matter if I'm working at the office, from home, or on the road; I can log in to any site I need to quickly and easily. Even better, I can access LastPass from my desktop, tablet, and my smartphone.

Most importantly, because LastPass encrypts data locally, before it is transmitted over the Internet, I feel much more confident about storing passwords with the software. This is absolutely critical when it comes to any login that I use to access client information. I simply won't do it any other way.

Although there are many features that I really love with LastPass, there are three that really stand out for me:

  • Multifactor authentication – As secure as my master password might be, I believe that a second form of authentication is an absolute must. With LastPass and Google Authenticator I have a simple two-step verification system to ensure that even if my master password was compromised, my other passwords would still be safe. Tip: If you are a Google Apps for Business user, you can enable two-factor authentication for your Google account as well.
  • Auto-generate secure passwords – One of the biggest downfalls when it comes to password security is the repeat use of the same (often weak) password across many different sites. I admit that before finding LastPass the only time I used a different password was if a web site forced me to because of specific restrictions on the characters they'd allow. Thankfully, I wised up several years ago and changed every important password I use to a new one that I randomly generated using the LastPass secure password generation tool. Creating complex, random passwords literally couldn't be any easier.
  • Auto-save and update on the fly – The LastPass plugin (in my case for Chrome) is a web user's dream. Not only can I log in automatically to almost any site on the web (with a master password re-prompt of course), but I can also save new passwords on the fly. Finally, whenever I change a password, LastPass knows and asks me if I want to update the existing entry or save a new one. This makes password management so easy, you almost forget about it.

As someone who is committed to putting clients first, security is a top priority. I've worked for companies before that literally stored usernames and passwords in an Excel file. If that sounds familiar, you need LastPass! With LastPass available on Windows, Mac, Linux, and mobile, there is no reason to risk exposing your personal or your professional passwords to the world. If you aren't using LastPass, download it today and give it a try. It's free and I promise you'll love it!

Jonathan K. Duong, CFA, CFP® is a fee-only investment advisor and financial planner in Denver, CO. He is the president of Wealth Engineers, which he founded to provide an alternative to the high costs and conflicts of interest of a typical financial advisor. Jonathan specializes in working with busy professionals, entrepreneurs, and athletes to help them navigate through the unique financial challenges they each face and build a more confident path to achieving their goals. Thank you, Jonathan, for coming on the LastPass blog to share your story!