You are currently browsing the category archive for the ‘Android’ category.

I was reading this report this morning and I must confess that I was not surprised. Long story short, many devices out there running Android have ADB actively listening on port 5555, essentially leaving those devices out there exposed with a nice and convenient sudo backdoor.

Android’s Debugging Bridge is a tool that allows communicating with a device, execute commands and, essentially, fully control the device with a sudo shell-like terminal. It is not authenticated or secured, but in order to use it, one must have physical (USB connection) to the device and manually toggle Debug Mode on the phone. This makes this backdoor on an Android device at least hard to access by an adversary. However, it has been discovered that many devices out there allow access to ADB via the network simply by connecting to port 5555.

It is not surprising that, as a result, there’s been a massive spike in port-scanning of port 5555 recently. And so far researchers discovered already a malware/botnet that exploits this to mine cryptocurrencies on Android devices.


So far it’s a botnet mining bitcoin, but the worst case scenario of a sudo backdoor on an Android device is pretty bad. It will be interesting to learn more about what types of devices this is affecting. According to the report, they have found “everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.

ADB open listening to port 5555, what could possibly go wrong?

I was reading last night about Blackphone, one of the most interesting things presented at the recent Mobile World Congress in Barcelona. This new handset is being developed by a Spanish startup (Geeksphone) in partnership with the US-based security firm Silent Circle. The whole system appears to be based on a security-enhanced version of Android known as PrivatOS.

This phone is clearly a very interesting idea and a product to consider, specially because it is the first time someone does an actual step towards ensuring privacy of communications for smartphone users. However, I would like to have more details on how everything work. Blackphone claims that it can do encrypted voice calls, but something tells me that this is probably only possible among Blackphones and you cannot have an encrypted call with a “normal” phone. Moreover, this is not something new, as there are apps out there that allow to do the same things on, for example, an Android phone. The only privacy concern with those is whether the server running the app in the background gets to “see” the messages or not. And the same question applies to the Blackphone. I am assuming that, if the crypto is well done, everything stays within the phones involved in the “secret call”. But, again, having more tech details would be helpful.

On top of secured calls and messages, which can already be done with several well known apps (for example RedPhone), Blackphone has other interesting features, such as a fine-grained control of the permissions each app gets. On top of that, Blackphone does very simple things automatically, such as configuring WiFi in a way that it is not trying to connect to any hotspots it senses (avoiding potential Man-in-the-Middle attacks). It also seems to offer a way to remotely wipe the device without requiring a centralized service (like the Find My Phone feature from iCloud). I wonder how they do this, though, and how they address the wipe command from an arbitrary place in the Internet (i.e. my home computer) to the Blackphone without a server somewhere in between that keeps an open connection with the phone.

All in all, a very interesting phone, yours for 629$.


It took me a while to figure this out. I have an app that I coded and it runs a service in the background. Given a specific event, I want to show an alert on the screen. How to do it?

All the ways I tried would work nicely, but the alert would only pop up when I opened the activity that started the service in the background. My goal was to have a “global alert” that will show up on the screen right then and there, no matter what the user is doing or what activity is controlling the screen. And, if the screen is locked, the alert should be displayed as soon as the user unlocks the phone.

Here is how you do it:

  • First create a new class (activity). We will call it displayAlert:
public class displayAlert extends Activity {

    private boolean doDisplayAlert;

    private static final boolean D = true;
    private static final String TAG = "tagYouUseForYourApp";

    public void onCreate(Bundle savedInstanceState) {

        if(D) Log.i(TAG, "+++ ALERT starting alert class. +++");
        if(D) Log.i(TAG, "+++ ALERT getting Intent. +++");

        //Get intent and boolean "proceed" field within.
        Bundle bundle = getIntent().getExtras();
        displayAlert = bundle.getBoolean("proceed");

        if(D) Log.i(TAG, "+++ ALERT got Intent. +++");

        if(displayAlert == true){

             if(D) Log.i(TAG, "+++ ALERT do display alert. +++");

             // custom dialog
             AlertDialog.Builder dialog = new AlertDialog.Builder(this);
             dialog.setTitle("Write here whatever you want to display in the alert message as title.");
             dialog.setMessage("Text content of the alert message.");

             dialog.setPositiveButton("OK", new DialogInterface.OnClickListener() {
                 public void onClick(DialogInterface dialog, int whichButton) {
                      //Do something when the user clicks OK to close the alert (optional)


             dialog.setNegativeButton("Ignore", new DialogInterface.OnClickListener() {
                 public void onClick(DialogInterface dialog, int which) {
                     //Do something if the user chooses to ignore the alert (optional)



             if(D) Log.i(TAG, "+++ ALERT do not display alert. +++");

             //Do something in the case the service does not want you to display an alert.
             //Actually, you can use this code to display two types of alert depending on the
             //value of the boolean that the service passes to this class ("proceed")


  • Now, in the code of your service you will have something running. If you want to display the alert, you use the following code:
if(D) Log.i(TAG, "+++ SERVICE starting displayAlert activity to show an alert. +++");
Intent showAlert = new Intent(applicationContext,displayAlert.class);
showAlert.putExtra("proceed", true);
if(D) Log.i(TAG, "+++ SERVICE displayAlert activity went well. +++");
  • Note that this code needs the context of the parent application (applicationContext). What I do is to pass the context when I create and start the service.
  • Remember to define the class in the manifest file (add this code within the <application>. There should be first your main activity, then the service and then you can add the displayAlert activity)
android:label="@string/AlertActivityName" >
  • That’s it!

I hope this is useful.

Pennywise is on shuffle on Spotify at the moment. Have a good one!

As some of you, I am an amateur Android developer, who is getting better and better. For work it’s good to have demos of certain projects running on a phone and it is always useful to have actual implementation results when submitting a paper. I learned Android literally in 2 days because I was already decent in Java and because, as in Java, pretty much everything is done for you and you just have to put pieces together. I am able to code simple apps with all types of functionalities.

(At this point I want to take a quick break to share the fact that I am listening to Don’t Tread On Me by Metallica, an awesome song, and it is thanks to the glorious agreement between Metallica and Spotify)

So far I had been able to, with a decent amount of work and time, figure out everything I needed for all kind of apps. However, I needed to move on and have things running in the background as a service. It took me 3 days of struggle and headaches to get it done. And the Android developer guide did not help at all. So I have decided to share this with whoever is interested. This is how you have a simple service running in the background. Adding any extra code and functionality to this should be trivial.

Simple background service in Android step by step

(Note that most of the functions and code is from the official Android sample files. I am not giving any proprietary code or anything that is my new creation. I just explain well step by step how to put all the pieces from Android sample code together. Android’s developer site does a very poor job at it.)

(Note that this is a simple amateur way to do it. I am sure there are other ways that are way more efficient)

  • You should have an activity already coded and working well
  • Create a new class that extends service. In this example we will call it
  • In the app’s Android manifest file add this after </activity>:

<service android:enabled="true"

  • Add to your activity the following variables:

private static final String TAG = "testService"; //For debugging

private boolean serviceOn; //Boolean that logs if the service is ON or OFF

Messenger messengerToService = null; //To send messages to the service

//Class for interacting with the main interface of the service (Extracted from <a href="">the official Android sample code</a>)
private ServiceConnection mConnection = new ServiceConnection() {
     public void onServiceConnected(ComponentName className, IBinder service) {
          // This is called when the connection with the service has been
          // established, giving us the object we can use to
          // interact with the service.  We are communicating with the
          // service using a Messenger, so here we get a client-side
          // representation of that from the raw IBinder object.
          messengerToService = new Messenger(service);

          Log.e(TAG, "+++ Connected to service +++");

     public void onServiceDisconnected(ComponentName className) {
          // This is called when the connection with the service has been
          // unexpectedly disconnected -- that is, its process crashed.
          messengerToService = null;

          Log.e(TAG, "+++ Disconnected from service +++");

  • Implement the following methods in your activity:

void doBindService() {
         // Establish a connection with the service.  We use an explicit
         // class name because there is no reason to be able to let other
         // applications replace our component.
         bindService(new Intent(this,TestService.class), mConnection, Context.BIND_AUTO_CREATE);
         serviceOn = true;
         Log.e(TAG, "+++ Binding to service +++");

void doUnbindService() {
     if (serviceOn) {
          // If we have received the service, and hence registered with
          // it, then now is the time to unregister.

          // Detach our existing connection.
          serviceOn = false;
          Log.e(TAG, "+++ Unbinding from service +++");

  • Now you just have to add the following code where you want to turn ON or OFF your service. Note that the service will run in the background until you either turn it off manually with this code or your activity is destroyed. In other words, the service still runs in the background even if you minimze the activity or you open another app or whatnot. However, I am sure that this is not really efficient so do not use it for an app you want to make commercial. This is mostly an “amateur” solution.

//Bind to service (To turn service ON)
if (serviceOn == false){
     if(D) Log.e(TAG, "+++ Executing doBindService +++");
     mConversationArrayAdapter.add("WEIRD.Already connected...");

//Unbind from service (To turn service OFF)
if (serviceOn == true){
       mConversationArrayAdapter.add("WEIRD.Already disconnected...");

  • Now let’s look at the service class you created. You will need the following variables:

private static final String TAG = "testService"; //For debugging

//Target we publish for clients to send messages to IncomingHandler.
final Messenger mMessenger = new Messenger(new IncomingHandler());

//CODES (the messages you want to be able to send from the activity to the service. I am showing 2 examples, but they could be anything)
static final int MSG_SAY_HELLO = 1;
static final int MSG_SAY_BYE = 2;

  • These are the methods you will need:

public void onCreate () {
    //One-time set-up procedures
    Log.e(TAG, "+++ SERVICE ON CREATE +++");


public void onDestroy () {
    //Close files, disconnect stuff, etc
    //If the service wants to autodestroy itself, the code should call stopSelf()
    Log.e(TAG, "+++ SERVICE onDestroy +++");

    // Tell the user we stopped.
    Toast.makeText(this, R.string.remote_service_stopped, Toast.LENGTH_SHORT).show();

public IBinder onBind(Intent intent) {
    Log.e(TAG, "+++ SERVICE onBind +++");
    return mMessenger.getBinder();

private void handleCommand(Intent intent) {
    // TODO Auto-generated method stub


class IncomingHandler extends Handler {
    public void handleMessage(Message msg) {
    switch (msg.what) {
        case MSG_SAY_HELLO:
            Log.e(TAG, "+++ SERVICE received order to say hello +++");
            Toast.makeText(getApplicationContext(), "hello!", Toast.LENGTH_SHORT).show();
        case MSG_SAY_BYE:
            Log.e(TAG, "+++ SERVICE received order to say bye +++");
            Toast.makeText(getApplicationContext(), "bye!", Toast.LENGTH_SHORT).show();

  • And that’s it. Now, when you do doBindService() in your activity the service starts. To stop it, just use doUnbindService() in your activity.
  • To send a message to the service to make it say hello or by (as per the example used here), just use this code in your activity:

if (serviceOn){
    Message msg = Message.obtain(null, TestService.MSG_SAY_HELLO, 0, 0);
    try {
    } catch (RemoteException e) {

And that’s it. Simple and easy.

(The Struggle Within is playing now… have a nice weekend everyone!)

Today’s post will sound a bit random. Lately I have been very busy for various reasons (among them a deadline, let’s cross our fingers…) and I haven’t posted in a couple of weeks. In order to get back to my blog, I decided to share some thoughts on a few things I have been working on for fun over the last few months…

For a while I had been wanting to learn how to program apps. Everybody does it so, why not me? Given that I have an iPhone and that I love anything related to the iPhone and the iPad. However, when I was ready to start, I found out something that, to me, sounds ridiculous and stupid: You need a MAC computer to program apps for iOS. I immediately decided that I would not lear to program apps for iOS and added this Apple “feature” to the list of things I really dislike from Apple. Very close to the top. Very close to the overpriced and unnecessary accessories (Not only they force people to use this to connect to a display when every single non-MAC computer has a VGA connection, but they also charge you 30$ for it).

I decided to move on to Android. I liked it right from the moment I started. I already knew a bit of Java and it is really like programming in that language. Everything is already programmed for you, literally anything, you just need to put the pieces together. Once I understood the xml files, how to create a layout and how to “reference” layout sections from within the code, I was able to program decently complex apps.

Over the last 6 months I have been using Python a lot. I still dislike it quite much (I wrote a couple of posts about it earlier this year), but I have to admit that it is way faster than Matlab processing data. I am able to read and digest massive files of a couple of Gb very fast, something just impossible with Matlab. It is also much better than Matlab in digesting files with a non-standard or predefined format. The only thing I miss is that, beyond the Python documentation itself (very useful but extremely limited) there is no good big sources for samples of code. So, I end up looking up for stuff on Stack Overflow all the time.

I have been playing with the Arduinos lately. I love them. So easy to code and so many libraries and pre-coded functions and features. Like in Android/Java, it is just a matter of putting pieces together.

That’s it. Nothing new in this post. I just wanted to share some thoughts and get back into the blogging mode. I will try to post something at least a couple of times per week. And now, for you geeks out there like me, let’s all go watch The Avengers this weekend!

I was just told this morning during an early morning coffee with a friend about a new vulnerability found in Google Wallet. I was going to try to find information on it at work but it was not necessary. It was highlighted in the daily news digest of the industry that we get. Everyone out there is talking about an unbelievably simple and, in my most humble opinion, absurd vulnerability in Google Wallet.

The presented threat does not even require hacking skills or complex tools. You just need somebody else’s phone – either second hand bought or stolen/”found” -. Apparently, the way Google Wallet works is such that the system gets synched with your device – the phone – instead of your Google Account. Despite there is a PIN to add an extra layer of security, if somebody erases all the data of the Wallet app and runs it again, it asks for a new PIN and allows you to use the Google Wallet Account and funds the previous user/owner had. Just as simple as that.

Google has acknowledged the threat and are offering a quick initial fix, consisting on providing a phone number to call to cancel the account linking for people who lost their phone or wants to sell it. They are also working on an automatic fix to happen with an update of the app.

Read about this incident on the NYTimes, Electronista, TechCrunch and The Smartphone Champ.

Do you own an EVO 4G, EVO 3D (really? why would you buy a 3D phone?), Thunderbolt, EVO SHift 4G, MyTouch 4G Slide…? Then you better read this.

A new vulnerability in HTC Android phones has been found. In a similar way as it happened with iPhones, the device is logging a whole bunch of data for no apparent or known reason. However, unlike it happened with the Apple devices, this log files are easily accessed by any app installed on the phones listed in the first paragraph. Long story short, if you have any of these phones and you give Internet connection permissions to an App (permission that most of the apps will require and request), that App has full access to (extracted from Android Police):

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Despite HTC was informed of the vulnerability a couple of days before making it public, there has not been an official response yet. Meanwhile, if you have one of those phones, watch out what Apps you download.

The person who discovered the vulnerability has created a Proof of Concept app to show the kinds of data the phones are releasing:

Read more about this story here.

This morning while having breakfast I was reading the news, as I always do. I found out about a very good news and a very interesting news. The very good news is that there will be a 4th Austin Powers movie – hooray! – and the interesting news is the one I talk about here…

Google has reached an agreement to acquire Motorola Mobility for 12500$ million. With this operation Google is aiming to strengthen its mobile OS Android. The operation comes after a series of disputes on patents that Google went through recently and after the unsuccessful attempt to acquire the patent portfolio of Nortel.

Larry Page commented on the acquisition on Google’s official blog:

Motorola is also a market leader in the home devices and video solutions business. With the transition to Internet Protocol, we are excited to work together with Motorola and the industry to support our partners and cooperate with them to accelerate innovation in this space.

Motorola’s total commitment to Android in mobile devices is one of many reasons that there is a natural fit between our two companies. Together, we will create amazing user experiences that supercharge the entire Android ecosystem for the benefit of consumers, partners and developers everywhere.

This acquisition will not change our commitment to run Android as an open platform. Motorola will remain a licensee of Android and Android will remain open. We will run Motorola as a separate business. Many hardware partners have contributed to Android’s success and we look forward to continuing to work with all of them to deliver outstanding user experiences.

We recently explained how companies including Microsoft and Apple are banding together in anti-competitive patent attacks on Android. The U.S. Department of Justice had to intervene in the results of one recent patent auction to “protect competition and innovation in the open source software community” and it is currently looking into the results of the Nortel auction. Our acquisition of Motorola will increase competition by strengthening Google’s patent portfolio, which will enable us to better protect Android from anti-competitive threats from Microsoft, Apple and other companies.

The combination of Google and Motorola will not only supercharge Android, but will also enhance competition and offer consumers accelerating innovation, greater choice, and wonderful user experiences. I am confident that these great experiences will create huge value for shareholders.

There is still a lot of details to be revealed but I am wondering what are Samsung and HTC going to think about this deal. Both of them partnered strongly with Google to release the G1, G2, Nexus One and Nexus S.

Read more about the deal in Engadget, Forbes and Wired Magazine.

I read in the news yesterday that some initial details on the new Google phone, due to be release next Fall, had been leaked. It is expected to have a huge 720p display and to be fueled by a double core 1.2GHz or 1.5GHz processor. It is also expected to be already LTE-compatible, hence the rumored name: Nexus 4G. It will run Android 4.0 (ice cream sandwich).

This new Google OS for mobile devices is expected to be equipped with Near Field Communications (NFC), so it might be the first phone that can really be used as a wallet for all kind of payments and transactions. And you might be able to use it to open doors for which you usually require a card.

Read more about it at BGR.

Additionally, we can expect a 4G LTE radio, 1GB of RAM, 1080p HD video capture and playback, a 1-megapixel front-facing camera, and a 5-megapixel rear camera. The 5-megapixel camera, however, is said to be an advanced 5-megapixel sensor delivering class-leading image quality in addition to superior low-light performance. The Google Nexus 4G will run Android 4.0 (Ice Cream Sandwich) and hold everything together in an ultra-thin package. We were told that Google is aiming to make the phone available around Thanksgiving, and our source couldn’t confirm a carrier, leading us to believe this might be one of the first AT&T 4G LTE smartphones. It’s also possible that this device will just be the flagship/reference Ice Cream Sandwich device — just like the Motorola DROID and Motorola XOOM were for Android 2.0 and Android 3.0, respectively — and not a Google Nexus-branded product, so we’ll have to wait and see. In either case, this sounds like an incredible phone regardless of what label is under the dress.

More information at Gizmondo and PC World.

The new Kyocera Echo will be released soon on Sprint’s network. At a cost of 200$ with a 2 year contract, this phone is the first smart phone to hold two touch screens. By flipping it in a similar way one would un-hide the keyboard of TMobile’s G2, the second screen can be aligned with the main one, creating a big 4.7 inch display. However, it seems that, the bulky shape of the phone makes it unable to lay flat once both screens are aligned.

The device, which is a bit bulky, weights 6.8 ounces and is noticeably heavier that an iPhone 4 or a Blackberry Bold. Also, it seems that only seven of the phone’s apps work in the mode that runs an app on each screen.

Read the full review at the Wall Street Journal.

It has a five-megapixel camera with a flash, built-in GPS, one gigabyte of on-board memory and an eight-gigabyte microSD card that comes with the phone. It runs Android 2.2, though a Sprint spokeswoman said the Echo will be upgraded over-the-air to the newer 2.3 Android operating system before the end of the year.

Users might worry about the Kyocera Echo’s battery life since it has two screens.

Sprint estimates the phone’s talk time battery life to be about seven hours, and I usually made it through the day without charging my Echo. The phone comes with a spare battery, which can be swapped out for your original battery or can act as a power source if used with a portable charger that plugs into the phone.

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.
About me:

Blog Stats

  • 147,509 hits

Twitter feed

Enter your email address to follow this blog and receive notifications of new posts by email.