SIDEBAR
»
S
I
D
E
B
A
R
«
[Danish] S&S: Android-x86 og Chromebook
Jun 8th, 2019 by miki

Lidt dråber fra Facebook.

Føler at hver eneste gang jeg forvilder mig derind, ender jeg i en fristil i forsøget på at hjælpe gud og hver mand.

Denne gang en snak om Android på “PC”, og basale digitale processeringsbehov for den almindelige dansker.

Spørgsmål

Stillet i gruppen “Danske Android Brugere “:

Er der nogen som ved, om man kan få en pc med Android system?

Svar

Mit svar:

Som andre omtaler, kan der fås en uofficiel variant af det frie styresystem Android til x86-arkitekturen (den gængse Intel/AMD-baserede computer kendt som “personlig computer”).

Det projekt lever på https://www.android-x86.org/. Installationsvejledning på engelsk er på https://www.android-x86.org/installhowto.html. Man kan både installere som multiboot på samme disk som et eksisterende operativsystem, starte fra en ekstern disk (USB-medie, cd/dvdrom e.l.) eller evt. køre i en virtuel maskine på et eksisterende operativsystem (VirtualBox,QEMU/KVM, VMware Player/Workstation).

Jeg har kun erfaring med livedisk boot fra USB og VM, og der synes jeg ikke altid tingene spiller perfekt, så forvent ikke en helt problemfri oplevelse.

“Android på PC” er på kanten af noget understøttet, hvor man ofte er på egen hånd. Nogle af folkene bag Andoid-x86 forsøgte at lave en kommerciel forretning på det, hvor det var tanken at sælge det som færdige hardwareenheder, RemixOS – https://en.wikipedia.org/wiki/Remix_OS, men det gik ikke så godt og er lukket ned igen.

Hvis behovet bare er “en bærbar computer uden for meget vrøvl”, så er en færdig Chromebook med Chrome OS (der ligesom Android også er bygget på GNU/Linux) eller noget af det der dyre Frugt-udstyr nok det mest tilgængelige (men jeg fornemmer at pris også kunne være en faktor?). Til forskel fra traditionelle operativsystemer til computere, er Chrome OS dog møntet specifikt på at få dig til at bruge Googles webbaserede tjenester (mere om softwaren bag på https://www.chromium.org/chromium-os), så hverken software eller hardware er beregnet til at lagre data på selve enheden, og der er sjældent meget diskplads tilgængelig til f.eks. billeder.

Et hurtigt kig på markedet identificerer Acer Chromebook 15 (https://www.edbpriser.dk/produkt/acer-chromebook-15-cb515-1h-c7kg/) og Lenovo S330 (https://www.edbpriser.dk/produkt/lenovo-chromebook-s330-81jw-3292492/) som populære Chromebook i 2k kr.-klassen, men kender ikke maskinerne specifikt.

God jagt :).

Micro:bit – Official Android mobile application maturity and future
Jan 31st, 2019 by miki

The support request replicated below was posted as ticket #20427 on Micro:bit support on 2019-01-31 22:19 CET spawned by discussion in F-Droid RFP #662 about inclusion of the official Micro:bit Android Companion application in the free software application store F-Droid.

Hi at Micro:bit Educational Foundation.

We are wondering a bit in the F-Droid free software community (https://gitlab.com/fdroid/rfp/issues/662) whether it is worthwhile for us to try to loosen the official Android companion application (https://microbit.org/guide/mobile/#og-app) from its non-free dependencies to make it available in the free software application store F-Droid (https://f-droid.org/).

This leads to a couple of questions you can hopefully help answering;

1) Do you regard the application as alive and supported?

The latest release of the application was v2.0 2017-01-17 (https://play.google.com/store/apps/details?id=com.samsung.microbit) and the publicly available code base (https://github.com/Samsung/microbit/) seems to have been completely abandoned. Only two commits were ever made by Samsung and no involvement with the community has been seen at all.

2) How come the big difference in maturity between the iOS and Android mobile applications?

It seems like the iOS application has received some more attention seeing regular updates through to v3.0.2 released 2018-11-01 (https://itunes.apple.com/gb/app/micro-bit/id1092687276?mt=8). Also it appears to have a much wider fetaureset (https://play.google.com/store/apps/details?id=com.samsung.microbit&reviewId=gp%3AAOqpTOGpgo4CF2qrry4qWqLXyj0TZaEEJcrTB-yZ61o4nJbqhq-2mBojlYQJP7BzdkAzseGaLD1sVO9fBv1R3sY) developed along the way by Insight Resources (http://www.insightresources.co.uk/microbit/index.html).

The Android application appears to have been more of a one-off project from Samsung having all sorts of issues especially with Bluetooth that has never been attended to (http://www.suppertime.co.uk/blogmywiki/2016/04/mobile-microbit/, https://support.microbit.org/support/solutions/articles/19000041104-diagnosing-bluetooth-problems-android).

3) Is there a plan to bring the application in better shape?

Some activity can be seen in repository forks and branches from the original Samsung committer ailrohit (https://github.com/Samsung/microbit/compare/master…ailrohit:school_project) and microbit-sam (https://github.com/Samsung/microbit/compare/master…microbit-sam:partial-flash) identifying as being from the foundation but none of this work seem to be included in releases yet.

4) If a freed fork is made for inclusion in F-Droid would you be willing and able to integrate the changes into the official sources?

F-Droid prefers an upstream source which can be directly built without non-free dependencies using an appropriate set of build options. This greatly simplifies maintenance and build efforts. A forked repository is already in place at the foundation’s Github organization (https://github.com/microbit-foundation/microbit-android) but is at the moment even with the stale Samsung repository.

Thanks for any clarifications you can provide.

Regards,
Mikkel

Setting free a Google Authenticator TOTP secret
Nov 7th, 2017 by miki

Below you’ll find an illustrated guide for freeing the authentication mechanism used by the Google Authenticator app for Android or iPhone for use on your favorite device (anywhere an implementation is available). In fact the Authenticator is using a standards based 2FA (two factor authentication) scheme defined by OATH (Initiative for Open Authentication) and published in RFC6238 dubbed TOTP – Time-Based One-Time Password Algorithm (more Authenticator background and it’s basis HOTP).

This is a rather fine contraption but Google doesn’t advertise it very loudly being a standard instead locking the generated TOTP secret into a QR code that they will only imply are for use by their own Google Authenticator. That is not true as a host of alternative Android OTP apps are compatible and can read the QR codes as they are based upon the Authenticator’s legacy as an open source application which Google took private.

Retrieve Google Account QR Code

Login to your Google Account (maybe using the authenticator?) and go to Account -> Security -> Signin -> 2-step verification.

Locate the “Authenticator app” section and Click “CHANGE PHONE” (really “CHANGE TOTP SECRET”).

Screenshot from 2017-11-06 22-32-05

In my country’s locale, Danish, this is BTW mistranslated as “SKIFT TELEFONNUMMER” = change phone number);

Screenshot from 2017-11-07 00-50-06

You’ll now get a choice between either iPhone or Android, this will only affect the link to the app store shown on next screen which also contains the QR code, the one we are really after:

Screenshot from 2017-11-06 23-03-44

Right click the QR code image, select to save it and put it somewhere you can find it (~/Google_TOTP_QR.png might be sensible).

Get your tools right

Install the QR-code decoder zbar for extracting the TOTP secet from the image and the OATH toolkit oathtool for generating future TOTP passwords using it. On Debian/Ubuntu this can be done by installing the packages zbar-tools and oathtool.

 

$ sudo apt install zbar-tools oathtool

 

Now extract the otpauth URI (seems to be a Google thing) by passing the image file to zbarimg;

 

$ zbarimg ~/Google_TOTP_QR.png
 QR-Code:otpauth://totp/Google%3Auser%40domain.com?secret=pca7uyfht7f6mfs7oiec4aeavxaevish&issuer=Google
 scanned 1 barcode symbols from 1 images in 0.02 seconds

 

The URI contains all parameters to input into the TOTP algorithm for generating a password usable for 2FA authentication, notably the secret key in base32 format. Defaults are not mentioned in the URI and are not necessary to specify explicitly for oathtool. So for the above URI specifying only a secret, a password can be generated as such;

$ oathtool --totp --base32 pca7uyfht7f6mfs7oiec4aeavxaevish
 491293

“491293” being the password, having a default validity of 30 seconds (called step size because of the counter based nature of the HOTP behind it).

If your are interested in the defaults assumed by oathtool they can be viewed by supplying -v to it (not showing TOTP mode=SHA512, I later added this feature in my oath-toolkit fork, and opened a MR) ;

$ oathtool --totp --base32 pca7uyfht7f6mfs7oiec4aeavxaevish -v
Hex secret: 7881fa60a79fcbe6165f72082e0080adc04aa247
Base32 secret: PCA7UYFHT7F6MFS7OIEC4AEAVXAEVISH
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2017-11-06 23:23:31 UTC (1510010611)
Counter: 0x30007F7 (50333687)

133339

 

Use & Behold

Enjoy having cut your reliance on the Google Autenticator, and opened up for your own choice of client:

Also see the dongleauth.info website for a list of other sites supporting TOTP and U2F.

Clean Up & Secure

Be sure to delete the QR code image when finished, and seek out a suitably secure place to store your TOTP secret. One solution could be using PGP encryption, maybe even through some clever management system such as pass.

Also educate yourself of the shortcomings of TOTP/HOTP and consider studying and using the FIDO U2F standard and related devices.

HTC One Stagefright disable instructions
Jul 29th, 2015 by miki

Until your device is sufficiently patched against the Stagefright vulnerabilty I recommend disabling automatic MMS retrieval on any Android phones from 2.2 and up (which is hopefully all in current use) to prevent unattended triggering.

Howtos for Google and Samsung devices are here.

Below are screenshots of how to do it on HTC One M7 using the stock (HTC Sense) messaging application called “SMS”. The procedure is likely to be very similar on most HTC devices using Sense.
The UI shown is in Danish locale, the English menus will be something like SMS->Settings->Multi Media Messages (MMS)->Automatic Retrieval.

wpid-wp-1438164382994.jpeg wpid-wp-1438164394794.jpeg wpid-wp-1438164402504.jpeg

Schneier discusses details here and this seems to be the commit in CyanogenMod for the underlying problem in the media library. Check aælso the issue’s review page

Google Play; no interaction with policy breaking app provider
Aug 8th, 2012 by miki

When dealing with policy enforcement for products that you distribute from business partners and whose sales your organization directly profits from, you’d think that you’d want to engage in some kind of communication with your peers before making drastic moves like shutting down distribution of these products. Especially when your peer is a national lottery organization partly owned by a European state, who is strictly professional about their business and which probably has a non-significant turnover facilitated by the product.

Well, if your are Google and runs the Google Play software distribution system for the Android platform, you apparently couldn’t care less. At least that is what a move today by Google implies, when banning an Android gaming app by Danske Spil, the national Danish lottery, who has a governement enforced monopoly on lottery in Denmark. This was done without any interaction with Danske Spil which of course was taken by surprise when realizing this, as reported (GTrans) by Danish tech magazine Version2.

Admittedly, as it stands now from an objective point of view, the app clearly breaks the content policy of Google Play which states that “We don’t allow content or services that facilitate online gambling”. So the real question, apart from the peculiar  behaviour of Google towards this app provider for Google Play, is for Danske Spil; “How on earth did you think you could distribute an app through Google Play which so blatantly is in direct violation of the content policy?”.

Maybe the endorsement by the Danish legislation has risen to their heads, making them think their monoploy in Denmark made them so special that they could ignore Google’s standard policies? The current response from Danske Spil is that the app had been previously “approved” by Google, whatever that means because to my knowledge there is no verification procedure as such for content on Google Play (that’s a point for further investigation when time permits) .

At the moment not only the app itself, but also the provider page for Danske Spil A/S is inaccessible at Google Play, even though marketing from Danske Spil still tries to lure new users to the lotteries provided by the app, both from the web, TV and electronic billboards.

If your business model relies on outside partners (and which doesn’t?), this might be a good occasion to take the time for a second thought about what dependencies it has. And especially who is in the power to pull the carpet below it without interacting with you.

If I had a business with parts, components or services not under my in complete control, I’d prefer a partner which had a fellow human representing him, with which I could meet and look into his eyes. That way a social bond is created, which hopefully increases the probability that I will know if anything is about to happen that affects my business.

»  Substance:WordPress   »  Style:Ahren Ahimsa
© 2019 Mikkel Kirkgard Nielsen, contents CC BY-SA 4.0