Review Norton Mobile Security for Android

Along with a review for Norton Internet Security 2012, Evebugs also asked me to review the Norton Mobile Security for Android App.

Initially, I installed the App to the SDCard, which is only possible if you have a rooted phone to begin with. I was surprised that the App detects that and gives out a warning that it must be moved to the phone memory. After moving the App, it started without any problems and asked me for my Norton Account and licence key. Once that is entered, the app offers Anti-Theft, Anti-Malware, Call & SMS Blocking and Web Protection.

The Anti-Theft module works by setting an unlock keyword and then setting up a buddy list that can actually use the keyword. It allows anyone that is on that list and has the password to remote wipe, lock or locate your phone. It will also trigger a password promt screen everytime the sim card is changed.

The remote locate feature will send back 2 sms, the first only containing the GPS coords and accuracy, the second containing a link to google maps. I tested this with GPS off and got a completely wrong result, several kilometers away where my wifi used to be a year ago (SSID never changed). I don’t know if it’s Googles’ fault or Nortons’ but it’s extremely misleading to report an accuracy of 60 meters on a completely wrong location.

The remote lock worked good, sending back an SMS that it succeeded. However, with the taskswitcher and home button I could catch quick glances on other apps content, like the messages. It was not possible to remove the lockscreen without the password.

The malware Scan runs extremely fast, even when scanning the SSD along with it. I do not know about the quality, but I guess Norton knows how to find malware.

The call and SMS blocking works reliable as well. If called by a blocked number, the incoming call will appear for less than a second in the notification area and then be denied with a “busy” message. It did trigger my Tasker script for incoming calls, so it is not completely blocking everything. Still does an OK job tho.

The Web Protection should block fraudulent sites in the browser, but only works for the standard Android Browser. In my tests with Cyanogen Mod 7.0, I saw absolutely no evidence of the app doing anything in the browser. The Web Protection also proclaims it needs a “stable network connection to effectively block fraudulent Web sites” which makes me belive that the app either proxies all traffic through a Norton service, which would be a HUGE privacy problem, or it checks each Web request in paralell to my browsing, which will make browsing alot slower. Also, in the context of a mobile phone, how do you determine if you have a stable connectoin? When on EDGE/2/3/4G? WLAN? This feature has too many unknown implications for my taste.

I could not see any impact on my battery life while having it running, which is a very good thing since my battery is rather old and only lives for about 15 hours to begin with. In contrast to the desktop software, the interface of the Android App is clean and easy to use and generally does not leave any unanswered questions apart from the mentioned questions about web protection.

I personally will keep the app on my device, but for most of the features there are free alternatives around. I hope for some updates in the future that provide more features, like automatically enabling GPS when I want to locate my phone, making it ring and vibrate on a keyword or enabling me to locate the phone from a web browser instead of a 2nd cellphone.

Did this help? Then please consider donating.
I do not need nor want money instead buy me some music so I can have fun while writing another review! CDs (Amazon)
Alternatively, I am also totally into books. Books (Amazon)

Review Norton Internet Security 2012

The officcial Norton Internet Security 2012 Site promises a ton of good features that will catch the attention of the average customer. But what’s behind the marketing? Evebugs asked me to find out, and so I did.

I will not talk about how good Norton Internet Security 2012 is at things like finding viruses and malware or how fast it updates, that requires expert knowledge which I simply do not have. Instead, I had a good look at the usability and features it provides from a customer point of view.

So, let’s start with the very first thing that you encounter: The Setup.

The Setup only took a minute or two, but never gave me any options. I never got the chance to change the install location, set any options or generally do anything but clicking install. I am notoriously lacking space on my hard drive and would have loved to install the whole thing on a different partition – not a chance. Once the sorfware is installed, it presents a very good looking, yet not in any way standardized, user interface. It features a damn cool live view (or at least it claims to be live) of virus activities around the whole world. The setup also installs a Windows widget on my Desktop, obviously without me agreeing to that. At the first start I had to create an account at Norton so I could start using the software. The account holds the days left of my subscription as well as an email address and a password.

Once the Setup was done, I quickly checked all settings and the first major minus point for the software hit me right there: There was no update triggered of the virus definitions and signatures. The GUI happily proclaimed – in green font – that my definitions are 73 days old. I am normally used to antivirus software screaming at the top of its virtual lungs when the definitions are older than 10 days, but this does apparently not happen here. So I started a manual update, which downloaded some 13 updates and then asked for a reboot – ouch. There should realy be no need for a reboot anymore, especially not under Windows 7. So after a reboot, I had a quick check at the default settings.

The default settings seem ok to me, and will work for most people. The only thing I do not understand is why removing of infected compressed files is not activated by default. Apart from that, everything looks ok. A very nice feature is, after disabling things like the firewall and re-enabling them, the software starts a so called quick scan of vital parts. The proclaimed “quick” scan took about 15 minutes on my machine and did not allow me to hide the window, which is annoying at best. Also, while the scan was running, the rest of the application was extremely slow to react to user input. A positive surprise was that the scan also killed a few tracking cookies from my system, a feature I have not yet seen in an antivirus.

But after that, the negative things started to come up. Don’t get me wrong, there are a lot of good ideas in this software that I have not seen in other products, but they all have the same problem: The new Norton Internet Security 2012 suite is another example for good intentions with bad implementation.

It is a great idea to implement IM scanning, but it only supports a few officcial clients. The list is realy short: Yahoo! Messanger, AOL Instant Messanger, MSN Messanger and Trillian. Why not support pidgin or miranda? They are realy wide spread, and the big player that’s missing is Skype. And as far as I know, most malware uses IRC to receive commands, so checking that would have been a good idea too.

Same story continues with the Identiy Safe and the mail scan. The Norton website says that the Identity Safe supports Chrome (not tested), the Interface only shows me options for the Internet Explorer. Hello? Firefox anyone? After checking my addon list in Firefox I found the problem: They install a plugin, but it isn’t compatible with Firefox 7.0.1. Also, I do NOT trust a software that saves my CreditCard information, along with logins and passwords to the cloud, even if it would make my life a bit easyer because of the sync feature. The mail scan only showed options for Microsoft Outlook and Outlook Express, I did not even bother checking if it can tap into Thunderbird. Also, shouldn’t it scan Windows Live Mail instead of Outlook Express? Just a thought. Also, when configuring mail scanning the software offers a GUI to select the ports for SMTP and POP, but when I tried to change SMTP scanning to port 993, I was greeted with an error telling me that is no standard port for SMTP. Well yea, it is used for TLS, but what if I realy have unencrypted SMTP traffic over that port? Apparently, Norton decided this is not possible.

The firewall is also rather strange. It is set up to auto learn about programs, but during all my testing, it never blocked a single program or asked if I want a program to connect to the internet. So, without granting access I could for example use SSH, Firefox, Skype, Pidgin, Thunderbird, Windows Explorer with remote shares etc. The list goes on and on, but I never was promted for permission. In fact, I am not sure if the firewall actually does anything at all agains outgoing traffic with the default settings.

The Interface itself is also not optimal. It has fancy animations and a truckload of buttons and links and requires a lot of searching reading and clicking around to find a specific setting. Most settings end up in a link that opens a new window. It is simply not possible to quickly check any setting with this, and some windows that pop up only offer 2 settings – why this cannot be handled in the main window is beyond me.

Conclusion: I like the fact that they include tracking cookies in the scan and some of the features realy have potential but still lack support for quite a few important clients. I absolutely hate the fact that the software seems to save everything it can in the cloud, especially Login and Credit Card information and that the standard settings for the firewall seem to do nothing. If those things are fixed, I might consider reinstalling the product, but until then I will stay away from this.

Did this help? Then please consider donating.
I do not need nor want money instead buy me some music so I can have fun while writing another review! CDs (Amazon)
Alternatively, I am also totally into books. Books (Amazon)

Bash script to migrate from SVN to git

At work we took the decision to switch from the good old SVN to git. To ease all the work, I wrote a small bash script that takes 2 arguments, the SVN repository name and the git repository name and moves your code cleanly to git.
It also requires a file users.txt that is located in the same folder as the script which has the following layout (1 user per line).

meredrica = Florian Westreicher 

The file is needed to map the SVN users (meredrica in this case) to the git users.

And finally, here’s the script. Make sure you change the svn/git urls before running it.

#!/bin/bash
PROJECT=$1
GIT=$2
mkdir temp
cd temp
/usr/bin/git svn init http://localhost/svn/$PROJECT --no-metadata
/usr/bin/git config svn.authorsfile ../users.txt
/usr/bin/git svn fetch
cd ..
mkdir $PROJECT
/usr/bin/git clone temp $PROJECT
rm -rf temp
cd $PROJECT
/usr/bin/git push ssh://git@localhost/$GIT.git master
exit 0

Thanks go to Jon Maddox for his guide over at his blog

Saving and restoring Singletons

The Singleton pattern is one of my most favorite patterns. I use it for writing services, as controller in MVC and sometimes as settings storage.
Here’s the code how to create a Singleton in Java:

public class Singleton {
   public static Singleton instance = new Singleton();

   public static Singleton getInstance() {
      return instance;
   }

   private Singleton() {
   }
}

Sometimes you want or have to restore a Singleton and this is where it can get problematic. You could try to expose the internal state of the Singleton via a Memento but this will generally cause big troubles.

Why?
Since the idea behind the Singleton is that it only exists once and shows only one state to all classes, it does not make sense to give anyone the possibility to save and restore it.

But what if you want to keep the state of a Singleton over multiple sessions?
The best way is to load the old state when the Singleton is created. This means this will happen only once, usually the first time the Singleton is accessed. Simply build a private load function in your singleton that you call in the constructor. Inside the load function you can then read data from a file, database, de serialize an object etc. and set all private properties you need to the old state.

Now, we have a Singleton that can load it’s old state, but how do we save it?
We add a public function save to the Singleton. Every time that function is called, we save the current state of the Singleton so that we can read it later again. There is just one thing you must not forget: Thread safety.
In java, you can do this quite easy:

public void load() {
   synchronized(this) {
      // write data to the database etc
   }
}

This will block any access to the object until the critical section is done.

However there is still a big question: When to save?
Unfortunately, this depends heavily on the application. You could either save whenever someone sets something (only do this when this does not happen often), schedule it (this might still cause a loss of data) or simply call it manually whenever you think the time is right.
I usually do it manually since the other options do not appeal to me. I usually only save once, when I shut down the Application, right before the exit command.

Did this help? Then please consider donating.
I do not need nor want money instead buy me some music so I can have fun while writing another guide! CDs (Amazon)
Alternatively, I am also totally into books. Books (Amazon)

Encrypting and decrypting large data using Java and RSA

Encrypting large data using Java and RSA is not a lot different to encrypting small data, as long as you know the basics.

Our goal is to encrypt a String of arbitrary length, send it over the Internet and decrypt it again on the other end. We will not discuss key exchange here since that is a rather trivial task.

What we need first is a KeyPair. Where you get it from does not matter in the end – Here we will create one on the fly.

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
this.keypair = kpg.generateKeyPair();

Now that we have our KeyPair we also need a Cipher that works with our Keys. I used a plain RSA Cipher without specifying padding etc.

this.cipher = Cipher.getInstance("RSA");

Next we would like to have 2 functions that can encrypt and decrypt. Here we will face 2 big problems:

  1. Ciphers do not use Strings, they use byte arrays.
  2. block ciphers cannot encrypt arbitrary long byte arrays directly.

Both of those points seem rather trivial to solve – but the devil is in the details.
First of all we have to understand that Strings and Strings can be different things. At the end of the day, a String represents the encoding of quite a lot of 0s and 1s. Even if our bytes are set in stone that does not mean that byte -> String -> byte will give us identical byte arrays.
Question: Why not?
Answer: Encodings!
I’m pretty sure you have heard about UTF-8 somewhere so far. UTF-8 only defines how a series of bytes is mapped to a char. The problem is that there are quite a lot of byte patterns that do not always make sense (in the context of UTF-8) or are not really standardized. This is why German letters like öäü etc or for example Japanese symbols sometimes get replaced by something else like a box, star etc. We have all seen it.
So we will need a better representation than “normal” Strings. Especially for transferring the String (or storing it or … Well basically anything) we want a representation that will keep the correct byte message and supports byte -> String -> byte operations.
The 2 most common ways are to use base 64 encoding or hex encoding. In my example I will use Hex encoding since I had to call REST services with encrypted Strings and base 64 encoding inserts CR/LF markers when it seems fit – something you do not really want in URLs.
But, before I go on, let’s have a look at the encrypt and decrypt functions:

public String encrypt(String plaintext) throws Exception{
	this.cipher.init(Cipher.ENCRYPT_MODE, this.keypair.getPublic());
	byte[] bytes = plaintext.getBytes("UTF-8");

	byte[] encrypted = blockCipher(bytes,Cipher.ENCRYPT_MODE);

	char[] encryptedTranspherable = Hex.encodeHex(encrypted);
	return new String(encryptedTranspherable);
}

First we init the cipher with encryption mode and our public key. We could also have gotten the key from somewhere else, the only important part is that you need a cipher and a key that work together or you will get exceptions.
After that, we convert the plaintext to a byte array. You can see that we assume the String to be in UTF-8. This could be skipped but might lead to side effects while recreating the string later. I included the UTF-8 for safety reasons.
Next we call the function blockCipher, which does all the magic of encrypting in blocks (we will come to that later).
Now we encode our new, encrypted byte[] into a Hex based String. For this purpose I used the org.apache.commons.codec.binary.Hex class. If you do not want to import that for any reason, have a look at the source code here: Kickjava.com

The String is now ready to be saved to the disk, transferred over the Internet or even sent via mail.

Decryption is much the same, just the other way round. This time we go from HexString -> byte[] -> String. Note that we again create a String that is UTF-8 based at the end.

public String decrypt(String encrypted) throws Exception{
	this.cipher.init(Cipher.DECRYPT_MODE, this.keypair.getPrivate());
	byte[] bts = Hex.decodeHex(encrypted.toCharArray());

	byte[] decrypted = blockCipher(bts,Cipher.DECRYPT_MODE);

	return new String(decrypted,"UTF-8");
}

So far so good, but what about the voodoo in blockCipher? Here’s the source:

private byte[] blockCipher(byte[] bytes, int mode) throws IllegalBlockSizeException, BadPaddingException{
	// string initialize 2 buffers.
	// scrambled will hold intermediate results
	byte[] scrambled = new byte[0];

	// toReturn will hold the total result
	byte[] toReturn = new byte[0];
	// if we encrypt we use 100 byte long blocks. Decryption requires 128 byte long blocks (because of RSA)
	int length = (mode == Cipher.ENCRYPT_MODE)? 100 : 128;

	// another buffer. this one will hold the bytes that have to be modified in this step
	byte[] buffer = new byte[length];

	for (int i=0; i< bytes.length; i++){

		// if we filled our buffer array we have our block ready for de- or encryption
		if ((i > 0) && (i % length == 0)){
			//execute the operation
			scrambled = cipher.doFinal(buffer);
			// add the result to our total result.
			toReturn = append(toReturn,scrambled);
			// here we calculate the length of the next buffer required
			int newlength = length;

			// if newlength would be longer than remaining bytes in the bytes array we shorten it.
			if (i + length > bytes.length) {
				 newlength = bytes.length - i;
			}
			// clean the buffer array
			buffer = new byte[newlength];
		}
		// copy byte into our buffer.
		buffer[i%length] = bytes[i];
	}

	// this step is needed if we had a trailing buffer. should only happen when encrypting.
	// example: we encrypt 110 bytes. 100 bytes per run means we "forgot" the last 10 bytes. they are in the buffer array
	scrambled = cipher.doFinal(buffer);

	// final step before we can return the modified data.
	toReturn = append(toReturn,scrambled);

	return toReturn;
}

I will not comment the source again, just go ahead and read it. The most important part is maybe this: int length = (mode == Cipher.ENCRYPT_MODE)? 100 : 128;
This part will tell the code wheter we chunks that are 100 bytes long or use 128 long chunks.
Why do we need that?
RSA is a block cipher. No matter how long (or rather: short) the input, it will produce a 128 byte long output. That explains the 128.
But why the 100? Could we not just use the whole byte array?
No we can’t. Most guides will not tell you this part at all since the authors forget that plaintext Strings can get quite large. No block cipher can ever encrypt a bitstring longer than the maximum block size. That’s why they are called block ciphers (opposed to stream ciphers that encrypt bit by bit or byte by byte).
If you ever find a class that can take arbitrary long input, uses a block cipher and generates an output, you can be 100% sure that the block ciphering is done internally.
So what we do is:
For ENcryption we use a maximum of 100 bytes of plaintext and encrypt each of those byte chunks to exactly 128 byte long ciphertext.
For DEcryption we use 128 bytes long chunks of ciphertext and decrypt each to a (maximal) 100 byte long plaintext.
Note that we do not have to use exactly 100 bytes. We could and maybe should use a slightly bigger byte range. As far as I can remember the maximum length is 116 or 117 bytes, but you can easily find that out with trial and error (You will get an IllegalBlockSizeException or similar).
One method that was used above but not stated yet is the following:

private byte[] append(byte[] prefix, byte[] suffix){
	byte[] toReturn = new byte[prefix.length + suffix.length];
	for (int i=0; i< prefix.length; i++){
		toReturn[i] = prefix[i];
	}
	for (int i=0; i< suffix.length; i++){
		toReturn[i+prefix.length] = suffix[i];
	}
	return toReturn;
}

This only appends 1 byte array to the other.
And, we’re done. With this you should have all things together to encrypt large data with RSA. Note that it will take a LOT of time to encrypt 1 mb of data with this algorithm (3 minutes and more). But the main goal was to encrypt large Strings, and a String with 1 mb is really HUGE.

Hope you enjoyed the trip! Leave comments if you like it, find bugs etc :)

Did this help? Then please consider donating.
I do not need nor want money instead buy me some music so I can have fun while writing another guide! CDs (Amazon)
Alternatively, I am also totally into books. Books (Amazon)

Why I do this

I’ve been writing source code for quite some time now and have been getting quite experienced with patterns and Java.
Recently, I’ve encountered quite a few situations where I could not find any good information on the internet or the information was spread over multiple sites.

I’ve been playing around with the idea of setting up a coding blog alot already and this very last weekend I solved a problem that finally set me off installing WordPress.
I had to implement a security layer for a REST framework that we develop for a university course. The security layer should transparently encrypt and decrypt all data that passes through it and handle key exchange.

Having done my cryptography homework I did not expect this to be a huge job. Well, turns out it cost me the whole weekend which is roughtly about 20h of work.

Switch to our mobile site