Category Archives: Security

Android hackers writing malware attack apps using App Inventor

There is no problem with using App Inventor to write your own apps and share them with others. The problem is that App Inventor makes it easy to write any app, including a malicious one, and malware authors have begun using it to produce apps that carry malware.

“App Inventor doesn’t give malicious apps any special powers nor access to exotic exploits to attack your phone. But it does make the production of Trojanized apps enormously easy. With only a basic understanding of Android programming, an attacker can churn out tons of malicious apps. More apps means more confusion, and more opportunities for attack.”

Source: Mobile Threat Monday: Android Attackers Use App Inventor for Evil | PCMag

2/3rds of programming projects expected to use “low code” tools by 2025

App Inventor is a “low code”, visual software development tool. Such “drag and drop” programming tools enable non-programmers (and programmers) to create many types of applications without the details of traditional programming code.

This leads to an important issue – will less trained/less experienced programmers inadvertently introduce security problems in their applications?

Gartner predicts that by the end of 2025, over 65% of development projects will use low-code builders. The field of low-code continues to expand. But what security implications does low-code introduce? Low-code refers to tools that enable application construction using visual programming models. By adopting drag-and-drop components instead of traditional code, no-code and low-code platforms enable non-technical folks to construct their own workflows without as much help from IT. Yet handing power to citizen developers with less security training can be risky. Plus, low-code platforms may hold compromised proprietary libraries or leverage APIs that may unknowingly expose sensitive data to the outside world. There’s also the possibility that low-code could increase shadow IT if not governed well.

How to Mitigate Low-Code Security Risks

Part 4: Protecting yourself from online tracking

Today we understand everything we do online is tracked, recorded in databases, analyzed by software to determine detailed aspects of our lives and then used for marketing and propaganda purposes. In some cases, this information is used against our own interests.

We can minimize online – and offline – tracking by paying attention to when we are being tracked and taking steps to disable the tracking.

For example, I am typing this in a coffee shop. Until today, access to their WiFi has been open. But today they require I enter a name and email address. Providing this information provides them with a way to link my retail store purchase here with online activities (since it is a chain, it also provides a way to track my travels). I gave them a fake name and an email address that I created 30 minutes ago, specifically to avoid trackers like this.

I mention this because the key is to be mindful of when you are being tracked and to proactively take steps to reduce data surveillance.

Proactively seek out privacy settings and set them to restrictive options. Avoid giving out real contact information to places that have no need for it. Create a fictitious email address and phone number for these situations. Mostly, think! Be aware of when someone is asking for information that they do not actually need, and do not give it to them.

Plus, use the right online tools with the best settings to avoid tracking.

Use the Best Browser or Plugins to Stop Tracking

Facebook (and Google and more) track you as you move about the online web using many methods including “cookie files” deposited on your computer, hidden single pixel images that link to Facebook, and through their ad network. In 2017, an estimated 44% of all online ads seen anywhere on the web were served through the Facebook ad network. Each of these ads provides an opportunity for Facebook to track which web sites you visit, which pages you visit, and even which products you may have viewed online.
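To make the mechanism concrete, here is an added example (my own code, not from the original post) that parses a page the way a browser would and lists every resource fetched from a different site than the page itself. Each of those requests carries whatever cookies that third party has already set in your browser, which is what turns a 1x1 image or an ad script into a tracker. The HTML and the tracker hostnames are constructed for illustration, and the `registrable_domain` helper is a deliberate simplification of the Public Suffix List.

```python
"""List third-party resources on a page that can act as cross-site trackers.

Added example, not part of the original post. The sample HTML and the
tracker hostnames are constructed; a real tool would use a maintained
block list such as the ones Ghostery or Privacy Badger ship with.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-ins for ad / analytics networks (assumption, not a real list).
TRACKER_SITES = {"facebook.com", "doubleclick.net", "example-analytics.net"}


def registrable_domain(host):
    """Crude 'site' for a host: its last two labels. Good enough for this
    example; not a substitute for the Public Suffix List (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering."""

    URL_ATTRS = {"img": "src", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append((tag, attrs[attr], attrs))


def find_third_party_resources(page_url, html):
    """Return resources served from a different site than the page.

    Every such fetch sends that site's cookies (subject to browser cookie
    policy), so the third party learns which page you were on and when.
    """
    page_site = registrable_domain(urlparse(page_url).hostname or "")
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.resources:
        full = urljoin(page_url, url)          # resolve relative URLs
        site = registrable_domain(urlparse(full).hostname or "")
        if site == page_site:
            continue                            # first-party: not a cross-site fetch
        is_pixel = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        findings.append({
            "tag": tag,
            "url": full,
            "site": site,
            "known_tracker": site in TRACKER_SITES,
            "tracking_pixel": is_pixel,
        })
    return findings


# Constructed sample page: one first-party image, a CDN script, and three trackers.
SAMPLE_PAGE_URL = "https://shop.example.com/products/42"
SAMPLE_HTML = """
<html><body>
<img src="/logo.png" width="200" height="50">
<script src="https://static.example-analytics.net/track.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<img src="https://www.facebook.com/tr?ev=PageView" width="1" height="1">
<iframe src="https://ads.doubleclick.net/frame"></iframe>
<a href="https://other.example.org/">a plain link is not fetched automatically</a>
</body></html>
"""

if __name__ == "__main__":
    for f in find_third_party_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "TRACKER" if f["known_tracker"] else "third-party"
        pixel = " (1x1 pixel)" if f["tracking_pixel"] else ""
        print(f"{flag:11s} {f['tag']:6s} {f['url']}{pixel}")
```

Run it on the constructed page and four third-party fetches are listed, three of them on the tracker list and one of them a 1x1 image, which is exactly the pattern the add-ons below block by refusing the request or stripping its cookies.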

The best way to avoid this tracking is to use a browser that supports privacy enhancements.

The Epic Privacy Browser has privacy features built in – as a feature. Give it a try! Plus the organization behind Epic provides a proxy server when you wish to surf anonymously.

The Firefox browser from Mozilla supports several “add ons” that reduce tracking of your online behavior.

In the Firefox browser, click on the 3 small horizontal bars at upper right of the address line to display Firefox options. Click on Add-ons. Then click on Get Add-ons at upper left, then page all the way to the bottom to find “See more add-ons”. Using the Search box, search for and install each of these add-ons:

  • Ghostery
  • Privacy Badger
  • Adblock Plus (or other ad blocker)
  • Cookie Autodelete

These add-ons work to disable tracking features used by web sites and ad networks. To some extent they overlap in their functionality, but that is okay. Cookie Autodelete automatically deletes tracking cookies when you leave a page. After installing this add-on, click on the icon that appears at the right of the Address bar and make sure you have “Auto-clean enabled” set.

Once enabled, Cookie Autodelete removes all cookie files generated by pages you visit, a few seconds after you have left the page. It is common to discover that individual pages drop 30 to 100 cookie-based trackers on your browser.

Sometimes you may not want cookies automatically deleted. For example, sites that keep you logged in between visits will lose that login session when their cookies are deleted. To prevent auto-deletion for those sites, click on the “Whitelist” option while visiting the site to add its domain name to the list of sites whose cookies will not be cleaned.

Each of these add-ons can be enabled or disabled for individual web sites. Occasionally a page may not format correctly, or the web site may say that it will not work with ad blockers. When that happens, disable the add-on for that individual page or site and refresh the page.

Smart phone and tablet apps

The Facebook and Messenger apps are nasty and default to enabling numerous “Permissions” to access most everything on your device. These apps are privacy nightmares.

My recommendation, if possible, is to uninstall these apps and not use them on your portable device. These apps are basically enhanced surveillance tools.

If you can, uninstall these apps. If you cannot, then selectively set more restrictive permissions for each app. Definitely turn off the Mic permission. Back in 2014, Facebook said their app listened using the Microphone:

Don’t worry, though. Facebook says they’re respecting your privacy while they do this. While ambient audio is definitely being recorded, they’re not storing exactly what the microphone picks up. The new feature works just like Shazam does: it tries to match an audio fingerprint from your environment with one in its database. The goal is to figure out if you’re listening to particular song or watching a TV show like The Simpsons.

As a general rule, selectively turn off app permissions whenever you can. I found half of the apps installed on my phone ask for the “Location” permission. Many of these are specifically for tracking my location – for someone’s benefit but not mine – while some are for mapping functions and obviously, need Location permission.

41% of the top 2500+ apps in the Google Play Store act as Facebook trackers (similar to how web sites track things on behalf of Facebook). To block those apps from tracking you, go to the Google Play Store and install Adguard. Adguard is an app that works to block the Facebook trackers, not just in the browser but also from other apps. I am not sure but I think this or similar tools are available for the iPhone.

Also, install the HTTPS Everywhere add-on, which switches your connections to HTTPS (encrypted) whenever the web site supports it.

Other Apps

Review the apps you have installed on your phone. Uninstall those that you are no longer using. Review the permissions of the apps that you are using – and consider setting those options to more restrictive levels.

Online Web Surfing

Use a privacy-enhanced browser, as described above.

However, your Internet Service Provider is also tracking everything you do online, and depending on which country you live in, your ISP can share your full online history with third parties.

To minimize ISP tracking, do not use the ISP’s default DNS resolver.

You can configure your computer to use DNS services provided by other parties, such as OpenDNS, 1.1.1.1 or even Google DNS. You should also set DNS settings for your phone and tablet devices (you may need to look up online how to do this; it is not obvious in Android and the method varies depending on the version of Android).

These DNS providers also log queries, but say they anonymize the data so it is not connected to you specifically. Two caveats: plain DNS queries travel unencrypted, so an ISP that looks at your traffic can still read them in transit unless you use a resolver that supports DNS over HTTPS or DNS over TLS and configure your device for it; and the ISP still sees the IP addresses you connect to. Changing resolvers reduces, rather than eliminates, what your ISP can learn.
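As an added example (my own code, not from the original post), the following builds a standard DNS query in memory and reads the queried name back out of the raw bytes, exactly as any device on the path between you and the resolver could. It shows why switching resolvers alone is only a partial fix: the destination address changes, but the name crosses the ISP’s network as plain length-prefixed labels unless the query is wrapped in DNS over HTTPS or DNS over TLS. Nothing is sent on the network; the transaction ID and the example name are arbitrary.

```python
"""Build and decode a plain (RFC 1035) DNS query to show what an on-path
observer such as an ISP can read. Added example, not from the original
post. The packet is constructed in memory; nothing is sent."""
import struct


def build_query(name, txid=0x1234):
    """Encode a standard A query for `name` as it would sit in a UDP
    datagram to port 53. The name is sent as plain labels, not encrypted
    or hashed, whichever resolver address the datagram is addressed to."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"                                   # root label ends the name
    question = qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    return header + question


def queried_names(packet):
    """What a passive observer reads back: every name in the question
    section. Queries use the uncompressed form, so no pointer handling
    is needed here."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    off = 12
    names = []
    for _ in range(qdcount):
        labels = []
        while True:
            length = packet[off]
            off += 1
            if length == 0:
                break
            labels.append(packet[off:off + length].decode("ascii"))
            off += length
        names.append(".".join(labels))
        off += 4                                       # skip QTYPE and QCLASS
    return names


if __name__ == "__main__":
    pkt = build_query("www.example.com")
    print(pkt.hex())
    print("observer sees:", queried_names(pkt))
```

The hex dump makes the point visually: the bytes `03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00` spell out `www.example.com` label by label, and `queried_names` recovers it without any key or cooperation from the resolver.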

Offline tracking

How many stores have you visited that offered you a Loyalty Discount Card? Just fill out this little application – where they try to collect as much personal identification as possible. Our experience is the discounts are bogus – in fact most vendors using these seem to have raised prices – and then give a discount that drops prices to where they were before they introduced their discount card!

If you fill out and use a loyalty card, give them fake information. Do not give them your real phone number or real email address. Those two items are the database keys that enable them to sell your retail store purchase history to offline data brokers.

Break the link between your online and offline store purchases, wherever possible.

Social Media

In addition to setting privacy and sharing options, do not accept friend requests from completely random people (there needs to be some connection to you or common interests, at least). “Random connections” are an obvious and simple way for someone to intentionally spy on you as they have access to your private, “Friends-only” posts and comments.

Limit your friends to those you know in real life, or those with which you have a substantial interaction or common interests.

Periodically clean up your Friends list. For years, we believed it was important to gather as many friends as possible. Our total friend count was a badge of honor and most of us were anxious to add to our friends list. Because of social media filtering, however, we rarely see posts from most friends. Do we really need this many friends?

By reducing your friends list, your news feed can become usable again. It also reduces the amount of information linked to you via networked friend graph analysis.

Do delete old posts – especially those that may be controversial. The “half life of a Tweet” is said to be 15 minutes. That means half of all views of a Tweet occur within 15 minutes of posting it online. Tweets that are weeks or months or years old are rarely viewed and there is little reason to keep them online. You can use a service like tweetdelete.net to automatically delete all tweets older than a specified number of days.


Do not upload Contact lists to Instagram, Facebook and so on. The primary purpose of these contact lists is for the provider to enlarge their database, identify people connections, and learn more about you.

Afterword

In 2014, I noticed a lot of “Friends” were sharing what we now call propaganda. I knew little about propaganda. Wasn’t propaganda what governments do during war time? Yes, it is, but propaganda is far bigger than that! We are surrounded by propaganda, which is based on specific methods designed to influence us. I started reading books and papers on the subject. I started a private blog to record my notes – I kept the blog private for a year and a half.

Eventually, one post shared on Facebook convinced me to make a public blog about social media propaganda – I first called it Occupy Propaganda – but later renamed it Social Panic. The blog is propaganda about propaganda! Specifically, about social media propaganda.

In the past two weeks, we all learned a lot about social media surveillance and propaganda. I think half the posts I made in 4 years were written in the past two weeks!

Everyone is now aware of social media’s surveillance and propaganda problems and I expect I will let my little Social Panic blog fade away.

And then I can return to more tutorials on App Inventor related topics. I am working on something involving Fusion Tables, and possibly a way to bring back functionality similar to the original TinyWebDB.

After Afterword

I said at the top of this post I wrote this while sitting in a coffee shop. At the table next to me, two people were using online tools to look up all kinds of information on their clients, figuring out how much they were worth, their current jobs, their future career growth trajectory – and how good looking they are (really). And talking about all of this while they did it – in a public cafe!

If you do not think online surveillance is widespread and potentially a problem, you are not paying attention!


Part 3: Setting #Facebook’s hidden privacy settings #DeleteFacebook

Facebook does not make it easy to protect your privacy! You should not use Facebook unless you take these steps to protect yourself. In fact, in essentially all cases, Facebook “privacy” defaults to “anti-privacy”, sharing your information as widely as possible!

Update: I began writing this a few days ago. Facebook has since announced that in “a few weeks” they will make it easier to set your privacy settings. At the present time, Facebook has hidden most of the privacy settings in about 20 different locations. Setting privacy options, like deleting content, has been near impossible on Facebook. The options under “Privacy” have little to do with privacy.

Because Facebook will be rolling out an entirely new system for controlling privacy and deleting our own data, the following instructions – which work as of right now – may end up being a historical document about how bad Facebook became.

Download the Facebook Archive and Learn What they Have Recorded About You

Some people have reported archives up to several gigabytes in size.

To download your archive, go to Settings | General and find the Download a copy at the bottom of the page. Follow the instructions to download the archive.

NOTE – my archive was missing many of the 1000 or so photos I had uploaded. However, I could go to the separate Facebook page for Photos, click on Albums, and then download each album, one by one, by clicking on the gear icon that appears at upper right of each Album as my mouse was moved over the Album, and choosing the Download option. Before you delete things that you want to save, be sure to check whether they really are stored in the archive.

Contact Lists

Never submit contact lists to online services like Facebook or Instagram. Each recommends you upload your contact list to help you find friends. The main purpose is for Facebook to acquire your contacts and their information including names, email addresses, and phone numbers. Facebook uses this information to create “graphs” of how people are related to one another and will also use it to suggest people as “friends”. This information may also be used to apply peer pressure – “your friend Bob is also using this product” …

Who knows what else they are using it for? Best bet: never upload Contacts. If you have already uploaded Contacts, edit the list or delete it.

Remove all Imported Contacts
https://www.facebook.com/contact_importer/remove_uploads.php?r=%2Fphonebook

Or Edit your Imported Contacts List here
https://www.facebook.com/invite_history.php

Because this post is so long – you should read all of it – you need to Click the next link to continue on to the rest of the post!

This is the most comprehensive list of Facebook privacy options that I have seen on the Internet so far.

Continue reading Part 3: Setting #Facebook’s hidden privacy settings #DeleteFacebook

Part 2: Protecting yourself from #Facebook and online Spies

Per my previous post, I concluded Facebook is unsafe for anyone to use. Facebook is a global surveillance and propaganda platform masquerading as a way of “connecting people”. Facebook’s collected data has leaked out through Facebook platform apps to third parties – from 2005 to 2015 and possibly longer. Regardless of the leaks, Facebook has sold this data to advertisers and political groups – even though much of what they collect is bad or noisy data, and wrong. Facebook also enables this data to be used to intentionally discriminate against people.

What to Do If You Cannot Delete Facebook

For those of us that cannot delete our Facebook accounts, there are steps we can take to enhance our privacy and minimize the impacts of Facebook. Unfortunately, FB does not make this easy – consequently, explaining how to do this is going to be split into several, sometimes very long posts!

The general ideas are to:

  • Download the Facebook “archive” of everything you have posted. Then start deleting online content that you no longer need.
  • Deleting old content is nearly impossible. I had 11 years worth of “stuff” on Facebook. The only way to delete it is to View Activity Timeline and then select each item, one by one, and click about 3 times, to delete each item, individually. That is unusable, by design. Facebook does not want you to delete anything. Instead, you can use the Social Book Manager extension in Chrome to bulk select past posts, comments and likes, and delete them or unlike.
  • Set Facebook “privacy” settings to their strongest settings. As we will see later, this is hard to do as the real settings are not labeled “privacy” and are hard to find.
  • Remove yourself from most Groups you have joined. Because FB filters the content that appears in your news feed, you may see few or no posts from Groups.
  • Unfollow most Pages, for the same reason as Groups. In both cases, joining a Group or “Liking” or “Following” a Page is used to collect your interests and information about you.
  • Turn off most notifications. These are used to “nag” you to waste time on Facebook.
  • Do not use your primary email address for online social media sites. Your email address is used to associate your online activities with your offline activities in third party databases.
  • Do not give them your phone number (same reason as email). Most services do not need your phone number but will nag you to give them your phone number.
  • Do not give a social media web site your credit card number, and if you do, do not allow them to store the number. The credit card number is another way of linking your online activities with your offline, retail store purchases.
  • Never, ever upload a Contacts list to a web service or app (or give the app permission to access your Contacts unless that is critical to app functionality)
  • Uninstall seldom used apps from your phones and tablets. Up to half of apps are spying on some aspect of your activities. Alternatively, turn off most app Permissions to deny them access to your Contacts, phone and text messages.
  • Delete Facebook Photo Albums (fairly easy to do).
  • Delete Contacts (easy to delete all uploaded Contacts).
  • Use privacy enhanced browsers to surf the web. These work to block online trackers and to remove cookie files automatically.
  • And a whole lot more.

The next post will give detailed instructions on the above plus many more hidden Facebook settings.

Should you delete your Facebook account? Yes, if you can #Facebook

This past week many of us learned a lot about Facebook’s data collection, sharing and business practices.

After much review I concluded that Facebook is unsafe for all of us to be using. If possible, we should delete our Facebook accounts. If we cannot delete our account, then we should take steps to protect our data.

This first post is an overview of Facebook’s data collection. Follow up posts will discuss how to minimize this data collection and sharing, particularly for those of us who may not be able to delete our Facebook account.

How bad is Facebook’s Data Collection?

Facebook’s data collection practices are highly invasive, collecting vastly more data than any of us realized.

  • Facebook collects everything you have posted online. We expected this, of course.
  • The actual “secret sauce” of Facebook, however, is “Likes”. Each time you click “Like” on a friend’s post or page, Facebook uses that to interpret aspects of your interests and behavior. “Like” buttons are a psychological mind trick that tricks us into unwittingly giving information about ourselves to Facebook. Their goal is literally to get inside our minds. Twitter, Instagram and Youtube also data mine “Likes” as part of their spying on us.
  • Facebook tracks you across web sites, logging what web sites – even what pages – you have visited. Facebook does this using Facebook web site logins, “Likes”, and “Share” buttons on other web sites. Recommendation: Do not use the Facebook option to log in to non-Facebook web sites.
  • Using hidden single-pixel images and online advertising networks, Facebook logs your visits to web sites where you had no relationship with Facebook.
  • Facebook tracks purchases you make at retail stores, completely off line and having nothing to do with Facebook. Facebook does this by purchasing data from retail store data aggregators – using your email address, phone number or credit card number as a database identifier. Facebook combines this purchased data with data that Facebook’s own spying operation has collected. Many retail stores encourage you to obtain their “free” loyalty card that supposedly gives you occasional discounts. By giving them your phone number or email address, these cards are used to track your store purchases. Retailers sell this data to third party companies that maintain databases about your store purchases.
  • Facebook’s Android app was – for many years – recording information about every phone call and text message you sent and received – and stored all of this in Facebook’s archives. Facebook has not said what this data is used for. At a minimum, it could be used to make “friend” suggestions on Facebook. Worse, by analyzing the to/from phone numbers used, Facebook could detect that you are making visits to doctors or mental health professionals and make guesses as to your physical and mental health. That information could be sold to insurance companies or recruiters who may seek to avoid someone with health issues.
  • Facebook apps (presumably including Messenger, WhatsApp and Instagram) also track your Location. Everywhere you have traveled has been logged by Facebook. The Instagram app also requests permission to access your phone, SMS and contact list. Instagram has no bona fide need for this information.
  • 41% of the top 2,500 Android apps in the Google Play store include embedded Facebook tracking features. Trying to avoid Facebook tracking is difficult.
  • Not only does Facebook track what posts you have made, Facebook logs posts you started to type but then abandoned.
  • Facebook uses software to analyze all of this data to create a model of you and your behavior. Literally, a computer simulation of you. Facebook’s goal is to identify how you can be persuaded to buy something or to advocate for someone else (such as a politician). By identifying your “hot buttons”, Facebook knows how to influence your behavior (and has done tests and written research papers about how they manipulate people). Propagandists and advertisers know that people who are in an emotional state (happy or sad) are more receptive to their messaging. By identifying your “weak spots”, propagandists and advertisers are more likely to influence you. Facebook makes money by selling this data (or sometimes even giving this data away intentionally or accidentally).
  • Facebook’s spying has been associated with manipulating elections in many countries around the world.
  • The effect is that Facebook is a platform for surveillance and propaganda messaging. So is Google, by the way.

Facebook’s business is spying on every aspect of your life, and then sharing the “model” of conclusions that Facebook has drawn about each of us, with third parties.

Third parties use that “model” to create highly optimized advertising – and propaganda – to deliver to each of us, individually, to persuade us to buy something or to adopt someone else’s agenda.

In some cases, the data collected by Facebook is even used against our best interests. Facebook allows advertisers to target ads by racial preference, sex and age. Real estate advertisers have targeted specific racial groups (e.g. whites) as a way to avoid getting applicants from the non-targeted group. Employers, including high tech employers like Facebook, have targeted tech job ads by age – such as age 24-35, thereby avoiding having older applicants be aware of job openings and hence, no applicants from older workers. Unaware of these job openings, older workers do not even apply. In this way, they discriminate against older workers. Finally, nursing jobs are typically targeted at women only – a field where in the U.S. 89% of all registered nurses are women.

These ads are not just those that appear on Facebook – Facebook’s ad network displays 44% of all advertising on the web (as of 2017). This means Facebook’s ad network is used to secretly discriminate against tens of millions of people every day.

We have zero control over the data that Facebook has collected on us. Even if we delete individual items, they retain the deleted items in the Facebook archive. Worse, deleting items on Facebook is very difficult. For example, go to your Activity time line and delete 100 posts – you have to select each post, one by one, click 3-4 mouse clicks to delete each individual post. This is ponderous considering that most users have been using Facebook for years. Lacking a bulk delete/edit or bulk change privacy of past posts feature, Facebook becomes a “write only” memory system from which data can generally not be removed. This is by design – Facebook intentionally makes it very hard to remove old items we have posted or shared.

Further, data is placed in different silos. “Photos” contains albums – you can delete entire albums, fortunately. But the photos posted on your time line can only be deleted by going to the Activity time line and deleting them one by one. Then there is a section called “Events”. Any time you clicked on Interested or Going, Facebook logged that. Stuff is hidden all over the place so that Facebook can claim they allow you to delete things while simultaneously making it as difficult as possible to find where you can delete it.

I concluded Facebook is generally unsafe for everyone. Realistically, deleting your account may not be something you can do – at least not right now. However, there are steps you can and should take to protect your personal information. I will discuss those steps in another post soon.

Personally, I have removed myself from about 90% of the Groups I belonged to on Facebook, unliked all of the Pages I had liked, deleted all of my photo albums, and have turned off nearly all Notifications. I will also be deleting 2 or 3 of the 4 pages that I run on Facebook and unfriending those friends that I have had little or no interaction with. I will no longer post anything to my personal page nor will I ever again click “Like”.

I plan to keep this App Inventor programming page on Facebook as perhaps my only activity on Facebook. However, if that should change, I will let you know and provide you with an alternate – at a minimum, you can always visit our web site directly at https://learn2c.org.

On App Inventor topics, I have been working on something – it’s not ready yet – but some stuff on Fusion Tables and also perhaps how to resurrect the old TinyWebDB type simple cloud-based database. We will see how this turns out!

Update on Meltdown-Spectre security vulnerabilities

Anti-virus software makers are detecting malware that attempts to exploit the security vulnerabilities identified as Spectre and Meltdown. Since code must execute on the computer to exploit these vulnerabilities, anti-virus software is being updated to detect such malware attacks. Of course, some such malware may yet get through our defenses and could end up on machines.

Source: Meltdown-Spectre: Malware is already being tested by attackers | ZDNet

My view is that for most of us, it’s just another form of malware. We all need to be proactive about avoiding malware by taking appropriate steps such as installing only code we know to be good, using anti-virus software, and keeping our systems generally updated. Meltdown and Spectre are just two more exploits that hackers can use.

Is your computer now protected from Spectre and Meltdown security vulnerabilities? 

Steve Gibson of Gibson Research Corporation has provided a downloadable program that says whether or not your Windows PC has been updated with fixes for Spectre and Meltdown. The program also offers, where possible, options to disable the protections (for example, if you find the updates cause your computer to run slower).

Go here to read about and download the utility program: GRC | InSpectre  
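InSpectre is Windows-only. As an added example (my own code, not GRC’s tool and not from the original post), here is the Linux equivalent of that check: the kernel reports its own mitigation status for each issue in files under /sys/devices/system/cpu/vulnerabilities/, and /proc/cpuinfo shows the microcode revision actually loaded, which tells you whether a firmware update from your OEM or operating system has reached the CPU. The sample file contents embedded below are constructed so the script also runs on a machine that lacks those files.

```python
"""Report Spectre/Meltdown mitigation status on Linux.

Added example, not from the original post or from GRC InSpectre. Reads
the kernel's sysfs status files (present since Linux 4.15) and the
microcode revision from /proc/cpuinfo. SAMPLE_* values are constructed."""
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status):
    """Map one sysfs status line to a coarse verdict."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def parse_vulnerabilities(contents):
    """contents: {file_name: file_text}. Returns {file_name: (verdict, raw)}."""
    return {name: (classify(text), text.strip()) for name, text in contents.items()}


def microcode_revision(cpuinfo_text):
    """Microcode revision of the first CPU listed in /proc/cpuinfo, or None."""
    m = re.search(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", cpuinfo_text, re.MULTILINE)
    return m.group(1) if m else None


def summarize(report):
    """Overall verdict: any 'vulnerable' entry wins; an empty or unparsable
    report is 'unknown' rather than silently 'mitigated'."""
    verdicts = {v for v, _ in report.values()}
    if "vulnerable" in verdicts:
        return "vulnerable"
    if not report or "unknown" in verdicts:
        return "unknown"
    return "mitigated"


def read_system():
    """Read live values. Returns ({}, None) when not on a suitable Linux kernel."""
    contents = {}
    if os.path.isdir(VULN_DIR):
        for name in sorted(os.listdir(VULN_DIR)):   # newer kernels add more files
            with open(os.path.join(VULN_DIR, name)) as f:
                contents[name] = f.read()
    try:
        with open("/proc/cpuinfo") as f:
            ucode = microcode_revision(f.read())
    except OSError:
        ucode = None
    return parse_vulnerabilities(contents), ucode


# Constructed samples in the format the kernel uses (values are illustrative).
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x80\n"

if __name__ == "__main__":
    report, ucode = read_system()
    if not report:   # not Linux, or a pre-4.15 kernel: show the constructed sample
        report, ucode = parse_vulnerabilities(SAMPLE_SYSFS), microcode_revision(SAMPLE_CPUINFO)
    for name, (verdict, raw) in report.items():
        print(f"{name:14s} {verdict:12s} {raw}")
    print("microcode:", ucode, " overall:", summarize(report))
```

The constructed sample deliberately shows the state many machines were in at the time of this post: Meltdown mitigated by the kernel (PTI) while Spectre variant 2 still reads Vulnerable because the microcode that the full mitigation depends on had not arrived from the OEM. Comparing the microcode line before and after a BIOS update is the quickest way to confirm that the firmware actually changed.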

Intel says: Stop installing Intel SPECTRE/MELTDOWN firmware updates

Intel says it has identified a problem with its firmware update that was causing Intel processors to behave unpredictably. Intel is now telling customers to discontinue the processor firmware updates until it releases a fixed update, which it expects to do soon.

Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

By Navin Shenoy

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

  • We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
  • We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
  • We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

I apologize for any disruption this change in guidance may cause. The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.

I will keep you updated as we learn more and thank you for your patience.

Navin Shenoy is executive vice president and general manager of the Data Center Group at Intel Corporation.

Source: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners


Note – Intel processor firmware (microcode) updates are generally provided to end users (people like us) by the manufacturer of our computer or system motherboard, typically as a BIOS/UEFI update (operating systems can also load microcode at boot). Many of us have probably not seen this firmware update yet. The Intel firmware updates are separate from the operating system updates that have been created for Android, Linux, Mac OS X and Windows.

Intel updates performance impact of SPECTRE and MELTDOWN fixes

Intel is continuing to measure and evaluate the performance impact of its own firmware changes to address the SPECTRE and MELTDOWN exploits. The chart in the source post (linked below) gives the results.

The chart shows Intel’s measurements for certain 6th, 7th and 8th generation Intel processors. The measurements are made using standard benchmark tests that simulate specific usage scenarios. Consequently, these are measurements of performance impacts on those benchmarks, which may not represent how we use our own computers.

Source: Intel Security Issue Update: Initial Performance Data Results for Client Systems

Separately, Google says they managed to upgrade their cloud servers with their own fixes that had negligible impacts.

While AMD processors appear to not be impacted by the MELTDOWN exploit, AMD did announce that one of the variants of SPECTRE does impact the AMD processors.

This suggests that over the weeks and months to come, future updates may appear that fix new variations of the exploits but also improve performance as better solutions are identified.