Fitbit Android App and Password Security Issue

I’ve been a Fitbit user for a few months now, and really love the product.  Recently, I had been reading about Android apps that don’t do a great job of protecting user information on the device itself.  Many Android apps store sensitive information in plain text, and rely on the Linux sandbox model to protect that information.  The sandbox model works well until the device is rooted, which allows access to all of the previously secured sandboxes.

I’ve been looking at the data stored by various apps on my rooted Galaxy S3 using Root Explorer looking for apps that fail to protect sensitive information.  During one of these exercises, I discovered that the Fitbit Android app falls into this category.

In the application sandbox’s files directory is a file called login_credentials.json.  Inside this file are my Fitbit username and password in clear text:

{"password":"<my password>","login":"xxxx.yyyy@gmail.com"}

If a user chooses to use the same password for the Fitbit.com service as other services (such as a bank account), the disclosure of the Fitbit.com password could be very detrimental to them.  Of course, I’m able to see this information easily because my phone is rooted.  On a non-rooted device, the application sandbox security model prevents other apps from seeing this data.  However, there have been attacks on Android devices where malware first obtains root, and then uses root to enable other malicious behavior.  If someone was determined enough, they could craft a similar malware bot that could first obtain root access and then discover other passwords on the system stored as plain text.  If a thief steals an Android device, they could root the device and harvest passwords on the system.

I first disclosed this issue to Fitbit a few weeks ago, and after a few days they notified me that they were addressing the issue.  Another day or two went by, and the new update was already available in the Google Play store.  After seeing the new update, I launched the app, and then Root Explorer, to see if this issue was fixed.  In the new version, the login_credentials.json file was gone, replaced with a file called authinfo_credentials.json.

Root Explorer viewing the Fitbit Android app sandbox.

This file contains what appears to be a base64-encoded encrypted blob, which likely contains my username/password.  By encrypting my credentials, this fix prevents the scenarios that I listed above.
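As an added example (not code from this post or from Fitbit), here is a small Python audit that classifies a credential file pulled from an app sandbox the way the post does by eye: plaintext JSON holding secret-looking fields, base64 that merely encodes readable text (encoding is not encryption), or base64 of non-text bytes consistent with ciphertext.  The sample file contents, including the stand-in for the authinfo_credentials.json blob, are constructed and not the real files.

```python
import base64
import binascii
import hashlib
import json
import math
from collections import Counter

# JSON keys that, when holding a readable string value, indicate credentials
# stored in the clear, as the pre-fix login_credentials.json did.
SECRET_KEYS = {"password", "passwd", "pass", "secret", "token", "login", "username", "email"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, English/JSON text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True if the bytes decode as UTF-8 and are almost entirely printable."""
    try:
        s = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in s)
    return printable / max(len(s), 1) > 0.95


def classify_credential_file(contents: str) -> dict:
    """Return {'verdict': ..., 'findings': [...]} for one credential file.

    verdict is one of:
      plaintext     JSON whose secret-looking keys hold readable string values
      no_secrets    JSON without any such keys
      encoded_only  base64 that decodes to readable text (base64 is not protection)
      opaque        base64 that decodes to non-text bytes (consistent with ciphertext,
                    but this check cannot prove the blob is actually encrypted)
      unknown       neither JSON nor valid base64
    """
    text = contents.strip()
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        obj = None
    if isinstance(obj, dict):
        leaked = sorted(k for k, v in obj.items()
                        if k.lower() in SECRET_KEYS and isinstance(v, str) and v)
        return {"verdict": "plaintext" if leaked else "no_secrets", "findings": leaked}
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "unknown", "findings": []}
    if looks_like_text(raw):
        # Decoded to readable text: classify the inner text so base64(JSON) still
        # reports which secret keys it exposes.
        inner = classify_credential_file(raw.decode("utf-8"))
        return {"verdict": "encoded_only", "findings": inner["findings"]}
    return {"verdict": "opaque", "findings": [], "entropy": round(shannon_entropy(raw), 2)}


# Constructed sample files (placeholder values, not real credentials).
_PLAIN_JSON = '{"password":"<my password>","login":"xxxx.yyyy@gmail.com"}'
# A leading 0xFF byte is never valid UTF-8, so this constructed blob is guaranteed non-text.
_CONSTRUCTED_BLOB = b"\xff" + hashlib.sha256(b"constructed, not a real Fitbit blob").digest()
SAMPLE_FILES = {
    "login_credentials.json": _PLAIN_JSON,
    "encoded_only.json": base64.b64encode(_PLAIN_JSON.encode()).decode(),
    "authinfo_credentials.json": base64.b64encode(_CONSTRUCTED_BLOB).decode(),
}


def audit(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: classify_credential_file(body)["verdict"] for name, body in files.items()}


if __name__ == "__main__":
    for name, result in ((n, classify_credential_file(b)) for n, b in SAMPLE_FILES.items()):
        print(f"{name}: {result}")
```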

Fitbit doesn’t list a security-related email address on their page for reporting these kinds of issues.  I had to open a trouble ticket with support, and quickly had it escalated, in order to disclose this vulnerability.  On the positive side, I was impressed that Fitbit took this issue seriously, and issued a fix within a week of my report.  I continue to be a fan of their products, and am glad to see that they care about user security.

photo by: Louish Pixel

A Sunday in June: My first 50 mile ride

Burton, OH

On Sunday, June 9th, there’s an annual biking event called Sunday in June, held every year on the second Sunday.  This is the first year in which I started to get more serious about road-riding, and this was the first organized bike event that I’ve tried.  Overall, it was a great experience.

I got there around 8:00, and the parking lots were already full.  The event starts and ends at the Century Village in Burton.  There were over a 1000 people at this event, and the atmosphere was pretty much the same as one of the many geek conventions I’ve been to, such as Microsoft Build/PDC.  Imagine a big geek convention like that, except that instead of IT/Computer geeks, these are all bike geeks.  There was music, food, bike mechanics on hand to help get your bike ready for the ride, and a buzz that made me feel excited about attempting to ride a distance that I had never ridden before.

My Trek Madone 2.1 in the foreground. Sunday in June 2013

I signed in, got my registration info, and started to stretch in preparation for the ride.  I knew I was going to do at least 25 miles, but I could also choose 50, 63, or 100 miles.  I really wanted to do 63, but I knew I would really be pushing it to make it to 50.  In retrospect, that was a good decision.  The first 25 miles were fairly easy, except for a steep climb up to Century Village.  The terrain was mainly flat, with some nice rolling hills.  You did have to watch out for the horse manure; after all, we were in Amish country.

After a few snacks and refilling my bottles, I headed out for the second half of the 50 miles.  The second 25 miles were a lot more challenging.  Instead of small, rolling hills, the hills were much higher and steeper.  Around the 40 mile mark, I really started to hit the wall.  My speeds on the flat ground were slower, my hill climbing slowed, and I was coasting as much as possible.  My shoulders were tensing up, and I was very glad I only opted for 50 miles.

One of the coolest parts was seeing all the Amish families hanging out near the road, and cheering us on.  Having never been a part of an organized athletic event before, the thought of random people cheering and encouraging us was completely foreign to me.  It was very cool to see and it must have been a big event for them to see all of these cyclists in their city.

Sara and I, after the ride was over. Sunday In June 2013

However, the best part was the end.  I struggled to make it to the finish line and was able to just barely make it up the final hill.  But I did it.  I crossed the line and did it.  I parked my bike and, just as it was starting to hit me what I had accomplished, I turned around and saw that my wife had surprised me and seen the finish!  It was so cool to see her there like that and have her support.  I had inadvertently ridden right alongside her car, as she was stopped in traffic waiting to park in the city square.  I hadn’t even noticed that as I was riding in.  Frankly, I was just trying to keep moving forward towards the finish line.

There are a few other cycling events in this area this summer that I plan to do, and I hope they are as fun as this one was.

Sunday in June 2013 - 50 Mile Ride

Android at Google I/O 2013: Keynote Wrapup | Android Developers Blog

I was really happy with the Android announcements yesterday from the Google I/O Keynote, as there are a number of things that I can immediately take advantage of as an app developer.

Android Studio

I have been a faithful user of Eclipse, and have avoided even trying some of the other IDEs for Android development.  Just seeing a few of the features yesterday was enough to give the new Android Studio a try.  I love the embedded strings in the code editor, as managing strings in the resources is always a huge pain.

Beta and Limited Rollout

If you are fortunate to have a community of passionate users for your app, you have probably been asked by some of them to help test out early versions of new features.  I recently wrote about my experiences with this, and ended up creating my own beta channel app for these users.  Having this officially be part of the Android Developer Console will save a lot of time, and help other app developers who have not yet made the effort to offer a beta.

Limited Rollout is another great feature.  If your app is used by users for a critical part of their business, it can be risky to introduce new features.  Besides interrupting their business, it can also cause an avalanche of support emails and questions.  Being able to slowly roll out an application will go a long way with major releases.

Google Games Cloud Save

While I’m not a game developer, I was happy to see a Cloud Save feature.  I’m puzzled as to why this is targeted only to game developers though.  Any app developer who has users on both a phone and tablet could benefit from this.  I’d love to see app preferences saved automatically across devices.  If an app has a complicated set of preferences, users are forced to enter (and re-enter) these preferences on every device.  While iCloud’s Core Data Sync isn’t perfect, I think the idea could be applied well to Android to help app developers of any sort synchronize app preferences.  I’m hoping that the Cloud Save feature on Android is generic enough that it can be used outside of games.

Android at Google I/O 2013: Keynote Wrapup | Android Developers Blog.

Exercising for Data with Fitbit

My best day, so far, from the Fitbit dashboard.

Smartphones and health-related apps have been around for several years now.  There are apps to track your exercise, track your food and diet, find healthy recipes, and share all of this with others who are trying to improve their health.  Most of these apps either require you to manually log your data, or require using your phone’s GPS to track your activity (something which drains your phone’s battery pretty quickly).  The next evolution in smartphone health is integrating low-power sensors with Bluetooth, to create a system that automatically generates and logs your health data in real time.

I recently purchased a Fitbit after reading about all of this, and was interested in having my smartphone help me to improve my health.  There are now lots of health-related products out there for your smartphone.  Wireless heart-rate monitors, such as the Zephyr Monitor, can be used during exercise to chart your heart rate and help you keep it within your target range.  Activity monitors, such as Fitbit and Nike+, track all of your basic movements, even walking around inside your office or taking the stairs.  This data can be used to calculate the amount of calories above your Basal Metabolic Calorie Rate (the BMCR is the number of calories you would burn if you basically just lay in bed all day).  This helps you determine your total calorie burn for the day, and helps you figure out exactly how many calories to consume and still maintain/lose weight.  Sleep monitors, such as the WakeMate, help monitor your sleep patterns, and try to wake you up in between your REM sleep cycles.

Fitbit Sleep Tracking

Learning about my sleeping habits has been very interesting.

I went with Fitbit because I wanted a device that did both sleep-tracking and activity-tracking.  I wear it everyday so that I have a precise calorie count based on my activity.  I have recently started to improve my diet and exercise, and wanted to find a way to figure out in a more accurate way how my exercise affects my calorie intake.  For my diet, I want to have a calorie deficit of 750 every day.  When I have a lot of activity, this means that I should eat more, but it’s hard to figure out exactly how much more to eat without something like the Fitbit.

Fitbit has been great so far.  But I have started to notice an interesting side effect.  Being a geek, I have always liked statistics and data.  Once I found myself tracking my activity, I immediately wanted to start improving the numbers, almost at a subconscious level.  I have been in my office building for over a year now, and never took the stairs to my office until I started using my Fitbit.  I enjoy seeing the numbers increasing and reaching the goals I have set.  I also started parking further away from my building, and taking more frequent breaks to walk around, so that I can increase my step count.

I was chatting with my friend Jay a few days ago about this, and he said a friend of his now says that he “Exercises for data”.  While I’m exercising for my health, I realized that I’m also doing that.  It’s also a lot of fun to see the data generated by my activity/sleep.  It’s very motivating to see real data (as opposed to manually entered data which may or may not be right), and it almost compels me to try and improve the stats.  While exercising with friends/family has proven to help people stick with a program, I think that exercising for data will also have the same effect.

Are you using a Fitbit or one of these other devices?  Are you “Exercising for Data” now?

Simple ways to back up your important files

From time to time, friends and family ask me about ways to back up their computer’s data.  Losing a hard drive full of MP3s, family pictures, or videos of your kids is a painful experience.  Fortunately, it’s easier than ever to make sure that you never lose any of these.  By writing this article, I’m hoping to avoid the dreaded phone call from someone asking me what they can do when they think they’ve lost something important.

Years ago, my advice would have been to buy an external USB hard drive and manually copy your folders of photos/videos to that drive.  That will work, assuming that you remember to plug in the drive, remember to copy files, and disconnect it properly.  However, I’ve had many external (mechanical) USB drives fail for some unknown reason.  I didn’t drop them or abuse them.  They’ll work fine for a while, but then all of a sudden, you plug one in, and just hear the clicks of death.  Besides hardware reliability issues, a disaster, burglary, or power surge could easily take out your computer AND external hard drive.

It’s important to back up both locally and remotely.  A local backup offers fast and easy access to your data.  A remote backup offers more reliability in case all of your local data is lost or inaccessible.

Local Backup & Storage

We use a NAS (Synology Disk Station DS211j) to store all of our movies, photos, music, and documents.  The NAS is a low-power storage appliance dedicated to storing and serving out files.  It replaced an aging PC that used to fill that role.  Why use a NAS?  The NAS allows us to centralize everything instead of having important data distributed across all of our computers.  If one of our computers should have a hard drive failure, no important data should be lost.

The Disk Station supports dual disks with several RAID options, allowing your data to survive the loss of one of the hard drives.  I have 2x3TB hard drives for all of our media.  I chose the Western Digital Red drives, which are designed to work with most NAS devices.  I also have an external USB drive attached directly to the NAS.  The Synology software makes it easy to set up a backup schedule to the local USB drive.  Synology also supports being a Time Machine device, so your Macs can back up directly to it as well.

So our data is stored on the NAS, and backed up to the external USB drive.  But all of our data is still vulnerable because it’s all in the same location, and external hard drives are flaky at best.

Adding Remote Backup

With the emergence of the cloud, there are lots of ways to back up your data remotely.  The Synology NAS directly supports Amazon S3’s Glacier Storage Service.  Glacier is a low-cost storage service that is perfect for backing up infrequently-accessed data.  It costs as low as $0.01/GB per month to store your data on Glacier.  I would prefer that the Synology software offered some kind of local encryption option, so for now, I’m just backing up photos that are on Facebook already.  Glacier works well, but it’s a bit geeky to set it up correctly and manage your data.

Dropbox, SkyDrive, Google Drive, and Box are great ways to remotely store your files.  Each of these services makes it easy by adding a special folder on your computer that you can manually copy files into.  You can also choose to use these services like a cloud-based NAS, and never have the files on your local PC.  Remember, however, that these services do not protect your privacy, as both the transfer and storage of your files is not fully encrypted.  There are a growing number of providers, such as FileLocker, that provide a secure cloud storage capability.  You can also look at services such as Carbonite to remotely back up all of the PCs in your house.  Uploading photos to social media sites like Facebook and Google+ is itself a form of remote backup.  You can utilize music streaming services such as iTunes/iCloud, Amazon Cloud Player, and Google Music to keep your MP3 library safe and accessible.

In the event of a computer failure, it will take longer (and potentially cost something) to retrieve your remote backup data.  But if all of your local copies are wiped out, that’s a small price to pay.  Check out the privacy policies and security for any cloud-based storage system that you choose to use.

Cheap Flash Memory Backup

Ever see those cheap USB thumb drives and/or SD cards that Microcenter sells near the registers?  Another cost-effective backup strategy is to pick up a few 8GB or 16GB devices, and use them as another backup destination.  Because flash memory devices have no moving parts, they are not subject to the mechanical failures that an external USB hard drive can have.  An external SSD drive will work well here too, and allow you to store more on a single drive than the USB/SD drives.  You can copy files onto them, throw them in a drawer, and they will be readable for years to come.  Storing a few of these off-site will increase the reliability of your backup strategy.

NAS Appliances

If you’re interested in learning more about NAS appliances (either to buy or build one), check out Lifehacker’s articles on buying or building a NAS.

Use REST Web services to share data across iOS and Android apps.

REST Web Services can be a great way to share data between iOS and Android mobile apps.  I recently answered a question on Quora about this topic.  Here’s my answer:

There are several different options here.  When you want to support multiple mobile platforms, creating a simple REST API is a good way to go.  SOAP-based protocols are going to be too complex, slow, and difficult to use from a mobile device.

It sounds like you already have the data being sent to a web server.  From there you will need to store the data in a SQL database, such as MySQL or PostgreSQL.  When you want users to see the other scores, you can implement a simple GET request on your same web service which would query the database, and return back the scores of the other users.

When submitting the score, your app can use this GET operation to read the other scores before submitting its own score.

Alternatively, if you need real-time scoring updates, you can use push notifications.  Both Apple and Google have push notification capabilities in their architecture, but this will add some complexity and server requirements.  If you don’t need real-time updates, I’d suggest each app just read the other scores from the leaderboard as needed.

http://developer.apple.com/libra…

Google Cloud Messaging for Android

Securing your app’s data on Android

Great article by SecureState’s Brandon Knight on Mobile App Security.

Securing your data is a common Android security problem.  During my development of Android apps, I’ve noticed lots of information being stored in unprotected areas of the filesystem, such as the /sdcard/Android/data folder.  For example, any file you view or cache offline from Dropbox is stored in /sdcard/Android/data/com.dropbox.android.  Given that Dropbox could be used for both personal and team-based uses, it’s easy to see that corporate data isn’t safe here either.

During the Android 2.2 days, many phones (such as my HTC EVO) had ~200MB available for apps (and storage), supplemented by micro SD.  There was no choice but to save information on the micro SD.  The newer Android phones ship with much more internal storage, meaning app developers can (and should) begin to move to saving data in the app sandbox instead of the public space.  It will take a long time before app developers change over to the new model.  In the meantime, users should be aware of what data is being stored on the micro SD and other public areas of the filesystem.

Woodsmith #194 Media Center Part II

Progress on my woodworking project to build a media center has slowed, but is still moving along.

(Also see Part I, or Visit Woodsmith to find Entertainment/Media Center plans in Issue 194).

Both the left and right tower cabinets are assembled and have face frames installed.  I expanded both the height and width of the media center towers so that a larger TV could be accommodated, as well as more space for storage.  The towers are nearly 7′ tall and 24″ wide.

Lots and lots of sanding.  The maple plywood just requires a light sanding at 220.  The solid maple face frames take a little more time.  I’ve been starting at 120 and working my way up to 220.

Woodsmith #194 Media Center Sawdust

Face frame sawdust.

Here’s the two tower cabinets side-by-side.  Space in the garage is now at a premium.

Woodsmith #194 Media Center

Each of the tower cabinets has two drawers on the bottom.  You can see the drawer slides in the picture above.  Each drawer is approximately 18.5″ wide and 12.5″ deep.  We’ll probably use these drawers for storing Blu-rays and Xbox accessories.

The first drawer is almost done, 3 more to build.

Woodsmith #194 Media Center Dovetail drawers

I decided to use dovetails since my wife bought me a new Porter-Cable dovetail jig for Christmas.  After spending some time setting up the jig and calibrating my router, I was ready to make some dovetails.  My first two attempts didn’t go so well.  After tweaking the jig a few more times, I finally dialed in the right settings.  It’s a great jig, and I’m anxious to build these drawers and then try it with some other projects.

Android Developers Blog: New Google Maps Android API now part of Google Play services

I’m excited about the new Map Fragment in the latest Google Play services!  I’ve wanted to embed a Map View into one of my fragments for a while.  A lot of developers have requested this feature, and I’m glad to see it in the support library.

Android Developers Blog: New Google Maps Android API now part of Google Play services

Woodsmith #194 Media Center Part I

Back in October, I began a new woodworking project to build a media center for the living room.  Currently, my college entertainment center (designed for a 36″ CRT TV) serves as the only storage in the living room, and doesn’t do a great job.  It’s time for something better.  After looking around for plans, we finally picked this media center from Woodsmith #194:

Woodsmith #194

The next question…what kind of wood to use.  After seeing similar units in stores such as Pottery Barn and Crate & Barrel, the darker finishes really appealed to us.  Since I have a garage full of walnut, this was my first choice.  I quickly found that walnut plywood was too cost-prohibitive.  Instead, I settled on building this with maple, since I also have a lot of that as well.  I spent some time working on a dark finish:

Testing out various staining and glaze techniques.

Once I found a good dye/glaze combination that achieved the dark finish, it was time to make some sawdust.  I started making the center console.  The plans allowed for a 55″ TV, but knowing me, I wanted to be able to support an even larger TV.  By increasing the width of the center console, this unit should allow us to have a 65″ TV in this media center.

Center cabinet for the TV

Making the center cabinet went by really fast.  It features inset doors, which was a first for me.  It also features two pull-out drawers for easy access to all of the electronics, and ample space for heat dissipation.  I plan to mount a high-grade power strip and gigabit ethernet switch for all of the components that require ethernet.  In the end, I will also be mounting some LED strip lighting inside the case as well, to make it easy to see inside the cabinet.

The inset doors were easier than I expected.  Mounting the doors with the euro-style hinges was also easier than I thought it would be.  It was also a first for me to use drawer slides for the two component trays.  That part was also easier than expected, and the slides work great.

Once the center unit was complete, I moved on to build the bridge unit that will sit above the center console.  The bridge unit was a fairly easy build.  Simple box construction, face frames, and a top that allows for a crown molding detail.

Bridge Cabinet

Here’s the Center and Bridge console together.

Bridge and Center cabinet together

In the next post, I’ll share some pictures of the two tower cabinets.  I have started to make some progress there as well, and I’m anxious to get both of the tower cabinets complete as well.  I can’t wait to bolt this unit together to see it all as one.