Leaked Xiaomi Mi 5 retail box shows color options

We’re getting close to the Xiaomi Mi 5 launch. We’ve learned a lot about this new smartphone, although most of it comes from unconfirmed rumors and leaks. The last one we noted was the IR blaster and laser focus. The phone was also listed earlier on GearBest in three color options: gold, black, and white. The latest leaked images shared over on Weibo show us the retail packaging of the Xiaomi Mi 5.

The box shows the smartphone in not just three colors but four. There’s gold, black, and white, all right, plus pink. Note that we already saw a pink version in an earlier leak. The post on Weibo shows several shots of the retail box plus one showing boxes stacked up in what we believe is a factory or warehouse. The Mi 5 seems to be ready for distribution.

The phone is also said to be unveiled officially on February 24 at the Mobile World Congress in Barcelona but the images we’ve been seeing are more than enough to tell us how it would look.


Another image popped up on Weibo, a screenshot of the Mi 5 home screen, giving us an idea that there might be Dual SIM support and NFC capability. The MWC is still a few weeks from now so let’s sit back and relax before the official launch. And oh, expect more rumors and leaks.

VIA: Weibo (1),(2)


Your phone will become more important than your password


The password may be one of the worst security elements we have.

Passwords are oftentimes easily guessed because we, as humans, are generally pretty bad at creating and remembering them. So, we use weak passwords across multiple accounts. We use simple passwords like “123456” or “password.” We share our passwords with our friends and family members (I’m looking at you, Netflix-share-ers).

The industry has also yet to find something better. The phone, however, presents new and exciting ways for companies to protect their accounts, which means the phone is also becoming a critical part of the hacker “kill chain.”

As we move into a time where serious data breaches happen multiple times a week, companies are emphasizing two-factor authentication for their accounts. The idea is that you know something, but you also have something. For example, an account may require a password in addition to a code sent to your phone (think of the Google Authenticator app).

Yahoo, for example, offers its users the option to sign into its email through a push notification sent to their phone. The idea is, if you have your phone, you can verify that you are who you say you are with the click of a button.

Mobile devices as targets

This also means, however, that the phone is becoming a target for attacks. Two-factor authentication and the like create a new attack scenario in which attackers must obtain control over a mobile device in order to gain a little more access into the target system.

Two-factor and other iterations on our traditional authentication models are welcome advancements. They will, however, introduce new attack vectors, such as the mobile device, which will require a rethinking of where enterprise security priorities lie.

As the kill chain expands to include mobile devices, cybersecurity budgets also need to expand to include mobile device protection. Lacking security here may mean leaving an open hole in a company’s perimeter and it’s not a hole that will likely go unnoticed.


App Update Tool Could Endanger iOS Users

On Wednesday, FireEye posted a very detailed article about a concerning trend among iOS developers. Some developers are integrating an update library called JSPatch, used for delivering faster updates to their apps.

That’s a great idea, but unfortunately, there are some serious security concerns involved.

Apple exerts very tight control over the iOS App Store, in an attempt to keep malware out. All iOS apps have to go through a review process, both initially and at the time of any updates. If an app doesn’t pass the process, the developer must revise it and try again (or give up on iOS, which is not an appealing option for most developers).

Unfortunately, the app review process can be lengthy. Approval times vary wildly; according to some statistics, it rarely happens in less than 6 days, and can swing much higher than that at peak times.

So, imagine you’re an app developer with a critical issue in your app, and you’ve got to get a fix pushed out now. Unfortunately, it’s probably going to take at least 5-6 days, and probably longer, before your update is in the hands of users. In the meantime, of course, you get bad reviews, complaints on user forums, etc. This kind of bad publicity can kill a product.

Now imagine that someone offered you a way to update your app today, instead of next week. Sounds appealing, right? That’s exactly what JSPatch offers. Developers can incorporate JSPatch into their code, then deploy updates through JSPatch, by writing JavaScript code that calls through to iOS code directly.

This sounds great for developers and users alike, but you’re reading about this on the Malwarebytes site… it doesn’t take a genius to know there’s a “but” coming.

Apple’s App Store review process exists for a reason: to ensure that apps in the App Store are well-behaved, and are only doing things that they’re allowed to do. There are many code libraries in iOS that third-party apps simply aren’t allowed to touch. However, the only enforcement of that is in the review process. There’s no restriction in the system that prevents apps from using certain functions.

This means that apps that use JSPatch are essentially bypassing the review process, and thus can call all manner of restricted routines. An app could potentially import code via JSPatch that would allow it to capture your private data, for example, using code that would have gotten that app rejected by the App Store review process.

This opens the door to many potential abuses. An app developer could publish an innocuous app in the iOS App Store, get it approved, then push changes that would steal all your photos or potentially scrape passwords out of the iOS Pasteboard.

Worse, a legit developer could incorporate a third-party code library that is not as trustworthy as he/she thought. Then, the maker of that library could push malicious changes to a legit app.

Even if the developer is entirely trustworthy and uses no third-party code in their app, there’s another possible issue. If you connect your iOS device to an untrustworthy Wi-Fi network, and there’s a security issue with how that app downloads its updates via JSPatch, an attacker in a privileged position on that network could inject malicious code through a fake update.
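The fake-update case is the one an app developer can close on their own: hand a downloaded script to the engine only if it carries a valid signature from a key pinned inside the app. The following is an added example, not code from JSPatch, FireEye or this article; it models the check in Node.js, and `signPatch`, `checkPatch`, the patch fields and both key pairs are hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed keys. In practice the release private key never leaves the
// developer's build machine; only the public key is compiled into the app.
const { publicKey: PINNED_PUBLIC_KEY, privateKey: releaseKey } =
  crypto.generateKeyPairSync('ed25519');
const { privateKey: attackerKey } = crypto.generateKeyPairSync('ed25519');

// Developer side: sign the version together with the script, so an old but
// validly signed patch cannot be replayed later as a "new" update.
function signPatch(version, script, key) {
  const payload = Buffer.from(JSON.stringify({ version, script }));
  return { version, script, sig: crypto.sign(null, payload, key).toString('base64') };
}

// App side: decide whether a downloaded patch may reach the script engine.
function checkPatch(patch, installedVersion) {
  if (!patch || !Number.isInteger(patch.version) ||
      typeof patch.script !== 'string' || typeof patch.sig !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  const payload = Buffer.from(
    JSON.stringify({ version: patch.version, script: patch.script }));
  const sig = Buffer.from(patch.sig, 'base64');
  // Ed25519 signatures are always 64 bytes; anything else is rejected early.
  if (sig.length !== 64 || !crypto.verify(null, payload, PINNED_PUBLIC_KEY, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (patch.version <= installedVersion) {
    return { ok: false, reason: 'rollback' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample patches: a genuine one, one modified in transit, and one
// signed with a key the app does not trust.
const genuine = signPatch(2, 'fixCrashOnLaunch();', releaseKey);
const tampered = { ...genuine, script: 'scriptSwappedOnTheNetwork();' };
const forged = signPatch(3, 'scriptSwappedOnTheNetwork();', attackerKey);
```

This check only addresses tampering in transit. It does nothing about the earlier cases, where the party holding the signing key (the developer or a bundled third-party library) pushes the unwanted code.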

Unfortunately for security-conscious users, there’s no easy way to determine whether a particular app includes JSPatch, which means you could be vulnerable right now and not even know it. Apple does not allow anti-malware apps in the iOS App Store, due to security restrictions that effectively neuter such software. However, that means nothing can scan your iPhone for potentially vulnerable apps.

Unfortunately, even if Apple decides to ban all JSPatch code from the iOS App Store, it’s easily possible that a malicious developer could create a similar method for dynamically altering the functionality of his/her app without getting blocked.

This is a potentially very serious issue with iOS that could open the door to more widespread iOS malware. It will be interesting to see how Apple handles it.

LG makes fun of Samsung over the S6 edge’s lack of removable battery

“Life’s Good,” says LG. And it’s more fun when you take some time to tease a competitor. LG’s reply to Samsung on Twitter will make you laugh (maybe even LOL) because it was a sarcastic remark about Samsung phones not having a removable battery. You see, Samsung’s batteries are now built-in/non-removable, much to the chagrin of fans. LG went on with the tradition with the LG G4 by still using a removable battery.

When Samsung Mobile posted a photo of a Samsung Galaxy S6 edge+ and boasted that it can be fully charged in 90 minutes, LG USA Mobile suggested one can go from zero to full charge in an instant with a removable battery and shared a link to the LG V10 product page.


It’s funny on some levels and we commend LG for being so straightforward. Could this mean the next LG G5 will still have a removable battery? Looks like it. That modular battery design could be the removable battery part of the next LG flagship. We’re very much interested in the rumored ‘Magic Slot’. Perhaps LG got the idea from modular phones being conceptualized in the past years, although we’re not expecting the G5 would be purely modular.

Samsung’s lack of a removable battery has done the company harm. It may only be following Apple but it certainly didn’t do the South Korean giant any good. In this day and age, when people are demanding bigger batteries and capacities, all while more apps, specs, and features are draining them faster, OEMs should think of more solutions. The easiest way now is to just pop a new battery in. No more waiting for the phone to be fully charged. No need for power banks or quick charging tech, just put in a new battery.

LG’s witty tweet had the netizens LOL-ing and comparing the two. Let’s see whether LG will stick to removable batteries, and for how long.

