Researcher To Release Web-Based Android Attack - Vibrant General

I hope we get 2.2
http://it.slashdot.org/story/10/11/05/0229205/Researcher-To-Release-Web-Based-Android-Attack
"The attack targets the browser in older, Android 2.1-and-earlier versions of the phones."

http://forums.t-mobile.com/t5/Samsung-Vibrant/Security-vulnerability-in-2-1/td-p/535335
And the thread appears to have already been locked.
EDIT: My bad, the link icon isn't a lock icon.

What an ass. So he figures out something and now hes going to release it?
So is his intensions to piss people off or force Googles hands to fix it?

kizer said:
What an ass. So he figures out something and now hes going to release it?
So is his intensions to piss people off or force Googles hands to fix it?
Click to expand...
Click to collapse
I think its the latter. That, or to light a fire under the OEMs & network operators to get 2.2 out to more devices. Just my $0.02...
Sent from my SGH-T959 using XDA App

The current OEM vendor/carrier model is one of the worst parts of Android. Google attempted to break this model via the Nexus One. Hopefully it does light a fire to improve the security model for these phones.
Google may be forced to rein in some of the rampant variances to secure the platform via enforcing a minimum level of compliance to security updates or else revoke a phone makers ability to use the Android trademark.
The problem has already been fixed with 2.2, so the onus is on the OEMs to get their act together.

Some things make me want to respect this guy, then again it affects me since we have yet to recieve 2.2. But yes I believe all android phones should be running current software.

I wonder if you need to be rooted in order to fall the vicitm, unless you can push superuser.apk via the exploit and run it.
Have to give him props for trying, and like seeing that he is using linux based OS to develop on

lqaddict said:
I wonder if you need to be rooted in order to fall the vicitm, unless you can push superuser.apk via the exploit and run it.
Have to give him props for trying, and like seeing that he is using linux based OS to develop on
Click to expand...
Click to collapse
Youre right! Maybe he works for T-mobile and is secretely making all our phones go back to stock and unrootable. Which in turns means they will never release 2.2 hahaha. <- By the way do not take this as actual fact I know how the paranaoid are here on the forums lol

lqaddict said:
I wonder if you need to be rooted in order to fall the vicitm, unless you can push superuser.apk via the exploit and run it.
Have to give him props for trying, and like seeing that he is using linux based OS to develop on
Click to expand...
Click to collapse
No, this a generic exploit within WebKit. The actual exploit itself doesn't have superuser access, it can only access what the web browser is able to access. It can't make phone calls or generate SMS messages, but it can access files like photos and whatever else is available to non-rooted apps.

I don't know why you guys think this guy is a douche. This is how it always worked. When people find security vulnerbilities, they tell the company, but the company usually doesn't move it up to the top of the list to fix. So they mention the type of security flaw there is, sends the information to the company, and sometimes even mention it at conferences. After publicly announcing it, they give the company time to fix it, otherwise it's the company's fault for not getting their ass in gear to fix the security issue.

DKYang said:
I don't know why you guys think this guy is a douche. This is how it always worked. When people find security vulnerbilities, they tell the company, but the company usually doesn't move it up to the top of the list to fix. So they mention the type of security flaw there is, sends the information to the company, and sometimes even mention it at conferences. After publicly announcing it, they give the company time to fix it, otherwise it's the company's fault for not getting their ass in gear to fix the security issue.
Click to expand...
Click to collapse
I do no see how he is a douche.
Ignoring the issue does not make it disappear, and he clearly has done his work to make the issue public in hopes it gets addressed.
Releasing a code with a security hole that you have to use something to circumvent the security of the device to fix is douche (apple vs jailbreakme.com anyone)

kizer said:
What an ass. So he figures out something and now hes going to release it?
So is his intensions to piss people off or force Googles hands to fix it?
Click to expand...
Click to collapse
I was paranoid by this too. My Vibrant will shackled from having sex with the web until it gets 2.2 Maybe that researcher wants them to release Froyo soon so use this to leverage against them to release ASAP?

I don't think he's a douche. I honestly want to believe that google would push carriers to be on the same OS. Just the fact that not all android phones can handle the 2.2 OS - And so people stuck with those phones and would be affected by this flaw is pretty crappy. But I really hope this makes carriers want their phones updated and running the latest and greatest. Only time will tell.

Related

SE's attitude to root

In SE official support thread, I,and several other users, pestered one of SE support staff, asking if they would help us root the phone, to which the answer was no. Another user then asked, will SE actively try to prevent root, to which they also answered "no". What ius the opinion of the board as to whether we can trust them?
supamanc said:
In SE official support thread, I,and several other users, pestered one of SE support staff, asking if they would help us root the phone, to which the answer was no. Another user then asked, will SE actively try to prevent root, to which they also answered "no". What ius the opinion of the board as to whether we can trust them?
Click to expand...
Click to collapse
A link to the seconde "no" post ?
Vilam said:
A link to the seconde "no" post ?
Click to expand...
Click to collapse
what he said
Vilam said:
A link to the seconde "no" post ?
Click to expand...
Click to collapse
I knew I should've bookmarked that response... searching... Man SE forums don't make linking to a specific post that easy. OK, here we are.
http://talk.sonyericsson.com/message/1910#1910
For reference, my question:
saltorio on talk.sonyericsson.com said:
Jeff:
Before we all get up in arms, lets make sure we understand you correctly. By "There are no plans to allow root access on the the Xperia™ X10.", do you mean that SE will actively do what they can to prevent users from achieving root access, or do you simply mean that SE will not put in any efforts to simplify the process for users?
If the latter, I think most of us can understand.
However, if it's the former I think SE is really out-of-touch with the Android community and the concept of an "open" system. Couple such a decision with the mis-information about the X10 that was released by SE itself prior to it's release in regards to multi-touch support, the decision to release the X10 with the already out-dated Android 1.6, and then the decision to offer an upgrade to 2.1 at the end of the year, nearly 6 months after the release of 2.2, and it's looking completely like SE really doesn't care about it's customers.
The X10 hardware is pretty good (though the aforementioned lack of multi-touch is still a bad decision). However, the software requires alot of work. The X10 has been plagued by poor battery performance that appears to be the result of bad coding in the Home app, and Timescape is slow and buggy. The OS (as mentioned) is out-dated, and falling further behind, and SE's commitments to address these issues seem far-sighted and as not being enough.
If SE want's their sales to thrive, they need to address the issues with the X10's software. Since you don't seem to be in any rush to do so, what is the issue with allowing the community to do it for you?
Rumor has it SE has more Android handsets in the works. If you want sales of these devices, you'd better embrace your customers. As no amount of positive reviews (of which those for the X10 were mostly only luke-warm) will save a brand hampered by widespread customer satisfaction published all over the web.
Click to expand...
Click to collapse
And Jeff's (from SE) response:
Jeff on talk.sonyericsson.com said:
Hi,
Just a quick reply to say "SE will not put in any efforts to simplify the process for users" is correct.
Click to expand...
Click to collapse
The problem I see with SE's position, is that they could easily patch the exploit that the rooters have used, claiming it's a security flaw that required a fix. They then kill the root while being able to claim Jeff wasn't lying as they're looking out for their customer's best interests by fixing security holes.
Has there been EVER a manufacturer that supports root?
http://wiki.openmoko.org/wiki/Main_Page supprts root
visitador02 said:
Has there been EVER a manufacturer that supports root?
Click to expand...
Click to collapse
HTC and Google with their nexus one.
i wouldnt believe anything a cs agent/forum agent says to be honest. Its probably a correct answer as far as he knows for now but unfortunately it wont be anything to do with him whether SE patch it or not.
Its the same with the update. People believing what they twitter. The front end people in these companies are always the last to know whats going on and the first to get asked by their customers.
HunteronX said:
HTC and Google with their nexus one.
Click to expand...
Click to collapse
No, it is a Google branded phone. So, Google wants you to play with it.
I haven't seen HTC do it.
visitador02 said:
Has there been EVER a manufacturer that supports root?
Click to expand...
Click to collapse
Nokia N900
I wouldn't be too surprised if SE didn't patch the "root hole". The decision to lock the root so securely (as I understand) wasn't so much to curb piracy or to completely lock down the phone, but more as a safety device for the many people who don't have the technical knowledge that we see here on XDA.
SE were getting many phones returned because it was all too easy to brick the phone by attempting to install roms/updates which were either not designed for the device or otherwise having access to the filesystem - it's not quite like the situation with, for example, the PSP; where holes are being patched as they are found with newer firmwares, to try and stem the rampant piracy problem on that platform.
SE have no vested interest in the sale of software on the X10, nor in spending time and resources plugging holes in the security of root on their phones.
I think it's enough for SE that acheiving root is relatively technical, and that not too many users will be trying it - and also those users will probably be quite happy to be trawling forums for a fix rather than sending their device straight off to SE.
This is of course all conjecture - they might chase root holes and close them down on each and every exploit. But I doubt it.
SquidgyB said:
I wouldn't be too surprised if SE didn't patch the "root hole". The decision to lock the root so securely (as I understand) wasn't so much to curb piracy or to completely lock down the phone, but more as a safety device for the many people who don't have the technical knowledge that we see here on XDA.
SE were getting many phones returned because it was all too easy to brick the phone by attempting to install roms/updates which were either not designed for the device or otherwise having access to the filesystem - it's not quite like the situation with, for example, the PSP; where holes are being patched as they are found with newer firmwares, to try and stem the rampant piracy problem on that platform.
SE have no vested interest in the sale of software on the X10, nor in spending time and resources plugging holes in the security of root on their phones.
I think it's enough for SE that acheiving root is relatively technical, and that not too many users will be trying it - and also those users will probably be quite happy to be trawling forums for a fix rather than sending their device straight off to SE.
This is of course all conjecture - they might chase root holes and close them down on each and every exploit. But I doubt it.
Click to expand...
Click to collapse
I really want that to be true, and judging from the people I know in the development department of SE's mobile division it sounds like achieving root is almost considered an accolade.
The bit about making it hard to flash unsigned stuff to minimise the risk of people flashing random [email protected] to their phones makes good sense.

A Discussion with Google??

I want to start this discussion because I haven't seen it anywhere and I read several Android forums. I love the platform and it's "openess" but it seems that requirements from Google fall just short of making this the best platform ever for handsets.
We are all screaming at Motorola about the signed bl but we aren't focusing enough on the greater issue. The Android license from Google seems to allow this or maybe it is less specific to Google than to some other entity but I don't speak lawyerese so i'm not sure. Anyway, here is what I keep reading from Motorola...
"The use of open source software, such as the Linux kernel or the Android platform, in a consumer device does not require the handset running such software to be open for re-flashing. We comply with the licenses, including GPLv2, for each of the open source packages in our handsets"
My point of discussion is this, why aren't we asking Google what they can do? Why can't Google simply state that "we will not allow our software to be damaged in this way"? Why do they allow Verizon, at&t, Motorola, HTC or anyone else manipulate their software in a way that brings so much resentment? Is it not in Google's best interest to force this platform to remain open? I realize this is a double edged sword because open means people can do what they want, which holds true for companies also but I think that everyone realizes that Google's intent was that this would benefit everyone, not just the companies.
Also, everyone seems to forget that HTC is messing around with trying to lock down the NAND. Just because geniuses get past the protection doesn't mean that HTC isn't trying. If the Droid X is a huge success, even with this restriction in place, then what makes any of you think that the rest will not follow suit?
Because open means that you can do whatever you want with it. There is nothing stopping anyone from using it, modifying it for their own uses, and putting it in any device that would support it. That's why a company can strip down all of Google stuff from it and put Bing if they want to, and Google wouldn't be able to complain. The whole point of open and free software is that you compete by actually being the best at something. You keep Google stuff in Android because well, they work best.
Now, when you put Android in a device you manufacture, you do have the rights to do whatever you want with the device. This seems to be a hardware protection on top of the software ones. You know how DRM'd mp3 stop working? well, it's not much different, except that now there is physical damage.
True, these measures defeat the whole purpose of being open, but what the heck. Being truly open means making a great product, and then not complaining when someone grabs it and beats you with it. You have are always competing to deliver the best product, and that's why open is awesome.
Who was it that said: "I can't agree with what you are saying, but I will defend to the death your right to say it"?
Open goes both ways. The company (Motorola) has every right to lock down the bootloader and prevent others from flashing.
You guys are looking at it as if Motorola did this to prevent people from flashing custom roms. The real reason they did it was to prevent others from stealing their rom and porting it to another phone. If you like the "ninjablur" UI, you need to buy the DroidX.
Ryan Frawley said:
Open goes both ways. The company (Motorola) has every right to lock down the bootloader and prevent others from flashing.
You guys are looking at it as if Motorola did this to prevent people from flashing custom roms. The real reason they did it was to prevent others from stealing their rom and porting it to another phone. If you like the "ninjablur" UI, you need to buy the DroidX.
Click to expand...
Click to collapse
Actually, I don't agree. I'm pretty sure one could extract those widgets if you really wanted to. (They "Ain't all that" if you ask me. - And yes, I did buy an X yesterday and love it. Just ain't crazy about those widgets).
I think the real reason this is locked down is to prevent custom ROM/Root access to enable tethering. There are other issues I'm sure, but at the top of the list is to protect that revenue Big Red is trying to generate.
As to Google 'Stopping' the carriers from locking this down, please understand that if the carriers can't protect their revenue streams, they simply won't allow the phones on their network, and that would hinder the growth of the OS in general.
Don't take any of my words as endorsement of VZW/Moto actions. I'll be first in line to flash/root my phone when/if its ever possible. I'm just a realist. VZW wants $20/month for WiFi Tether. They are going to do as much as reasonably possible to keep you from doing that for free.
In a related note, 2.2 Froyo does tethering natively. I expect this to be crippled/disabled when we get our update in a couple of months.
I don't agree with the idea that companies would stop supporting the platform. The Droid has been a cash cow for verizon and it is an open book. Google could easily ask that their platform remain open for all to enjoy.
Beyond that, if Google allows them to gimp their OS then Google has created something entirely for the benefit of companies and not at all for the general population. I don't believe this is true. I think that the changes will start with Android v3.0. Google will start getting more pissy about custom crap especially if it makes their product seem worse and increase the chance that Android will be looked upon negatively.
Despiadado1 said:
I don't agree with the idea that companies would stop supporting the platform. The Droid has been a cash cow for verizon and it is an open book. Google could easily ask that their platform remain open for all to enjoy.
Beyond that, if Google allows them to gimp their OS then Google has created something entirely for the benefit of companies and not at all for the general population. I don't believe this is true. I think that the changes will start with Android v3.0. Google will start getting more pissy about custom crap especially if it makes their product seem worse and increase the chance that Android will be looked upon negatively.
Click to expand...
Click to collapse
Its the same problem with windows, the OS gets blamed for what hardware vendors do to it... we see this $400 computers getting compared to Apples $1500+ computers and thats some how proof windows sucks, I never had problems with Vista being slow, but people and there $400 computer did.
The problem with Android, specifically the scrolling smoothness, is the vendors custom Android OS setups...
FtL1776 said:
Its the same problem with windows, the OS gets blamed for what hardware vendors do to it... we see this $400 computers getting compared to Apples $1500+ computers and thats some how proof windows sucks, I never had problems with Vista being slow, but people and there $400 computer did.
The problem with Android, specifically the scrolling smoothness, is the vendors custom Android OS setups...
Click to expand...
Click to collapse
To be fair, I think the scrolling smoothness is half crappy hardware and half Android's lack of hardware acceleration.
Mikerrrrrrrr said:
To be fair, I think the scrolling smoothness is half crappy hardware and half Android's lack of hardware acceleration.
Click to expand...
Click to collapse
No some custom roms fix those issues because they enable the hardware acceleration, which again shows that Google really should crack down on some of these custom versions of Android on phones.
Zaphod-Beeblebrox said:
Actually, I don't agree. I'm pretty sure one could extract those widgets if you really wanted to. (They "Ain't all that" if you ask me. - And yes, I did buy an X yesterday and love it. Just ain't crazy about those widgets).
I think the real reason this is locked down is to prevent custom ROM/Root access to enable tethering. There are other issues I'm sure, but at the top of the list is to protect that revenue Big Red is trying to generate.
As to Google 'Stopping' the carriers from locking this down, please understand that if the carriers can't protect their revenue streams, they simply won't allow the phones on their network, and that would hinder the growth of the OS in general.
Don't take any of my words as endorsement of VZW/Moto actions. I'll be first in line to flash/root my phone when/if its ever possible. I'm just a realist. VZW wants $20/month for WiFi Tether. They are going to do as much as reasonably possible to keep you from doing that for free.
In a related note, 2.2 Froyo does tethering natively. I expect this to be crippled/disabled when we get our update in a couple of months.
Click to expand...
Click to collapse
Motorola has said so itself. The reason Droid X is locked down is because they don't want people stealing their custom UI. Widgets are only part of this UI. The inability to flash custom roms is merely a consequence of protecting their UI.
FtL1776 said:
No some custom roms fix those issues because they enable the hardware acceleration, which again shows that Google really should crack down on some of these custom versions of Android on phones.
Click to expand...
Click to collapse
Ah. Didn't know that.

Android Security: A neglected subject (long)

First of all: I'm an OSS advocate and love the idea of open source. Don't forget that while reading this.
Some 2 month ago, I got myself a Galaxy S. It's not exactly cheap, but on the other side, it's really good hardware. This thread is not about Samsung or the Galaxy S. It's about the missing parts of android security.
We all know it from our home computers: Software sometimes has bugs. Some just annoy us, others are potentially dangerous for our beloved data. Our data sometimes gets stolen or deleted due to viruses. Viruses enter our machines by exploiting bugs that allow for code execution or priviledge escalation. To stay patched, we regularly execute our "apt-get update;apt-get dist-upgrade" or use windows update. We do this to close security holes on our systems.
In the PC world, the software and OS manufacturers release security bulletins to inform users of potentially dangerous issues. They say how to work around them or provide a patch.
How do we stay informed about issues and keep our Android devices updated?
Here's what Google says:
We will publicly announce security bugs when the fixes are available via postings to the android-security-announce group on Google Groups.
Click to expand...
Click to collapse
Source: http://developer.android.com/guide/appendix/faq/security.html#informed
OK, that particular group is empty (except for a welcome post). Maybe there are no bugs in Android. Go check yourself and google a bit - they do exist.
"So why doesn't Google tell us?", you ask. I don't know. What I know is that the various components of Android (WebKit, kernel, ...) do have bugs. There's nothing wrong with that BTW, software is made by people - and people make mistakes and write buggy code all the time. Just read the changelogs or release notes.
"Wait", I head you say, "there are no changelogs or release notes for Android releases".
Oh - so let's sum up what we need to stay informed about security issues, bugs and workarounds:
* Security bulletins and
* Patches or Workaround information
What of these do we have? Right, nada, zilch, rien.
I'll leave it up to you to decide if that's good common practise.
"But why is this important anyway", you ask.
Well, remember my example above. You visit a website and suddenly find all your stored passwords floating around on the internet. Don't tell me that's not possible, there was a WebKit bug in 2.2 that did just that. Another scenario would be a drive-by download that breaks out of the sandbox and makes expensive phone calls. Or orders subscriptions for monthly new ringtones, raising your bill by orders of magnitute. Or shares your music on illegal download portals (shh, don't tell the RIAA that this is remotely possible).
The bug is probably fixed in 2.2.1 - but without changelogs we can't be sure.
But that's not all - there's a second problem. Not only are we unaware of security issues, we also don't have automated update mechanisms.
We only receive updates when our phone's manufacturers release new firmware. Sadly, not all manufacturers support their phones in the long run.
In the PC world, most Distros have a central package management - that Google forgot to implement in Android. Agreed, some phones can receive OTA updates, but that depends on the carrier. And because of the differences in Android versions it's not possible to have a central patch management either. So we do not know if our Android devices might have security issues. We also have no easy way to patch them.
Perhaps you knew this before, then I apologize for taking your time.
What do YOU - the computer literate and security aware XDA users - think about this? Do you think that's a problem? Or would you rather say that these are minor problems?
Very intresting, thanks! The update problem should be fixed with the next release, no more custom UIs and mods from phone manufacturers,at least google said that
Sent from my Nexus One using XDA App
Excellent post and quite agree with you. The other significant problem looming is the granularity (or rather, lack thereof) in app permissions which can cause problems you describe without bugs and exploits. I install an app that does something interesting with contacts and also has internet access to display ads. How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
I love Android but it's an accident waiting to happen unless the kind of changes you advocate are implemented and granularity of permissions significantly increased. I don't like much about Apple but their walled garden app store is something they did get right although IMHO, they also abuse that power to stifle competition. Bring out the feds!
simonta said:
The other significant problem looming is the granularity (or rather, lack thereof) in app permissions [...]
How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
Click to expand...
Click to collapse
I agree, although I'm not sure that less experienced users might have difficulties with such options.
simonta said:
I love Android but it's an accident waiting to happen
Click to expand...
Click to collapse
Sad but true. I'm just curious what Google will do when the first problems arise and the first users will have groundshaking bills.
If that happens to just a few users, it'll get a kind media coverage Google surely won't like.
I've seen quite a few android exploits posted on bugtraq over the years. It's a high-volume email list, but with some filtering of stuff you don't care about, it becomes manageable. It's been around forever and is a good resource if you want the latest security news on just about anything computer related.
http://www.securityfocus.com/archive/1/description
People are bashing a lot about the Android security model but the truth is you can never have 100% protection with ANY solution.
Apple is not allowing any app in their store. Fine. but mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. but they can never tell what an app is really doing. Therefore they would neeed to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Speaking again of Android. I think the permission model is not bad. I mean, no other OS got such detailed description about what an app can do or not. But unfortunately it can only filter out very conspicuous apps, i.e. a Reversi game asking for your location and internet access. But then you never know... if the app is using ads it requires location and internet access, right? so what can you do?
RAMMANN said:
Apple is not allowing any app in their store. Fine. but mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. but they can never tell what an app is really doing. Therefore they would neeed to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Click to expand...
Click to collapse
Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Of course you can't get 100% security and I don't think that's what we're saying, but there is a lot you can do.
Take for example internet access which is the biggest worry I have. The only reason most apps request internet access is to support ads. I now have a choice to make, don't use the app or trust it. That simple, no other choice.
If I installed an app that serves ads but did not have internet access, then the only way that app can get information off my phone is to use exploits and I'm a lot more comfortable knowing that some miscreant needs to understand that than the current situation where some script kiddy can hoover up my contacts.
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
I absolutely agree with you on Apple, one of the main reasons that I chose a Desire instead of an iPhone, but the Android approach is too far the other way IMHO.
Just my tuppence, in a hopeless cause of imagining someone at Google paying attention and thinking you know what, it is an accident waiting to happen.
marty1976 said:
Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Click to expand...
Click to collapse
Well, so why did a tethering app once make it into the appstore?
Also I think there are many possibilities for an app to behave normal, and just start some bad activity after some time. Wait a couple months until the app is spread around and then bang. Or remotely launch some action initiated through push notifications etc.
If there is interest, then there is always a way....
simonta said:
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
Click to expand...
Click to collapse
I agree that a seperate permission for ads would be a good thing.
But there are still many apps which need your location, contacts, internet access.... all the social media things nowadays. And this is where the whole thing will be going to so I think in the future it will be even harder to differenciate.
Getting back on topic: I just read that Windows 7 Phone will get updates and patches like desktop windows. That means patchday once a month plus when urgency is high...
simonta said:
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
Click to expand...
Click to collapse
But, how do you distinguish them? Today, (as a developer) I can use any ad-provider I want. In order to distinguish ads from general internet access, the OS would need one of:
A Google-defined ad interface, which stifles "creativity" in ad design. Developers would simply ignore it and do what they do now as soon as their preferred ad-provider didn't want to support the "official" ad system or provided some improvement by doing so.
An OS update to support every new ad-provider (yuck^2).
Every ad-provider would have to go through a Google whitelist that was looked up on the fly (increased traffic, and all ads are now "visible" to Google whether Google is involved in the transaction or not). This would also make ad-blocking apps harder to implement since Google's whitelisting API might not behave if the whitelist was unavailable. On the upside, it would make ad-blocking in custom ROMs be trivial.
Even if Google did one of these things, it still wouldn't provide any real increase in privacy or security. The "ad service" would still need to deliver a payload from the app to the service (in order to select ads) and another from the service to the app (the ad content). Such a mechanism could be trivially exploited to do anything that simple HTTP access could provide.
http://code.google.com/p/android/issues/list
issues submitted are reviewed by google employed techs... they tell you if you messed up and caused the issue or if the issue will be fixed in a future release or whatever info they find.
probably not the best way to handle it but its better then nothing.
twztdwyz said:
http://code.google.com/p/android/issues/list
Click to expand...
Click to collapse
Knew that bug tracker, but the free tagging aka labels isn't the best idea IMHO.
You can't search for a specific release, for example...
twztdwyz said:
probably not the best way to handle it but its better then nothing.
Click to expand...
Click to collapse
Ack, but I think Google can do _much_ better...
Two more things to have in mind:
1. I doubt that many Android users bother much about what permissions they give to an app.
2. Using Google to sync your contacts and calendar (and who knows what else), is a bad, bad idea.

A-Ha! WHY 2.3.3 !

This article just appeared:
http://www.businessweek.com/magazine/content/11_15/b4223041200216.htm
http://www.engadget.com/2011/03/31/google-tightening-control-of-android-insisting-licensees-abide/
Basically it says Google is calling out it's OEM to stop gross customizations and reduce fragmentation of the Android OS
this is great. People posting obviously don't get it. They aren't locking down anything, just making it so that companies can't take advantage of the users and fail to release updates. The os will still be as customizable as ever
Yeah it will still be just as open. But if companies customise it too much they won't be able to use the Android name. Although withholding the source code is not very open source and will hurt small companies/devs.
Explains it well http://gizmodo.com/#!5787565/google-finally-fights-back-against-android-fragmentation
fiscidtox said:
this is great. People posting obviously don't get it. They aren't locking down anything, just making it so that companies can't take advantage of the users and fail to release updates. The os will still be as customizable as ever
Click to expand...
Click to collapse
Well, 2.3.3 DOES increase the security and remove most of the malware* that are used to root the phone. So some of the exploits WILL go away. Certainly in that sense, it is more locked down.
*It is malware aka trojans, that's used to root; mostly Latoor G and J. I have to put the rooting software into a directory that's not scanned by my AV/AS.

Vuneralable software should be removed from xda

Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
What's the vulnerability?
Plain and simple the software needs removed.. doesn't that apply to the devs policy's which they agreed to here on xda not to publish anything which may be a threat to someone... So you know what should of happened is the devs should of removed the software right away. That never happened so I've lost all faith in theses devs and publishers of official software threads...
I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened
sliding_billy said:
I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened
Click to expand...
Click to collapse
I ignore all posts that don't make sense like the OP's and this thread.
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
First, there are no Oreo roms. Secondly, the devs who support our phones for free owe you nothing. Lastly, you need more than 12 posts to be taken seriously about anything around here. And, you can never post enough to attain the right to throw around accusations about the devs who, again, support our phone for free.
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
Tell us how you really feel!
Windows people ?
Sent from my Pixel using XDA-Developers Legacy app
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
If this is the case all root and bootloader exploits need removing also.
Any bootloader exploits or method of rooting without and unlocked bootloader is a SIGNIFICANTLY large security risk.
Sent from my Pixel using Tapatalk
Are we going to remove ALL the old ROMs from XDA? SHEESH.
In before the lock.
One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.
Pixelxluser said:
One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.
Click to expand...
Click to collapse
Nobody hacks individual phones. They hack companies and clouds.
****! Hey, can y'all hold it for just a moment? Need to run to the store real quick. I'm out of popcorn.
Seriously, though, just simply rooting your phone is a security risk. Also, from what i've seen, the majority of ROM users are smart about what they download. It's the general public that downloads mischevious apps that spread viruses. And as someone else mentioned, the malware and viruses don't target one person's phone. They are free floating and latch onto whatever moron downloads it. Your phone is not exactly the best place to download all your porn
But seriously, there are exploits with every security patch...it's the reason we get them every month, lol. Android is great and I love it but the OS itself is full of holes that malware developers consistently take advantage of.
Couldnt say this better myself..
Security is engineered into everything we do
Our goal is to make Android the safest computing platform in the world. That's why we invest in technologies and services that strengthen the security of devices, applications, and the global ecosystem.
It's also one reason Android is open source. Being open allows us to tap into a global network of security talent full of innovative ideas that help make Android safer every day. Security experts around the world can review our code, develop and deploy new security technology, and contribute to Android’s protections.
As the Android ecosystem evolves, we continue to invest in leading-edge security ideas. And we want to share our knowledge openly with you. Explore below to learn about the latest technologies and information that help secure Android.
Adrian Ludwig
Director of Android Security
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
With some custom ROMs whether or not the have the Sept security patch is probably the least of your problems, if security is a concern of yours... you should be more concerned with things like;
- what keys are they using to sign their ROM (Apks included). Did they generate their own private signing keys and platform keys, or did they just use a devkeys or keys provided in the SDK?
- what changes have they made to aosp sources or not integrate (or revert) that could reduce security?
- have they messed with android's security or permissions model?
- have they included legacy code (like forward porting), that may have been dropped in the first place do to being insecure (legacy mediaserver without seccomp integration).
- have they modified selinux policies in ways that potentially could open up attack vectors.
- does the ROM have odexing enabled? The fact is, odexing while useful for booting/loading programs faster, also has the side benefit of making an apk harder to tamper with...
- have any changes that have been made been audited, or verified for correctness?
...and the list goes on. You are worried about a monthly security patch, with a handful or two of fixes for CVEs, yet make no mention of far bigger concerns that may be present in XYZ custom ROM.
Just saying.
contribute to Android’s protections. Is one thing which is lacking from what I see... I hope you understand that there are underaged people who don't know any better about what's best for them and come running off to try to be the cool kids by rooting or adding unsecured software on their phones.. rooting is so crazy to do now a days you're all really going to the extremes by bypassing security features just so you can have root... That's not the message the younger generation should be taught... They should be taught the importance of how security works not 50 ways to bypass it... There's not a feature out there which Google wouldn't consider adding officially but also Google doesn't go off and use unofficial code to pull features from it would look bad for their business..
And as long as there's a community of underaged people who do go off and root and install unsecured software you might wanna lead by example and provide them with the best security you can... A child with unsecured software is scary that someone would open up security holes for them to be a possible victim and the best you're actually willing to do is try to remove yourself from the responsibility of being responsible for it by saying if you install our software you are responsible for any damages. You can't just publish something then go out and say you take no responsibility when by law you're still responsible for any damages cause you never legally got you're software that way...
Since you're the ones distributing the software you're liable for damages if there was a defect in you're product which was distributed.. security flaws and security bypasses count as defects in a product..
Distributorship and Liability
Even though the distributor is not responsible for manufacturing a product, it can be held liable in the event of defects. Under strict product liability laws, the seller, distributor, and manufacturer of a defective product can be held liable if a person is injured due to the defect. Though manufacturers are typically most responsible since they created the product, the liability can also fall to those that distribute or sell the defective items.
This liability law prevents the plaintiff from the need to prove the chain of supply. In order for any entity in the line of distribution to prove it has no fault, it would need to show which entity is actually responsible for the defect
I suggest you stick with Windows dude
The only thing your posts are good for is making people spit their coffee with humour, and embarrassing yourself.
Sent from my Pixel using XDA-Developers Legacy app

Categories

Resources