I want to start this discussion because I haven't seen it anywhere and I read several Android forums. I love the platform and its "openness" but it seems that requirements from Google fall just short of making this the best platform ever for handsets.
We are all screaming at Motorola about the signed bl but we aren't focusing enough on the greater issue. The Android license from Google seems to allow this or maybe it is less specific to Google than to some other entity but I don't speak lawyerese so I'm not sure. Anyway, here is what I keep reading from Motorola...
"The use of open source software, such as the Linux kernel or the Android platform, in a consumer device does not require the handset running such software to be open for re-flashing. We comply with the licenses, including GPLv2, for each of the open source packages in our handsets"
My point of discussion is this, why aren't we asking Google what they can do? Why can't Google simply state that "we will not allow our software to be damaged in this way"? Why do they allow Verizon, AT&T, Motorola, HTC or anyone else to manipulate their software in a way that brings so much resentment? Is it not in Google's best interest to force this platform to remain open? I realize this is a double-edged sword because open means people can do what they want, which holds true for companies also but I think that everyone realizes that Google's intent was that this would benefit everyone, not just the companies.
Also, everyone seems to forget that HTC is messing around with trying to lock down the NAND. Just because geniuses get past the protection doesn't mean that HTC isn't trying. If the Droid X is a huge success, even with this restriction in place, then what makes any of you think that the rest will not follow suit?
Because open means that you can do whatever you want with it. There is nothing stopping anyone from using it, modifying it for their own uses, and putting it in any device that would support it. That's why a company can strip down all of Google stuff from it and put Bing if they want to, and Google wouldn't be able to complain. The whole point of open and free software is that you compete by actually being the best at something. You keep Google stuff in Android because well, they work best.
Now, when you put Android in a device you manufacture, you do have the rights to do whatever you want with the device. This seems to be a hardware protection on top of the software ones. You know how DRM'd mp3s stop working? Well, it's not much different, except that now there is physical damage.
True, these measures defeat the whole purpose of being open, but what the heck. Being truly open means making a great product, and then not complaining when someone grabs it and beats you with it. You are always competing to deliver the best product, and that's why open is awesome.
Who was it that said: "I can't agree with what you are saying, but I will defend to the death your right to say it"?
Open goes both ways. The company (Motorola) has every right to lock down the bootloader and prevent others from flashing.
You guys are looking at it as if Motorola did this to prevent people from flashing custom roms. The real reason they did it was to prevent others from stealing their rom and porting it to another phone. If you like the "ninjablur" UI, you need to buy the DroidX.
Ryan Frawley said:
> Open goes both ways. The company (Motorola) has every right to lock down the bootloader and prevent others from flashing.
> You guys are looking at it as if Motorola did this to prevent people from flashing custom roms. The real reason they did it was to prevent others from stealing their rom and porting it to another phone. If you like the "ninjablur" UI, you need to buy the DroidX.
Actually, I don't agree. I'm pretty sure one could extract those widgets if you really wanted to. (They "Ain't all that" if you ask me. - And yes, I did buy an X yesterday and love it. Just ain't crazy about those widgets).
I think the real reason this is locked down is to prevent custom ROM/Root access to enable tethering. There are other issues I'm sure, but at the top of the list is to protect that revenue Big Red is trying to generate.
As to Google 'Stopping' the carriers from locking this down, please understand that if the carriers can't protect their revenue streams, they simply won't allow the phones on their network, and that would hinder the growth of the OS in general.
Don't take any of my words as endorsement of VZW/Moto actions. I'll be first in line to flash/root my phone when/if it's ever possible. I'm just a realist. VZW wants $20/month for WiFi Tether. They are going to do as much as reasonably possible to keep you from doing that for free.
In a related note, 2.2 Froyo does tethering natively. I expect this to be crippled/disabled when we get our update in a couple of months.
I don't agree with the idea that companies would stop supporting the platform. The Droid has been a cash cow for Verizon and it is an open book. Google could easily ask that their platform remain open for all to enjoy.
Beyond that, if Google allows them to gimp their OS then Google has created something entirely for the benefit of companies and not at all for the general population. I don't believe this is true. I think that the changes will start with Android v3.0. Google will start getting more pissy about custom crap especially if it makes their product seem worse and increase the chance that Android will be looked upon negatively.
Despiadado1 said:
> I don't agree with the idea that companies would stop supporting the platform. The Droid has been a cash cow for Verizon and it is an open book. Google could easily ask that their platform remain open for all to enjoy.
> Beyond that, if Google allows them to gimp their OS then Google has created something entirely for the benefit of companies and not at all for the general population. I don't believe this is true. I think that the changes will start with Android v3.0. Google will start getting more pissy about custom crap especially if it makes their product seem worse and increase the chance that Android will be looked upon negatively.
It's the same problem with Windows, the OS gets blamed for what hardware vendors do to it... we see these $400 computers getting compared to Apple's $1500+ computers and that's somehow proof Windows sucks, I never had problems with Vista being slow, but people and their $400 computers did.
The problem with Android, specifically the scrolling smoothness, is the vendors' custom Android OS setups...
FtL1776 said:
> It's the same problem with Windows, the OS gets blamed for what hardware vendors do to it... we see these $400 computers getting compared to Apple's $1500+ computers and that's somehow proof Windows sucks, I never had problems with Vista being slow, but people and their $400 computers did.
> The problem with Android, specifically the scrolling smoothness, is the vendors' custom Android OS setups...
To be fair, I think the scrolling smoothness is half crappy hardware and half Android's lack of hardware acceleration.
Mikerrrrrrrr said:
> To be fair, I think the scrolling smoothness is half crappy hardware and half Android's lack of hardware acceleration.
No, some custom ROMs fix those issues because they enable the hardware acceleration, which again shows that Google really should crack down on some of these custom versions of Android on phones.
Zaphod-Beeblebrox said:
> Actually, I don't agree. I'm pretty sure one could extract those widgets if you really wanted to. (They "Ain't all that" if you ask me. - And yes, I did buy an X yesterday and love it. Just ain't crazy about those widgets).
> I think the real reason this is locked down is to prevent custom ROM/Root access to enable tethering. There are other issues I'm sure, but at the top of the list is to protect that revenue Big Red is trying to generate.
> As to Google 'Stopping' the carriers from locking this down, please understand that if the carriers can't protect their revenue streams, they simply won't allow the phones on their network, and that would hinder the growth of the OS in general.
> Don't take any of my words as endorsement of VZW/Moto actions. I'll be first in line to flash/root my phone when/if it's ever possible. I'm just a realist. VZW wants $20/month for WiFi Tether. They are going to do as much as reasonably possible to keep you from doing that for free.
> In a related note, 2.2 Froyo does tethering natively. I expect this to be crippled/disabled when we get our update in a couple of months.
Motorola has said so itself. The reason Droid X is locked down is because they don't want people stealing their custom UI. Widgets are only part of this UI. The inability to flash custom roms is merely a consequence of protecting their UI.
FtL1776 said:
> No, some custom ROMs fix those issues because they enable the hardware acceleration, which again shows that Google really should crack down on some of these custom versions of Android on phones.
Ah. Didn't know that.
I hope we get 2.2
http://it.slashdot.org/story/10/11/05/0229205/Researcher-To-Release-Web-Based-Android-Attack
"The attack targets the browser in older, Android 2.1-and-earlier versions of the phones."
http://forums.t-mobile.com/t5/Samsung-Vibrant/Security-vulnerability-in-2-1/td-p/535335
And the thread appears to have already been locked.
EDIT: My bad, the link icon isn't a lock icon.
What an ass. So he figures out something and now he's going to release it?
So are his intentions to piss people off or force Google's hands to fix it?
kizer said:
> What an ass. So he figures out something and now he's going to release it?
> So are his intentions to piss people off or force Google's hands to fix it?
I think it's the latter. That, or to light a fire under the OEMs & network operators to get 2.2 out to more devices. Just my $0.02...
Sent from my SGH-T959 using XDA App
The current OEM vendor/carrier model is one of the worst parts of Android. Google attempted to break this model via the Nexus One. Hopefully it does light a fire to improve the security model for these phones.
Google may be forced to rein in some of the rampant variances to secure the platform via enforcing a minimum level of compliance to security updates or else revoke a phone maker's ability to use the Android trademark.
The problem has already been fixed with 2.2, so the onus is on the OEMs to get their act together.
Some things make me want to respect this guy, then again it affects me since we have yet to receive 2.2. But yes I believe all Android phones should be running current software.
I wonder if you need to be rooted in order to fall victim, unless you can push superuser.apk via the exploit and run it.
Have to give him props for trying, and like seeing that he is using a Linux-based OS to develop on.
lqaddict said:
> I wonder if you need to be rooted in order to fall victim, unless you can push superuser.apk via the exploit and run it.
> Have to give him props for trying, and like seeing that he is using a Linux-based OS to develop on.
You're right! Maybe he works for T-Mobile and is secretly making all our phones go back to stock and unrootable. Which in turn means they will never release 2.2 hahaha. <- By the way do not take this as actual fact, I know how the paranoid are here on the forums lol
lqaddict said:
> I wonder if you need to be rooted in order to fall victim, unless you can push superuser.apk via the exploit and run it.
> Have to give him props for trying, and like seeing that he is using a Linux-based OS to develop on.
No, this is a generic exploit within WebKit. The actual exploit itself doesn't have superuser access, it can only access what the web browser is able to access. It can't make phone calls or generate SMS messages, but it can access files like photos and whatever else is available to non-rooted apps.
I don't know why you guys think this guy is a douche. This is how it always worked. When people find security vulnerabilities, they tell the company, but the company usually doesn't move it up to the top of the list to fix. So they mention the type of security flaw there is, send the information to the company, and sometimes even mention it at conferences. After publicly announcing it, they give the company time to fix it, otherwise it's the company's fault for not getting their ass in gear to fix the security issue.
DKYang said:
> I don't know why you guys think this guy is a douche. This is how it always worked. When people find security vulnerabilities, they tell the company, but the company usually doesn't move it up to the top of the list to fix. So they mention the type of security flaw there is, send the information to the company, and sometimes even mention it at conferences. After publicly announcing it, they give the company time to fix it, otherwise it's the company's fault for not getting their ass in gear to fix the security issue.
I do not see how he is a douche.
Ignoring the issue does not make it disappear, and he clearly has done his work to make the issue public in hopes it gets addressed.
Releasing a code with a security hole that you have to use something to circumvent the security of the device to fix is douche (apple vs jailbreakme.com anyone)
kizer said:
> What an ass. So he figures out something and now he's going to release it?
> So are his intentions to piss people off or force Google's hands to fix it?
I was paranoid by this too. My Vibrant will be shackled from having sex with the web until it gets 2.2. Maybe that researcher wants them to release Froyo soon so use this to leverage against them to release ASAP?
I don't think he's a douche. I honestly want to believe that Google would push carriers to be on the same OS. Just the fact that not all Android phones can handle the 2.2 OS - And so people stuck with those phones and would be affected by this flaw is pretty crappy. But I really hope this makes carriers want their phones updated and running the latest and greatest. Only time will tell.
Hello,
I'm currently writing an academic paper on Android and openness in my master's programme. If all goes well, it will be submitted for a conference soon.
I'm looking for your opinions on having an Android device open for operating system level modifications or not. As you may know, some phones have a signed bootloader such as the Motorola Milestone, T-Mobile G2 (who made the phone reinstall stock OS when breached), and probably many others. Google however, make their devices open, even though they are sold as consumer devices. Many others do not bother to install circumvention mechanics.
Obviously, the people here will be biased towards allowing modification to the OS, therefore, I would like to get a discussion going, to discern what problems and possibilities you see in the long run for hardware manufacturers.
1. Does the possibility of making OS level modifications affect your willingness to purchase an Android product? i.e. do you check if it can be modified before buying? And how much of an impact does it make on your decision?
2. Why do you think hardware manufacturers put in measures to prevent custom android OS builds to be installed? Put on the corporate hat and try to see their strategy.
3. Do you think manufacturers have anything to gain by making devices open and free for modification, with source code for drivers and the like publicly available?
I would really appreciate your opinions and discussion!
1. Does the possibility of making OS level modifications affect your willingness to purchase an Android product? i.e. do you check if it can be modified before buying? And how much of an impact does it make on your decision?
As a beginner app developer, this has yet to bother me. I do enjoy being able to add apps that add functionality to my phone but I haven't bothered to get down into the "root" area. So no I do not check nor does it impact my decision...I own a Samsung Fascinate by the way
2. Why do you think hardware manufacturers put in measures to prevent custom android OS builds to be installed? Put on the corporate hat and try to see their strategy.
My opinion on measures to prevent changes is all about PR and performance. If enough people hacked a phone and the hack caused the phone to work below its ability then the only news report you will see is the phone sucks.
3. Do you think manufacturers have anything to gain by making devices open and free for modification, with source code for drivers and the like publicly available?
This is also a give and take, if question 2 is not of a concern to them, then it's def a gain for the company and to all of the developers out there that do search for the best phone and nitpick around until they find it.
Are there enough of those kind of people out there to affect a company's bottom line? Maybe not yet but in another couple of years who knows.
1. Does the possibility of making OS level modifications affect your willingness to purchase an Android product? i.e. do you check if it can be modified before buying? And how much of an impact does it make on your decision?
It hasn't yet been a deciding factor on which device to get, primarily because sooner or later they all get cracked open.
2. Why do you think hardware manufacturers put in measures to prevent custom android OS builds to be installed? Put on the corporate hat and try to see their strategy.
One reason could be that the carriers demand it as a way to keep any revenue that they get from the preinstalled bloatware.
3. Do you think manufacturers have anything to gain by making devices open and free for modification, with source code for drivers and the like publicly available?
The percentage of people that actually tinker in this area is very slim, so the manufacturers most likely don't see that as a big market opportunity.
Don't have any answers, but would like to read your paper when done...sounds interesting and a Masters Thesis is always fun to read! LOL
It's not a thesis, just a short article. I might make a survey for it but I need to ask the right questions.
Not all devices get fully customized, root is common, but in my phone for example it is not possible to load a custom kernel, as the bootloader checks for signed code (Motorola's secret key). There's been a massive uproar from the owners of the Milestone, as people didn't expect to be hustled like that when getting an Android phone. The main problem is of course, that Motorola takes a long time to release updates. Even as of today, Froyo has still not been released for my phone by Motorola.
While I am not sure about it, I suspect Sony Ericsson X10i owners are in the same boat, and they will get a really rotten deal, seeing as 2.1 has been officially declared the last version the device will receive. Yet, an enthusiast could release a perfectly fine version of 2.3 if the phone accepted custom firmware and he had access to drivers etc.
So basically, you buy a piece of hardware that is very capable, but The Company decides for you which software you could run.
Imagine if you bought a Windows Vista PC right before Windows 7 was released, and the only way you could get Windows 7 on it was if that particular PC manufacturer released an official update containing all its bloatware and applications you don't want. Since the update needs to go through all kinds of verifications and approvals, it might be delayed for a half a year, or maybe 9 months, after the new OS release. Why do we accept this on our phones and tablets?
Hi,
1. Does the possibility of making OS level modifications affect your willingness to purchase an Android product? i.e. do you check if it can be modified before buying? And how much of an impact does it make on your decision?
For me personally, yes, most definitely. I like to be able to get in and play, see how things work, change stuff. And I think custom ROMs IMO are a big drawcard of Android.
2. Why do you think hardware manufacturers put in measures to prevent custom android OS builds to be installed? Put on the corporate hat and try to see their strategy.
To try and ensure the device works as they want it to. Minimise support costs etc.
3. Do you think manufacturers have anything to gain by making devices open and free for modification, with source code for drivers and the like publicly available?
Definitely. Encourages improvement of existing features, and development of new stuff beyond the manufacturer's initial product scope, which can be integrated in future products.
Android OS itself is an example of this - the developer community is writing apps, logging bugs, and contributing code to the benefit of future releases of Android, which in turn benefits device manufacturers.
- jc
my two cents
1. Does the possibility of making OS level modifications affect your willingness to purchase an Android product? i.e. do you check if it can be modified before buying? And how much of an impact does it make on your decision?
>> Personally, I feel like the ability to modify my phone at the core level is something I as a power user can use to tailor my phone's experience in the way I need to make it the most efficient device it can be. This is especially necessary as my phone is my primary connectivity device (I really only use my laptop for things the phone just really isn't capable of handling yet, such as video conversion)
2. Why do you think hardware manufacturers put in measures to prevent custom android OS builds to be installed? Put on the corporate hat and try to see their strategy.
I think this is less the decision of the manufacturers and more of the carriers themselves. This really is because each device has to be tailored to be sold to the average user, rather than power users (read: 85-90% of people who will read this reply) and as a result is designed with an experience in mind. To the suits, anyone who takes a phone that is supposed to have a specific experience in mind, and changes that, it becomes a different phone, and anyone who looks at that phone will see that. This means, TMo/HTC can't sell a G2, because everything that my office mates will see when they look at my phone is my Android customizations, not a G2. My office mate, who is shopping for a phone, can get an Android phone anywhere... but they can only get a /G2/ from TMo/HTC. Similarly, if I like my G2 experience, when I get a new phone, I will be more inclined to continue enjoying that experience with a G3, rather than buying any on sale Android phone and making it just like my last one. Hence the need to have a G2 experience on every G2 phone. Just my 2 cents. I am not a businessman, lawyer, or doctor.
3. Do you think manufacturers have anything to gain by making devices open and free for modification, with source code for drivers and the like publicly available?
Yes, but nowhere near as much as they can get by keeping their cards close to their hand. See my answer to number 2.
2.2.2 has a security fix
http://www.engadget.com/2011/03/02/google-spikes-21-malicious-apps-from-the-market-with-big-downloa/
thoughts?
My thoughts are simple: Sprint needs to get its **** together and release an official 2.3 release. And Google needs to consider some sort of authentication program for apps to be distributed in the Market.
Certainly don't want to cut the independent developer community off, but it shouldn't be their responsibility to release new versions of essential operating software that contain fixes that disable malicious exploits. They are here to enhance our user experience.
The manufacturers need to be concerned about what the deleterious effects of outdated software can open their networks to. After all, these apps had full internet access, as I've heard. Who knows if, say a DDOS attack (or something worse), could be possible using phones, and what kind of effects that could have on the stability of the entire Sprint network.
As for Google, I'm not suggesting that the Market be completely walled-off, but maybe having something like "Google Approved" or "Verified Secure" or something, would give us users more confidence that apps come from verified and vetted sources. We could still install things not verified -- at our own risks -- but at least we'd have a choice and be able to proceed with better, more complete information.
TonyArmstrong said:
> My thoughts are simple: Sprint needs to get its **** together and release an official 2.3 release. And Google needs to consider some sort of authentication program for apps to be distributed in the Market.
> Certainly don't want to cut the independent developer community off, but it shouldn't be their responsibility to release new versions of essential operating software that contain fixes that disable malicious exploits. They are here to enhance our user experience.
> The manufacturers need to be concerned about what the deleterious effects of outdated software can open their networks to. After all, these apps had full internet access, as I've heard. Who knows if, say a DDOS attack (or something worse), could be possible using phones, and what kind of effects that could have on the stability of the entire Sprint network.
> As for Google, I'm not suggesting that the Market be completely walled-off, but maybe having something like "Google Approved" or "Verified Secure" or something, would give us users more confidence that apps come from verified and vetted sources. We could still install things not verified -- at our own risks -- but at least we'd have a choice and be able to proceed with better, more complete information.
+1 but I also think they should make an official malware scanner.
Rydah805 said:
> +1 but I also think they should make an official malware scanner.
This.^^^^
I'm an Android convert (from iPhone), and my great fear is that the very openness we enjoy could expose us to very nasty ****. I don't wanna be locked down, but I do want some manner of enhanced security.
That malware scanner in combo with some sort of developer authentication and/or verification program would be excellent.
So I download this X-Ray vulnerability scanner app (it's legit) and scan my device. To my surprise, even my Nightly is vulnerable to the mempodroid exploit. Should this concern me enough to file a CM bug report? By the way I use Franco kernel so if this is a legit exploit should I consider contacting him? See original G+ thread. https://plus.google.com/117694138703493912164/posts/AfNQ7cT9JYV
Sent from my Nexus 4 using Tapatalk 4 Beta
Mempodroid is a root exploit and considering that CM comes pre-rooted you shouldn't have anything to worry about
Sent from my NEXUS 4 using xda premium
Oh good. What a relief. So that means we have no known vulnerabilities. That's good. Take that Apple.
Sent from my Nexus 7 using Tapatalk 4 Beta
MikeRL100 said:
> Oh good. What a relief. So that means we have no known vulnerabilities. That's good. Take that Apple.
> Sent from my Nexus 7 using Tapatalk 4 Beta
http://www.theepochtimes.com/n3/152836-android-master-key-security-flaw-affects-900m-devices/
If people are worried about security they should not be rooting their devices to begin with.
Sorry if I'm offending
zelendel said:
> If people are worried about security they should not be rooting their devices to begin with.
Sorry for disagreeing with you, but I worry about common sense security. If this is a root exploit that is needed to ship with CM to allow one to use root, no biggie. I know root makes you vulnerable, but guess what? So does administrative access on Windows. If I worked for the government or a large business I would have a different, possibly non-smart phone to do that task. I'm not stupid enough to go downloading cracked apps from pirated sites, but let me tell you all something. On my PC I had Opera 14 installed and used it during when one of Opera's employee's PCs got hacked and injected the Opera certificates with malware. I freaked. Proves that a targeted attack could be successful, even with good protection. Luckily, my layer of security (MVPS hosts, Avast, and Malwarebytes Pro) kept it from even approaching the front door. And my Linux box even has the MVPS hosts file as well. Also, if this was an actual vulnerability to be concerned about, Steve Kondik would've patched it before the iCrap loving media could get new anti-Google propaganda. By the way, I am arguing with none of you, but I do need to make a point. I know since Android is based off Linux and not Windows NT, it is hella more secure. I would not root this if this phone had to be used under secure conditions. I'd either disable root while at work, or get a second phone. Yes I love root that much. But I don't get malware very often, haven't had an actual infection that wasn't blocked in many many years. Never even had Android malware. You know why? Hosts file+common sense. I never go to pirated sites, and never will. I love the XDA devs, community, and even some of the non-XDA Google Play devs enough not to. And when I say love, I mean I don't want to see their income sapped. Piracy is a no-no on XDA, but I'm sure it's OK to condemn it. And my talk on that ends now. :good: So onto the main topic, I have common sense, some privacy protections, and I don't just allow any app superuser access.
I check reviews first and even have a malware scanner in Advanced Mobile Care. No on demand protection since it's not necessary for me, and I never have gotten malware. I bet jailbroken iOS devices get more malware since most of the apps on them are cracked since Apple boots you out of iTunes for jailbreaking. Also, even though I'm rooted I like to know what each exploit means. No device or computer (even a hardened Linux server) is safe from the most skilled black hat. But since I'm not a target of interest, I have some malware prevention via the HOSTS file, Android is more secure than Windows, and I most importantly have common sense, I'll be fine. Maybe I'm too lax on security, but I guarantee you, I will adapt if some freak drive by download trojan comes to Android and by some crazy way gets malware through the Play Store with reputable apps. If a nasty was detected, or an app just looked different enough, it ain't gonna get no system access from me. So go ahead you iOS loving "Android is the next Windows XP" malware magnet pundits in the media, go ahead (that is if any Apple trolls stumble across this thread). I guarantee none of the streams of infected botnets will not add another to the collection. Like I said, not arguing with you but I disagree with you (at least initially) on how powerful my common sense is. I'm not saying you're doubting me, you're a cool guy and more than likely give a lot of assistance around here, but I may look like a noob troll cause I am a Junior member, but I was a long time lurker, and on AndroidForums I have been around a bit. I'm not some sort of super brain (at least not yet) and I do know rooting hampers security, but although I care about security, I just don't want my precious Nexus 4 and 7 to ever become virus magnets. I should have mentioned it, but I thought that vulnerability in CM was because it needed an exploit to have root by default (even though CM has disabled it recently).
Also I will take some blame myself if I offended any of you. I am paranoid about a lot of things. But it's good to be paranoid to a certain extent. That would explain the lack of malware on all of my computers. But I should pay less attention to the social networks. Even G+. If this was on Facebook, mind you all, I wouldn't have given a damn about it. Facebook is full of trolls, fanboys, and noobs. That's why I rarely use that site and when I do, I pretty much block off all access to my profile from strangers. G+ encourages sharing with new people, while Facebook is like being with your old clique of buddies. That's why I use G+ so much now. That and I can help idiot test things for developers. :laugh:
scream4cheese said:
http://www.theepochtimes.com/n3/152836-android-master-key-security-flaw-affects-900m-devices/
Yes you're definitely right we have a security issue. Not that Android itself is insecure (both my Nexus 4 and 7 were rushed to the latest Nightly to prevent them from joining a botnet). Good thing is custom ROMs create headaches for the bad guys cause they fragment Android (not in the iSheep style way of not getting updates) but in the way that they remove bloatware and some system apps, increase security in some areas, and in general all the code changes make it harder to create a universal botnet. I guarantee 95% of that botnet will be from OEM stock phones. We forget around here that most people are ignorant of common sense and security, if not downright stupid and don't care about security as long as they get their free cracked apps. We're the nerds here and most people are going to make it easy for these holes to be abused. They go to the most untrustworthy sites, install untrustworthy apps, and are basically asking for it. Also the OEMs are pathetic for not all having a way to quickly patch Android. This type of stuff should sound an alarm to create a security update. I can see not giving an old phone a new version of Sense/TouchWiz/Motoblur, etc. but denying security updates is ridiculous. The government should sue the offending OEMs if they want to be respected by the geeks a little more after the whole NSA mess. Because despite the fact that we aren't the ones here creating the botnet, what are we gonna do if thousands of clueless users install cracked apps that contain malware with the exploit, and form a botnet, that say DDOS attacks Google. Then Google Services would be disrupted. Also Google (who I am a big fan of) needs to stop being greedy in the one area of Android updates and force OEMs to include security patches and also backport and open source the security patch ASAP. I know CM is safe from that exploit already, I saw Steve Kondik's commit. But the OEMs are the problem. Google needs to push them past their comfort zone.
You can have a car that is 10-20 years old and just because it's out of warranty doesn't mean that even if it takes a fool to make the engine explode in a deadly blast, that the manufacturer would just sit there. I've seen Chevy recalls for example. One of them was a recall because something would catch fire if you were an idiot and poured gasoline or engine fluid or something on the engine. Of course the people doing this were stupid, but the same is true with technology. Why let the clueless and in the worst case those that just don't care create a botnet for us all to suffer from? Create an idiot patch and stop the situation from exploding. Please OEMs. Do something right for once.
MikeRL100 said:
Sorry for disagreeing with you, but I worry about common sense security. If this is a root exploit that is needed to ship with CM to allow one to use root, no biggie. I know root makes you vulnerable, but guess what? So does administrative access on Windows. If I worked for the government or a large business I would have a different, possibly non-smart phone to do that task. I'm not stupid enough to go downloading cracked apps from pirated sites, but let me tell you all something. On my PC I had Opera 14 installed and used it during when one of Opera's employees' PCs got hacked and injected the Opera certificates with malware. I freaked. Proves that a targeted attack could be successful, even with good protection. Luckily, my layer of security (MVPS hosts, Avast, and Malwarebytes Pro) kept it from even approaching the front door. And my Linux box even has the MVPS hosts file as well. Also, if this was an actual vulnerability to be concerned about, Steve Kondik would've patched it before the iCrap loving media could get new anti-Google propaganda. By the way, I am arguing with none of you, but I do need to make a point. I know since Android is based off Linux and not Windows NT, it is hella more secure. I would not root this if this phone had to be used under secure conditions. I'd either disable root while at work, or get a second phone. Yes I love root that much. But I don't get malware very often, haven't had an actual infection that wasn't blocked in many many years. Never even had Android malware. You know why? Hosts file+common sense. I never go to pirated sites, and never will. I love the XDA devs, community, and even some of the non-XDA Google Play devs enough not to. And when I say love, I mean I don't want to see their income sapped. Piracy is a no-no on XDA, but I'm sure it's OK to condemn it. And my talk on that ends now. :good: So onto the main topic, I have common sense, some privacy protections, and I don't just allow any app superuser access.
Oh you have many valid points. My statement was more for the average user that really has no use for root. They root and flash cause they think it is cool.
The carriers and OEMs are trying to do something to stop it. They are locking bootloaders and making unrootable kernels (Samsung). To be honest I think this is a good idea for most users. They have no real need for those things and only end up with issues cause they have no idea what they are doing.
CM released a set of patches today to block some of the security issues.
See that is the issue with OEM. Google can't force them to do anything. All the carrier has to do is take the AOSP code and add their stuff to it. No one can say what they have to add or not. This is why I only get Nexus devices. I watched Euro devices get updated by the OEM while the US based devices never saw any updates at all. Including security updates that the OEM had issued. As long as the Carriers control what happens to the devices there is nothing that we can really do.
#Nexus4Lyfe I wish this was G+. I felt like a stupid hash tag would be appropriate.