[Security] Should I be concerned about this vulnerability in CM? - Nexus 4 Q&A, Help & Troubleshooting

So I download this X-Ray vulnerability scanner app (it's legit) and scan my device. To my surprise, even my Nightly is vulnerable to the mempodroid exploit. Should this concern me enough to file a CM bug report? By the way I use Franco kernel so if this is a legit exploit should I consider contacting him? See original G+ thread. https://plus.google.com/117694138703493912164/posts/AfNQ7cT9JYV
Sent from my Nexus 4 using Tapatalk 4 Beta

Mempodroid is a root exploit and considering that CM comes pre-rooted you shouldn't have anything to worry about
Sent from my NEXUS 4 using xda premium

Oh good. What a relief. So that means we have no known vulnerabilities. That's good. Take that Apple.
Sent from my Nexus 7 using Tapatalk 4 Beta

MikeRL100 said:
Oh good. What a relief. So that means we have no known vulnerabilities. That's good. Take that Apple.
Sent from my Nexus 7 using Tapatalk 4 Beta
Click to expand...
Click to collapse
http://www.theepochtimes.com/n3/152836-android-master-key-security-flaw-affects-900m-devices/

If people are worried about security they should not be rooting their devices to begin with.

Sorry if I'm offending
zelendel said:
If people are worried about security they should not be rooting their devices to begin with.
Click to expand...
Click to collapse
Sorry for disagreeing with you, but I worry about common sense security. If this is a root exploit that is needed to ship with CM to allow one to use root, no biggie. I know root makes you vulnerable, but guess what? So does administrative access on Windows. If I worked for the governemnt or a large business I would have a different, possibly non-smart phone to do that task. I'm not stupid enough to go downloading cracked apps from pirated sites, but let me tell you all something. On my PC I had Opera 14 installed and used it during when one of Opera's employee's PCs got hacked and injected the Opera certificates with malware. I freaked. Prooves that a targeted attac could be successful, even with good protection. Luckily, my layer of security (MVPS hosts, Avast, and Malwarebytes Pro) kept it from even approaching the front door. And my Linux box even has the MVPS hosts file as well. Also, if this was an actual vulnerability to be concerned about, Steve Kondik would've patched it before the iCrap loving media could get new anti-Google propaganda. By the way, I am arguing with none of you, but I do need to make a point. I know since Android is based of Linux and not Windows NT, it is hella more secure. I would not root this if this phone had to be used under secure conditions. I'd either disable root while at work, or get a second phone. Yes I love root that much. But I don't get malware very often, havent' had an actual infection that wasn't blocked in many many years. Never even had Android malware. You know why? Hosts file+common sense. I never go to pirated sites, and never will. I love the XDA devs, community, and even some of the non-XDA Google Play devs enough not too. And when I say love, I mean I don't want to see their income sapped. Piracy is a no-no on XDA, but I'm sure it's OK to condemn it. And my talk on that ends now. :good: So onto the main topic, I have common sense, some privacy protections, and I don't just allow any app superuser access. I check reviews first and even have a malware scanner in Advanced Mobile Care. No on demand protection since its not necessary for me, and I never have gotten malware. I bet jailbroken iOS devices get more malware since most of the apps on them are cracked since Apple boots you out of iTunes for jailbreaking. Also, even though I'm rooted I like to know what each exploit means. No device or computer (even a hardened Linux server) is safe from the most skilled black hat. But since I'm not a target of interest, I have some malware prevention via the HOSTS file, Android is more secure than Windows, and I most importantly have common sense, I'll be fine. Maybe I'm too lax on security, but I guarantee you, I will adapt if some freak drive by download trojan comes to Android and by some crazy way gets malware through the Play Store with reputable apps. If a nasty was detected, or an app just looked different enough, it ain't gonna get no system access from me. So go ahead you iOS loving "Android is the next Windows XP" malware magnet pundits in the media, go ahead (that i if any Apple trolls stumble across this thread). I guarantee none of the streams of infected botnets will not add another to the collection. Like I said, not arguing with you but I disagree with you (at least initially) on how powerful my common sense is. I'm not saying you're doubting me, you're a cool guy and more than likely give a lot of assistance around here, but I may look like a noob troll cause I am a Junior member, but I was a long time lurker, and on AndroidForums I have been around a bit. I'm not some sort of super brain (at least not yet) and I do know rooting hampers security, but although I care about security, I just don't want my precious Nexus 4 and 7 to ever become virus magnets. I should have mentioned it, but I thought that vulnerability in CM was because it needed an exploit to have root by defaul (even though CM has disabled it recently). Also I will take some blame myself if I offended any of you. I am paranoid about a lot of things. But it's good to be paranoid to a certain extent. That would explain the lack of malware on all of my computers. But I should pay less attention to the social networks. Even G+. If this was on Facebook, mind you all, I wouldn't have game a damn about it. Facebook is full of trolls, fanboys, and noobs. That's why I rarely use that site and when I do, I pretty much block off all access to my profile from strangers. G+ encourages sharing with new people, while Facebook is like being with your old clique of buddies. That's why I use G+ so much now. That and I can help idiiot test things for developers. :laugh:
scream4cheese said:
http://www.theepochtimes.com/n3/152836-android-master-key-security-flaw-affects-900m-devices/
Click to expand...
Click to collapse
Yes you're definitely right we have a security issue. Not that Android itself is insecure (both my Nexus 4 and 7 were rushed to the latest Nightly to prevent them from joining a botnet) Good thing is custom ROMs create headaches for the bad guys cause they fragment Android (not in the iSheep style way of not getting updates) but in the way that they remove bloatware and some system apps, increase security in some areas, and in general all the code changes make it harder to create a universal botnet. I guarantee 95% of that botnet will be from OEM stock phones. We forget around here that most people are ignorant of common sense and security, if not downright stupid and don't care about security as long as they get their free cracked apps. We're the nerds here and most people are going to make it easy for these holes to be abused. They go to the most untrustworthy sites, install unstrustworthy apps, and are basically asking for it. Also the OEMs are pathetic for not all having a way to quickly patch Android. This type of stuff should sound an alarm to create a security update. I can see not giving an old phone a new version of Sense/touchwiz/Motoblur,etc. but denying security updates is ridiculous. The government should sue the offending OEMs if they want to be respected by the geeks a little more after the whole NSA mess. Because despite the fact that we aren't the ones here creating the botnet, what are we gonna do if thousands of clueless users install cracked apps that contain malware with the exploit, and form a botnet, that say DDOS attacks Google. Then Google Services would be disrupter. Also Google (who I am a big fan of) needs to stop being greedy in the one area of Android updates and force OEMs to include security patches and also backport and open source the security patch ASAP. I know CM is safe from that exploit already, I saw Steve Kondik's commit. But the OEMs are the problem. Google needs to push them past their comfort zone. You can have a car that is 10-20 years old and just because it's out of warranty doesn't mean that even if it takes a fool to make the engine explode in a deadly blast, that the manufacturer would just it there. I've seen Chevy recalls for example. One of them was a recall because something would catch fire if you were an idiot and poured gasoline or engine fluid or somehting on the engine. Of course the people doing this were stupid, but the same is true with technology. Why let the clueless and in the worst case those that just don't care create a botnet for us all to suffer from? Create an idiot patch and stop the situation from exploding. Please OEMs. Do something right for once.

MikeRL100 said:
Sorry for disagreeing with you, but I worry about common sense security. If this is a root exploit that is needed to ship with CM to allow one to use root, no biggie. I know root makes you vulnerable, but guess what? So does administrative access on Windows. If I worked for the governemnt or a large business I would have a different, possibly non-smart phone to do that task. I'm not stupid enough to go downloading cracked apps from pirated sites, but let me tell you all something. On my PC I had Opera 14 installed and used it during when one of Opera's employee's PCs got hacked and injected the Opera certificates with malware. I freaked. Prooves that a targeted attac could be successful, even with good protection. Luckily, my layer of security (MVPS hosts, Avast, and Malwarebytes Pro) kept it from even approaching the front door. And my Linux box even has the MVPS hosts file as well. Also, if this was an actual vulnerability to be concerned about, Steve Kondik would've patched it before the iCrap loving media could get new anti-Google propaganda. By the way, I am arguing with none of you, but I do need to make a point. I know since Android is based of Linux and not Windows NT, it is hella more secure. I would not root this if this phone had to be used under secure conditions. I'd either disable root while at work, or get a second phone. Yes I love root that much. But I don't get malware very often, havent' had an actual infection that wasn't blocked in many many years. Never even had Android malware. You know why? Hosts file+common sense. I never go to pirated sites, and never will. I love the XDA devs, community, and even some of the non-XDA Google Play devs enough not too. And when I say love, I mean I don't want to see their income sapped. Piracy is a no-no on XDA, but I'm sure it's OK to condemn it. And my talk on that ends now. :good: So onto the main topic, I have common sense, some privacy protections, and I don't just allow any app superuser access. I check reviews first and even have a malware scanner in Advanced Mobile Care. No on demand protection since its not necessary for me, and I never have gotten malware. I bet jailbroken iOS devices get more malware since most of the apps on them are cracked since Apple boots you out of iTunes for jailbreaking. Also, even though I'm rooted I like to know what each exploit means. No device or computer (even a hardened Linux server) is safe from the most skilled black hat. But since I'm not a target of interest, I have some malware prevention via the HOSTS file, Android is more secure than Windows, and I most importantly have common sense, I'll be fine. Maybe I'm too lax on security, but I guarantee you, I will adapt if some freak drive by download trojan comes to Android and by some crazy way gets malware through the Play Store with reputable apps. If a nasty was detected, or an app just looked different enough, it ain't gonna get no system access from me. So go ahead you iOS loving "Android is the next Windows XP" malware magnet pundits in the media, go ahead (that i if any Apple trolls stumble across this thread). I guarantee none of the streams of infected botnets will not add another to the collection. Like I said, not arguing with you but I disagree with you (at least initially) on how powerful my common sense is. I'm not saying you're doubting me, you're a cool guy and more than likely give a lot of assistance around here, but I may look like a noob troll cause I am a Junior member, but I was a long time lurker, and on AndroidForums I have been around a bit. I'm not some sort of super brain (at least not yet) and I do know rooting hampers security, but although I care about security, I just don't want my precious Nexus 4 and 7 to ever become virus magnets. I should have mentioned it, but I thought that vulnerability in CM was because it needed an exploit to have root by defaul (even though CM has disabled it recently). Also I will take some blame myself if I offended any of you. I am paranoid about a lot of things. But it's good to be paranoid to a certain extent. That would explain the lack of malware on all of my computers. But I should pay less attention to the social networks. Even G+. If this was on Facebook, mind you all, I wouldn't have game a damn about it. Facebook is full of trolls, fanboys, and noobs. That's why I rarely use that site and when I do, I pretty much block off all access to my profile from strangers. G+ encourages sharing with new people, while Facebook is like being with your old clique of buddies. That's why I use G+ so much now. That and I can help idiiot test things for developers. :laugh:
Yes you're definitely right we have a security issue. Not that Android itself is insecure (both my Nexus 4 and 7 were rushed to the latest Nightly to prevent them from joining a botnet) Good thing is custom ROMs create headaches for the bad guys cause they fragment Android (not in the iSheep style way of not getting updates) but in the way that they remove bloatware and some system apps, increase security in some areas, and in general all the code changes make it harder to create a universal botnet. I guarantee 95% of that botnet will be from OEM stock phones. We forget around here that most people are ignorant of common sense and security, if not downright stupid and don't care about security as long as they get their free cracked apps. We're the nerds here and most people are going to make it easy for these holes to be abused. They go to the most untrustworthy sites, install unstrustworthy apps, and are basically asking for it. Also the OEMs are pathetic for not all having a way to quickly patch Android. This type of stuff should sound an alarm to create a security update. I can see not giving an old phone a new version of Sense/touchwiz/Motoblur,etc. but denying security updates is ridiculous. The government should sue the offending OEMs if they want to be respected by the geeks a little more after the whole NSA mess. Because despite the fact that we aren't the ones here creating the botnet, what are we gonna do if thousands of clueless users install cracked apps that contain malware with the exploit, and form a botnet, that say DDOS attacks Google. Then Google Services would be disrupter. Also Google (who I am a big fan of) needs to stop being greedy in the one area of Android updates and force OEMs to include security patches and also backport and open source the security patch ASAP. I know CM is safe from that exploit already, I saw Steve Kondik's commit. But the OEMs are the problem. Google needs to push them past their comfort zone. You can have a car that is 10-20 years old and just because it's out of warranty doesn't mean that even if it takes a fool to make the engine explode in a deadly blast, that the manufacturer would just it there. I've seen Chevy recalls for example. One of them was a recall because something would catch fire if you were an idiot and poured gasoline or engine fluid or somehting on the engine. Of course the people doing this were stupid, but the same is true with technology. Why let the clueless and in the worst case those that just don't care create a botnet for us all to suffer from? Create an idiot patch and stop the situation from exploding. Please OEMs. Do something right for once.
Click to expand...
Click to collapse
Oh you have many valid points. My statement was more for the average user that really has no use for root. They root and flash cause they think it is cool.
The carriers and OEMs are trying to do something to stop it. The are locking bootloaders and making unrootable kernels (Samsung) To be honest I think this is a good idea for most users. They have no really need for those things and only end up with issues cause they have no idea what they are doing.
Cm Released a set of patches today to block some of the security issues.
See that is the issue with With OEM. Google cant force them to do anything. All the carrier has to do is take the AOSP code and add their stuff to it. No one can say what they have to add or not. This is why I only get nexus devices. I watched Euro devices get updated by the OEM while the US based devices never saw any updates at all. Including security updates that the OEM had issued. As long as the Carriers control what happens to the devices there is nothing that we can really do.

#Nexus4Lyfe I wish this was G+. I felt like a stupid hash tag would be appropriate.

Related

A Discussion with Google??

I want to start this discussion because I haven't seen it anywhere and I read several Android forums. I love the platform and it's "openess" but it seems that requirements from Google fall just short of making this the best platform ever for handsets.
We are all screaming at Motorola about the signed bl but we aren't focusing enough on the greater issue. The Android license from Google seems to allow this or maybe it is less specific to Google than to some other entity but I don't speak lawyerese so i'm not sure. Anyway, here is what I keep reading from Motorola...
"The use of open source software, such as the Linux kernel or the Android platform, in a consumer device does not require the handset running such software to be open for re-flashing. We comply with the licenses, including GPLv2, for each of the open source packages in our handsets"
My point of discussion is this, why aren't we asking Google what they can do? Why can't Google simply state that "we will not allow our software to be damaged in this way"? Why do they allow Verizon, at&t, Motorola, HTC or anyone else manipulate their software in a way that brings so much resentment? Is it not in Google's best interest to force this platform to remain open? I realize this is a double edged sword because open means people can do what they want, which holds true for companies also but I think that everyone realizes that Google's intent was that this would benefit everyone, not just the companies.
Also, everyone seems to forget that HTC is messing around with trying to lock down the NAND. Just because geniuses get past the protection doesn't mean that HTC isn't trying. If the Droid X is a huge success, even with this restriction in place, then what makes any of you think that the rest will not follow suit?
Because open means that you can do whatever you want with it. There is nothing stopping anyone from using it, modifying it for their own uses, and putting it in any device that would support it. That's why a company can strip down all of Google stuff from it and put Bing if they want to, and Google wouldn't be able to complain. The whole point of open and free software is that you compete by actually being the best at something. You keep Google stuff in Android because well, they work best.
Now, when you put Android in a device you manufacture, you do have the rights to do whatever you want with the device. This seems to be a hardware protection on top of the software ones. You know how DRM'd mp3 stop working? well, it's not much different, except that now there is physical damage.
True, these measures defeat the whole purpose of being open, but what the heck. Being truly open means making a great product, and then not complaining when someone grabs it and beats you with it. You have are always competing to deliver the best product, and that's why open is awesome.
Who was it that said: "I can't agree with what you are saying, but I will defend to the death your right to say it"?
Open goes both ways. The company (Motorola) has every right to lock down the bootloader and prevent others from flashing.
You guys are looking at it as if Motorola did this to prevent people from flashing custom roms. The real reason they did it was to prevent others from stealing their rom and porting it to another phone. If you like the "ninjablur" UI, you need to buy the DroidX.
Ryan Frawley said:
Open goes both ways. The company (Motorola) has every right to lock down the bootloader and prevent others from flashing.
You guys are looking at it as if Motorola did this to prevent people from flashing custom roms. The real reason they did it was to prevent others from stealing their rom and porting it to another phone. If you like the "ninjablur" UI, you need to buy the DroidX.
Click to expand...
Click to collapse
Actually, I don't agree. I'm pretty sure one could extract those widgets if you really wanted to. (They "Ain't all that" if you ask me. - And yes, I did buy an X yesterday and love it. Just ain't crazy about those widgets).
I think the real reason this is locked down is to prevent custom ROM/Root access to enable tethering. There are other issues I'm sure, but at the top of the list is to protect that revenue Big Red is trying to generate.
As to Google 'Stopping' the carriers from locking this down, please understand that if the carriers can't protect their revenue streams, they simply won't allow the phones on their network, and that would hinder the growth of the OS in general.
Don't take any of my words as endorsement of VZW/Moto actions. I'll be first in line to flash/root my phone when/if its ever possible. I'm just a realist. VZW wants $20/month for WiFi Tether. They are going to do as much as reasonably possible to keep you from doing that for free.
In a related note, 2.2 Froyo does tethering natively. I expect this to be crippled/disabled when we get our update in a couple of months.
I don't agree with the idea that companies would stop supporting the platform. The Droid has been a cash cow for verizon and it is an open book. Google could easily ask that their platform remain open for all to enjoy.
Beyond that, if Google allows them to gimp their OS then Google has created something entirely for the benefit of companies and not at all for the general population. I don't believe this is true. I think that the changes will start with Android v3.0. Google will start getting more pissy about custom crap especially if it makes their product seem worse and increase the chance that Android will be looked upon negatively.
Despiadado1 said:
I don't agree with the idea that companies would stop supporting the platform. The Droid has been a cash cow for verizon and it is an open book. Google could easily ask that their platform remain open for all to enjoy.
Beyond that, if Google allows them to gimp their OS then Google has created something entirely for the benefit of companies and not at all for the general population. I don't believe this is true. I think that the changes will start with Android v3.0. Google will start getting more pissy about custom crap especially if it makes their product seem worse and increase the chance that Android will be looked upon negatively.
Click to expand...
Click to collapse
Its the same problem with windows, the OS gets blamed for what hardware vendors do to it... we see this $400 computers getting compared to Apples $1500+ computers and thats some how proof windows sucks, I never had problems with Vista being slow, but people and there $400 computer did.
The problem with Android, specifically the scrolling smoothness, is the vendors custom Android OS setups...
FtL1776 said:
Its the same problem with windows, the OS gets blamed for what hardware vendors do to it... we see this $400 computers getting compared to Apples $1500+ computers and thats some how proof windows sucks, I never had problems with Vista being slow, but people and there $400 computer did.
The problem with Android, specifically the scrolling smoothness, is the vendors custom Android OS setups...
Click to expand...
Click to collapse
To be fair, I think the scrolling smoothness is half crappy hardware and half Android's lack of hardware acceleration.
Mikerrrrrrrr said:
To be fair, I think the scrolling smoothness is half crappy hardware and half Android's lack of hardware acceleration.
Click to expand...
Click to collapse
No some custom roms fix those issues because they enable the hardware acceleration, which again shows that Google really should crack down on some of these custom versions of Android on phones.
Zaphod-Beeblebrox said:
Actually, I don't agree. I'm pretty sure one could extract those widgets if you really wanted to. (They "Ain't all that" if you ask me. - And yes, I did buy an X yesterday and love it. Just ain't crazy about those widgets).
I think the real reason this is locked down is to prevent custom ROM/Root access to enable tethering. There are other issues I'm sure, but at the top of the list is to protect that revenue Big Red is trying to generate.
As to Google 'Stopping' the carriers from locking this down, please understand that if the carriers can't protect their revenue streams, they simply won't allow the phones on their network, and that would hinder the growth of the OS in general.
Don't take any of my words as endorsement of VZW/Moto actions. I'll be first in line to flash/root my phone when/if its ever possible. I'm just a realist. VZW wants $20/month for WiFi Tether. They are going to do as much as reasonably possible to keep you from doing that for free.
In a related note, 2.2 Froyo does tethering natively. I expect this to be crippled/disabled when we get our update in a couple of months.
Click to expand...
Click to collapse
Motorola has said so itself. The reason Droid X is locked down is because they don't want people stealing their custom UI. Widgets are only part of this UI. The inability to flash custom roms is merely a consequence of protecting their UI.
FtL1776 said:
No some custom roms fix those issues because they enable the hardware acceleration, which again shows that Google really should crack down on some of these custom versions of Android on phones.
Click to expand...
Click to collapse
Ah. Didn't know that.

Android Security: A neglected subject (long)

First of all: I'm an OSS advocate and love the idea of open source. Don't forget that while reading this.
Some 2 month ago, I got myself a Galaxy S. It's not exactly cheap, but on the other side, it's really good hardware. This thread is not about Samsung or the Galaxy S. It's about the missing parts of android security.
We all know it from our home computers: Software sometimes has bugs. Some just annoy us, others are potentially dangerous for our beloved data. Our data sometimes gets stolen or deleted due to viruses. Viruses enter our machines by exploiting bugs that allow for code execution or priviledge escalation. To stay patched, we regularly execute our "apt-get update;apt-get dist-upgrade" or use windows update. We do this to close security holes on our systems.
In the PC world, the software and OS manufacturers release security bulletins to inform users of potentially dangerous issues. They say how to work around them or provide a patch.
How do we stay informed about issues and keep our Android devices updated?
Here's what Google says:
We will publicly announce security bugs when the fixes are available via postings to the android-security-announce group on Google Groups.
Click to expand...
Click to collapse
Source: http://developer.android.com/guide/appendix/faq/security.html#informed
OK, that particular group is empty (except for a welcome post). Maybe there are no bugs in Android. Go check yourself and google a bit - they do exist.
"So why doesn't Google tell us?", you ask. I don't know. What I know is that the various components of Android (WebKit, kernel, ...) do have bugs. There's nothing wrong with that BTW, software is made by people - and people make mistakes and write buggy code all the time. Just read the changelogs or release notes.
"Wait", I head you say, "there are no changelogs or release notes for Android releases".
Oh - so let's sum up what we need to stay informed about security issues, bugs and workarounds:
* Security bulletins and
* Patches or Workaround information
What of these do we have? Right, nada, zilch, rien.
I'll leave it up to you to decide if that's good common practise.
"But why is this important anyway", you ask.
Well, remember my example above. You visit a website and suddenly find all your stored passwords floating around on the internet. Don't tell me that's not possible, there was a WebKit bug in 2.2 that did just that. Another scenario would be a drive-by download that breaks out of the sandbox and makes expensive phone calls. Or orders subscriptions for monthly new ringtones, raising your bill by orders of magnitute. Or shares your music on illegal download portals (shh, don't tell the RIAA that this is remotely possible).
The bug is probably fixed in 2.2.1 - but without changelogs we can't be sure.
But that's not all - there's a second problem. Not only are we unaware of security issues, we also don't have automated update mechanisms.
We only receive updates when our phone's manufacturers release new firmware. Sadly, not all manufacturers support their phones in the long run.
In the PC world, most Distros have a central package management - that Google forgot to implement in Android. Agreed, some phones can receive OTA updates, but that depends on the carrier. And because of the differences in Android versions it's not possible to have a central patch management either. So we do not know if our Android devices might have security issues. We also have no easy way to patch them.
Perhaps you knew this before, then I apologize for taking your time.
What do YOU - the computer literate and security aware XDA users - think about this? Do you think that's a problem? Or would you rather say that these are minor problems?
Very intresting, thanks! The update problem should be fixed with the next release, no more custom UIs and mods from phone manufacturers,at least google said that
Sent from my Nexus One using XDA App
Excellent post and quite agree with you. The other significant problem looming is the granularity (or rather, lack thereof) in app permissions which can cause problems you describe without bugs and exploits. I install an app that does something interesting with contacts and also has internet access to display ads. How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
I love Android but it's an accident waiting to happen unless the kind of changes you advocate are implemented and granularity of permissions significantly increased. I don't like much about Apple but their walled garden app store is something they did get right although IMHO, they also abuse that power to stifle competition. Bring out the feds!
simonta said:
The other significant problem looming is the granularity (or rather, lack thereof) in app permissions [...]
How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
Click to expand...
Click to collapse
I agree, although I'm not sure that less experienced users might have difficulties with such options.
simonta said:
I love Android but it's an accident waiting to happen
Click to expand...
Click to collapse
Sad but true. I'm just curious what Google will do when the first problems arise and the first users will have groundshaking bills.
If that happens to just a few users, it'll get a kind media coverage Google surely won't like.
I've seen quite a few android exploits posted on bugtraq over the years. It's a high-volume email list, but with some filtering of stuff you don't care about, it becomes manageable. It's been around forever and is a good resource if you want the latest security news on just about anything computer related.
http://www.securityfocus.com/archive/1/description
People are bashing a lot about the Android security model but the truth is you can never have 100% protection with ANY solution.
Apple is not allowing any app in their store. Fine. but mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. but they can never tell what an app is really doing. Therefore they would neeed to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Speaking again of Android. I think the permission model is not bad. I mean, no other OS got such detailed description about what an app can do or not. But unfortunately it can only filter out very conspicuous apps, i.e. a Reversi game asking for your location and internet access. But then you never know... if the app is using ads it requires location and internet access, right? so what can you do?
RAMMANN said:
Apple is not allowing any app in their store. Fine. but mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. but they can never tell what an app is really doing. Therefore they would neeed to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Click to expand...
Click to collapse
Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Of course you can't get 100% security and I don't think that's what we're saying, but there is a lot you can do.
Take for example internet access which is the biggest worry I have. The only reason most apps request internet access is to support ads. I now have a choice to make, don't use the app or trust it. That simple, no other choice.
If I installed an app that serves ads but did not have internet access, then the only way that app can get information off my phone is to use exploits and I'm a lot more comfortable knowing that some miscreant needs to understand that than the current situation where some script kiddy can hoover up my contacts.
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
I absolutely agree with you on Apple, one of the main reasons that I chose a Desire instead of an iPhone, but the Android approach is too far the other way IMHO.
Just my tuppence, in a hopeless cause of imagining someone at Google paying attention and thinking you know what, it is an accident waiting to happen.
marty1976 said:
Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Click to expand...
Click to collapse
Well, so why did a tethering app once make it into the appstore?
Also I think there are many possibilities for an app to behave normal, and just start some bad activity after some time. Wait a couple months until the app is spread around and then bang. Or remotely launch some action initiated through push notifications etc.
If there is interest, then there is always a way....
simonta said:
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
Click to expand...
Click to collapse
I agree that a seperate permission for ads would be a good thing.
But there are still many apps which need your location, contacts, internet access.... all the social media things nowadays. And this is where the whole thing will be going to so I think in the future it will be even harder to differenciate.
Getting back on topic: I just read that Windows 7 Phone will get updates and patches like desktop windows. That means patchday once a month plus when urgency is high...
simonta said:
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
Click to expand...
Click to collapse
But, how do you distinguish them? Today, (as a developer) I can use any ad-provider I want. In order to distinguish ads from general internet access, the OS would need one of:
A Google-defined ad interface, which stifles "creativity" in ad design. Developers would simply ignore it and do what they do now as soon as their preferred ad-provider didn't want to support the "official" ad system or provided some improvement by doing so.
An OS update to support every new ad-provider (yuck^2).
Every ad-provider would have to go through a Google whitelist that was looked up on the fly (increased traffic, and all ads are now "visible" to Google whether Google is involved in the transaction or not). This would also make ad-blocking apps harder to implement since Google's whitelisting API might not behave if the whitelist was unavailable. On the upside, it would make ad-blocking in custom ROMs be trivial.
Even if Google did one of these things, it still wouldn't provide any real increase in privacy or security. The "ad service" would still need to deliver a payload from the app to the service (in order to select ads) and another from the service to the app (the ad content). Such a mechanism could be trivially exploited to do anything that simple HTTP access could provide.
http://code.google.com/p/android/issues/list
issues submitted are reviewed by google employed techs... they tell you if you messed up and caused the issue or if the issue will be fixed in a future release or whatever info they find.
probably not the best way to handle it but its better then nothing.
twztdwyz said:
http://code.google.com/p/android/issues/list
Click to expand...
Click to collapse
Knew that bug tracker, but the free tagging aka labels isn't the best idea IMHO.
You can't search for a specific release, for example...
twztdwyz said:
probably not the best way to handle it but its better then nothing.
Click to expand...
Click to collapse
Ack, but I think Google can do _much_ better...
Two more things to have in mind:
1. I doubt that many Android users bother much about what permissions they give to an app.
2. Using Google to sync your contacts and calendar (and who knows what else), is a bad, bad idea.

just seen an tv advert selling Norton antivirus for android

Are you kidding me? 14 quid from pcworld! Linux needs an antivirus?!!!?
maybe corprate and government issued android phones need it, but if you have common sense and actually READ the permissions you are giving to an app (and look at the reviews, just to be sure) you should know what is or isn't "poisoning" your system. By "poison", I mean that there are not "viruses" on android, but, rather, apps which are meant to be malicious in nature by acting very similar to how trojans or malware work. Normally, these malware apps aren't very hard to remove yourself (or even discover) especially with root access which is why android users shouldn't concern themselves THAT much with antivirus measures and such.
There's a bit of malware out and about on Android. Monitoring permissions is one thing, but then there are apps that can piggyback on another app's permissions, making it hard to be sure of an app's trustworthiness every time.
There's also the frustrating reality that enthusiasts, like those on XDA, often think they're smart enough (simply by virtue of knowing what kernel means) to be above the risk of malware. These are often the same people who dive headfirst into a user's brand new first ROM the first 10 minutes it's out, and ROMs don't ask for permissions.
Hackers are much more likely to take huge risks installing mystery code based purely on a presumed trust in the XDA 'fraternity'.
Then there are regular apps on the market for, like, an sms widget, that will naturally ask for permissions to read/send texts, access contacts, etc, and those permissions unlock any number of invisible behaviors that may not be caught for weeks. *shrug*
So yeah, govt and corp people distributing handsets to employees will use AV software, as will many regular users, because it's easier and more convenient (and cheaper, in the case of employees) that training yourself or someone else to comprehend permissions and good awareness.
Though there will always be toddlers in the computing community who rant and rage about how people should fully understand what a computer does before being allowed to use it...but that childish RTFM attitude is what keeps Linux on fewer home PCs than Microsoft Bob has been on.

Petition to Microsoft to allow jailbreaking

Hi all.
Haven't seen this topic yet so I thought I'd introduce it. Has a petition ever been sent directly to Microsoft to allow jailbreaking and development of apps in a Cydia like store. I'm positive this would increase the popularity of wp8. There are are so many little things like decreasing the interval for updating live tile, and creating playlists on the phone itself. Widgets would also be nice. I just got a 920 and like it a lot. I was using launcher8 on my gn2 before and that launcher allowed widgets on tiles, more rectangular tile options etc.
Are you really think that Microsoft or somebody else care about these petitions?
Useless guy said:
Are you really think that Microsoft or somebody else care about these petitions?
Click to expand...
Click to collapse
if enough people sign, then yes I do. I'm convinced that many iOS and android users would try a windows phone. There would be far more developers making apps also.
Jailbreaking will never be allowed on windows phone becuase Microsoft wants to win over the business sector. One of the reason the secure boot was implemented was because of businesses complaining about security on WP7.
Besides, there aren't really BIG things to get from jailbreaking, other than useless things some individuals care about. the vast majority of WP8 users are happy with their phones, plus most of the things you are asking (like adding playlists on the phone), will be supported eventually.
Lowering the interval for live tiles is a really bad idea btw.
If microsoft ever allows access to the file system, there will be no need for anything else: developers will pick it up from there and do their thing.
Ain't ever going to happen. Ms is bent over backwards by OEMS and carriers
Sent from my Arc using xda app-developers app
we need to start a kickstarter or offer a bounty on xda
I am sure if we started a bounty or kickstarter and rightfully paid one of the hackers to jailbreak wp8 they could get the job done a lot sooner
so how shall we go about this?
I am ready to offer my contribution
noelito said:
I am sure if we started a bounty or kickstarter and rightfully paid one of the hackers to jailbreak wp8 they could get the job done a lot sooner
so how shall we go about this?
I am ready to offer my contribution
Click to expand...
Click to collapse
Still won't happen dude. I don't know but there seems to be some sort of aversion to WP by all the devs. The iPhone/iPad community has a number of devs piling over eachother to bring out the "next best way to JB". Android, I don't even need to get started. Other OSs too will fall in place soon. But what keeps the devs away from WP is a bit of a mystery to me.
BTW, I hope you know what happened to the kids that jailbroke the first Gen WP devices. They got hired by MS and were given a T shirt, if my memory is good.
So... that's that.
It's hilarious how you people believe that is easy to exploit WP8, Devices that use it have Secure Boot and Bitlocker so exploiting the boot process is practically impossible, exploiting on app-level is also hard as all apps run over a sandbox and the user has no administrator privileges so you can't use the sandbox exploitation available for Windows RT.
Plus there's overall no appeal for hacking it other than it runs over NT.
I think we should do it, there is nothing to loose, but it shouldn't be for jail breaking but for allowing file system access similar to Windows RT
Everybody can try to found a exploit.
If somebody will have luck, he will be the man....
But like people here say...
Its very very hard!
Sent from my GT-I8750 using Board Express
It's better for Microsoft (in the long run) that the OS will not be jailbroken: Jailbroken devices can install pirated applications, and pirated applications makes application developers angry.
Currently, app devs have no choice but to develop their applications to the 2 major OSs out there (iOS and Android), and know that in some point it is quite likely that people who jailbreak their devices can install pirated copies of their applications.
In the long run, as WP would start gaining major market share, application developers would be more keen to focus their development for WP as they'd know their property could not be pirated (if, supposedly, WP will remain unhacked).
This is of course only hypothetical - there's no protection which is made by men and cannot be hacked by men, and I'm more than sure that the more user-base and interest WP gains, the more likely is that someone would find a loophole in the OS and it'd be jailbroken...
And maybe not
Thread moved to General
I am as well very certain that Microsoft will not allow for Jailbreaking of the devices. They have some programs that will get you a free dev account to develop on top of the Plattform but they don't Support changes to the Plattform itself. If you want to make your Point about giving Devs certain APIs go to wpdev.uservoice.com and Support them with your votes.
As for jailbreaking WP: I'm sure it can be done because in the end: techniques exist to exploit basically everything but as was already said: Microsoft isn't making it easy.
StevieBallz said:
I am as well very certain that Microsoft will not allow for Jailbreaking of the devices. They have some programs that will get you a free dev account to develop on top of the Plattform but they don't Support changes to the Plattform itself. If you want to make your Point about giving Devs certain APIs go to wpdev.uservoice.com and Support them with your votes.
As for jailbreaking WP: I'm sure it can be done because in the end: techniques exist to exploit basically everything but as was already said: Microsoft isn't making it easy.
Click to expand...
Click to collapse
It may be possible, but as for now they have closed damn near every hole we could think of. I'd say the only way we can hope for SOME progress is if we can exploit the root certificate and policies somehow. I know GoodDayToDie had a few good potential ideas. It's not that the device NEEDS to be jailbroken, we need to be given more trust. I feel as if Microsoft automatically feels like we will screw everything up so it's being our overprotective mother instead. We all know what happens when you are too overprotective to those you care about.....
With that said, if we can just be given a LITTLE more freedom.. That's all I ask for. I don't think we would have to worry about any type of malware since the App Hub process is smart enough to give me the red X if I'm trying to call MessageBox.Show() from a background task.
/endrant.
What if we paid you the bounty?
Sent from my SGH-T899M using XDA Windows Phone 7 App
iOS is certified afaik for government use, so the business security issue is specious. Not everybody will hack their device anyway.
There are different levels of security certifications, similarily to Mil-Spec Standards that exist for a lot of different criteria. Allowing people to do more with their devices isn't really at the core of Microsoft's concerns here. They don't try to push it though as they want applications in the Store and not on the web. Piracy is likely to play a role here too.
As for a bounty to make a JailBreak happen - it might be an incentive for certain developers to start looking into it. With WP7 the way most of the time was to hack the Bootloader and then flash a custom ROM to allow for additional access. With WP8 people might need to look into other ways in given that Secure Boot is likely to be a very hard nut to crack. Given that the original Jailbreak for WP7 relied on custom certificates it's likely that Microsoft invested there to close this off better but it's of course still worth investigating.
The more important part in the end would be to get Microsoft to make more available through the official APIs. They are extending those and this has made more functionality available every time they did a major update to the OS (Mango, Apollo).
Another point to note is that native interop is now part of the regular SDK. It's therefore likely that native APIs will be better protected against accesses from unauthorized Apps than they have been in WP7 (where the problem was getting native code to run at all).
RCranium666 said:
if enough people sign, then yes I do. I'm convinced that many iOS and android users would try a windows phone. There would be far more developers making apps also.
Click to expand...
Click to collapse
Not trying to be negative but I don't think the would care. On their won suggestion site (http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/2281201-custom-sounds-for-sms-mms-email-notifications-e) the haven't even responded to the 40,000 + petitions that people have been voting for 2 years for custom MMS\SMS; something that is so easy to do.
Thanks for everyone's responses. I just went back to my gn2. I found too many compromises in wp8. The funny thing is, I use a wp8 launcher on android and it's much more versatile than wp8 itself. The l920 was also a disappointment. I'm no stranger to phone cameras and I was rarely able to take a good picture with it. I like the l920's design better than the gn2, but not much else.

[Guide (Making One)] Please help do a thorough guide to optimising an Android.

Backstory: I've always used iPhones, was tired of the bull****, and wished for Android especially the S8. Was shocked, and I'm rarely shocked, but the agressive violation of privacy, the crazy amount of bloatware, and the unoptimised UX and system services overall.
Now, I'm in charge of a wide ecosystem of people using smartphones in our company as well as other companies I consult for. While people always blab about personal privacy (which is a concern of course), what I don't understand is how people dealing with either sensitive, contractual or strategic informations could use Android devices given that it *excuse but there's no better terms* rapes your privacy in every, but also I'm pretty sure, illegal, ways.
For exemple the Sound Detector app, even when disabled, is constantly listening to your environment without your priori knowledge or permissions. In fact it's mainly the permissions scheme that baffles me: on iOS or any PC or Mac, you can install any app without being constrained to accept giving out information or accessing functions that have nothing to do with the app, THEN you can choose what precise permissions, when and why. And of course there's the whole wider problem of usage and data tracking (which I apparently have to install...a firewall??) or even malware (I have to install a separate antivirus for...on a smartphone). Worst exemple being that of course: www.theverge.com/2018/1/2/16842294/android-apps-microphone-access-listening-tv-habits
Now I like Android for all their efforts, development and implementation, as well as Samsung efforts...but I'm on the verge of having to present a report to ban all Android phones (for a "leave at door" Policy or either iPhone, BBMs and any other "more" secure smartphones) like I just realise they did in the US government and other official institutions as well as some corporations...or...understand very well how it works, and devise a clearly guide on how to completely optimise and secure Android smartphones like I would for PCs/Macs.
So here's my mission if you accept to help me:
1. I want to deconstruct how Android works in a very simple scheme for noob.
2. From that I want to list all the system packages and services, to determine those that are critical, optional or bloatware, and actually describe exactly what they're for so people have a clear idea.
3. I want to list all the base applications, stores or packages apps, to determine those that are critical, optional or bloatware, then what they're for and most importantly the best alternative apps to these.
4. I want to list and make a simple schemes of how the device components (sensors, cam, mic...), the different data canals, and the the different permissions are circulating or violating privacy while screwing cpu time, battery and data.
5. Finally I want to learn, understand and create a simple noob introduction to the different tools like Xposed (and XprivacyLua which seems to be the best options), package disablers (I personally went for BK), Firewall, Adblockers and Antivirus (honestly didn't even think I would need those on Android).
So I guess first, I'll list all the apps, packages (and sub-services) that my Galaxy S8 came shipped with that overwhelmed me, so as to know for a basic Galaxy S8/+/Note what is a consensus of what to disable, why, how and by what to replace if there's alternative, while listing basic how-to's of the tools to that. Note that I only know about BK Disabler as of now.
Reserved
Upd: I haven't had time, but I'm starting to do a table with all the packages, what they're for and wether to disable them.
You do know that Silverpush do affect both iPhone and Android, right? And "leave at the door" policy or either iPhone or BBM? There's two errors in this sentence. Are you really what you claim to be? Or just someone with an agenda who just created an XDA account?
why would you need an antivirus for a phone if you stick to play store apps?
rashat999 said:
why would you need an antivirus for a phone if you stick to play store apps?
Click to expand...
Click to collapse
There are plenty of play store garbage apps with spy ware and crap in them
vladimir_carlan said:
You do know that Silverpush do affect both iPhone and Android, right? And "leave at the door" policy or either iPhone or BBM? There's two errors in this sentence. Are you really what you claim to be? Or just someone with an agenda who just created an XDA account?
Click to expand...
Click to collapse
iPhone (pretends to) be safe and secure and doesn't straight-up violate your privacy by forcing unneeded permission even before installing the app and running tons of spyware as per unbox while giving all your infos out to apps that demand it and more. It's also a question of procedure: iPhone are really easy to fix/secure with a jailbreak, I didn't even root this Android I got and realised how terribly aggressive their violation of privacy is.
But again, I just want to give people the choice as long as their device is secure, that's why I'm learning all the quirks of Android and how to secure them. All our IT guys confirmed that unless you know exactly how to secure Android devices like we did for our computer park, employees better go for an iPhone.
There's a difference between Apple that might have backdoors to the NSA, and Android that is a crazy open buffet for -permitted- informations stealing without even talking about spyware or silverpush. My Galaxy S8 came with apps and packages that were constantly listening through the mic without my prior knowledge, installation or authorisation, this is intolerable. But I switched for a reason, I'll see if using Android is easily manageable or if it's better to ban them from inside use.
OgreTactic said:
iPhone (pretends to) be safe and secure and doesn't straight-up violate your privacy by forcing unneeded permission even before installing the app and running tons of spyware as per unbox while giving all your infos out to apps that demand it and more. It's also a question of procedure: iPhone are really easy to fix/secure with a jailbreak, I didn't even root this Android I got and realised how terribly aggressive their violation of privacy is.
But again, I just want to give people the choice as long as their device is secure, that's why I'm learning all the quirks of Android and how to secure them. All our IT guys confirmed that unless you know exactly how to secure Android devices like we did for our computer park, employees better go for an iPhone.
There's a difference between Apple that might have backdoors to the NSA, and Android that is a crazy open buffet for -permitted- informations stealing without even talking about spyware or silverpush. My Galaxy S8 came with apps and packages that were constantly listening through the mic without my prior knowledge, installation or authorisation, this is intolerable. But I switched for a reason, I'll see if using Android is easily manageable or if it's better to ban them from inside use.
Click to expand...
Click to collapse
Mate my question still stand: are you really what are you claiming to be or you just have an agenda? Some badass company appointed you to decide what is secure and what not. Really? You? In Op you are talking about thinking to allow only iOS and BBM (it's Bbos BTW) only. BBOSS? Really? BBOS was discontinued one year ago...no more updates no more security patches, no more nothing.
vladimir_carlan said:
Mate my question still stand: are you really what are you claiming to be or you just have an agenda? Some badass company appointed you to decide what is secure and what not. Really? You? In Op you are talking about thinking to allow only iOS and BBM (it's Bbos BTW) only. BBOSS? Really? BBOS was discontinued one year ago...no more updates no more security patches, no more nothing.
Click to expand...
Click to collapse
That's not my job, but that's part of mine to decide or push in front of committees what tool we should use, purely from a utilitarian, managerial and system POV. None of us beside IT guys ever realised how Android were intolerably insecure, I've had my head in Apple buttock for years thinking "yeah, that's too limited and I heard Android is now as stable and well made".
But I don't want to go back to iPhone either, so here I am sitting with a Galaxy S8 I'm still not using because I don't where to start to secure it, whether I should try to fix everything on the factory rom or just root it.
OgreTactic said:
That's not my job, but that's part of mine to decide or push in front of committees what tool we should use, purely from a utilitarian, managerial and system POV. None of us beside IT guys ever realised how Android were intolerably insecure, I've had my head in Apple buttock for years thinking "yeah, that's too limited and I heard Android is now as stable and well made".
But I don't want to go back to iPhone either, so here I am sitting with a Galaxy S8 I'm still not using because I don't where to start to secure it, whether I should try to fix everything on the factory rom or just root it.
Click to expand...
Click to collapse
Okay...what exactly makes you to feel insecure? I understand you're bothered that some apps are accessing your microphone. That's easy... Settings-Apps. Tap on those three dots and chose app permission. You'll see what apps have access to microphone and deny permission for them. Job done. What else makes you to feel insecure?
vladimir_carlan said:
Okay...what exactly makes you to feel insecure? I understand you're bothered that some apps are accessing your microphone. That's easy... Settings-Apps. Tap on those three dots and chose app permission. You'll see what apps have access to microphone and deny permission for them. Job done. What else makes you to feel insecure?
Click to expand...
Click to collapse
I put my S8 away for now I went back to an iPhone. I'm using it off-grid to still try and figure out how it works.
Basically my problems are clear:
1. There's no transparency in background processes/services, the component they use and the data they send.
2. The way permissions are managed is intolerable: forcing you to accept non-necessary and arbitrary access to connected components or private information BEFORE installing the app is a form of extortion. The same goes when running the app: forcing permissions that are not critical to the app code actually running is a form of extortion. Baffles me how Google even allows that today.
3. The fact that there's even a need for a firewall and antivirus, and that the official stores is filled with illegal (copyright infringing app so blatant) and therefor myriads of potential malicious apps like Silverpush-enabled one, without any store control or curation on Google's part.
All this means there is no way I will use an Android rather than an iPhone and allow anyone dealing with private or "sensitive" commercial informations using one inside the company. I'm still trying to figure out if going straight to root is the solution, if I'll have to use cryptography for documents and coms, or if I'll have to spend days figuring out Xposed+Xprivacy, Packages Disablers, MicroG alternative libraries, Firewall and Antivirus and god knows what to make it decently secure like an iPhone (which doesn't aggressively violates your privacy and is really easy to secure with a jailbreak...unless there are hidden backdoors which is still far from the probably illegal open-buffet of private and sensitive informations Google provides to any potential malicious websites, scripts or apps).

Categories

Resources