
Android Holes Allow Secret Installation of Apps

timothy posted more than 3 years ago | from the be-glad-he's-on-your-side dept.

Cellphones 132

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

132 comments

Makes popcorn (5, Funny)

Anonymous Coward | more than 3 years ago | (#34219706)

And sits down to watch the fanboy battle begin. Go go go

Re:Makes popcorn (2, Funny)

MobileTatsu-NJG (946591) | more than 3 years ago | (#34219746)

I dare the posters on this site to go this entire thread without mentioning Apple.

Re:Makes popcorn (1, Funny)

Anonymous Coward | more than 3 years ago | (#34219754)

Oh damn! Already foiled.

Re:Makes popcorn (2, Interesting)

WrongSizeGlass (838941) | more than 3 years ago | (#34219938)

Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone? Isn't this very similar to a problem my iPhone had just a few months ago? Yeah, it's a different method of infection and the levels of access aren't the same (I believe the iPhone could be totally rooted by this) but the fact remains that these devices aren't 100% secure.

Is this type of thing news? Only in the sense that it serves as a reminder to those who will listen that you have to be careful about what you do with your phone/computer/etc.

Re:Makes popcorn (1)

MrHanky (141717) | more than 3 years ago | (#34221166)

Why shouldn't this be news, when new Windows and iPhone exploits are news? The question is whether these holes will be fixed for all Android phones, and not only in the upcoming Android 2.3.

Re:Makes popcorn (4, Funny)

TheRaven64 (641858) | more than 3 years ago | (#34221168)

Isn't this very similar to a problem my iPhone had just a few months ago?

Nope, it's entirely different. This is a security hole, while the iPhone had a jailbreak opportunity.

Re:Makes popcorn (1)

BrokenHalo (565198) | more than 3 years ago | (#34221438)

Getting back to the topic... what I didn't get from the article is whether or not this exploit works if you use another browser (e.g. firefox) rather than the integrated one.

Re:Makes popcorn (1)

a_nonamiss (743253) | more than 3 years ago | (#34221772)

I'm not sure if you're being sarcastic or not, but jailbreak opportunity is by definition a security hole. With the iPhone/iPad vulnerability, you could literally go to a webpage and your device was jailbroken. You didn't have to approve or install anything. It was convenient, but that jailbreak code could just as easily have been a toll caller, person tracker, cookie stealer, etc.

Re:Makes popcorn (1)

msauve (701917) | more than 3 years ago | (#34221322)

"Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone?"

That's not what the summary said - it said there's one "security hole" (the user explicitly giving a browser rights to install apps) which can only be exploited "if they have found another browser hole." (my emphasis)

The Linux "login" command has the same sort of hole, because if you can only find that other hole which allows you to get root, you can do anything. One can fix that by making it so root doesn't have the privileges to do anything. :-)

Re:Makes popcorn (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34219750)

Not an issue with iOS. It is 100% secure from this type of hacks. People who value their security go with the mature platforms and apps that have been checked over by professionals to make sure they are not Trojans.

Re:Makes popcorn (0)

Anonymous Coward | more than 3 years ago | (#34219830)

Yeah, except that series of holes that could be exploited by opening a webpage with a PDF that gave ANYONE ROOT ACCESS.

Tard. Or troll. Hard to tell the difference, maybe there is none.

Re:Makes popcorn (1)

node_chomsky (1830014) | more than 3 years ago | (#34222500)

Yeah, except that series of holes that could be exploited by opening a webpage with a PDF that gave ANYONE ROOT ACCESS.

Tard. Or troll. Hard to tell the difference, maybe there is none.

The PDF root problem was an issue with Adobe's viewer, not PDFs in general. A PDF is just a file format, it doesn't have special root powers. The iPhone doesn't run Acrobat, it has its own in-house PDF reader.

Re:Makes popcorn (1)

fluffy99 (870997) | more than 3 years ago | (#34219840)

Not an issue with iOS. It is 100% secure from this type of hacks. People who value their security go with the mature platforms and apps that have been checked over by professionals to make sure they are not Trojans.

A little tongue in cheek eh? Yes Apple has certainly had a few questionable and/or vulnerable apps make their way into the store.

Re:Makes popcorn (1)

icebike (68054) | more than 3 years ago | (#34220192)

Well the summary did fail to mention The browser hole has been closed in Android 2.2.

Hey, pass some of the popcorn over here, I'll trade you for this here cold brewsky.

Re:Makes popcorn (1)

RDW (41497) | more than 3 years ago | (#34221170)

'Well the summary did fail to mention The browser hole has been closed in Android 2.2.'

Which is great news for everyone stuck on earlier versions without an upgrade path...

Time to open a six pack!

I can't find that app in the App Store (-1, Troll)

Brannon (221550) | more than 3 years ago | (#34219752)

I click on the little App Store icon (the one that always has a red circle with some number in it) and then put in "Angry Birds Bonus Levels" on the search thingy and it doesn't find it.

Who do I call to complain about that, iTunes or Apple?

What is Android? is that a new game for iphones?

Re:I can't find that app in the App Store (0)

Anonymous Coward | more than 3 years ago | (#34219766)

Man I found it but Fake Location Tracker doesn't seem to work :(

Re:I can't find that app in the App Store (3, Funny)

FatdogHaiku (978357) | more than 3 years ago | (#34220284)

Man I found it but Fake Location Tracker doesn't seem to work :(

You must first be in a fake location...duh!

Re:I can't find that app in the App Store (1)

Sun (104778) | more than 3 years ago | (#34220334)

They're called "mock locations" on Android. Settings/Applications/Allow mock location.

Shachar

Android is open... (3, Funny)

Schuthrax (682718) | more than 3 years ago | (#34219758)

So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

Yes, and people really should read the source (2, Funny)

Brannon (221550) | more than 3 years ago | (#34219788)

before they install their apps.

Re:Yes, and people really should read the source (1)

maxwell demon (590494) | more than 3 years ago | (#34221688)

That's not enough. They also have to self-compile them (because how else would you be sure that the app really is compiled from the source they've seen?) with a trusted compiler (or else the compiler may insert a vulnerability). Of course after having read the source of the compiler itself, and having hand-compiled it (because otherwise you'd have to rely on an unchecked compiler to compile your compiler).

Oh, and don't forget to study the circuit design of your phone's processor!

Re:Android is open... (0)

Anonymous Coward | more than 3 years ago | (#34219806)

Yes, for the folks that know how to compile and create their own fix - perhaps.

Fact - The majority of consumers (who have no idea or technical knowledge of open source and how to compile code) reading something like this is a buzzkill, in which they'll shop for an alternative mobile OS - period.

Re:Android is open... (1, Informative)

amRadioHed (463061) | more than 3 years ago | (#34219878)

Actually this sounds like it is an HTC Sense issue, not an Android issue. Android doesn't come with a browser that uses Flash Lite. And since HTC Sense is not open, people can not make their own fixes.

Re:Android is open... (1)

wampus (1932) | more than 3 years ago | (#34219970)

Um, I'm pretty sure the stock browser in Froyo has the ability to run plugins, and Flash is in the Market. Sounds like Adobe did an awesome job of recreating their desktop experience on my phone. Well, HTC on Adobe's behalf. Course, the entire point of securing the rest of the userland is kind of lost when you can just gain root through a fork bomb with no permissions needed...

Re:Android is open... (0)

Anonymous Coward | more than 3 years ago | (#34220696)

Interesting, I wonder if they did that on purpose

http://din.gy/EX0h4

Re:Android is open... (1)

AmberBlackCat (829689) | more than 3 years ago | (#34222238)

So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

I would have modded you insightful. You're just as screwed with open source as you are with closed source.

It's a Feature (-1, Troll)

fermion (181285) | more than 3 years ago | (#34219762)

Going back to a logic of a company we all know, this is clearly a feature. We clearly need to be able to install updates automatically. Once the App is installed, the user has already given permission to have the App on the device. What is the point of wasting the user's time to confirm updates? Won't users be happy to have additional functionality? Isn't this the benefit of the Android open garden? Not to have to deal with all that bureaucracy that keeps the best Apps off more closed platforms, such as companies that want to trade minimal content for access to a user's full browsing history, contact list, installed Apps, and locations list?

Adobe @#^@#$ us over again (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34219768)

A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

Re:Adobe @#^@#$ us over again (1)

Lanteran (1883836) | more than 3 years ago | (#34220228)

A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

It beats having an unpatched and vulnerable adobe flash....

Re:Adobe @#^@#$ us over again (1)

ChunderDownunder (709234) | more than 3 years ago | (#34220306)

It's an incentive just to uninstall flash altogether. Mobile battery life and 3G download quota being the main beneficiaries.

They're up to version 10.1 now - Adobe have had over a decade to implement secure sandboxing. If they were serious they'd offer a blank cheque to, say, Theo from OpenBSD and fix Flash and Acrobat Reader properly once and for all.

Re:Adobe @#^@#$ us over again (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34221110)

I'm not sure that throwing a systems guru at what is effectively application software would be a prudent use of company funds. First off, going by the available feature set for Flash "developers," the code base for the Flash runtime would make Java and its standard libraries look concise. Hell, it implements two discrete native scripting environments; I'm not even getting anywhere near rendering logic.

Now you might say that in a sane world, "systems" logic (such as device access) would be entirely separate from "application" logic (rendering) — but this is Adobe, and more specifically, Flash. They didn't write the code, they acquired it (it was, until recently, Macromedia Flash, remember?). I'd wager further development happened through accretion, not top-down design, and all of this on top of a 10+ year-old code base likely running into the millions of lines in an unknown programming environment.

Add in the fact that there's likely a very strong legacy support issue in that Flash output from earlier versions is playable in later players. Again, one would hope that the bytecode parser is separate from systems logic, but there's a decent chance that somewhere along the line there has been some mingling for a compatibility issue.

None of this is to disagree with you on the crux of the issue, of course. Adobe's programmers, until recently, maintained one of the largest bodies of consumer-facing Fortran code (Photoshop!). Somehow, in a year, they replaced it all with C and managed to keep execution times similar — which doesn't sound like much, until you remember that Fortran's strength is numeric computation and these algorithms are very well known and formally studied. So yeah, probably not a manpower or skill issue, but a business issue — the average user doesn't care about security and Adobe knows this.

Re:Adobe @#^@#$ us over again (1)

Urkki (668283) | more than 3 years ago | (#34221094)

A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

No, more like a retarded way of allowing flash player to update. If that's specifically for flash, then it should require signed packages, or possibly a fixed URL where it downloads Android updates from, or both (to avoid DNS spoofing etc).

Either that, or mentioning Flash was just sensationalism, and it's just one use case.

Re:Adobe @#^@#$ us over again (1)

AmberBlackCat (829689) | more than 3 years ago | (#34222254)

So why don't the browser and plugins have separate updaters? I can update Firefox and the flash plugin separately on Windows and Linux.

Time to move to a repository system? (4, Interesting)

mlts (1038732) | more than 3 years ago | (#34219794)

As mentioned before on /., Maybe Google should consider moving to a repository system. By default, Android devices should have a repository where apps are vetted, Apple App Store style. Of course, have the ability for a user to easily turn on the second repository (which would be the current Google App Store) for items not found on the "blessed"/default repo.

This has worked for OSS projects for over a decade. It should work quite well for Android.

So there's a different store? (0, Troll)

Brannon (221550) | more than 3 years ago | (#34219828)

How do I point my iphone at the Google store? isn't Google in safari? I really want to try the angry birds bonus level.

Re:So there's a different store? (0)

Anonymous Coward | more than 3 years ago | (#34219894)

How do I point my iphone at the Google store? I really want to try the angry birds bonus level.

If you go wait on the corner by the lightpole and hold your iphone to the sky, the angry birds will geolocate you and provide your bonus.

Mods! (0)

Anonymous Coward | more than 3 years ago | (#34221666)

Parent is not a troll but "ordinary user", it is exactly the response you would get from an ordinary user.

Re:Time to move to a repository system? (2, Informative)

Rich0 (548339) | more than 3 years ago | (#34219862)

Uh, that's exactly how it works right now - only market apps can get onto the phone, unless the user enables the installation of non-market apps. The problem here is that Google left a back-door open. No amount of security design will help if the vendor leaves a back-door open. The iPhone in theory doesn't run anything not signed by Apple, but since lots of users are walking around with jailbroken iPhones they didn't get it right either.

Google just needs to stop leaving back-doors open in their OS. Apps should be installed via the standard interface, and the existing market auto-update feature should be used for deploying updates.

Note also that having multiple repository tiers probably won't help much. The less-vetted tier will undoubtedly have more software in it, so 99.999% of all phones will have it enabled. Thus, virtually all phones will still be vulnerable to malicious apps.

The solution is just to fix the leaks in the sandbox, and not to deliberately engineer them in. As long as the user has to approve all app installs, and apps disclose their permissions, things like this should stay under control.

Oh, on the topic of permissions - Android really needs to let users toggle individual permissions at the time of application install. Right now your only choices are install or don't-install. It would be REALLY nice if I could toggle that "auto-load on start" permission for the 95% of the apps on the phone that I don't want running all the time no matter what the authors think. Right now the only thing I can do is edit the apk manifest, which is a BIG pain and blocks updates.

Re:Time to move to a repository system? (1)

mlts (1038732) | more than 3 years ago | (#34219882)

Exactly. Google has a decent app store. However, I'd like to see the default be a store that is vetted, perhaps even the same store, except just showing apps that have been checked over and approved (perhaps with an additional fee for the time to approve.) Then offer an option right next to the one to install from ADB to use un-approved apps.

This way, Joe Sixpack (whom we all know and love) will tend to stick in the walled areas where there is far less chance of him downloading malicious software.

Re:Time to move to a repository system? (2, Insightful)

Rich0 (548339) | more than 3 years ago | (#34219912)

I still think a better solution is to make it impossible to write malicious software in the first place.

Apps should not generally open arbitrary network sockets. Apps should generally not be able to use gobs of bandwidth. Apps should generally not be able to call 911/etc.

Maybe an in-between solution is for Google to vet apps that request more sensitive permissions. So, if your app just displays on-screen, makes connections back to the distributor's website with modest bandwidth use, and maybe plays some music, then no pre-approval is required. If your phone accesses the phone book, the dialer, or sends arbitrary network traffic, then it requires pre-approval. That will of course make app authors think twice about whether those things are necessary.

Perhaps another step is to make it so that by default the app asks for the more sensitive permissions but the user has to confirm them individually and if they just hit the OK button the software gets installed with safer permissions. This would of course require software authors to design their apps so that they work fine with or without GPS location, or phonebook access, or the dialer, or without services, etc.

Re:Time to move to a repository system? (1)

mlts (1038732) | more than 3 years ago | (#34219994)

The problem with that is that there are ways around that. If I can have my app phone home, then I can install a proxy on the receiving end to allow connections anywhere on the Internet. If my app plays music, then I can do nasty things from random farts to other things. Microphone access? I now have a bug 24/7 which can either stream in real time, or save the compressed sound for transmitting every so often when the device isn't used.

Your idea of a failsafe permission set is good; I'd like to see an app carry four sets of permissions: A minimum set to run at all, a minimum set to run with decent functionality, a set to run with full functionality, and maximum permissions (since a Web browser would never need some permissions such as root access.)

The good thing is that Google can do the best of both worlds; they can have a closed environment with apps scrutinized for potential holes, but still offer apps (with the ability to pull the bad ones) with just a checkbox separating people from those.

Re:Time to move to a repository system? (1)

Rich0 (548339) | more than 3 years ago | (#34222248)

While I like letting apps advertise their minimum permissions, I'd still like to be able to override them.

I'm not concerned with apps that call back to the source website and then get to the internet via a proxy. That is a perfectly safe way to provide internet access - if the app does something nasty they're doing it on the attacker's IP and not mine. If the attacker wanted to send spam from phones this way, or whatever, then they'd just do it without the phone component.

That is why java sandboxes allow connections back to the originating server only. This makes java applets impossible to use as an intrusion/etc vector, as you can only hack into a server that you already control.

I do agree that complete elimination of malicious software will not be possible. However, there are ways to improve things.

Re:Time to move to a repository system? (1)

Anne Thwacks (531696) | more than 3 years ago | (#34220914)

Perhaps you should go and live in Switzerland. There is no crime in Switzerland because "Im der Schweitz, das crime is verboten!"

Re:Time to move to a repository system? (1)

Macka (9388) | more than 3 years ago | (#34221456)

I still think a better solution is to make it impossible to write malicious software in the first place

If it was that easy it would have been done already.

Maybe an in-between solution is for Google to vet apps that request more sensitive permissions.

And how do you determine if an app is going to request sensitive permission without umm, vetting it in the first place? Chicken and egg situation there mate.

Perhaps another step is to make it so that by default the app asks for the more sensitive permissions but the user has to confirm them individually

So you have a situation where the app is constantly asking the user for confirmation before doing things, kind of like how MS Vista used to do. We all know how well that was received.

I guess that Apple obviously thought this through properly before they released their product. Maybe Google should eat some humble pie and just emulate what Apple have done.

Re:Time to move to a repository system? (1)

Rich0 (548339) | more than 3 years ago | (#34222204)

And how do you determine if an app is going to request sensitive permission without umm, vetting it in the first place?

Simple - developer uploads app to market. If app's manifest only requires "safe" permissions then it goes right into the market. If it wants more, then a human looks at it. That is a compromise between the current Google and Apple approaches.

So you have a situation where the app is constantly asking the user for confirmation before doing things, kind of like how MS Vista used to do.

There wouldn't be anything constant about it - this would happen exactly once at the time of install, just like it does now. However, the GUI would change.

Right now the installer just shows you a list of permissions and gives you a choice of OK/Cancel.

My proposal would be a list of permissions, and each has a check-box next to it. "Safe" permissions would be checked by default, and unsafe ones would be unchecked. Anything not in the manifest wouldn't be displayed at all, since the app doesn't need those permissions anyway.

So, if a user just hits OK they get a sandboxed app.

The downside to this approach is that some apps wouldn't be very functional if the user just accepts the defaults. For example, if GPS location is considered unsafe then navigation programs wouldn't work if the user doesn't manually enable GPS location.

The alternative is to check all the boxes by default, similar to the current situation, but let users still uncheck boxes they don't want.

I do agree that no change will completely make it impossible to install malicious software - that is probably an impossible problem to solve. However, we can probably do a lot better than we are doing now.
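The manifest-based triage and per-permission install dialog proposed in Rich0's comments above, sketched as an added example; it is not part of any comment in the thread and is not Android or Market code. The "safe" set, the function names and the sample manifest are assumptions made for illustration.

```python
"""Added illustration: route an app by its manifest and build install-dialog defaults."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# ASSUMPTION: which permissions count as "safe" is this example's choice.
# INTERNET is treated as unsafe because the permission is all-or-nothing and
# cannot express "only talk to the distributor's server".
SAFE_PERMISSIONS = {
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.SET_WALLPAPER",
}

# Constructed sample in decoded text form (a real APK stores binary XML).
# It contains a duplicate entry and one entry with no name on purpose.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bonuslevels">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission/>
  <application android:label="Bonus Levels"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return (unique permission names in document order, malformed count)."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    names, malformed = [], 0
    for elem in root.findall("uses-permission"):
        name = (elem.get(NAME_ATTR) or "").strip()
        if not name:
            malformed += 1          # cannot be classified, so never auto-approve
        elif name not in names:
            names.append(name)
    return names, malformed


def triage(manifest_xml):
    """Decide the market route and the default state of each install checkbox."""
    names, malformed = requested_permissions(manifest_xml)
    unsafe = [n for n in names if n not in SAFE_PERMISSIONS]
    route = "human-review" if (unsafe or malformed) else "auto-publish"
    # One checkbox per requested permission: safe ones start checked,
    # everything else starts unchecked. Unrequested permissions never appear.
    dialog = [(n, n in SAFE_PERMISSIONS) for n in names]
    return {"route": route, "unsafe": unsafe,
            "malformed": malformed, "dialog": dialog}


def granted_after_install(dialog, user_toggles=None):
    """Apply the user's checkbox changes; only requested permissions can be granted."""
    state = dict(dialog)
    for name, checked in (user_toggles or {}).items():
        if name not in state:
            raise KeyError(f"{name} was not requested in the manifest")
        state[name] = bool(checked)
    return sorted(n for n, checked in state.items() if checked)


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print("route:", result["route"])
    for name, checked in result["dialog"]:
        print(" [x]" if checked else " [ ]", name)
    print("user hits OK:", granted_after_install(result["dialog"]))
```

Hitting OK without touching the boxes yields the sandboxed install the comment describes; the navigation-app downside it mentions shows up as `ACCESS_FINE_LOCATION` staying off until the user ticks it.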

Re:Time to move to a repository system? (0)

Anonymous Coward | more than 3 years ago | (#34219926)

Oh, on the topic of permissions - Android really needs to let users toggle individual permissions at the time of application install. Right now your only choices are install or don't-install. It would be REALLY nice if I could toggle that "auto-load on start" permission for the 95% of the apps on the phone that I don't want running all the time no matter what the authors think. Right now the only thing I can do is edit the apk manifest, which is a BIG pain and blocks updates.

That's exactly what I was thinking. If you don't want an app to have fine grain gps info, or network access, you should be able to adjust that, though I'd like to be able to control it after installation as well as before. Sure I can shut gps off, but what if I just want it off for one app, not all of them, for example?

Re:Time to move to a repository system? (2, Informative)

Anonymous Coward | more than 3 years ago | (#34220384)

Where in the article summary implicates Google as the responsible party? Read again.

VENDOR SPECIFIC IMPLEMENTATIONS have this security hole. HTC specifically added a permission to update internal plug-ins.

Re:Time to move to a repository system? (1)

Rich0 (548339) | more than 3 years ago | (#34221356)

Ah, then the fault is not with Google.

Granted, you should note that ALL Android distributions are vendor-specific. They do of course vary in how much the vendors mess with the core OS.

Re:Time to move to a repository system? (1)

Fnkmaster (89084) | more than 3 years ago | (#34222346)

There is exactly one hole described in Android in this story, that involves fake Market authentication tokens. That sounds like a real vulnerability that needs to be addressed.

The other issue is a hole that HTC opened up in the browser app to update Flash Lite. If you run a proper Android phone with a proper version of the OS (2.2) and have Flash installed, it updates via Market like every other app. This is a stupid HTC kludge. You can't completely stop stupid people from shooting themselves in the foot with open source - HTC gets to recompile stuff their way, and in this case, their way was a dumb way. But yeah, Google should probably give them a talking-to about this.

The big stick Google has to enforce security, updating, rules-compliance, etc. is Market access. Nobody wants an Android phone that can't get Market access because apps are a big part of the appeal of having a smartphone and getting them easily is critical. Google clearly needs to fix the issue with fake Market auth tokens, and they need to start holding handset vendors accountable for securing their releases of Android, and for keeping phones supported and updated within reasonable timeframes, or else face losing access for future products to Market.

I hope Google learns to start enforcing some rule on the Android landscape. We don't want things as locked down as the Apple world, but complete chaos isn't good either.

Re:Time to move to a repository system? (0)

Anonymous Coward | more than 3 years ago | (#34220044)

Go download Appbrain or the few other apps that rate / rank downloads.

Next problem.

I like the market the way it is. If you have a complaint about Android, there's probably an application to replace that (to you) annoying behavior. Once you close it off, it's ripe for abuse.

Re:Time to move to a repository system? (1)

mlts (1038732) | more than 3 years ago | (#34220210)

There is also the fact that Google will yank the app off the market and in extreme cases, kill it from handsets, especially if it is malicious. For sophisticated users, Google's store works well.

Appbrain, as well as other tools such as Droidwall are the staple of a /. user. However, what we consider not an issue is totally different compared to the average people buying these phones and who will be dictating future sales. You are a clued person, or at least post as one.

However, the people buying the phones won't know AppBrain from a zombie's brain. They will think DroidWall is a rendition of a Pink Floyd album on a synthesizer. These are the people who will flip through the app store, install stuff blindly regardless of permissions asked, then when they get stung, will be screaming to the press how it is Google/$PHONE_MAKER/$CELLULAR_CARRIER's fault, and how those companies should have protected them. It is unfortunately common for people to blame anybody but themselves for their own actions.

Google has a good thing going. If they went to a completely closed store model, it would ruin Android as a platform. However, it can't hurt to go to a tiered system so for someone to get nailed by malware, they actually have to do an action (even if it is just checking a box) to leave the walled garden behind. This way, if they do get nailed, Google can point to the disclaimer and show that the end user was the responsible party who decided to install un-approved software.

Re:Time to move to a repository system? (0, Troll)

chickenarise (1597941) | more than 3 years ago | (#34220700)

I dunno if you're trolling, but I'll bite... ASS, whole lotta ASS all up in your cunt. Fuckin up all that shit and cuntfuckin yourself fist first in the ass. YOUR SHIT IS IN YOUR ASS COMING OUT OF YOUR CUNT! Lol your shitass is cuntwiping all over the place, you shitty assfucker. What in the fuck is with your cuntface asslicker dickfucker brainstem? Is that why all the shit is coming from your cunt?

Re:Time to move to a repository system? (1)

hey! (33014) | more than 3 years ago | (#34222014)

Actually, why one size fits all? Why not multiple app stores? Choose the app store you trust and which meets your need.

Better yet, why not let anybody vet applications then sign the installer? You as a user would choose which certifiers to trust. Some certifiers might be *necessary*, others *sufficient*. This would be great for IT departments who issue Android phones. They could require all apps to be certified by them, or by a set of trusted analysis.

What of old versions (5, Insightful)

giorgist (1208992) | more than 3 years ago | (#34219826)

See now that Android is becoming a big target = installed base
Old phones are rarely updated.
New phones and devices are still coming out with 1.6
Old 1.6 phones are still alive

All vulnerabilities will persist.

So an auto logging in banking app is there for the taking

Re:What of old versions (4, Insightful)

Rich0 (548339) | more than 3 years ago | (#34219870)

Well, it remains to be seen if they backport fixes to 1.6, but I agree completely that this is a potential weakness of the platform. Vendors are WAY too quick to abandon old phones. If it isn't still in stores, they don't care about it.

In fact, probably the best way for us poor G1 owners to get some official updates for our phones is to start releasing viruses designed to take down the cell network. THAT would get some updates out quick! :) (Disclaimer - I'm not advocating that anybody actually do this of course!)

Re:What of old versions (1)

stox (131684) | more than 3 years ago | (#34220022)

More likely, it would get G1's banned from the network.

Re:What of old versions (1)

Rich0 (548339) | more than 3 years ago | (#34221362)

Yeah, I'd like to see that happen. Keep in mind that for another six months there will still be tons of people who bought G1s under contract and they are stuck with them. Can you say class-action-lawsuit?

However, if they just release G1 owners from contract and provide access to non-contract deals then I'd be happy with this approach... :)

Re:What of old versions (1)

tophermeyer (1573841) | more than 3 years ago | (#34220148)

Fortunately for the individual user, the process of rooting a G1 and flashing a custom ROM is very straightforward and well documented (running Cyanogenmod 6.0 currently).

Though this opens up a lot of new concerns about platform incompatibility, not to mention that there is no guarantee that a given ROM is legitimate. It is by no means a solution for the community as a whole.

Re:What of old versions (2, Interesting)

Rich0 (548339) | more than 3 years ago | (#34221394)

True, but while CM has been a great solution for a while the focus of that distro has moved on to newer phone models. While CM 6.0 runs on the G1 it is VERY slow, and doesn't support apps/data on SD ext3, and official Froyo apps on SD doesn't work well for many apps.

6.1 seems to be a lot better, but I think it is only a matter of time before the G1 stops getting much attention, which then leaves a lot of more experimental mods floating around. CM was nice because it focused more on usability/stability and was less of a POC build.

It is like the 1990s all over again - developers tend to be enthusiasts who buy the latest and greatest, so they always build stuff that doesn't run well on older PCs. We've gotten away from this in the last 10 years since modern PCs (except in the area of graphics) have not really been improving much as they are no longer CPU-bound, and most developers don't own SSDs yet.

Phones, however, are on a very Moore's-law like curve which means that when you donate to your favorite phone modder you're giving him a chance to get a newer fancier phone and stop supporting yours. :) Granted, that doesn't mean that the solution isn't to reward them for what they've done for us.

Re:What of old versions (1)

Hellasboy (120979) | more than 3 years ago | (#34220386)

Have any fixes been backported and have any of those fixes been released from the manufacturer?

The Xperia X10 *just* received 2.1. There's a pretty common bug in 2.1 where it can't connect to Cisco routers with a self-signed security certificate on their enterprise hardware. You wouldn't believe the number of hospitals, research institutions, and hotels that have this same setup. The problem is that you cannot connect to any of these wifi networks.

From what I've read online on google's forums is that the fix was in 2.2 but supposedly backported to 2.1 several months ago. Yet, the latest entry utilizing the 2.1 OS still doesn't work.

I can see why major developers are frustrated at Android. They have to deal with phones that range from 1.6 to 2.3 (by next week) and then deal with all the variations between all the major versions. If Google is serious about a mobile platform, they need to pressure the manufacturers into updating their dev cycle and get them *all* on 2.3. It's a shame that you have dumbphone manufacturers trying to pass off their terrible OS update cycle to smartphone customers.

Re:What of old versions (1)

arivanov (12034) | more than 3 years ago | (#34220598)

Not necessarily. The old versions may stay and it may still be a viable platform provided that the updates are funnelled through the market the same way package repositories in Linux work.

You want to run this app. Fine, but you will have to update to the latest patchlevel or update your OS to a newer version altogether.

Re:What of old versions (1)

Rich0 (548339) | more than 3 years ago | (#34221340)

I tend to agree. I think the biggest problem is that these are $500 devices being bought by average people for whom $500 is quite a bit of money. Or maybe they're only $200 but only if you sign up for a new account/etc - which you can't do all the time.

And yet, the vendor treats them like a disposable free phone, and they only get updates for six months. Most consumers that buy a $500 device expect it to last years. Now, for devices that don't require updates to function that is one thing. However, smartphones are all about downloading software, and when lots of apps require a newer OS users start to feel that pain.

Plus, users are used to the PC world. If you bought a PC with XP on it in 2003, you could still run the newest software on it today. Sure, games and hardware-intensive apps would be slow or non-functional, but the vast majority of simple apps work on PCs that are ancient by today's standards. I bet a PC running WinME could run half the stuff I use day-to-day.

Granted, phone technology is new and progressing rapidly. However, phone vendors need to consider these devices investments and not abandon them immediately. This is actually one thing Apple does moderately well - their original iPhone was the only iPhone around for much longer than any Android device has stayed on the market, and they only abandoned it for software updates relatively recently. And, I imagine that almost all apps still work on it just fine.

Re:What of old versions (1)

JAlexoi (1085785) | more than 3 years ago | (#34221716)

G1 users are hit by only one of the two. The one that is essentially a "local" exploit. The remote exploit (HTC + Flash Lite) only hits Android 2.1 based phones with HTC Sense. Way to screw things up HTC!!!!

Re:What of old versions (1)

93 Escort Wagon (326346) | more than 3 years ago | (#34220988)

See now that Android is becoming a big target = installed base
Old phones are rarely updated.
New phones and devices are still coming out with 1.6
Old 1.6 phones are still alive

That was the worst attempt at a haiku ever.

Is the new android fine? (Thinking of buying) (0)

Anonymous Coward | more than 3 years ago | (#34221150)

Kinda offtopic but this still seems like a good place to ask.

I'm thinking of buying HTC Desire (with Android 2.2), which would be my first real smartphone (My previous Samsung from a few years back was probably a borderline case). HTC Desire seems like a good option because I don't like Apple (thus: No iPhones), don't really trust Windows on a phone (not entirely rejecting that option but... yeah), I keep hearing that Symbian phones are behind the curve and it is my understanding that Android 2.2 is far faster than 2.1.

The thing is... That it costs a lot. 484,90 euros (=664 dollars [Yeah, we have 23% VAT, which means that prices are pretty high]) isn't a complete non-issue in my budget so while I would be willing to pay that for a really good phone, I don't want to pay that and be disappointed. And I've read some negative things about Android, too (Poor keyboard, poor UI...). I live in a country where we buy phones and phone contracts separately, so some provider specific lock ins aren't an issue for me. (Obviously, any restrictions by HTC still are)

If someone with more experience about Android (preferably 2.2 but also Android in general) and perhaps about smartphones in general would like to give their opinions on whether buying HTC Desire with Android 2.2 is a good idea or not... I'd appreciate that.

Stupid me... Forgot to say what I'd use it for (0)

Anonymous Coward | more than 3 years ago | (#34221182)

Forgot to say that I'd probably use it mostly for browsing the internet, tethering/wifi hotspot, GPS ("I've never used this bus before... I wonder how close my stop is..."), e-mail (though this could go under "browsing" as I could just use webmail) and of course for calling and text messaging.

Re:Is the new android fine? (Thinking of buying) (1)

Menkhaf (627996) | more than 3 years ago | (#34221420)

I'm looking to buy a new phone in a few months. My current Nokia 6300 has lasted for almost 3 years, and is beginning to act a bit weird at times.
I had a look at the Nokia N900 a few days ago and was amazed at the price compared to the specifications and the price point of other smartphones. Qwerty keyboard, 800x480 display, Maemo 5.
Here in Denmark I can buy a new and unlocked one for 375 EUR, though I'm tempted to find a used one on eBay -- the price there starts around 200 EUR for a slightly used one.

Secret? (0)

Anonymous Coward | more than 3 years ago | (#34219866)

Not any more...

Simple technique to avoid this problem. (0)

Anonymous Coward | more than 3 years ago | (#34219874)

Surrender and go Amish!

The Downside of Smart Phones (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34219876)

There are a lot of upsides to phones that can install apps, browse the web, and so on and so forth. This article is an example of one of the downsides, though. With computer-type capabilities, you get computer type problems. The old wired phones, and probably even most "dumb" cell phones pretty much were only vulnerable to people who had physical access to them altering their behavior. Now phones can theoretically get viruses and dial out on their own and so on and so forth.

I'm not advocating that people discontinue buying smart phones, but it's always good to pause for a second and think about the things we give up to move forward, as it were.

Microsoft's fault (1, Funny)

Anonymous Coward | more than 3 years ago | (#34219910)

I've been suspicious for a long time that Google is having Microsoft write all their software. This proves it.

Telco backdoors (1)

LongearedBat (1665481) | more than 3 years ago | (#34219956)

If I'm not mistaken, all mobile phones have backdoors for telcos to use, for silently pushing firmware updates and bricking phones, etc.

I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

Re:Telco backdoors (5, Funny)

gmhowell (26755) | more than 3 years ago | (#34219998)

If I'm not mistaken, all mobile phones have backdoors for telcos to use, for silently pushing firmware updates and bricking phones, etc.

I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

No kidding? Well, my best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.

iphone isn't secure either (0)

CrypticSpawn (719164) | more than 3 years ago | (#34219964)

A few months ago there was a vulnerability that left your data wide open with or without a PIN on the iPhone. Or the fake iPhone security update that basically takes over your iPhone (http://bit.ly/afwVEu). If you allow programs that aren't made by Apple or Google you will always have this problem. Program A needs access to do this, you give it access, now anything in program A that was put there has that access too. Oh, new iPhone Safari browser hole (http://www.epagini.com/2010/08/iphone-vulnerability-detected/). Neither phone is the standard for security, no one is. LOL, now give me a phone running OpenVMS, no it probably wouldn't be any more secure, I just want to see someone get it to run on a phone.

Wow (0)

Anonymous Coward | more than 3 years ago | (#34220196)

Crap like this is why I have data disabled on my phone and install nothing. I'll take the inconvenience of not being able to do other things with my phone for the convenience of not having to fight a ridiculous data or voice charge.

Re:Wow (1)

geminidomino (614729) | more than 3 years ago | (#34220412)

Crap like this is why I have data disabled on my phone and install nothing. I'll take the inconvenience of not being able to do other things with my phone for the convenience of not having to fight a ridiculous data or voice charge.

I can understand just wanting a dumb phone, but if that's the case, then why have an android phone in the first place?

General purpose computing device (2, Insightful)

bm_luethke (253362) | more than 3 years ago | (#34220402)

Until smart phone manufacturers realize that they are making general purpose computing devices we will see this. To some there is a "war" going on between Apple and Android but that really misses the issue - in this respect trying to figure out which is the "better" one is like trying to figure out if Frosted Flakes or Fruit Loops is the better breakfast cereal - it is personal preference and there are most likely "better" solutions out there (and as a disclaimer I am an Android user - Droid One).

Until one side truly figures this out I'll stick with Android if for nothing else than I can get the functionality I want. With Apple I have to buy into their idea on how their devices fit into my life and I, well, do not. If Apple truly had this superior model then I would go for it, but as far as I can see I get the worst of both worlds - lack of specialized apps (as those are often, for unknown reasons, rejected from their app store and there are one or two I would like) along with just as many vulnerabilities (and those usually require you store that info on the phone - which until/unless they secure them I do not). So I currently see Apple as having those issues yet none of the "rewards" of going with them.

There are a handful of people I know I would still recommend the iPhone to, but unless they already know the iPhone platform over the Android and are still asking others about it that is rare. Sadly it isn't because Android is truly better, but because if all else is equal then the flexibility of the Android system is superior and pretty much everything else is equal. Apple has remained where they are for a *long* time because they haven't figured this out too - though I also have to say they have not died because they ignore it too (their model of revenue finds this irrelevant, which means they will not "win" but really can not "lose").

Re:General purpose computing device (4, Insightful)

khchung (462899) | more than 3 years ago | (#34221090)

Until smart phone manufacturers realize that they are making general purpose computing devices we will see this.

I say just the opposite. Until the Android crowd realize that a lot of people do not want a general purpose computing device on their phone, they will be talking past all iPhone users.

I work with computers for a living, I know very well the high cost of ownership for owning a general purpose computing device. I do not want that for my phone. I deliberately stayed away from "smartphones" until Apple got smart enough and produced one that obviously is not intended to be a PC on a phone.

All your reasons for calling Android "superior" are exactly the reasons that I found it inferior. I want a limited device that only do what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low. This seems to be a point that the Android crowds never understand.

Maybe you find it intellectually stimulating to find which security hole is patched in which Android version, and fun to track down exactly which Android version can be hacked to be installed on your phone (since your phone supplier probably won't give you a fix until a year later).

For me, I just want iTunes to periodically check if my phone has the latest patch and tell me about any updates, so I can install it by clicking "Yes".

Re:General purpose computing device (1, Interesting)

TheRaven64 (641858) | more than 3 years ago | (#34221292)

I want a limited device that only do what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low.

It's called the 90-10 problem. 90% of the users only want 10% of the features. The problem is that they don't all want the same 10%. This is why modern computers have so many features that you never use - it's not because people want general purpose computers, it's because people all want different special-purpose computers.

Re:General purpose computing device (0)

Anonymous Coward | more than 3 years ago | (#34221346)

It's called the 90-10 problem. 90% of the users only want 10% of the features. The problem is that they don't all want the same 10%. This is why modern computers have so many features that you never use - it's not because people want general purpose computers, it's because people all want different special-purpose computers.

Nope, 90% of people want the same 10% of features. Modern computers/software have so many features that you never use because some lazy writer (or marketer, it's been hard to tell them apart for years now) discovered that side-by-side lists of 'which has the most checkboxes' is an easy way to pump out product comparison articles.

Re:General purpose computing device (4, Insightful)

bigstrat2003 (1058574) | more than 3 years ago | (#34222110)

Your logic fails. First, the main aspect of the iPhone that you could claim is an advantage over Android, the harsh policing of the app store, is irrelevant for security. Google can, and has, taken down apps that were insecure. The Android Market can be just as monitored as the iOS app store is. The real advantage is not anything to do with the market, it is the fact that you can install apps that are not from there. I'm sure you'll say "but I don't need that", but that's not true. You don't need it yet. I'm sure you'll feel differently if you ever have the bad luck to start to heavily use an app that Steve Jobs decides offends him in some way, and subsequently gets removed from the app store.

Second, if your reason for having an iPhone includes "I can just wait for iTunes to tell me when there's a new version", that's ridiculous. You can be ignorant of security flaws on Android, as well. Trust me, there's no one that makes you go read up on them on /. (although apparently you would do so anyway, since you read this article). You can just wait for the phone to tell you that there's a new update for the OS available, and install it. Just like the iPhone! Of course, just like the iPhone, if there's a security bug you won't know about it and can be exploited, but if that's really what you want you can get it.

Rule No. 1 in life (0)

Anonymous Coward | more than 3 years ago | (#34220452)

There will always be A-holes.

What's in a name? (0)

Anonymous Coward | more than 3 years ago | (#34220824)

Apparently Google chose the name Android appropriately... It sounds intelligent, it looks intelligent, but there's something fishy going on behind those pretty vacant holes in its head.

Of course this entire thread is based on the notion that there is any implied 'security' in an industry that is dominated by the concern for turning personal computing devices into marketing platforms capable of tracking the every move of their owners...

If the general public had any brains they'd stop buying PC's and Smart Phones for an entire quarter and then start demanding that technology companies bid for the privilege of equipping them with the myriad of tracking devices and technologies currently used to scrutinize their every behavior.

At least we can all feel secure in the knowledge that our Intelligence agencies can utilize these security 'holes' to track crime as well as record calls, texts and movements of anyone they feel might possibly perpetrate a crime.

Just like an Apple? (0)

Anonymous Coward | more than 3 years ago | (#34220954)

This sounds like a similar backdoor to what Apple uses to BRICK phones because JOBS doesn't approve of what they are doing with them. Or the same control freak doesn't approve of the software, or because the one and only can't over charge for security updates etc etc etc.
At least with Android you still CAN install programs and update what the legal owner wants on the device that they have bought. In reality has proven more secure than OTHER systems.
Yes it could be vulnerable if the end user is not sensible, but at least the end user has a choice, and not at the hands of a dictator type company.
And lo and behold there is a fix and OPEN information for the end user to know. Not a closed controlled system with no info, and definitely no choice!
Backdoors will forever be part of the computer system, as is with OSX, iPhone and Windows, but at least an open system is available for scrutiny.

An open platform can find its own solution (1)

LodCrappo (705968) | more than 3 years ago | (#34220978)

I'm sure many Apple devotees will see this news as confirmation that Apple's "we know better than the user" approach is superior.

While I disagree for a number of reasons, for sake of argument, let's assume that they are right. If the walled garden approach is better, won't some enterprising entity create just such a service for Android? The platform is open, anyone can create a market place. Several alternative markets already exist.

There is no reason someone couldn't make a tightly controlled market where apps are scrutinized prior to being offered. If there truly is value in that, I don't see why it wouldn't be done. Such a service could even reject apps for no obvious reason or censor content that doesn't agree with their view of things, if 100% compatibility with that other app store was desired.

Angry Rovio? (1)

js_sebastian (946118) | more than 3 years ago | (#34221894)

If I were Rovio software (the makers of Angry Birds) I would be pretty annoyed that the name of their popular game, and artwork from it, has been used to distribute a malicious program, even if it's just for demonstration purposes.

So the real question is, will Rovio hit the authors with an explosive angry bird or bomb them with an egg-dropping angry bird?

On the plus side, this has reminded me that there is one more level pack I can buy for my n900...