Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New Android Malware Attacks Custom ROMs

timothy posted more than 3 years ago | from the now-that's-offsides-innit dept.

Android 146

drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key to be installed to user or app-controlled storage."

Sorry! There are no comments related to the filter you selected.

first post! (-1)

Anonymous Coward | more than 3 years ago | (#36468370)

suck my cock you faggots!

Re:first post! (0)

Anonymous Coward | more than 3 years ago | (#36468466)

I'm pretty sure this makes you "King Douche" of the internet.

Re:first post! (-1)

Anonymous Coward | more than 3 years ago | (#36468576)

Do you like fish sticks?

Then you're a gay fish

Re:first post! (2)

ColdWetDog (752185) | more than 3 years ago | (#36468744)

4chan down again?

Re:first post! (-1)

Anonymous Coward | more than 3 years ago | (#36468774)

That's right, I'm the king and you're my bitch. Now suck my cock you faggot.

Re:first post! (0)

Anonymous Coward | more than 3 years ago | (#36469452)

That's right, I'm the king and you're my bitch. Now suck my cock you faggot.

That's really interesting. I take this as a compliment coming from someone who is obviously so comfortable with their own homosexuality as to blatantly request strangers to perform homosexual acts in a public forum. I'd love to suck your cock, but I'm not gay, a little bit bi-sexual perhaps based on past experiences (everyone is to some degree, particularly those who deny it the loudest), and you've posted anonymously so I don't know who you are anyway. Oh, wait...

Re:first post! (-1)

Anonymous Coward | more than 3 years ago | (#36469680)

I'm sure I'll be jizzing down your throat soon enough.

Re:first post! (-1)

Anonymous Coward | more than 3 years ago | (#36470256)

I actually prefer it down my ass.

Once again... (5, Insightful)

Daetrin (576516) | more than 3 years ago | (#36468410)

The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.

Of course hopefully this isn't news to people who are already computer savy.

Re:Once again... (0, Troll)

Anonymous Coward | more than 3 years ago | (#36468446)

Time to upgrade to iPhone - face the facts - it is just better!

Re:Once again... (0)

bluemonq (812827) | more than 3 years ago | (#36468510)

Yes, the platform that at one point let you root your phone by visiting a website is better.

Re:Once again... (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36470136)

Yes, the platform that at one point (a year ago) let you root your phone by visiting a website is better.

FTFY.

Re:Once again... (0)

Anonymous Coward | more than 3 years ago | (#36469900)

Even WP7 is better than iPhone.

Re:Once again... (2)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36468494)

The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs...

Heh. You should look into why people flash their own ROMs.

Re:Once again... (3, Insightful)

zonky (1153039) | more than 3 years ago | (#36468654)

Mainly because handset makes are lying, deceptive bastards who don't maintain devices.

Re:Once again... (4, Insightful)

gweihir (88907) | more than 3 years ago | (#36468504)

That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.

Re:Once again... (1)

arglebargle_xiv (2212710) | more than 3 years ago | (#36472092)

Using Public Key Cryptography wrong removes any security it grants.

You can even see the problem in the original article, which refers to:

publicly available private keys

What's wrong with this picture?

Re:Once again... (0)

Anonymous Coward | more than 3 years ago | (#36468528)

O rly? [mashable.com]

Re:Once again... (4, Informative)

errandum (2014454) | more than 3 years ago | (#36468640)

No, half of what you said is completely wrong.

Flashing a 2.3 ROM will allow you to get the latest security fixes on those mobile phones that are no longer supported by the manufacturer. Even 2+ year old phones get the latest versions from cyanogen, so it extends the life of your device way beyond that of an iPhone.

Furthermore, unlike apple, that seems to abandon a device when they decide it is too hard to update for it, most of the custom ROMs are made from people that actually own the device, so they simply strip down some features and/or add alternatives so that everyone ends up with the latest fixes.

The only truth on what you said was, try not to install apps that didn't come from the Android Market and/or reputable sources. Just because you have the choice of installing something else, doesn't mean you should trust everyone.

Why are you talking about Apple? (1, Flamebait)

Brannon (221550) | more than 3 years ago | (#36468704)

This is an Android story.

And since when does Apple not support software on 2+ year old phones? Can you name a single vulnerability for any version of iPhone which doesn't have an available Apple-supported patch?

Any single one. Dating back to the original iPhone from 4 or so years ago. Go ahead, I'll wait.

Re:Why are you talking about Apple? (0)

errandum (2014454) | more than 3 years ago | (#36468780)

http://support.apple.com/kb/HT4291 [apple.com]

where is the original iphone in the sentence:

"Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

I haven't read, just searched google for "iPhone security updates"

There, you can stop waiting. That too the grand total of 2 minutes to find.

Re:Why are you talking about Apple? (0)

Anonymous Coward | more than 3 years ago | (#36468856)

From Wikipedia:

Highest supported OS:
iPhone (original) - iOS 3.1.3
iPhone 3G - iOS 4.2.1

There is also some people working on an Android version for the old iPhones.

Re:Why are you talking about Apple? (1)

errandum (2014454) | more than 3 years ago | (#36468900)

That's exactly my point. After a while they stop supporting them - didn't think to look in Wikipedia.

Those android versions, how do they work without the extra buttons?

Re:Why are you talking about Apple? (1)

geminidomino (614729) | more than 3 years ago | (#36470020)

Iffy, at best, I'd wager, but not impossible. The Autonooter ROM for the Nook Color uses "softkeys' as a passable but far-from-perfect replacement that implements the buttons in software. Cyanogenmod has a much nicer and better functional one, but unfortunately, I don't know what it is.

Re:Why are you talking about Apple? (1)

Lanteran (1883836) | more than 3 years ago | (#36470520)

None that I know of are operational yet- don't even know of any that are bootable at all.

Re:Why are you talking about Apple? (3, Interesting)

errandum (2014454) | more than 3 years ago | (#36468838)

And I speak from experience because I did own an original iPhone that stopped being supported long long ago.

And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.

That means 2 years support (as I said) is the norm. Compare that to the 7 years of support windows XP had and you'll get my point.

Re:Why are you talking about Apple? (0)

Anonymous Coward | more than 3 years ago | (#36469258)

Long ago being in 2010? It was supported for 3 years. Far longer than most Android phones since most never get an update let alone Android has only been on the market for 3 years.

http://www.zdnet.com/blog/apple/apple-dropping-support-for-iphone-2g/6578 [zdnet.com]

As for Apple and it's OS support, they typically continue to support 2 concurrent versions of the OS with a little overlap into a third for security patches. When it comes to MS and XP, they tried multiple times to kill the support early but were unable to due to poor adoption rates of Vista, especially in the corporate sector.

Re:Why are you talking about Apple? (1)

errandum (2014454) | more than 3 years ago | (#36470014)

Show me those 3 years please. Count the months. Most go for 2.x years. iPhone 4 might go for a lot longer simply because the iPhone 5 is nowhere to be seen. But that's it.

Even that article proves my point. That's when they announced no more updates, but the last update was 3.1.3 that got released way before the "3 years" you claim.

Re:Why are you talking about Apple? (1)

peragrin (659227) | more than 3 years ago | (#36469886)

true but Android handset manufactures only give you 6 months, of bug fixes, and maybe 18 months if it was a really popular handset,

Apple gives you 30 months(my iphone 3G is updated to 4.1 ) Then again apple doesn't let the battery to be easily changed. so after 3 years the battery life is drastically reduced. With proper care they can still be good(I still get 2-3 days out of mine) but I take care to turn off wifi and bluetooth when not in use.

Windows Phone only gives you bug fixes if the carriers approve taking 2-6 months longer than MSFT, so no emergency bug fixes will be pushed through.

All that said I have to go root my nook color soon. The built in web browser and email client are beginning to annoy me.

Re:Why are you talking about Apple? (2)

errandum (2014454) | more than 3 years ago | (#36470030)

That's the whole point of the original argument (that fanboys modded down)

While there is people out there that use a phone, anyone can compile the latest fixes -(or get them from someone who knows how), hence, having a very long term support.

Saying "ohh, don't install custom roms or you might get viruses" is stupid because those custom roms will give you access to the latest version on most phones when it comes out (with all the security features).

You don't depend on a company (Apple or HTC or Samsung) to get your updates. If you want them, you can do it yourself.

PS:2 years, 2.5, what's the point? It's limited support and, sometimes, crappy (if you have a 3G you know that iOS 4 kind of made it... crap - hanging a lot etc).

So, to sum up, no, ROM's aren't evil and if you still take care with the places you get apps from there is no problem whatsoever.

Re:Why are you talking about Apple? (2)

simmonsjeffreya (2259752) | more than 3 years ago | (#36470880)

The way Apple does updates is a non-issue for most Mac users and makes sense to drop support for older versions.

A.) It keeps most people on a similar OS version, making it easier for Apple and I'd suspect most developers appreciate this as well. It's no fun trying to support a million different OS configurations, which is the case with Windows.
B.) They still support even the oldest Intel Macs with the latest OS, no one is being left out. This again allows everyone to be on a similar OS, making it easier for them.
C.) Unlike Windows where upgrading costs hundreds, even for a laptop that may have only cost $400, an OS X full system upgrade is only $30. If you paid $1,500-$5,000 for a system, $30 shouldn't be making you cringe, and personally, the features added are well worth the $30.
D.) It minimizes the amount of users who, for one reason or another, choose to stick with an OS that is over ten years old. Again, this is an issue for developers, who have to support all these configurations or lose out on a good portion of potential sales.

IMO, Apple is doing things the right way, and if I were in charge of a tech company that produced one of the major consumer operating systems, I would much rather go the route they chose, than the route Microsoft chose. All of these reasons apply to OS X as well as iOS.

Re:Why are you talking about Apple? (2)

colinnwn (677715) | more than 3 years ago | (#36471382)

It is only $30 if you are careful to never miss an upgrade cycle. If you do, the cheap upgrade disks disappear from availability, and you have to call 800-i-fanboi to be told the upgrade will now set you back something like $180. Found that out the hard way after my aunt purchased an iPhone against my recommendation, then she discovered she couldn't sync it to her only computer, a PowerPC Mac.

Re:Why are you talking about Apple? (1)

simmonsjeffreya (2259752) | more than 3 years ago | (#36471730)

May I suggest eBay? After one search, I found tons of copies of both Leopard and Panther, for less than $30. The average price is around $20, so it seems it would be even cheaper. $20+$30 for both full retail discs to get you current is a lot better than $150-$200 for a Windows upgrade, though I have to admit their retail upgrade/full OS prices have come a lot down.

Re:Why are you talking about Apple? (1)

teh kurisu (701097) | more than 3 years ago | (#36472014)

I think you're getting muddled up - Snow Leopard was the first release to be priced at around $30 (and Lion will be the second). Previously, releases cost around $130.

Both of these releases were Intel only. The last version of OS X to support PPC was Leopard, and upgrading from Tiger to Leopard would have cost $130.

Re:Why are you talking about Apple? (1)

teh kurisu (701097) | more than 3 years ago | (#36471996)

And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.

Generally I find that it's support from app developers that starts to disappear first, as they start to take advantage of new OS features. Apple security updates for a given version of OS X are usually the last to dry up.

Re:Once again... (1)

dudpixel (1429789) | more than 3 years ago | (#36471084)

wait, you're comparing apple with custom rom makers now?

I love android but this is not an apples to apples comparison, pun intended.

How much support does Google give you for your phone software updates?
How much support does the manufacturer of your phone give?

I'd say Apple supports their hardware AND software a lot better than either of the above.

Its great that Android is open source, but you cant compare the efforts of ROM makers with an actual manufacturer. If Apple released their source code, do you not think the jailbreak community would have something equally as good?

Lets not make this story into something it isn't.

What we do have with Android is greater freedom which brings greater responsibility. "Look before you leap" definitely applies when flashing custom ROMs on your phone AND when installing apps on your phone.

I use Lookout Mobile security on my phone (no I dont work for them) since I'm a bit paranoid, and it doesn't slow down the phone.

Re:Once again... (1)

TehDuffman (987864) | more than 3 years ago | (#36468646)

Of course hopefully this isn't news to people who are already computer savy.

Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

Re:Once again... (2)

hedwards (940851) | more than 3 years ago | (#36468694)

I don't know, I think that people who aren't computer literate aren't likely to know that they can. But some of the apps out there will handle it for you, with little interaction on your part.

Re:Once again... (2)

Eric(b0mb)Dennis (629047) | more than 3 years ago | (#36470178)

It's weird but I've experienced the opposite...

People who are very illiterate with computers ask me about 'hacking' their device constantly, for free stuff.

Re:Once again... (2, Insightful)

tooyoung (853621) | more than 3 years ago | (#36468806)

Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone. I can only assume is that the advice is to buy an Android phone from a vendor and flash it. Doesn't this open a number of non-technical people to issues like this?

Re:Once again... (4, Informative)

artor3 (1344997) | more than 3 years ago | (#36468880)

Nice flamebait, but Android phones can leave the walled garden with a simple checkbox in the options menu. Flashing your own ROM is something else entirely.

Re:Once again... (1)

znerk (1162519) | more than 3 years ago | (#36469372)

I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone.

I have to assume you're an idiot who can't be bothered doing a few seconds of research to see just how incredibly inaccurate that statement is.

Yes, some companies (hi, Sprint) lock their android devices down nice and tight, preventing the user from removing the stock apps, etc... others (such as AT&T) have a system that is remarkably open, and you wouldn't feel the need to root your device unless you were trying to circumvent specific things (the lack of wi-fi hotspot capability unless you pay an exorbitant fee, for example).

I bought an Atrix, and my Sprint/Cricket-using friends were all amazed when I showed them that I can uninstall/reinstall the stock AT&T-branded apps at will, with no flashing or rooting required.

Re:Once again... (1)

thegarbz (1787294) | more than 3 years ago | (#36470196)

Vendors don't load phone with crapware, carriers do. Also carriers only have one lockdown feature available which is the standard carrier lock on all phones.

But even looking at the worst vendor, Motorola, there is no additional lockdown in the functionality of the phone. Your Motorola Droid is every bit as functional as a Google Nexus S operating system wise. The only additional locks some dodgy vendors put in the system is one that prevents the kind of tinkering that allows you to play with custom ROMs or flashing the bootloader. The Droid is as locked down as the iPhone. It's also not very popular.

But again that's just one vendor. Pick another if you don't like it. For the major tinkerer who likes to play with things such as Cyanogen mod the Samsung Galaxy S for instance you hold down 3 buttons and it puts you into download mode. Run a tool on the computer and you can flash whatever the hell you want to the phone.

Re:Once again... (1)

Kalriath (849904) | more than 3 years ago | (#36470602)

Actually, that's wrong. Carriers can also lockdown Android to not allow installation of non-market apps. AT&T used to.

Re:Once again... (1)

thegarbz (1787294) | more than 3 years ago | (#36471574)

Actually it's still right. But you're right too. This is the result of the strange relationship vendors have with specific carriers rather than a result of the carriers themselves. Carriers can add CSCs to Android which do things like push the aforementioned bloatware, but they can NOT disable features of the OS. They rely on vendors creating a specific handset for the carrier with specific firmware modifications if they wish to do that. e.g. There are two HTC Arias in circulation. One has an AT&T logo on it and comes with the restriction you mention. This is HTC's doing, not AT&Ts, and there's nothing stopping me from getting the normal HTC Aria and signing up to a pre-paid AT&T without restrictions.

The way your mobile vendors and carrier work together to bring the same product with a different logo on it is incredible to say the least. The example I used before the Samsung Galaxy S there are:
Samsung Captivate - AT&T
Samsung Vibrant - T-Mobile
Samsung Fascinate - Verizon
Samsung Epic - Sprint
Samsung Galaxy S - The rest of the bloody world.

These phones are so close to identical that you can cross load the firmwares between them. They have minor differences in buttons but are all a Samsung Galaxy S underneath.

In comparison in Australia you get
Samsung Galaxy S with the OPS CSC - Optus
Samsung Galaxy S with the VAU CSC - Vodaphone
Samsung Galaxy S with the XSA CSC - Telstra

All the same phone with CSCs just as intended by the Android system. All phones have an identical feature set save for the added bloatware.

Re:Once again... (1)

MikeBabcock (65886) | more than 3 years ago | (#36471416)

In the world of "custom rom with one possible problem as a result that's been fixed in cyanogen" vs "stock rom that never gets updated with security fixes two years later", I'll take my chances with the first.

Re:Once again... (1)

ColdWetDog (752185) | more than 3 years ago | (#36468812)

Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMS and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you.

There will be some 'survival of the fittest' selection here and the vast majority of users that don't root their phones won't have many problems, but there the malware authors think there is enough of a market to spend the time to hack at the platform.

Re:Once again... (1)

TehDuffman (987864) | more than 3 years ago | (#36470416)

Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMS and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you. There will be some 'survival of the fittest' selection here and the vast majority of users that don't root their phones won't have many problems, but there the malware authors think there is enough of a market to spend the time to hack at the platform.

Apparently your reading level is elementary school -1...

We aren't talking about rooting or jail breaking a phone here. This is completely changing the operating system on your phone. It requires quite a bit more time and effort than rooting your phone. Most people who are changing the ROMs on their phones know what they are doing. Only something like 500k use CM which is a tiny fraction of the android user base.

Re:Once again... (1)

Daetrin (576516) | more than 3 years ago | (#36469300)

Please note the "and/or" in the original statement. I don't know how many people flash new ROMs who aren't as computer savy as they think they are (though i suspect it's a non-zero number) but installing "unapproved" apps is pretty easy to do.

Re:Once again... (1)

AvitarX (172628) | more than 3 years ago | (#36471390)

I'd be willing to bet plenty of the "computer literate" type do. It's not that hard to follow step by step directions.

I suspect many do it for free/reduced price apps from shady sources even.

The type of person that said ie7 was essentially Firefox at the office (they were digging the tabs, which I guess made them somewhat similar at a glance. The type with 10s of thousands of dollars of software on their computer that they don't even vaguely know how to use. Pretty much anyone with 'lite skillz would be a pretty easy target for this I bet.

Hell, it makes me nervous to know that an app can bypass the permissions granting on my phone, it's kind of a big deal.

Re:Once again... (0)

Anonymous Coward | more than 3 years ago | (#36468666)

Android is open and allows you to do pretty much whatever you want

Eh... that's not often true.

Re:Once again... (0)

Anonymous Coward | more than 3 years ago | (#36468784)

You're not an iphone user by any chance?

Re:Once again... (1)

PopeRatzo (965947) | more than 3 years ago | (#36468854)

The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one then Google will send its army of hackers to try to destroy your life with malware

Fixed.

Re:Once again... (0)

Anonymous Coward | more than 3 years ago | (#36471644)

The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one then Google will send its army of hackers to try to destroy your life with malware

I'm a retard.

Fixed.

Re:Once again... (1)

syousef (465911) | more than 3 years ago | (#36469096)

The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.
Of course hopefully this isn't news to people who are already computer savy.

That's the lesson you took from this? I would have thought the lesson to learn was that customer hostile bullshit, like trying to allow apps to install without their consent, is a breach of basic security principles.

Re:Once again... (1)

w0mprat (1317953) | more than 3 years ago | (#36469248)

Once again... it's still massively better than the desktop software ecosystem. Significant malware problems are largely absent considering the millions of devices kicking about now. Android and indeed other platforms can still be called "Virus free" as a rule, although there have been some exceptions.

Android also has a pretty good security model in the OS. There's certainly no cause for alarm.

Massive respect to the ROM community for releasing a security update fast.

Re:Once again... (1)

Jonner (189691) | more than 3 years ago | (#36469818)

It's always a really dumb idea to download random apps from anywhere as anyone who has downloaded trojans from the Google Market knows. The other important lesson from this is that you should not sign code with a well-known private key. It was a pretty dumb thing for the CM team to do.

Re:Once again... (1)

colinnwn (677715) | more than 3 years ago | (#36471486)

I couldn't find a reference to whether CM was signing their ROM with the ASOP private key or not. Maybe they were, or maybe they weren't. This summary and the link to the CM developer comment doesn't by itself suggest CM was actually doing that dumb thing. What the CM 7.0.3 update supposedly prevents is the installation of any external apps signed with the ASOP private key. It is like how the native ActiveSync client in Android doesn't allow the use of self signed certificates anymore.

Just like with a PC (0)

Anonymous Coward | more than 3 years ago | (#36468452)

It's all about careful usage of your device.
Fortunately all the desktop-world AV companies are starting to make AV software for smart phones that mostly works... I think...
Although I esteem ESET I still don't really know if their mobile app *does* anything. Ditto for Lookout... and all the others.

Re:Just like with a PC (1)

errandum (2014454) | more than 3 years ago | (#36468682)

I have a theory that cloud AV is the way for mobile phones. Just insert a layer before install that will check signatures of what you have, report a positive/negative if it knows the file, and upload for checking if it doesn't.

That way you'd save on batter and computing power and, lets face it, if you're installing something from the internet, it means you have it, so no harm done.

Permanent AV protection is not needed in a mobile phone, I think.

Incompetent key handling. No surprise. (4, Interesting)

gweihir (88907) | more than 3 years ago | (#36468476)

Those that do not understand how Public Key Crypto works should not use it.

Even better... (1)

xded (1046894) | more than 3 years ago | (#36468714)

If somebody does not even wonder why a private key is called like that, he should be kept away at all times from any computer system more complex than a pocket calculator.

Re:Incompetent key handling. No surprise. (1)

errandum (2014454) | more than 3 years ago | (#36468734)

You have to understand that most of the people doing ROMs are hobbyists with no idea about the fundamentals of a lot of stuff. They have some programming skills and follow a tutorial on how to get things to work... and that's about it.

There isn't that much information going around about what keys or how they should be used in relation to Android :\

Re:Incompetent key handling. No surprise. (1)

Abreu (173023) | more than 3 years ago | (#36469268)

Nothing more dangerous than a little knowledge, eh?

Re:Incompetent key handling. No surprise. (4, Insightful)

rwven (663186) | more than 3 years ago | (#36468752)

That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."

Re:Incompetent key handling. No surprise. (1)

Anonymous Coward | more than 3 years ago | (#36468852)

That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."

No, it's like saying, "Those who don't know how a locking mechanism works shouldn't be rekeying locks."

Re:Incompetent key handling. No surprise. (1)

rwven (663186) | more than 3 years ago | (#36469278)

No... That would be like saying "Those that do not reverse engineer Public Key Crypto should not use it."

Re:Incompetent key handling. No surprise. (1)

F.Ultra (1673484) | more than 3 years ago | (#36468860)

No it's more like "Those who don't know how a locking mechanism works shouldn't try to make their own car lock"

Re:Incompetent key handling. No surprise. (0)

Anonymous Coward | more than 3 years ago | (#36468862)

You don't need to know the inners of locking mechanism. It's enought to know that once you lock you car, is not good to leave the key in the lock; you must keep the key in your pocket.

Re:Incompetent key handling. No surprise. (1)

Amouth (879122) | more than 3 years ago | (#36468866)

but they shouldn't trust it fully.. no one should.. unless they understand it.

Honestly a lot of people are surprised that locksmiths can make them a new key by just having the VIN of the car..

If you understand it then you can trust it as much as you are willing based on that understanding.. sadly there is this blip on the curve when it comes to "security" where most people who know nothing about a method will trust it because they don't understand it and don't want to bother to.

Re:Incompetent key handling. No surprise. (1)

rwven (663186) | more than 3 years ago | (#36468916)

Yes, but it's completely unreasonable to develop everyday end-user systems and then say that "unless a person as a CS degree and understands the underpinnings of the software, they shouldn't be using it." The OP posted a shortsighted, ego-ridden comment that is completely ridiculous in any real-world context.

Re:Incompetent key handling. No surprise. (1)

Amouth (879122) | more than 3 years ago | (#36469102)

Your right about the OP - and i agree with you on that..

I feel the problem is in peoples lack of taking the time to understand the basics of the tools they are using and are relying on.. it doesn't take a CS degree to understand the basics.

Re:Incompetent key handling. No surprise. (1)

mysidia (191772) | more than 3 years ago | (#36469660)

That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."

No. "Those who don't understand how a lock is operated shouldn't use a car that requires keys"

"How public key crypto works" is a basic cryptography topic; at the same level as knowing that you turn a key to open a lock.

Re:Incompetent key handling. No surprise. (1)

rwven (663186) | more than 3 years ago | (#36470680)

Saying public key crypto is a basic cryptography topic is one thing. Righteously expecting the average joe to understand "basic cryptography" is egotistical bullcrap.

Re:Incompetent key handling. No surprise. (1)

allo (1728082) | more than 3 years ago | (#36472000)

who uses it, should understand the principle. not the maths behind it, but the idea. If the user does not understand the basic idea, he will mess up the security.

Re:Incompetent key handling. No surprise. (1)

dudpixel (1429789) | more than 3 years ago | (#36471092)

More like "Those who don't know how a locking mechanism works shouldn't be the ones installing locks."

Re:Incompetent key handling. No surprise. (1)

blair1q (305137) | more than 3 years ago | (#36468944)

I didn't understand your post. Could you send me your private key so that I can decode it?

Re:Incompetent key handling. No surprise. (0)

Anonymous Coward | more than 3 years ago | (#36469058)

"Those that do not understand how Public Key Crypto works should not implement it."

Fixed that for you.

Re:Incompetent key handling. No surprise. (1)

dkf (304284) | more than 3 years ago | (#36472054)

Those that do not understand how Public Key Crypto works should not use it.

In other news, gweihir has announced that he will no longer be accessing any website via HTTPS.

(The number of people who understand the whole of a public key crypto system and deployment is vanishingly small. The underlying math is difficult. The programming is easy to make errors in. The way to use it, not all that obvious either going by the massive quantities of misinformation I see here and elsewhere on the 'net. Public key crypto is only practical to use if you don't understand it all; fortunately, there are useful abstractions for most of it that are accessible. Now, if only the firmware makers grokked even that little bit...)

To hell with the app culture (0)

Anonymous Coward | more than 3 years ago | (#36468740)

Installing random application can be a threat to your computer's (or phone's) security. Whose moronic idea was it to take some damn fine open source projects and build a culture of closed source apps around them? That person deserves to be shot. Give me a phone platform with only open source apps and stop thinking that you will be rich by selling stupid nonsense apps.

Re:To hell with the app culture (1)

Anonymous Coward | more than 3 years ago | (#36470588)

Give me a phone platform with only open source apps and stop thinking that you will be rich by selling stupid nonsense apps.

*gives fellow AC Maemo*

(It's OK, Nokia wasn't using it anyway. They're too busy setting their Meego platform on fire so they can jump off it.)

Really, it's basically what you describe. We have a community open-source repository with an automated build system. Submit your Debian source package, it builds, and the deb shows up in "extras-devel"; if you like it, you (the developer) can promote it to "extras-testing", and after a community testing process (n people have to rate it as ready for promotion), it's automatically promoted out to plain "extras" which is intended for end-users.

Of course, in reality a ridiculous proportion of power-users run extras-testing or even extras-devel daily, and only pin something to an older version (and ideally file a bug, but you know that's rare) if/when something breaks.

Last year Nokia finally brought their "ovi" app-store to the N900, but it has laughably few and pitiful apps compared to the extras repo.

I have no clue if something similar will exist for the Nokia Meego device whenever they finally crap one out, but it's one of the biggest strengths of the platform IMO.

What % of 3rd party installed ROM base is non-CM7? (1)

technomom (444378) | more than 3 years ago | (#36468770)

Of the ROM-installing community, what percentage is NOT using CM 7.0.3?

Re:What % of 3rd party installed ROM base is non-C (2)

Anonymous Psychopath (18031) | more than 3 years ago | (#36468820)

Of the ROM-installing community, what percentage is NOT using CM 7.0.3?

Everyone using a custom ROM on a device that CM does not support. I'm not sure how many that is, but it includes the HTC Thunderbolt users.

Re:What % of 3rd party installed ROM base is non-C (2)

namalc (66960) | more than 3 years ago | (#36468868)

Those on devices where the CM 7.0.3 port is still very much a (buggy) work in progress, such as the LG Optimus.

Re:What % of 3rd party installed ROM base is non-C (3, Interesting)

rrossman2 (844318) | more than 3 years ago | (#36468974)

A lot. I was using's Doc's Rom Kitchen as it had a lot better support for my SGS. I ended up trying a CM7 nightly for my SGS, it was alright, but the cameras were too dark to be functional, and my ability to text went out the window. Reverted to a stock ROM, and while I can receive texts, I still can't send (which is more so confusing to me than anything as I really don't text).

I'm now using the Insanity CM GalaxyS ROM (which is based on CM7, but is very stripped down and lite.. I love it). Also flashed the 2.6.35_7_Glitch Insane Edition V10 ROM for the i9000, which is freakin sweet!

Re:What % of 3rd party installed ROM base is non-C (0)

Anonymous Coward | more than 3 years ago | (#36469124)

up until maybe a month ago...everyone using a Galaxy S phone. And until they add GPS capability, why would they?

disclaimer: I haven't looked at cyanogen's progress in the past 2ish weeks..perhaps they've fixed the gps? Without checking, I doubt it.

Re:What % of 3rd party installed ROM base is non-C (0)

Anonymous Coward | more than 3 years ago | (#36470050)

I have been heavily involved in the custom ROM scene for Galaxy S devices since they first came out and have never installed CM; looks like Ubuntu for phones to me and I'd prefer to have more choice in what tweaks or apps are pre-installed.

Many people also try flashing a number of different ROMs, find one that they like which is stable and fast then don't upgrade for a long time. What makes you think everyone wants the latest and greatest and not just a working phone?

Here's a current custom ROM list for the SGS (not including custom kernels and other packages that make customisation options even more user-specific)

MIUI
ROM Kitchen
Ultimate
GingerCriskelo
Darky's Extreme
Juwe's Smart Edition
Deodexed Stock Firmware (Ramad)
Turbo Ginger
Simply Honey
c0llal0-rel0ad3d-3.2
HaWkiSH 2 ROM
Serendipity (v6.3)
insanity (v8.1)
GingerReal (v3.1)
Tiramisu (v3.20)
Orion ROM
Thunder (v1.0)
Laila's ROM
DebusROM (vG1)

So I think it's pretty safe to say a large percentage is NOT using CyanogenMod, especially one particular version of it.

Re:What % of 3rd party installed ROM base is non-C (1)

dudpixel (1429789) | more than 3 years ago | (#36471096)

Of the ROM-installing community, what percentage is NOT using CM 7.0.3?

anyone with a samsung galaxy s/s2 phone for a start.

Not wanting to start a GLP flame war but... (2)

nickovs (115935) | more than 3 years ago | (#36469044)

... while the code for Android is GPLv2, the move of various other projects towards GPLv3 is only going to make this sort of problem worse. The 'anti-Tivoisation' [wikipedia.org] clause basically demands that some authorised signing key gets distributed with any GPLv3 code that needs to be signed in order to run, and that the available signing key grants all the rights necessary for that code to function. While it is of course possible for users to completely rebuild the trust hierarchy with their own keys, very few people will be willing to do so. As a result it seems likely that any GPLv3 project will be unable to make effective use of signing as a mechanism for preventing the execution of rogue code, even if the license allows for it in theory.

Re:Not wanting to start a GLP flame war but... (0)

Anonymous Coward | more than 3 years ago | (#36469172)

Not a worry anytime soon. The anti-xaaS clauses in GPLv3 mean the kernel will be GPL2 for the foreseeable future, and Android itself is Apache licensed (this is why Android is actually being deployed, imagine if HTC needed to open Sense up to everyone else instead of suing anything that looks like it).

Re:Not wanting to start a GLP flame war but... (0)

Anonymous Coward | more than 3 years ago | (#36470006)

Eh? It's really simple -- have a checkbox for "run unsigned code" -- default unchecked. Also have a whitelist of public keys, to which the user can add their own or those of any developers/3rd-party app stores whose stuff they want to run.

Don't distribute any private keys, since you don't need it signed to run. Anyone who rebuilds from source can use their own key, and add their public key to the whitelist, or build it unsigned and check the box.

90% of users won't recompile it, won't modify the whitelist, and won't check the box. The other 10% think they know what they're doing, so let them.

Re:Not wanting to start a GLP flame war but... (1)

klapaucjusz (1167407) | more than 3 years ago | (#36470494)

... while the code for Android is GPLv2,

No, it isn't. The kernel is GPLv2, but that's just a tiny wee bit of Android. The user-space code uses a mixture of non-copyleft licences (mostly the APL).

the move of various other projects towards GPLv3 is only going to make this sort of problem worse.

Much as I dislike the GPL (and especially the GPLv3), that's nonsense.

--jch

Re:Not wanting to start a GLP flame war but... (0)

Anonymous Coward | more than 3 years ago | (#36471002)

The user-space code uses a mixture of non-copyleft licences (mostly the APL)

Apache License, you mean? APL is the Apple Public License or Adaptive Public License, which I don't believe Android uses.

Re:Not wanting to start a GLP flame war but... (0)

Anonymous Coward | more than 3 years ago | (#36471546)

Much as I dislike the GPL (and especially the GPLv3), that's nonsense.

Just curious, what have you got against the GPL? Does the LGPL bother you too?

Not ROMs (0)

Anonymous Coward | more than 3 years ago | (#36470148)

Firmware isn't stored in ROMs, which stand for READ-ONLY MEMORY. You whippersnappers should know this. If you can write to it, it's NOT ROM. ...Now log off my lawn!!

Why not lock parts of the flash? (0)

Anonymous Coward | more than 3 years ago | (#36471782)

Precisely!!! You can't 'flash a ROM' either - ROM means that its either written during manufacture (mask-ROM) or in programmers (EPROM/OTP/MTP). In other words, it has to be physically removed from its PCB (possible if it's using a package socket), put into a programmer, re-programmed and then put back in.

Timothy should have said 'New Android Malware attacks the firmware' - he'd have been more accurate. Essentially, you have the flash there, and the malware is trying to alter it. Incidentally, is it NOR flash or NAND flash that's being used? If the latter, pretty straightforward, but if the former, one would have to know the brand in use (Numonyx, Spansion, Samsung, et al) before one can corrupt it. And typically, manufacturers would use different types to ensure that it's multi-sourced.

Besides, some flash vendors, like Numonyx, have multiple locking mechanisms that's hardware locked to prevent things like this. The Android designers should have made use of such features. It allows one to lock certain areas of the flash, while allowing others to be updated.

P.S. So let me get it right - a nerd site like /. is not IPv6 capable, has shortcomings in handling Unicode, and now thinks that ROM can be corrupted? What next - not knowing the difference b/w GB and Gb?

open indeed (0)

Anonymous Coward | more than 3 years ago | (#36470942)

open to trojans and viruses.

Meanwhile, my closed-shop iPhone is doing just fine thankyou.

I might get a second hand android for use as a toy, to play with.

But for when I want to do more important things, eg dial 911, i'll have my iPhone.

Grammar nitpick (1)

jabberw0k (62554) | more than 3 years ago | (#36471318)

You don't have "firmwares" any more than you can have "softwares" or "hardwares" or "clothings" -- no; you have two firmware sets, two pieces of software, two pieces of hardware, and two items of clothing. These are all collective nouns.

It started simpel (1)

Babystrauss (2276264) | more than 3 years ago | (#36472070)

Welcome to the new world. I am still waiting for the first virus to kill my office mobile ^^
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?