Gaining a Remote Shell On Android

Soulskill posted more than 2 years ago | from the poking-google-with-a-stick dept.

SharkLaser writes "The security of Android devices has come under scrutiny in recent months. Android Market has been plagued with a number of trojaned apps, and researchers have identified various root exploits and permission leaks that can be exploited, for example, to send premium rate SMSs. Now researcher Thomas Cannon of ViaForensics is demonstrating a method for setting up a remote shell on an Android device without using any exploits or vulnerabilities. The security hole is not new, and it has been pointed out for a number of years, but Google has yet to fix it. The method works on various versions of Android, up to and including the newest Ice Cream Sandwich."

124 comments

Direct link to Vimeo How-To (4, Informative)

xmas2003 (739875) | more than 2 years ago | (#38443052)

Thomas has a pretty low-key way of presenting the shell access in the linked article - here's the Vimeo how-to video. [vimeo.com]

goog: pls try harder! (-1, Flamebait)

noh8rz (2535268) | more than 2 years ago | (#38443562)

geez, if android is going to rip off the iPhone, why not rip off the security features as well? why try to go it alone there? stick with your strengths, google!

Re:goog: pls try harder! (0, Funny)

Anonymous Coward | more than 2 years ago | (#38443616)

Is this the iphone that was rooted by downloading a PDF?

Re:goog: pls try harder! (0, Troll)

noh8rz (2535268) | more than 2 years ago | (#38443674)

please send me a link to a single example of malware on an iPhone and i'll search to see if I can find an ex/////OH WAIT THERE'S AN EXAMPLE RIGHT UP TOP

Re:goog: pls try harder! (-1, Flamebait)

spyder-implee (864295) | more than 2 years ago | (#38443806)

Doesn't your iPhone come with malware from the factory? Why re-invent the wheel? http://apple.slashdot.org/story/11/04/20/1357248/apple-logging-locations-of-all-iphone-users [slashdot.org]

Re:goog: pls try harder! (-1, Troll)

noh8rz (2535268) | more than 2 years ago | (#38443890)

I'm glad that you're very efficient with your time, and don't bother reading anything but flame bait headlines. good for u! the thing was, "Apple" wasn't logging locations, the phones were logging locations. OMFG STFU! just like a phone logs calls in and out, all text messages, and other stuff. The point is, this data stays on the phone for Apple's case. For Goog, it all goes back to the mother brain.

Re:goog: pls try harder! (-1, Troll)

spyder-implee (864295) | more than 2 years ago | (#38443988)

TL; DR :D

Re:goog: pls try harder! (1, Troll)

noh8rz (2535268) | more than 2 years ago | (#38444114)

Your past comments [slashdot.org] are racist and I don't interact with that sort of people

Re:goog: pls try harder! (-1, Troll)

spyder-implee (864295) | more than 2 years ago | (#38444276)

It warms my heart to know I got so far under your skin :)

Re:goog: pls try harder! (0)

noh8rz (2535268) | more than 2 years ago | (#38444356)

thats what ur mom said

Re:goog: pls try harder! (0)

spyder-implee (864295) | more than 2 years ago | (#38444576)

You misspelled mum.

Re:goog: pls try harder! (0)

Anonymous Coward | more than 2 years ago | (#38445824)

Also, you didn't capitalise your "T", misspelled "that's", misspelled "your" and failed to use a period at the end of your sentence. Furthermore, you meant to say, "that's what I said to your mum", not "that's what your mum said."

I guess Google usually corrects all that for you.

Re:goog: pls try harder! (2)

PNutts (199112) | more than 2 years ago | (#38443946)

Is this the iphone that was rooted by downloading a PDF?

You must be referring to the two exploits in the previous version of iOS that were quickly patched. Apparently Apple has trouble porting functionality to subsequent versions of iOS. Who says Apple can't learn anything from Google?

_NSAShell (3, Interesting)

Anonymous Coward | more than 2 years ago | (#38443096)

Why do these tinfoil hat types keep bringing up the _NSAShell functionality? Enough already!

Re:_NSAShell (0)

smpoole7 (1467717) | more than 2 years ago | (#38444332)

> Why do these tinfoil hat types keep bringing up the _NSAShell functionality? Enough already!

Because it hasn't been patched yet, and because it's a significant vulnerability.

Clear enough?

Re:_NSAShell (1)

CanEHdian (1098955) | more than 2 years ago | (#38444616)

I guess the sarcasm tag is missing in the parent posting (reference to the _NSAKEY cryptographic API key exposed by the WinNT SP5 updater).

DON'T WORRY !! BE HAPPY !! (-1)

Anonymous Coward | more than 2 years ago | (#38443098)

Hey, I bet you could do a song with that !! Regarding the hole, be safe !! Guard your back !! Guard your front !! Guard your sides !! Guard your top !! ANd for heaven's sake, GUARD YouR BOTTOM !!

TFA is blank (1, Interesting)

Culture20 (968837) | more than 2 years ago | (#38443108)

I'm guessing it loads all its content via javascript and my noscript is blocking it. I'm glad I'm also using adblock so they didn't get any ad-views for not showing content.

Re:TFA is blank (5, Informative)

Anonymous Coward | more than 2 years ago | (#38443256)

No-permission Android App Gives Remote Shell

I have been working at viaForensics as the Director of R&D for about 5 months now, and in that time I’ve been involved in some exciting research projects. I haven’t had the opportunity to blog on our company site yet so I thought I’d take a little time out and record a video to demonstrate an Android issue that is of interest to many of our clients.

When talking with people and reading posts on the web I’ve often heard people say that the Android permission system protects their device such that apps without certain permissions are therefore safe to install. The permissions system on Android is a fantastic idea and generally well implemented; it gives apps just enough permissions or capabilities to perform the required functions without exposing capabilities that could be used in a dangerous way. It is a step up in protection when compared with a typical desktop system, but this increased protection can give rise to a false sense of security.

Putting aside the issue of users ignoring the permissions when installing apps, can we rely solely on permissions to decide if an app is safe? There are multiple controls in Android and its ecosystem that protect a user and their device, but one should not automatically assume that installing an app, even if it requires no permissions, is safe.

To demonstrate this we’ve built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality we are exploiting to do this is not new, it has been quietly pointed out for a number of years, and was explained in depth at Defcon 18 [1]. It is not a zero-day exploit or a root exploit. We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.

Please see the video below with accompanying audio for further explanation.

Link to video: Android No-permissions Reverse Shell

I should also mention here a recent paper by Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang from NCSU who have developed a tool to detect capability leaks in Android devices. Using their tool they found a number of capability leaks, such as being able to send an SMS, in various Android applications usually added by OEMs. Malicious applications can call the vulnerable apps and exploit the lack of protection around permission/capability use and therefore do not need to request permissions themselves. In a similar way we’ve exploited the Android Web Browser, although we are not exploiting a vulnerability due to bad coding, but rather using the functionality it legitimately offers to other applications.

In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it.

I hope this demo was of interest and that it generates some discussion around the best ways to select and use apps which offer the least risk to your device and data.

Update 20-Dec-2011: As mentioned these issues are not new and have been discussed before. Updated to include a link to one such talk which does a good job of explaining some of the issues (thanks Tim):
[1] Defcon 18 Presentation “These Aren’t The Permissions You’re Looking For” by Tim Wyatt, David Luke Richardson and Anthony Lineberry. PDF Link.

Re:TFA is blank (0)

Anonymous Coward | more than 2 years ago | (#38443872)

Why do people feel so good about creating poor web experiences for themselves?

Re:TFA is blank (3, Insightful)

A nonymous Coward (7548) | more than 2 years ago | (#38444454)

Amazing web page. A security page that requires javascript to display. If you look at the source, the entire readable content is a dozen short paragraphs at the end, each written on one line, and being mere verbiage around the real content, which is a video hosted elsewhere.

Somehow I don't think I'll be taking any of this site's suggestions very seriously.

Re:TFA is blank (1)

aitan (948581) | more than 2 years ago | (#38446538)

Sorry, clicked wrong while moderating the post.

Re:TFA is blank (0)

Anonymous Coward | more than 2 years ago | (#38447122)

You really can't view a webpage running Javascript?

Firewall (0)

Anonymous Coward | more than 2 years ago | (#38443116)

Easily defeated by a firewall like iptables, which can be easily installed from the market if you have root.

Re:Firewall (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38443186)

And if you don't have root, you can use one of the many remote root exploits to give yourself root access.

Re:Firewall (1)

Ethanol-fueled (1125189) | more than 2 years ago | (#38443972)

Pardon my naivete, but why would something as useful and non-destructive as iptables not be easily installed with the phone's default condition?

( signed, a guy who uses his ancient phone just to make calls and take the occasional low-res video )

Re:Firewall (2)

Overly Critical Guy (663429) | more than 2 years ago | (#38444056)

Yes, it's perfectly reasonable to expect users to install and configure iptables on their cell phones. We know this because you wrote "easily" twice!

Re:Firewall (2)

Fri13 (963421) | more than 2 years ago | (#38447510)

If leaving out the rooting part... (which is an app install from market + a single click to root/unroot), iptables is easy to use in Android:

1. Install droidwall (or any other iptables firewall)
2. Start application and check/uncheck applications rights to have connection when in 2G/3G or WiFi mode.

I hope it would be as easy with Linux distributions....

Re:Firewall (3, Interesting)

muridae (966931) | more than 2 years ago | (#38445380)

So you would have the firewall prevent your browser from connecting to pages that aren't in your whitelist? Because that's how the exploit works, by using the built in browser to contact a webpage and then execute local instructions.

No vulnerabilities? (4, Informative)

Hatta (162192) | more than 2 years ago | (#38443132)

Unintended root access is a vulnerability by definition.

Re:No vulnerabilities? (5, Informative)

BlueBlade (123303) | more than 2 years ago | (#38443182)

This doesn't give root, it just allows you to run a command within the context of the installed app. The app launches the web browser to pass data to and from a middleware server. So if the app itself doesn't have any specific access (including network access) it can still transfer data through launching a browser session.

It's more of a conscious decision by the android team. If you allow an application to launch a URL, then of course it can transfer data through the http session. However, not allowing apps to launch a simple URL link would be very limiting, so they chose not to do that. I'm not sure there's a fix really, as this is a classic security / convenience problem.

Re:No vulnerabilities? (4, Interesting)

Culture20 (968837) | more than 2 years ago | (#38443234)

"Allow App 'Foo' to open a browser? Yes/No/Always/Never/Maybe/Sometimes/EverythirdTuesdayoftheMonth"

Re:No vulnerabilities? (4, Interesting)

shutdown -p now (807394) | more than 2 years ago | (#38443452)

Interestingly enough, you get something of a kind if you install more than one browser on your phone - then, whenever a link is opened by an app, you'll get a dialog prompting you to select the browser to use for this protocol henceforth (and a checkbox to not ask again).

Unfortunately, the setting isn't per-app, so not as useful. Still, can be a handy trick for the more paranoid (but then they're probably using N900, anyway).

Re:No vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#38445870)

app can specify specific handlers, not generic actions

e.g. most apps force the SMS intent, even with my phone having several apps (gvoice, etc) that handle messaging. In fact, gvoice is my default and i never see the dialog when an app calls the messaging intent. yet, some other apps just bypass that and go straight to sms.

Re:No vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#38443488)

The fix is to ask for permissions that an app requires *plus* the permissions of other applications/services that it uses or depends upon.

Re:No vulnerabilities? (3, Informative)

rabtech (223758) | more than 2 years ago | (#38443542)

This doesn't give root, it just allows you to run a command within the context of the installed app.

How many times do we need to revisit the MS Word VBScript virus problem before we learn from it?

Here are some obligatory automatic security fails (on any platform) that guarantee your wonderfully architected system will be oft and immediately bypassed:

1. Asking the user to decide. Users don't read dialog boxes and just click/tap to make them go away. They will often happily answer YES to the "Install unsigned ActiveX control" dialog so they can see the dancing monkey or play some game. How often do you think they will pay attention to what rights an app wants and make a reasoned decision about whether that is a good idea or not? (Hint: almost never)

2. Asking the developers to oh-so-politely make sure they use best-practices and don't have any exploits or holes. They can and will not only willfully ignore your security best-practices but in fact will go out of their way to hijack the system because *their* app is special and like totally has a really good reason for it man! (See apps that hijack the right-click menu/sys tray/startup group/install 15 services/drivers that all auto-start/etc on Windows and the awful state of many drivers).

3. Assuming that an app should be able to do what the user can do - Granted this is not a problem with a sandbox system but still... Apps can't be trusted. Even when there is no ill intent there can still be unintended exploits (or just bad designs like running in the background constantly draining the battery when not necessary - part of the reason iOS still doesn't let apps run continuously unless they have an explicit reason like audio playback).

4. Assuming the user has the time or a f**k to give. In most cases the computer, phone, etc is just an appliance and they don't know or care about automatic updates, patches, security, etc. They just want the damn thing to work and stop annoying them. After all... most dangerous things have warnings and/or safety features and don't require you to check the manufacturer's website on a daily/weekly basis to see what new way to kill yourself has popped up. It can be impossible to keep up with even for technically-minded people who happen to have busy lives.

Re:No vulnerabilities? (-1)

Anonymous Coward | more than 2 years ago | (#38445272)

Why would "some idiot user" be concerned about getting remote shell access on their phone?

Your rant is misplaced.

Re:No vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#38445462)

Orly? So by your logic, "some idiot user" should just allow a random third party shell access to their phone?
 
This isn't a "Look at this cool thing your phone can do" article, rather it's a "look how easy it is to hack an unsuspecting person's phone" warning. The more idiot users that know about this, the better.

Re:No vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#38444138)

Well I've just lost a little trust in Android because of this decision.

I wonder what other Apps an App can connect with to use their permissions instead of its own.

Re:No vulnerabilities? (1)

thsths (31372) | more than 2 years ago | (#38445854)

> It's more of a conscious decision by the android team.

And what makes them decide this for me? Shouldn't this be a permission like so many other features of Android? I am asked whether I grant network access, and calling URLs should be pretty much the same.

Re:No vulnerabilities? (1)

thetoadwarrior (1268702) | more than 2 years ago | (#38446380)

If someone wants to know if their app accesses the network (i.e. costs them money) then they want to know under all circumstances, not just something primarily made for net access. It's a flaw in Google's design.

Re:No vulnerabilities? (1)

Trisha-Beth (9231) | more than 2 years ago | (#38443226)

In that case it's lucky the method in the article doesn't gain root access, and can do nothing beyond what the "shell proxy" app can do.

Re:No vulnerabilities? (5, Informative)

JAlexoi (1085785) | more than 2 years ago | (#38443268)

It's not root access. It's shell access.

Re:No vulnerabilities? (2)

StikyPad (445176) | more than 2 years ago | (#38444618)

A shell which provides a convenient attack vector for root access if and when a vulnerability is discovered/crafted.

Re:No vulnerabilities? (3, Informative)

JAlexoi (1085785) | more than 2 years ago | (#38446504)

Shell access is irrelevant in that case, because the app itself would root the device without any shell access.
Even in that case the shell is ridiculously restricted on Android. You can't even run the sqlite command from the app.

Re:No vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#38443824)

I hear you can get the AIDS if you drop your Android phone in the shower at the state prison.

Re:No vulnerabilities? (1)

Neil Boekend (1854906) | more than 2 years ago | (#38446902)

You'd better have a Defy or some other ruggedised phone or it'll get damaged by the shower.

Or Just a Local Shell (4, Insightful)

Doc Ruby (173196) | more than 2 years ago | (#38443154)

Until my phone's Android lets me run the Android Perl shell app on it without rooting, it's not "open", no matter what Google says. The source code might be open, at least "open readonly", and the binary might be "open execute" by hackers onto unauthorized hardware. But the OS instance is not open if it's not open to me as a user to invoke its API with an app that can do the job.

Re:Or Just a Local Shell (-1)

Anonymous Coward | more than 2 years ago | (#38443178)

Wait, so if you can't do stuff that requires root without rooting, then it's not open? You're a fucking idiot.

Re:Or Just a Local Shell (2)

bemymonkey (1244086) | more than 2 years ago | (#38445634)

If rooting consisted of entering "su" in a console and then typing your password/PIN or whatever, I'd agree with you - but have you seen the hoops some users have to jump through to get root on their Android devices?

Re:Or Just a Local Shell (0)

Anonymous Coward | more than 2 years ago | (#38443336)

Would a Ruby shell do? See if you can install Ruboto IRB. I could on an un-rooted Acer Iconia. YMMV.

Re:Or Just a Local Shell (3, Funny)

Anonymous Coward | more than 2 years ago | (#38443366)

Android is "open" like a stripper's pussy. Pay at the door, look but don't touch.

Re:Or Just a Local Shell (1)

Baloroth (2370816) | more than 2 years ago | (#38443566)

I also can't use apt-get on Ubuntu unless I'm root. So... would that also make Ubuntu "not open" by your definition? Plenty of other things I can't do without root in Linux.

Do not confuse "security" with "closed." Don't know anything about the app you reference, but I'm guessing it requires privileges not normally granted to a user-installed app. For security reasons. That's pretty common to Linux in general.

Re:Or Just a Local Shell (1)

Archangel Michael (180766) | more than 2 years ago | (#38443646)

You're right, right up to the point where you are 100% wrong.

The difference between Android running on a Phone and Ubuntu running on your Computer is that with Ubuntu, you probably have ROOT control, even if you have to grant it to yourself ("sudo") and type a password to do it. On Android, you don't even have that ability ... by default.

Re:Or Just a Local Shell (0)

Anonymous Coward | more than 2 years ago | (#38444046)

So if someone hands you a Linux box but doesn't tell you the root password, whatever distro that is running on there is no longer open source? Got it.

Re:Or Just a Local Shell (0)

Anonymous Coward | more than 2 years ago | (#38445514)

Straw man argument alert! If you PAID someone for the computer and they didn't give you the root password, well the OS may be open source but are you really going to enjoy your new computer?

Re:Or Just a Local Shell (1)

Lehk228 (705449) | more than 2 years ago | (#38443684)

I set up sl4a/python on my eee pad transformer without jumping any hoops

Re:Or Just a Local Shell (0)

Anonymous Coward | more than 2 years ago | (#38443816)

This is trivial. Linky: SL4A [google.com]

Re:Or Just a Local Shell (1)

assassinator42 (844848) | more than 2 years ago | (#38443886)

Are you talking about an existing "Android Perl" app that requires root permissions? Do you have a link?
I don't see why you'd need root access. You can download one of the terminal emulator apps and run anything within the context of the app.
You may need to figure out how to get it compiled, though.

This isn't even close to new (4, Insightful)

StealthHunter (597677) | more than 2 years ago | (#38443164)

Woah, if you install an app, it can do stuff! Presentations (Defcon 18), numerous student theses and a number of academic papers do nearly (or exactly) this. (agreed that apps w/o INTERNET permission probably shouldn't be able to leverage the browser, etc, but again, not new or newsworthy)

Not new, but scary! (2)

nullchar (446050) | more than 2 years ago | (#38444914)

Right, big deal, the app calls the browser to do something in the background while the screen is locked. However, you may be scared after reading the following PDF Systematic Detection of Capability Leaks in Stock Android Smartphones [google.com] -- I was!

Jump to page 9 for the table.

Three HTC phones allow rogue apps (without the defined permissions) to record phone calls and send SMS! The SMS example is neat as they broadcast an intent with the phone number in it; then stock apps on the phones actually send the message. Also, the Samsung Epic 4G allows rogue apps to follow a similar method to wipe the phone to factory defaults! Most of the exploits are in the default packages that come with the bloated firmware from either the device maker or carrier. The Google Nexus phones were the safest as they had the fewest apps installed.

From the PDF:

"...by simply including a premium number in the intent, the built-in app will start sending SMS messages to this premium number!"

"For example, the explicit leak of CALL PHONE capability in Samsung Epic 4G involves passing a component a “technical assistance” phone number, which it calls after considerable processing. Similarly, all the tested HTC phones export the RECORD AUDIO permission, which allows any untrusted app to specify which file to write recorded audio to without asking for the RECORD AUDIO permission."

Re:This isn't even close to new (1)

gl4ss (559668) | more than 2 years ago | (#38445748)

well, the "big" thing here is really that browser doesn't need NETWORK capability.

An annoying thing (-1)

Anonymous Coward | more than 2 years ago | (#38443194)

On the subject of entrance testing, I had a good grasp of English, Spanish, French, German, Latin and Russian by my 15th birthday. I did an MLAT, used as a pre-interview filter for some uni courses, and scored well. I also found a practice test for something called the "DLAB" which is used to screen potential Americunt military linguists - I failed horribly. (Thank goodness I wasn't planning a US military career.)

The latter test involves three or four very narrow exercises, and the opinion is that your ability to become an effective foreign linguist is measurable based on your performance on these exercises. The crowning bullshit is the requirement to multiple-choice-select the "correct" spoken sentence based on an increasing number of rules which modify English as she is normally spoken, e.g.

"Adjectives come after the nouns they're describing."

"All verbs end with an 'oh' sound."

So ten questions in you're supposed to have retained all these rules and be able to instantly apply them to reject sentences which do not conform to all rules presented so far. You hear each sentence only once, and do not get to see it in written form.

This essentially wipes out everyone who learns primarily by reading/writing or visually or by pattern-matching. Languages are easy not because they're full of random rules created by little quiz-writing Hitlers but because almost everything about them makes sense if you take a while to understand their development.

Take another more obvious human endeavour: law. No lawyer treats the law as an arbitrary list of legislation and cases. Common law countries employ and evolve well-known principles, some narrowly and some very broadly applicable, upon which decisions are based. The more you read about the law, the more you understand the interpretation and nuances of these principles. If someone were to suddenly announce for shits that specific random cases had been decided differently then the law would likely lose an element of consistency and sense. A lawyer would need to understand the reason for the change and to examine all cases which rely on the ratio of each.

We all know that the modern US military is nothing more than a tool for a few powerful special interests. But it still provides an opportunity for intelligent people to do some of the things they enjoy. Why do these intelligent people tolerate bullshit aptitude testing?

a little off topic but,,, (0, Offtopic)

phrostie (121428) | more than 2 years ago | (#38443272)

what is the best way to install vim to my android?

TIA

it is not root access (5, Informative)

craftycoder (1851452) | more than 2 years ago | (#38443338)

What's happening here is that the app he installed opens the web browser when you lock the screen. The app is then (and herein lies the secret sauce) able to get the commands the browser is receiving. The browser part is simple; it can poll looking for input. How the app gets that input is the interesting part. I don't know how it's doing that. It may have created a callback from the browser to their app. Android has excellent inter-process communication tools, but I don't know how he is doing this from an app he doesn't control. I've only thought about it for 5 minutes though. With this app and another app you control, this exploit would be trivial (one with internet access and another with sdcard access, for example). I think any app can execute a process, which would give it access to the shell. That doesn't mean it has root access, but Android will let you view much of the file system without root. You cannot get to private app data storage, but you can see the sdcard and other basic parts of the file system like /framework or /etc.

http://developer.android.com/reference/android/os/Parcel.html [android.com] this shows inter-process communication.
http://developer.android.com/reference/android/content/Intent.html [android.com] this shows how to launch the browser.

Re:it is not root access (2)

shutdown -p now (807394) | more than 2 years ago | (#38443466)

Yup, so basically "gaining a shell" is not at all interesting here, since it doesn't let you do anything the app can't otherwise do. The real gem is being able to do network communications without requesting the appropriate permission for your sandbox when installing.

Re:it is not root access (4, Informative)

craftycoder (1851452) | more than 2 years ago | (#38443654)

The magic is getting the browser to return its data back to the app without privileges. That turns out to not be hard either. I found an example and posted it below. With this, you have a functional two way link from app without privileges to webserver and back. I'm not impressed and I don't consider this an "exploit". If you want a system that allows apps to communicate with each other, which we all do, then you have to be careful of what you install on your phone. This is better than a PC which almost always has full root access. This is just voyeur access...

http://www.android10.org/index.php/forums/49-other-coding-problemsarticles/1575-example-communication-between-an-activity-and-the-browser-callback [android10.org]
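The browser-callback leg that craftycoder describes here and in the earlier post (the browser fetching commands, then handing data back to an app that requested no permissions) leaves a footprint in the app's manifest that a reviewer can look for before installing. The Python below is an added example, not code from viaForensics or from the linked android10.org post; it assumes the callback is implemented as a BROWSABLE VIEW intent filter on a custom URI scheme (the usual browser-to-app route on Android) and runs over constructed sample manifests.

```python
"""Manifest heuristic for the no-permission browser relay discussed above.

An app that exchanges data through the stock browser without INTERNET permission
typically needs (a) no uses-permission for INTERNET and (b) an activity with a
BROWSABLE VIEW intent filter on a custom URI scheme, so the page it opened can
hand a payload back to it.  This scanner flags that combination.  The manifests
below are constructed samples, not the viaForensics demo app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # Clark-notation prefix ElementTree uses for android:* attributes

INTERNET = "android.permission.INTERNET"
ACTION_VIEW = "android.intent.action.VIEW"
CAT_BROWSABLE = "android.intent.category.BROWSABLE"
WEB_SCHEMES = {"http", "https"}  # handled by the browser itself; not a callback into the app


def analyze_manifest(xml_text):
    """Summarise the permission and browser-callback facts of one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    callback_schemes = set()
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            cats = {c.get(A + "name") for c in flt.findall("category")}
            if ACTION_VIEW not in actions or CAT_BROWSABLE not in cats:
                continue  # not reachable from a web page
            for data in flt.findall("data"):
                scheme = data.get(A + "scheme")
                if scheme:
                    callback_schemes.add(scheme.lower())
    custom = callback_schemes - WEB_SCHEMES
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "has_internet": INTERNET in perms,
        "callback_schemes": sorted(callback_schemes),
        # The relay shape: a browser-reachable custom scheme in an app that never asked for INTERNET.
        "suspicious": bool(custom) and INTERNET not in perms,
    }


def flagged_packages(manifests):
    """Package names of the manifests that match the relay heuristic."""
    return [r["package"] for r in map(analyze_manifest, manifests) if r["suspicious"]]


# Constructed sample 1: a plain no-permission app with only a launcher activity.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample 2: no uses-permission at all, but a BROWSABLE activity on a made-up scheme.
RELAY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quietapp">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".CallbackActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="relaycb"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample 3: the same custom-scheme callback, but the app declares INTERNET openly
# (an OAuth-style login flow); nothing is hidden from the install-time permission list.
OAUTH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="socialclient" android:host="oauth"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, RELAY_MANIFEST, OAUTH_MANIFEST):
        print(analyze_manifest(m))
    print("flagged:", flagged_packages([BENIGN_MANIFEST, RELAY_MANIFEST, OAUTH_MANIFEST]))
```

This is a triage hint, not a verdict: a relay that gets the browser's response by some other route shows no such filter, and many legitimate apps declare custom schemes, so a flag means "read the app more closely", nothing more.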

Re:it is not root access (1)

shutdown -p now (807394) | more than 2 years ago | (#38443762)

It is an exploit in a sense that Android does have a "permission to use networking" for apps, and if I install the app that does not have such a permission in the Market, it shouldn't have network access.

You've got a point regarding inter-app communication. Perhaps that should be a separate permission; or, better yet, prompt it whenever the app tries it (though then the app could just open some kind of "about" page in the browser on first launch, user gives it permission... and then it does the whole thing again).

Re:it is not root access (1)

craftycoder (1851452) | more than 2 years ago | (#38443870)

I'd support a permission for launching intents originating outside this signed package. Starting an Activity, like a new screen in the current app uses the same code as starting the browser or any other activity. If Android is able to tease apart the difference, and I think that would be possible, then that seems reasonable. I have an app that launches a service for listening for an Accessory (ADK) mode device that is outside the original package because ADK requires Android 2.3.4 but the app only requires 2.2. I compiled them separately because of the different kernel requirements but they still talk to one another. While I'd be VERY put off if I could not do this at all, I am ok with documenting it to the user.

Re:it is not root access (1)

gl4ss (559668) | more than 2 years ago | (#38445776)

Well, install Opera. When it asks you which browser to use to fill a browser-opening request, choose Opera and don't tick the box to always open it, if you think it might work through Opera too.

Anyhow, on maybe 80%+ of Android phones, if you get shell access you can run some exploits to get root access.

Why does Android forbid root to the owner? (5, Insightful)

Morgaine (4316) | more than 2 years ago | (#38443470)

This is a question which doesn't seem to get asked much, probably because Google is an unmovable behemoth that's not really interested in the owners of devices, but only in advertisers. Nevertheless, it needs to be asked.

These cellphones and tablets belong to us, they don't belong to the device manufacturer, nor to the cellphone service operator, and even less to Google. They are ours. So why are we, the owners, forbidden direct root access to our own devices? It's like owning a Linux desktop without root, or owning a Windows machine and not being allowed Administrator access.

It's daft, and it's completely wrong.

Currently the crackers seem to have easier access to root than the device owners. Google, stop navel gazing and caring only about profit, and do something for users for a change. Add to standard Android a legitimate method for users to have access to root on their own devices, so that "rooting" becomes a thing of the past. It's not your right (nor anyone else's) to deny it.

Morgaine.

Re:Why does Android forbid root to the owner? (1)

Anonymous Coward | more than 2 years ago | (#38443494)

good rant.

It's just a pity that it's 100% factually incorrect.

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38443734)

How so? I have had no luck getting root on my Dell Streak 5* and Archos 43** simply to change the LCD density. Any apps to do that require root. It was a cinch to do on my first Android tablet, a Pandigital Novel, once I learned of the technique to gain root with an exploitable vulnerability. And that is the trick for getting basic control of your Android device: gaining root by means of EXPLOITing a vulnerability - just to have basic control like changing the LCD density or installing a quick-reboot app. Ridiculous!

* If I pursue it diligently enough, it appears I could root the Dell, but I have not wanted to mess with running Windows enough to go through all those hoops.
** The only working exploit a while back for the Gen 8 (whatever the 43 is?) Archos models was a mysterious EXPLOIT posted on xda-devs by someone calling himself "Archangel". That caused no end of discussion and anxiety as any number of gurus (and the rest of us) tried to figure out how it worked, as he never divulged how he did it - unlike most other root'ers. All that just to change some basic settings or get some convenient features only possible by means of rooting???

What other GUI-enabled OS is that locked down against its own users for such simple, legitimate functions ?? (dunno about iOS, but if so, that explains "jail breaking").

Re:Why does Android forbid root to the owner? (1)

bemymonkey (1244086) | more than 2 years ago | (#38445684)

Google didn't lock down your streak - Dell did. Same thing goes for the Archos thing... next time, buy Nexus or research properly (whether or not a viable root method is available for the device you intend to buy) before purchasing.

Of course, (IMO) this situation shouldn't exist in the first place - Google shouldn't be allowing carriers and manufacturers to lock down phones this way at all... but that's a different topic. :(

Re:Why does Android forbid root to the owner? (1, Informative)

0123456 (636235) | more than 2 years ago | (#38443560)

It's like owning a Linux desktop without root, or owning a Windows machine and not being allowed Administrator access.

Uh, 'Secure Boot', dude. With Windows 8 you will only have whatever control Microsoft allow you over the Windows computer you thought you owned... if they disable admin access in Windows 9, you won't be able to patch the loader to re-enable it because it will refuse to run.

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38443892)

And obviously Windows 10 will make you eat puppies and punch your grandma in the face! This is fun!

Oh wait, you were trying to be serious?

What are you smoking buddy? (2)

0ld_d0g (923931) | more than 2 years ago | (#38443906)

"Secure Boot" is nothing new. They had that over ten years ago in their Xbox game consoles. It's a simple chain of trust where the OS is loaded in a modular approach starting with the BIOS/UEFI handing off control to the next link only after cryptographically verifying its signature. It has nothing to do with "locking" you out. It's a method to be reasonably sure that the OS is not compromised w/o hardware access (disabling secure boot is a BIOS option IIRC). If they wanted to lock you out from admin, they would simply not ship the OS with any way to allow you to create an admin account. Secure boot is irrelevant here.

Without resorting to paranoid delusions and conspiracies I don't see how Microsoft benefits if you don't have admin access. As it stands on Windows you require admin access for dozens of important things like installing drivers, applications, system maintenance, debugging applications and many such tasks. Besides, Windows would never change the existing user & process privilege model if they want to continue to be backwards compatible with previous versions. Hell, they include a copy of the heap manager from W95 just so broken programs continue to work. http://technet.microsoft.com/en-us/magazine/ff625273.aspx [microsoft.com]

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38444372)

With Windows 8 you will only have whatever control Microsoft allow you over the Windows computer

Now you've ruined it for me. I was looking forward to Windows 8.

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38444400)

You're wrong and you're just repeating group-think about a feature that you don't understand. Get informed about secure boot and the TPE.

Secure Boot will allow you to boot code that the TPE recognises. This just means it needs to be signed by the correct key. I would expect that all of the commercial distributions of Un*x will have solutions for this because they'll be signed up and will have paid whatever it is to be a part of the group that gets signing keys.

If the signing keys for the TPE BIOS ever become public or accessible to people outside of the trusted circle, then the TPE will be useless because those with nefarious intentions will be able to produce correctly signed executable data that is infected.

I expect that Secure Boot will ultimately fail because someone in a position of responsibility will either unintentionally leak a key, create a path to the signing keys that is insecure or will simply be bribed into it.

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38443574)

Google's branded phones basically do provide root access. You have to enable it, but it's no more complicated than typing in a couple of commands. Don't blame them for what the carriers impose on other models.

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38445208)

Google's branded phones basically do provide root access. You have to enable it, but it's no more complicated than typing in a couple of commands. Don't blame them for what the carriers impose on other models.

No, you can unlock the boot loader on Nexus devices. You cannot root them by "typing in a couple of commands".

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38443658)

So why are we, the owners, forbidden direct root access to our own devices?

If having root access is important to you, then purchase a device that allows it. My Nexus S allowed me root access quite easily. I can also compile and install Android onto my device all by myself.

Re:Why does Android forbid root to the owner? (1)

mjwx (966435) | more than 2 years ago | (#38443716)

This is a question which doesn't seem to get asked much, probably because Google is an unmovable behemoth that's not really interested in the owners of devices, but only in advertisers. Nevertheless, it needs to be asked.

For years we've been saying that local users should never operate as administrator by default. Now someone is doing it, you're getting pissy? Double standards much.

Besides this Google has answered it. Root should be as simple as SU.

The enforcement of non-admin privileges is done by the Android manufacturer, they do it because the carriers demand it. Want to stop it, stop buying phones from the carriers and make sure they know.

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38445490)

For years we've been saying that local users should never operate as administrator by default. Now someone is doing it, you're getting pissy? Double standards much.

Android doesn't deny operation as root by default. It denies it altogether, because it does not provide a standard legitimate and fully supported "su" or root login app that would allow an owner to become root whenever they desire simply by entering a password.

Instead, the owner has to use unsupported and risky methods to crack their own device.

Imagine if you had to do that on your own desktop computer. It's totally not right.

Re:Why does Android forbid root to the owner? (0)

Anonymous Coward | more than 2 years ago | (#38445558)

Google enables you to install the superuser apk and binaries on all the Nexus phones. So, yeah. You're wrong.

Re:Why does Android forbid root to the owner? (1)

bemymonkey (1244086) | more than 2 years ago | (#38445668)

While I agree with your premise somewhat, you're confusing a few things.

Google's phones (Nexus) are all easily unlockable and rootable. That's no accident...

The problem is the carriers and manufacturers, who just love locking down their phones to turn them into featurephones with apps... no doubt, Google should be looking for a way to force complete openness on both the carriers and the manufacturers, but it looks like that might be far easier said than done...

Now if only Google would release Motorola's next few phones completely unlocked (fastboot oem unlock, or what was it?)... then I'll buy a Droid 5.

Re:Why does Android forbid root to the owner? (1)

Fri13 (963421) | more than 2 years ago | (#38447556)

There are many phones that are easily rootable, depending on the country where you live.

For example, all Android phones in my country are unlocked to carrier and SIM. So you can do whatever you want with them. Rooting a phone is just installing a root application and pushing a button.

And the user does not even void the warranty because of that, unless the problem is caused by software. (If your MicroUSB plug breaks so you don't get a good connection, it does not matter if you have a third-party ROM installed. But if your CPU burns and they find out you have a third-party ROM with a custom CPU scheduler and overclock... you don't get anything.)

Re:Why does Android forbid root to the owner? (1)

PolygamousRanchKid (1290638) | more than 2 years ago | (#38446082)

It's like owning a Linux desktop without root, or owning a Windows machine and not being allowed Administrator access.

. . . which is why I bought a Nokia N9 with Meego Linux. Do you want root access? Switch on "Developer Mode", which warns you of the risks, and you must press "Accept".

. . . and this is why I will (hopefully) buy a Tizen device in the future. A post recently to the Tizen mailing list stated something like, "This will be a real Linux distro, where you can do anything, not like Android."

There is no reason to whine, moan and complain that you have to jailbreak Android for root access. This is already well-known, clearly stated and is there for a good reason: not to let dumb-asses screw up their phones.

I prefer the Nokia N9 Meego model, which lets me choose to have root access, but makes me responsible for accepting the consequences.

Re:Why does Android forbid root to the owner? (1)

Fri13 (963421) | more than 2 years ago | (#38447582)

. . . which is why I bought a Nokia N9 with Meego Linux.

The N9 comes with Harmattan, aka Maemo 6.0.
MeeGo is Maemo 5.0 + Moblin 1.1.

Harmattan is not 100% compatible with MeeGo, and almost the only way is to use pure Qt in your applications, and even then repackage your software as RPM and DEB to deliver to both.

Even Nokia developers needed to explain that Harmattan != MeeGo, but it is just marketing....

There's a reason (0)

Anonymous Coward | more than 2 years ago | (#38443698)

They don't close "flaws" like this.

I run apk's superhost++ configuration (-1)

Anonymous Coward | more than 2 years ago | (#38443770)

and am immune to exploits on all platforms;

sorry android lusers, Windows Phone 7 + apk super++

== win.

apk


Erm (1)

ctnp (668659) | more than 2 years ago | (#38444766)

Couldn't find anything mentioned in this thread about how it was the _simulator_ he was demoing, not an actual device... Big difference.

Re:Erm (1)

Fjandr (66656) | more than 2 years ago | (#38445068)

The simulator was for ease of recording the video, not because that's the only place it was tested.


Maybe use only Opera or Firefox or (other browser) (0)

Anonymous Coward | more than 2 years ago | (#38445426)

So, Google has made a browser that ignores our rights to privacy... Are you surprised?

Maybe Opera (from Norway) or Firefox (from all around Earth) does not do that...

Does anyone know for sure if this exploit is possible in other, quality, Android-ready browsers?

I find this to be a good thing (2)

LostMyBeaver (1226054) | more than 2 years ago | (#38445534)

I did some experiments a long while back... the most interesting one was releasing a VNC viewer to Version Tracker which during installation popped up a huge license message which highlighted in bold print "Do Not Install This App... It includes a trojan and by clicking continue below, it will also gain root access and add the text 'Ha Ha Ha' to the heading of every Word and text document on your file system". It did not actually do that, but it did actually call home and provide statistics regarding the number of times the installer was opened, whether the user just clicked through, whether there was any form of anti-virus on the computer I knew how to check for, and then it would call home each time the VNC viewer was run afterwards. As a bonus feature, it also popped up a fake "look-alike" dialog to ask for the administrator password to install the program... it would then pretend the user typed something wrong and then pop up the real dialog. I didn't transmit the passwords... but I did collect stats of who actually typed their password.

Shockingly, because Mac users were so damn gung ho on how absolutely secure their OS was, there was an over 90% installation rate. 40% used the application more than once. It took 6 weeks for the app to be taken down... and people were still downloading it even though the comments screamed about how it was a virus.

Microsoft Windows 7 is EXTREMELY secure now because of several things...
    1) People DON'T trust Windows apps like they used to... they're skeptical about viruses.
    2) People run anti-virus software... which may be useless on zero-day bugs and often can be more harmful to the user experience than any virus they can block, but they run it.
    3) Microsoft bought a gazillion anti-virus vendors and has produced one of the best anti-virus programs I've ever seen... they give it away for free... they respond QUICKLY to new viruses and by having access to all system internals, produce applications that can remove even the nastiest viruses from the system.
    4) Microsoft now listens to their anti-virus group and makes changes to the OS to make it more secure from user blunder. Things like the ever annoying "Are you sure you want to run this app?" and also, in Windows 8, trying to deter the user from installing applications that are in their central online as harmful or incompatible.

Apple iOS is pretty damn secure because it's a bit harder for the vendor of a malicious app to get an app into the app store. If someone chose to add a virus/trojan/etc... to the app store, it's taken down very quickly if it's detected as such (unless we're talking about apple approved trojans) and the amount of information that has to be gathered on an app developer before they can publish an app makes it much harder to put things there without there being some recourse. Unlike the rest of the Apple Stores, it's not possible to purchase through PayPal. A developer has to use some identifying form of payment. Prepaid credit cards do however work... so if you get one of those and forge some info on it... you're good. Still... quite a big obstacle.

Mac OS X is still a rat's nest of security hell as almost no one installs anti-virus software on it. The anti-virus companies don't even take it seriously since the market for Mac sucks... most Mac anti-virus software really only checks to make sure you're not transmitting known Windows viruses through e-mail. People still trust it too much and the market for Mac is still probably heavily dominated by people who want to use FaceBook but can't find the 'Any Key'. They bought the Mac because the guy at the store said "You want a Mac because you don't ever have to worry about viruses" and they trusted the guy who was obviously a highly educated computer expert working for $10 an hour at a company who treats their employees like slaves and makes them wear a stupid blue shirt.

BlackBerry... haha, I won't even begin to bash how useless their device security is. What's even better is... people actually think it's secure because it is certified as secure. Umm... how cute :) Let's just say... it's secure with just the default applications on it. QNX is a great OS, but it's never been a true hacker target before. What's more is that the kernel source is still floating around from when it was open source. Let's not even mention that they made their own IP stack... when they were a rinky-dink 200-person company with over 50% of the developers working on deployment projects as opposed to kernel projects. Oh... and given their ass-backwards coding guidelines which include "Make it more complex than necessary because 100,000 lines of unmanageable code is far better than 40,000 lines of unmanageable code".

Too many people trust Android at the moment.... there IS NOT ENOUGH PARANOIA on the platform. Even if it's slander and bullshit, awareness needs to be raised about how Android is not secure.... even if it isn't as bad as it's made out to be. It WILL NOT cut back on the sales of Android phones. In a world where you can get Android phones in cereal boxes (intended as an exaggeration to make a point) they will keep getting out there like crazy. The point is... people need to know to be more careful about where they get their apps. They need to understand that just like every other platform... they need to make backups and they need to trust the vendors of the apps they download. Get them to stick to apps which have been out a little while. Wait a week or two before downloading an update to an app so that people who will recognize security holes will have a chance to check them out.

If you really want to "Score The Big Bucks"... make a telephone app for viewing Lookbook.nu and Chictopia. The primary audience for these sites is teenaged and young adult females that like to take pictures of themselves using their phones in the mirror. Then sell it to a porn site and give them a way to download the photos from the phones it's installed on. You can even stick huge warnings all over the app and it wouldn't matter... so long as it gives these girls their fashion fix and makes it easier to use... they'll use the app even knowing there's a virus in it. Hell, you can even put a nice big warning there saying "By using this app, you give the app permission to read and transfer items from your photo library". Hopefully, we are more honest than that... but I'm sure there are plenty of people out there who aren't.

Re:I find this to be a good thing (0)

Anonymous Coward | more than 2 years ago | (#38445712)

You know nothing of QNX. Their coders are good. Real good. About 10 years ago they had an x86 version of their OS that had a nice desktop environment, common network drivers, and a nice web browser. The entire thing booted and ran off of a 1.44 MB floppy disk. Their coding guidelines work very well.

Re:I find this to be a good thing (2)

minus9 (106327) | more than 2 years ago | (#38445758)

"Microsoft Windows 7 is EXTREMELY secure now because of several things...
1) People DON'T trust Windows apps like they used to... they're skeptical about viruses."


Windows is EXTREMELY secure because of its history of MASSIVE insecurity and the tens of thousands of viruses?

Microsoft logic at its finest.