Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Android Master Key Vulnerability Checker Now Live

timothy posted 1 year,17 days | from the free-anonymous-testing dept.

Security 76

darthcamaro writes "Last week, Rain Forrest Puppy (aka Jeff Forristal) first disclosed the initial public report about an Android Master Key flaw. Code was released earlier this week for attackers to exploit the flaw — but what about users? Google has claimed that it has patched the issue but how do you know if your phone/carrier is safe? Forristal's company now has an app for that. But even if your phone is not patched, don't be too worried that risks are limited if you still to a 'safe' app store like Google Play. 'The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application. "It all comes down to where you get your applications from," Forristal said.'"

cancel ×

76 comments

Even the Android fanboys know (3, Insightful)

MoronGames (632186) | 1 year,17 days | (#44250175)

That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!

Re:Even the Android fanboys know (3, Interesting)

h4rr4r (612664) | 1 year,17 days | (#44250293)

1. People seem to not care. This is why I only buy Nexus devices though.
2. Totally correct.

I wish google would use their leverage over the android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it you would be in the same boat there.

Re:Even the Android fanboys know (1)

jeffmeden (135043) | 1 year,17 days | (#44250573)

1. People seem to not care. This is why I only buy Nexus devices though.
2. Totally correct.

I wish google would use their leverage over the android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it you would be in the same boat there.

Except, that is exactly what Google is doing. This vulnerability is being patched by pushing updated apps directly to the phones via the shadowy Google "remote control", and the carriers don't need to do anything about it. My handset was patched as soon as the Google updates started rolling out, and my carrier could care less.

Re:Even the Android fanboys know (1)

h4rr4r (612664) | 1 year,17 days | (#44250653)

I more meant for vulnerabilities in the phones non-writeable partitions. /system is normally mounted read only. So if you need to patch something more basic to the OS, I would assume a carrier would be standing in the way.

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44250793)

I more meant for vulnerabilities in the phones non-writeable partitions. /system is normally mounted read only. So if you need to patch something more basic to the OS, I would assume a carrier would be standing in the way.

Not that it is impossible, but it has yet to happen which makes the hubbub about slow OS-level updates rather overblown.

Re:Even the Android fanboys know (2)

h4rr4r (612664) | 1 year,17 days | (#44250839)

What do you think root exploits often are?

Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them their is a shiny bunny or sexy woman in the application.

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44251193)

What do you think root exploits often are?

Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them their is a shiny bunny or sexy woman in the application.

Yes, but my question was where are these root exploits that are going unpatched at the OS level? Sure, it would be "Better" if any vulnerability at any level were able to be reliably patched very close to the moment of discovery, on any affected device. The reality is much different, obviously, and that leads us to judge design by way of performance. And to that end, the security of Android has performed very well, considering the distinct lack of "wildfire exploits" akin to what we see in the PC realm.

Re:Even the Android fanboys know (2)

h4rr4r (612664) | 1 year,17 days | (#44251315)

RageAgainsttheCage was one it, used an adb setuid exhaustion attack, and there was a udev exploit. These were patched in AOSP a long time ago, but some devices never got updates that closed these holes.

The android app store keeps these things from being put in apps from there, but nothing stops them from ending up in alternative (read pirate) app stores.

Sure the fact that most people never enable third party apps and stick to the google store keeps them mostly safe. It simply would be better to go ahead and patch the devices as well.

Re:Even the Android fanboys know (1)

Dishevel (1105119) | 1 year,17 days | (#44251489)

What do you think root exploits often are?

Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them their is a shiny bunny or sexy woman in the application.

I am very ok with those people getting infected.

Re:Even the Android fanboys know (1)

Beardo the Bearded (321478) | 1 year,17 days | (#44251617)

Sexy bunny woman? Where do I click?

WHAR LINK WHARE?

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44251329)

My Nexus 7 is unpatched/vulnerable and there are no system updates available for my tablet so it is up-to-date.

Re:Even the Android fanboys know (1)

h4rr4r (612664) | 1 year,17 days | (#44251385)

You are basing this on what exactly?
What OS version are you running?

Re:Even the Android fanboys know (1)

Anonymous Coward | 1 year,17 days | (#44251487)

I am basing the fact that I am vulnerable on the Bluebox Security Scanner app linked in this article. My Nexus 7 is running Android 4.2.2

Re:Even the Android fanboys know (1)

Rob Y. (110975) | 1 year,17 days | (#44254795)

Ditto. My Nexus 4 has never received an OS update (unless it does this silently, which My old Nexus One never did).

Anyway, it's running 4.2.2 with a build date back in January.

Re:Even the Android fanboys know (1)

Rob Y. (110975) | 1 year,17 days | (#44254815)

That said, and even though I'm rooted (hey, is that why I haven't gotten any updates - I'm still on the stock ROM), I don't believe I've been hit by this exploit. Has anyone?

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44250401)

Wait. So 'open' isn't automatically, and innately good? The ability to side-load apps has its own, unique dangers?

Wow. It's almost like the iOS users actually knew what they were talking about!

Re:Even the Android fanboys know (1)

h4rr4r (612664) | 1 year,17 days | (#44250731)

So the mere risk of something bad happening means you have to give up control to someone else? It's almost like personal responsibility is totally dead!

Re:Even the Android fanboys know (-1)

Dishevel (1105119) | 1 year,17 days | (#44251541)

So the mere risk of something bad happening means you have to give up control to someone else? It's almost like personal responsibility is totally dead!

Get out from under your rock.
Look around. Hot coffee is something to sue over. Everything is someone else s fault and they must pay.
Warning labels designed to warn those with less brains than an earthworm. Cities that want to mandate the size of your drinks and if you can have salt on your table.
Personal health insurance mandates. Unemployment forever. Participation awards.
No one is expected to be responsible for their own behavior. It has been this way for many years and it is only getting worse.

Re:Even the Android fanboys know (1, Insightful)

h4rr4r (612664) | 1 year,17 days | (#44252773)

That hot coffee lawsuit was not frivolous. This is an urban legend, they had been cited many times since it was too hot to safely drink. She suffered serious burns and required skin grafts.

Personal health insurance mandates are personal responsibility. You not having insurance and using the ER then skipping on the bill costs me and other insured folks money.

Unemployment does not last forever, and employed folks are paying for it. I sure as hell expect to be able to collect from an insurance policy I buy.

Re:Even the Android fanboys know (1)

Dishevel (1105119) | 1 year,16 days | (#44261595)

It was frivolous. People got that coffee BECAUSE it was that hot. We got it because it lasted the commute. I knew it was really fucking hot. It was not her first time getting coffee there. She made the decision to purposely buy that coffee having already known how hot it was. They coffee temperature did not come as a surprise to her. If I buy something that I know is really hot and decide to buy it anyway then I spill it, it would be my fault. Only in the last 20 - 30 years have we been so ingrained as a people that we are responsible for nothing that happens in our lives.

Re:Even the Android fanboys know (1)

h4rr4r (612664) | 1 year,16 days | (#44261641)

The coffee was undrinkable, it would have cooked your insides.

You can't sell a product not fit for purpose. Personal responsibility would have been McDonalds covering all her bills and giving her a nice settlement with no lawsuit. Instead McDonalds wanted someone else to cover their debts.

Re:Even the Android fanboys know (1)

Dishevel (1105119) | 1 year,15 days | (#44270343)

So you are saying that she did not ever have McDonalds coffee before? That she had no knowledge of the fact that their coffee was considerably hotter than that sold by most other chains? Or. Are you saying that regardless of the fact that she made an informed decision, it still must be the rich guys fault.

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44250871)

Yes, removing training wheels have its own, unique dangers.

It doesn't mean welding them on is best idea ever.

Re:Even the Android fanboys know (1)

sjames (1099) | 1 year,17 days | (#44251323)

With great power comes great responsibility.

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44250449)

From TFS:

But even if your phone is not patched, don't be too worried that risks are limited if you still to a 'safe' app store like Google Play.

What language is this in?

Re:Even the Android fanboys know (0)

RaceProUK (1137575) | 1 year,17 days | (#44251061)

Engilsh

Re:Even the Android fanboys know (3, Funny)

somersault (912633) | 1 year,17 days | (#44251667)

It's in a dialect of English usually known as Careless Autocorrect

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44250525)

My old Nexus One on factory reset (back to 2.x) is now currently running the newest Google Play store application without me needing to do anything asides from connecting to the Internet and waiting a few minutes. This means I'm protected because this master key business as this is a Play Store issue.

Individual applications are updated individually and do not require a complete OS upgrade. What kind of stupid assumption / design would you have if you needed to use the system-wide/OS patcher for a bug in a single application? Oh wait, never mind.

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44250553)

That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!

Troll. Google is patching this via the play store, bypassing the carriers. Even phones that will never see another carrier update will get this patch, if they don't already have it.

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44250867)

That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!

Troll. Google is patching this via the play store, bypassing the carriers. Even phones that will never see another carrier update will get this patch, if they don't already have it.

Idiot. The bug is that a malicious application can inject their own code (or data, or whatever) into an already installed application. The APK's cryptographic signature would then be invalid because the contents have been altered, but the OS doesn't actually recheck before executing.

Re:Even the Android fanboys know (1)

Beardo the Bearded (321478) | 1 year,17 days | (#44251599)

Your smart phone IS a computer, FFS.

My new G3 has a dual-core 1.5GHz processor, 2G RAM, and 80G of SSD on a 720-line display.

My old netbook has a dual-core 1.5GHz processor, 2G RAM, 256 SSD and a 600-line display. (Until a month ago, it was my primary computer.)

They both run Linux (CM and Ubuntu, respectively). They both play movies. The phone will play better games than the netbook. I can carry the phone around and have it track my bike rides and runs.

They aren't phones. They're socially acceptable computers that happen to be able to make phone calls. We figured out what, 20 years ago, that if you DL ph@t w@r3Z... half the time it's real, half the time it's a virus.

Split-screen (1)

tepples (727027) | 1 year,17 days | (#44254607)

I agree that an Android smartphone is a personal computer. But when you plug your smartphone into an HDMI cable, how many windows can you keep open on the screen at once? Like you, I own an Android device and an Ubuntu netbook, in my case a Dell Inspiron mini 1012. When I'm programming on my netbook while riding the bus to and from work, I routinely split the screen down the middle to see the source code on the left and the output, another source code file, or documentation on the right. I imagine that even non-programmers find it useful to see both the document you're referring to and the document you're writing. But Google has strongly resisted any sort of split-screen feature in stock Android.

Re:Split-screen (0)

Anonymous Coward | 1 year,16 days | (#44256847)

I agree with you. An Android smartphone is a personal computer with a shitty OS.

Re:Even the Android fanboys know (1)

Beorytis (1014777) | 1 year,17 days | (#44251985)

That said, do not download things from untrusted sources!

Especially a thing claiming to be "Vulnerability Checker".

Re:Even the Android fanboys know (0)

Anonymous Coward | 1 year,17 days | (#44252045)

My Nexus 4 is unpatched (and has the latest OTA update), so I'd say good luck to anyone who thinks they might have a patch... if I don't, who the hell does?

Re:Even the Android fanboys know (1)

bill.e.gloat (948787) | 1 year,16 days | (#44259923)

I only ever install from the Play Store with the single exception of the Avast Anti-Theft app. While Avast AV itself comes from the Play Store, I have to enable the option for downloading from untrusted sources to get the Anti-Theft portion. Why is that? (It seems poor design, but I assume there's a good reason.) I figure that if I trust Avast for AV than I should be able to trust their instructions for Anti-Theft. I always disable the untrusted sources feature immediately after the install/update, but I still wonder if I'm vulnerable during that time. Can other apps already installed leverage that window for malice?

Is there an App to check for bogus APKs? (1)

Jah-Wren Ryel (80510) | 1 year,17 days | (#44250189)

For people who are stuck with vulnerable phones it should be possible for an app to scan the .apk you are considering side-loading and checking if it is a trojan using this particular vulnerability.

Re:Is there an App to check for bogus APKs? (2)

Jerry Atrick (2461566) | 1 year,17 days | (#44250321)

It should be easy to catch the package installed/updated broadcast and intercept exploits immediately after they install but before they can execute. About 20lines of Java should do it.

The other interesting aspect of this exploit is you could automatically strip the malware payload and recover the safe, original apk, or a close enough facsimile of it.

Re:Is there an App to check for bogus APKs? (0)

Anonymous Coward | 1 year,17 days | (#44250457)

I suspect Google already does this if you choose to use their built in APK scanner.

Re:Is there an App to check for bogus APKs? (1)

Jerry Atrick (2461566) | 1 year,17 days | (#44251485)

If they have any sense the built in scanning will detect the malformed APK before allowing it anywhere near the installer service... it is trivially easy to detect.

Re:Is there an App to check for bogus APKs? (1)

raburton (1281780) | 1 year,17 days | (#44251939)

I would assume opening the file in your favourite zip tool and checking there is only one classes.dex file should be sufficient.

Re:Is there an App to check for bogus APKs? (0)

Anonymous Coward | 1 year,12 days | (#44291583)

norton halt.

Master key? (1)

synackpshfin (1622285) | 1 year,17 days | (#44250223)

I have no idea what the mentioned 'master key' is supposed to be.
AFAIK the actual exploit is using duplicate filenames which aren't checked against hashes upon installation of apk...

Re:Master key? (3, Informative)

Andy Dodd (701) | 1 year,17 days | (#44250273)

That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.

Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.

Re:Master key? (2)

jeffmeden (135043) | 1 year,17 days | (#44250651)

That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.

Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.

Why should that get in the way of a good story? "Master key" sounds like something that will grant anyone access to your device, any time they want, without your permission, and plays so well with the "Android devices take months/years to get patched" meme. Which is all much more salacious than the reality, considering that only apps intentionally sideloaded by the user (After deactivating the default protection) can run with unchecked permissions, IF you havent gotten the Google Play Store updates yet, which are pushing out with quite rapid speed.

Re:Master key? (1)

chowdahhead (1618447) | 1 year,17 days | (#44255283)

My understanding is that the Play store was patched, so this vulnerability can't be exploited for apps uploaded to and downloaded from there. The AOSP patch addresses the part of Jellybean that verifies the cryptographic signature of sideloaded apps. That has to be updated on the device end--it's the "Verify Apps" option in the security menu. It's not part (yet?) of Google Play Services; it works without GApps installed. However, if you don't download .apk's from the internet, which 99.9% of people don't do, then it's immaterial whether your device is patched because that function isn't being used anyway. So you're absolutely right that it was blown out of proportion.

Re:Master key? (1)

Andy Dodd (701) | 1 year,16 days | (#44263435)

" The AOSP patch addresses the part of Jellybean that verifies the cryptographic signature of sideloaded apps. That has to be updated on the device end--it's the "Verify Apps" option in the security menu."

Nope. Those are two separate things. The "Verify Apps" operation applies some or all of the same Play Store checks to sideloaded apps, and I believe is only available with gapps installed (I'll poke at that this weekend.)

The signature verification is part of the core Android system (even without gapps) and has been since long before that "Verify Apps" feature existed.

If the signature verification vulnerability is patched on a given device, the "verify apps" and Play Store scanning becomes unnecessary (but still a good idea for defense in depth)

If the signature verification vulnerability is not patched on a given device, the "Verify Apps" function should still act as a line of protection for sideloads.

Guarrantee (-1)

Anonymous Coward | 1 year,17 days | (#44250255)

So, if I download an app from Google Play, I can always trust that it doesn't do harmful things, like collect data from my device, etc? No? That's what I thought. The whole model of having binary apps in an app-store is completely broken. It fells like Windows 95 all over again.

Re:Guarrantee (0)

Anonymous Coward | 1 year,17 days | (#44250363)

i agree one hundred percent/ its gonna be a long time untill i feel safe again

risks are limited if you still to a (0)

Anonymous Coward | 1 year,17 days | (#44250291)

"don't be too worried that risks are limited if you still to a 'safe' app store like Google Play"

It's like I'm in third grade all over again. Thanks, Slashdot!

MITM (2)

SirJorgelOfBorgel (897488) | 1 year,17 days | (#44250337)

I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:

http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885 [slashdot.org]

I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with checksum gotten from the HTTPS API, but somethow I doubt it.

Re:MITM (0)

Anonymous Coward | 1 year,17 days | (#44250619)

I tried Googling this issue, and I couldn't find any sources to back it up. Seems like someone would have mentioned it...

Just tried adding a block on HTTP and play.google.com to my router and nothing seems to have changed.

Re:MITM (1)

PNutts (199112) | 1 year,16 days | (#44256493)

I tried Googling this issue, and I couldn't find any sources to back it up. Seems like someone would have mentioned it...

Try Bing. ;)

Re:MITM (1)

Applekid (993327) | 1 year,17 days | (#44250889)

I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:

http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885 [slashdot.org]

I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with checksum gotten from the HTTPS API, but somethow I doubt it.

A feature at the request of the NSA or your local union spook agency.

so in other words... (0)

Anonymous Coward | 1 year,16 days | (#44259441)

So the comment you quote essentially says that unsecured downloads from untrusted locations are not secure and should not be trusted. Who would have thank. News at 11.

The real problem still remains (0)

Anonymous Coward | 1 year,17 days | (#44250459)

The real problem here remains unsolved, which is the way that any app can be cracked open using ApkTool, messed with in creative ways, then packaged again and signed with the crackers own keys. It's pretty unbelievable how straightforward and robust this works out with most any app from Play Store or wherever, paid or not.

Re:The real problem still remains (1)

Knuckx (1127339) | 1 year,17 days | (#44250649)

And what prevents you from doing this with any executable file format, be it APK, EXE, ELF or JAR? Diassemblers, unpackers and resource editors exist for all of those file formats. If you can run it, you can edit it, unless the format/architecture is totally undocumented.

Re:The real problem still remains (1)

Jerry Atrick (2461566) | 1 year,17 days | (#44251581)

The signing isn't meant to stop that, it's meant to stop updates to installed apps being replaced by malware. Re-signing won't let you update an installed app, you have to trick the user into uninstalling first. Which usefully can't be done for system apps by non-rooted users. Can't directly be done by any user.

Ultimately all signing does is verify that your still dealing with the packager of the existing installed copy. The chain of trust still depends on trusting the first install, with this bug you're now reliant on checking each update hasn't been tampered with as well as checking the signature is the same. Good thing its so easy to spot tampering.

Establishing trust through SSL CAs (1)

tepples (727027) | 1 year,17 days | (#44254661)

The chain of trust still depends on trusting the first install

There are ways to establish trust for the first install even if it is not from Google Play Store. For example, if I download the APK of VLC from https://www.videolan.org/ [videolan.org] then I'm piggybacking on the SSL CA infrastructure, which assures me of one of the following:

  • A. The APK is authentic.
  • B. Somebody compromised www.videolan.org and uploaded a trojan.
  • C. A man in the middle compromised the private key of www.videolan.org and my Internet connection.

How likely are the scenarios other than A?

Conflict of interest? (1)

140Mandak262Jamuna (970587) | 1 year,17 days | (#44250641)

So this flaw affects mostly app stores competing with Google marketplace. Not fixing this bug would give an edge to Google's marketplace. Though it is orders of magnitude different, this was similar to a situation early in the days of IE-vs-Netscape fights in the early days.( IIS and IE would work around each other's bugs making other web servers and browsers appear to be broken). How is Google handling it?

In some strange way Google is having the cake (open and competing app stores, instead of the total lock down on the Apple-iOS side of things) and is eating it too (its app store is less vulnerable than its competition due to its own bugs).

In the long run, having reliable and competent competition is what going to create lasting value to the customers, keep Google on its toes and keep it nimble. So if Google is really not evil and if it is interested in long term success, it should not take short cuts to maintain an edge over competing app stores. Hope it does.

Re:Conflict of interest? (0)

Anonymous Coward | 1 year,17 days | (#44250849)

Not fixing this bug would give an edge to Google's marketplace

I'd say fixing it does too. What will users remember after this issue is fixed?

I bet the TL;DR version will be "use only Google Play."

Re:Conflict of interest? (1)

Merk42 (1906718) | 1 year,17 days | (#44250885)

The flaw doesn't affect 3rd party app stores any more than it does Google's. The issue is that an app store could host an app that takes advantage of said bug. As the Play Store is the most trustworthy to not do this, it is the recommended store.

Permissions (0)

8Complex (10701) | 1 year,17 days | (#44250845)

Simple enough, if your app knows what it needs to do, there is no need for "Full Network Access". I smell scam app.

Re:Permissions (0)

BasilBrush (643681) | 1 year,17 days | (#44251219)

Android is a phone for ordinary consumers. 13 year old girls, middle aged builders, grandparents, everybody. Do they all know that "Full Network Access" is a clue that it might be a scam app?

Re:Permissions (1)

Beardo the Bearded (321478) | 1 year,17 days | (#44251783)

A lot of people don't read that.

My co-worker has a taxi company's app. They want full permission for everything. I didn't load it.
https://play.google.com/store/apps/details?id=com.appbuilder.u66459p124918 [google.com]

Same with the Cineplex app. Way too many permissions for something that's just showing a ticket:
https://play.google.com/store/apps/details?id=com.fivemobile.cineplex&hl=en [google.com]

Re:Permissions (0)

Anonymous Coward | 1 year,17 days | (#44252477)

Isn't it disturbing that to point out issues like in the comments, one actually has to install (or at least "send" it to install -thinking I got around that once by turning off the tablet, making the comment, then somehow canceling the installation...) the app. So much for "peer review" if negative.

Privately (1)

tepples (727027) | 1 year,17 days | (#44254863)

People who choose not to install can always contact the application's developer privately.

Permission rationales (1)

tepples (727027) | 1 year,17 days | (#44254923)

Most of the permissions on the Cineplex app are perfectly justifiable. "Full network access" is needed to contact the payment processor and venue to buy your ticket. "Add or modify calendar events" is to remind you when the event for which you bought a ticket is about to occur. "Take pictures and videos" appears to be needed for scanning barcodes on tickets and related documents. And perhaps "precise location" is used for getting directions to the venue. My only suggestion is to make Google Play Store require the application publisher to add an explicit rationale for each permission it uses.

Re:Permissions (2)

Miamicanes (730264) | 1 year,17 days | (#44253493)

> Simple enough, if your app knows what it needs to do, there is no need for "Full Network Access". I smell scam app.

Or an app that, like 98% of the free apps in Android Market, embeds Google's ads in the app. Then it needs full network access, coarse location, and read phone state & identity, among other things. It's the killer flaw in Android's permissions system... to serve ads from any common ad network, you have to practically give the app complete access to everything.

Instead of embedding ad-handling into apps, ad-supported apps should require the installation of a content-provider app for the ad network (common to all apps using it) as a prerequisite, register itself with Android as an ad service provider, then allow apps declaring a permission like "Communicate with Advertising Service" to blindly embed content from that service provider into the app as a black box that the app itself can't influence or communicate with (so an app can't try to leak user information back to its own servers using the ad network as a backdoor). THEN, we could have apps with no app-related need to access the internet that declared only "Communicate with Advertising Service" as a permission, and a separate set of permissions for the Android-firewalled adserver content provider that would be unable to communicate directly with the ad-displaying app.

CM 10.1.1 (2)

Riddler Sensei (979333) | 1 year,17 days | (#44251039)

For those running Cyanogenmod this has been patched in 10.1.1 [get.cm] .

Re:CM 10.1.1 (1)

Miamicanes (730264) | 1 year,17 days | (#44253363)

Here's the scary part -- 10.1.0rc5 is STILL the latest non-nightly build you can get for d2att (AT&T Galaxy S3), and it's ABSOLUTELY still vulnerable. I just ran the checker app now. :-(

Re:CM 10.1.1 (1)

Riddler Sensei (979333) | 1 year,17 days | (#44253451)

Huh, are these d2att stable builds [get.cm] not what you're looking for?

It is about the appstore you use. (2)

briancox2 (2417470) | 1 year,17 days | (#44251103)

If it's about the appstore you use, then F-droid has a leg up. Unlike Google's, everything on F-Droid has had human eyes look at what it does.

Re:It is about the appstore you use. (0)

Anonymous Coward | 1 year,17 days | (#44252413)

everything on F-Droid has had human eyes look at what it does.

With zero guarantee anyone besides the auhtor(s) have actually checked the code line by line.

Re:It is about the appstore you use. (1)

briancox2 (2417470) | 1 year,16 days | (#44261907)

While the only guarantee on Google's is that no one has checked a single line of the code, besides the author.

F-Droid, games, and anti-features (1)

tepples (727027) | 1 year,17 days | (#44255039)

According to this post [f-droid.org] , using any of the anti-features [f-droid.org] will hide an application from most users. How should one fund the development of, say, a video game to be distributed to users who have switched to F-Droid without putting in ads (which requires the "Ads" anti-feature) or charging for mission packs after the first (which requires the "NonFreeAdd" anti-feature)?
Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...