Yet another Android app security bug: This time 'everything is affected'

Yet another potentially serious security flaw has been revealed in Android. This time the problem involves the mobile operating system's ability to run more than one app at once – as opposed to its handling of multimedia messages, which was the crux of a cyber* of vulnerabilities last month. The latest security blunder opens …

  1. Stella Duvel
    Linux

    A flap of flaws?

    1. Anonymous Coward

      A fucket of flaws.

    2. Bob Vistakin
      Facepalm

      A Corbyn of flaws.

      Its heart is in the right place, but ultimately its policies cannot work in the real world and will destroy the very thing it strives to uphold.

  2. bluefin333

    A scrubbing of flaws?

    1. Irony Deficient

      flaw vs. floor

      bluefin333, it doesn’t work as well for speakers of rhotic dialects.

      “A scourge of flaws” was my first thought, but since “scourge” is already used with mosquitoes, I’d go with “a knout of flaws” instead.

      1. Michael Wojcik Silver badge

        Re: flaw vs. floor

        >since “scourge” is already used with mosquitoes

        You do know this whole collective-noun nonsense is just a Victorian parlor game, right? There's no law that prevents reusing one of these middlebrow witticisms.

    2. Daggerchild Silver badge

      Nice :) A 'Scrubber' will let theReg slip more double-entendres in tho ;-)

  3. Anonymous Coward

    Many

    A giraffe of exploits?

    (you'd be sticking your neck out to say there are not more)

  4. chivo243 Silver badge

    old term?

    shed load? a sandbox full of Lincoln Logs?

    1. Anonymous Coward

      Re: old term?

      A "metric f*ckton". As opposed to the old "imperial f*ckton" which is slightly larger, but harder to convert to Blue whales.

  5. Anonymous Coward
    Joke

    But...but..but...

    it's Linux, it has no flaws!

    1. Necronomnomnomicon

      Re: But...but..but...

      Linux running Java, it's a lovely sturdy wooden desk that someone's put their horrible woodworm colony on.

      1. P. Lee

        Re: But...but..but...

        >Linux running Java, it's a lovely sturdy wooden desk that someone's put their horrible woodworm colony on.

        ... and then placed outside in the park under a tree with low-hanging branches, right next to the street.

  6. Zog_but_not_the_first
    Facepalm

    In God's name

    And people carry out - are encouraged to carry out - financial transactions on their phones.

    1. charlie-charlie-tango-alpha

      Re: In God's name

      +1 to that

      But regardless of whether or not there is any remotely exploitable vulnerability, trusting a bloody phone for sensitive transactions is just loopy. The damned things get lost and stolen.

      http://www.ibiblio.org/Dave/Dr-Fun/df9604/df960410.jpg

    2. chivo243 Silver badge

      Re: In God's name

      Sitting here in a tinfoil hat, I never use mobile banking, and am slightly paranoid about even using a personal workstation for financial transactions.

      I remember the day back in the 80's I got my first ATM card, wow what a technology. I didn't need to visit the cutie at the teller window. I was told "It's designed to keep banking costs down???" I'm afraid to know how much the mobile technology adds to the monthly fee/per transaction fee the banks continue to charge, and reap profit.

    3. Anonymous Coward

      Re: In God's name

      I pay my bills. So if someone wishes to pay mine for me on my phone, then more to them for the effort.

      How they could turn that into paying themselves, I leave to the banks to sort out. No doubt they will help with that feature soon enough.

  7. Fraggle850

    But where's the attack vector?

    I assume this would require malicious code to be installed on a device in order to leverage the internal multitasking? Not defending weak security practices in the Android environment, just curious.

    By the way thumbs down for 'cyber' as a collective noun, just doesn't feel right.

    How about a skynet of flaws? ROTM and all that, might work particularly well in an IOT context? Conveys a sense of impending menace as we surrender bit by silicon-hewn bit to our robot overlords

    1. Anonymous Coward

      Re: But where's the attack vector?

      guess the exploit would be via apps that haven't been properly vetted either in official stores or third party stores.

      1. Fraggle850

        Re: But where's the attack vector?

        Aye, but it would be nice to have that covered in the article. They've not identified any software exploiting said bug, have they? One would like to think that app stores would be checking for this...

      2. P. Lee
        Unhappy

        Re: But where's the attack vector?

        >the exploit would be via apps that haven't been properly vetted

        The whole thing is designed to provide a way to download random software from people you don't know, have no relationship with and certainly aren't (intentionally) paying any money to. What could possibly go wrong?

        We measure trust by relationship cues, but IT replaces personal and real relationships with a mediated, crippled proxy for real ones. The trust measures therefore will always be garbled. If I go into a bank branch, I have a building (which I may recognise) and staff (again, whom I may recognise - or if I don't, I have confidence that someone does and would stop interlopers) which implies some investment and permanency. On a computer (of any sort) I have a little picture of a logo. If I install stuff on a Windows computer, I'm fairly sure Mr Gates or Mr Cook haven't approved the action and I get little warnings ("admin privileges required"). On a phone, the phone vendor appears to have curated and certified apps which he is now encouraging me to use. There are no warnings about "admin privileges required" or "this may harm your computer." "GET" and "Download Now" is all over the place and the full-screen nature of applications further gives the impression that if you can't see an app, it isn't running.

        I get that security is a hard problem, but knowing that, there should have been extra care taken in OS design, not dumping it all on the J/Dalvik/whatever VM which was originally designed to run trusted enterprise applications on protected servers. It feels as though we're back with IE6.

        Most depressingly of all, the outsider in the mobile game, who is likely to need to be the most innovative and could use security as a USP to gain a foothold, is MS, and they have decided just to ape the others. They could have re-written Windows for mobile as Apple re-wrote IOS from OSX. MS could have rewritten Windows to build on all the things we have learnt about security, but they haven't. They just want to reuse existing code. It's the very worst of accountancy-driven product development and ignores the users' requirements, stated or not. At least Apple try to anticipate users' needs. They may be locked into a mobile model with no incentive to change, but MS is not. As for Google, they've got profits, they should at least be hiring extra bodies for code review.

    2. Michael Wojcik Silver badge

      Re: But where's the attack vector?

      >thumbs down for 'cyber' as a collective noun

      Yes. Could we please, please, please stop abusing the "cyber" prefix? It meant something when Wiener coined the term "cybernetics". Now the idiots have largely ruined it, but that's no justification for participating in this particular barbarism.

  8. Adze

    A facepalm of security flaws?

  9. Chronos

    Tip o' the hat to Mr Pratchett

    "An embuggerance of flaws."

    1. Michael H.F. Wilkinson Silver badge
      Happy

      Re: Tip o' the hat to Mr Pratchett

      In the name of preserving the good Anglo-Saxon tradition of alliteration (Beowulf and all that), I would turn that into

      "An embuggerance of exploits"

      Doffs hat (the Panama, today) to both Powernumpty and the late great Sir Terry Pratchett

  10. PCS

    If this was a Microsoft story you would all be tearing them apart.

    1. petur
      Mushroom

      nah, we're used to hearing this stuff from Microsoft, that's why their security issues don't even get on news sites any more, it would get boring...

    2. Anonymous Coward

      >If this was a Microsoft story you would all be tearing them apart.

      I hope we are ripping Android to shreds. We get fixes for Microsoft products for at least several years. I might as well chuck my practically new Samsung phone in the bin.

      And I don't believe the blame should just attach to the tardy phone manufacturers and operators - this is as much a consequence of the design of the Android ecosystem.

      1. Daggerchild Silver badge

        Re: >If this was a Microsoft story you would all be tearing them apart.

        Yup. But unless you're Apple and do an end run around the whole damned game, that is how you have to start.

        "Scuse me Samsung, Nokia, Sony, do you mind if I wrap your products in my branded software layer, which I control and will change when I like, without needing to check with you? *SLAM*"

        Now we're into the next phase, with the populace demanding that Google take monopoly control over their phones. Just like Apple already has with theirs. Monopolies are cool, apparently.

        1. asdf

          Re: >If this was a Microsoft story you would all be tearing them apart.

          >Monopolies are cool, apparently.

          Not really but regular security updates sure are.

      2. Loud Speaker

        Re: >If this was a Microsoft story you would all be tearing them apart.

        I get fixes for my two year old, carrier supplied, Samsung phone every few weeks. You must be doing it wrong.

        I also get frequent notifications of "Security Policy Updates" - I have no idea what these are supposed to do, nor whether they are malicious - so I have to assume they are. If someone wants me to take a security update seriously, they had better tell me what the change is, who they are, and how I can prove that they are not lying. I am really not thrilled at having my "security policy" updated by Goog, let alone hackers.ru or gchq, and if it is Samsung or 3, then they need to come clean about what the changes are. A "Security policy update" that allows my phone to put random charges on my bill without me knowing is not an attractive option.

        1. This post has been deleted by its author

  11. Michael H.F. Wilkinson Silver badge
    Coat

    A Fright of Flaws?

    Just my tuppence

  12. Anonymous Custard

    A wall of flaws?

    Unless you get to a ceiling of them of course...

  13. NP-HARD

    Frottage

    ... of flaws

  14. Caff

    Python

    Following on the tradition of appropriating terms used in Python sketches (spam)

    I propose 'lurgy' instead of 'cyber' as used in the Goon Show. To be preceded by 'Dreaded' when required.

    1. Alister

      Re: Python

      You can't get the wood, you know...

  15. Anonymous Coward

    A Fractal Defect

    A defect which brings to light a certain architectural flaw, exposing entirely new classes of exploits and their variations.

    1. Daggerchild Silver badge

      Re: A Fractal Defect

      Ooh, yes, a fracture of flaws. Maybe a rending. Could dip into nearby earthquake terminology too.

  16. I_am_Chris

    An alphabetti spaghetti of flaws...

    As per subject

  17. Anonymous Coward

    a fellatio of flaws...

    Sucks to be Android right now...

  18. JimmyPage Silver badge
    Coat

    A storey of flaws ?

    Anyway, all of this seems to underscore what I said nearly two years ago, after messing around on the fringes of Android (because my wife has accessibility issues).

    Android is a great toy operating system. But it's not ready for any real work.

    Having bought a new phone, with a much later version of Android, I'm still of that opinion.

  19. JASR

    a clutch of flaws.

    As Google scramble to clutch the straws of security

  20. This post has been deleted by its author

    1. Irongut

      Re: It's a Cluster F**K !

      I was just about to suggest a clusterfuck of flaws myself.

      1. Ken Hagan Gold badge

        Re: It's a Cluster F**K !

        I suspect that "Mongolian" or a "Mongolian horde" will pass through censorbots more easily.

      2. Daggerchild Silver badge

        Re: It's a Cluster F**K !

        Maybe a flustered cluck before watershed?

    2. Notas Badoff
      Devil

      Re: It's a Cluster F**K !

      Rather, it's a fucket full of flaws.

      (for the non-bit-fiddlers, that's only one picked bit different)

    3. xybyrgy

      Re: It's a Cluster F**K !

      Absof**kinglutely!

  21. Cosmo

    An Omnishambles of flaws

    Kinda sums it up
