A flap of flaws?
Yet another Android app security bug: This time 'everything is affected'
Yet another potentially serious security flaw has been revealed in Android. This time the problem involves the mobile operating system's ability to run more than one app at once, as opposed to its handling of multimedia messages, which was the crux of a 'cyber' of vulnerabilities last month. The latest security blunder opens …
COMMENTS
Thursday 20th August 2015 16:26 GMT chivo243
Re: In God's name
Sitting here in a tinfoil hat, I never use mobile banking, and am slightly paranoid about even using a personal workstation for financial transactions.
I remember the day back in the 80's I got my first ATM card, wow what a technology. I didn't need to visit the cutie at the teller window. I was told "It's designed to keep banking costs down???" I'm afraid to know how much the mobile technology adds to the monthly fee/per transaction fee the banks continue to charge and reap profit.
Thursday 20th August 2015 15:07 GMT Fraggle850
But where's the attack vector?
I assume this would require malicious code to be installed on a device in order to leverage the internal multitasking? Not defending weak security practices in the Android environment, just curious.
By the way thumbs down for 'cyber' as a collective noun, just doesn't feel right.
How about a skynet of flaws? ROTM and all that, might work particularly well in an IoT context? Conveys a sense of impending menace as we surrender bit by silicon-hewn bit to our robot overlords.
Friday 21st August 2015 02:19 GMT P. Lee
Re: But where's the attack vector?
>the exploit would be via apps that haven't been properly vetted
The whole thing is designed to provide a way to download random software from people you don't know, have no relationship with and certainly aren't (intentionally) paying any money to. What could possibly go wrong?
We measure trust by relationship cues, but IT replaces personal and real relationships with a mediated, crippled proxy for real ones. The trust measures therefore will always be garbled. If I go into a bank branch, I have a building (which I may recognise) and staff (again, whom I may recognise - or if I don't, I have confidence that someone does and would stop interlopers) which implies some investment and permanency. On a computer (of any sort) I have a little picture of a logo. If I install stuff on a Windows computer, I'm fairly sure Mr Gates or Mr Cook haven't approved the action and I get little warnings ("admin privileges required"). On a phone, the phone vendor appears to have curated and certified apps which he is now encouraging me to use. There are no warnings about "admin privileges required" or "this may harm your computer." "GET" and "Download Now" is all over the place and the full-screen nature of applications further gives the impression that if you can't see an app, it isn't running.
I get that security is a hard problem, but knowing that, there should have been extra care taken in OS design, not dumping it all on the J/Dalvik/whatever VM which was originally designed to run trusted enterprise applications on protected servers. It feels as though we're back with IE6.
Most depressingly of all, the outsider in the mobile game, who is likely to need to be the most innovative and could use security as a USP to gain a foothold, is MS, and they have decided just to ape the others. They could have re-written Windows for mobile as Apple re-wrote iOS from OS X. MS could have rewritten Windows to build on all the things we have learnt about security, but they haven't. They just want to reuse existing code. It's the very worst of accountancy-driven product development and ignores the users' requirements, stated or not. At least Apple try to anticipate users' needs. They may be locked into a mobile model with no incentive to change, but MS is not. As for Google, they've got profits, they should at least be hiring extra bodies for code review.
Friday 21st August 2015 15:06 GMT Michael Wojcik
Re: But where's the attack vector?
thumbs down for 'cyber' as a collective noun
Yes. Could we please, please, please stop abusing the "cyber" prefix? It meant something when Wiener coined the term "cybernetics". Now the idiots have largely ruined it, but that's no justification for participating in this particular barbarism.
Thursday 20th August 2015 15:43 GMT Anonymous Coward
>If this was a Microsoft story you would all be tearing them apart.
I hope we are ripping Android to shreds. We get fixes for Microsoft products for at least several years. I might as well chuck my practically new Samsung phone in the bin.
And I don't believe the blame should just attach to the tardy phone manufacturers and operators - this is as much a consequence of the design of the Android ecosystem.
Thursday 20th August 2015 21:57 GMT Daggerchild
Re: >If this was a Microsoft story you would all be tearing them apart.
Yup. But unless you're Apple and do an end run around the whole damned game, that is how you have to start.
"Scuse me Samsung, Nokia, Sony, do you mind if I wrap your products in my branded software layer, which I control and will change when I like, without needing to check with you? *SLAM*"
Now we're into the next phase, with the populace demanding that Google take monopoly control over their phones. Just like Apple already has with theirs. Monopolies are cool, apparently.
Friday 21st August 2015 20:15 GMT Loud Speaker
Re: >If this was a Microsoft story you would all be tearing them apart.
I get fixes for my two year old, carrier supplied, Samsung phone every few weeks. You must be doing it wrong.
I also get frequent notifications of "Security Policy Updates" - I have no idea what these are supposed to do, nor whether they are malicious - so I have to assume they are. If someone wants me to take a security update seriously, they had better tell me what the change is, who they are, and how I can prove that they are not lying. I am really not thrilled at having my "security policy" updated by Goog, let alone hackers.ru or gchq, and if it is Samsung or 3, then they need to come clean about what the changes are. A "Security policy update" that allows my phone to put random charges on my bill without me knowing is not an attractive option.
Thursday 20th August 2015 15:28 GMT JimmyPage
A storey of flaws ?
Anyway, all of this seems to underscore what I said nearly two years ago, after messing around on the fringes of Android (because my wife has accessibility issues).
Android is a great toy operating system. But it's not ready for any real work.
Having bought a new phone, with a much later version of Android, I'm still of that opinion.