Half of Android devices open to silent hijack

Hacker Zhi Xu has found that seemingly legitimate apps can unleash a hidden dark side to compromise almost half of all Android devices. The Palo Alto Networks senior engineer says legitimate Google Play apps can establish a kind of beachhead on devices that can be invaded by a second app installed from legitimate third party …

  1. Andrew Jones 2

    Potentially open to attack......

    While half might be running a version of Android that is vulnerable - half certainly haven't enabled the option to allow installs outside the Play Store.

    1. Mike Bell

      Yes, there's something to be said for a walled garden.

      1. phil dude
        WTF?

        yes until....

        the gardeners don't want to let someone else plant prettier flowers, or let you grow mint.

        I install f-droid for GPL apps, and I'll bet that the Google Play store doesn't allow them because it is not built with their closed-source malware library with the click-jack "YOU HAVE A VIRUS" show_us_your_privates(phonehome, victim).

        Walled gardens only work if you are allowed to tend a bit of the garden and you trust the landlord....

        P.

    2. Anonymous Coward

      Hopefully you will be able to upgrade to Windows Phone soon.

    3. Anonymous Coward

      Users should upgrade to at least Android 4.4 to avoid being exposed.

      Yea, like Android phone makers keep the version of Android on the phones they sell up to date.

      I'm talking to you, Samsung.

      1. Ken Hagan Gold badge

        Re: Users should upgrade to at least Android 4.4 to avoid being exposed.

        This, especially at the bottom end of the market.

        I bought a Samsung Galaxy Fame earlier this month, new, running 4.1.x and it tells me that there is no update, which I dare say is true for a Clintonesque interpretation of "is".

        One could argue that a phone, designed to be connected to the public network, isn't fit under the Sale of Goods Act if no-one patches the known bugs.

    4. Anonymous Coward

      "Half of Android devices open to silent hijack"

      The rest presumably beep a few times...

  2. Robert Helpmann??
    Childcatcher

    Upgrade Now!

    Users should upgrade to at least Android 4.4 to avoid being exposed.

    In practical terms, this translates to "buy a new phone" for at least most people in the US who own a vulnerable device. How cynical mobile providers are not to bother patching customers' phones! I have been wondering when there is going to be a flurry of class action suits filed to get them to send out updates on a reasonable timetable. Or just because it's the US, you know...

    1. naive

      Re: Upgrade Now!

      I can be wrong, but as a former Android fanboi, this mobile OS seems a bad hoax from Google.

      Upgrades... don't even think about it, still having 4.1.4 on a 2 yo former high-end phone.

      The permissions that apps from the Google Play shop request are ridiculous. Google does not check a thing in there; apps for wifi monitoring request permission to read calls, SMS and pictures. And things seem simple, just deny apps by default access to this personal data, but then, there will be a business model behind it.

    2. Arachnoid

      Re: Upgrade Now!

      Should the lock manufacturer keep providing upgrades to purchasers because the lock they bought with a one-off payment many years ago has been proven to be easily defeated? Of course not. As per other software vendors like MS, upgrades are only provided for a short term.

  3. tony2heads

    moral

    Don't use Amazon store

    1. sabroni Silver badge

      Re: moral

      Or don't buy a phone with an OS that doesn't get security updates.

      1. Anonymous Coward

        Re: don't buy a phone with an OS that doesn't get security updates.

        With my cynic's hat on, it often seems like this should really be translated to the somewhat shorter "don't buy a phone".

        1. Anonymous Coward

          Re: With my cynic's hat on

          iOS gets security patches. WinPhone gets security patches. Even Firefox phones get security updates apparently. What are you trying to say? If I can't have Android then I don't want a phone?

          1. Anonymous Coward

            Re: (updates) If I can't have Android then I don't want a phone?

            There's updates, and there's updates that are timely, frequent (if needed), and that arrive over the lifetime (or an approximation thereof) of the phone. My - cynical - impression has rather been that very few vendors/OS's manage the better sort - but then perhaps I am mistaken. Is a security update really worth its name if it's weeks or months late? And with a phone it's not like you can be reasonably expected to DIY a (temporary) solution as you might with a PC.

            You're a hostage to the vendor, and the security updates are late (again). Putative future updates don't make your phone secure right now. Hence my cynical remark (but perhaps if I could justify the spend on an iPhone I could be just a little smug instead?)

      2. Planty Bronze badge

        Re: moral

        Running Android 5.1 here. Android OS gets updates just fine thanks....

        Don't believe the Internet or Apple...

  4. Anonymous Coward
    FAIL

    Ha ha ha ha haah hah haaa

    Good one....

    "Users should upgrade to at least Android 4.4 to avoid being exposed"

    1. Anonymous Coward

      Re: Ha ha ha ha haah hah haaa

      Came to say the same / post a FTFY: "Operators should release an update to 4.4 to protect their customers."

      Unfortunately I've been laughing for the last hour and you beat me to it.

  5. This post has been deleted by its author

    1. Anonymous Coward

      That's not really the same thing. That is not a vulnerability in the system; you are saying you want to export the key. There's no point in exporting it to somewhere you can't get to, and if you can get to it, so can any nasties.

      The problem isn't with PGP's export process; it's that you'd already been infected by something monitoring that folder with malicious intent. I would be more concerned about how this malicious software got onto the device than PGP exporting keys to user-readable space.

      You're right about storing the APKs in world-writable space though, and personally I think SD card access needs better access control. As it stands now, you have a read/write to the external storage permission, which gives you full access to all of it, regardless.

      1. This post has been deleted by its author

        1. Anonymous Coward

          @ 1980s_coder "why I am arguing with an Anonymous Coward?"

          Just as a passing remark, and not as any reflection on the content of your post, but from my perspective there's very little difference between a generic AC and your pseudonym here.

          I don't know the background of the AC, nor do I know yours. Neither of you have shown us a CV (where at least you might make in-principle falsifiable claims as to your expertise), or supplied personal references which we might check to judge your track record. I suppose with you at least I might look at your other attributed posts, but who's to say what you might post at other times as AC? And maybe the AC here often posts quite useful remarks under their preferred name/pseudonym?

          I suppose, therefore, you are just arguing with an Anonymous Coward because you think they are wrong? :-) So make your points (as you have), and their accuracy and/or relevance will have to stand on their own merits. Just like the AC did.

          1. This post has been deleted by its author

            1. phil dude

              Re: @ 1980s_coder "why I am arguing with an Anonymous Coward?"

              mod up. I reply to AC only to correct obviously (IMHO) incorrect information.

              I think allowing MathML might help a bit too ;-)

              P.

    2. deive
      Boffin

      The correct way of doing this is to use sharing intents - you write the file to export to your internal app directory (only accessible by that app).

      Then you give the receiver of the share intent the rights to read that file (see http://developer.android.com/reference/android/content/Intent.html#FLAG_GRANT_READ_URI_PERMISSION)
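
The export pattern described in the comment above, as an added example that is not part of the comment or of any app discussed in this thread. The class name `KeyExporter`, the provider authority and the `exports` directory are hypothetical; it assumes the AndroidX `FileProvider` is declared in the manifest as described in the leading comment.

```java
// Added example; KeyExporter, AUTHORITY and the "exports" directory are hypothetical names.
// Assumes AndroidManifest.xml declares a non-exported androidx.core.content.FileProvider
//   with android:authorities="com.example.keyexport.fileprovider" and
//   android:grantUriPermissions="true", whose FILE_PROVIDER_PATHS resource contains
//   <paths><files-path name="exports" path="exports/" /></paths>
package com.example.keyexport;

import android.app.Activity;
import android.content.ClipData;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class KeyExporter {
    private static final String AUTHORITY = "com.example.keyexport.fileprovider";

    private KeyExporter() {}

    /** Writes data to app-private storage and shares it with one user-chosen receiver. */
    public static void export(Activity activity, String fileName, byte[] data)
            throws IOException {
        // getFilesDir() is internal storage: other apps can neither read nor replace the file.
        File dir = new File(activity.getFilesDir(), "exports");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, new File(fileName).getName()); // drop any path components
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(data);
        }

        // Hand out a content:// URI instead of a path; nothing is written to /sdcard/.
        Uri uri = FileProvider.getUriForFile(activity, AUTHORITY, out);

        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType("application/octet-stream");
        send.putExtra(Intent.EXTRA_STREAM, uri);
        // The URI grant flag applies to the intent's data and ClipData, so set ClipData too.
        send.setClipData(ClipData.newRawUri(null, uri));
        // Temporary, read-only grant that reaches only the component receiving the intent.
        send.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        activity.startActivity(Intent.createChooser(send, "Export to"));
    }
}
```

With this arrangement an app holding only the external-storage permission has nothing to watch or overwrite, which is the access-control gap raised earlier in the thread.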

  6. User McUser
    FAIL

    Not Correct

    The Palo Alto Networks senior engineer says legitimate Google Play apps can establish a kind of beachhead on devices that can be invaded by a second app installed from legitimate third party stores like Amazon.

    The above quoted line from the article incorrectly asserts that this vulnerability affects the Google Play app store, whereas the actual report says:

    [Android Installer Hijacking] only affects applications downloaded from third-party app stores.

    and goes on to explain that this is because:

    Google Play downloads Android packages (APKs) to a protected space of the file system. Third party app stores and mobile advertisement libraries usually download APK files to unprotected local storage (e.g. /sdcard/) and install the APK files directly.
