Pull the kill switch
<schmidt>Android more secure</schmidt>
Google has pulled multiple Android apps that relied on a popular mobile app library that posed a severe security risk. The ad library, codenamed “Vulna” (or Ap Vulna") by FireEye, the net society firm that uncovered the threat, aggressively collects sensitive data as well as being able to perform dangerous operations such as …
And you won't find that problem on windows mobile since there are no 3rd parry apps ;-) [I'll await the flames - I'm joking...but somebody had to do it]
Childish tech jokes apart, there is an element of truth in it. Fewer apps mean fewer holes. But as the windows app store grows the same issues will haunt it. You've got insagram, whataapp and ...I forget the other one all arriving soon so its gaining some traction from bigger players so expect the holes to start appearing as others jump aboard.
And just in case you didn't pick it up from the articles this is a 3rd party library (not android os) so the same will inevitably happen on windows phone at some point.....
"But as the windows app store grows the same issues will haunt it." - not likely. Like iOS, Windows Phone apps have to go through a registration and clearing process before they go up on the store - the "walled garden" that so many are so quick to decry, but none-the-less does a pretty decent job of protecting the masses.
... as opposed to Android, where (at worst case) all I have to do is convince users to check a checkbox in the settings then download and install an app from my website that could be *anything*. Even when going through an official channel eg: Google Play, all I have to do is upload my app and hit publish.
I'm not saying that the walled garden approach is totally secure - there will always be some loopholes that those with enough time and determination will find a way to exploit. But it is many times more secure against opportist script-kiddies.
The tech-savvy may moan and wail about the "closed" nature of the walled garden until the cows come home - in some cases because they have a genuine need for full openness, others as just a knee-jerk reaction to anything that is closed/Microsoft/Apple/not Linux/[insert preference here]. But your average user - who knows next to nothing about keeping their device secure - is the target audience here, and Google would do well to remember this before they end up with as bad a reputation for phone security as Microsoft have/had on Windows PCs.
" ... Google would do well to remember this before they end up with as bad a reputation for phone security as Microsoft have/had on Windows PCs."
It didn't exactly stop Windows becoming somewhat successful, though, did it?
(OK, we're not quite comparing like with like - there hasn't been a reasonable option to Windows*, but there are options to using Android.)
*Sorry, FOSS advocates - if they were reasonable options in the minds of purchasers/users, then there would be more being used.
"It probably was until Amazon was stung with the "1984" scandal. Suddenly, people wondered: if the app stores can remove apps from my device, what's to say they could abuse it to, say, remove sideloaded apps?"
Like an image scraper that publishes my selfies from my photo albums to their portal?
Quite. Back in 2010 IIRC (and as this link points out) : http://readwrite.com/2010/06/25/google_activates_android_kill_switch_zaps_useless_apps
I'd have thought they could remove the app from the phone, unless there are paid for app issues - but if you don't "return/uninstall" an app after 15 mins nowadays, you're money is gone anyway.
They can still add/remove stuff - system stuff too,
A few months ago, gmail was removed from my /system partition - I had to install the latest version as an app.
I thought I was going mad, but they helpfully left behind a little log file showing the activity.
Did anyone bother to proof-read this in between copying and pasting from the press release?
A few pointers:
- Sentences shouldn't start with 'But'
- You don't need a comma between the final element of a list and the 'and'
- 'It can also performs dangerous operations' makes no sense
- 'a skilled hackers' makes no sense
- I'm not sure what 'unsecured HTTP' means. I know what unencrypted HTTP is, though...
- There are various clunky and awkward phrases dotted around the place
I don't claim to be anywhere near perfect, but I can at least make myself understood. Can we have this article sorted, please?
In all fairness, you can start a sentence however you like, whether you like the style is up to you, but it's not unusual in less formal writing to start with "But", "However" or the like.
I'm quite partial to the Oxford comma too, it's certainly an established and accepted bit of punctuation.
My post probably fails to live up to so many of the rules we were taught as children too, but I rebut those rules thus: sod it.
So's "however" and "on the other hand," yet these are considered improper to follow a comma. You need at least a semicolon for these if not a full period. I recall these aren't well-suited to precede an adverb (think "But lately..."). Also, one needs to consider the degree of connection between the previous and current statement, as a comma-conjunction or a semicolon imply a strong connection which you may not want if the connection is looser, but you still need to indicate that the following statement somewhat contradicts the former. What could you use besides "but" or "yet"?
"- You don't need a comma between the final element of a list and the 'and'"
Such a comma is permitted if your style manual allows for it. It's optional, in other words.
When introducing a list with a colon, it's usual to separate items in that list with line-final semi-colons (ignoring the line-initial character, or any capitalisation on the items, for the moment). Furthermore, the semi-colon after the penultimate item in the list is usually followed by " and"—and, of course, the list is terminated with punctuation of some kind, usually a full stop.
If you re-read my post, you'll notice that I wasn't actually trolling (though I did leave myself well open to the light roasting).
It's just that I've seen more and more articles like this recently - I'm sure I'm not the first to pick El Reg up when they slip from their usually high quality, and I certainly won't be the last. The pedantry endemic to the commentarati is what makes this place, after all.
I'm wondering about the viability (and advisability) of outsourcing the proofreading and correction of El Reg articles to the commentardiat. There would need to be some parameter tweaking by the official Reg staff and some heavy initial scoring, along with an algorithm for determining which commentards were given the tasks, etc. You know what would be needed ......
Grammatically correct responses would be appreciated.
I wonder why nobody says what it is.
1.8% is a lot of apps so I assume it's one of the more popular replacements for admob. But given the horrific set of permissions most adware libs demand, I'm surprised many app authors would ever use them. The potential for abuse (and the damage to the app's reputation) must be pretty high.
Yeah, it's nice that they've contained any future damage, but could we please have a list of the affected apps! Just because updates have been made available, doesn't mean they've been installed and I, for one, don't like allowing auto-update. I'll update (or remove) the affected apps if I know what they are and if I have them.
We should be told to ensure we are not on the list of compromised people. I would prefer to change my passwords everywhere now if I knew I had been snooped than wait till they start using what they slurped.
Maybe someone should start cataloguing the Google App Store so we can see what has vanished.
Late? Try plain wrong...
Trouble is that everyone is bitching about Microsoft's lack of security in the past and just not realising that exactly the same thing is happening all over again with Google and Android.
Stop living in the past and focus on what has the potential to become a Windows-sized security problem on mobile!
> Stop living in the past and focus on what has the potential to become a Windows-sized
> security problem on mobile!
Potential? I think we're pretty much there - not least because Google have limited appetite not to let it happen. Given Google's business model with Android, so long as droids continue to be activated and linked to Google accounts, why *should* they care?
No surprise if the black-hatted ones move as double-plus-quickly as possible to ensure that each and every planted bad-thing stays where put for as long as possible. (Time is money, after all.) There being so many new, neat, and nifty things you can do with the data to be found on mobile, the problem is likely to end up being much, much bigger than security on Windows was.
Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.
People need to give themselves a shake and stop using MS products!
I'm pretty sure I have seen this posting a few times in the past in Apple or Android or Linux threads.
An evil bizarro leprechaun version of Eadon?
... that a library named "wound" does harm?
I can't help feeling that if I were distributing a library that contained malware I'd name it for something warm and comforting , rather than "wound". We can hardly claim not to have been warned!
[Latin: vulnerare: to wound or pierce with a weapon.]
There's one already, annd it's FREE - not only can you get it to scan all installed apps, it can also scan apps as you install them.
It can even be set to link in with the 'play store' app, and warn you about an app when you simply visit it's store page.
Whilst its name gives clue to it's original purpose, it now covers most (all?) of the main ad providers, and also reports generic suspicious activities (e.g. 'Warning: The ball-bounce game you have just installed has permissons to raid your bank account and take the soul of your first born' etc.)
I don't know if it particularly targets this 'unnamed ad sdk' but it probably does - a note to the developer could confirm this.
I have no affiliation, just a satisfied user etc.
More details, and link to the play store here:
In theory, the google has the information to warn you if you may be at risk. In reality, guck foogle and the horse you rode in on.
Here's a related story from Japan. It's from a couple of months ago, which mostly proves that the google is too EVIL to fix or even look at such problems even AFTER the barn door has been left open.
Today I'm actually in the same prefecture where the criminals were arrested. There were (at least) 7 of them (as reported to the public), led by a poker shark, which I translate as a professional gambler and probably yakuza (a kind of professional criminal in Japan, sort of like being in a biker gang, but generally with better discipline). The scam involved a number of Android apps, some of which had apparently been available on the Google Play website for a long time. There were a variety of apps, none of which were labeled "software supporting crime". Surprise, surprise.
After the story hit the papers and Web, I actually contacted the police to see if they could identify the apps. The vague report indicated that several of them were games of the sort that I might have tried for the sake of Japanese study. I'm not surprised that the police couldn't answer, but I also pursued the matter with the google. I accept that the police are not especially competent when it comes to cyber-crime, but the google has no excuse save being EVIL.
By the way, I used to think it wasn't the google's fault. They are forced to play the game by American rules, which means according to laws that are written by the most easily bribed politicians working for the (tiny minority of) least ethical and greediest businessmen. Of course large American companies are basically forced to become evil just to survive. Then I found out that the google has become a large, probably the largest, lobbyist among high-tech companies. That is the google's fault. EVIL is as the google does.
Why not tell us if we are at risk for the crimes the google sponsored? Evidently because we don't work for the NSA.
OK, why wasn't this something all the security software providers were all over? I would think, especially those who pay for their security software, that they should have been notified of this security breach in the apps that they scan. On the other had I am certain that the security software industry is in the Android market just to turn a quick buck while providing minimal if any security at all.
Biting the hand that feeds IT © 1998–2019