Are they going to wait 90 days and then publish demo code?
A couple of related vulnerabilities on the Google Play Store have left Android users vulnerable to malware-slingers. Security watchers warn that an X-Frame-Options flaw – when combined with a recent Android WebView (Jelly Bean) bug – creates a means for hackers to silently install any app from the Google Play store. Tod …
Wednesday 11th February 2015 14:30 GMT Mike Flugennock
Wednesday 11th February 2015 14:55 GMT Anonymous Coward
Wednesday 11th February 2015 15:50 GMT Dave Fox
Re: Say what you want about Apple's walled garden...
Really? Not a dig at iOS or the Apple AppStore, but these sorts of vulnerabilities aren't just Android specific.
I suspect in the case of this particular Android flaw, the issue is likely to be fairly limited since it states that it silently downloads apps from Google Play. Given these are scanned for malware (although I'm not suggesting it has 100% efficacy), it should really limit the exposure to malware.
Wednesday 11th February 2015 17:35 GMT chasil
Microsoft, PLEASE fork Android!
The difference here is that, unlike Apple updates, Google has no intention of ever patching this vulnerability, and has flatly refused to do so.
If you want to fix this flaw, Google thinks that you should buy a new phone.
Microsoft tried this stance a decade ago, and finally came to Patch Tuesday after great reluctance.
I wish that we had Patch Tuesday for Android. I think Microsoft could give it to us. Google hasn't suffered enough to redesign Android to make this possible. I would trust Microsoft's capabilities in this area far more than any other (potential) Android player.
And I would love to run Microsoft Cyanogenmod. I think that would work, and I'm glad they're putting money into it.
This post has been deleted by its author
Thursday 12th February 2015 08:52 GMT RyokuMas
Re: Microsoft, PLEASE fork Android!
"Google thinks that you should buy a new phone."
Isn't it the carriers that ultimately determine when/if you get an updated version of Android on your phone?
Also, patch Tuesday works for Windows because Microsoft have total control over it - hardware vendors can install their own skins and applications, but it's still the same Windows underneath. Given that vanilla Android is open source, and even Google-droid still gives the hardware manufacturers a lot of room to maneuver, I don't think that an equivalent would be feasible for Android - not without turning it into another walled garden, which even Google doubts would be successful.
Wednesday 11th February 2015 17:47 GMT asdf
More reinforcement that my experiment to run Cyanogenmod without Gapps was the way to go. You can get virtually everything you would ever need (at least I was able too) with F-Droid and if need be Amazon app store. I did it mostly to avoid Google's 24/7 spying but security is just an extra bonus. It is nice to go under settings>account and not see one single account.
Wednesday 11th February 2015 18:34 GMT Jes.e
Re: Cyanogenmod ftw
Right. Avoid Google spying by using the Amazon app store..
You do realize that any Amazon purchased Android app will stop working in a month if it can't report back to the mothership right?
Amazon wraps the app in its DRM which requires frequent checking in unless Amazon has changed their software model.
I'm also guessing that Amazon collects usage statistics as the do so because.. big data. Why not.
Yes. Amazon cares much more for your privacy then Google (anybody) does..
Wednesday 11th February 2015 19:33 GMT asdf
Re: Cyanogenmod ftw
The difference is as you mention you can actually turn off (not open) the Amazon store unlike Google's always on services/frameworks. I don't have any purchased apps on that phone so DRM is not a problem (and you are going to open the app occasionally anyway to check for app updates). You can also easily control the data the app collects because unlike Google's stuff its just another non root non system app. Not saying Amazon is not evil just their app is not allowed to bury itself any near as deep into the OS and can be controlled with existing tools much easier.
Wednesday 11th February 2015 17:52 GMT ItsNotMe
Another case of the Pot calling the Kettle Black
"Google Threatens to Air Microsoft and Apple's Dirty Code"
Really Google? Well it sure is a good thing that you don't have any "dirty code" in any of your products.
Thursday 12th February 2015 01:00 GMT eulampios
Re: Another case of the Pot calling the Kettle Black
Well it sure is a good thing that you don't have any "dirty code" in any of your products.
I am sure they have, however, they would appreciate (not rage at, for certain) if anyone finds some little dirtiness in their code and products, including Microsoft, and most probably would fix it within 90 days, unlike that big, old-fashioned, unwieldy colossus, our ... you know who :)