Android's Hover feature is a data HOOVER

That took a while: Android's had Hover since Ice Cream, but boffins have taken until now to work out how to attack it. Hover is a set of interface calls that let application designers imitate mouse-over behaviours people know from PCs, and it only needs to be implemented on a phone or tablet to be vulnerable - whether or not a …

  1. P. Lee

    >Google will have to balance how to restrict Hover's permissions without crippling legitimate apps.

    How about: "Don't let notifications look like an application" or "Notification windows always include the application name" or "No transparent notifications" or even "all notification overlays are logged along with the application they overlay" for after-the-fact checking.

    Until an OS is built for the user rather than the producer, this kind of thing will be a problem.

    1. Michael Thibault

      >or even "all notification overlays are logged along with the application they overlay" for after-the-fact checking.

      Given the timing considerations, you wind up with a means to home in on such an overlay almost in real time. But what then?

      1. AMBxx Silver badge

        Or, force applications to use the OS system of notifications. Works pretty well in Windows 10 (waiting for the downvotes) where all the notifications are standard.

        1. Joe Werner Silver badge

          Re: Works pretty well in Windows 10 [..] the notifications are standard

          ... until MS changes the standard. :p (still no downvote from me - standardisation is a good thing in general)

          1. handle

            Re: Works pretty well in Windows 10 [..] the notifications are standard

            Yes indeed - that's why there are so many standards!

  2. Brian Miller

    ROTM, Machine Learning

    "A bit of machine learning was required to train the attack..."

    Oh, goody, the researchers have just trained our robotic overlords to capture our secrets! Even if we devise ways of securing the operating system and hardware from their nefarious goals, they have been trained by mad scientists to transparently capture our every finger movement on our fondle slabs.

    1. Anonymous Coward

      Re: ROTM, Machine Learning

      >the researchers have just trained our robotic overlords

      Did they really? Or was it just fancy algos and some brute forcing to see what worked?

      These days, if you want a few column inches you ALWAYS use the term "machine learning", because artificial intelligence is soooooo last century.

  3. Anonymous Coward Silver badge

    So, Android should:

    1: rate-limit notification windows (a good thing irrespective of this issue)

    2: when an app shows an overlay (transparent, or 1% opacity etc, but actually just always do this), implement a darkened background to it. That way the app that's being targeted will appear to the user to be disabled so they'll wait for the notification to clear.

    Simples

  4. Planty Bronze badge

    bbbzztt wrong. Try again.

    "That's where the SYSTEM_ALERT_WINDOW permission comes in. People routinely allow apps to use this permission, because it lets them get a popup when a new text message arrives – or a new Facebook notification."

    From Android SDK.

    SYSTEM_ALERT_WINDOW

    Added in API level 1

    String SYSTEM_ALERT_WINDOW

    Allows an app to create windows using the type TYPE_SYSTEM_ALERT, shown on top of all other apps. Very few apps should use this permission; these windows are intended for system-level interaction with the user.

    1. Anonymous Coward

      Re: bbbzztt wrong. Try again.

      What are you claiming is wrong?

      Despite the API documentation, this permission is requested by a broad set of apps (including Facebook, Messenger, LastPass, Link Bubble, MusixMatch), and people _do_ routinely grant permission for it.

  5. allthecoolshortnamesweretaken

    Well, let's just switch to using

    a rotary dial cellphone or

    a rotary dial smartphone.
