Another way to read this is that users are so easy to trick, it's not worth coding complicated intrusion techniques...
Google claims ‘massive’ Stagefright Android bug had 'sod all effect'
Despite shrill wailings by computer security experts over vulnerabilities in Android, Google claims very, very few people have ever suffered at the hands of its bugs. Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted …
COMMENTS
-
Wednesday 15th February 2017 12:22 GMT Mikel
Finally a sane article on Android security
As I've been saying for quite some time. Real people with real Android who get their apps from Google Play just don't have this problem. It's shifty third party app stores, apps from websites emails and torrents that do. Or we would know about it. And if you let Google scan your third party apps, seldom even then.
But now the Microsoft shills will come and shout "secure software is unpossible!" - because they refused to believe they've been using shoddy quality low security poorly engineered software this whole time.
And again: antivirus and firewalls are snake oil. They are worse than useless. They are completely the wrong answer to security.
-
Wednesday 15th February 2017 14:24 GMT Anonymous Coward
Re: Finally a sane article on Android security
"Real people with real Android who get their apps from Google Play just don't have this problem. It's shifty third party app stores, apps from websites emails and torrents that do"
Oh really?
A simple search of tech news suggests Google Play has frequently been found to be hosting malware of various types:
http://www.zdnet.com/article/gooligan-android-malware-grabs-a-million-google-accounts-in-huge-google-play-fraud/
http://www.ibtimes.co.uk/google-removes-13-android-apps-play-store-infected-brain-test-malware-1537049
https://blog.lookout.com/blog/2016/09/16/embassy-spyware-google-play/
https://www.grahamcluley.com/advertising-trojan-100-android-apps-google-play-store/
...and many others...
-
Wednesday 15th February 2017 15:34 GMT William 3
Re: Finally a sane article on Android security
As soon as people make unfounded allegations about other people being shills (usually a main competitor) if they dare disagree with them, I know that it's them who is the shill.
Cast your mind back, and remember them as the kid in class that used to drop farts and make really loud noises about it being someone else.
The really good ones at doing this end up in corporate PR or politics.
-
Wednesday 15th February 2017 16:46 GMT sabroni
Re: As soon as people make unfounded allegations about other people being shills
It's not unfounded to read someone's post and say "that makes you sound like a shill". It's understandable when all they're saying is "See! I told you so! This product is great!!".
I very much doubt the OP is paid by Google, but his cheerleading does smack of salesman.
-
Wednesday 15th February 2017 17:08 GMT Charlie Clark
Re: Finally a sane article on Android security
Mikel,
I agree with most of what you say but I think Jason Bloomberg below makes the better point. People harping on about security flaws in Android aren't necessarily Microsoft (or more likely Apple) shills or fanbois. They're more likely to be just excitable users or occasionally journalists writing clickbait. All software companies should take security seriously. In the Android eco-system this is acknowledged to be less Google's problem than the manufacturers' and I don't see it improving without regulation.
Sometimes you have to go outside the Google Play Store – I do it to get stuff that is geo-blocked for some reason – and this should be possible in any market. Google handles this correctly by disabling it by default but allowing the user to disable it.
Anti-virus products are mainly fig-leaves but can be useful for some users even if they only spot VBA mischief. Firewalls, depending on your definition, can be very useful, but, yes, there is also an industry that has spotted a niche by scaring rather than educating users.
-
Wednesday 15th February 2017 19:05 GMT Mikel
Re: Finally a sane article on Android security
~ Sometimes people go outside the Play Store
And if you do that, and you haven't disabled Verify Apps, the app will be verified by Google. If it's known to carry nastiness, it is blocked. If other people who install it drop off the system too often, it is blocked. If it contains any known form of nastiness, it is blocked (a rare form of legitimate malware scan, the app is scanned once per version not once per installation or run). If there's anything at all suspicious about it, it's flagged for review. Then you have to give specific permission for it to have access to features and you can decide if you trust the author and publisher with those features only - not the whole device.
And if you install it anyway, or disable the Verify Apps feature, or give it access to features that it shouldn't need, then you can't say it's a software insecurity that you suffer the consequences of that choice.
Don't pretend it's just the app store that's protecting people. It's a lot more than that.
-
Wednesday 15th February 2017 20:29 GMT David Lawton
Re: Finally a sane article on Android security
You do know that Stagefright was exploited by sending a specially crafted picture message? Did not need a dodgy app installed, the OS was vulnerable to it out the box.
I am surprised a tool to exploit this did not end up in the wild and made easily accessible. Would have been interesting if it had.
-
Wednesday 15th February 2017 21:25 GMT TheVogon
Re: Finally a sane article on Android security
"But now the Microsoft shills will come and shout "secure software is unpossible!" - because they refused to believe they've been using shoddy quality low security poorly engineered software this whole time."
No, it's not "unpossible" - at least to a degree:
http://news.softpedia.com/news/white-hat-hacker-claims-windows-phone-is-the-most-secure-mobile-platform-495841.shtml
http://news.softpedia.com/news/Kaspersky-Says-Windows-Phone-Is-the-Most-Secure-Mobile-OS-483901.shtml
etc.
-
Monday 20th February 2017 03:06 GMT Planty
Re: Finally a sane article on Android security
Indeed, I have never ever seen a single Android device infection, yet deal with malware infested Windows devices day in day out.
In many people's eyes, Android is the Windows of the mobile world, which is frankly ridiculous, and makes them appear like either a rabid fanboy, a nutter, or a pleb.
I personally blame security researchers, who seem to want to either sell snakeoil software off the back of the myth, or are basically just a paid Apple pen.
-
Wednesday 15th February 2017 12:29 GMT Jason Bloomberg
Risk assessment
What we have seen recently, in terms of software security, the arguably more serious issue of terrorism, and for any matter of concern really, is the propagation of the notion that if there is a risk it will be exploited to the maximum possible extent.
Exaggerating the risk is simply fearmongering, but it plays well to the audience of paranoiacs who believe that if it could happen it will happen and there's no guarantee it won't.
People simply need to get a grip. But that's not the nature of the world we live in today.
-
Wednesday 15th February 2017 19:53 GMT Anonymous Coward
Re: I installed an app from play
There's your problem right there. You were socially engineered and duped.
The program you were supposed to download was Kaspersky, but those clever malware people got you with their 1 digit spelling mistake.
Better be careful, you can get caught just as easily on the web with mistakes like that...
-
Wednesday 15th February 2017 16:02 GMT YourNameHere
Targets?
"but exploits abusing the security blunder peaked at less than eight infections per million users"
It's perfectly secure unless you're the people trying to make a difference or are pointing out issues by almost any government any more. At which time you and your family will become one of the 8 in a million. If you're just some armchair quarterback sitting in your lounge chair pointing fingers at everyone else, then you're safe.
-
Wednesday 15th February 2017 17:59 GMT DrXym
Kind of obvious really
The main threats to people are downloading warez and dodgy "sexy screensaver" apps that want permissions to make calls. There are also occasional Chinese OEM phones with malicious apps preinstalled.
I expect most people running brand devices and using the Google store are completely safe. Of course if they check their brains in at the door and install some APK that promises a free game, movies or whatever then they could be in for a nasty shock. But sometimes freedom also means the freedom to make stupid decisions.
-
Wednesday 15th February 2017 18:26 GMT Anonymous Coward
Re: Kind of obvious really
Yeah, the fear mongering is what makes a smashing story, but now we know what really happened; few, very very few handsets were compromised, and those at the hands of their idiot master. I switched off of those wacky sammy phones and got a fruity fone, mostly for security and for knowing first hand the device my child uses day in/out. But I still keep my S4, it's light and runs my android purchased wares, and has not received more than one OS update ever. Pixel or iPhones are the only way to go these days. Like it or not. The other choices seem to be:
"Chinese and Amazon Android-based gadgets"
Don't. Just, don't. There is no valid third choice, it's a trick question! :P
-
Wednesday 15th February 2017 18:20 GMT Anonymous Coward
Depends on your motivation
Exploiting a random Android user is pretty pointless. What's the gain that you can't get by other methods?
Exploiting a particular Android phone, like say an orange president who insists on using his personal phone for tweets and carries it with him everywhere, is a different story entirely. That's easily worth the investment to use one of these bugs to develop a silent exploit that lets you e.g. activate the microphone so you can listen in to conversations taking place near it.
-
Wednesday 15th February 2017 22:31 GMT razorfishsl
The guy is an idiot, "very few people" he needs to get out of his little ivory spy tower and start looking at Chinese Android, see if he thinks a few million devices are a "few people"
Or he could try running a corporate network in China factories, and get to see the "shill devices" that have been specifically engineered to hack corporate networks from the inside.
Perhaps take a look at WIFI.com, a company that specializes in the theft of corporate WIFI network credentials in the attempt to turn a profit by spreading advertising malware inside corporate systems.
Then maybe he can be qualified to talk about Android "security"