Android O-mg. Google won't kill screen hijack nasties on Android 6, 7 until the summer Nearly 40 per cent of Android users are vulnerable to a security design flaw that Google won't fix until the next major revision of the mobile operating system. The cockup is a strange one, and was spotted by researchers. It affects Android 6.0.1 (aka Marshmallow) phones and above, which according to the official Android …
I think you have reading and comprehension problems....
Might want to read AND UNDERSTAND the "article". This isn't a flaw, it's by design, and due to external pressure from companies that were using(abusing) the functionality in the past and then threw their toys out the pram when told not to overlay ontop of other apps. As a grade period, they were told to sort their crap out, and granted a stay of execution as long as they were publishing on the play store. Apps in the wild were outlawed from overdrawing on the UI period.
Seems Google did something reasonable here, as there is no proof that any apps on the Google Play store are abusing their power, and Checkpoint are (yet again) making themselves look like they are the security gutter-press, desperate to publish anything, regardless of how lame, and how damaging it is to their reputation. (I would never trust checkpoint, purely based on nonsense like this, they clearly can't differentiate between REAL threats and FAKE News)
Not a Google problem. With every app you install, you are asked to grant the permissions. Some people are so stupid that they do not read the screen and simply grant everything. You can also install the app, then deny it permission to a particular permission.
How is Google supposed to fix people who don't protect themselves? I can see only 3 possibilities.
1. Grant the permission without any user approval - yeh, right.
2. Take the permission away altogether.
3. Somehow educate people that apps asking for permission is an important thing to take notice of.
Which would you prefer?
"The first time the app tries to pop open an overlay, and SYSTEM_ALERT_WINDOW permission isn't granted, you'll be asked if you're OK with the intrusion. .....
.....Users wouldn't or didn't know how to enable access so the application wouldn't work properly."
Am I really that stupid?
@big_D a bit harsh...but anybody stupid enough to let Facebook apps on their phones are certainly in that category.
Bit of a Schoolboy error on Google's part. Especially when you consider when apple says no to something everybody just says that's the apple walled garden and deal with/put up with it, but Google didn't take the same stance and in this instance should have.
I'm a massive android fan but this has face palm all over it.
I have to configure about half a dozen Android devices every week, because the users don't know how to set them up themselves - they can't even follow the on screen prompts for setting up their email account.
Outside the office, I am constantly being asked why so and so dialog has appeared, what does it mean, must the user do something. Generally, I just need to look at the explanatory text displayed on the screen and react to it...
That is because the user does not see the connection between his action and the dialog box that subsequently shows up, and the reason he doesn't is a reflection of poor interface design combined with really low user trust in the whole online business.
Fix the interface to reflect the reality, which is that most users have very low levels of trust in their phones and reflexively say 'No' to anything that looks like a warning of adverse consequences. The fix is : This Action will enable Geo-whatever. Is this what you want?" No (default) / Yes (please proceed).
Stop blaming the users. Think your elderly mother, if you wish. Or your grandkids.
"That is because the user does not see the connection between his action and the dialog box that subsequently shows up"
The whole thing was designed very carefully over several iterations to minimise this problem. The button was put in place so the OS prompt was always user initiated. It was put on a screen showing the default position on a map with nothing else to distract the user. There was a sentence explaining why we needed the position and what the consequences of refusing would be. The button used the same phraseology as the OS. And 99.9% of users managed fine. There was just this residual who couldn't manage it.
But, yes, at least some of them seemed to think they grant permission by pressing our button and see the Android dialog as something separate. So they didn't see the connection.
"Since most users won’t be able to approve the permission manually, such apps could be hurt by it."
Most users should be able to follow some simple instructions on what to do, just tell them how to enable it in your app if you want to use that feature.
It's not like the android settings menu is as complex as say, the Windows Registry.
Heck, my file browser uses this method to tell the user how to enable SD card access, so it's not like it's not been done before.
Oh, and that facebook messenger 'bubble'? It can go die in a fire. I won't let facebook's apps anywhere near my phone, but on other's phones who use it, it is constantly covering useful bits of other apps which are, funnilly enough, not designed to have a chunk of their UI hidden.
Of course you can move it, but then it is hiding something else, if not in that app, in another.
Intrusive crud.
Having an android is just like owning a swiss army knife. If you're dumb, you'll end up slicing your fingers off. If you're a normal user, there are a tonne of features that you'll never use, and if you're a power user, then it's the only option.
iOS on the otherhand is like owning a safety cutter. It's brightly coloured, can be safely operated by a child, is unlikely to hurt you but is fairly useless for anything other than what the designers envisioned it to be used for.
And then there is Windows phone which is just the brain-damaged love-child of the above.
"just tell them how to enable it in your app if you want to use that feature"
There're about just slightly more than a million Android "Distros" out there each with a ever slightly different UI logic&design&layout, so good luck getting your user to find that option they needed,
The big problem with Android still exists. Users of anything other than brand new models will never get the updated Android with security fixes. Once you've paid your cash, phone manufacturers don't give a crap any more. People's only option is to flash a 3rd party Android on their phone, something which the average Joe won't have the skills for.
Google really need fix the problem of users being left out in the cold.
And then break them.
Last Android update (to Nougat) has borked so many of my apps it would have been quicker to buy a new phone.
Some borks were really subtle too, like the Bluetooth stack - my phone stopped pairing with my car. First I knew of it was when the phone rang
Sadly, this off- and on-against fsck'ing with the Bluetooth stack has been an ongoing PITA since Android 4.3 (maybe even marginally) earlier. Even between minor updates behaviour would flip-flop from working to/from no-working. I'd love to get myself Bluetooth handsfree et al for my car, but really aren't keen on the crapshoot of now-it-works-now-it-doesn't.
"> Google really need fix the problem of users being left out in the cold.
Wrong, I'm afraid. The manufacturers need to be forced by the courts to do this: Google has no obligations whatsoever to individual consumers."
Ordinarily, I'd agree - but in this case Google are exacerbating the problem by choosing not to address it until the next major version. That's just so incredibly... well, Google, actually.
They'll fix it, but users won't get it
False. It's managed by play service and play store, so EVERYONE will get it, and get it pretty soon after Google toggles the switch.
Your failure to grasp this, suggests you have no understanding the differences between Android, Google Play Services.
"Users of anything other than brand new models will never get the updated Android with security fixes. "
Untrue. Google have been moving parts into updatable modules via play services. BoringSSL is a serviceable Google play module, as is much of the media playback library. All android devices get these updates.
Most phones get reasonable patching, my wife's 18 month old Samsung S3 got March 2017 update.
What the real agenda is, is purple are hoping to get full version android upgrades on old devices, that's simply not going to happen, even apple don't do that (not even after aging apple premiums), they pretend they do with feature lite pretend updates, that have the correct number but missing key features
This is crap (what Google are doing, not the article).
Google care more about the potential lost ad revenue from (malware) apps running on outdated versions of Android than backporting a dialog with allow/deny buttons the first time overpaint is used or whatever it is they're going to do in Android O.
The fix would eventually arrive on many phones, more phones than Android O will.
It's less backporting since Lollipop and previous already have this. It's more fixing the cockup of implementing a feature they made allowed by default in Marshmallow & Nougat. To me it's bullshit feature because isn't this exactly what notifications is for?
The Google Planty strikes again.
No, of course it's not news. Google just enabled the play store to grant permissions for apps so I don't have to approve them at install time. Saves me a whole load of time reading permissions screens and trying to understand them.
Thanks Google, I trust you implicitly with the security of my device. If you think an app should be granted some permissions on my phone then that's good enough for me!
I'm seeing something like this regularly on my iphone in Safari. A pop up fills the window, and cannot be shut down unless I click the button being offerred that will "let me speak to a microsoft technician who will remove the malware from my PC". The image seems to be perfectly sized so that I cannot scroll up or down to get to the control bars at the top or bottom. If I kill safari, then once I start it back up, the last page viewed is shown, and blam, I'm back to the same screen. To get around it I have to kill safari, then go into the settings and erase the safari history.
That Safari thing sounds like what was described here - in July 2015 - and elsewhere.
http://www.tomsguide.com/us/stop-ios-crash-popup-scam,news-21354.html
You seem to be on top of it, up to a point. Stated preventions include disabling popups in Safari and/or disabling JavaScript. I'd also suggest "don't use web sites that do this" and maybe "press the Escape key or Ctrl Alt Delete" :-)
If it's in advertisements in web pages - if you have narrow interests, you may get the same advertisement over and over again, and this is the one......
So the remedy is to use Facebook...... then the internet knows everything about you......
Or block the ads? All the cool kids are doing this.
If the user has installed an apparently useful app, then they will probably also give it permissions. So having to click to give a permission is probably no safeguard at all to the average user.
The fundamental problem is installing the malware, not giving it the permissions. Many legitimate apps need permissions that would be very dangerous if the app were malware (starting with virtually all of Google's own apps.) This permission would seem reasonable for any app that gives "important" notifications, so most people would just grant it.
Having said that, of course Google was still wrong to deliberately bypass their own permissions system, specifically in order to allow an app to behave very intrusively. And more wrong to withhold the remedy from most existing users.
"Android O, which will most likely be out this summer or autumn"
and on most "newish" devices sometime next year...and on slightly older devices...HAHAHA
And things like cyanogen don't count. If the users are unable to manually grant a permission they are also unable to install an alternate OS.
I run a number of apps on my (rooted LineageOS-powered) phone that ask very nicely when they want you to grant a certain permission - explaining why it's required before you go anywhere near the settings screens...
...if a one-man outfit can put in the effort to do this ... (to borrow from Clarkson) how hard can it be...?
Shame on Facebook for the sheer laziness (and bloodymindedness) in not getting this sorted out - and Google for letting them get away with it...
(I always turned chat heads off anyway - a simple notification was sufficient for me... and then I dumped the official apps entirely for the likes of Folio and Friendly that just act as wrappers around the mobile web site - 95% of the functionality, and 95% saved space not installing things I never need)
"Google has told Check Point that the issue will be fixed in Android O, which will most likely be out this summer or autumn."
Probably busy working on their new OS that doesn't rely on a non-google-controlled kernel...
It is worth pointing out though - that key parts of the OS can't be hijacked with this method. Ask anyone who runs a full screen overlay like Twilight. You can't for instance tap the Install button, or factory reset the device, or approve a new device administrator app while Android thinks that an overlay might be trying to trick you.
... go to the image's regmedia link and remove the crop and size tags:
https://regmedia.co.uk/2017/05/09/marshmallow_shutterstock.jpg
Marshmallows cooked by the Chef from South Park, maybe?
"However, this soon caused problems, as this permission is also used by legitimate apps, such as Facebook, which requires it for its Messenger chat heads feature. Since most users won’t be able to approve the permission manually, such apps could be hurt by it."
I'm sorry but I fail to see the loss here. Here's a thought. If it was impacted they could update their app so it can see if the permission is granted and if it isn't then it points the user to a page where they can read how to give it permission. Instead we've got one door wide open for a few apps that were abusing the feature to begin with.
As someone that uses Google stuff a lot I'm amazed at how short-sighted this 'solution' is to the problem. I'm annoyed that they are seemingly fine with this being left alone until the next version. I couldn't care less if this wiped Facebore off the face of the planet but clearly a bunch of people having to pull down a notification shade to chat is more problematic than a gaping hole in your OS.
I have a solution. Tell Facebore et al to go die in a hole, release patches where possible and promptly give access to documentation on permissions and what they mean. I've thought for a long time now that every app should clearly explain why it needs each permission before you grant it access at install time. Those who get caught by bad malware and scams will ignore it and click accept as they always do (and suffer for it) but everyone else gets to see what they are allowing apps to do. I'd also make it clear that any app update must come with a changelog and not just "Bug fixes and performance improvements".
Take your pick, people:
1. A fully locked down environment.
2. An open environment where safety requires good IT security skills that are regularly updated.
3. Something in the middle.
What I want to know s this: Are the same voices that bitch about the lockdown the same people who bitch about security weaknesses?
Empirically we know what happens when the system allows users to give away their security to achieve better application functionality. I can tell you where the model is headed as it matures. Operating systems used by the masses get increasingly locked down. App store policing increases. Eventually we end up with a phone/tablet/computer that won't allow an idiot to circumvent its security. Or at least, make it very difficult.
And the invincible space cadets will continue to complain for a long time because they have to.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
