Ouch, not another Android problem?
No doubt the deniers will be out in force.
A GitHub user has demonstrated that the Android APK vulnerability isn't a trivial matter, posting “quick and dirty” proof-of-concept exploit code on GitHub. The demo, here, occupies just 32 lines of shell script – it doesn't actually plant malware into the target code, it merely allows an app to masquerade under another app's …
The reality is, Android is actually far more secure than iOS, it has proper app sandboxing, fine grained security permissions and digital signing. None of which iOS has.
Sigh. I don't know why I even bother with this, but I would advise anyone actually interested in iOS security mechanisms (which include sandboxing, ASLR, NX, code signing, yadayada) to read this rather informative document:
http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf
"Android is actually far more secure than iOS"
Erm, but Android is based on Linux, which has a weaker security model and more vulnerabilities than any other commonly used OS. iOS is at least based on FreeBSD, which has somewhat better security....
The best mobile security model at the moment is Windows Phone (completely uncracked) followed by Blackberry 10 (1 x critical vulnerability)
>The best mobile security model at the moment is Windows Phone (completely uncracked)
Yep, even the blackhats have never seen a Windows Phone or know anybody with one. The only reason to crack a Windows Phone would be to punish Microsoft and Nokia employees, who are the only ones with the devices.
>The best mobile security model at the moment is Windows Phone (completely uncracked)
Notice how the Windows folks brag about their security when their market share is tiny. Isn't that why they say things like OpenBSD having far fewer critical CVEs than the beloved Windows is because of tiny market share?
....its availability depends on whether the OEM has shipped the new code through carriers to end users.
And this is where the whole Android model dies like the dog it is. Chances of this critical fix making it as an official release to any device that went into production more than 12 or so months ago? I'll have a fiver on "bugger all" please.
'And this is where the whole Android model dies like the dog it is. Chances of this critical fix making it as an official release to any device that went into production more than 12 or so months ago? I'll have a fiver on "bugger all" please.'
Whereas the chances of ever knowing what is critical / fixed / broken / serious with anything from Apple are about as high as them issuing a press release saying: Sorry, guys, time to admit we do software and hardware crap sometimes just like every other profiteering, mug-exploiting, worker-exploiting company; only we rely on buyers who aren't generally the best endowed in the savvy stakes to be able to get away with it and, yes, sometimes we don't even reckon it's worth our time to acknowledge, let alone fix, our problems. Hey, just buy a new one and, you know, maybe it will be better. Trust us.
That'll be tomorrow, then?
What a badly constructed and ill-thought-out rant. The issue is that older Androids do not get updates. It's nothing to do with how stupid Apple customers are or whether Apple publish full lists of vulnerabilities and fixes. Apple do have issues with security. But they don't have problems pushing updates to devices. So bringing them into the argument only emphasises the fact that Android's update infrastructure is crap.
Well done!
Android's update infrastructure is crap.
Is it that the infrastructure is crap, or is it that the policies regarding updates are crap?
It is basically left to the discretion of device manufacturers (and potentially network operators) to integrate, test and push updates to end users. The ability of those people and their willingness to do so varies dramatically. Google don't twist any arms, certainly.
Manufacturers' customisations are a pain in the butt.
Network customisations are even worse!
I gave up with network customised phones many years ago. I was using Nokias at the time. The UK networks never updated their custom firmware. Eventually I unlocked, reflashed the model number to generic Euro and got back on Nokia's direct update train which turned the Orange supplied N95 dog into a very useful smartphone. I still use it as my backup (3 days+ battery life is good for things like that!).
After Nokia completely lost the plot I jumped to Android. They're all unlocked. The instant HTC failed to pass on an update for my old Desire Z it was unlocked, rooted and jumped to Cyanogenmod which had the security update rolled into its build within a week.
These days it's Nexus devices all the way.
It's swings and roundabouts. If you want a phone which you have no control over, and you can endure the shortcomings, then you can buy an iPhone and you'll be pretty much safe (just don't plug in that USB cable, eh?).
If you want more choices than you can shake a stick at, then go Android, but you'll probably want to install a good AV app.
Want to have the latest updates first? Get a Nexus, or a vanilla-version S4 etc.
Oh, almost forgot, want a novelty phone with squares all over the screen? Go Windows.
I feel bad for the people who are unfortunate enough to have to buy a budget phone and made the mistake of choosing Android over BlackBerry.
Once you're stuck in the android ghetto you constantly have to fear your data leaking all over the Internet but I do believe that's a design choice given the is was developed by the commercial arm of the NSA.
I see what you did there, you pretended all Android phones were entry level.
Ironically, Apple has a far worse track record for "data leaking all over the Internet". For years, any app could simply upload your call log, address book and location history without needing any special permission, and many apps took advantage of this, including Facebook.
I seem to dimly recall this Blackberry thing you mention, are they still around?
"Once you're stuck in the android ghetto you constantly have to fear your data leaking all over the Internet but I do believe that's a design choice given the is [sic] was developed by the commercial arm of the NSA"
That'll be the same NSA to which Apple is a signed-up data feeder?
....its availability depends on whether the OEM has shipped the new code through carriers to end users
Err .. I have a Nexus - so my updates come direct from Google - and according to the information on the phone, it hasn't been updated since January. What happened to this update in March?
The Play Store has been patched. If you choose to side-load something from an untrusted source and grant it permission to send SMS to premium rate numbers then Android will warn you, but not stop you. The vulnerability is useless to criminals - they can defraud you in much better ways.
No, I mean fun like stripping 15Mb of foreign language dictionaries out of the keyboard apk and still having a working keyboard. Probably with a broken signature (not checked) but working. 15Mb I'd rather waste on games ;)
Anyway, had a look at the purported bug fix and it looks like Google (for a change) haven't overreacted and outlawed all zip file manipulation.
But it's a serious bug, trivially simple, trivially simple to exploit. Also, however, trivially simple to detect exploits, and it looks like that detection could be added without a full OS update. Just don't wait for Google to get off their lazy arses and actually do it.
...although modifying the actual dex chunk does have its appeal. Just tends to be easier to find a less abusive app than recompile one.
@Sabroni
No, the claim "our OS is super secure" is not attributed to Android. However, every story about Android malware is BS and plays on the fact that you can install malware if you really want to, and grant it permission to send premium rate SMS if you really want to. Some people fall for it, but plenty of Commentards point out that the reported vulnerabilities are massively overstated. Do not make the mistake of thinking that they are claiming it's super secure.
Yes, the vulnerability is useless.
>The Play Store has been patched. If you choose to side-load something from an untrusted source
Not really - Play only uses http for the actual apk download.......so it's quite simple to side-load if you control DNS or poison the (web) cache....like when someone chooses to use the 'free public wifi' some kid or other is supplying from a Euston Square coffee shop etc ..... previously with Play, installation would have failed so it didn't matter, but no more.
.... a lot of money involved for telcos if they supplied the phone and still provide it with network service....but I suspect they'll just give away new handsets rather than playing catch-up patch-up.....consumer outrage will be non-existent to short-lived either way.
Although the vulnerability is serious, it is only going to affect people who use third-party app stores or side-load apps, who, even if this vulnerability hadn't been found, are still at risk of getting malware if those sources are dodgy. So even if your phone doesn't get patched it shouldn't be a big deal if you only install apps from the Google Play store.
Not sure what the big alternative to the Google Play store, the Amazon app store, is doing about this, but I expect they will release a patch soon.
"..you're saying that Apple's walled garden approach is the only way to be secure?"
No, sabroni - the only way to be secure is not to use any mobile phone at all. Slightly less secure is not to use smartphones at all. A bit further down the list is to use a smartphone but don't download any apps from anywhere. Just a little way down is to use a reliable store, regardless of supplier. Perhaps twice that last distance is to use an unauthorised app store. Even then, you are barely 5mm down a 10cm scale of "risk".
The store shouldn't matter in that sense. If you download the same app from two different app stores and assuming there's no store-specific code in it (e.g. DLC), the apk will have the same code and the same signature. It's the OS which enforces the signature check. All the app stores can do is not serve malware in the first place, signed or unsigned.
The fact that the install setting is all-or-nothing is the problem (as with app permissions too, incidentally). It should a) enforce the signature check on all apks and b) enforce the origin check on all apks. All legitimate app stores should be taken as acceptable origins. How do we know what's an acceptable app store? Google should serve it up on Google Play, much as it may pain them. That way the user has no need to touch the 'Install everything' setting.
Google Play is not a guarantee of no malware. Remember that advertising networks have been known to change app code, and that's precisely because there's a borked code sign check. This kind of thing should have shown up in testing. One has to wonder why Google aren't taking security seriously. I hope it's not to 'fix' the problem by enforcing Google Play only.
What worries me is not that an exploit exists, but one so simple.
As far as I can tell from the code, all it does is extract the APK with apktool, lets you modify files that were inside, then zips it back up again (using a python zip library, so nothing fancy) into an "evil apk".
It seems, then, that all the cryptographic verification or integrity of an APK has absolutely no relevance to its actual contents whatsoever. Which kind of makes you wonder why you'd bother to sign anything in the first place.
That's just worthless. And no wonder it takes a firmware update to fix - you've actually got to put in the damn checking you were supposed to have in the first place. It's not a question of finding some clever flaw in the signing or installation process - it's just literally changing the executable you run but keeping it called the same thing and having the same signing details stuck inside it.
Google Play, Amazon, et al can scan their stores with updated verification.
The flaw is in the phone's cert verification, but Google Play, Amazon etc can update their server-side verification to detect any dodgy packages.
From what I understand of this particular exploit, it's detectable now that it's understood.
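The modify-and-rezip scenario described a few comments up, and the server-side verification suggested just above, as an added example (not the GitHub proof of concept from the article, nor Google's or any store's code): a small Python checker that recomputes the SHA1 of every archive entry and compares it with the digest recorded for that entry in META-INF/MANIFEST.MF, and that rejects any archive in which the same entry name appears more than once, since two parsers could then disagree about which bytes the name denotes. The archives, the bytecode stubs and the package name are constructed for the demonstration; the manifest parser assumes the simple unwrapped Name/SHA1-Digest layout it generates itself, and the check stops at the manifest: verifying the signature over the manifest (the .SF/.RSA files) is assumed to be done separately, as a real verifier does.

```python
"""Manifest-digest and duplicate-entry check for an APK (zip) archive.
Constructed example: archives are built in memory, nothing is signed."""
import base64
import hashlib
import io
import warnings
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"


def sha1_b64(data):
    """Digest as it appears in a JAR manifest: base64 of raw SHA1 bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries):
    """Build a minimal MANIFEST.MF body listing a SHA1-Digest per entry.
    Simplification: lines are not wrapped at 72 bytes as the JAR spec allows."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(text):
    """Parse Name / SHA1-Digest sections into {entry name: claimed digest}."""
    digests, name = {}, None
    for raw in text.decode().splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
        elif not line:
            name = None  # blank line ends the current section
    return digests


def check_apk(apk_bytes):
    """Return a list of findings; an empty list means every non-META-INF entry
    carries exactly the bytes the manifest vouches for and no name repeats."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        infos = zf.infolist()          # one record per physical entry
        seen = set()
        for info in infos:
            if info.filename in seen:
                findings.append(f"duplicate entry name: {info.filename}")
            seen.add(info.filename)
        if MANIFEST_PATH not in seen:
            return findings + [f"no {MANIFEST_PATH}"]
        claimed = parse_manifest(zf.read(MANIFEST_PATH))
        for info in infos:
            if info.filename.startswith("META-INF/"):
                continue               # signature block, not covered by itself
            with zf.open(info) as fh:  # open by ZipInfo: reads *this* record
                actual = sha1_b64(fh.read())
            expected = claimed.get(info.filename)
            if expected is None:
                findings.append(f"entry not in manifest: {info.filename}")
            elif expected != actual:
                findings.append(f"digest mismatch: {info.filename}")
    return findings


# --- constructed sample archives ------------------------------------------
ORIGINAL = {
    "classes.dex": b"dex\n035\x00constructed original bytecode",
    "AndroidManifest.xml": b"<manifest package='com.example.constructed'/>",
}


def make_apk(entries, manifest=None, extra=()):
    """Zip the entries behind a manifest; `extra` appends further records
    even when their names repeat (zipfile warns, but writes them)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST_PATH, manifest or build_manifest(entries))
            for name, data in entries.items():
                zf.writestr(name, data)
            for name, data in extra:
                zf.writestr(name, data)
    return buf.getvalue()


def clean_apk():
    return make_apk(ORIGINAL)


def tampered_apk():
    """The modify-and-rezip case: classes.dex replaced, manifest left as-is."""
    modified = dict(ORIGINAL, **{"classes.dex": b"dex\n035\x00constructed modified bytecode"})
    return make_apk(modified, manifest=build_manifest(ORIGINAL))


def duplicate_apk():
    """Structurally odd case: a second classes.dex record appended."""
    return make_apk(ORIGINAL, extra=[("classes.dex", b"dex\n035\x00second record")])


if __name__ == "__main__":
    for label, apk in [("clean", clean_apk()), ("tampered", tampered_apk()),
                       ("duplicate", duplicate_apk())]:
        print(label, check_apk(apk) or "OK")
```

The point of opening each entry by its ZipInfo record rather than by name is that the digest check then covers every physical record in the archive, so a store-side scanner built this way cannot be satisfied by one copy of a file while another copy with the same name goes unexamined.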
CyanogenMod users will be happy to know it looks like they're busily releasing new CM7 through CM10 builds.