No sexy vulnerability name yet?
Fresh from sorting out the Stagefright flaw, Google has another serious security vulnerability in Android on its hands. A privilege escalation hole allows normal apps to gain superpowers to snoop on a device's owner, smuggle in malware, and wreak other havoc. Youtube Video The vulnerability, CVE-2015-3825, affects about 55 …
> This sort of reporting ranks alongside such tosh as 'advanced persistent threat' and 'sophisticated cyber-attack'
Bear in mind, I hate those words and usually kill them on sight.
> I read El Reg for their technical accuracy not their ludicrous hyperbole
Why not both? Seriously though, the story has the technical accuracy, and the headline is a headline - have you not noticed that we go a little OTT? ;-) You wanna know the truth? I picked "stunning" because it fitted the space better on the page.
Since it's a privilege escalation, yes it is a shock. Or do you normally expect "Hello, world!" to surreptitiously boost itself to root and own your device ever-after?
(if you do then at least some kudos for realistic paranoia, but not being able to run apps takes a lot of the smart out of smartphone)
I give far more credence to the number of and nature of permissions requested than the number of g+ users who give it 5 stars and usually some indecipherable comment.
The raison d'etre of the permissions model is to limit what an app can do. If it fails to do this then it is a critical flaw. But imagine there was some bug in your phones PIN entry screen where pressing the volume rocker logged you in. I suppose you would argue that such a bug isn't too bad because one should expect that anyone who can physically access it could pwn it.
I happen to agree. It's no more shocking than the virus/trojan/whatever munching your system after downloading some supposedly neat PC application from "a dodgy site." The apps on my tablets are downloaded only from legit sources and, aside from upgrade keys, are a very stable set.
Look people, if you play Russian Roulette with the software loaded on your tablet, some "thing" probably will get through despite the best screening in the world at a store and then your "bulletproof" malware checker on that device. Vulnerabilities exist as the software development process is fundamentally broken. I'll spare you my sermons on that topic. I've yet to see proper OS security which obviates any application's security right out the gate.
That whole reap-sow process will get you.
Isn't the ability to spy on the user pretty much demanded by damn near every app out there anyway?
It's time for Google to take that ability away from the APP developer community.
Permissions belong only in the hands of the phone OWNER, IE ME!
A weather app does not need access to my contacts, photos, texts, email, etc. etc. etc. Obvious misuse of personal info should mean permanent banning from the app store, inadvertent misuse should mean not uploading product on the app store until you PROVE there are no issues with 3rd party verification.
Have an upvote. However, since Google wants all of their apps to have full rights to you, they would be pretty hypocritical if they tried to stop other app developers from doing the same. I recently bought an Android phone just to check out the advances in the last 3 years, and the permissions requested by the Play Store boggle my mind.
You own the phone hardware, but not the software that is running on it. You don't get to decide what permissions the apps get, the software author (i.e. Google) does.
The same is true on an iPhone, but despite their reputation for control freakery, Apple lets you enable/disable various permissions on apps and change your mind later. The app may warn or possibly even crash if it doesn't have a permission it needs or thinks it needs, but you don't have to worry about Facebook slurping your contact list or whatever.
On a serious note, as a developer (a real one not an app developer :p) being able to stipulate the permissions you don't need is quite a nice security layer. If I decided that the world didn't have enough photo editors and that I should release my own, I can stipulate that it should not access the contacts. If my advertising network started spewing out malware, perhaps a more conservative token collection may mitigate the malware.
"A privilege escalation hole allows normal apps to gain superpowers to snoop on a device's owner, smuggle in malware, and wreak other havoc."
Hmmm, what would be handy would be a privilege escalation that allows you to remove un-needed and un-wanted default Google apps without having to root the device in a more traditional way.
Another reason to move to Windows Phone 10 once it's released if your device has an upgrade available - given that you can now sideload APKs. Only Xaiomi have confirmed an upgrade will be available so far, but Microsoft have stated that they are planning to "make this software available on more devices in time."
Which has the better overall security, Android or IPhone?
Windows Phone. I'm the only person I know that uses it, so its pretty much a waste of time anyone developing attack vectors. Security through obscurity - it's like the 80s never ended!
I suspect no mobile OS has good security. Since most internet access is now via a phone/tablet rather than PC, these are the most common attack surfaces. Regardless of which OS you run on a proper computer, I'd bet the security is considerably better when factoring in firewalling, virus/trojan scanning, logging, and system/network monitoring tool sets etc.
Paris, because she didn't have anything left to fear from the iCloud leak.
All OS have security issues. The issue is how quickly the problem can be fixed and the fix deployed to users. Even if Google fixes this tomorrow, only nexus owners will receive the fix quickly. The rest of us have to hope that the OEMs and the Network operators pull their fingerpost and prepare and deploy the fix.
This is a problem that only affects android phones. Apple, blackberry and Microsoft can all deploy fixes quickly.
But would encrypting the device help in any of these security issues help? Or as these app's/vulnerabilities are running from within the system would it not make a blind bit of difference?
Or perhaps even something like an AV product that had a very restrictive policy from the server (no system app's allowed, no apps apart from the ones on the allowed list allowed to run), I am on this latter point referring more to corporate devices with a server policy applied, say perhaps using Kaspersky Endpoint security.
One can't help thinking, in the current climate of forced "openess" encouraged by our spymasters i.e nothing is off limits any more, that these "vulnerabilities" are nothing of the sort to those who would really 0wn you.
Who wrote and refined them, and put them into the mobile ecosystem, I wonder? It's as likely to be a home-grown spook as a Russian gangster.
Sure, they're inherent in (all) mobile OS' but it makes you wonder..make me wonder, anyway