
A flap of flaws?
Yet another potentially serious security flaw has been revealed in Android. This time the problem involves the mobile operating system's ability to run more than one app at once – as opposed to its handling of multimedia messages, which was the crux of a cyber* of vulnerabilities last month. The latest security blunder opens …
Sitting here in a tinfoil hat, I never use mobile banking, and am slightly paranoid about even using a personal workstation for financial transactions.
I remember the day back in the 80s I got my first ATM card, wow what a technology. I didn't need to visit the cutie at the teller window. I was told "It's designed to keep banking costs down???" I'm afraid to know how much the mobile technology adds to the monthly fee/per transaction fee the banks continue to charge and reap profit.
I assume this would require malicious code to be installed on a device in order to leverage the internal multitasking? Not defending weak security practices in the Android environment, just curious.
By the way thumbs down for 'cyber' as a collective noun, just doesn't feel right.
How about a skynet of flaws? ROTM and all that, might work particularly well in an IOT context? Conveys a sense of impending menace as we surrender bit by silicon-hewn bit to our robot overlords
>the exploit would be via apps that haven't been properly vetted
The whole thing is designed to provide a way to download random software from people you don't know, have no relationship with and certainly aren't (intentionally) paying any money to. What could possibly go wrong?
We measure trust by relationship cues, but IT replaces personal and real relationships with a mediated, crippled proxy for real ones. The trust measures therefore will always be garbled. If I go into a bank branch, I have a building (which I may recognise) and staff (again, whom I may recognise - or if I don't, I have confidence that someone does and would stop interlopers) which implies some investment and permanency. On a computer (of any sort) I have a little picture of a logo. If I install stuff on a Windows computer, I'm fairly sure Mr Gates or Mr Cook haven't approved the action and I get little warnings ("admin privileges required"). On a phone, the phone vendor appears to have curated and certified apps which he is now encouraging me to use. There are no warnings about "admin privileges required" or "this may harm your computer." "GET" and "Download Now" is all over the place and the full-screen nature of applications further gives the impression that if you can't see an app, it isn't running.
I get that security is a hard problem, but knowing that, there should have been extra care taken in OS design, not dumping it all on the J/Dalvik/whatever VM which was originally designed to run trusted enterprise applications on protected servers. It feels as though we're back with IE6.
Most depressingly of all, the outsider in the mobile game, who is likely to need to be the most innovative and could use security as a USP to gain a foothold, is MS, and they have decided just to ape the others. They could have re-written Windows for mobile as Apple re-wrote iOS from OS X. MS could have rewritten Windows to build on all the things we have learnt about security, but they haven't. They just want to reuse existing code. It's the very worst of accountancy-driven product development and ignores the users' requirements, stated or not. At least Apple try to anticipate users' needs. They may be locked into a mobile model with no incentive to change, but MS is not. As for Google, they've got profits, they should at least be hiring extra bodies for code review.
> thumbs down for 'cyber' as a collective noun
Yes. Could we please, please, please stop abusing the "cyber" prefix? It meant something when Wiener coined the term "cybernetics". Now the idiots have largely ruined it, but that's no justification for participating in this particular barbarism.
I hope we are ripping Android to shreds. We get fixes for Microsoft products for at least several years. I might as well chuck my practically new Samsung phone in the bin.
And I don't believe the blame should just attach to the tardy phone manufacturers and operators - this is as much a consequence of the design of the Android ecosystem.
Yup. But unless you're Apple and do an end run around the whole damned game, that is how you have to start.
"Scuse me Samsung, Nokia, Sony, do you mind if I wrap your products in my branded software layer, which I control and will change when I like, without needing to check with you? *SLAM*"
Now we're into the next phase, with the populace demanding that Google take monopoly control over their phones. Just like Apple already has with theirs. Monopolies are cool, apparently.
I get fixes for my two year old, carrier supplied, Samsung phone every few weeks. You must be doing it wrong.
I also get frequent notifications of "Security Policy Updates" - I have no idea what these are supposed to do, nor whether they are malicious - so I have to assume they are. If someone wants me to take a security update seriously, they had better tell me what the change is, who they are, and how I can prove that they are not lying. I am really not thrilled at having my "security policy" updated by Goog, let alone hackers.ru or gchq, and if it is Samsung or 3, then they need to come clean about what the changes are. A "Security policy update" that allows my phone to put random charges on my bill without me knowing is not an attractive option.
Anyway, all of this seems to underscore what I said nearly two years ago, after messing around on the fringes of Android (because my wife has accessibility issues).
Android is a great toy operating system. But it's not ready for any real work.
Having bought a new phone, with a much later version of Android, I'm still of that opinion.
Hmm, that still partly suggests an upwards movement, and as far as I can see it's all going downhill.
I'd call it a laxative of flaws on account of possible bowel loosening potential if you dare look at the sheer scope of this mess, also because you're up sh*t creek if you bought into this platform.
Given that Google has been trying to patch its, er, patchy history on security with running some teams, I think they fully deserve to be associated with this gaggle, no, google of security issues, and they must have set a record now. They've even beaten Microsoft's best efforts, and by some considerable distance.
After all, we also use terms like "doing a Ratners" ..
I did think along those lines but I think el Reg need a generally applicable term here and many fellow commentards seem to be focusing on the little green robot. It wouldn't work so well when applied to other proprietary systems: 'Microsoft patch Tuesday fixes a Google of edge flaws'?
> I did think along those lines but I think el Reg need a generally applicable term here
But that's the point - by naming it a Google you convert it into a generic term, and at the same time ensure this string of cockups is never forgotten. That's why I referred to "doing a Ratners" - that's now happened to a few companies, most notably by the BP guy after the Deepwater disaster where he decided to announce to the world that he'd go sailing in a clean bit of water.
The Android mess is now potentially at this level. There is also an aside that this is the *perfect* cover for Google to grab more of your data as you'd blame it on hackers, but that's off topic.
"a Google of" something: something that is fundamentally so screwed up that it resists any attempt at cleaning it up.
Actually, you're right, that is an alternative along the same line. Maybe we ought to make "an Adobe of" and "a Google of" aliases of each other. The "Adobe of" more for software, and the "a Google of" for firmware and hardware.
I had been thinking about "a Flash of", but that leaves out so much other software that's creaking at the seams. The Adobe Air that BBC's iPlayer is using also sucks badly.
A kiss of flaws, A scion of flaws, A nonce of flaws, A fix of flaws, A defect of flaws, A blush of flaws, A doodle of flaws, An aardvark of flaws, An abortion of flaws, A matrix of flaws, A singularity of flaws, An abyss of flaws, A band of flaws, A baptism of flaws, A banzai of flaws, A trench of flaws, A sigh of flaws, A bastard of flaws, A beast of flaws, A fog of flaws, A bilko of flaws, A blancmange of flaws, A botch of flaws, A campus of flaws, A cache of flaws, A cabbage of flaws, A quantum of flaws, A zest of flaws, A feast of flaws, A wrath of flaws, A vogue of flaws, An ulcer of flaws, A crush of flaws, A satchel of flaws, A sabot of flaws, A rodeo of flaws, A punk of flaws, An ounce of flaws, An orgy of flaws, A neglect of flaws, A minion of flaws....er.......A monkey tennis of flaws?
I'm torn. I like the current collective words such as brood of bugs, a bevy of breaches or an array of inadequacies but I'm not against hijacking a word to give it a new meaning like a fluster of flaws or an absurdity of exploits. Perhaps it deserves a new word but it would require someone smarter than I to invent, fortunately that's not exactly a high bar to clear.
Google installed most of those flaws themselves. Every app I get wants access to everything on my tablet. It wants the microphone, it wants the camera, it wants the wi-fi, it wants to be able to modify the contents of the SD card. Google did that so *they* could get at our data. All those other guys are just unintended (but unpatched) consequences. Google wants our data, and they weren't even competent enough to keep it to themselves!
> We're told the vulnerability can be exploited to show a spoofed user interface, controlled by an attacker, when someone starts an app: the owner will not be aware that they are typing into another program masquerading as a legit application.
So the alleged 'vulnerability' is:
User is running latest version of Android with multi-tasking
User uploads malware app from unknown sources.
User starts malware app
User starts another app
Malware app spoofs app's screen*
User is confused and types into the wrong app
* only if malware app knows how to spoof that particular app.
It's a CYBERGEDDON! Cyber by itself just sounds incomplete, or lacking. And could be confusing.
But it sure is reassuring that some bimbo at Google has the answers.....NOT !! Only the uninformed would buy that crap! Google needs to pull their collective heads out of their asses, BUTT quick. As do all the rest of the techies across the board.
Just when I finally get up the gumption to move back to Android with my next phone, here comes vulnerability after vulnerability. Can't Android be made secure by anyone other than Silent Circle? Silent Circle won't sell to consumers, apparently. Just Enterprise customers deploying 25 or more devices.