back to article Android Lollipop sucks at security, says researcher

Skycure security researcher Yair Amit has revealed a chained Android attack path that will greatly enhance attackers' ability to compromise 1.34 billion devices, or 95 percent of those in use. The Accessibility Clickjacking attack exploits flaws in protections for Android's accessibility and draw-over-apps features to allow …

  1. gnufrontier

    Promotional hack for security "researcher".

    "Some applications, notably those security-related and for lost devices, request accessibility, draw-over-app, and root features."

    My suggestion is don't download those kind of apps from a play store. Most of the article is about gaining access to accessibility features which doesn't really get the hacker anything. Yeh, if you download an app that is security related it's going to require you to give it permission to get into the guts of your system.

    People download all kinds of crap and that is what happens. Phones may be smarter but people aren't.

    If you are doing social media you already have compromised your "security" and the government has no road blocks to your stuff. This whole security business reminds me of all the health scares one sees on the evening local news shows where they twist some study in order to come up with catchy headline spouted by some smiling empty headed teleprompter reader and keep you watching through the ads for the next "news segment".

    Security is a joke just about everywhere for any connected device.

    1. Anonymous Coward
      Anonymous Coward

      Re: Promotional hack for security "researcher".

      Indeed scaremongering. In the real world this isn't happening. All this does is embarrass anyone passing nonsense around

      1. TheVogon

        Re: Promotional hack for security "researcher".

        "In the real world this isn't happening"

        There know there are many Malware infected Android phones, so clearly it is.

  2. Anonymous Coward
    Anonymous Coward

    Only Google

    are allowed to suck your personal data.

  3. JimmyPage Silver badge

    Barely anyone operates Marshmallow

    Banging the drum for Wileyfox Swift (Cyanogenmod) here.

    Upgraded automatically last week.

    1. Ugotta B. Kiddingme

      Re: Banging the drum for Wileyfox

      it certainly would be nice if we could get those on THIS side of the pond. Perhaps some day but not this day... dammit...

  4. jb99

    What is the exploit here?

    I'm struggling from reading this to understand what the issue is here.

    The use installs an app. The app does what it was meant to.

    Ok, the user installed an app that probably did something they didn't want it to but that's hardly android's fault.

    1. tiggity Silver badge

      Re: What is the exploit here?

      Exploit based on fact that when a user installs an app it tells you what permissions that app requests.

      Apps can request all sorts of permissions - it relies on user having a clue when they look at what an app is requesting, but lots of users accept regardless.

      So the exploit works on lots of users who accept reagrdless

      If you have android try an install of something "safe" e.g. the official facebook app (I recommend you do not install it - just look at the permissions it wants, not security hole per se but massive privacy hole)

      On Android versions below Marshmallow you cannot so anything (bar uninstall the app) to prevent an app using permissions you gave it.

      With Marshmallow you can restrict, e.g. with Facebook you could not allow it to access your contacts, camera etc.

      Depending how well coded an app is, it *should* not break on Marshmallow if e.g. it tries to access contacts when you have disallowed contacts access

      Big problem is most handset makers are not upgrading handsets (e.g. manufactuerer of my particular model has announced no upgrades beyond lollipop) so users stuck on less secure OS version

      .. Though if someone is going to install an app that asks for excessive privelidges, even if they had marshmallow they would probably not tweak settings for security

      It is an Android fault (IMHO) as user control of access should have been there from day 1 (instead of current scenario where, in my case, I install hardly any apps as most take the P in permissions they want, but most people just want to install a given app regardless of permissions)

      1. Anonymous Coward
        Anonymous Coward

        Re: What is the exploit here?

        Quote: It is an Android fault (IMHO) as user control of access should have been there from day 1...

        From what I understand, this was the original plan, to have a proper access model.

        But the bigger players who Google wanted on board to write apps for the platform in the early days (at launch), wouldn't play ball, and refused to support the platform if users could control what an app did at a granular level.

        Now Google control the marker (by share), they've decided they are now in a position of strength, so have re-introduced what they wanted to do originally.

        I do like the new system, install an app with no, or very few permissions, and if you try use a service/function within that app that needs additional permissions, it asks you at the point of use, and you can choose to refuse and do without that function, or allow if it's something you want to add.

        And of course you can just list the apps current permissions from within the Android OS system settings, and deny specific permissions from there.

    2. dajames

      Re: What is the exploit here?

      Ok, the user installed an app that probably did something they didn't want it to but that's hardly android's fault.

      It's not the fault of the Android OS, per se, no.

      However, what we commonly see is that an app advertises itself as providing one useful feature but in fact also (or instead) does something quite different. That instances of such malware can get itself into the official Android store is the fault of the Android ecosystem, if not of the OS.

      That the Android OS doesn't (until Marshmallow) give the user any way to vet the permissions actually requested by an app, and deny them on a permission by permission basis, is a shortcoming of Android, if not a fault.

  5. Runilwzlb

    webOS to the rescue

    Its time to revive webOS and non-data-sharing apps. Oh, for the good-old-days when your data was YOUR data and not public property. Android...if your going to give these kinds of powers in your API's...someone's going to use them. Duh!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like