Any flaw that requires physical access to exploit is important to fix but for most situations a yawner. This will only become critical when the phone is lost, stolen, or in the hands of your local Stasi.
Security researcher Jon Sawyer says a limited backdoor has been found in some Foxconn-manufactured Android phones, allowing attackers to root phones they have in hand. The backdoor is the result of a debugging function left over in Foxconn apps bootloader code which can be exploited by attackers wielding appropriate software …
Indeed. It's a service to have that feature in there. A lot of people want to root their phone for various reasons (most common one I've heard is to get rid of all the shovelware in there). Granted, I've been lucky with Android devices so far in that none of them have the duff in there, but several people I know bought cheap Android phones (as well as not so cheap ones - I'm looking at you, Samsung and Lenovo!) that are chock full of those, and the only way to remove them is to root the device and then remove the junk APKs from the system image.
"Concentrate on making the encryption secure"
Actually secure encryption on a mobile device is mostly an illusion. Encryption always requires you to have a secret which is unguessable. However entering a secret is virtually impossible on a touchscreen. Even if you could use a strong passphrase, since your device will be always on, you can often just fish the secret out of RAM.
Storing a secret in a security chip doesn't solve the problem, as there are multiple attacks against chips these days. Pay-TV companies use the most secure chipcards you can have on a budget, and yet they have in the past regularly broken their competitor systems.
So actually your chances of security are best if you root your device and install some proper Linux OS. Once you have iptables you can enforce actual security by only allowing your device to talk to your server. (big security benefit!) Then use ssh with public key authentication and make the server erase your key regularly so you are forced to rekey.
Linux? Please, I've been running Linux on my desktop since the turn of the century but I'm not dumb enough to believe that Linux adds some magic invulnerability to security issues. IPtables and SSH do fuck all to help you against an attacker with physical access.
A security chip may not be 100% unbreakable, but if used properly the phone is WAY more secure than it would be if you rooted it and installed Linux. I don't know what pay TV companies you're talking about, but in the US Directv's system hasn't been broken since they were hacked in the early 2000s and revamped their security. And given they have stuff like the NFL Sunday Ticket exclusive, I'm sure many have tried to hack it.
"if used properly the phone is WAY more secure than it would be if you rooted it and installed Linux."
I'm sorry, but unless you root your phone you cannot even prevent your vendor from installing new malware via the update feature, or your browser from exposing its security bugs to the web.
You probably mean "adb" which is the Android debugging utility which runs on PCs.
Yes, I've noticed several phones that let you ask for a root shell from adb, and production phones aren't supposed to do that. It's even documented:
"adb root - restarts the adbd daemon with root permissions"
You're SUPPOSED to get "adbd cannot run as root in production builds" however.
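For anyone who wants to check a handset they own against the production-build behaviour described above, here is an added example (not part of the original thread) that audits saved `adb shell getprop` output. The property names are standard AOSP build properties and both sample dumps are constructed, not taken from a real device.

```python
import re

# Values a production ("user") build is expected to report. The property
# names are standard AOSP build properties (an assumption of this example;
# the thread itself only mentions "adb root").
EXPECTED = {
    "ro.build.type": "user",
    "ro.debuggable": "0",
    "ro.secure": "1",
    "ro.adb.secure": "1",
    "ro.build.tags": "release-keys",
}
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Parse `[key]: [value]` lines as printed by `adb shell getprop`."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props):
    """Return (property, actual, expected) for every deviation."""
    return [(k, props.get(k, "<missing>"), want)
            for k, want in EXPECTED.items() if props.get(k) != want]

def adb_root_allowed(props):
    """adbd keeps root only on debuggable builds or when ro.secure is 0."""
    return props.get("ro.debuggable") == "1" or props.get("ro.secure") == "0"

# Constructed sample output, not captured from a real device.
SAMPLE_DEBUG = """\
[ro.build.type]: [userdebug]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [1]
[ro.adb.secure]: [0]
"""
SAMPLE_PROD = "".join("[%s]: [%s]\n" % kv for kv in EXPECTED.items())

if __name__ == "__main__":
    for name, text in (("debug", SAMPLE_DEBUG), ("prod", SAMPLE_PROD)):
        props = parse_getprop(text)
        print(name, "adb root allowed:", adb_root_allowed(props))
        for finding in audit(props):
            print("  %s = %s (expected %s)" % finding)
```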
"As we talked of salty meat and Turkish Bob, I began to sweat and dribble, the shop became a giddy plughole of plastic, price cards and a father and child asking if I had finished with the lap top, I opened my mouth to answer but words don’t really form in a boiling geyser of pork..."
I suspect I'm not alone in being reminded of this.
If they aren't able to reliably remove debugging, how abysmal is the rest of the code?
Every proper bit of source code I've seen has all the debugging functions in an #ifdef block right at the top that contains all debug definitions. The Linux Kernel does it, MySQL does it, KDE does it, even Windows does it, so if software of that scale can do it, why the hell isn't Foxconn doing it?