"I'm just letting you know this message appeared on my Norwegian Samsung XCover 4,"....
That wouldn't happen to be the Samsung GALAXY Xcover 4 would it?
Concern is growing over the security of Samsung's Android infrastructure after readers from around the world told The Register that yesterday's Find my Mobile push notification affected them – including on devices where the offending app was disabled. Readers from as far afield as New Zealand, the US, Scandinavia and even …
Just another demonstration of how little you actually "control" your mobile phone.
All the big names are doing it, it's just this time it's Samsung that got caught. Somebody fat-fingered a config file and notifications were sent when they shouldn't have been.
It'll be interesting watching how Samsung is going to try to weasel its way out of this one.
I'm not sure whether the hacks at Vulture Central have used some third-party software or similar to disable the Find My Mobile app, but it is a "system app" which I don't think can be disabled through the regular Settings... (based on an S9, I can force stop it but the Disable option is unavailable... YMMV).
Don't know whether there's some option, once you've signed in with a Samsung Account, to say "I don't want Find My Mobile"... but since I have no intention of ever registering for one, I don't know...
(Not even the manky looking carrots that are being able to make the Bixby button do something useful, or having Samsung's bloatware automatically update has tempted me that way...)
I'm not sure whether the hacks at Vulture Central have used some third-party software or similar to disable the Find My Mobile app, but it is a "system app" which I don't think can be disabled through the regular Settings... (based on an S9, I can force stop it but the Disable option is unavailable... YMMV).
Don't know whether there's some option, once you've signed in with a Samsung Account, to say "I don't want Find My Mobile"... but since I have no intention of ever registering for one, I don't know...
I deleted the app from my Xcover 4 after this little incident. Not sure if it's a system app as it no longer exists on my phone to check. I don't have a Samsung account either for that matter. Maybe you have to buy a top of the range phone for that app to be undeletable.
Not just DEFCON, but also any contact or contactless payment card. They all run on smartcards, with OS, RAM, flash memory and CPU. They're powerful little things for something you can wirelessly power (think implants... that's my field).
They don't generally have ints but the main work done on smartcards is cryptography - byte arrays and the like see heavy use in JavaCard.
SIMs directly communicate with the baseband too - the phone doesn't see or know about communication and remote push of applets and the like via a remote APDU interface.
Yes, the abysmal security of SIMs is well-documented - the SimJacker vulnerability and other issues with the S@T Browser were big news last year, and LaForge's presentation from 36C3 goes into some other weaknesses.
But what does that have to do with the post you replied to? It was about software on the main device, which is a different part of the attack surface.
Is that how notifications work? I thought notification delivery was Google and Apple's job and they wake the app to handle it.
Otherwise all apps would be polling. If you try that your app gets accused of being a battery drain.
This was one of my main reasons for leaving the Android ecosystem. Even on the Nexus type phones there was too much squirrely nonsense about zombie process, locked applications, and hidden surprises.
I'm pretty sure this is hitting the Reg close to home too, as they have received at least one high profile leak of classified material.
Hopefully the "Disabled-not-removed" code wasn't sending location data, and just listening.
This was one of my main reasons for leaving the Android ecosystem.
I would think about it but there doesn't seem to be an alternative.
My first workphone was a Blackberry. They had a possible something in the works.
Nokia were working on something when MS destroyed them.
I thought the Windows Phone looked promising.
The various Firefox and other Linux variants seem to have vanished.
The only possible future alternative may be Huawei and that depends on Trump staying in office indefinitely and I doubt many want that...
This was one of my main reasons for leaving the Android ecosystem. Even on the Nexus type phones there was too much squirrely nonsense about zombie process, locked applications, and hidden surprises.
Not that any of the other options are paradise. Allowing Google to suppress and control the phone OS market is a tragic mistake. No one other than Apple can survive against a free OS backed by Google, and no new challengers can enter the market. Hopefully the EU will lead the way on an antitrust suit.
I'm pretty sure this is hitting the Reg close to home too, as they have received at least one high profile leak of classified material.
Hopefully the "Disabled-not-removed" code wasn't sending location data, and was just listening.
I think the failed code will be server-side, not on your handset. Notifications work by pushing a message to Google. Google maps from the app's ID to your phone and Google pushes the notification to the phone. Wrong way for location data to be involved.
It can be pull; given stories of disabled apps receiving the message, it seems unlikely.
Probably a test by our Alien Overlords to make sure they still have access to all the Samsung phones. Hell, even the Alien Overlords don't trust Samsung to not fuck up the phones with shitty updates.
There's likely a big attack coming soon. From space. But today's Friday, so time for beer.
Edited to add: what makes it weirder (or more understandable) - I just checked and my Galaxy S8 now says it has System Update 32 to install.
It's possible to remove most of the Samsung junkware from a phone by removing it from the current user profile. The software is still on the system, but it is not running for the user. The same goes for other vendors' junkware/shovelware of course. This does require enabling USB debugging and the ADB tools but is pretty easy, if rather beyond the average user. Importantly it's not rooting the device therefore applications that depend on non-rooted devices work fine.
Doing so made a previous Samsung phone of mine operate very smoothly and have enough battery life for a day plus compared to the jittering half day battery experience that it came with out of the box. Replacing the camera app with Open Camera completed the transformation from a really disappointing and mediocre device to one that worked quite nicely.
Needless to say, I dropped the phone on the floor shattering the display a week or so after doing this...
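The per-user removal described in the comment above, sketched as an added example that is not part of the original thread or the commenter's own commands. It assumes `adb` is on the PATH with USB debugging authorised; the package names are supplied by whoever runs it, and none are taken from the thread.

```shell
#!/bin/sh
# Added example: remove vendor packages for user 0 only, over ADB, without root.
# The APK stays on the system partition, so the change is reversible.

# Print the package names installed for user 0, one per line.
installed_for_user0() {
    adb shell pm list packages --user 0 | tr -d '\r' | sed 's/^package://'
}

# Remove one package for user 0.
# Returns 0 on success, 1 if the package is not installed for that user,
# 2 if the package manager refuses (for example a protected package).
remove_for_user0() {
    pkg=$1
    if ! installed_for_user0 | grep -qxF -- "$pkg"; then
        echo "skip: $pkg not installed for user 0" >&2
        return 1
    fi
    out=$(adb shell pm uninstall --user 0 "$pkg" | tr -d '\r')
    if [ "$out" != "Success" ]; then
        echo "fail: $pkg: $out" >&2
        return 2
    fi
    echo "removed: $pkg"
}

# Undo a removal: re-enable the still-present system copy for user 0.
restore_for_user0() {
    adb shell cmd package install-existing --user 0 "$1"
}

# Usage: ./debloat.sh <package> [<package> ...]
# Exits non-zero if any package could not be removed.
rc=0
for p in "$@"; do
    remove_for_user0 "$p" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

A factory reset or some system updates reinstall the packages for user 0, so the list is worth re-checking with `installed_for_user0` afterwards.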
Never mind. Reminisce about the bad old days.
Not using Internet on my phone goes a long way and turning off any notification (that can be turned off) also helps. Just phone calls, SMS and camera that's all I need and use. I regularly delete without reading any SMS that does not come from someone I know and I don't have any account for email or social media on my phone. Yes, they can still have some data about my location but there's no way they can show me ads.
Well, maybe they meant it was "limited" to every Galaxy branded device ever produced?
"Limited" is such a wonderfully vague word that has the effect of sounding reassuring to the vast majority of people and rarely means anything useful, especially in a PR context.
Same notification, never even set up the app. Assumed it was just a glitch, but perhaps it was someone accidentally sending a test notification globally instead of just to a test build. In fairness, if it was easy to 'disable' an app of this sort, it might pose some rather big problems in cases of theft - but I'd definitely prefer Samsung to explain exactly what happened rather than leaving the community to FUD itself into a panic.
Same here with a German S10e. I don't have a Samsung Account set up on the device, so whilst they didn't have my details to display on someone else's profile page, they still had control of my phone. I (theoretically) use the "find my phone" service of my selected antivirus provider, not the built-in one. Prior to this I assumed the built-in one would be inactive, but now I realise it's not only active, but there seems no way to fully disable it.