Android devs: If you're using the Google Play Core Library, update it against this remote file inclusion CVE. Pronto

Infosec bods from Check Point have discovered that popular apps are still running outdated versions of Google’s Play Core library for Android – versions that contained a remote file inclusion vulnerability. While Google patched the vuln in April, long before its public disclosure, Check Point found in recent research that it …

  1. Nate Amsden

    users may be more inclined to update apps

    If the developers (of both OS and apps) would develop versions that just have the security fixes not new features. Also sorely lacking is the ability to easily roll back as well.

    Having been burned too many times early on after switching to Android many years ago, I have had auto app updates off and only update when I really have to.

    Two cases in point. Ironically, both weather apps. Perhaps before their app was sold to IBM, they had a pretty good Android app. Then they improved it, I guess, and wrecked it pretty royally, in my opinion anyway. Fortunately I had a backup of the older version (v4.2) and it continued to work for several years (some MINOR things broke, but 85% of the app was workable, which was better than the new official version). I was actually quite impressed how long the older version lasted. I powered up my Note 3 just now with that app and it does not work anymore (no errors, just no weather data), but it did at least up until July 2019, when I moved to a newer phone as my daily driver.

    On my newer devices I switched to AccuWeather, which also had a really nice (in my mind anyway) user interface and worked well; I paid for the no-ads version. Then recently they revamped it. Wrecked it again (check the Google reviews, MANY complaints). Fortunately, again, I had a backup and reverted to the older version. For whatever reason, since I downgraded the notification bar doesn't update automatically anymore no matter what I do; I have to click a little icon on the bar to get it to update. But it works otherwise and again is better than the alternative of using their new app. They started sending popups in the app to get me to upgrade, but I have ignored them. Not sure if I will get lucky enough to be able to use this older version in the years to come, or if I'll need to find another weather app.

    1. Jamie Jones Silver badge

      Re: users may be more inclined to update apps

      I agree. I now automatically back up all my APKs so I can roll back if necessary.

      Unfortunately, there are at least 3 apps I no longer update because the newer versions are rubbish.

  2. Anonymous Coward

    apps or pages

    Yearly I have to review phone security and make company recommendations. Every year this recommendation is the same, but with more data to back my summary. Android should have been one of the most secure mini Linux OSes developed, but it's exploitable by design to allow data collection for marketing by the main developer, Goog. This has led to constant patching trying to block bad guys yet keep analytic data accessible. It's not secure, and can't be by design, for analytics. iPhones seem a little less exploitable, but still not trustworthy enough to put on the corp network unless we manage/restrict apps - and that isn't happening.

    There is so much room for this product category to mature, but I don't think that can happen while a marketing company is at the helm of software development and not security.

    I've seen some good small phone OS companies, but it's not something adoptable for us, and no matter what, people don't like being told they can't install apps as they please.

    I might be the only person I know that doesn't have any non-stock apps; web pages in place of apps work without managing. I have a shortcut for weather and whatnot. Besides, I spend all day at a PC, so I keep my phone as a phone. That doesn't work for everyone - for many people it's their only internet device.

    Anyways, fingers crossed security becomes as important to Goog as marketing data is. (But I ain't holding my breath.) Whatever.

    1. Claptrap314 Silver badge

      Re: apps or pages

      This. I was already highly dubious of "smart" phones when I went to work for the Goog in 2015. At the time, they had three classifications for devices on their network: "trusted", "untrusted", and "partially trusted". The Android phone that they issued me to do my job was classified "partially trusted". I concluded that G cannot secure Android. That's the only "smart" phone I've had.

  3. Lorribot Bronze badge

    This is one of the key benefits of open source software that is freely distributed.

    The devs can pick and choose which versions they want to stick with, as all the testing with new versions of all the libraries they use, as and when they are patched, means they get to decide how much of their customers' data they want to compromise, so they are in complete control.

  4. Jamie Jones Silver badge

    Android can block/revoke apps with discovered viruses etc. What's stopping them doing so for these cases?

    1. Alumoi Silver badge

      Users disabling Play Protect? And a truckload of Google services baked in every freaking app?

      Fun fact, Google Keyboard has 16 services of which only ONE is the actual keyboard.

      1. Jamie Jones Silver badge

        Well yeah, and of course users can ignore Play Protect if they want to, too. They could also sideload any old shite.

        That doesn't answer the question though. By your logic, Play Protect is no use at all, because it's possible to ignore its findings!

Biting the hand that feeds IT © 1998–2021