Android devs: If you're using the Google Play Core Library, update it against this remote file inclusion CVE. Pronto

Thursday 3rd December 2020 18:10 GMT Nate Amsden

users may be more inclined to update apps

If the developers (of both OS and apps) would develop versions that just have the security fixes not new features. Also sorely lacking is the ability to easily roll back as well.

Was burned too many times early on after switching to Android many years ago I have had auto app updates off and only update when I really have to.

Two cases in point. Ironically both Weather apps.

Weather.com perhaps before their app was sold to IBM had a pretty good Android app. Then they improved it I guess and wrecked it pretty royally in my opinion anyways. Fortunately I had a backup of the older version(v4.2) and it continued to work for several years(some MINOR things broke, but 85% of the app was workable which was better than the new official version). I was actually quite impressed how long the older version lasted. I powered up my Note 3 just now with that app and it does not work anymore(no errors, just no weather data), but it did at least up until July 2019 when I moved to a newer phone as my daily driver.

On my newer devices I switched to Accuweather, which too had a really nice(in my mind anyway) user interface worked well, paid for the no ads version. Then recently they revamped it. Wrecked it again (check google reviews MANY complaints). Fortunately again I had a backup and reverted to the older version. For whatever reason since I downgraded the notification bar doesn't update automatically anymore no matter what I do, I have to click a little icon on the bar to get it to update. But it works otherwise and again is better than the alternative of using their new app. They started sending popups in the app to get me to upgrade but have ignored them. Not sure if I will get lucky enough to be able to use this older version in the years to come, or if I'll need to find another weather app.

8 0 Reply
1. Friday 4th December 2020 00:44 GMT Jamie Jones
  
  Re: users may be more inclined to update apps
  
  I agree. I now back up automatically all my apk's so I can rollback if necessary.
  
  Unfortunately, there are at least 3 apps I no longer update because the newer versions are rubbish.
  
  1 0 Reply
Thursday 3rd December 2020 20:23 GMT Anonymous Coward

apps or pages

yearly I have to review phone security and make company recommendations. Every year this recommendation is the same, but with more data to back my summary. Android should have been one of the most secure Linux mini OS developed, but it's exploitable by design to grant data collecting for marketing by the main developer goog. This has led to constant patching tying to block bad guys yet keep analytic data accessible. It's not secure, and can't be by design for analytics. iPhones seem a little less exploitable, but still not trustworthy enough to put on the corp network unless we manage/restrict apps - and that isn't happening.

There is so much room for this product category to mature, but I don't think that can happen while a marketing company is at the helm of software development and not security.

I've seen some good small phone OS companies, but it's not something adoptable for us, and no matter what, people don't like being told they can't install apps as they please.

I might be the only person I know that doesn't have any non stock apps, web pages in place of apps works without managing. I have a shortcut for weather and what not. Besides, I spend all day at a PC, so I keep my phone as a phone. That doesn't work for everyone - for many people it's their only internet device.

anyways, fingers crossed security becomes as important to goog as marketing data is. (but I ain't hodin my breath) whatever.

5 0 Reply
1. Thursday 3rd December 2020 23:40 GMT Claptrap314
  
  Re: apps or pages
  
  This. I was already highly dubious of "smart" phones when I went to work for the Goog in 2015. At the time, they had three classifications for devices on their network, "Trusted, untrusted, and 'partially trusted'". The Android phone that they issued me to do my job was classified, "partially trusted". I concluded that G cannot secure Android. That's the only "smart" phone I've had.
  
  2 0 Reply
Thursday 3rd December 2020 22:13 GMT Lorribot

This is one of the key benefits of open source software that is freely distributed.

The devs can pick and choose which versions they want to stick with as all the testing with new versions of all the libraries they use as and when they are patched means they get to decide how much of their customers data they want to comprise, so are in complete control.

1 0 Reply
Friday 4th December 2020 00:47 GMT Jamie Jones

Android can block/revoke apps with discovered viruses etc. What's stopping them doing so for these cases?

1 0 Reply
1. Friday 4th December 2020 11:33 GMT Alumoi
  
  Users disabling Play Protect? And a truckload of Google services baked in every freaking app?
  
  Fun fact, Google Keyboard has 16 services of which only ONE is the actual keyboard.
  
  3 0 Reply
  1. Friday 4th December 2020 17:28 GMT Jamie Jones
    
    Well yeah, and of course, users can ignore play protect if they wanted to, too. They could also sideload any old shite.
    
    That doesn't answer the question though. By your logic, play protect is no use at all, because it's possible to ignore its findings!
    
    0 0 Reply