Malicious Android apps slip into Google Play, top third party charts Malicious Android applications have bypassed Google's Play store security checks to enslave infected devices into distributed denial of service attack, advertising fraud, and spam botnets. The apps are legitimate games that in some stores outside of Google Play have made it to highly-contested top free games charts. …
Android's shoddy approval system ("access files == access all files" for example) and the lack of permissions-on-action is the reason that my "smart phone" is most decidedly dumb. Two extra apps and that's my lot: every download is a risk I am not prepared to take. Hell, I don't even allow vanilla google apps to keep on with their rampant rights bloat - there are an ever growing list of google apps I haven't updated in months due to extra permissions.
They aren't thick, so the fact google doesn't seriously revisit the permissions suggests they don't want to for internal reasons. Tin-foil hat time?
If you are running an up to date android then it asks for permissions as the app needs them which you can refuse on an individual basis or retrospectively. Also access to files != access to all files.
Depending on the file type and location files are secured to the individual app.
These games were asking for admin access and root permission - for a game, ffs!
Google do provide a decent update system. They provide all the code for their latest OS in full regularly. They also post security updates releases regularly.
All the manufacturer has to do is make their own customisations and add their drivers and away they go. Cyanogen seem to do a pretty good job of it for a large range of devices.
There are a number of difference with Microsoft and WIndows. WIndows OS is proprietary and noone is allowed to change the source code. Therefore they can just release the binary update knowing that the updated software will be the same. Third parties have to conform to the Windows interfaces, it is not the fault of Microsoft if a new version of Windows is not compatible.
It is completely up to manufacturers what parts or changes they make to Android so would not be impressed if Google rolled out an update that undid their changes. If they go stock then they could roll out OTAs in a few weeks for their devices and easily within the same timeframe as the Nexus devices get it.
Also if you look at the Windows 10 fiasco where Microsoft are steamrollering the user and causing all sorts of misery , then I don't think the Microsoft model is the one to follow.
It's not really a very good way of updating at all. They all use libstagefright, it should be possible to check if it's unmodified or if it's been customised and if it's unmodified (and I'm sure it will be) then that can be updated from Google. It shouldn't be necessary to have to wait for the manufacturer or the operator to do it (if they ever do).
No, it's not too difficult a problem to solve, Microsoft manage to update windows.
Leaving aside the fact that Microsoft manage to make a right pig's ear out of Windows updates, from time to time, even when they're not trying to force-feed one with Windows 10 ... the problems are not the same.
Windows is Windows. Virtually all of the updates that Microsoft shift through Windows Update are updates for Microsoft software that has not been touched by anyone else (the remaining tiny fraction consists of updates for third party device drivers that are shipped with Windows by Microsoft).
Android is not sold unaltered by (most) OEMs. The likes of Samsung and HTC apply their own user interface layers (TouchWiz, HTC Sense, etc.) to the software and these too need to be patched. That requires extra work by the developers at the OEM -- work that often isn't done because the engineers responsible are busily working on applying those layers to newer versions of Android and haven't time to go back and patch legacy (i.e. more than six months old) versions.
The majority of Android devices are phones, and many of those (in the UK, at least) are sold by the airtime providers, who add their own customizations to Android. These customizations may also need to be patched and, as with OEMs, the skilled staff needed to apply the patches and test the resulting code are busy elsewhere.
Android is Open Source, anyone can build an Android version without a contract with Google. Those OEMs who preload their devices with Google's Android applications and provide access to the Play Store must have a contract, and Google could amend the terms of that contract to make the OEMs liable to a stiff financial penalty if they didn't apply patches and reissue firmware within a stipulated timescale. However, Google don't have contracts with OEMs that don't bundle their apps, and don't have contracts with the airtime providers, so they have no leverage there.
Yes, this update system is deficient. Google are aware of that, but there's a limit to what they can do about it. They now provide a lot of support functions in the shape of a monolithic process called "Google Services" and that remains under their control, with the result that it can be patched via the Google Play update mechanism regardless of any (unpatched) OEM code that may be running, and this helps but only on devices that have Play Store access. It is unfortunate that whenever Google bring more functionality under the auspices of Google Services they get criticised in the press for exerting yet more control over the platform
Sounds like you know nothing about android at all. Access files permission does no such thing. Android is extremely secure, every app is sandboxed from every other app. App A can't read app B data in any way whatsoever. App A , could if it wanted (and had permission to) write sharable data to an external SD card. App B could, if it had permission to do so, read that sharable data. By default however all data is private and sandboxed to only that app. Uninstall the app, the entire app and its private data is wiped, no reliance on crappy windows style uninstallers.
Looking at iOS and Android , Android has a far superior set of security safeguards, but due to its widespread adoption (nearing 90%) everyone wants to cash in, checkpoint included..
Form the developer documentation: "Caution Although the directories provided by getExternalFilesDir() and getExternalFilesDirs() are not accessible by the MediaStore content provider, other apps with the READ_EXTERNAL_STORAGE permission can access all files on the external storage, including these. If you need to completely restrict access for your files, you should instead write your files to the internal storage".
Sounds like you need to read the permissions somewhat better.
The most annoying thing about this is the fact that Android does not allow disabling the internet access on a per-app setting. Most other permissions can be blocked but ads require internet to work, so this cannot be blocked.
That's why the first thing you do with Android is to root it, wipe the bloatware (Google crap included), replace the keyboard app with Hacker's Keyboard, install AdAway, AFWall and DisableService
Problem solved! No more keystrokes sent to the mothership, no more ads in apps, a great firewall and a way to disable any service from any app.
What a joke. It's hilarious all the security vendors clambering to scare people into buying their Android products. Don't they understand that the more the post this nonsense, there less credibility they have and the LESS likely anyone with even half a brain brain will take them seriously.
What a joke. It's hilarious that advertising business scrambling to reasure people they're safe when they buy Android products. Don't they understand that the more they post this nonsense, the less credibility they have and the LESS likely anyone with even half a brain brain will take them seriously.
My Android phone is going to be fine, I upgraded it to an iPhone 6s+ and switched to a less-assholy carrier; t-mobes. The old S4 and other Sammy devices will have their ears nipped and no longer will they be allowed to roam on the open Internet, with a capital i, no less. Samsung just doesn't give two shits about their crap after they make the sale. Period. One fucking OS update in three years of use! Samsung is not worthy to smell my old phone case, let alone fool me again with orphan devices. Google should have forced-fed the OS updates through these idiots, and not allowed them to sit on the updates forever.
Well, that's why I've never bought a Samsung. I've had a couple Nexus and a couple Motorola devices that have been fairly well updated, and also don't have TouchWizz.
My problem is I usually root my devices, which means you say goodbye to updates anyway.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
