It looks like Loonib to me! Maybe she said no though
63 posts • joined 27 Oct 2011
"Could be, but I'd have expected them to be crowing about it as soon as Google pushed the update, especially once it had been pushed to Nexus devices. As it is, at least 3 months after release to ASOP, I'm not convinced."
From the article.
"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users," a Google spokesman told El Reg in an emailed statement.
And the reason they waited 3 months is probably to give OEMs a chance to push the update too.
Which phone and version of Android are you using?
When I had this problem on my S3 it was with every other application apart from Chrome. It looked like Chrome worked around the problem using their own clipboard buffer because Chrome would quite happily cut and paste while every application would crash or just not paste store anything in the clipboard.
"Granting permissions implies that the person using the app is experienced enough to know what all of that means."
If they're not, they're probably not experienced enough to to enable the installation of 3rd party applications that's also required.
I agree with your point about denying permissions by default though.
From the article..
"SpamSoldier infects smartphones and spews out thousands of SMS messages without the user's permission."
From the blog http://blog.cloudmark.com/2012/12/16/android-trojan-used-to-create-simple-sms-spam-botnet/
"Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages"
From the Symantec article
"To send a spoofed SMS message there is no need to send a text message over the air. In fact, a message is never sent or received, instead, the system service in charge of receiving text messages is tricked into thinking a message has arrived—and it will happily store the text message and notify the user of the event. One can specify any arbitrary "from address" for the SMSishing attack and no special permissions are required to insert a spoofed message."
Based on the number of actual SMS messages that I receive with SMSishing attacks in though, it's nothing new.
That reminds me I must find out what's happening about my PPI claim. Funny thing is I don't remember taking it out...
Yes, some of this is exploited using Intents that apps have exposed and it is a powerful mechanism but as the paper says it's not tightly controlled on some of the applications. If an application is exposing a function that requires permission, the application (or ideally Android itself) should check that the requester has sufficient authority. It's the equivalent of locking your front door but leaving your windows open.
And your statement that "If anyone is that concerned it is fairly trivial to decompile applications to see what they are up to" is quite frankly ridiculous. Are you seriously suggesting that the average Android user would be able to decompile and understand what an application is doing?
Actually it appears to be that there are applications installed on these phones that expose an unprotected public interface for doing things that are usually protected by the permissions system. For instance rather than getting permission to make a call, a malicious application could just broadcast a particular message (for which it doesn't need permission) and the rogue application picks up the message and makes the call.
The Nexus rogue application doesn't actually sound too serious. Apparently a malicious app can uninstall the com.svox.langpick.installer application! Which sounds like it stops you installing voices for the speech synthesiser.
1 - It depends where the app is storing it's data. I believe the memory usage in the settings screen shown just indicates memory used by the application in it's "authorised" storage area. It could look to see if an SD card is available and store it there in which case it wouldn't show up on that screen.
Biting the hand that feeds IT © 1998–2020