Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Drive-by Android Malware Exploits Unpatchable Vulnerability

timothy posted about 6 months ago | from the bad-people-are-out-there dept.

Android 120

An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."

cancel ×

120 comments

Sorry! There are no comments related to the filter you selected.

there must be evidence (-1)

Anonymous Coward | about 6 months ago | (#46299737)

this lady is gay so she says http://youtu.be/IJcOWQ1rym8

errr that's Unpatched not Unpatchable (3, Informative)

Anonymous Coward | about 6 months ago | (#46299761)

it was fixed in v 4.2 so it is patchable
QED

Re:errr that's Unpatched not Unpatchable (0)

Anonymous Coward | about 6 months ago | (#46299843)

not every phone has the ability to get to 4.2 though... mine is 4.1.2 :(

Re:errr that's Unpatched not Unpatchable (5, Interesting)

Penguinisto (415985) | about 6 months ago | (#46299959)

it was fixed in v 4.2 so it is patchable
QED

Not exactly QED: Most Android phones are unpatchable due to the carrier not giving a damn (for various reasons), the phone hardware being too old (or too low-end), and/or the manufactuer not giving a damn (they'd prefer you buy a new phone from them instead). There are of course jailbreaks, if your carrier doesn't cut you off for using it, and if there's one that works on your phone, and if you have the technical 'oomph to install it without bricking the thing.

To put it bluntly? Unless you paid at least $300 for your Android smartphone and it's less than 3 years old (if you're lucky), you're pretty much screwed.

(Before anyone gets butthurt about it, no, I don't own an iPhone. I have a cheap Android device, but as I bought it recently, it has 4.2 on it.)

Re:errr that's Unpatched not Unpatchable (0)

Anonymous Coward | about 7 months ago | (#46300705)

So, a better title would be:
  "It's a problem we could fix but we won't cause you're in our slave OS contract (ha ha ha) so we'll call it unmatchable to confound the simple folk."

Re:errr that's Unpatched not Unpatchable (0)

Anonymous Coward | about 7 months ago | (#46300725)

you mean unpatchable not unmatchable - I presume

Re:errr that's Unpatched not Unpatchable (4, Informative)

Nemyst (1383049) | about 7 months ago | (#46300879)

With 4.4 a lot of low-end phones could technically be supported when they couldn't run 4.3. The largest hurdles are carriers and manufacturers dropping support after an obscenely short time.

Re:errr that's Unpatched not Unpatchable (2)

chuckugly (2030942) | about 7 months ago | (#46300927)

Cyanogenmod

Re: errr that's Unpatched not Unpatchable (-1)

Anonymous Coward | about 7 months ago | (#46301441)

Yeah.. if you don't want half the shit on your phone to work any more, sure.

Re:errr that's Unpatched not Unpatchable (5, Informative)

pepty (1976012) | about 7 months ago | (#46301567)

Chrome. Or firefox. Or Opera ... So long as you skip the Android browser (and Webview) the exploit can be avoided.

Re:errr that's Unpatched not Unpatchable (3, Informative)

GNious (953874) | about 7 months ago | (#46302073)

There is an unofficial Cyanogenmod version for my phone - the instructions for installing it is incomplete, and refers to multiple articles that basically lead in circles.

Wrong metrics (1)

Vlijmen Fileer (120268) | about 7 months ago | (#46301159)

My HTC phone, ~1 1/2 years old, ~$400,- is and will remain stuck at 4.1.2.
And not supported by Cyanogenmod or anything else.

Re:Wrong metrics (1)

ChunderDownunder (709234) | about 7 months ago | (#46301243)

Did you check xda forums?

e.g. My HTC phone is 2.5 years old but volunteer(s) produce an unofficial port of CM 11. (Which you wouldn't know by looking at the Cyanogenmod home page)

err not 4.2 (2, Informative)

nazsco (695026) | about 7 months ago | (#46301337)

The still most widely deployed version, 2.3, is fine. At least if you don't run apps with ads, but then, there's no hope left for you anyway.

Nobody mentions which version introduced the bug in the browser, but I'm guessing it's 3.1. But i know very little.

Re:errr that's Unpatched not Unpatchable (2)

gl4ss (559668) | about 7 months ago | (#46301493)

switch to a different web browser...

only fix, really. and make sure it doesn't use the built in webkit renderer.

Re:errr that's Unpatched not Unpatchable (1)

GNious (953874) | about 7 months ago | (#46302063)

Not exactly QED: Most Android phones are unpatchable due to the carrier not giving a damn (for various reasons), the phone hardware being too old (or too low-end), and/or the manufactuer not giving a damn (they'd prefer you buy a new phone from them instead).

Should be trivial enough to remind the relevant party that if you get hacked from a severe bug they are aware of and not fixing, that you will hold them liable...

Re:errr that's Unpatched not Unpatchable (3, Insightful)

aztracker1 (702135) | about 6 months ago | (#46300165)

Given that the manufacturer and carriers are distributing software devices without proper updates for at least the expected life of the device (2 years at least for the terms of a contract), perhaps a massive lawsuit is in order?

Re:errr that's Unpatched not Unpatchable (1)

exomondo (1725132) | about 7 months ago | (#46300679)

it was fixed in v 4.2 so it is patchable

There's no patch for the vulnerable versions though.

All software is shit (1)

Anonymous Coward | about 6 months ago | (#46299763)

Can we PLEASE work on writing CORRECT code before adding ever more features?

Re:All software is shit (0)

Anonymous Coward | about 6 months ago | (#46299851)

Can we PLEASE work on writing CORRECT code before adding ever more features?

No. -Sofware Devlopers Association of America

Because... (1)

Anonymous Coward | about 6 months ago | (#46299919)

Because all those Indian programmers produce perfect code *rolls eyes*

Re:All software is shit (0)

Anonymous Coward | about 6 months ago | (#46299957)

Can we PLEASE work on writing CORRECT code before adding ever more features?

No. -Sofware Devlopers Association of America

That will take another year - software developers association of america
If you don't push this shit out the door and get started on the new Big Thing we'll find someone who will - software developers' bosses association of america

Re:All software is shit (1)

suutar (1860506) | about 7 months ago | (#46301551)

No. -Software Marketing Association of America

My first FTFY! :)

Re:All software is shit (0)

Anonymous Coward | about 6 months ago | (#46299991)

Tell that to the PHBs that kept changing specs throughout development.

Re:All software is shit (0)

Anonymous Coward | about 6 months ago | (#46300037)

Tell that to the PHBs that kept changing specs throughout development.

Heck, I've seen specs changed though verification.... That's skill... That's Agile...

Re:All software is shit (2)

Penguinisto (415985) | about 6 months ago | (#46299993)

Can we PLEASE work on writing CORRECT code before adding ever more features?

Welcome to the consumer electronics industry! You must be new here, so I'll try to be helpful: these things are, in the industry's eyes, disposable. Bugs and vulns simply mean that the next phone models will get the fixes, and unless you shelled out enough money for yours? You most likely won't.

Re:All software is shit (1)

Krojack (575051) | about 6 months ago | (#46300111)

Also when you get something this complex, you will never be able to have it 100% perfect IMO. If we followed the OP's method, we would never get new features.

Re:All software is shit (0)

Anonymous Coward | about 7 months ago | (#46301533)

That isn't in the contract with the offshore provider. If you want that, you have to ditch the $18,000/year H-1Bs and actually hire Europeans or Americans who actually have experience as opposed to whatever cheap group gives the lowest bid.

Re:All software is shit (0)

Anonymous Coward | about 7 months ago | (#46302133)

No operating system would have anywhere near the current features that they have if they fixed every single bug.

All rooted / jail broken device has been hacked and is exploitable by malware. (note: this doesn't apply if the OS natively supports root / admin access natively like Windows)

Do you know of a phone or tablet that hasn't?

Fragmentation not an issue eh? (5, Interesting)

Anonymous Coward | about 6 months ago | (#46299841)

Some carriers still sell android 2.x devices. If you don't buy a mainstream/high end device your phone will likely never see a patch, ever.

Not saying my iphone is invulnerable, but my almost 4 year old iphone4 still gets patches. So does my 5s, and I expect it will 3-4 years from now.

And no, normal users can't and don't install Cyanogen. Sorry.

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 6 months ago | (#46300003)

This will perhaps finally break Android's staggering left-behind numbers, once someone writes malware to abuse such an unpatched issue in a way that effects people in a serious way (not just people installing illegal or otherwise wildly non-mainstream apps).

And, just maybe, it will happen to someone in the media that will start a witch hunt to blame the carriers and manufacturers for not patching their devices.

Re:Fragmentation not an issue eh? (4, Interesting)

Penguinisto (415985) | about 6 months ago | (#46300087)

This will perhaps finally break Android's staggering left-behind numbers, once someone writes malware to abuse such an unpatched issue in a way that effects people in a serious way (not just people installing illegal or otherwise wildly non-mainstream apps).

No, it will more likely drive the average consumer to buying iPhones (if they have the money) or WinMo devices (if they don't.)

You see, people aren't all that technically in-depth, and so they're not going to (rightly) blame the manufacturers or carriers for blocking patches/upgrade - they'll blame "Android", and avoid it like the plague, even if the newer versions are fully patched against it.

Re:Fragmentation not an issue eh? (1)

Gavagai80 (1275204) | about 7 months ago | (#46300453)

This is true, but hopefully the companies making android phones eventually notice the lack of repeat sales and connect the dots and start offering updates. Okay, that may be unrealistically optimistic.

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 7 months ago | (#46302139)

That's not even true, which is the funniest part.

Most people won't know what's going on and will simply chalk it up to being an old device and just buy a new one.

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 7 months ago | (#46302455)

people aren't all that technically in-depth

they'll blame "Android"

no... actually people that "aren't all that technically in-depth" likely have no idea what Android is... if anyone has a problem with their phone, they ALWAYS first blame who they bought it from, and if that's not the carrier (might be a reseller, agent, etc) then the next most blamed is the carrier.

out of the relatively small percentage of phone users that know what Android is, there is an even smaller percentage that know who Android is... and people don't generally blame things; they much prefer to blame other people

it will more likely drive the average consumer to buying iPhones (if they have the money)

you wish

money talks... always

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 7 months ago | (#46303197)

Yeah, it'll be just like how everyone blamed "Windows" and moved away from that platform..

Re:Fragmentation not an issue eh? (1)

Krojack (575051) | about 6 months ago | (#46300145)

I would guess less than 3-4 years. My first gen iPad stopped getting updates a while back. I really could care less though as it just collects dust.

Also if the iOS source was leaked, I bet there would be more holes in it than pores on your face. Just a guess though.

Re: Fragmentation not an issue eh? (1)

Karlt1 (231423) | about 7 months ago | (#46302705)

It's a bug in the Webview. The source code for Apple's implementation of Webkit is open source as well as the kernel (Darwin).

Re:Fragmentation not an issue eh? (4, Insightful)

vux984 (928602) | about 6 months ago | (#46300223)

Not saying my iphone is invulnerable, but my almost 4 year old iphone4 still gets patches.

The iphone 3GS was discontinued in september 2012 (as in up until sep 2012 people were still buying them new on 2 year contracts usually "free") and it isn't supported with ios7 released in september 2013 one year later.

Don't get me wrong, Apple is by far one of the best phone manufacturers out there for longevity of software updates for phones, but even they drop support on users who would still be under contract, only 1 year in.

As for android... that's not really an android vs ios thing, that Apple vs Samsung etc. There is nothing preventing a good Android manufacturer to provide patch longevity, and some phones have been well supported by some manufacturers.

But sure, again, I readily concede that a lot of android manufacturers have really dropped the ball there.

On the other hand, apple supports like 2 skus at a time. Android collectively covers dozens of skus available at any given time, all over the feature and price map and I prefer having that range of choices, even if some of the choices are crap.

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 7 months ago | (#46300467)

This is not a fragmentation issue. Unless you count the fact that the exploit doesn't work on 2.4 as fragmentation.

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 7 months ago | (#46300685)

And no, normal users can't and don't install Cyanogen. Sorry.

Sometimes a user needs to empower themselves rather than just wait for someone else to fix their problems (if ever). Rooting and installing a ROM like CyanogenMod (not Cyanogen, the correct spelling of which you didn't even bother to check) is the easiest it's ever been for Android users. Taking control over your own hardware is a necessity for the sake of freedom. It takes more effort and time, absolutely, but again it's for the sake of freedom. You apple fuckheads would never appreciate it.

Re:Fragmentation not an issue eh? (1)

noh8rz10 (2716597) | about 7 months ago | (#46300861)

you're right, i guess I'm a fuckhead because I don't appreciate what you're saying. what do you mean about for the sake of freedom? Do you mean like in a political way? not trolling, please tell me more..

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 7 months ago | (#46301563)

I wasn't even replying to you (unless you're the OP and just hadn't logged in before). But if you must know - it's a situation where Android users have the ability (the freedom) to perform updates on their own, indeed, updates that their carrier might not even provide or allow, simply because of the open nature of Android and all the ROMs that have been created (never mind the Google proprietary apps, that's another story entirely). This means you can easily keep up to date with the latest updates... but only if you're sufficiently interested in doing so (i.e. willpower). Apple provides a much greater chance of your device being a target for updates, absolutely, but this is only due to their tighter level of control. In return you give up some level of freedom so that they can play mommy and daddy and look after you more. A lot of people are happy to give up this freedom in order to be babysit, but it's empowering to know you can be free to...

Ah fuck it. I'd rather fuck Amanda Knox and be murdered by her than try to explain this all to a fuckhead like yourself.

Re:Fragmentation not an issue eh? (0)

Anonymous Coward | about 7 months ago | (#46302021)

You forgot to mention (conveniently, I'm sure) of the multiple exploits available only on iOS that are unpatched in the wild right now. My company can't even allow iDevices onto the network anymore because some employees have such a high infection rate.

Attention Fanboys (1)

Anonymous Coward | about 6 months ago | (#46299875)

Android: Tell me again why you think your platform is more secure when the vast majority of the user base cannot access software updates?

BlackBerry: Anyone at BlackBerry can easily intercept everything your phone does, so don't even try.

iOS: No, your fingerprint scanner does not make your phone more secure. Get over it.

Re: Attention Fanboys (1)

Anonymous Coward | about 6 months ago | (#46300011)

If that is the only point you have regarding iOS, its users can stay happy and sleep tight.

Re:Attention Fanboys (1)

tlhIngan (30335) | about 7 months ago | (#46301955)

iOS: No, your fingerprint scanner does not make your phone more secure. Get over it.

Apple doesn't say its safer. In fact, Apple considers LESS safe than the PIN, because you can always enter the PIN. Or if the reader fails to get a valid fingerprint, you need the PIN to unlock. Or if you reboot. PIN trumps reader every time

The only way it's "safer" is that it encourages you to use a PIN where you might not have used one before because it's less annoying to unlock.

So if the option was PIN or slide to unlock, most people picked slide to unlock. However, PIN+Fingerprint makes it just as easy to unlock as slide to unlock, you may just use a PIN and secure your phone just that bit better.

It's why Android's pattern unlock is probably the most popular lock system - it's just only an itty-bit more complex than slide to unlock.

Re:Attention Fanboys (2)

teg (97890) | about 7 months ago | (#46303225)

iOS: No, your fingerprint scanner does not make your phone more secure. Get over it.

Apple doesn't say its safer. In fact, Apple considers LESS safe than the PIN, because you can always enter the PIN. Or if the reader fails to get a valid fingerprint, you need the PIN to unlock. Or if you reboot. PIN trumps reader every time

The only way it's "safer" is that it encourages you to use a PIN where you might not have used one before because it's less annoying to unlock.

Another big advantage: Since you don't have to enter it as often, you can use a password rather than a pin. I exchanged my 4 digit pin code for an alphanumeric password of length 9 after I got a 5s. Thus, it has increased safety for my phone.

Re:Attention Fanboys (1)

teg (97890) | about 7 months ago | (#46303253)

Android: Tell me again why you think your platform is more secure when the vast majority of the user base cannot access software updates?

BlackBerry: Anyone at BlackBerry can easily intercept everything your phone does, so don't even try.

iOS: No, your fingerprint scanner does not make your phone more secure. Get over it.

What about Windows Phone? Just because you haven't seen one, it doesn't mean they don't exist. People who thought the same about unicorns have been proven wrong [theguardian.com] .

Cognitive dissonance (4, Informative)

Dachannien (617929) | about 6 months ago | (#46299877)

Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market.

The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google.

But apparently not so difficult as to make it impossible? Is there something I don't understand here, or was this summary just horribly written?

Re: Cognitive dissonance (2)

PixetaledPikachu (1007305) | about 6 months ago | (#46299931)

If the vulnerability is on GTS, Google can patch it directly, as long as those devices are registered to Google services. Since it's in android, it's up to the device makers, or in USA case, device maker and carriers to push android 4.2 to the affected devices

Re:Cognitive dissonance (2)

Zocalo (252965) | about 6 months ago | (#46299969)

I think they mean it's something that would need to be pushed out by each of the hardware vendors as a 4.2 OS update, not something that Google could patch via the Play Store update mechanism as would be the case if the issue was with one of their apps built on top of GMS. Kind of like expecting Microsoft to fix a bug in a PC's BIOS. Given how badly vendors are doing at upgrading to new versions of the OS, I suspect that getting them to go back and patch a version that is already out of date is going to be an even harder mountain to climb.

Re:Cognitive dissonance (2)

wonkey_monkey (2592601) | about 6 months ago | (#46299973)

It's very horribly written.

The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell

Missing some punctuation, or something.

Vulnerable devices are any device that is running a version earlier than 4.2

That's a pretty poorly written sentence. "Android versions prior to 4.2 are vulnerable" would have been much better.

The vulnerability is in Android itself rather than the proprietary GMS application platform

What does GMS stand for?

Re: Cognitive dissonance (1)

Anonymous Coward | about 7 months ago | (#46302103)

GMS=Google Mobile Suite. The proprietary closed-source spyware bundled with an Android phone.

Re:Cognitive dissonance (0)

Anonymous Coward | about 6 months ago | (#46300055)

The difficulty comes from the fact that hardware vendors rarely update their devices. Even the big telcos are bad about this, and the little ones are far worse. My budget phone is still running Android 2.3.6! Of course I could root it and install 4.x myself, but the hardware might not be fully supported and I'd risk my service being suspended.

Re:Cognitive dissonance (0)

Anonymous Coward | about 6 months ago | (#46300075)

Developers can patch it, and indeed they did. So it is 'patched'.

But many users cannot because these patches are not being backported to their older devices. So for them it is 'unpatchable'.

Re:Cognitive dissonance (1)

jrumney (197329) | about 7 months ago | (#46300365)

To fix the bug in older versions, you'd have to fork the Android API, as the patch involved an API change which Google themselves have not backported to older versions.

Re:Cognitive dissonance (1)

exomondo (1725132) | about 7 months ago | (#46300731)

Well they "patched" - or more accurately "fixed" - it in 4.2 but they can't really patch the older versions because they can't get the updates to the devices whereas with Play Services that is piece of software that they do control and can update on any device regardless of the underlying Android version.

Re:Cognitive dissonance (1)

Nemyst (1383049) | about 7 months ago | (#46300909)

Google's generally pretty good at fixing vulnerabilities, but manufacturers and carriers generally stop supporting Android phone a year or two in, worse if the phone is low-end (in which case you can even get 2.3 phones, which is beyond ridiculous).

That's the problem with an open, free-for-all OS: you get manufacturers who just don't give a shit and shove ancient versions out just because it's cheaper for them than renewing their crap additions for the new APIs. At that price point, people generally just don't know any better, either, so they accept it as being what it is when they most certainly could run a much more recent OS on similar or even identical hardware.

Re:Cognitive dissonance (0)

Anonymous Coward | about 7 months ago | (#46302229)

If it's a glitch in the browser that's allowing access to the "GMS Application Platform" (what does that even mean?), then the browser can simply look for the HTML that causes it?

Google has detached practically all apps (browser included). I can't see why this is hard to patch against?

Everything old is new again (3, Informative)

mt1955 (698912) | about 6 months ago | (#46299983)

Android feels like it is steadily becoming the new Windows.

-- It's showing up everywhere.

-- The version issues hark back to the days of "DLL hell"

-- This drum beat of exploits has a familiar rhythm too.

-- As a multi-platform developer I find I'm always having to reboot my device, and the IDE just to get a clean test run.

Call me a fan boy but iOS is a much better world to work and play in

Re:Everything old is new again (1)

cheesybagel (670288) | about 6 months ago | (#46300069)

Hah. iOS. It has exploits too. Every heard of jailbreaking?

Apple hasn't upgraded my iPhone 3GS for yonks now. In fact I have good reasons to believe someone stole my Apple account login ID last month when I access the Internet via 3G. Then you tell it is more safe? Hah.

Re: Everything old is new again (1)

Sancho (17056) | about 6 months ago | (#46300157)

Well most jailbreaks require plugging your device in. That means that your exposure is pretty small and there won't be drive-by exploits like this one.

And Apple may not support the 3GS anymore, but their support record is still stronger than most android phone manufacturers.

Re:Everything old is new again (0)

Anonymous Coward | about 7 months ago | (#46300789)

Yeah dude because I've had my iPhone jailbroken by drive by hackers. lol

Re:Everything old is new again (4, Informative)

cheesybagel (670288) | about 7 months ago | (#46300829)

Impossible of course [tgdaily.com] .

Re: Everything old is new again (1)

Anonymous Coward | about 7 months ago | (#46300973)

Fixed for every affecting phone 3.5 years ago within days.

Yeah. Quite the same. Not.

Re:Everything old is new again (1)

Ol Olsoc (1175323) | about 7 months ago | (#46300971)

I feel your pain brother.

My first iPhone blew up in a McDonald's, blinding 5 people, and caused a woman to miscarry.

My second one emitted a radioactive substance that permanently sterilized myself and ht erest of my family, so my family lineage ends here.

My third iPhone automatically cc's every email I make to law enforcement with every website I visit

My latest iPhone rooted itself, install cyanogenMod, then purposefully installed an early version of Android so I could be exploited. Then my dog ran away from home, and my milch cows went dry.

Re:Everything old is new again (1)

bobbied (2522392) | about 6 months ago | (#46300095)

Call me a fan boy but iOS is a much better world to work and play in

Where I cannot argue, I must point out that iOS pretty much locks you into a single vendor. You have to buy your development equipment AND your devices from ONE vendor. Further, if that vendor decides your app doesn't meet with their approval? You are OUT of business.

But if you like iOS, then power to you. If the vendor likes your app, that's great too. Just don't come crying to me when iOS 9 breaks everything or the vendor decides to make your life harder and more expensive.

Re:Everything old is new again (1)

Billly Gates (198444) | about 6 months ago | (#46300191)

Oddly I posted today about my Nokia expecting to get a -1 troll FAST. Surprised I got modded up.

My older android 2.x no longer receives updates and was slow as a 286 running Windows towards the end of its life.

IOS and Windows phone are light and run well on lower end hardware. Surprising since I have the same exact kernel as the desktop one believe it or not. WinCE was depreciated.

Re:Everything old is new again (1)

cheesybagel (670288) | about 7 months ago | (#46300505)

Light? Try using a fully upgraded 3GS and tell me its fast. It isn't. Plus its full of security holes because Apple doesn't support it anymore.

Re:Everything old is new again (1)

Xenex (97062) | about 7 months ago | (#46301895)

An iPhone 3GS running iOS 6 vs a phone stuck with Android 1.6? I'd take the iPhone.

Re:Everything old is new again (1)

Ol Olsoc (1175323) | about 7 months ago | (#46300937)

Android feels like it is steadily becoming the new Windows.

-- It's showing up everywhere.

-- The version issues hark back to the days of "DLL hell"

-- This drum beat of exploits has a familiar rhythm too.

-- As a multi-platform developer I find I'm always having to reboot my device, and the IDE just to get a clean test run.

Call me a fan boy but iOS is a much better world to work and play in

I had noticed the windows'ish aspect also. Next the fans will be telling us that iOS is just as vulnerable, but no one can tell, because no one is using an iPhone.

Re:Everything old is new again (0)

Anonymous Coward | about 7 months ago | (#46300949)

Call me a fan boy but iOS is a much better world to work and play in

If only it ran on most devices.

Re:Everything old is new again (1)

Anonymous Coward | about 7 months ago | (#46300983)

I think that was the idea...

Google adopted Microsoft's strategy of controlling the OS but not the hardware. The result was a huge install base across a multitude of different devices. Considering that Google makes much of their money by advertising to their users, a huge install base is preferable to a small group of devoted users which is what they might have if they followed Apple's model.

The problems you list all stem from that choice.

Re:Everything old is new again (2)

gnoshi (314933) | about 7 months ago | (#46301139)

You mean like Windows, which in the case of XP has received updates for 12 years which can be installed on any XP computer irrespective of manufacturer-included crapware? I wish Google provided updates for Android like Microsoft did for Windows.

Also, I think you're overstating:
1. the version issues - Google's compatibility libraries are pretty damn good. Inter-device compatibility is a bigger problem, and is more similar to trying to support a range of video cards well on PCs
2. the 'drum beat' of exploits? The 'master key' vulnerability, which only affected users who sideloaded apps (which is significant, no denying) and this one which affects apps which use WebView content in an insecure way. There are also the exploits used to gain root on devices, of course, but iOS has them too in order to jailbreak - although some exploits to gain root on Android don't require being plugged in (but usually require debugging to be enabled which is in a hidden menu).

So.. wait... (1)

Anonymous Coward | about 6 months ago | (#46300017)

If I never browse the web on my android device and just use it to read novels or play games, am I safe?

Well, crap. (1)

idontgno (624372) | about 6 months ago | (#46300089)

I like my Droid 4 just fine, but it's running 4.1, and Verizon has pretty much promised they're not updating it ever again... So I guess I'll break down and switch over to CyanogenMod.

Because of Motorola's locked (probably forever more, thanks Verizon) bootloader, you have to do the ridiculous rigamarole of SafeStrap bootload intervention before romming.

Tried Cyanogenmod for this very reason (3, Informative)

sparkyradar (908639) | about 7 months ago | (#46300421)

My HTC One X has been abandoned last year at 4.1.2, with still more 2yrs left on the contract :-O :-( While that sucks, I did move to Cyanogenmod, through a few different flavours. I'm running CM11 Milestone 2, but I think I can safely predict what will and will not work for anyone who goes this route (because these issues have persisted through several releases in Cyanogenmod):

1) you will have Bluetooth for audio, but not for keyboards, game-controllers (no HID stuff)
2) you will not have IPv6. Not a big deal for most people, but this is News for Nerds :-)
3) returning to a previous WiFi location may require toggling Airplane Mode to get it to reconnect

But for a non-technical person like my wife, using CM11 / KitKat 4.4.2 truly *IS* a viable answer (hahaha - using. Getting to CM11 is most definitely not for her... that's my thing). For the future, Nexus devices or Play devices are likeliest.

Re:Tried Cyanogenmod for this very reason (1)

idontgno (624372) | about 7 months ago | (#46300913)

Actually, I looked at the current buglist for my system under CM10 or CM11.

The main showstopper is no HDMI... I actually use the HDMI out. Along with that is no WebTop mode. (Don't know if that's a fundamental issue, or just fallout from not having the HDMI driver in AOSP or Motorola released source.)

Shit. CM10 or other AOSP ROM may not be an option after all.

Drive by exploit (0)

Anonymous Coward | about 6 months ago | (#46300131)

Maybe there is good reason I am confused here, but this sounds very much like the drive by google war drivers caught a couple of years ago stealing passwords.. from home computer systems, a crime for which g00GLe was fined $1 US by a judge. Is this a coincidence, or do I hate g00GLe even more now?

Only patchable if carriers allow upgrade (0)

Anonymous Coward | about 6 months ago | (#46300151)

The issue with Android is the same old issue. Some device get updates to OS some don't. Android to me is a mess and always has been a mess.

Re:Only patchable if carriers allow upgrade (0)

Anonymous Coward | about 7 months ago | (#46302251)

Why do you care about Android as a whole? You buy one or two phones and one or two tablets, usually from the same company.

Who cares if random old phone doesn't get updated. It's not yours. Company reputation for updates is established by now, so buy a phone that has updates and bam, problem solved?

mood up (-1)

Anonymous Coward | about 6 months ago | (#46300159)

D'oh (1)

multimediavt (965608) | about 6 months ago | (#46300297)

"The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."

Unpatchable by design? [face-palm]

Re:D'oh (1)

exomondo (1725132) | about 7 months ago | (#46300769)

I thought GMS was introduced to address this issue (among other reasons) so that any bugs in new features could be fixed by sending out a GMS update, of course that doesn't solve the issue of not being able to push fixes for AOSP bugs directly to handsets.

Re:D'oh (1)

EmperorArthur (1113223) | about 7 months ago | (#46301943)

I thought GMS was introduced to address this issue (among other reasons) so that any bugs in new features could be fixed by sending out a GMS update, of course that doesn't solve the issue of not being able to push fixes for AOSP bugs directly to handsets.

That's the marketing pitch, but the reality is really much more sinister. The true goal is to replace AOSP with proprietary Google components.

http://arstechnica.com/gadgets... [arstechnica.com]

Closed Software Someone is Liable (0)

Anonymous Coward | about 7 months ago | (#46300391)

With the mobile movement, brought the same problem we have all been facing since the start of the PC. If the code is locked(no root/ priority software) then the software makers should be Liable.
          With all these malware exploits there is nothing the user can do Legally. If you could Root your phone, watch the processes, and fix your device it might help.
          The problem is that there is a Windows standerd, Software Companies are not responsible for flaws. Seems Legit

Summary doesn't make sense (0)

Anonymous Coward | about 7 months ago | (#46300583)

"Hey Steve, it looks like that vulnerability is in our layer, not that proprietary layer."

"Our layer? Shit. That's going to be difficult to fix. It's practically impossible to change our layer. If only it had been in the proprietary layer I know nothing about it could have been easily fixed."

Re:Summary doesn't make sense (0)

Anonymous Coward | about 7 months ago | (#46300805)

Its Googles proprietary layer, of course they know about it and the great thing about GMS is that Google can send out updates for it. What Google cant do is send out updates to Android so the problem isnt fixing the vulnerability, thats easy, but patching the vulnerable devices which is virtually impossible as most cannot have their Android version updated. See? If it were in GMS they could fix vulnerable devices but because it is in Android they cant.

If I understand TFA (1, Informative)

Lawrence_Bird (67278) | about 7 months ago | (#46300691)

the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it and you can avoid entirely by using a different browser. It may not get you 100% security from the exploit but should get you pretty near.

Re:If I understand TFA (5, Informative)

noh8rz10 (2716597) | about 7 months ago | (#46300955)

the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it

FTFA:

The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books.

The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network.

I would say this is a big deal.

remote shell (0)

Anonymous Coward | about 7 months ago | (#46301599)

can I use this to run a root shell on my old android device? or is this like a "you're facing lotsa prison time for trying this exploit" type of scenario?

Re:If I understand TFA (1)

MadGeek007 (1332293) | about 7 months ago | (#46300999)

Except that many 3rd party apps use that WebView under the hood.

Re:If I understand TFA (1)

alostpacket (1972110) | about 7 months ago | (#46301127)

I think it's that it gains the permissions of the app hosting the webview. This isn't really browser related AFAICT

Re:If I understand TFA (1)

alostpacket (1972110) | about 7 months ago | (#46301197)

Scratch that, looking through the links, even one of the AOSP browsers is affected.

Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell.

i'm confused (1)

buddyglass (925859) | about 7 months ago | (#46301009)

The Ars article says it affects the stock Android browser. The "dead && end" blog post they reference, however, discusses apps that load untrusted content in Javascript-enabled WebViews and inject Java objects via addJavascriptInterface(). That's very specific, and much less of a big deal than an exploit affecting the stock Android browser. So which is it?

This is why you unlock/root/ROM your phone (4, Insightful)

Thanosius (3519547) | about 7 months ago | (#46301605)

If you're gonna get an Android phone and care at all about updates, before you spend ANY money make sure you can find instructions on how to unlock/root your phone as well as check the level of development of ROMs available for the phone. If the phone of interest is sufficiently popular that there's good instructions on how to unlock and root it and there's a reasonably healthy community involved in developing ROMs for it (and hence updates), then it's probably a good phone to get. Short of buying a Nexus, this is really the only way to guarantee that you'll be able to keep updating your phone as time goes on.

I bought my Samsung Galaxy S2 in February of 2012. My carrier (Telstra) has long forgotten about supporting my particular phone (I think the last official Telstra supported update was 4.1.2). However, I'm running 4.4.2 and can only run that due to the wonderful community that's still developing ROMs for this thing, long after corporate interest has dried up. I have absolutely no intention of replacing it until it breaks, since it's still quite fast and capable.

Take a look at Reddit (1)

bminuk (72761) | about 7 months ago | (#46301623)

This is covered in a Reddit conversation involving a person involved in the exploit here. [reddit.com]

It seems that Android 4.0 and 4.1 are affected by the web browser vulnerability, and apparently some OEMs have patched it, but it is still a big deal. A web site is provided to test for the problem, but I can not vouch for it. I can confirm that the site indicates a vulnerability in the browser in the Android 4.0.3 emulator, and that it does not in in a 2.2 emulator.

Re:Take a look at Reddit (2)

bminuk (72761) | about 7 months ago | (#46301661)

I must clarify that the WebView vulnerability affects all Android versions before 4.2. The new exploit in question affects the built-in web browser, not just third party apps that make use of WebView. This, of course, makes this even more dangerous.

Re:Take a look at Reddit (2)

ChunderDownunder (709234) | about 7 months ago | (#46302799)

They should really deprecate the stock browser and retrofit a lightweight Chrome instance (Chromium in the AOSP) to implement the API.

That way, carriers and vendors can bundle Chrome but since it's in the Play Store, it gets automagically updated.

But, in having a plain-Jane webkit browser, I guess they didn't want the iexplorer grief from euronazis demanding that they remove Chrome as a dependency. Savvy users like me will install firefox from f-droid anyway...

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>