×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

One Billion Android Devices Open To Privilege Escalation

timothy posted about 8 months ago | from the that's-beeeeeellion dept.

Android 117

msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said."
Handily enough, the original paper is not paywalled.

Sorry! There are no comments related to the filter you selected.

Nope (5, Informative)

AmiMoJo (196126) | about 8 months ago | (#46554559)

What the summary fails to explain properly is that this vulnerability only works with permissions that are new when the device gets an OS update. Say you install an app and it asks for permission to use NFC, but your device's OS is old and doesn't support NFC (pre 4.0 I think). You install it anyway. Then you upgrade the OS and now it supports NFC. The app then gets the NFC permission without any further prompts or warning to the user.

That is certainly an issue, but not the huge gaping security flaw the summary makes it sound like. Apps can only ask for normal permissions that the OS offers, not bypass security or the sandbox. It's basically a UI issue.

Re:Nope (2, Insightful)

Anonymous Coward | about 9 months ago | (#46554617)

Is that even a problem? When you download an app from the Play Store, it gives you a list of permissions that the app requests. You give it permission when you download the app. If Play does not list an app if your version of Android or phone does not support the feature, then that's potentially a problem, but an easy one to fix.

Re:Nope (0)

Anonymous Coward | about 9 months ago | (#46555105)

Is that even a problem?

Why do you think Slashdot posts so many anti-Android FUD stories and so many pro-Microsoft puff-pieces?

Even the article on Microsoft reading other people's Hotmail accounts is mostly about how some dicredited blogger claims Google read his Gmail....

Re:Nope (1)

RabidReindeer (2625839) | about 9 months ago | (#46557689)

Is that even a problem? When you download an app from the Play Store, it gives you a list of permissions that the app requests. You give it permission when you download the app. If Play does not list an app if your version of Android or phone does not support the feature, then that's potentially a problem, but an easy one to fix.

Sounbds like "grandfathering". If the permission was available in the older Android by virtue of not having an explicit block, it continues to be available on the newer version even though blocking is now available.

Proper security paranoia says that the opposite should occur. That if a service is now blockable, it should block until the user explicitly agrees otherwise.

On the other hand, recent updates on my tablet have listed privileges that they were newly requesting as part of the update approval process, so I'm not sure how serious this problem really is.

Re:Nope (4, Insightful)

Rick Zeman (15628) | about 9 months ago | (#46554637)

What the summary fails to explain properly is that this vulnerability only works with permissions that are new when the device gets an OS update. Say you install an app and it asks for permission to use NFC, but your device's OS is old and doesn't support NFC (pre 4.0 I think). You install it anyway. Then you upgrade the OS and now it supports NFC. The app then gets the NFC permission without any further prompts or warning to the user.

That is certainly an issue, but not the huge gaping security flaw the summary makes it sound like. Apps can only ask for normal permissions that the OS offers, not bypass security or the sandbox. It's basically a UI issue.

Yeah, and since the carriers update Android devices so infrequently the threat exposure is more theoretical than practical.

Re:Nope (2)

AmiMoJo (196126) | about 9 months ago | (#46556453)

PROTIP: Never buy a carrier branded phone. It should be obvious to everyone by now, but apparently not.

Re:Nope (1)

phorm (591458) | about 9 months ago | (#46556929)

Then you upgrade the OS and now it supports NFC. the carriers update Android devices so infrequently the threat exposure is more theoretical than practical.

Indeed. Beyond that, many such upgrades are inherently hardware-based, rather than software. Even if you upgrade your old Galaxy 2 to an OS version that has NFC, the hardware lacks the capability and thus the permissions mean nothing.

Re:Nope (1)

Rob Y. (110975) | about 9 months ago | (#46557401)

I wonder, though. When you buy a new Android phone and sign in to Play, it downloads (or at least offers to) all the apps you had on your old phone. Does the same thing happen there - i.e. if you had apps with privileges that weren't available on your old phone, do they get automatically installed on the new phone with all the privileges - or is it treated like an update with new privileges, where you need to agree to the installation before it will install? If so, I imagine that could be changed in the Play Store without having to get an OS update out to devices currently on the shelves.

In any case, Android permissions could use to be a lot more specific (i.e., limited). "Modify or delete the contents of your USB storage" is a bit vague at best. Aren't apps given their own data folder that they can use? Does this permission grant access to all data folders, and if so, why? And 'full network access' - that could mean just about anything. Sure, it's needed for just about any app that accesses remote data, but what - if any - limits are placed by the OS once you grant it. It's pretty much to the point where you'd better only ever install very well-known apps (since just about everything asks for "modify usb storage", "view contacts" and 'full network access').

Re:Nope (4, Informative)

alostpacket (1972110) | about 9 months ago | (#46557929)

I wonder, though. When you buy a new Android phone and sign in to Play, it downloads (or at least offers to) all the apps you had on your old phone. Does the same thing happen there

No, this particular exploit requires the malicious app be on a phone prior to an OS update. Additionally these apps would never* make it on the Play store as they have detectable characteristics (such as trying to use the same "Shared UID" of another app). In order to upload an app with the same Shared UID, you would need the same keystore to sign your app. Basically the way this bug works is exploiting the reverse of how the package manager grants precedence. The package manager give precedence to what is on the device first. So anything "updated" from the Play store, even if they spoofed the Shared UID and signature, would fail to install. The bug is that an app can "steal" the ability to control the permission completely, AND install itself or block the install of the legit version of an app.

So TL;DR: This definitely is a rather nasty privilege escalation bug in the package manager (if the paper is correct and I am reading it correctly), but one would likely need to side-load (or use a different app store) the malicious app prior to an OS update to get caught by it.

Agreed about permissions in general though. Personally I try not to give out contacts to any app unless they happen to be a type of "contact manager/replacement". Most apps can request a user use the default "contact picker" to add a contact, or share, or the like. No permission is required for this. The only reason apps request this is to prefill those "share with a friend" fields and to spam. This is similar to READ_PHONE_STATE, there are few legit reasons for an app to need this anymore. Apps can launch the dialer and prefill the number sans the permission, just not complete the call. They also have other ways to generate a UUID for the device without the IMEI, or the other info provided by READ_PHONE_STATE.

The USB storage permissions are antiquated, but not as sensitive. Apps do have private storage but this used to be quite limited in the earlier days of Android. The Nexus S was one of the first to come with a single, large internal storage (although even that was still partitioned). Prior to that you had a limited protected storage and an SD card. Nowadays they are adding better "Read" file permissions.

Finally, I think much of this stuff could be requested at time-of-use, rather than install. But they have to balance the "Are you sure you want to allow X?" disaster that was Windows UAC vs. sensible permissions. It is not as easy as it looks.

* (Well maybe not never, but very close to never...)

Nevertheless, I do thank MS for pointing it out ! (3, Interesting)

Taco Cowboy (5327) | about 9 months ago | (#46554681)

That is certainly an issue, but not the huge gaping security flaw the summary makes it sound like

A security flaw is a security flaw. Whether or not it's a "gaping hole" it still can be exploited.

For that, I sincerely thank Microsoft for so kindly pointed out that security flaw.

No matter what's the ultimate intention / agenda of Microsoft in this case, with this security flaw exposed, let us hope that Google can do something to plug it, and make those "Billion Android Devices" just a little bit more safer.

Re:Nevertheless, I do thank MS for pointing it out (3, Insightful)

Jane Q. Public (1010737) | about 9 months ago | (#46554915)

"For that, I sincerely thank Microsoft for so kindly pointed out that security flaw."

"Kindly"? Are you serious? There was nothing "kind" about it. It's anti-Android PR for Microsoft. Why the hell do you think Microsoft was involved with looking into it in the first place? The goodness of their hearts? Puh-leeeeeze.

Re:Nevertheless, I do thank MS for pointing it out (0)

ericloewe (2129490) | about 9 months ago | (#46554975)

Certainly kinder than discreetly e-mailing their findings to every shady source of malware they know of. With so many years of experience, I'm sure they have a list.

Re:Nevertheless, I do thank MS for pointing it out (5, Interesting)

symbolset (646467) | about 9 months ago | (#46555175)

The source of malware still has to get you to install their app and then update your Android. And it's only a problem if you didn't already assume that when you gave the app that permission it would gain it when available. The risk is way overstated. If this is the mud Microsoft can sling, I find that comforting.

Now let's talk about that last patch batch where IE couldn't even safely display a JPEG in any currently supported version on any version of Windows.

Re:Nevertheless, I do thank MS for pointing it out (0)

Anonymous Coward | about 9 months ago | (#46556533)

Why so defensive? A vulnerability exists and yes, people have certainly installed stuff that's going to cause problems when they upgrade. The good thing is, upgrading Android is a real PIA and few will bother doing it.

Re:Nevertheless, I do thank MS for pointing it out (1)

Anonymous Coward | about 9 months ago | (#46556037)

Certainly kinder than discreetly e-mailing their findings to every shady source of malware they know of. With so many years of experience, I'm sure they have a list.

Er yes, but this is the company that insists everyone else does responsible disclosure and has threatened security researchers who don't. I sure hope the next people to find a major, wormable Microsoft vulnerability remember about this generosity.

Re: Nevertheless, I do thank MS for pointing it ou (1)

Anonymous Coward | about 9 months ago | (#46556199)

That would be true if the security flaw could be exploited. But apparently, it would appear that this flaw is mostly theoretical. This article is MS funded anti-Android FUD.

Re:Nevertheless, I do thank MS for pointing it out (1)

Anonymous Coward | about 9 months ago | (#46555009)

Probably the same reason google does the same thing, to analyse how their competitors are doing. This method of exposure of vulnerabilities is what google want (as was demonstrated by them using the same method when they found vulnerabilities in MS products). They should be kindly thanked as they are following the procedure that Google want people to follow, their motivation is irrelevant,.

Re:Nevertheless, I do thank MS for pointing it out (3, Interesting)

Chokolad (35911) | about 9 months ago | (#46555323)

"Kindly"? Are you serious? There was nothing "kind" about it. It's anti-Android PR for Microsoft. Why the hell do you think Microsoft was involved with looking into it in the first place? The goodness of their hearts? Puh-leeeeeze.

What do you think of IE vulnerabilities found by Googlers ?

http://www.google.com/about/ap... [google.com]

Re:Nevertheless, I do thank MS for pointing it out (2)

Jane Q. Public (1010737) | about 9 months ago | (#46555435)

"What do you think of IE vulnerabilities found by Googlers ?"

I wasn't saying Microsoft is any worse. Just that they weren't doing it for the sake of charity.

Re:Nevertheless, I do thank MS for pointing it out (0)

Anonymous Coward | about 9 months ago | (#46556821)

1. I don't recall Google sending out puff pieces to tech tabloids like how Microsoft seems to have done in this case.

2. Google didn't severely exaggerate the severity of the flaw in an attempt to spread FUD about their competitor.

Re:Nevertheless, I do thank MS for pointing it out (4, Insightful)

gerardrj (207690) | about 9 months ago | (#46555391)

Considering the amount of money that Microsoft makes in patent licensing fees from Android I don't know how they could have any financial reason to want Android to go away. At the moment I suspect that Microsoft makes more money from Android than it does Windows Phone.

Re:Nevertheless, I do thank MS for pointing it out (4, Insightful)

Jane Q. Public (1010737) | about 9 months ago | (#46555485)

"Considering the amount of money that Microsoft makes in patent licensing fees from Android I don't know how they could have any financial reason to want Android to go away. At the moment I suspect that Microsoft makes more money from Android than it does Windows Phone."

That last bit is exactly why they want Android to go away. They don't make nearly as much money on Android as they'd make if all those same phones were Windows. Every Windows phone they can sell in place of an Android phone is more money in their pockets.

Sure, they'll make money off of Android where they can. But they'd rather it simply wasn't there.

Re:Nevertheless, I do thank MS for pointing it out (0)

macs4all (973270) | about 9 months ago | (#46556305)

Sure, they'll make money off of Android where they can. But they'd rather it simply wasn't there.

So, we should be expecting a similar report from MS regarding iOS, then?

Oh, wait; I said "iOS", right?...

Re:Nevertheless, I do thank MS for pointing it out (0)

Anonymous Coward | about 9 months ago | (#46556333)

iOS is already failing without Microsoft's help.

Re:Nevertheless, etc. (0)

Anonymous Coward | about 9 months ago | (#46557431)

LOL - you keep telling yourself that whilst getting fscked by Google.

Re:Nevertheless, I do thank MS for pointing it out (1)

VortexCortex (1117377) | about 9 months ago | (#46555457)

"For that, I sincerely thank Microsoft for so kindly pointed out that security flaw."

"Kindly"? Are you serious? There was nothing "kind" about it. It's anti-Android PR for Microsoft. Why the hell do you think Microsoft was involved with looking into it in the first place? The goodness of their hearts? Puh-leeeeeze.

That was a big one. You're lucky the mods nearly got it full force too. Next time you hear someone yell "duck" don't stand there looking for one just hit the deck or the Woosh may be fatal.

Re:Nevertheless, I do thank MS for pointing it out (2)

Sun (104778) | about 9 months ago | (#46555831)

As long as the research is valid and the conclusions correctly presented (which, in this case, they do not seem to have been), I don't care for the motive.

Shachar

Re:Nevertheless, I do thank MS for pointing it out (2)

swillden (191260) | about 9 months ago | (#46556923)

As long as the research is valid and the conclusions correctly presented (which, in this case, they do not seem to have been), I don't care for the motive.

No argument. The research seems decent and worthwhile. The tone of the press release is what's eye-rollingly ridiculous. This is a minor security UI deficiency, but they're selling it as a "privilege escalation", which is normally understood to mean the ability to break out of the sandbox at least, and usually implies root access.

Re:Nevertheless, I do thank MS for pointing it out (0)

Anonymous Coward | about 9 months ago | (#46554985)

Sign up now for patch+Mondays! Simply log in to your gmail....

When O When (1)

invictusvoyd (3546069) | about 9 months ago | (#46555685)

am I going to open an xterm and type call_accept on a nice debian system.

Re:Nope (-1, Troll)

BasilBrush (643681) | about 9 months ago | (#46554697)

Interesting how you play down Android vulnerabilities whilst playing up iOS ones.

Re:Nope (1)

Billly Gates (198444) | about 9 months ago | (#46554877)

Interesting how you play down Android vulnerabilities whilst playing up iOS ones.

It is slashdot. What do you expect?

Go to www.neowin.net and you see Linux get slammed as insecure and obsolete and then read about what Balmer had for lunch as exciting pro MS news etc.

Pick your poison?

Re:Nope (1)

ericloewe (2129490) | about 9 months ago | (#46555011)

To be honest, "Ballmer having lunch" sounds like a very entertaining film.

Re:Nope (0)

macs4all (973270) | about 9 months ago | (#46556371)

Interesting how you play down Android vulnerabilities whilst playing up iOS ones.

And, unlike the case with the vast majority of Android Devices, since Apple actually pushes update notices to iOS Devices, there is actually a pretty good chance that yours will be on the list."

And before the haters cry that the latest ssl patch wasn't pushed out to iOS 5 users (or before), remember that the ssl vulnerability came with iOS 6; iOS 5 and before did not have the vulnerability.

Re:Nope (0)

Billly Gates (198444) | about 9 months ago | (#46554863)

Oh please.

Anyone can write an escalation ad on a mobile website and make it pretend it is an os update and have it installed that way.

If this were Windows Phone everyone would be screaming INSECURE.

?!?! Is that any way related to the topic at hand? (1)

raymorris (2726007) | about 9 months ago | (#46555237)

What are you talking about? A fake OS update? Does that have anything at all to do anything? A fake update wouldn't add any new system capabilities, so apps wouldn't gain any new capabilities.

Did you read the comment you replied to? Or TFA, or anything to get a clue what that topic is?

Re:Nope (5, Insightful)

Todd Knarr (15451) | about 9 months ago | (#46555583)

The problem here is that the permissions system goes beyond just ordinary user permissions. The system itself uses permissions to control which parts of the system can do what, and those permissions are normally only available to system components (trying to install an app that asks for those permissions results in the app being rejected because it doesn't qualify to get those permissions). For instance, the "Across_users" permission was added to Android 4.2, and allows system components to break through the normal restrictions that separate different users in the system. An app with this permission can reach out and directly affect everything on the phone, not just the things that belong to it. It's restricted to Android system components only. But if I install an app that asks for it on an Android 4.0 device, the app will install without any warnings. If the device is then upgraded to 4.2, the app will silently get the "Across_users" permission activated. So now we have a user-installed app which has a permission that it could never legitimately have that lets it bypass security and the sandbox, and the user will be unaware of the problem. It's very definitely NOT just a UI issue.

In the Unix world it'd be equivalent to finding an other-writable directory sitting in the root user's PATH, and in that directory are executables named "ls", "cat" and so on. It's the kind of thing that'd make a security admin excrete cinder blocks at velocities sufficient to have them achieving high orbit, ceilings nonwithstanding.

Re:Nope (3, Insightful)

Bert64 (520050) | about 9 months ago | (#46556229)

On the other hand, the likelihood of this vulnerability actually being exploited is quite low for quite a few reasons... Primarily, because it requires that you first install a malicious app and then upgrade to a version of android which actually implements some new permissions...

1, very few users ever update (or even have updates available)
2, manufacturers will sometimes patch android but usually not provide updates to whole new versions and the small incremental patches wont introduce any new permissions
3, now that this issue has been discovered its highly likely that future updates will contain a fix for it, and users are unlikely to update to a version that isnt the latest available for their particular handset, so *if* they can and do update they will be patching this issue anyway.

Re:Nope (2)

AmiMoJo (196126) | about 9 months ago | (#46556619)

Also, you would have to side-load any such app because Google won't allow apps that request system permissions on to Play.

Re:Nope (1)

phorm (591458) | about 9 months ago | (#46556941)

Or to just commandeer the next "flappy bird" or whatever from the author. Of course, for stuff like that most people would ignore new permissions even if the phone displayed them in a floating red hologram hovering right in front of the users' eyes.

Re:Nope (1)

SirJorgelOfBorgel (897488) | about 9 months ago | (#46556285)

Did you actually test this ?

Re:Nope (1, Interesting)

macs4all (973270) | about 9 months ago | (#46556399)

But if I install an app that asks for it on an Android 4.0 device, the app will install without any warnings. If the device is then upgraded to 4.2, the app will silently get the "Across_users" permission activated. So now we have a user-installed app which has a permission that it could never legitimately have that lets it bypass security and the sandbox, and the user will be unaware of the problem.

Mod Parent UP.

That is EXACTLY it in a nutshell. Perfectly described.

Pretty devious way for someone like the NSA (or a Prince from Nairobi) to get their hooks into your Android.

Shudder...

Re:Nope (0)

Anonymous Coward | about 9 months ago | (#46556869)

I'm not sure if this is actually true. I'd have to test it specifically or more realistically, somebody else would have to test it. But there are certain system permissions an app cannot grant itself. For example, if you were to try to turn on GPS or reboot the device, I can't remember what permissions those use uses, but you can grant your application the correct permissions to do this. The problem is, this can only be executed by system, so as such, your application must have a line in its manifest that says it uses the systems user id. If the application doesn't use the system user id, the permission will not be granted, and if I recall correctly, this isn't a check done at install time, it's done at run time. An additional problem with that is, an application can only be granted the system user id if it was signed with the system key. This means, that writing an application with that permission, and installing it, still won't allow it to run.

Now, I fully admit, I haven't experimented with this bug, so maybe this allows a bypass to that protection, but it doesn't sound like it. And a lot of the truly important permissions that applications aren't supposed to have are protected with this user id check. I did some quick checks, and the "across_users_full" is one of these types of system permissions, so unless this problem bypasses the user id check, it won't work.

Re:Nope (1)

rabtech (223758) | about 9 months ago | (#46557531)

That is certainly an issue, but not the huge gaping security flaw the summary makes it sound like. Apps can only ask for normal permissions that the OS offers, not bypass security or the sandbox. It's basically a UI issue.

Correct. The huge, gaping security flaw with Android is the same one that afflicted ActiveX in Internet Explorer: Assuming that the majority of users
a) have a clue what any of the permissions actually mean
b) can trust the app not to abuse the permissions it has (or contain flaws that allow it to be hijacked)

The reality is that 100% (rounding up from normal people to geeks) of people simply tap accept, click OK, etc and move on with their lives. Those annoying dialogs are just how you use phones/computers. They've learned if they choose Cancel they don't get the game/app they wanted, so the correct course of action is to always accept.

Any security decision that relies on users to take the correct course of action is an automatic failure. If making the wrong choice results in being pwned, having a $10/mo premium SMS subscription added to your bill, etc then the system is badly designed and broken.

Re:Nope (0)

Anonymous Coward | about 9 months ago | (#46557597)

Which is why the Google Play store searches for and bans any knows threat. Even the mud-slinging studies (sponsored by some antivirus company) even show that infections through Play Store are for all intents and purposes, 0.

The user permissions are there if you want to go outside the play store (which most noobs won't) or if you're super-concerned about privacy.

Re:Nope (1)

ThomasMcA (2986113) | about 9 months ago | (#46557851)

Wait, so you're trying to tell me that a study funded by Microsoft exaggerates a "flaw" in its competition? No way!

Researchers from Indiana University and Microsoft (4, Funny)

MrKaos (858439) | about 8 months ago | (#46554583)

Handily enough, the original paper is not paywalled.

Wow, a freeby from Microsoft, how incredibly generous. Google will probably thank them for pointing it out. Isn't it nice how everybody just, *gets along*.

Re:Researchers from Indiana University and Microso (1, Flamebait)

Celexi (1753652) | about 9 months ago | (#46554875)

A Microsoft research into Android would be highly neutral and non-biased as Microsoft has no direct competition with Android.

Re: Researchers from Indiana University and Micros (1)

aap (108982) | about 9 months ago | (#46554993)

Well, no /effective/ competition anyway.

HMmm (2, Insightful)

Stumbles (602007) | about 9 months ago | (#46554623)

I expected better from Google.

Re: HMmm (0)

Anonymous Coward | about 9 months ago | (#46556167)

Sarcasm?

Re: HMmm (0)

Anonymous Coward | about 9 months ago | (#46557441)

Or stupidity?

Not a problem (2)

sqlrob (173498) | about 9 months ago | (#46554627)

This depends on upgrades. Carriers, upgrade?

Hell, my wife and I are on different versions of Android, same carrier, same phone, both say they're fully up to date.

JOKE'S ON YOU, MS! (0)

Anonymous Coward | about 9 months ago | (#46554655)

I have a shitty Alcatel on 2.3.7 which won't get its OS upgraded in a million years. No 13 years of updated like XP, woohooooo. This is what happens when you provide decent support for your best OS, MS!

Ha ha (-1, Troll)

Anonymous Coward | about 9 months ago | (#46554665)

Android sucks worse than slashdot beta!

Android's a Linux (0, Flamebait)

Anonymous Coward | about 9 months ago | (#46554759)

For years here on /., all you heard was "Linux = Secure, Windows != Secure", well... explain what's been going on for nearly a decade Penguins, on your 'invulnerable Linux' once it's the most used OS there is on a given computing platform"

(Like Windows ia, was, has been, + will be always on PC's & Servers combined over ANY other competing OS)

* You know - Lines of bullshit you fed people here from your "Open 'SORES'" crew around here, for decades, vs. many 1,000's of occurences over a decade now, like this article's an example of.

APK

P.S.=> Oh, yes folks: The torrent of bullshit & downmods of this post are inevitable - I am going to sit back, AND lmao (since no matter WHAT they say, they now have to (& you KNOW I'm going to say it, don't you? Of course) "Eat their WORDS" (lol)...

... apk

Heh... (0)

Anonymous Coward | about 9 months ago | (#46554855)

> ...on your 'invulnerable Linux' once it's the most used OS there is...

And then you win!

The cycle is complete.

Re:Android's a Linux (0)

Anonymous Coward | about 9 months ago | (#46555037)

If only your hosts stuff was in the play store, then andy'd be as secure as windy!

Hosts are on Android (0)

Anonymous Coward | about 9 months ago | (#46555613)

It's already there in hosts (Linux uses hosts too - anything iwth a normal BSD based IP stack does)...except some KitKat miodel). Altering it's cake. ADB Pull command.

APK

P.S.=> Like I said though - a LOT of bullshit would flow (lol) from anyone replying to my post, but no answering my question (How "invulnerable" Linux is? Look no farther than this article & 1,000's yrs. before it on the SAME thing - look @ the other replies - just b.s. avoiding my question & they can't explain why Penguins on /. must "eat their words" (lol): Plus, My initial predictions came true as I knew they would, on downmods of my post in effete "retaliation"... apk

Re:Android's a Linux (1)

Anonymous Coward | about 9 months ago | (#46555473)

For years here on /., all you heard was "Linux = Secure, Windows != Secure", well... explain what's been going on for nearly a decade Penguins, on your 'invulnerable Linux' once it's the most used OS there is on a given computing platform"

Sure.

One simple fact: Android now outnumbers Windows in both sales and installed base, yet has several orders of magnitude less malware.

Vulnerabilities are patched rapidly and malicious apps are weeded out of the Play store. Even social engineered malware which DOES get installed by the user can be simply removed because NOT ONE instace of malware breaching its sandbox has ever been detected.

Ahem: WRONG... apk (0)

Anonymous Coward | about 9 months ago | (#46556409)

Android's being infested FASTER, by far, than Windows EVER was IN THE SAME TIMEFRAME of existence...

APK

P.S.=> Fact... & another one is this:

The MORE USED AN OS IS, the apt it IS to be attacked + abused by malware makers etc. ...

However, in ANY event - YOU NEVER ANSWERED MY QUESTION: Why did you Penguins here say (for years here) basically "Windows != Secure, Linux= Secure" when the fact is, what you all said, isn't true (articles like this, & 1,000's like it the past few years now too) tend to "second my motion"... apk

Re:Ahem: WRONG... apk (0)

Anonymous Coward | about 9 months ago | (#46556445)

NO IT ISN'T!!!!!!!!!!

Sure it is, and? (0)

Anonymous Coward | about 9 months ago | (#46556471)

YOU NEVER ANSWERED MY QUESTION: Why did you Penguins here say (for years here) basically "Windows != Secure, Linux= Secure"?

Especially when the fact is, what you all said, isn't true (articles like this, & 1,000's like it the past few years now too) tend to "second my motion"...

APK

P.S.=> Like I said, predicting I'd be unjustifiably downmodded for telling it HOW IT REALLY IS here on Linux and Android, & that I'd hear more BULLSHIT than was considered normally humanly possible in evasion of answering that question of mine above... & as per my usual? I was right, as always... apk

Impossible~! (-1, Flamebait)

Billly Gates (198444) | about 9 months ago | (#46554873)

Linux is sooo secure. Ask any slashdotter.

One told me Windows was 100% secure as a limited user and privilege escalations were impossible because of security feature X.

Guess what? They exist in the wild and their are ways around things.

Re:Impossible~! (1)

Anonymous Coward | about 9 months ago | (#46554887)

Android's firmware loader != Linux. Sorry to burst your bubble.

Re:Impossibrue~! (1)

VortexCortex (1117377) | about 9 months ago | (#46555487)

Lemme guess. You think key-loggers are vulnerabilities Trucrypt should patch too, right?

Re:Impossibrue~! (1)

noh8rz10 (2716597) | about 9 months ago | (#46555815)

yes, key-loggers are vulnerabilities.

Ask any man... (-1)

Anonymous Coward | about 9 months ago | (#46554891)

... and he'll tell you just how dangerous PMS can be. :-P

Re:Ask any man... (1)

Ukab the Great (87152) | about 9 months ago | (#46555359)

Quit being alarmist--the exploit only works once every 28 days.

Luckily, Android is never updated (5, Funny)

mveloso (325617) | about 9 months ago | (#46554899)

Luckily for most Android users Android is almost never updated, so in real life there's no real vulnerability.

SecUP? No, that's not the name... (1)

Tumbleweed (3706) | about 9 months ago | (#46554927)

You'll find the scanner titled "Secure Update Scanner" in the Play store.

The short version .. (1)

DTentilhao (3484023) | about 9 months ago | (#46554929)

Old version of Android may be susceptible to hijacking by a malicious app. Such a malicious app can only get onto the device by direct user action ..

Wow (4, Interesting)

slapout (93640) | about 9 months ago | (#46555055)

There are one billion Android devices? That's awesome!

Re:Wow (2)

symbolset (646467) | about 9 months ago | (#46555197)

Just shy of a billion were sold last year alone.

Re:Wow (0)

Anonymous Coward | about 9 months ago | (#46557465)

Wow indeed - that's a lot of landfill.

Isn't this Obvious? (0)

Anonymous Coward | about 9 months ago | (#46555079)

I suspected this as soon as I put a typo in the permissions required for my very first android app.

Does it really take that many researches to verify it and write a paper. I just assumed it was obvious. Maybe most people don't make as many typos as I do?

The only time... (0)

Anonymous Coward | about 9 months ago | (#46555093)

that the term check your privilege actually makes sense in a Slashdot article.

Imagine the reverse (1, Flamebait)

mr_mischief (456295) | about 9 months ago | (#46555173)

Think of all the help Microsoft could get spotting security flaws if Google and Stanford could look through the Windows source whenever they chose.

Re:Imagine the reverse (0)

Anonymous Coward | about 9 months ago | (#46555447)

Most governments and educational institutions as well as many companies DO have access to the source code. It is only the general public that don't have open access to it, regardless though most vulnerabilities aren't found from source code reviews even in open source. It is found from crashes and bugs and sometimes fuzzying, only a fraction are found from source code review.

Matthew 7:15 (1)

PopeRatzo (965947) | about 9 months ago | (#46555183)

I'm pretty sure this story calls for a little Bible verse, from the book of Matthew.

"Thou hypocrite, cast out first the beam out of thine own eye; and then shalt thou see clearly to cast out the mote out of thy brother's eye."

Now brothers and sisters, please join me in a song from page 126 of your hymnal, "Open My Eyes That I Might See".

Re:Matthew 7:15 (1)

Great Big Bird (1751616) | about 9 months ago | (#46555707)

This is oddly appropriate.

I'm a loyal Android user. (1)

tpstigers (1075021) | about 9 months ago | (#46555325)

And I still don't give a crap.

In other news... (2)

Ukab the Great (87152) | about 9 months ago | (#46555381)

That there are 3,500 customized versions of Android developed by handset makers and carriers is really a news story unto itself.

Re:In other news... (0)

Anonymous Coward | about 9 months ago | (#46556283)

It's the power of open source. Not all those versions are for handsets, BTW. Android is used in the most disparate applications.

Re:In other news... (2)

AmiMoJo (196126) | about 9 months ago | (#46556459)

Counting the way they do you could say that there are 10,000+ versions of Windows out there. Every random OEM that loads up some crapware or changes the wallpaper counts as a new custom version to them. Of course in reality it makes little difference to developers or users (updates are provided by Google, the same way as "custom" versions of Windows still get updates from Microsoft).

PMS leads to privilege escalation... (0)

Anonymous Coward | about 9 months ago | (#46555383)

so much for robotic companionship...

you Fail qIt..9. (-1)

Anonymous Coward | about 9 months ago | (#46555399)

Not to worry (0)

Anonymous Coward | about 9 months ago | (#46555711)

Android is open. Open is beautiful. Open is great. Open to unpatched vulnerabilities forever is the best.

Privilege escalation? (1)

swillden (191260) | about 9 months ago | (#46555745)

Privilege escalation? That phrase, I don't think it means what you think it means.

Android has an even bigger problem with priveleges (5, Insightful)

Srin Tuar (147269) | about 9 months ago | (#46555843)

In that it still doesnt allow line-item veto of app priveleges.

This should be the most basic feature.

Re:Android has an even bigger problem with privele (0)

Anonymous Coward | about 9 months ago | (#46556701)

Spelling "privilege" should be a more basic feature. #fail

Cyanogenmod Privacy Guard (4, Interesting)

emil (695) | about 9 months ago | (#46557109)

http://wiki.cyanogenmod.org/w/... [cyanogenmod.org]

Using Privacy Guard, I can see that Facebook has attempted to read my contact list 94 times. These attempts were blocked.

Android has PMS? That explains sooo much... (0)

Anonymous Coward | about 9 months ago | (#46555953)

I love Android but sometimes its just really hard to get along with it.

Android Users (0, Insightful)

Anonymous Coward | about 9 months ago | (#46556381)

Android users are disgusting fat blobs who shit their pants and work at Best Buy.

Re:Android Users (0)

Anonymous Coward | about 9 months ago | (#46556907)

Agreed! Very insightful I wish I had mod points.

IU School of Informatics and Computing (0)

Anonymous Coward | about 9 months ago | (#46556553)

Represent!

Android has an even bigger problem with priveleges (0)

Anonymous Coward | about 9 months ago | (#46556729)

oh yeah, i like it
HTML la gi [thietkewebsite6886.com]

Thank you Verizon for protecting me from this flaw (1)

unfortunateson (527551) | about 9 months ago | (#46556865)

So sweet of Verizon to not provide updates on a timely basis, then, which prevents this kind of attack from ever causing problems.
So I turn to CyanogenMod or similar, which I'm sure will have patched this by the time there's another upgrade.

70 MILLION I DEVICES VULNERABLE (0)

Anonymous Coward | about 9 months ago | (#46557613)

Each and every one of them can be jail broken.

Why isn't THIS news?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?