[Q] Android Browser WebView / addJavascriptInterface Exploit - Android Q&A, Help & Troubleshooting

Technology Review article "Browser Exploit for Android Highlights Google's Update Problem" (February 14, 2014) referenced an exploit on devices running Android older than 4.2 involving the addJavascriptInterface function in WebView. The post listed a number of sources and more can be found in OSVDB entry 97520.
I take claims that '70% of all Android devices are vulnerable' with a grain of salt but I do have a number of devices where the vendors have not provided upgrades to Android 4.2 or higher (devices running Android 4.2 and above may still have vulnerable apps compiled with pre-4.2 libraries). I have reviewed some of the references but am not clear how large the hole is or whether there are viable ways of protecting from it (other than rooting the device and upgrading). The 2011 paper "Attacks on WebView in the Android System" identified a number of attack vectors, found mitigating factors in most applications that prevented exploitation but also identified a number of vulnerable applications. Subsequent work by Rapid7 implies that the vulnerability is exploitable but they have an incentive to promote their Metasploit software.
Is this vulnerability as bad as claimed? Are there ways of blocking the vulnerability on Android prior to 4.2?
Thanks, Norbert

Norbert,
Some of your questions are answered here - http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html
In short the 70% number on browsers was a hasty estimate but the problem is much bigger than these articles describe.
Joshua

addjsif Test Results
Joshua, very interesting post! I am not sure how I would go about identifying which applications on my Android devices use WebView or how to get them to visit the test page. I tried the browsers on a Samsung Galaxy S (Android 2.3.3) and Toshiba Thrive (Android 4.0.4). The Samsung stock browser passed while the Thrive stock browser failed (VULNERABLE: searchBoxJavaBridge_). Chrome on the Thrive was not vulnerable.
Maybe it is time to have a chat with Toshiba about getting this problem resolved. I am sure the Samsung has vulnerabilities but it is hard to get traction without a clear 'smoking gun'.
Thanks, Norbert


There's a Zombie-like Security Flaw in Almost Every Android Phone

Nice article to read.. Just thought I would share.. MODS PLEASE DELETE IN CASE THIS IS A DUPLICATE.
http://news.yahoo.com/theres-zombie-...013019842.html
By Abby Ohlheiser
Almost every Android phone has a big, gaping security weakness, according to the security startup who discovered the vulnerability. Essentially, according to BlueBox, almost every Android phone made in the past four years (or, since Android "Donut," version 1.6) is just a few steps away from becoming a virtual George Romero film, thanks to a weakness that can "turn any legitimate application into a malicious Trojan."
While news of a security vulnerability in Android might not exactly be surprising to users, the scope of the vulnerability does give one pause: "99 percent" of Android mobiles, or just under 900 million phones, are potentially vulnerable, according to the company. All hackers have to do to get in is modify an existing, legitimate app, which they're apparently able to do without breaking the application's security signature. Then, distribute the app and convince users to install it.
Google, who hasn't commented on the vulnerability yet, has known about the weakness since February, and they've already patched the Samsung Galaxy S4, according to CIO. And they've also made it impossible for the malicious apps to install through Google Play. But the evil apps could still get onto a device via email, a third-party store, or basically any website. Here's the worst-case scenario for exploitation of the vulnerability, or what could potentially happen to an infected phone accessed via an application developed by a device manufacturer, which generally come with elevated access, according to BlueBox:
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
The company recommends users of basically every Android phone double check the source of any apps they install, keep their devices updated, and take their own precautions to protect their data. But as TechCrunch notes, Android users really should be doing this anyway, as the devices tend to come with a "general low-level risk" from malware. That risk, however, is elevated for users who venture outside of the Google Play store for their apps.
So while the actual impact of the vulnerability is not known, neither is the timeline for fixing it. Manufacturers will have to release their own patches for the problem in order to fix it, something that happens notoriously slowly among Android devices.
Mr_Jay_jay said:
/snip
As always, this really boils down to the same thing: don't be a fool in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco awhile back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end-user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Rirere said:
As always, this really boils down to the same thing: don't be a fool in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco awhile back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end-user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Not every Android device has access to Play Store though, by-default. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get Play Store, and would just deal with whatever marketplace app existed.
This exploit will likely only ever affect users that by default use devices that do not have Google support. Many of these are distributed among 3rd world nations and are typically a hotbed of illicit activities anyway. Of the first worlders that would be affected, it would be those using black market apps without knowing the risks involved in doing so. Most black market users are knowledgeable enough to know to check their sources and compare file sizes before installing APKs.
Also the notion that 99% of devices are affected has nothing to do with the OS being flawed (Google reportedly fixed the flaw in March), but rather the OEMs being slow in pushing out (or not pushing out at all) the patch for the hole.
Also I would be wary of a security outfit that has been around since 'mid-2012' and continues to pride itself as a start-up mobile security firm.
espionage724 said:
Not every Android device has access to Play Store though, by-default. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get Play Store, and would just deal with whatever marketplace app existed.
Granted, but the Play Store reduces the attack surface by a considerable margin. Right now, I consider non-Google blessed Android to be something akin to stock Windows 7 with Defender and Firewall turned off: you can do just about anything with it, but you're running at a risk by not deploying some vendor-based add-ons (in this case, choosing to use the unit available).
I do understand that many devices sell outside of the Google world, before anyone jumps on me, but it doesn't change how the vulnerabilities play out.
This boils down to:
If users install a virus then they get a virus!!! This affects all Android phones!!!!!!!! Oh Nos!
Sucks that this is being patched. Guess there will be no more modding games for me.

[Q] An Android Gingerbread App not working in later versions

Hi friends,
I need advice on a pressing issue I am facing right now about an android app I got developed through a freelancer.
I am webmaster of a website for numerology enthusiasts. On this website, we were offering a numerology calculator (basically a combination of HTML pages with some JavaScript embedded, all compiled in an .exe format). Later, on some suggestions, we decided to prepare an Android version of this tiny program by hiring a programmer from South India. It was 2011 and Gingerbread was the prevalent Android platform. The programmer created the app and we published it on Android Market, where it is still available on the Play Store (search for com.namecalculator.lite on the Play Store and the first result, 'Your Lucky Name', is the app in question).
The problem is that this was an app which was not compatible with later versions of Android. As such, after some time, when the ICS version of Android was launched, the app stopped working for ICS devices. As of now, except for some old Android devices, this app is useless.
When I contacted the guy who originally developed this app, he told me that the source files of the app were not saved by him and as such, he expressed his inability to do anything about it. He told me that if I again wanted him to develop the app for later versions of Android (like ICS, Jellybean etc.), I will have to pay him the full development fee as he will have to start again from scratch.
Since my website is only a hobbyist website with negligible revenue, it was not possible for me to again hire this programmer just to develop an upgraded version of the app.
As of now, a very popular part of my website (the app) has become unavailable for its intended users. In this background, I want guidance on the following:
(1) If an app is already built for an earlier Android version, does making it compatible with future/latest versions of Android require the same amount of energy and effort which was needed when the app was developed the first time?
(2) Since the app in question is basically a compilation of HTML files with some JavaScript embedded in some pages, will it be really difficult to reconstruct the app if the source files of the earlier app have been lost? (I still have the raw HTML pages with me.)
(3) I am not a programmer but have experience of web design, creating blogs etc. Can I teach myself to create the above mentioned app by reading and following online tutorials? If yes, what in your opinion is the expected time in which an average learner (with no programming background) can do it? Also kindly point me to some good tutorials.
(4) Any other advice on the above issue some of you might be having?
Regards
Eklavya

Need an opinion, does XDA feel android is becoming more closed update after update?

Dear XDA,
just looking for a friendly discussion here. With the Android O dev preview, it has blocked apps from drawing on the UI due to a security issue. But to my knowledge it just forces a system wide notification with the ability to turn off the UI elements, and gives the option to allow UI drawing (hiding the notification) per app, and if the apps use the newer API they can show up as a trusted app. But so many tech articles say otherwise. Are these really a big security loophole in your opinion? Like for example after the Nougat update, OS Monitor stopped working and the dev stopped support due to a security patch. So I am wondering if Android is really getting more closed due to security updates or is this just articles fear mongering? I mean I am all up for security and lucky for me all my apps such as emulators, settings, tools, Linux containers and such so far I have not needed to root at all and it has really helped me since I use mobile payment on my S7 Edge. I do dabble into rooting on my Nexus 7 but rooting hasn't been mandatory, unless of course most of my apps break because of Android updates, then I would have to root. So is Android really becoming more closed or are these security updates actually required??

Anyone know how vulnerable our devices (firmware versions) are to KRaCK?

Hey there,
as I'm sure some of you are aware, there has been a rather big security problem concerning WPA2 -> https://www.krackattacks.com/
Also this
Does anybody know Sony's stance on this?
panecondoin said:
Hey there,
as I'm sure some of you are aware, there has been a rather big security problem concerning WPA2 -> https://www.krackattacks.com/
Also this
Does anybody know Sony's stance on this?
Our devices are probably vulnerable,
as I read it from the news articles: if you have a patched router you're covered (well, when is that even the case?), but you can also close the door with updated clients (Android phones!).
In essence: if only one side is patched, the connection is secure,
so with recent Android "Stock" ROMs the security is and can be compromised (reading WiFi traffic, injecting HTML stuff and adding potentially malicious code to your browsing data).
That means:
NO Online Banking or Shopping Online via WLAN/WiFi
I'm pretty sure Sony will provide an update to "patch" the system up (updating the components affected).
If they stay with the latest ROM version (32.4.A.1.54) and provide no further updates, it shall backfire spectacularly.
Thanks for the links
Thanks @zacharias.maladroit, for providing the appropriate consequences that users should be aware of. Let's hope for the best and see what Sony has in store in this regard.

I know the Nexus 10 is old but certificates shouldn't be a reason to make it useless

Hi All, I used to play around with SSL certs and openssl and all that stuff... so I have a bit of knowledge on the topic but am by no means an expert... please give me a bit of leeway if I misspeak...
I have a Nexus 10 that I still like and that I still use.... yes I'm a cheapskate! It runs Android 5.1.1... my Nexus 6 (yes I still use that one too!) runs Android 7.1.1. That fact will be made relevant below... There are a lot of us cheapskates around and we do like to extend the life of our stuff for as long as possible.
The Question: If I have an OLD Android device trying to connect to a website with a browser... or trying to use an app against a server with a cert that is signed by a CA that my truststore does not have, in principle, all I need to do is get that CA installed (yes/no/maybe?)
The Reason I ask:
So I saw an Android Police item today: "Many websites will stop working on older Android versions in 2021". This story says that thanks to the fact that "Let's Encrypt" will stop cross-signing their certificates with the DST CA X3 certificate, evidently any device running 7.1 or earlier will start having issues. The DST cert has been around for some time... but "Let's Encrypt" has their "ISRG Root X1" CA. According to the AP article, this "cross-signing" made it possible for devices on Android 7.1 or earlier to connect to SSL-enabled sites. After January 2021 they are NOT going to do this anymore, so your Chrome browser (which unlike Firefox does not have the capability to use a separate truststore) will not work with some websites... and of course this has ramifications for apps that rely on SSL as well.
So again, my question is, assuming the apps I have use the basic device's trust store, shouldn't I just have to install the ISRG Root X1 into my device's truststore and I can then be fat, dumb, and happy again? My limited knowledge on SSL suggests the answer is "yes that would work" but I'm not sure (of much!) these days.
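The cross-signing this post describes, as an added example that is not part of the original thread: a throwaway PKI built with openssl in which an "old" root stands in for DST Root CA X3 and a "new" root for ISRG Root X1, then checked against a trust store holding one root or the other. All names and keys here are constructed; nothing is fetched from Let's Encrypt.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway PKI with
# openssl to model Let's Encrypt cross-signing: "old" stands in for DST Root
# CA X3, "new" for ISRG Root X1. All names and keys here are constructed.
set -eu

# issue <csr> <ca cert> <ca key> <out cert> <ext file>: sign a CSR with a CA.
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$4" -days 30 -extfile "$5" >/dev/null 2>&1
}

# build_demo_pki: creates the certificates in a temp directory, prints its path.
build_demo_pki() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  for n in old new int leaf; do
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=$n" >/dev/null 2>&1
  done
  # Two self-signed roots: the one already in an old device's trust store
  # ("old") and the one the question proposes to install ("new").
  for r in old new; do
    openssl x509 -req -in "$d/$r.csr" -signkey "$d/$r.key" -out "$d/$r.crt" \
      -days 30 -extfile "$d/ca.ext" >/dev/null 2>&1
  done
  # One intermediate key certified twice: by the new root, and as the
  # cross-sign by the old root. Same subject and key, different issuer.
  issue "$d/int.csr" "$d/new.crt" "$d/new.key" "$d/int_by_new.crt" "$d/ca.ext"
  issue "$d/int.csr" "$d/old.crt" "$d/old.key" "$d/int_by_old.crt" "$d/ca.ext"
  # The website's certificate, signed with the intermediate key.
  issue "$d/leaf.csr" "$d/int_by_new.crt" "$d/int.key" "$d/leaf.crt" "$d/leaf.ext"
  echo "$d"
}

# verify_chain <trusted root> <intermediate the site serves> <site cert>:
# exit status 0 when the chain validates against that trust store, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Stand-alone run: the three cases the question turns on.
if [ "${1:-}" = "run" ]; then
  d=$(build_demo_pki)
  verify_chain "$d/old.crt" "$d/int_by_old.crt" "$d/leaf.crt" && echo "old root + cross-signed chain: OK"
  verify_chain "$d/old.crt" "$d/int_by_new.crt" "$d/leaf.crt" || echo "old root + chain to new root only: FAIL"
  verify_chain "$d/new.crt" "$d/int_by_new.crt" "$d/leaf.crt" && echo "new root installed + new chain: OK"
fi
```

Run it as `sh crosssign.sh run` to print the three results. The cross-signed intermediate validates only against the root that signed it, so the chain the site serves and the root the device trusts have to match: installing the new root fixes the Android 7.1 case exactly because sites then serve the chain ending at that root.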
