Android Officially WORST in security and privacy

This topic is locked from further discussion.

#1  Edited By Mister-Man
Member since 2014 • 616 Posts

http://www.zdnet.com/article/stagefright-just-how-scary-is-it-for-android-users/

95% of a billion phones affected. A patch was released, but only 5% of that number received it. The rest of the 900,000,000 are still vulnerable. One of the great benefits of an open-source OS.

#2  Edited By musicalmac  Moderator
Member since 2006 • 25098 Posts

Here's another breakdown from Ars. They talk about the spookiest part of the whole thing--

All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.

To stress what this actually means:

  • No hardware contact is required
  • The victim doesn't need to take any action
  • No personal information is required outside of a phone number (Craigslist users, beware)
  • It's likely many affected users won't even know their device has been compromised

That's why this one is particularly bad, and why it's particularly alarming that it affects 950+ million android phones across the globe. It does get worse. From the ZDNet article:

Yes, it's really a bad security hole, but the fix is in... isn't it?

Uh, well about that, you see Android has another bigger security problem. With the exception of the Nexus devices, Google provides the Android source code patches, but it's up to the smartphone carriers and original equipment manufacturers (OEM)s to send it to users with updated firmware. As of July 27th, none of the major Android OEMs or carriers have announced plans to deliver the patch. With many older devices, patches may never be delivered.

This is an advantage Apple's ecosystem has enjoyed since the beginning, and Stagefright is just another confirmation of that fact.

#3 musicalmac  Moderator
Member since 2006 • 25098 Posts

More interesting tidbits about this issue, from Motherboard (a place I typically don't find articles that intrigue me):

Last week, I was hanging out with some hackers and security experts at a conference in Brooklyn when I took out my Sony phone.

“Oh! The journalist uses Android. That’s secure!” said one guy next to me, in a highly sarcastic tone.

I dismissed his sarcasm, even though, as someone who writes about information security, I knew that deep down he was right. Just a few days later, his joke now seems almost premonitory.

The full article is linked here. Go forth and read.

Bonus quote!

As security researcher Nicholas Weaver put it in a (now deleted) tweet, “Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android.”

What a terrible place to be. The decision to give carriers the power was a conscious one made by Google.

#4 Mister-Man
Member since 2014 • 616 Posts

And this is why the government and businesses will never buy into Android, and never have.

#6 musicalmac  Moderator
Member since 2006 • 25098 Posts

Seems like android phones have a hard time with media just generally.

New vulnerability can put Android phones into permanent vegetative state

This isn't quite as overtly damning as Stagefright, but it's still worth looking at.

The vulnerability, which resides in the mediaserver service Android uses to index media files, can most easily be exploited by luring a vulnerable phone to a booby-trapped website. Presumably, the phone can be revived by restarting it, but according to a blog post published Wednesday by a researcher from security firm Trend Micro, the bug can also be exploited by malicious apps. In this latter scenario, the malicious app could be designed to automatically start each time the phone is turned on, causing it to crash shortly after each restart.

An end user stammering through their android experience is like an athlete trying to compete in the Rio summer Olympics.

#8  Edited By musicalmac  Moderator
Member since 2006 • 25098 Posts

Waiting for Android’s inevitable security Armageddon

It's a recipe for disaster, all around. Scathing editorial, backed by sound principles.

#9  Edited By MuD3
Member since 2011 • 2192 Posts

This is freaky... but this makes me feel a bit better:

If you're using Google's Hangouts app, you don't even need to open your text message app. All the attacker needs to do is send a poisoned package to your phone number. It then opens up your device, and the attack starts. This can happen so fast that by the time your phone alerts you that a message has arrived, you've already been hacked. If, on the other hand, you're using Android's standard Messenger app you must open the text message -- but not necessarily watch the video -- to get hacked.

I don't have google hangouts, and all I have to do now is not open texts from people I don't know. This is a complete disaster though...

#10 jun_aka_pekto
Member since 2010 • 25255 Posts

Does this affect Android tablet users with no phone no. or Google login? If not, pffft.

#11 Mister-Man
Member since 2014 • 616 Posts

Android is such a hot mess. I don't get Android fans. They shun better security, better privacy, better apps, better ecosystem, better quality, better games, better accessories, better OS, better customer support, better everything... All for the sake of making their home screen look unique.

#12 musicalmac  Moderator
Member since 2006 • 25098 Posts

It gets worse.

http://arstechnica.com/security/2015/08/android-security-on-the-ropes-with-one-two-punch-from-researchers/

On mobile right now, so I can't make it pretty. Suffice it to say that it gets worse and it'll probably keep getting worse.

How can anything running android be compelling when you're forced to confront these sorts of significant fundamental flaws? Ignore it and pray it doesn't happen to you I guess.

#13 Mister-Man
Member since 2014 • 616 Posts

Any news if the new version of Android addresses this exploit, or how many devices actually run it?

#14 SamusBeliskner
Member since 2015 • 569 Posts

Worrying about being a victim of this is like worrying about catching Ebola. It just isn't going to happen.

#15  Edited By Mister-Man
Member since 2014 • 616 Posts

@samusbeliskner: The hack affects over 90% of Android owners. They are vulnerable as we speak, making them victims to a complete lack of basic security.

#16 musicalmac  Moderator
Member since 2006 • 25098 Posts

As predicted, inevitably, it gets worse.

Android lockscreen can be bypassed by overloading with massive password

The vulnerability, discovered by researchers at Texas University in Austin, potentially affects 21% of Android devices in use and requires the attacker to simply overload the lockscreen with text.

The bug affects only those users with smartphones running Google’s Android Lollipop using a password to protect their devices – Pin or pattern unlock are not affected.

The attacker need only enter enough text into the password field to overwhelm the lockscreen and cause it to crash, revealing the homescreen and giving full access to the device, whether encrypted or not.

I'd recommend that any of you who own android phones and utilize this method to unlock your phone--time to switch to something else.

#17 Mister-Man
Member since 2014 • 616 Posts

The Android security fails just keep piling on.

#18  Edited By musicalmac  Moderator
Member since 2006 • 25098 Posts

@samusbeliskner said:

Worrying about being a victim of this is like worrying about catching Ebola. It just isn't going to happen.

If Stagefright is like Ebola, then using an android phone is like consuming bush meat.

#19 musicalmac  Moderator
Member since 2006 • 25098 Posts

It gets worse--again (and again and again...).

In July, a security researcher revealed that Android phones could be hacked with a simple text, thanks to a series of bugs in the Android operating system that are now commonly known as Stagefright.

On Thursday, the same security researcher warned that two new Stagefright bugs can allow hackers to break into your phone by tricking you into visiting a website containing a malicious multimedia file, either mp3 or mp4. These two new bugs were also found in the Android media playback engine called Stagefright, just like the first series of bugs disclosed in late July...

It’s likely that 1.4 billion people are affected by these bugs.

To take advantage of these bugs, a hacker can trick a potential victim into opening a website where he has planted a malicious mp3 audio file, or a malicious mp4 video file, or by tricking the victim to open them in a third party application, say a multimedia player, that depends on the vulnerable Android libraries.

“Merely previewing the song or video would trigger the issue,” Drake wrote in a blog post.

Much more in the extremely damning article. Drake reported at least 10 more Stagefright bugs.

Google at your own risk. You are the product, and it shows. Never forget how android was born.

#20 thehig1
Member since 2014 • 7537 Posts

@mister-man said:

Android is such a hot mess. I don't get Android fans. They shun better security, better privacy, better apps, better ecosystem, better quality, better games, better accessories, better OS, better customer support, better everything... All for the sake of making their home screen look unique.

Better apps is the main one.

I use XBMC all the time because it's amazing: all the sports and video on demand on the go.

Also, I use my Android to emulate PS1 games. There are too many things iOS can't do for me to ever take it seriously.

#21 GTR12
Member since 2006 • 13490 Posts

@thehig1 said:

Better apps is the main one.

I use XBMC all the time because it's amazing: all the sports and video on demand on the go.

Also, I use my Android to emulate PS1 games. There are too many things iOS can't do for me to ever take it seriously.

You mean Kodi.

#22 thehig1
Member since 2014 • 7537 Posts

@GTR12: I use both.

There are some premium addons that only work on the old XBMC.

#23  Edited By musicalmac  Moderator
Member since 2006 • 25098 Posts

University of Cambridge study finds 87% of Android devices are insecure

Confirmed over, and over, and over, and over, and people that know still buy them... Astonishing.

Worse still is that Google is powerless to push out a fix to almost all of those smartphones.

#24 FireEmblem_Man
Member since 2004 • 20248 Posts

@musicalmac said:

University of Cambridge study finds 87% of Android devices are insecure

Confirmed over, and over, and over, and over, and people that know still buy them... Astonishing.

Worse still is that Google is powerless to push out a fix to almost all of those smartphones.

That's what Google gets for letting carriers and OEMs have all control of OS and firmware updates. At least MS has full control to give users Windows 10 updates and has been doing it for a long time.

#25 musicalmac  Moderator
Member since 2006 • 25098 Posts

@FireEmblem_Man said:
@musicalmac said:

University of Cambridge study finds 87% of Android devices are insecure

Confirmed over, and over, and over, and over, and people that know still buy them... Astonishing.

Worse still is that Google is powerless to push out a fix to almost all of those smartphones.

That's what Google gets for letting carriers and OEMs have all control of OS and firmware updates. At least MS has full control to give users Windows 10 updates and has been doing it for a long time.

If anyone took control of their end user security, it was certainly Apple. Though MS following Apple's lead and not Google's in this instance was a very wise decision indeed.

#26 FireEmblem_Man
Member since 2004 • 20248 Posts

@musicalmac said:
@FireEmblem_Man said:
@musicalmac said:

University of Cambridge study finds 87% of Android devices are insecure

Confirmed over, and over, and over, and over, and people that know still buy them... Astonishing.

Worse still is that Google is powerless to push out a fix to almost all of those smartphones.

That's what Google gets for letting carriers and OEMs have all control of OS and firmware updates. At least MS has full control to give users Windows 10 updates and has been doing it for a long time.

If anyone took control of their end user security, it was certainly Apple. Though MS following Apple's lead and not Google's in this instance was a very wise decision indeed.

What are you talking about? MS has always had control of OS updates for all Windows products; it's just that they didn't have the control on smartphones like they did with desktops/laptops.

#27 musicalmac  Moderator
Member since 2006 • 25098 Posts

@FireEmblem_Man: Um, exactly. lol

#28 musicalmac  Moderator
Member since 2006 • 25098 Posts

This thread has become a real compendium of android security fails, and therefore actually serves a couple of greater purposes, doesn't it? Anyways, today's flaw is something Verizon and AT&T customers should watch out for-

Security flaw makes every Android device on AT&T and Verizon's wireless vulnerable

A group of South Korean researchers, on Friday, reported a vulnerability that puts a large pool of Android devices -- every version of Android including Marshmallow -- in the United States at risk. If exploited, attackers could circumvent Session Initiation Protocol (SIP), often used in voice calls and instant messaging, to gain access to a victim's device. The attackers could then initiate denial of service (DDoS) attacks on a wireless network. The access to a victim's network opens the door to a number of sophisticated and serious attacks such as bypassing the VoLTE's accounting system to freely use the bandwidth, and wiretapping the victim's calls and messages.

Another day, another problem.

A spokesperson for T-Mobile acknowledged the existence of the aforementioned security flaw, and told ZDNet that they have resolved the issue. As per the researchers, Apple’s iPhones aren’t affected by this vulnerability. A Google spokesperson told the publication that they would roll out a fix for the said flaw for Nexus devices in their monthly security patch in November.

So T-Mobile and iPhone owners across the board need not worry. The dozen or so nexus device owners can expect a patch next month, so at least there's that. If only Google had the ability to push out that update to all their usersproducts users...

*emphasis added

#29 deactivated-601cef9eca9e5
Member since 2007 • 3296 Posts

@musicalmac: Third-party apps like Textra block this... Also, historically speaking, Apple's iOS has had the worst security ever.

#30 musicalmac  Moderator
Member since 2006 • 25098 Posts

@Mighty-Lu-Bu said:

@musicalmac: Third-party apps like Textra block this... Also, historically speaking, Apple's iOS has had the worst security ever.

You'll need to do more explaining than this. A lot more.

#31 Bravo632
Member since 2015 • 207 Posts

What do you think of the BlackBerry Priv in terms of security for an Android platform? They seem to be very confident about it.

#32 Mister-Man
Member since 2014 • 616 Posts

@Mighty-Lu-Bu: Crack is a hell of a drug

#33 musicalmac  Moderator
Member since 2006 • 25098 Posts

Here we go again, only this time, it's the Samsung Galaxy S6 Edge edition.

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge

A week of investigation showed that there are a number of weak points in the Samsung Galaxy S6 Edge. Over the course of a week, we found a total of 11 issues with a serious security impact. Several issues were found in device drivers and image processing, and there were also some logic issues in the device that were high impact and easy-to-exploit.

The majority of these issues were fixed on the device we tested via an OTA update within 90 days, though three lower-severity issues remain unfixed. It is promising that the highest severity issues were fixed and updated on-device in a reasonable time frame.

This one is more here to throw a bone to the android faithful. It's a report of a security flaw (no surprises there) that actually received a fix, albeit not a very timely one (3 months for a severe security issue - yikes). This thread overall is about the most brutal thing I've ever seen on the mobile board generally.

#34 musicalmac  Moderator
Member since 2006 • 25098 Posts

Oh boy. From MIT.

According to the ACLU’s principal technologist, Chris Soghoian, another gulf between the two is that Apple devices also better protect people’s data against criminals and surveillance. At MIT Technology Review’s EmTech conference in Cambridge, Massachusetts, on Tuesday, he warned that the combination of those differences has created a looming civil rights problem.

Apple CEO Tim Cook recently spoke about his commitment to privacy and criticized companies who are “gobbling up” personal data to make money from it. His company won plaudits from experts last year—and enraged the FBI—after making its mobile devices automatically encrypt data stored on a device in such a way that even Apple can’t unlock it.

Apple has also designed its messaging and video chat apps to use end-to-end encryption, which means that the company can’t read past communications (unless someone has enabled Apple’s iCloud backup service). And it has resisted U.S. Department of Justice demands to modify its system to wiretap messages in real time.

People using phones powered by Google’s Android software are not so well protected, said Soghoian. The company said last year that it would make Android phones encrypt all stored data by default, like Apple devices do, but reversed that decision early this year. Google said this month it will require only devices meeting certain hardware performance standards to encrypt stored data, which Soghoian thinks will exclude cheaper devices. Google’s Hangouts text and video chat service bundled with Android does not use end-to-end encryption.

The difference between Apple and Google’s stances on encryption for mobile devices appears to be due to corporate rather than technical reasons, said Soghoian. “Google has by far the best security team of any company in Silicon Valley, and the security people I know at Google are embarrassed by Android,” he said. “But Apple sells luxury goods and Google gives away services for free in return for access to data.”

Emphasis added.

So again, why in the world would you ever choose Google's methods over Apple's? Few people understand the Grand Canyon sized rift between how a company who makes money on hardware operates, and how a company that makes money on advertising operates. This article puts that into perspective under very bright lights.

--

(Disclaimer: I think the idea that Google's groundbreaking security missteps can be seen as a looming civil rights problem is about the most insufferable thing I've ever read, but that's our culture these days. Yuck. Regardless, it highlights again the idea that YOU are the product, not the phone in your hand, but YOU.)

#35 musicalmac  Moderator
Member since 2006 • 25098 Posts

So a few days old, but I've been out-

New strain of Android malware is 'virtually impossible' to remove

Do you remember the bad old days of computer viruses so invasive that it was easier to nuke your software and start over than fix the problem? They're back... in mobile form. Lookout has noticed a trend toward Android malware that masquerades as a popular app, but quietly gets root-level access to your phone and buries itself deep in the operating system. If that happens, you're in serious trouble. Unless you can walk through loading a fresh ROM or carefully modify system files over ADB, it may be easier to just replace the device, or have your phone company reflash it -- a simple factory reset won't get the job done. Some of the bogus apps are little more than shells for ads, but others will work properly while they compromise your device.

As with a lot of Android malware, you generally have to go to a third-party store to get these corrupted apps. You'll likely be fine if you stick to Google Play. Lookout says it spotted over 20,000 modified apps, however, and some of the highest infection rates are in Google Play-friendly countries like Germany and the US. In other words, this isn't simply an issue in those regions where third-party stores are the only real sources for apps -- it's a global issue. These exploits take advantage of the same security holes that many people use to root their devices, so as long as those exist the problem may also continue. For now, the best bet is for people to be more cautious with their downloads.

Just another day in android land. This one probably necessitates the acquisition of a new phone entirely. I'm not even sure what else to say about this one.

Woof.

#36 musicalmac  Moderator
Member since 2006 • 25098 Posts

In today's edition of Critical android Exploit Daily-

New Android exploit can hack any handset in one shot

Hackers have discovered a critical exploit in Chrome for Android reportedly capable of compromising virtually every version of Android running the latest Chrome. Qihoo 360 researcher Guang Gong demonstrated the vulnerability to the Pwn2Own panel at the PacSec conference in Tokyo yesterday. While the inner workings of the exploit are still largely under wraps, we do know that it leverages the V8 JavaScript engine to gain full administrative access to the victim's phone.

More in the link. This is another bad one, folks. At this point, I'm not sure even what to say. It's just astonishing.