Researcher To Release Web-Based Android Attack

← Back to Stories (view on slashdot.org)

Researcher To Release Web-Based Android Attack

Posted by timothy on Thursday November 4, 2010 @02:39PM from the oopsie-daisy dept.

CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says"

101 of 136 comments (clear)

Min score:

Reason:

Sort:

Anything that gets phone makers to update... by mykos · 2010-11-04 14:42 · Score: 3, Insightful

So many phone makers seem to think the worst thing in the world is to provide users an official update. Maybe this will get them in gear.

As an aside, does anyone know what phone makers are good about keeping updates coming?
1. Re:Anything that gets phone makers to update... by Anonymous Coward · 2010-11-04 14:45 · Score: 2, Informative
  
  Still waiting for 2.2 from Samsung... so not them!
2. Re:Anything that gets phone makers to update... by Nerdfest · 2010-11-04 14:50 · Score: 1
  
  Why would it? In most cases they almost seem to be of the attitude that "You bought it, now it's your problem".
3. Re:Anything that gets phone makers to update... by cheater512 · 2010-11-04 14:53 · Score: 4, Interesting
  
  N900 is pretty good. 3 core updates (I think) so far plus a upgrade to Meego when it is finished.
  Also half the price of similar phones.
4. Re:Anything that gets phone makers to update... by stoolpigeon · 2010-11-04 15:22 · Score: 3, Informative
  
  If you are on the Galaxy S like I am, Froyo started rolling out today in the UK - hoping the US is not far behind.
  
  --
  It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
5. Re:Anything that gets phone makers to update... by rmcd · 2010-11-04 15:25 · Score: 2, Insightful
  
  One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.
  The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.
  I don't think this is as trivial a problem as some of the commenters would suggest.
6. Re:Anything that gets phone makers to update... by Johnny+O · 2010-11-04 15:38 · Score: 3, Informative
  
  Samsung or Sprint (I forget which) already stated that the Moment (which I am posting this from) will NOT be getting 2.2. We are STUCK with 2.1.
7. Re:Anything that gets phone makers to update... by bhagwad · 2010-11-04 15:41 · Score: 4, Interesting
  
  Won't it be nice if someone sues a carrier for not providing updates because of which their phone was hacked and valuable data lost? It'll be like a wet dream come true for me :D
8. Re:Anything that gets phone makers to update... by Zarf · 2010-11-04 15:54 · Score: 2, Informative
  
  Motorola Droid has had every update so far.
  
  --
  [signature]
9. Re:Anything that gets phone makers to update... by Anonymous Coward · 2010-11-04 15:55 · Score: 1
  
  2 year contract, 6 month technology cycle. Didn't you expect this? I know I did when I bought mine. Just root the sucker and put on a third party rom, which runs incredibly better anyway.
10. Re:Anything that gets phone makers to update... by causality · 2010-11-04 16:12 · Score: 1
  
  One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.
  Emphasis added.
  
  I don't think this is as trivial a problem as some of the commenters would suggest.
  It's trivial because those customizations that hinder updates are idiotic. If they were important and non-essential then it would be non-trivial. As it stands, the problem is very easy to solve.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
11. Re:Anything that gets phone makers to update... by toastar · 2010-11-04 16:51 · Score: 2, Insightful
  
  If you are on the Galaxy S like I am, Froyo started rolling out today in the UK - hoping the US is not far behind.
  If you have root like I do, you probably have had froyo for months
12. Re:Anything that gets phone makers to update... by zarthrag · 2010-11-04 17:01 · Score: 1
  
  My nexus one gets 100% pure updates through T-mobile. If I'm impatient, I can run official builds directly from google. No missing features, no custom UI elements. I'll have tethering for free while everyone else pays, and any other feature Google releases that doesn't defy my hardware.
  
  --
  Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
13. Re:Anything that gets phone makers to update... by rmcd · 2010-11-04 17:43 · Score: 1
  
  You're right, but ...
  It's easy to solve if customers demand clean implementations. I don't see that happening anytime soon. No one I know (apart from friends who are the type to read slashdot) even knows what android is, let alone the difference between "with google" and not.
14. Re:Anything that gets phone makers to update... by mini+me · 2010-11-04 17:50 · Score: 1, Insightful
  
  Apple might give you a few updates when you first purchase your device, but they soon stop coming too. First generation iPhone and iPod touch owners are already without the option of upgrading to iOS 4.
15. Re:Anything that gets phone makers to update... by khchung · 2010-11-04 18:56 · Score: 1, Insightful
  
  Won't it be nice if someone sues a carrier for not providing updates
  
  So you would be happy to encourage carriers to pick phones that do not have updates so they won't be liable for not providing the updates to customers?
  
  --
  Oliver.
16. Re:Anything that gets phone makers to update... by mcvos · 2010-11-04 19:11 · Score: 1
  
  Motorola, HTC and all the rest could take a page from Apple and take better care of their customers.
  Personally I'd appreciate it if Motorola took a page from HTC and didn't use an encrypted bootloader, so I can update the OS myself.
17. Re:Anything that gets phone makers to update... by mcvos · 2010-11-04 19:14 · Score: 1
  
  Probably because the hardware is not compatible enough anymore. When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us. Networks expect us to get a new phone every two years.
18. Re:Anything that gets phone makers to update... by mcvos · 2010-11-04 19:15 · Score: 1
  
  Really? It was still $500 when I considered the N900. (I chose against it because I don't want a stylus; I want multitouch.)
19. Re:Anything that gets phone makers to update... by Johnny+O · 2010-11-04 21:57 · Score: 1
  
  I came with 1.5. I was PLEASANTLY suprised they upgraded to 2.1. Lots of other phones released at the same time are going 2.2. This one was abandonded. Android 2.2 comes with tethering and Sprint doesn't want that (without fees).
20. Re:Anything that gets phone makers to update... by mcvos · 2010-11-04 22:05 · Score: 1
  
  How is support for the HTC G1? How many other 3 year old phones still get regular updates?
  I'm not saying it's acceptable, I'm just pointing out Apple isn't any worse than any other manufacturer in this. And it's not exactly surprising, considering the networks want to sell us a phone every two years.
  At the moment, the only way out of this is to make sure you own your phone, and aren't tied to a manufacturer or network to keep your phone up to date.
21. Re:Anything that gets phone makers to update... by Doug+Neal · 2010-11-04 22:22 · Score: 1
  
  But the catalog of applications available is dire. Nobody is developing for it. Yes there are a few apps which are really cool, but they're the exception, and they don't have the same level of polish as you'd expect from Android or iPhone apps. And still no decent Webkit browser!
  I'm dumping my N900 for an Android device as soon as I'm out of contract. Sad really because the hardware is excellent, and it had a lot of potential.
22. Re:Anything that gets phone makers to update... by Zero__Kelvin · 2010-11-04 22:33 · Score: 1
  
  "I came with 1.5."
  You are a serious enthusiast. I am loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that is has been released, but I never came; it didn't even get me hard.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
23. Re:Anything that gets phone makers to update... by cwtrex · 2010-11-04 22:38 · Score: 1
  
  I have been researching roms and kernels for the Samsung Epic, which of course is a CDMA phone and has 4g. You didn't mention which Samsung S you have, but are you aware of a rom that is Froyo and also has CDMA, Wifi, and 4g capabilities for the Samsung Epic?
  
  Is there a way to keep the stock rom, but force it to upgrade to froyo using root?
24. Re:Anything that gets phone makers to update... by peragrin · 2010-11-04 23:23 · Score: 2, Insightful
  
  And this is one of the main reasons not to get an Android phone. In order to get upgrades you have to root(jailbreak) the phone. Apple may be a control freak, but at least they are willing to support their products for more than 6 months.
  So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.
  
  --
  i thought once I was found, but it was only a dream.
25. Re:Anything that gets phone makers to update... by cheater512 · 2010-11-04 23:30 · Score: 1
  
  Erm...Why do you want a Webkit browser?
  Its got essentially raw Firefox and all its capabilities.
  As alternatives it has Fennec and Opera as well.
26. Re:Anything that gets phone makers to update... by Doug+Neal · 2010-11-04 23:47 · Score: 1
  
  Because Webkit is superior to Gecko - it's faster and it uses less memory. The built in MicroB browser is not very quick. Fennec is even worse. The GUI responses lag behind the input noticeably.
  I wasn't aware of Opera being available for the N900 though, I will give it a try.
27. Re:Anything that gets phone makers to update... by rwa2 · 2010-11-05 00:09 · Score: 1
  
  As an aside, does anyone know what phone makers are good about keeping updates coming?
  Um, anything supported by CyanogenMOD? I specifically shopped for a phone on their list.
  Not as convenient as OTA updates, sure. But there's enough good stuff in there to make it well worth the effort to flash from 2.1 to 2.2
28. Re:Anything that gets phone makers to update... by poetmatt · 2010-11-05 00:21 · Score: 1
  
  really? The original android phone has no problem with froyo 2.2, the original droid has no problem with 2.2.
  It's not about hardware, it's whether people are willing to make it work.
29. Re:Anything that gets phone makers to update... by jeffmeden · 2010-11-05 00:54 · Score: 2, Insightful
  
  If you have genuine security needs (and concerns) like I do, you wouldn't touch a rooting system and hacked rom with a 10 meter patch cord. Hoping for increased security by running "newer" code from completely untrusted sources... What could possibly go wrong?
30. Re:Anything that gets phone makers to update... by jeffmeden · 2010-11-05 00:55 · Score: 1
  
  "I came with 1.5."
  You are a serious enthusiast. I am loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that is has been released, but I never came; it didn't even get me hard.
  You are overlooking the possibility that he is a sentient smartphone and was merely referring to the software which was preloaded at birth...
31. Re:Anything that gets phone makers to update... by Culture20 · 2010-11-05 01:20 · Score: 1
  
  Apple might give you a few updates when you first purchase your device, but they soon stop coming too. First generation iPhone and iPod touch owners are already without the option of upgrading to iOS 4.
  Probably because the hardware is not compatible enough anymore. When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us. Networks expect us to get a new phone every two years.
  iPhone 2G users also didn't get security patches for the pdf security vulnerability found immediately after the iOS4 release (which was reported to work on older versions). Apple just said "3 years of security updates is enough for any computer that happens to have a phone built in".
32. Re:Anything that gets phone makers to update... by markhb · 2010-11-05 01:22 · Score: 1
  
  Yeah, well, I've got the original CLIQ, which is just getting the long-awaited upgrade from 1.5 to 2.1, with very few hopes of getting an official bump to 2.2. I wonder if they can backport the WebKit fix from 2.2 into 2.1 without breaking everything in sight.
  
  --
  Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
33. Re:Anything that gets phone makers to update... by peragrin · 2010-11-05 01:23 · Score: 1
  
  HTC support their phones for 6-12 months. maybe it depends on how many units sold.
  Carrier supplied phones are still using android 1.5, 1.6
  Apple is literally 3 times better at old software updates than everyone else who sells phones.
  
  --
  i thought once I was found, but it was only a dream.
34. Re:Anything that gets phone makers to update... by GooberToo · 2010-11-05 01:34 · Score: 2, Informative
  
  By your definition, Apple's products complete fit the bill. In fact, given one product problem after another, even without your comments, they seemingly fit the bill. Though honestly, I don't believe your assessment of the market, Android+iPhone is even close to reality.
  Just the same, Android phones vary widely in fit, function, and quality. Some even exceed the iPhone's quality by a wide margin. Android's success is not because "resistance is futile" mentality as you attempt to push. Its succeeding because they cover every market segment; including the "cheap" market to well beyond what Apple currently provides.
35. Re:Anything that gets phone makers to update... by trcooper · 2010-11-05 01:46 · Score: 1
  
  HTC and Verizon have been good on the Incredible. The second update to the phone in 6 months is set to go next week. This will be a minor update to the Froyo release that went out in August / September I believe. I also expect that we'll see Gingerbread a month or two after it's released.
36. Re:Anything that gets phone makers to update... by rainmouse · 2010-11-05 01:49 · Score: 1
  
  Apple is literally 3 times better at old software updates than everyone else who sells phones.
  As I said before, please back up these claims. Without proof or some kind of source these could well just be figures plucked from thine own bunghole.
  My partners android phone with Orange has been automatically updated to 2.2, why would carriers be supplying phones using android 1.5? Again back up your claims with evidence or a link to something other than ranting on a forum please.
37. Re:Anything that gets phone makers to update... by peragrin · 2010-11-05 01:52 · Score: 1
  
  The Nexus 1 uses stock android though.
  the majority of HTC models lag 6-12 months behind in updates simply because they have to make sure their UI updates correctly on the older hardware. It is also why HTC stops updating phones much earlier than apple does simply because it becomes far to much work for a limited group that you want to purchase new phones anyways.
  
  --
  i thought once I was found, but it was only a dream.
38. Re:Anything that gets phone makers to update... by jDeepbeep · 2010-11-05 01:53 · Score: 1
  
  So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.
  I'd have to agree with you. I have a Droid Eris that Verizon has declared end -of-life in under a year of its release, and they have also stated it will never be updated to 2.2. I have no choice but to root the phone, since I'm not going to buy a newer, shinier unsubsidized device at $600+ a pop.
  
  --
  Reply to That ||
39. Re:Anything that gets phone makers to update... by mcvos · 2010-11-05 02:01 · Score: 1
  
  My partners android phone with Orange has been automatically updated to 2.2,
  And that phone was 3 years old? I'm impressed!
40. Re:Anything that gets phone makers to update... by peragrin · 2010-11-05 02:06 · Score: 1
  
  The HTC Aria came out in may/June 2 months after the offical 2.2 Froyo came out.
  It still isn't updated to 2.2 stock. HTC won't do it. ATT won't do it.
  HTC Hero is also officially only android 2.1 with no official updates yet.
  instead of being an asshole why don't you go look it up. Here is the problem, you have to look up every phone by each carrier separately to find out if an update may or may not be forth coming. Even then half the time they refuse to list what version of android is avialable unless it is the latest.
  If HTC can't update phones released since the official Froyo release, what makes you think they will update phones that are older than froyo?
  
  --
  i thought once I was found, but it was only a dream.
41. Re:Anything that gets phone makers to update... by jeffmeden · 2010-11-05 02:13 · Score: 1
  
  I am honestly not trolling... But, please tell me which Android phone is "well beyond what Apple currently provides [in the iPhone 4]"...
42. Re:Anything that gets phone makers to update... by tixxit · 2010-11-05 02:39 · Score: 1
  
  I JUST got a 2.1 update from TELUS (Canada) for my HTC Hero. It was several months after most other providers released the update. As far as I know, this is it for support for my phone; HTC only promised up to 2.1. It is annoying that phone companies sell 3 year contracts that come with a phone, when that phone is only supported for 1 year. For all the Apple bashing, at least they actually support their product for the expected lifetime of the device, rather than ditching it as soon as it hits that 1 year mark.
43. Re:Anything that gets phone makers to update... by ronocdh · 2010-11-05 03:22 · Score: 1
  
  As an aside, does anyone know what phone makers are good about keeping updates coming?
  No. I have a Nexus One and am extremely pleased with it. The unlocked bootloader means I can run whatever version of the operating system I want. Google releases the source code months (in some cases, maybe years) before most phone manufacturers get around to offering an update, but modding communities like CyanogenMod have an extremely fast turnaround. They build for many different handsets, by different vendors, patch often (there are nightly releases available if you're into that), and don't seem to have any bias about device manufacturers.
  Google did allow this system to be open, but people didn't vote with their dollars by buying the Nexus One in big enough numbers. I wouldn't stand for having a computer that restricted the software I'm allowed to run on it, and I don't see any reason to change that philosophy for using a "smartphone."
44. Re:Anything that gets phone makers to update... by mini+me · 2010-11-05 03:23 · Score: 1
  
  The first generation iPhone and the iPhone 3G have virtually the same hardware. Apple did not drop support for hardware reasons.
45. Re:Anything that gets phone makers to update... by tlhIngan · 2010-11-05 03:36 · Score: 1
  
  One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.
  The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.
  It's phone makers AND carriers. The only real reason carriers are loving Android is it's the Anti-iPhone. Think about it - the iPhone denies carriers to ability to customize the experience, load up custom helpful apps, and all that stuff. Apple's basically dictated the terms - Apple does the software, you guys sell service (and pay Apple a portion of the profits). The only reason carriers are doing this is because people want the iPhone and they'll line up in droves to get one. What they lose in the iPhone deals, they make up because there are just so freaking many iPhone users (see how the iPhone has been kind ot AT&T's revenue).
  Phone makers want customizations because it differentiates their product from the competition. Otherwise their phone looks like any other Android phone on the market, and people will just pick whichever one the carrier is offering free. They don't want people to buy an "Android phone", they want people to buy an "HTC phone" or a "Samsung phone" or a "Motorola phone" which hey, happens to run Android. Same situation with Windows Mobile - people collectively just called them WinMo phones that weren't terribly different from everyone else's.
  Ditto carriers - they feel their customizations and carrier requirements makes them "special". And they'll demand that certain apps be preinstalled as well to encourage this. Plus each carrier has idiosyncracies of their own that require enabling and disabling certain features (echo cancellation, for example).
  It's no big surprise that there can be easily 20-30+ different builds of Android for one model of phone. Couple this is hardware that stopped being sold 2 models ago, and manufacturers really don't want to spend the money to update software on something they consider obsolete.
  Other than the Nexus One - what other piece of hardware is directly supported by Google and you can get carrier-free, lock-free, and software updates direct from Google?
46. Re:Anything that gets phone makers to update... by tehcyder · 2010-11-05 03:36 · Score: 1
  
  My TMobile Pulse is stuck on android 1.5 unless you want to download a Hungarian upgrade, the thought of which does not fill me with confidence. Is there some easy auto-update feature that needs to be switched on?
  (I have zero technical interest in mobile phones in case anyone starts laughing).
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
47. Re:Anything that gets phone makers to update... by whodunnit · 2010-11-05 03:47 · Score: 1
  
  Yes like my ipod touch, that for one update i had to PAY to get the upgrade, and now is completely un supported. Yep... apple rules. Oh no, wait.. the suck. And that's why I bough an android phone.
  And you don't have to root your phone to get an update, but you CAN.
  Damn fanboys.
48. Re:Anything that gets phone makers to update... by GooberToo · 2010-11-05 03:56 · Score: 1
  
  Several HTC, Samsung, and Moto devices have all been highly regarded. Especially the latest Samsung S series units. Moto and HTC also make some of the lowest of the lower end devices too.
  Seriously, go check out some of the android sites like www.androidguys.com and you will find lots of good information on good Android devices.
  Generally the biggest complaint about Android devices originate from the the Apple camp and it almost always boils down to - its not an iPhone and/or it doesn't run the OS I'm used to seeing. Which basically means different is bad. So long as you're not as closed minded as all that, you'll find lots of Android options which easily meet or exceed Apple solutions.
  Hell, even the HTC Incredible was fairly well received and widely considered on par with Apple's offerings. And by today's standards, the Incredible is considered a previous generation or two now.
49. Re:Anything that gets phone makers to update... by tehcyder · 2010-11-05 04:33 · Score: 1
  
  Good point, my wife looked at me pityingly the other day when I started babbling about androids, rooting and custom roms. She has a blackberry.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
50. Re:Anything that gets phone makers to update... by tehcyder · 2010-11-05 04:37 · Score: 1
  
  I wouldn't stand for having a computer that restricted the software I'm allowed to run on it, and I don't see any reason to change that philosophy for using a "smartphone."
  Having come late to the smartphone joy ride, I've concluded that it's a fucking waste of time, and in future I'll stick to using computers for the internet and everything else, and leave the phone for calls and texts only.
  I really can't be bothered with having to update the operating system for what is still basically just a phone.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
51. Re:Anything that gets phone makers to update... by ronocdh · 2010-11-05 04:51 · Score: 1
  
  I really can't be bothered with having to update the operating system for what is still basically just a phone.
  You know, a lot of people would say that same thing about their computers. And if you're thinking of devices like the Nexus One as "basically just a phone," you haven't spent time with one. Even calling it "basically just a computer" is selling it short; this thing has a faster processor, more RAM, and more storage space than my desktop computer from ten years ago. And it fits in my pocket.
  If you want to be all "Get off my lawn" about smartphones, be my guest. But the influx of mobile computing is happening with or without your personal consent, and I think there's a lot of good to come of it, if we do it right.
52. Re:Anything that gets phone makers to update... by jeffmeden · 2010-11-05 05:20 · Score: 1
  
  Owning a Fascinate (verizon galaxy s phone) I can say that while advanced, and smart, it is not really any measure better than the iPhone. Lacking a front facing camera, any sort of LED message notification, and sporting a screen technology that is both lower in resolution and far harder on battery life make it impossible to ever classify it as "well beyond what apple currently provides". The incredible's lack of significant screen resolution (even after the switch to LCD to improve reliability and battery life) and no front facing camera make it also pale when compared to the iPhone 4. Motorola, god bless them, doesn't even compete in the same space. Their android offerings are either keyboard/slider, or jumbo-slate, neither being a good alternative if you are really set on the now standard slate form factor of the iPhone (which I am).
  Don't get me wrong, I love to see iPhone competition get better, but after a lot of research I can't in good conscience call ANY of them a marked improvement on Apple's offerings.
53. Re:Anything that gets phone makers to update... by GooberToo · 2010-11-05 05:42 · Score: 1
  
  The S family is actually fairly large. I can't speak to your particulars but I can absolutely assure you, there are many phones which are on par or simply out class the iPhone.
  Much of your complaints are also of the personal opinion variety rather than technical merit. That goes back to my open mindedness comment before.
54. Re:Anything that gets phone makers to update... by jeffmeden · 2010-11-05 05:53 · Score: 1
  
  As a cellphone is something one must live with day in and day out, personal opinion on size/shape/feel are HUGE factors, and dismissing these with a wave of your hand is incredibly ignorant. Feel free to include details on your merit-based argument if you *really* think it's that compelling.
55. Re:Anything that gets phone makers to update... by GooberToo · 2010-11-05 06:04 · Score: 1
  
  You're trolling.
  Your personal opinion is not my personal opinion. The opinions of the iPhone crowd rarely match that of the Android crowd which rarely match that of the "other" crowd. So your saying it doesn't match your personal opinion holds zero sway. The legitimate point remains, with absolutely no hand waving, excluding your own. There are many Android devices which are superior to that of the iPhone. Period.
  Which means, strictly based on your own personal opinion, its up to you if you can find one you like with the features, in combination which speak to you. Contrary to your hand waving, no one is pushing an Android solution on you. And no one is saying your personal opinion is invalid for yourself. No one is telling you what to think. Period. I'm simply saying your opinion is only good as far as - you. Period. Just the same, you opinion doesn't change the facts. Period.
56. Re:Anything that gets phone makers to update... by rainmouse · 2010-11-05 06:12 · Score: 1
  
  Try settings / about phone / system software updates and make sure the tick box is checked. There should also be an option to 'check now' (Not sure how different this method may be on other android phones but I'm hoping its just the same).
  The problem is that the carriers sometimes lock out the updates until they can mess about with their own branding on it which can take months. One option is to remove the branding from your phone allowing you to update it yourself though this can be a somewhat technical process.
57. Re:Anything that gets phone makers to update... by Spykk · 2010-11-05 06:16 · Score: 1
  
  Who is a trusted source? Apple? Motorolla? I'll trust the source code that I am free to read myself long before I'll trust anything a phone manufacturer forced on me.
58. Re:Anything that gets phone makers to update... by peppepz · 2010-11-05 06:39 · Score: 1
  
  My HTC phone was supported for 0 months, is the most buggy phone I've ever owned, and in its life it has received 0 (zero) updates - not to upgrade it from Android 1.6 which was already obsolete one month after the phone was released (September 2009), but not even a minor update just to fix the dozens of bugs it has.
  In comparison, my $60 dumbphone from another manufacturer has seen 3 firmware updates so far.
59. Re:Anything that gets phone makers to update... by jeffmeden · 2010-11-05 06:51 · Score: 1
  
  You're such an anti-apple fanatic that you can't see the forest for the trees, and think that anything outside your notion of "fair" is a troll. I asked you twice to name these specific "technical, non-subjective features" that you insist certain phones posses that make them superior to the iPhone. Please do so, unless you want to be the one trolling.
60. Re:Anything that gets phone makers to update... by Zero__Kelvin · 2010-11-05 08:24 · Score: 1
  
  I am overlooking no such thing. His SlashID is lower than mine, and he was therefore born well before Smart Phones themselves of any sort existed.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
61. Re:Anything that gets phone makers to update... by cheater512 · 2010-11-05 10:52 · Score: 1
  
  I doubt Webkit would do any better than MicroB on the N900. Remember that its processor it half the speed of most newer phones.
  And no Gecko is not inherently slow and bloaty. Put any experience you have with desktop Firefox away because it doesnt quite apply to Fennec or MicroB.
62. Re:Anything that gets phone makers to update... by Pollardito · 2010-11-06 07:16 · Score: 1
  
  I think you'd still be fine without rooting as long as you installed mobile firefox from the Android store? This is a webkit attack that targets the default browser.
63. Re:Anything that gets phone makers to update... by LandGator · 2010-11-06 11:22 · Score: 1
  
  Perhaps he rooted /. in order to acquire a lower SlashID.
  
  --
  There is nothing wrong with yr Internet. Do not attempt to adjust the picture. We are controlling the transmission - NSA
64. Re:Anything that gets phone makers to update... by Zero__Kelvin · 2010-11-06 12:23 · Score: 1
  
  "Perhaps he rooted /. in order to acquire a lower SlashID."
  Try to be serious. Do you really think I hadn't considered that? A sentient being capable of doing such a thing would hardly waste their time with Slashdot. Sheesh ... do you people even stop to think just a little bit before posting these kind of ridiculous and sad attempts to seem smarter than I am?
  
  Sincerely,
  
  - SAM (Sentient Android Master)
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
And the rest? by AlanCramer · 2010-11-04 14:44 · Score: 1

What about the rest on versions lower than 2.2?
1. Re:And the rest? by tjhart85 · 2010-11-05 04:57 · Score: 1
  
  What about the rest on versions lower than 2.2?
  Google provided the code with the fix in it, it's up to the manufacturers to give it to the people that bought the phone.
Apple = "Jailbreak", Android = "Risk"? by TaoPhoenix · 2010-11-04 14:45 · Score: 2

Isn't this roughly similar to the effects obtained by the earlier exploits on iOS? However, there many users first feeling was some relief from the monolithic Apple gate system, but here on Android the spin feels more like traditional tech news.

--
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
1. Re:Apple = "Jailbreak", Android = "Risk"? by mcvos · 2010-11-04 19:19 · Score: 1
  
  There was that one time when a major vulnerability was presented (even here!) as a very convenient way to jailbreak your iPhone. Just visit this website!
2. Re:Apple = "Jailbreak", Android = "Risk"? by TaoPhoenix · 2010-11-04 23:49 · Score: 1
  
  Yes, that especially was the one I was thinking of.
  
  --
  My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Re:That so called Researcher should be arrested by js3 · 2010-11-04 14:56 · Score: 1

irony

--
did you forget to take your meds?
Re:That so called Researcher should be arrested by MichaelKristopeit161 · 2010-11-04 15:14 · Score: 1

testing security infrastructure for consenting users
Re:That so called Researcher should be arrested by tepples · 2010-11-04 15:16 · Score: 1

How can he be permitted to release something, which when used as intended, does harm to others?
For the same reason that tobacco manufacturers are permitted the same thing.
Risk outweighs benefit by tepples · 2010-11-04 15:17 · Score: 2, Insightful

Isn't this roughly similar to the effects obtained by the earlier exploits on iOS?
Technically it is. But unless you bought your Android phone from AT&T, you have the option to put in your own command prompt through "Unknown sources". So any jailbreaks for Android are considered less necessary, and the risk outweighs the benefit.
1. Re:Risk outweighs benefit by the_humeister · 2010-11-04 16:49 · Score: 2, Interesting
  
  Even if you do have an AT&T Android phone, which I do, it is still possible to use apk (a tool found in the Android SDK) to transfer programs to the phone. It's pretty simple to use too. Of course, to get rid of the crapware AT&T installs, rooting is still required.
Re:That so called Researcher should be arrested by sitharus · 2010-11-04 15:18 · Score: 4, Insightful

Because we've seen from history that most companies won't patch an exploit unless it's screaming at them, and that most exploits are picked up by people who wish actual harm on you before security researchers find them.
Hopefully this will force some device manufacturers to release 2.2 updates for their devices, and with any luck it'll teach them to stick with stock android rather than loading crapware.

--
--sitharus
Welcome to the community by gmuslera · 2010-11-04 15:24 · Score: 1

Thomas A. Anderson is specialized in killing Agents, John Connor in killing Terminators, and now M.J. Keith kill Androids... that comes just in time when Hollywood was running out of ideas for a new movie.
1. Re:Welcome to the community by jokermatt999 · 2010-11-05 01:57 · Score: 1
  
  They already had a guy for that; he was played by Harrison Ford.
Re:That so called Researcher should be arrested by jhigh · 2010-11-04 15:25 · Score: 3, Interesting

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.
How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"
Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?
He is publishing code that can be used to exploit a vulnerability. This could be used for malicious purposes, or it could be used for security demonstrations, as an example to be taught to infosec students or any of a ton of other academic and/or security-related purposes. He is not actually using the code to do anything malicious. Please tell me exactly what statute he is in violation of? Are you saying that no one should ever publish code for exploits?

--
Social Engineering Expert: Because there is no patch for stupidity.
Re:That so called Researcher should be arrested by cosm · 2010-11-04 15:26 · Score: 1

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.
How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"
Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?
Either your just whooshing, or you just got whooshed by the submitter and the rest of this community.

--
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
Misleading Headline by Farmer+Tim · 2010-11-04 15:34 · Score: 1

I read the headline and immediately thought a mad scientist was about to unleash an army of things resembling a cross between Spiderman and the Terminator, and we should all cower in terror in our makeshift basement bunkers awaiting our inevitable destruction.
But TFA revealed it's just a smartphone hack.
All we need is a brand of toilet paper called "Flying Car" and my disappointment with the 21st century will be complete.

--
Blank until /. makes another boneheaded UI decision.
Ratings by tpstigers · 2010-11-04 15:34 · Score: 1

Headline = 1,000,000 points. Copy = I don't know - about a dozen points. Maybe.
Re:That so called Researcher should be arrested by santax · 2010-11-04 15:44 · Score: 1

I can understand your point of view. But look at mine pov. It's better to have a dude with an agenda including things as: job improvement, proof of concept releasing this then it it that Group X with selfenrichment AND costing damage to you releases it. It's gonna be released anyway. That's for sure.
Re:That so called Researcher should be arrested by phantomfive · 2010-11-04 15:56 · Score: 2, Informative

This is a known exploit, Google has patched it. It isn't like this is some secret thing that no one would have known about if he didn't release it; anyone who actually cares (and has the technical ability) already has the exploit. So he is not harming you really.

Typically it is considered bad form for security researchers to release exploits before informing the manufacturer. Once the manufacturer has long enough to fix it, if then it is ok to release it. Experience has shown that sometimes this is the only way to pressure manufacturers into patching it.

Another use for the code is so you can learn. I appreciate it when researchers release the code; a lot of hackers try to keep their techniques secret, and we are all worse off for it.

--
Qxe4
Re:That so called Researcher should be arrested by Anonymous Coward · 2010-11-04 16:28 · Score: 1

As the owner of a Samsung Galaxy S phone, the manufacturer Samsung has released its 2.2 version for a while. Unfortunately, since I'm under the TMobile carrier, I'm still stuck with 2.1. They said it'll be updated by the end of the year, and every time TMo makes a prediction, it usually takes another 3 months - so March 2011 for me. Why the delay? Probably to keep its bloatware and layout working.
I'll be luck if I don't lose my data by then.
Re:That so called Researcher should be arrested by phantomfive · 2010-11-04 16:31 · Score: 1

You won't lose your data. The exploit doesn't allow full access to the phone. Still, you ought to have a backup of all that data anyway, in case your phone gets run over by a truck.

--
Qxe4
Class Action Lawsuit? by JSBiff · 2010-11-04 16:39 · Score: 3, Insightful

I wonder if there is any law which covers this sort of situation. The original G1 was only released like 3 years ago - not really very old, but T-Mobile has completely abandoned owners/users of the G1 and is not providing any additional updates.
Honestly, I blame Google. From day 1, it should have been mandatory that OS updates would come from Google, forever. Carriers don't give a crap about keeping users in updated code once the phone is sold. To them, it's just a device which comes in a box, gets sold, and if it becomes 'obsolete' within 2 years, well that's just another box they can sell you in 2 years.
It's absolutely inexcusable that a programmable, Internet enabled device of the complexity of a G1 should not have guaranteed security updates for the included software, for a minimum of 10 years.
1. Re:Class Action Lawsuit? by getto+man+d · 2010-11-04 16:58 · Score: 2, Interesting
  
  Google and the hardware manufacturers are both to blame; Google (for the reasons you stated) and the manufacturers for adding in their 'own' elements departing steadily from vanilla android.
  
  I've seen many comments on /. how Android is amazing, especially since it is fragmented (linux and windows arguments) but this is the worst possible case for the mobile platform, IMHO. Unless of course you don't mind upgrading your phone every 'x' amount of years. Some of us don't have the spare $$ and truly want a device that is current without modding.
2. Re:Class Action Lawsuit? by Psiren · 2010-11-04 22:53 · Score: 1
  
  10 years support for a phone is never going to happen, and it shouldn't. A ten year old device like that would be hopelessly outdated. Even something 2 years old looks pretty pathetic nowadays. They should however be forced to provide updates for the duration of your contract. I know mobile contracts over in the US are pretty fucked up, but here in the UK my current phone is on a two year contract. I just got the update to 2.2 yesterday, but I've still got another 20+ months of contract to run. That's certainly going to cover 2.3, and probably the next version too. I really would like to know that I can have those updates when they're made available.
3. Re:Class Action Lawsuit? by Woek · 2010-11-04 23:08 · Score: 2, Interesting
  
  One of the selling points of the Google Nexus One phone was direct support from Google, and therefore the quickest updates. The phone is quite a bit more expensive than the HTC desire/incredible, which is practically the same phone.
4. Re:Class Action Lawsuit? by JSBiff · 2010-11-05 00:21 · Score: 1
  
  I accept that the G1 can't do all the things that phones with faster CPUs, more RAM, and more flash memory can. I'm not talking about updates to the latest-greatest version of Android. I mean simply fixes for things like this exploit - Google might say that upgrading the entire OS might fix the problem, but they should also be prepared to offer *small* OTA fixes for older versions of Android to address problems just like this, and the carriers need to get those fixes out to the handset owners. Fix the kernel, if it needs it, or .so libraries, or dalvik class files which have specific problems.
  I just want my phone to be able to keep working at the level it was originally sold at, but an exploit like the one discussed in this article could potentially brick my phone (or, if my phone becomes 'owned' and I can't clean it, I'll be forced to stop using it even if it technically still works, so it would *effectively* be bricked, from my standpoint).
5. Re:Class Action Lawsuit? by TimTucker · 2010-11-05 00:42 · Score: 2, Interesting
  
  This was also a selling point of the ADP1 (basically the developer version of the G1). Some of us did shell out early for an unsubsidized Android phone with the expectation that it would be directly supported by Google.
6. Re:Class Action Lawsuit? by akadruid · 2010-11-05 07:52 · Score: 1
  
  I don't know why you've selected the G1 - it was one of the better supported phones. It got all the upgrades for the first year, from 1.0 to 1.6.
  Pick something like LG GW620/Eve/InTouch Max/KH5200. Released in 2010, in dozens of countries, running android 1.5, it was never updated and was fully abandoned by manufacturer and carriers in under 6 months. There are hundreds of thousands of them out there on 18 or 24 month contracts which won't expire until 2012.
  It is fully capable of running android 2.2, and fortunately for some, there is an open source project which provides that. But most of the people who bought it will be spending another year or so with a needlessly obsolete and insecure phone.
  
  --
  "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
Re:That so called Researcher should be arrested by BrokenHalo · 2010-11-04 17:50 · Score: 1

...in case your phone gets run over by a truck.

That isn't as silly as it sounds. I drove my tractor (twice - forwards and backwards) over my Motorola Razr2 V9 a few months ago. Funny thing is, although the phone looked a bit of a mess, it was still working after that. I guess that qualifies as an endorsement. :-}
Re:That so called Researcher should be arrested by RMH101 · 2010-11-04 20:31 · Score: 1

I was tempted on several occasions to drive over my old RAZR, or throw it out of the window. I always thought that Moto's hardware designers might have put some extra effort into the robustness of the handset given they knew what software was going to end up on there...!
Re:That so called Researcher should be arrested by BrokenHalo · 2010-11-04 20:57 · Score: 1

Agreed about their software. But I don't use the device for much more than making calls and sending text messages, for which it's adequate. That handset is really beginning to flake out now, so I'll have to take a look at the competition. Yes, I am still using it - in a way, it's kind of cool to have a phone that has been so extensively abused. ;-}
Re:That so called Researcher should be arrested by TaoPhoenix · 2010-11-04 23:52 · Score: 1

50% tangent, MS Security Essentials is flagging Firesheep on me, even though it's more of a security risk to *other* people. They're banking on the lowest X % being so scared to get away from the "Nice Safe Green" effect.

--
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Re:That so called Researcher should be arrested by tehcyder · 2010-11-05 04:53 · Score: 1

No code release is necessary, just research what API call is broken and how. The purpose of such information is to fix the bug and allow for users to mitigate the attack vector, if possible. Without this information, only black hats can steal your information without you even being aware it was possible.
Yes, but the problem (as with Firesheep) is that what was once something requiring technical knowledge becomes easily available to script kiddies.
It's like why you don't generally sell alcohol or guns to children.

--
To have a right to do a thing is not at all the same as to be right in doing it
My AT&T/Captivate Experience by xipxero · 2010-11-05 05:15 · Score: 1

I've been with AT&T for a long time, bought the Galaxy S (Captivate) relatively not too long ago. Was perfect when I bought it, did everything I wanted it to do, especially tethering, one of the big reasons I bought it.

A couple weeks down the line, 2.1-update1 rolls out, disables my tethering abilities. I called AT&T, Samsung, talked with an in-store rep, and called AT&T again. Samsung says it's not their problem, AT&T pushed the update. The In-store rep and the person I talked to on the AT&T phonecall both agreed that I needed to use third-party software to continue tethering. They were pretty much ENCOURAGING ME TO ROOT MY PHONE. The solution I found was to use a third-party tethering app which I had to remove the AT&T sim card in order for it to show in the marketplace, install, then reinsert the sim card.

Still waiting for that 2.2 update that I was promised when I bought the phone.
Starting to look more and more like I should just return the phone, drop AT&T, and move to another Galaxy S carrier.
This is a good thing by RichiH · 2010-11-05 07:38 · Score: 1

Yes, there will be a lot of trouble once people lose all their contacts & emails, buy a random Market app for 1000 and similar.
But this will _force_ makers, vendors, network operators and everyone else to introduce sane update policies. These machines are a small PC. They need the same software update capabilities.
V Cast is Back for Android Users - next week by 4phun · 2010-11-05 17:52 · Score: 1

It's phone makers AND carriers. The only real reason carriers are loving Android is it's the Anti-iPhone. Think about it - the iPhone denies carriers to ability to customize the experience, load up custom helpful apps, and all that stuff. Apple's basically dictated the terms - Apple does the software, you guys sell service (and pay Apple a portion of the profits). The only reason carriers are doing this is because people want the iPhone and they'll line up in droves to get one. What they lose in the iPhone deals, they make up because there are just so freaking many iPhone users (see how the iPhone has been kind ot AT&T's revenue).
I just saw in the news that Verizon's Android customers are getting an update that will be pushed on them over the Verizon network starting next week. It will add V-Cast and the V Cast store so you can add Verizon approved apps to your Android. This is the same crap I had years ago from Verizon on my LG phone.
So Verizon may not have fixed the browser problem but the Android user has a pretty red Verizon V-Cast interface to work with.