Slashdot Mirror
Android Holes Allow Secret Installation of Apps
CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"
As mentioned before on /., Maybe Google should consider moving to a repository system. By default, Android devices should have a repository where apps are vetted, Apple App Store style. Of course, have the ability for a user to easily turn on the second repository (which would be the current Google App Store) for items not found on the "blessed"/default repo.
This has worked for OSS projects for over a decade. It should work quite well for Android.
Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone? Isn't this very similar to a problem my iPhone had just a few months ago? Yeah, it's a different method of infection and the levels of access aren't the same (I believe the iPhone could be totally rooted by this) but the fact remains that these devices aren't 100% secure.
Is this type of thing news? Only in the sense that it serves as a reminder to those who will listen that you have to be careful about what you do with your phone/computer/etc.
True, but while CM has been a great solution for a while the focus of that distro has moved on to newer phone models. While CM 6.0 runs on the G1 it is VERY slow, and doesn't support apps/data on SD ext3, and official Froyo apps on SD doesn't work well for many apps.
6.1 seems to be a lot better, but I think it is only a matter of time before the G1 stops getting much attention, which then leaves a lot of more experimental mods floating around. CM was nice because it focused more on usability/stability and was less of a POC build.
It is like the 1990s all over again - developers tend to be enthusiasts who buy the latest and greatest, so they always build stuff that doesn't run well on older PCs. We've gotten away from this in the last 10 years since modern PCs (except in the area of graphics) have not really been improving much as they are no longer CPU-bound, and most developers don't own SSDs yet.
Phones, however, are on a very Moore's-law like curve which means that when you donate to your favorite phone modder you're giving him a change to get a newer fancier phone and stop supporting yours. :) Granted, that doesn't mean that the solution isn't to reward them for what they've done for us.