Android Holes Allow Secret Installation of Apps

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

Makes popcorn

And sits down to watch the fanboy battle begin. Go go go

Re:Makes popcorn

[MobileTatsu-NJG]

I dare the posters on this site to go this entire thread without mentioning Apple.

Re:Makes popcorn

Oh damn! Already foiled.

Re:Makes popcorn

[fluffy99]

Not an issue with iOS. It is 100% secure from this type of hacks. People who value their security go with the mature platforms and apps that have been checked over by professionals to make sure they are not Trojans.

A little tongue in cheek eh? Yes Apple has certainly had a few questionable and/or vulnerable apps make their way into the store.

Re:Makes popcorn

[WrongSizeGlass]

Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone? Isn't this very similar to a problem my iPhone had just a few months ago? Yeah, it's a different method of infection and the levels of access aren't the same (I believe the iPhone could be totally rooted by this) but the fact remains that these devices aren't 100% secure.

Is this type of thing news? Only in the sense that it serves as a reminder to those who will listen that you have to be careful about what you do with your phone/computer/etc.

Re:Makes popcorn

[icebike]

Well the summary did fail to mention The browser hole has been closed in Android 2.2.

Hey, pass some of the popcorn over here, I't trade you for this here cold brewsky.

Re:Makes popcorn

[davester666]

Just think of how Hitler would make use of this security hole!

Re:Makes popcorn

[MrHanky]

Why shouldn't this be news, when new Windows and iPhone exploits are news? The question is whether these holes will be fixed for all Android phones, and not only in the upcoming Android 2.3.

Re:Makes popcorn

[TheRaven64]

Isn't this very similar to a problem my iPhone had just a few months ago?

Nope, it's entirely different. This is a security hole, while the iPhone had a jailbreak opportunity.

Re:Makes popcorn

[RDW]

'Well the summary did fail to mention The browser hole has been closed in Android 2.2.'

Which is great news for everyone stuck on earlier versions without an upgrade path...

Time to open a six pack!

Re:Makes popcorn

[msauve]

"Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone?"

That's not what the summary said - it said there's one "security hole" (the user explicitly giving a browser rights to install apps) which can only be exploited "if they have found another browser hole." (my emphasis)

The Linux "login" command has the same sort of hole, because if you can only find that other hole which allows you to get root, you can do anything. One can fix that by making it so root doesn't have the privileges to do anything. :-)

Re:Makes popcorn

[BrokenHalo]

Getting back to the topic... what I didn't get from the article is whether or not this exploit works if you use another browser (e.g. firefox) rather than the integrated one.

Re:Makes popcorn

[a_nonamiss]

I'm not sure if you're being sarcastic or not, but jailbreak opportunity is by definition a security hole. With the iPhone/iPad vulnerability, you could literally go to a webpage and your device was jailbroken. You didn't have to approve or install anything. It was convenient, but that jailbreak code could just as easily have been a toll caller, person tracker, cookie stealer, etc.

Re:Makes popcorn

[TheRaven64]

I'm not sure if you're being sarcastic or not

And so, as a result, you are the proud winner and get to take home today's 'Whooooooooosh'. Congratulations!

Re:Makes popcorn

[node_chomsky]

Yeah, except that series of holes that could be exploited by opening a webpage with a PDF that gave ANYONE ROOT ACCESS.

Tard. Or troll. Hard to tell the difference, maybe there is none.

The pdf root problem was an issue with adobe's viewer, not pdf's in general. A PDF is just a file format, it doesn't have special root powers. The iPhone doesn't run acrobat, it has it's own in-house pdf reader.

Re:Makes popcorn

[a_nonamiss]

Bah... it was early...

Re:Makes popcorn

[DinDaddy]

?

OS X supported powerPC macs until 10.6

Re:Makes popcorn

[Meski]

I don't get this. Software gets fixed by releasing new versions. Like 2.3. Which will likely be pushed automatically. Unless you bought one that has been infected by all the cruft that carriers put on them, in which case you're stuck with the Windows Mobile model of updating - buy a new phone with the latest OS on it.

Re:Makes popcorn

[DrSkwid]

It is hard to "be careful" when what that means is "use sparingly".

How on earth is one supposed to know "Angry Birds Bonus Levels" is more than what it says.

If it was me I'd write my malware as a stalking horse and then slip the pwnage in as an update in a few months.

Re:Makes popcorn

[MrHanky]

Unfortunately, you are wrong. There's only one phone that more or less automatically gets the latest version of the Android OS -- the Google Nexus One. It's got nothing to do with the carriers, just that different phones have different hardware, and the various hardware makers also like to customise the UI to differentiate themselves from other Android phone makers, and provide so-called "value" for their customers (the advertisers, not the end users). You can't just push stock Android on to any Android phone: it won't work. It depends entirely on HTC, Motorola, Sony Ericsson or whatever[1] to come up with an update. Sony Ericsson, for example, just updated their Android line to version 2.1, months after 2.2 was released. And that's their unbranded phones -- the branded ones were held back a little longer (actually as little as one week, in some cases).

Some system apps will be automatically updated, though. I've seen new versions of the Market app being pushed to Android 1.6 as late as a couple of months ago.

--
[1] Some phones also get community-developed Android versions.

Re:Makes popcorn

[p0larity]

Yeah, I don't use my Android phones for more than a week before installing some kind of custom ROM on them. Most users will never even think of doing updates though. The carriers may push an update if this bug gets enough press though. That still means people won't update, but the ones who care can be safe. Or the users who have friends who care.

Android is open...

[Schuthrax]

So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

Re:Android is open...

[amRadioHed]

Actually this sounds like it is an HTC Sense issue, not an Android issue. Android doesn't come with a browser that uses Flash Lite. And since HTC Sense is not open, people can not make their own fixes.

Re:Android is open...

[wampus]

Um, I'm pretty sure the stock browser in Froyo has the ability to run plugins, and Flash is in the Market. Sounds like Adobe did an awesome job of recreating their desktop experience on my phone. Well, HTC on Adobe's behalf. Course, the entire point of securing the rest of the userland is kind of lost when you can just gain root through a fork bomb with no permissions needed...

Re:Android is open...

[a_nonamiss]

I'm pretty sure that's why GP was modded funny and not informative. {/sarcasm}

Re:Android is open...

[AmberBlackCat]

So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

I would have modded you insightful. You're just as screwed with open source as you are with closed source.

Re:Android is open...

[TrancePhreak]

The hole was closed in Froyo. Froyo uses regular Flash, the vulnerability is in Flash Lite. You can update Flash without an OS upgrade.

Re:Android is open...

[amRadioHed]

Yeah, the stock browser has a Flash plugin which is updated via the market as all other apps are. This is talking about the HTC Sense browser using a Flash Lite plugin which apparently auto-updates via its own mechanism separate from the market.

Adobe @#^@#$ us over again

A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

Re:Adobe @#^@#$ us over again

[Lanteran]

A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

It beats having an unpatched and vulnerable adobe flash....

Re:Adobe @#^@#$ us over again

[ChunderDownunder]

It's an incentive just to uninstall flash altogether. Mobile battery life and 3G download quota being the main beneficiaries.

They're up to version 10.1 now - Adobe have had over a decade to implement secure sandboxing. If they were serious they'd offer a blank cheque to, say, Theo from OpenBSD and fix Flash and Acrobat Reader properly once and for all.

Re:Adobe @#^@#$ us over again

[Urkki]

A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

No, more like a retarded way of allowing flash player to update. If that's specifically for flash, then it should require signed packages, or possibly a fixed URL where it downloads Android updates from, or both (to avoid DNS spoofing etc).

Either that, or mentioning Flash was just sensationalism, and it's just one use case.

Re:Adobe @#^@#$ us over again

I'm not sure that throwing a systems guru at what is effectively application software would be a prudent use of company funds. First off, going by the available feature set for Flash "developers," the code base for the Flash runtime would make Java and its standard libraries look concise. Hell, it implements two discrete native scripting environments; I'm not even getting anywhere near rendering logic.

Now you might say that in a sane world, "systems" logic (such as device access) would be entirely separate from "application" logic (rendering) — but this is Adobe, and more specifically, Flash. They didn't write the code, they acquired it (it was, until recently, Macromedia Flash, remember?). I'd wager further development happened through accretion, not top-down design, and all of this on top of a 10+ year-old code base likely running into the millions of lines in an unknown programming environment.

Add in the fact that there's likely a very strong legacy support issue in that Flash output from earlier versions is playable in later players. Again, one would hope that the bytecode parser is separate from systems logic, but there's a decent chance that somewhere along the line there has been some mingling for a compatibility issue.

None of this is to disagree with you on the crux of the issue, of course. Adobe's programmers, until recently, maintained one of the largest bodies of consumer-facing Fortran code (Photoshop!). Somehow, in a year, they replaced it all with C and managed to keep execution times similar — which doesn't sound like much, until you remember that Fortran's strength is numeric computation and these algorithms are very well known and formally studied. So yeah, probably not a manpower or skill issue, but a business issue — the average user doesn't care about security and Adobe knows this.

Re:Adobe @#^@#$ us over again

[AmberBlackCat]

So why don't the browser and plugins have separate updaters? I can update Firefox and the flash plugin separately on Windows and Linux.

Re:Adobe @#^@#$ us over again

[Lanteran]

I personally have flash uninstalled on systems where its practical, blocked with individual object unblocking where its not.

Yes, and people really should read the source

[Brannon]

before they install their apps.

Re:Yes, and people really should read the source

[maxwell+demon]

That's not enough. They also have to self-compile them (because how else would you be sure that the app really is compiled from the source they've seen?) with a trusted compiler (or else the compiler may insert a vulnerability). Of course after having read the source of the compiler itself, and having hand-compiled it (because otherwise you'd have to rely on an unchecked compiler to compile your compiler).

Oh, and don't forget to study the circuit design of your phone's processor!

Time to move to a repository system?

[mlts]

As mentioned before on /., Maybe Google should consider moving to a repository system. By default, Android devices should have a repository where apps are vetted, Apple App Store style. Of course, have the ability for a user to easily turn on the second repository (which would be the current Google App Store) for items not found on the "blessed"/default repo.

This has worked for OSS projects for over a decade. It should work quite well for Android.

Re:Time to move to a repository system?

[Rich0]

Uh, that's exactly how it works right now - only market apps can get onto the phone, unless the user enables the installation of non-market apps. The problem here is that Google left a back-door open. No amount of security design will help if the vendor leaves a back-door open. The iPhone in theory doesn't run anything not signed by Apple, but since lots of users are walking around with jailbroken iPhones they didn't get it right either.

Google just needs to stop leaving back-doors open in their OS. Apps should be installed via the standard interface, and the existing market auto-update feature should be used for deploying updates.

Note also that having multiple repository tiers probably won't help much. The less-vetted tier will undoubtedly have more software in it, so 99.999% of all phones will have it enabled. Thus, virtually all phones will still be vulnerable to malicious apps.

The solution is just to fix the leaks in the sandbox, and not to deliberately engineer them in. As long as the user has to approve all app installs, and apps disclose their permissions, things like this should stay under control.

Oh, on the topic of permissions - Android really needs to let users toggle individual permissions at the time of application install. Right now your only choices are install or don't-install. It would be REALLY nice if I could toggle that "auto-load on start" permission for the 95% of the apps on the phone that I don't want running all the time no matter what the authors think. Right now the only thing I can do is edit the apk manifest, which is a BIG pain and blocks updates.

Re:Time to move to a repository system?

[mlts]

Exactly. Google has a decent app store. However, I'd like to see the default be a store that is vetted, perhaps even the same store, except just showing apps that have been checked over and approved (perhaps with an additional fee for the time to approve.) Then offer an option right next to the one to install from ADB to use un-approved apps.

This way, Joe Sixpack (whom we all know and love) will tend to stick in the walled areas where there is far less chance of him downloading malicious software.

Re:Time to move to a repository system?

[Rich0]

I still think a better solution is to make it impossible to write malicious software in the first place.

Apps should not generally open arbitrary network sockets. Apps should generally not be able to use gobs of bandwidth. Apps should generally not be able to call 911/etc.

Maybe an in-between solution is for Google to vet apps that request more sensitive permissions. So, if your app just displays on-screen, makes connections back to the distributor's website with modest bandwidth use, and maybe plays some music, then no pre-approval is required. If your phone accesses the phone book, the dialer, or sends arbitrary network traffic, then it requires pre-approval. That will of course make app authors think twice about whether those things are necessary.

Perhaps another step is to make it so that by default the app asks for the more sensitive permissions but the user has to confirm them individually and if they just hit the OK button the software gets installed with safer permissions. This would of course require software authors to design their apps so that they work fine with or without GPS location, or phonebook access, or the dialer, or without services, etc.

Re:Time to move to a repository system?

[mlts]

The problem with that is that there are ways around that. If I can have my app phone home, then I can install a proxy on the receiving end to allow connections anywhere on the Internet. If my app plays music, then I can do nasty things from random farts to other things. Microphone access? I now have a bug 24/7 which can either stream in real time, or save the compressed sound for transmitting every so often when the device isn't used.

Your idea of a failsafe permission set is good; I'd like to see an app carry four sets of permissions: A minimum set to run at all, a minimum set to run with decent functionality, a set to run with full functionality, and maximum permissions (since a Web browser would never need some permissions such as root access.)

The good thing is that Google can do the best of both worlds; they can have a closed environment with apps scrutinized for potential holes, but still offer apps (with the ability to pull the bad ones) with just a checkbox separating people from those.

Re:Time to move to a repository system?

[mlts]

There is also the fact that Google will yank the app off the market and in extreme cases, kill it from handsets, especially if it is malicious. For sophisticated users, Google's store works well.

Appbrain, as well as other tools such as Droidwall are the staple of a /. user. However, what we consider not an issue is totally different compared to the average people buying these phones and who will be dictating future sales. You are a clued person, or at least post as one.

However, the people buying the phones won't know AppBrain from a zombie's brain. They will think DroidWall is a rendition of a Pink Floyd album on a synthesizer. These are the people who will flip through the app store, install stuff blindly regardless of permissions asked, then when they get stung, will be screaming to the press how it is Google/$PHONE_MAKER/$CELLULAR_CARRIER's fault, and how those companies should have protected them. It is unfortunately common for people to blame anybody but themselves for their own actions.

Google has a good thing going. If they went to a completely closed store model, it would ruin Android as a platform. However, it can't hurt to go to a tiered system so for someone to get nailed by malware, they actually have to do an action (even if it is just checking a box) to leave the walled garden behind. This way, if they do get nailed, Google can point to the disclaimer and show that the end user was the responsible party who decided to install un-approved software.

Re:Time to move to a repository system?

Where in the article summary implicates Google as the responsible party? Read again.

VENDOR SPECIFIC IMPLEMENTATIONS have this security hole. HTC specifically added a permission to update internal plug-ins.

Re:Time to move to a repository system?

[chickenarise]

roflmao turrets much?

Re:Time to move to a repository system?

[Anne+Thwacks]

Perhaps you should go and live in Switzerland. There is no crime ins Switzerland because "Im der Schweitz, das crime is verboten!"

Re:Time to move to a repository system?

[cmdr_tofu]

This is really a great idea...

Re:Time to move to a repository system?

[Rich0]

Ah, then the fault is not with Google.

Granted, you should note that ALL Android distributions are vendor-specific. They do of course vary in how much the vendors mess with the core OS.

Re:Time to move to a repository system?

[Macka]

I still think a better solution is to make it impossible to write malicious software in the first place

If it was that easy it would have been done already.

Maybe an in-between solution is for Google to vet apps that request more sensitive permissions.

And how do you determine if an app is going to request sensitive permission without umm, vetting it in the first place? Chicken and egg situation there mate.

Perhaps another step is to make it so that by default the app asks for the more sensitive permissions but the user has to confirm them individually

So you have a situation where the app is constantly asking the user for confirmation before doing things, kind of like how MS Vista used to do. We all know how well that was received.

I guess that Apple obviously thought this through properly before they released their product. Maybe Google should eat some humble pie and just emulate what Apple have done.

Re:Time to move to a repository system?

[hey!]

Actually, why one size fits all? Why not multiple app stores? Choose the app store you trust an which meets your need.

Better yet, why not let anybody vett applications then sign the installer? You as a user would choose which certifiers to trust. Some certifiers might be *necessary*, others *sufficient*. This would be great for IT departments who issue Android phones. They could require all apps to be certified by them, or by a set of trusted analysis.

Re:Time to move to a repository system?

[Rich0]

And how do you determine if an app is going to request sensitive permission without umm, vetting it in the first place?

Simple - developer uploads app to market. If app's manifest only requires "safe" permissions then it goes right into the market. If it wants more, then a human looks at it. That is a compromise between the current Google and Apple approaches.

So you have a situation where the app is constantly asking the user for confirmation before doing things, kind of like how MS Vista used to do.

There wouldn't be anything constant about it - this would happen exactly once at the time of install, just like it does now. However, the GUI would change.

Right now the installer just shows you a list of permissions and gives you a choice of OK/Cancel.

My proposal would be a list of permissions, and each has a check-box next to it. "Safe" permissions would be checked by default, and unsafe ones would be unchecked. Anything not in the manifest wouldn't be displayed at all, since the app doesn't need those permissions anyway.

So, if a user just hits OK they get a sandboxed app.

The downside to this approach is that some apps wouldn't be very functional if the user just accepts the defaults. For example, if GPS location is considered unsafe then navigation programs wouldn't work if the user doesn't manually enable GPS location.

The alternative is to check all the boxes by default, similar to the current situation, but let users still uncheck boxes they don't want.

I do agree that no change will completely make it impossible to install malicious software - that is probably an impossible problem to solve. However, we can probably do a lot better than we are doing now.

Re:Time to move to a repository system?

[Rich0]

While I like letting apps advertise their minimum permissions, I'd still like to be able to override them.

I'm not concerned with apps that call back to the source website and then get to the internet via a proxy. That is a perfectly safe way to provide internet access - if the app does something nasty they're doing it on the attacker's IP and not mine. If the attacker wanted to send spam from phones this way, or whatever, then they'd just do it without the phone component.

That is why java sandboxes allow connections back to the originating server only. This makes java applets impossible to use as an intrusion/etc vector, as you can only hack into a server that you already control.

I do agree that complete elimination of malicious software will not be possible. However, there are ways to improve things.

Re:Time to move to a repository system?

[Fnkmaster]

There is exactly one hole described in Android in this story, that involves fake Market authentication tokens. That sounds like a real vulnerability that needs to be addressed.

The other issue is a hole that HTC opened up in the browser app to update Flash Light. If you run a proper Android phone with a proper version of the OS (2.2) and have Flash installed, it updates via Market like every other app. This is a stupid HTC kludge. You can't completely stop stupid people from shooting themselves in the foot with open source - HTC gets to recompile stuff their way, and in this case, their way was a dumb way. But yeah, Google should probably give them a talking-to about this.

The big stick Google has to enforce security, updating, rules-compliance, etc. is Market access. Nobody wants an Android phone that can't get Market access because apps are a big part of the appeal of having a smartphone and getting them easily is critical. Google clearly needs to fix the issue with fake Market auth tokens, and they need to start holding handset vendors accountable for securing their releases of Android, and for keeping phones supported and updated within reasonable timeframes, or else face losing access for future products to Market.

I hope Google learns to start enforcing some rule on the Android landscape. We don't want things as locked down as the Apple world, but complete chaos isn't good either.

Re:Time to move to a repository system?

[ducomputergeek]

My understanding is that when install an android app it gives a list of permissions of what it needs to access. Problem is, according to those I know who have the phone, barely anyone pays any attention and just clicks "okay". Also, most Android users are not geeks and wouldn't know the first steps towards compiling or installing an OS update on their phones. So when the phone manufactures stop supporting that model phone, they are SOL.

As far as app stores are concerned, if this continues to be a "problem" we'll just see the carriers go back to each having their own "store" with their own "rules", submissions process, and billing terms, and then Android suddenly becomes an even bigger PITA for smaller developers.

Re:Time to move to a repository system?

[Rich0]

Problem is, according to those I know who have the phone, barely anyone pays any attention and just clicks "okay".

Well, WHY don't they look at it?

Simple - your only choices are agree or don't agree. It is like an EULA - what is the point of reading it? The fact is that you wouldn't have bought/downloaded/etc the software if you didn't want to run it, so what is the point in reading a bunch of text that you can't do anything about.

Now, if you could CHANGE the permissions then people might actually care what those permissions are.

Re:Time to move to a repository system?

[easyTree]

Tourettes and schizophrenia?

What of old versions

[giorgist]

See now that Android is becoming a big target = installed base
Old phones are rarely updated.
New phones and evices are still coming out with 1.6
Old 1.6 phones are still alive

All vulnerabilities will persist.

So an auto logging in banking app is there for the taking

Re:What of old versions

[Rich0]

Well, it remains to be seen if they backport fixes to 1.6, but I agree completely that this is a potential weakness of the platform. Vendors are WAY too quick to abandon old phones. If it isn't still in stores, they don't care about it.

In fact, probably the best way for us poor G1 owners to get some official updates for our phones is to start releasing viruses designed to take down the cell network. THAT would get some updates out quick! :) (Disclaimer - I'm not advocating that anybody actually do this of course!)

Re:What of old versions

[stox]

More likely, it would get G1's banned from the network.

Re:What of old versions

[tophermeyer]

Fortunately for the individual user, the process of rooting a G1 and flashing a custom ROM is very straightforward and well documented (running Cyanogenmod 6.0 currently).

Though this opens up a lot of new concerns about platform incompatibility, not to mention that there is no guarantee that a given ROM is legitimate. It is by no means a solution for the community as a whole.

Re:What of old versions

[Hellasboy]

Have any fixes been backported and have any of those fixes been released from the manufacturer?

The Xperia X10 *just* received 2.1. There's a pretty common bug in 2.1 where it can't connect to Cisco routers with a self-signed security certificate on their enterprise hardware. You wouldn't believe the number of hospitals, research institutions, and hotels have this same setup. The problem is that you cannot connect to any of these wifi networks.

From what I've read online on google's forums is that the fix was in 2.2 but supposedly backported to 2.1 several months ago. Yet, the latest entry utilizing the 2.1 OS still doesn't work.

I can see why major developers are frustrated at Android. They have to deal with phones that range from 1.6 to 2.3 (by next week) and then deal with all the variations between all the major versions. If Google is serious about a mobile platform, they need to pressure the manufacturers into updating their dev cycle and get them *all* on 2.3. It's a shame that you have dumbphone manufacturers trying to pass off their terrible OS update cycle to smartphone customers.

Re:What of old versions

[arivanov]

Not necessarily. The old versions may stay and it may still be a viable platform provided that they updates are funnelled through the market same way package repositories in Linux work.

You want to run this app. Fine, but you will have to update to the latest patchlevel or update your OS to a newer version altogether.

Re:What of old versions

[93+Escort+Wagon]

See now that Android is becoming a big target = installed base
Old phones are rarely updated.
New phones and evices are still coming out with 1.6
Old 1.6 phones are still alive

That was the worst attempt at a haiku ever.

Re:What of old versions

[Rich0]

I tend to agree. I think the biggest problem is that these are $500 devices being bought by average people for whom $500 is quite a bit of money. Or maybe they're only $200 but only if you sign up for a new account/etc - which you can't do all the time.

And yet, the vendor treats them like a disposable free phone, and they only get updates for six months. Most consumers that buy a $500 device expect it to last years. Now, for devices that don't require updates to function that is one thing. However, smartphones are all about downloading software, and when lots of apps require a newer OS users start to feel that pain.

Plus, users are used to the PC world. If you bought a PC with XP on it in 2003, you could still run the newest software on it today. Sure, games and hardware-intensive apps would be slow or non-functional, but the vast majority of simple apps work on PCs that are ancient by today's standards. I bet a PC running WinME could run half the stuff I use day-to-day.

Granted, phone technology is new and progressing rapidly. However, phone vendors need to consider these devices investments and not abandon them immediately. This is actually one thing Apple does moderately well - their original iPhone was the only iPhone around for much longer than any Android device has stayed on the market, and they only abandoned it for software updates relatively recently. And, I imagine that almost all apps still work on it just fine.

Re:What of old versions

[Rich0]

Yeah, I'd like to see that happen. Keep in mind that for another six months there will still be tons of people who bought G1s under contract and they are stuck with them. Can you say class-action-lawsuit?

However, if they just release G1 owners from contract and provide access to non-contract deals then I'd be happy with this approach... :)

Re:What of old versions

[Rich0]

True, but while CM has been a great solution for a while the focus of that distro has moved on to newer phone models. While CM 6.0 runs on the G1 it is VERY slow, and doesn't support apps/data on SD ext3, and official Froyo apps on SD doesn't work well for many apps.

6.1 seems to be a lot better, but I think it is only a matter of time before the G1 stops getting much attention, which then leaves a lot of more experimental mods floating around. CM was nice because it focused more on usability/stability and was less of a POC build.

It is like the 1990s all over again - developers tend to be enthusiasts who buy the latest and greatest, so they always build stuff that doesn't run well on older PCs. We've gotten away from this in the last 10 years since modern PCs (except in the area of graphics) have not really been improving much as they are no longer CPU-bound, and most developers don't own SSDs yet.

Phones, however, are on a very Moore's-law like curve which means that when you donate to your favorite phone modder you're giving him a change to get a newer fancier phone and stop supporting yours. :) Granted, that doesn't mean that the solution isn't to reward them for what they've done for us.

Re:What of old versions

[JAlexoi]

G1 users are hit by only one of the two. Teh one that is essentially a "local" exploit. The remote exploit (HTC + Flash Lite) only hits Android 2.1 based phones with HTC Sence. Way to screw things up HTC!!!!

Re:What of old versions

[colinnwn]

It remains to be seen if Gingerbread will even reasonably run on a G1, so it may be a non-issue that the focus of CM has moved on. It was rather heroic they got FroYo running on it so well.

I noticed you outlined several issues with the older CM6. I'm running CM6.1 on my G1 rignt now, with several relatively easy performance tweaks. It is as fast or faster than the sanctioned T-Mo firmware, supports apps and data on SD ext2/3/4, and official apps on SD seem to work fine. Only problem I've encountered is 3 of 10 apps I have must be moved to the phone before they can update themselves, and then they can be moved back to SD to run.

I was planning on getting a new phone as soon as I could afford it before CM6.1. Now I no longer have any immediate plans, though the G2 is pretty cool looking, I don't think I can stomach paying more than $300 unsubsidized for a phone that can so easily be damaged.

Re:What of old versions

[Rich0]

I wouldn't be surprised if the newer versions work fine. I'm not sure it is really the OS so much as the accessories/etc that contribute to RAM use.

If you stripped out some of the features that are RAM-hungry while keeping the functionality I think that it would work fine. Cut down on the graphical glitter (3D gallery, fancier home screen, etc), and focus on functionality (better Exchange support, chrome2phone, API, etc). Much of the original benefit in CM was in the stuff that was left out - some of this has been lost as the feature set is being dictated more by newer phones...

The Downside of Smart Phones

There are a lot of upsides to phones that can install aps, browse the web, and so on and so forth. This article is an example of one of the downsides, though. With computer-type capabilities, you get computer type problems. The old wired phones, and probably even most "dumb" cell phones pretty much were only vulnerable to people who had physical access to them altering their behavior. Now phones can theoretically get viruses and dial out on their own and so on and so forth.

I'm not advocating that people discontinue buying smart phones, but it's always good to pause for a second and think about the things we give up to move forward, as it were.

Microsoft's fault

I've been suspicious for a long time that Google is having Microsoft write all their software. This proves it.

Telco backdoors

[LongearedBat]

If I'm not mistaken, all mobile phones have backdoors for telco's to use, for silently pushing firmware updates and bricking phones, etc.

I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

Re:Telco backdoors

[gmhowell]

If I'm not mistaken, all mobile phones have backdoors for telco's to use, for silently pushing firmware updates and bricking phones, etc.

I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

No kidding? Well, my best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.

Re:Telco backdoors

[fostware]

Abe Froman can afford to give you mod points.

Re:Telco backdoors

[Schuthrax]

The sausage king of Chicago?

Re:Telco backdoors

[RoboRay]

The Sausage King of Chicago?!?!?!?

Re:I can't find that app in the App Store

[FatdogHaiku]

Man I found it but Fake Location Tracker doesnt seem to work :(

You must first be in a fake location...duh!

Re:I can't find that app in the App Store

[Sun]

They're called "mock locations" on Android. Settings/Applications/Allow mock location.

Shachar

General purose computing device

[bm_luethke]

Until smart phone manufacturers realize that they are making general purpose computing devices we will see this. To some there is a "war" going on between Apple and Android but that really misses the issue - in this respect trying to figure out which is the "better" on is like trying to figure out if Frosted Flakes or Fruit Loops is the better breakfast cereal - it is personal preference and there are most likely "better" solutions out there (and as a disclaimer I am an Android user - Droid One).

Until one side truly figures this out I'll stick with Android if for nothing else than I can get the functionality I want. With Apple I have to buy into their idea on how their devices fit into my life and I, well, do not. If Apple truly had this superior model than I would go for it, but as far as I can see I get the worst of both worlds - lack of specialized apps (as those are often, for unknown reasons, rejected from their app store and there are one or two I would like) along with just as many vulnerabilities (and those usually require you store that info on the phone - which until/unless they secure them I do not). So I currently see Apple as having those issues yet none of the "rewards" of going with them.

There are a handfull of people I know I would still recommend the iPhone too, but unless they already know the iPhone platform over the Android and are still asking others about it that is rare. Sadly it isn't because Android is truly better, but because if all else is equal then the flexibility of the Android system is superior and pretty much everything else is equal. Apple has remained where they are for a *long* time because they haven't figured this out too - though I also have to say they have not died because they ignore it too (their model of revenue find this irrelevant, which means they will not "win" but really can not "loose").

Re:General purose computing device

[khchung]

Until smart phone manufacturers realize that they are making general purpose computing devices we will see this.

I say just the opposite. Until the Android crowd realize that a lot of people do not want a general purpose computing devices on their phone, they will be talking past all iPhone users.

I work with computers for a living, I know very well the high cost of ownership for owning a general purpose computing devices. I do not want that for my phone. I deliberately stayed away from "smartphones" until Apple got smart enough and produce one that obviously is not intended to be a PC on a phone.

All your reasons for calling Android "superior" is exactly the reasons that I found it inferior. I want a limited device that only do what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low. This seems to a point that the Android crowds never understand.

Maybe you find it intellectually simulating to find which security hole is patched in which Android version, and fun to track down exactly which Android version can be hacked to be installed on your phone (since your phone supplier probably won't give you a fix until a year later).

For me, I just want iTunes to periodically check if my phone has the latest patch and tell me about any updates, so I can install it by clicking "Yes".

Re:General purose computing device

[TheRaven64]

I want a limited device that only do what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low.

It's called the 90-10 problem. 90% of the users only want 10% of the features. The problem is that they don't all want the same 10%. This is why modern computers have so many features that you never use - it's not because people want general purpose computers, it's because people all want different special-purpose computers.

Re:General purose computing device

[bigstrat2003]

Your logic fails. First, the main aspect of the iPhone that you could claim is an advantage over Android, the harsh policing of the app store, is irrelevant for security. Google can, and has, taken down apps that were insecure. The Android Market can be just as monitored as the iOS app store is. The real advantage is not anything to do with the market, it is the fact that you can install apps that are not from there. I'm sure you'll say "but I don't need that", but that's not true. You don't need it yet. I'm sure you'll feel differently if you ever have the bad luck to start to heavily use an app that Steve Jobs decides offends him in some way, and subsequently gets removed from the app store.

Second, if your reason for having an iPhone includes "I can just wait for iTunes to tell me when there's a new version", that's ridiculous. You can be ignorant of security flaws on Android, as well. Trust me, there's no one that makes you go read up on them on /. (although apparently you would do so anyway, since you read this article). You can just wait for the phone to tell you that there's a new update for the OS available, and install it. Just like the iPhone! Of course, just like the iPhone, if there's a security bug you won't know about it and can be exploited, but if that's really what you want you can get it.

Re:General purose computing device

[Haeleth]

Nope, 90% of people want the same 10% of features

That is simply not true.

It may be the case that about 40% of people are willing to tolerate only having the same 10% of features because the feature they value most is "looking cool in front of my friends", but there's a reason why the iPhone does not have 90% market share -- it simply does not meet that many people's needs.

Re:General purose computing device

[khchung]

It is not my logic that fails. It is merely that my values is different from yours, and you have already assumed your values is the correct one so anyone not subscribing to the same values has faulty logic.

For the value of a hypothetical possibility that I might like and heavily use an app that will eventually banned by Jobs, the trade off is to give up the Apple app store for the Google one that I cannot make any payment from where I live. Not to mention that there are fewer apps to start with. I am not interested in spending the effort to find out which app in the wild is clean, so don't bother about non-app store apps.

I choose the risk of my hypothetical fav app banned by Jobs over inability to actually buy apps I want! No contest there. You obviously chose otherwise, doesn't mean either logic is faulty, it just mean we value things differently.

Claiming there are unknown security flaws in both platforms is just a cop-out. Every platform hs security holes, so let's just forget about security and patches! This completely ignore the fact that if there is anything major out in the wild, Apple has a vested interest in patching iOS and getting fixes out to iPhone owners with a single click on iTunes. While Google can only patch their code and hope/wish/cajole the phone vendors to sync into their own Android version and send it out to you, hopefully in less than a year, if ever. Meanwhile, you either live with a major known security hole, or you spend the effort to try to hack the latest patch into your phone. Have fun doing that.

This is no different from console-gaming vs PC-gaming. Some PC gamers look down on console gamers, citing the "superiority" of upgradable video cards, more indie games, possibility of game mods, etc. Console gamers thinks it is silly to deal with driver issues, antivirus setups, hackers/aimbots on multiplayer games.

Re:General purose computing device

[bm_luethke]

The iPhone *is* a general purpose computer, as such it has all the risks associated with it.

The fact that *you* are only allowed the bits they want to let you see may make you feel like it isn't, but from a security standpoint (of which I was primarily addressing) it is a general purpose computer. This limits how much *you* do, not how much a hacker/phreaker can do.

Of course, I do agree that I'm talking over most iPhone users heads (apparently yours included), but not in the way you mean. A large portion of Apple users confuse the limited distribution of the app store to be some form of security - it is not.

If you want a device that you are only allowed to do what someone else lets you do then the iPhone is a great choice in the "smart phone" market - no doubt about that. That may very well make the device simpler for you to use and there isn't much argument there - that is a personal preference (though I have yet to see any one confused by an Android phone that wasn't just as confused on an iPhone, however I have seen more than one frustrated that the iPhone will not let them do what they want and are happy when Android does). However security that is not.

As such I find no security difference and a great deal of usability difference. Most people do and find one or the other the "better" choice. The people who think and work in the way Apple wants you to find the iPhone great so stick with it (you obviously do) - no argument there - but most people either don't really care (the phone is as much a fashion statement as anything) or prefer to make the phone fit themselves instead of themselves fit the phone.

I'm not sure how that attitude is going to sink Android and have the iPhone ride the wave into the future, but oh well, that attitude and same argument sure helped the Macintosh ride the wave of the future as a dominate force in the 90's - I'm sure it will do the same this time. Apple has made good money over the years by giving that smaller market segment *exactly* what they want, no reason to figure that is going to change and if you are a part of that segment I suggest you purchase their products (as I said in my original post - there are people I would suggest them too).

Re:General purose computing device

[PipsqueakOnAP133]

As such I find no security difference and a great deal of usability difference.

You exhibit the same problem as those who blindly support the idea that "security by obscurity is no security at all," in that you appear to dismiss the fact that security isn't made of one thing or another, but the sum of all the efforts to make something secure.

The iTunes App Store does not itself make the iPhone secure. It only attempts to improve the quality and conformity of applications provided to the user.
The lockdown/sandboxing of the iOS device itself makes it harder to install apps that have not been vetted by Apple somehow, but it doesn't guarantee security. It only makes it significantly more difficult to obtain user data.
The iTunes/iOS update system, can post a patch to all devices relatively quickly and with relative certainty that the hole exploited has been plugged. It doesn't guarantee security.

All of these don't guarantee security. They're all defeatable. The first two are obviously defeated by jailbreaks and that PDF/freetype vulerability.
The 3rd one is defeated if the user decides not to install firmware updates.

But together, they make it harder for a user to get exploited. If you try to attack from the official App Store, even if the reviewer was a moron, the sandbox makes most user private data impossible to access. Even if you managed some way to hack through kernel-level sandboxing, whatever you do will get plugged on discovery, and the fix deployed via a system update. (and not only that, the base OS will get reset to an unhacked state, which is probably why the PDF fix was deployed in a full system firmware update of some couple hundred megs, instead of a 100kB patch.)

On the other hand, you have Android.
You can install whatever you want. You can access most things on the phone, usually just by letting the user know in vague terms in the install. (or in this article's case, without really knowing at all, provided you have an HTC phone with Flash Lite.)
Google only pulls out the banhammer on the marketplace when something's reported to be no good.
Google can apply a fix and deploy it to the G1s, some myTouch dev units, and the N1s. But everybody else will wait until their manufacturer pushes the fix. (and Google's own stats say that only 1/3rd of Android users are on 2.2)

Apparently khchung finds the sandboxing in iOS to be a blessing. Apparently you and bigstrat2003 find the flexibility in Android to be more valuable.
Either choice is fine with me. (heck, when I first got into the iphone jailbreaking scene, I not only audited the source code for the early jailbreak utilities, but then did all the procedures manually, to make absolutely sure nothing got sneaked in.)

But make no mistake, the security aspects of both platforms are most definitely different.

Re:General purose computing device

[bm_luethke]

"You exhibit the same problem as those who blindly support the idea that "security by obscurity is no security at all," in that you appear to dismiss the fact that security isn't made of one thing or another, but the sum of all the efforts to make something secure."

Almost all security comes through some form of obscurity - you password, private key, pre-shared key, or heck even your one time pad are only secure because no one else knows them. In the and all security comes down to obscurity - so no, I do not think I am one that falls to that.

What you fail to understand - and searching on Apple iPhone exploits shows - is that the pre-screening Apple gives has *no bearing on the security of the phone*.

Apple screening is based on, as far as anyone can discern, other criteria. Indeed, without source code and truly rigorous testing that you couldn't afford it *has* to be that way.

Nor are the immune to the description you give of the G1's - ask anyone with any hardware before the 3G where all their shiny new updates are. My bet is since Apple has none they are sitting on the same vulnerabilities that they were when their last update was applied - well unless Apple has figured out how to update without patching.

I do not find apples "sandboxing" (which they aren't doing at all - they are simply saying you can only buy software at your local Best Buy which is *not* sandboxing - they are a walled garden, not a sandbox) to be useful from a security point of view because it gives me *nothing* that enhances that. Google really doesn't either - while the OS certainly does real sandboxing (which apple doesn't at all) installing applications generally requires you to give blanket permission that pretty much break this as a security feature too.

khchung finds the lack of flexibility to be invigorating as he/she doesn't have to worry over user interface. They somehow - as you do - equate only being able install one of three video players instead of one of five as "security". Neither one is more or less secure than the other - the space of apps you have is *not* security or sandboxing. Each trades flexibility for a smaller set of skills to learn, *not* a tradeoff in security.

If anything Googles real sandboxing with explicit permissions is *better* security - at least without a true OS hack they can't get at anything outside the sandbox you do not explicitly give permissions for. Sadly even a simple flashlight app generally wants internet access and all sorts of crap - Google really needs finer grained permissions.

Re:General purose computing device

[PipsqueakOnAP133]

What you fail to understand - and searching on Apple iPhone exploits shows - is that the pre-screening Apple gives has *no bearing on the security of the phone*.

So how does a scan for what APIs your app calls not have any bearing on security?

Nor are the immune to the description you give of the G1's - ask anyone with any hardware before the 3G where all their shiny new updates are.

If you read the point I was making, it wasn't that the G1 doesn't have updates. It's that Google can only push updates directly to end users of the G1, N1, and MyTouch dev phones. Google cannot push updates directly to users of other handsets like the Droid, the Epic, the Evo, and all other handsets/tablets/etc.

But yeah, the fact that Google is no longer supporting the G1 is true too.

Indeed, the original iPhone is in the same boat as the G1. But unlike the original iPhone, the following phones haven't been out for 3 years yet and still don't have 2.2 either:
the G1,
the Droid Eris,
the Motorola Backflip,
the Motorola Devour,
Samsung Behold II,
Samsung Moment,
Motorola Cliq,
and the Sony Experia X10.
(Has the 2.2 rollout for the Samsung Epic 4G and Captivate hit the US yet?)

Sure, you can flash an unofficial rom just like you can patch a jailbroken iPhone 2G. But the common user isn't going to understand how to do either.

I do not find apples "sandboxing" (which they aren't doing at all - they are simply saying you can only buy software at your local Best Buy which is *not* sandboxing - they are a walled garden, not a sandbox) to be useful from a security point of view because it gives me *nothing* that enhances that. Google really doesn't either - while the OS certainly does real sandboxing (which apple doesn't at all) installing applications generally requires you to give blanket permission that pretty much break this as a security feature too.

As for sandboxing, I have no idea what you mean by "walled garden, not a sandbox." But what I do know is that the iPhone indeed has a sandbox.

If you write an app to do something not allowed, say, open a serial port, then compile and load an app using the SDK. It'll exit as soon as open is called because the kernel killed it. Yeah. I tried it pretty early on.

This isn't some simple, "ooh, you can't install it, so it's protected" naivety. It's that processes loaded from the app store are killed or denied access by the kernel if they try to go out of their sandbox.

See here for profile info: http://iphonedevwiki.net/index.php/Seatbelt

Jailbroken phones and apps obviously bypass this in order to do their customizations. But for any app from the app store, they're sandboxed.

Re:Wow

[geminidomino]

Crap like this is why I have data disabled on my phone and install nothing. I'll take the inconvenience of not being able to do other things with my phone for the convenience of not having to fight a ridiculous data or voice charge.

I can understand just wanting a dumb phone, but if that's the case, then why have an android phone in the first place?

An open platform can find it's own solution

[LodCrappo]

I'm sure many Apple devotees will see this news as confirmation that Apple's "we know better than the user" approach is superior.

While I disagree for a number of reasons, for sake of argument, let's assume that they are right. If the walled garden approach is better, won't some enterprising entity create just such a service for Android? The platform is open, anyone can create a market place. Several alternative markets already exist.

There is no reason someone couldn't make a tightly controlled market where apps are scrutinized prior to being offered. If there truly is value in that, I don't see why it wouldn't be done. Such a service could even reject apps for no obvious reason or censor content that doesn't agree with their view of things, if 100% compatibility with that other app store was desired.

Re:Is the new android fine? (Thinking of buying)

[Menkhaf]

I'm looking to buy a new phone in a few months. My current Nokia 6300 has lasted for almost 3 years, and is beginning to act a bit weird at times.
I had a look at the Nokia N900 a few days ago and was amazed at the price compared to the specifications and the price point of other smartphones. Qwerty keyboard, 800x480 display, Maemo 5.
Here in Denmark I can buy a new and unlocked for 375 EUR, though I'm tempted to find a used one on eBay -- the price there starts around 200 EUR for a slighty used.

Damn H4xx0rz!

[arifwn]

more features == more security holes less feature == less h4xx0r My next purchase: http://www.johnsphones.com/store/johns-phone-white/item24

Angry rovio?

[js_sebastian]

If I were rovio software (the makers of angry birds) I would be pretty annoyed that the name of their popular game, and artwork from it, has been used to distribute a malicious program, even if it's just for demonstration purposes.

. So the real question is, will rovio hit the authors with an explosive angry bird or bomb them with an egg-dropping angry bird?

On the plus side, this has reminded me that there is one more level pack I can buy for my n900...

Re:I can't find that app in the App Store

[Americano]

You need a phone with more gee bees and the wifi.

Is this news?

[josepha48]

Really though all OS's have their vulnerabilities, doesn't matter who makes em they all have em. Welcome to software!

The real issue here is how quickly these are fixed and how easy it is for the end user to get that fix. All major desktop software have done a decent job of making it easier to get the updates, the end user just has to either allow the install or maybe do a click through update. Phones are moving in that direction but some move quicker than other. I hope in time android will be at a point where it will get updates out at a normal pace to end users. I do think that android could learn a few things from ubuntu and other linux distros that have automatic updates. Even vendor supplied roms need to learn something from this process.

I wonder if one can sue a vendor if there is a browser vulnerability that gets fixed in android source but does not make it to their phone?