New Android Exploit Discovered To Steal Data

← Back to Stories (view on slashdot.org)

New Android Exploit Discovered To Steal Data

Posted by timothy on Saturday January 29, 2011 @08:04AM from the damn-androids-have-no-consciences dept.

mimd writes "A researcher at North Carolina State University has discovered yet another Android Browser exploit that affects the new Android 2.3 (Gingerbread) and previous versions. Slashdot recently covered a previous browser exploit that affected all versions of the Android Browser, but was patched in 2.3. Xuxian Jiang writes 'our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone.' The exploit is capable of reading and writing files from an Android's sdcard or system partition as well as uploading user data over the internet."

98 comments

Min score:

Reason:

Sort:

Windowsesqe by BasilBrush · 2011-01-29 08:08 · Score: 0, Troll

Android, the Windows of the smartphone world.
1. Re:Windowsesqe by thetoadwarrior · 2011-01-29 08:21 · Score: 4, Interesting
  
  I am a bit unimpressed with how rubbish Android can be at telling you something is wrong. Some apps appear in the market and I can't install them. All it says it can't download them. So of course I keep trying and it fails. So is it a network error or will it never install because actually it won't run on my G1 and should it even be showing up in the market for me? It's not like it downloads it at all so it's aware of whether my phone can run it in advance so why the generic message?
  
  I had to do a factory reset on my phone after a google created app killed the phone. I suspect it was google maps. I say that because even after doing that and maps was then updated again it would always crash everytime I started up the phone. I believe it was about a month later until it was fixed.
  
  Today my phone and home button quit working and when bringing up the shut-down menu the only option that was there was to turn the phone off. I searched and most people just did a factory reset. I wasn't about to do that. I haven't installed any apps since the last ordeal where I had to do a factory reset and no apps were updated in ages so as far as I was concerned no factory reset should be needed.
  
  What it was in the end is something like the cookie data for communicating to Google got corrupt for as best as I can tell no good reason. I'm not sure why that should put the phone in a nearly broken state and absolutely no warning message whatsoever so you're left thinking the buttons are broke or something worse. I found you can clear you google apps cache and log back in and it fixes it. That's ridiculous, imo. I have version 1.6 of Android and there are people with at least 2.2 experience this problem. It's not like they're unaware of it.
  
  I can't bring myself to pay out for an iPhone but I have to say I'm really tempted. The idea of having a phone where you have to worry about it fucking up for no apparent reason and with no warning message is awful. I'm trying to convince myself that even if I get an android phone cheaper I'm still locked in a contract so it is a big deal. But even if I want to pay for an iPhone I don't entirely agree with how Apple manages their app store but more and more I understand completely why they do it.
2. Re:Windowsesqe by 4phun · 2011-01-29 08:29 · Score: 0
  
  Android, the Windows of the smartphone world.
  Mobile Windows didn't have such glaring problems with malware stealing from the user.
  That is only possible by virtually every Tom, Dick, and Harry with mental problems having a copy of the source code that they can examine for flaws that they can exploit.
  Then you have another group with mental problems saying no one should expose the danger as that damages Android's reputation and users will avoid it. Duh? Of course they should avoid it until the danger is completely eliminated or someone writes a good antivirus anti Trojan app that can root out the danger.
3. Re:Windowsesqe by TheRaven64 · 2011-01-29 08:34 · Score: 1
  
  Finding a flaw in the source code isn't that much easier than finding a flaw in the disassembly. In both cases, you're either spending insane amounts of time reading code, or you're using automated tools to spot certain patterns. Or you're just running the code and seeing how it really behaves, which is how most holes are found.
  The problem is that finding a vulnerability in Windows or Android gives you a lot of vulnerable machines. Monocultures are bad for this exact reason, whether they're Microsoft or Google monocultures.
  
  --
  I am TheRaven on Soylent News
4. Re:Windowsesqe by binarylarry · 2011-01-29 08:38 · Score: 3, Insightful
  
  Why did this get marked Troll?
  Android has taken the same position in the smartphone market Windows has in the PC market. It even did it the same way.. by being more open than Mac and working with various hardware and software vendors.
  
  --
  Mod me down, my New Earth Global Warmingist friends!
5. Re:Windowsesqe by dubdays · 2011-01-29 09:47 · Score: 4, Informative
  
  Here's my workaround to the market not completing downloads and not installing them even if they appear to have successfully downloaded.
  
  1) back all the way out of the Market
  2) Go to Settings --> Applications --> Manage Applications
  3) Click on the "All" tab at the top
  4) Wait a couple of minutes, and then find "Market" in the list (list isn't always in order, so it can be hard to find if you have a lot of apps)
  5) Click "Market"
  6) If the "Force Stop" button isn't grayed, click it to force the Market app to end
  7) Click the "Clear Data" button
  8) Re-launch the Market app, click "Agree", and try it again.
  
  I know it's stupid, but it does work about 90% of the time. If not, rinse and repeat.
6. Re:Windowsesqe by ColdWetDog · 2011-01-29 09:53 · Score: 3, Funny
  
  The idea of having a phone where you have to worry about it fucking up for no apparent reason and with no warning message is awful.
  The iPhone may not be your best choice. I accidentally let my iPhone 'upgrade' from 3.2 to 4.1 (note to self - do nothing at all, except perhaps post on Slashdot when tired). After a very frustrating four hours of reinstalling itunes, waiting for Apple's 'upgrade server', googling a dozen cryptic error messages and finally reinstalling everything from scratch, I finally have a functional phone.
  
  It's pretty amazing that Apple can manage to have so many holes and gotchas in their locked down system. Much of it seems to be just bad programming (not realizing a preference file is corrupt, having twizzlefits about exactly which USB port is OK, cruft files left over from previous installs) and sloth.
  
  I'd recommend a DOS phone. Nice and simple. Just use a hex editor to fix things. None of this complex new stuff. Bah.
  
  --
  Faster! Faster! Faster would be better!
7. Re:Windowsesqe by qbast · 2011-01-29 10:54 · Score: 1
  
  Much worse. On Windows you enable autoupdates and vulnerability soon disappears. With Android you wait months for new version which carrier will or will not make available for your phone.
8. Re:Windowsesqe by Miamicanes · 2011-01-29 11:06 · Score: 2
  
  > Mobile Windows didn't have such glaring problems with malware stealing from the user.
  That's mostly because statistically, there weren't enough Windows Mobile users (or PalmOS users, or Symbian users, for that matter) to be worth the time of organized crime.
  The problem with Android isn't the fact that the source is available to peruse, it's the fact that manufacturers and American carriers do their best to make upgrades as difficult as possible despite Android's open-source Linux roots. An exploit like this barely gets a yawn from Nexus One users, because someone will update it before any real exploits based on this ever become a problem. In contrast, owners of American Samsung Galaxy S phones will be shitting bricks, because we're still waiting for a fucking kernel that works with Froyo. Or at least leaked CDMA loadable kernel modules compatible with a 2.6.32 kernel so we can build our own without losing basically all the hardware drivers it needs to work properly.
  Sidetrip: Unlike Windows, Linux makes no effort to maintain a stable ABI between versions. Simplified a bit, this basically means that a loadable kernel module (the Linux analog to a hardware driver) that's built for a 2.6.29 kernel will probably crash and burn on a 2.6.32 kernel. The official Linux party line is that it makes it harder for manufacturers to keep drivers proprietary, and motivates vendors to release source for their drivers so it can be automatically rebuilt for each new kernel release. The cold American consumer reality is that the Android Emperor is nude. The Nexus S can't do 4G on T-Mobile, is fundamentally incompatible with Sprint and Verizon, and AT&T's slow, capped, expensive 3G isn't even a real option. We're stuck with an allegedly-open operating system inextricably bound to hardware that's more locked down and proprietary than an iPhone, and all we can really do is hope some of Linux's core developers also own Android phones and are starting to really, really feel some of the ABI pain themselves on a daily basis.
  Put another way, here's a more technical summary of the problem:
  * Samsung has released source to its kernel and loadable kernel module drivers, but the LKM source won't build against any known 2.6.32 kernel due to missing dependencies.
  * The .ko modules themselves were built against the ABI of a specific build of 2.6.29 that changed enough with 2.6.32 for most of them to crash and burn if you try using them with a 2.6.32 kernel.
  * Froyo and Gingerbread have dependencies on the 2.6.32 kernel. You can cobble together a FrankenBuild that sort of works with a 2.6.29 kernel, but it'll never be a True Froyo/Gingerbread, and will always have bugs hidden below the surface veneer.
  Metaphorically, an American Samsung Galaxy S trying to run Froyo is kind of like a laptop that shipped with Windows 98 and a winmodem. The unfortunate user upgrades it to XP himself, then discovers that the winmodem only has drivers for Win98. Through some miracle, the winmodem drivers have their "source" released, but that source requires a thirdparty library called LunexantProprietaryLib that isn't included, and won't build without it. After lots of hacking, the user manages to cobble together drivers that will allow the modem to limp along at 9600 baud by pretending it's an older version of the chipset, but getting it to do 56k without official drivers is hopeless. And if, by some miracle of god, a never-released copy of drivers for XP get leaked despite the determination of the manufacturer to keep it unavailable through the perverse logic that fucking their customers will somehow encourage them to buy a newer model from the same company that screwed them less than a year earlier (instead of buying one made by just about ANYBODY else), the user discovers that the drivers needed for 3D acceleration have the same problem as the Winmodem, and it's back to square one.
  What Google really needs to do is define an ABI thunking layer and require that any and all device drivers
9. Re:Windowsesqe by camperslo · 2011-01-29 12:06 · Score: 1
  
  Android could stand to be more open, or use different jumping off points for work towards future versions.
  Not being GPL'd, the modified source from the various handset vendors / carriers isn't likely to make it make it back into the gene pool. Users can't fix bugs or make other improvements to what came on their devices, and any would-be natural selection using "surviving" popular variations from some vendors normally doesn't get any added goodness put back into the main distribution. The evolutionary mechanism for selection of better code-genes going forward is absent.
  For users, it doesn't really seem like open source if you're effectively on a closed source fork, and other than praying for fixes/updates from the closed vendor, your only option is to jump to the other branch and lose whatever custom growth you'd bought into.
  Outside of developer handsets, Is there EVEN ONE carrier/handset vendor that provides the source to what they ship?
  Although there are likely far fewer bugs, in some ways Android is WORSE THAN (desktop) WINDOWS because there are so many different builds with no reliable source of timely updates.
  Even the PCs with awful demoware-customized versions of Windows still get patches. Also, Windows has a fairly long life before becoming unsupported with patches. Some Android products are out of date when they ship yet they never see an update. There's generally no jailbreaking needed to replace a copy of Windows.
  Perhaps there should be class action suits against various carriers/handset vendors for damages resulting from vulnerabilities that could have been prevented had they not been negligent in providing timely updates.
  Google could improve things by switching to the GPL, and supporting at least modular code updates on ALL devices for those functions where bugs would likely expose vulnerabilities. It's great that there is source for work on some substitute builds, but that's really not enough.
10. Re:Windowsesqe by 4phun · 2011-01-29 13:14 · Score: 1
  
  > Mobile Windows didn't have such glaring problems with malware stealing from the user.
  That's mostly because statistically, there weren't enough Windows Mobile users (or PalmOS users, or Symbian users, for that matter) to be worth the time of organized crime.
  The problem with Android isn't the fact that the source is available to peruse, it's the fact that manufacturers and American carriers do their best to make upgrades as difficult as possible despite Android's open-source Linux roots. An exploit like this barely gets a yawn from Nexus One users, because someone will update it before any real exploits based on this ever become a problem. In contrast, owners of American Samsung Galaxy S phones will be shitting bricks, because we're still waiting for a fucking kernel that works with Froyo. Or at least leaked CDMA loadable kernel modules compatible with a 2.6.32 kernel so we can build our own without losing basically all the hardware drivers it needs to work properly.
  Sidetrip: Unlike Windows, Linux makes no effort to maintain a stable ABI between versions. Simplified a bit, this basically means that a loadable kernel module (the Linux analog to a hardware driver) that's built for a 2.6.29 kernel will probably crash and burn on a 2.6.32 kernel. The official Linux party line is that it makes it harder for manufacturers to keep drivers proprietary, and motivates vendors to release source for their drivers so it can be automatically rebuilt for each new kernel release. The cold American consumer reality is that the Android Emperor is nude. The Nexus S can't do 4G on T-Mobile, is fundamentally incompatible with Sprint and Verizon, and AT&T's slow, capped, expensive 3G isn't even a real option. We're stuck with an allegedly-open operating system inextricably bound to hardware that's more locked down and proprietary than an iPhone, and all we can really do is hope some of Linux's core developers also own Android phones and are starting to really, really feel some of the ABI pain themselves on a daily basis.
  Put another way, here's a more technical summary of the problem:
  * Samsung has released source to its kernel and loadable kernel module drivers, but the LKM source won't build against any known 2.6.32 kernel due to missing dependencies.
  * The .ko modules themselves were built against the ABI of a specific build of 2.6.29 that changed enough with 2.6.32 for most of them to crash and burn if you try using them with a 2.6.32 kernel.
  * Froyo and Gingerbread have dependencies on the 2.6.32 kernel. You can cobble together a FrankenBuild that sort of works with a 2.6.29 kernel, but it'll never be a True Froyo/Gingerbread, and will always have bugs hidden below the surface veneer.
  Metaphorically, an American Samsung Galaxy S trying to run Froyo is kind of like a laptop that shipped with Windows 98 and a winmodem. The unfortunate user upgrades it to XP himself, then discovers that the winmodem only has drivers for Win98. Through some miracle, the winmodem drivers have their "source" released, but that source requires a thirdparty library called LunexantProprietaryLib that isn't included, and won't build without it. After lots of hacking, the user manages to cobble together drivers that will allow the modem to limp along at 9600 baud by pretending it's an older version of the chipset, but getting it to do 56k without official drivers is hopeless. And if, by some miracle of god, a never-released copy of drivers for XP get leaked despite the determination of the manufacturer to keep it unavailable through the perverse logic that fucking their customers will somehow encourage them to buy a newer model from the same company that screwed them less than a year earlier (instead of buying one made by just about ANYBODY else), the user discovers that the drivers needed for 3D acceleration have the same problem as the Winmodem, and it's back to square one.
  What Google really needs to do is define an ABI thunking layer and require that any a
11. Re:Windowsesqe by Anonymous Coward · 2011-01-29 13:58 · Score: 0
  
  I heard of plenty of problems with iPhones too. I really don't think you'll have a much better experience there. In my opinion them most straight forward, pretty-much-never-screw-up-for-an-inexplicable-reason device is the Blackberry. Sure, the browser sucks, the specs sucks and the apps suck, but I restarted my phone once a month or so, everything syncs perfectly and no dicking around. There are definitely problems, but calling and messaging "just works".
  Be that as it may, I love my Streak now (Android)
12. Re:Windowsesqe by alvinrod · 2011-01-29 14:25 · Score: 1
  
  While that's helpful, that's absolutely horrible. That's not something mom and pop are going to be able to figure out or even understand.
  
  This almost feels like a +5 black comedy moderation. Just read through that list of 8 steps, many of which can be further broken down to more steps. Step 4 is especially endearing if taken literally, which may sadly be true. Shit like this is why people will buy the Apple product even if it's locked down or forces the purchaser to hand over his first-born child.
13. Re:Windowsesqe by tkprit · 2011-01-30 04:52 · Score: 1
  
  I'm having a better experience w/ Android right now though I'm still not fond of that default Facebook+contacts shit. The first thing I dl'ed just happened to be Advanced Task Killer and it stays open in notification area — if I have a problem, I open ATK and kill everything except ATK. (Don't worry; the important stuff restarts itself anyway. Even the unimportant bloatware starts itself again. ...I must root this thing.)
  I have ipod touches and have used iPhones — imo not much better except in batt. life. I think the best phones (reliability/security) are probably still RIM (it's just overkill for my personal needs, and well hell, I wanted to try to android!). But if your issues are apps, make a habit of reading reviews before d/ling anything. (I don't mean "Market" reviews, either. Find some android forums.)
  If you haven't rooted, take your phone in and complain. (If you have rooted, unbrick it then take it back). Your buttons SHOULD work. In my experience the store employees just pop out the SD card and give me a new phone instead of trying to repair it.)
14. Re:Windowsesqe by thetoadwarrior · 2011-01-30 07:10 · Score: 1
  
  The physical buttons do indeed work, it's just that the software basically ignores them and I've had the phone for about 2 years so I don't think I'll get anything for it. I have fixed it so it's back to normal
  
  Breaks the home and phone button and removes options from the shut down menu is the fact that the Google Apps cache becomes corrupt. In fact supposedly it's as something basic as just a cookie becoming corrupt according to some.
  
  I can't for the life of me understand why that should disable the home button other than the fact your Google account is so integrated into the phone that it can break things it probably should have no affect over. The fix isn't that hard. I think it would just be nice if it hadn't gone on this long (it's at least in 1.6 to 2.2) or it would tell you there is a software problem.
  
  I'm wondering if it's just better to have a cheap phone and then some sort of PDA or tablet but then I'd feel like I'd be going back to old days with my Palm III. One device would be ideal but not if it limits my ability to make calls.
Gingerbread by Anonymous Coward · 2011-01-29 08:12 · Score: 0

Is the Nexus S still the only 2.3 phone available? I know Samsung and HTC have upcoming phones with 2.3, but as far as I can tell the Nexus S is still the only 2.3 phone you can get at this moment.
1. Re:Gingerbread by h4rr4r · 2011-01-29 08:25 · Score: 2
  
  CM7 nightlies have been available for a while. Whole list of phones you can install that on.
2. Re:Gingerbread by shellbeach · 2011-01-29 10:48 · Score: 1
  
  Is the Nexus S still the only 2.3 phone available?
  Not at all -- there's at least five different gingerbread ROMs available for the HTC Desire over on XDA, for example. Most popular phones should have an AOSP build of gingerbread by now, it's been out long enough!
3. Re:Gingerbread by peragrin · 2011-01-29 10:59 · Score: 1
  
  and every single one of them will void your warranty on the hardware.
  Where are the HTC 2.3 ROMs? You know the ones that you don't lose your hardware warranty for installing?
  Maybe if HTC only had 2 or 3 models they could work to make at least one of them good, and update on a regular basis.
  
  --
  i thought once I was found, but it was only a dream.
4. Re:Gingerbread by adolf · 2011-01-29 11:25 · Score: 2
  
  and every single one of them will void your warranty on the hardware.
  It will?
  Where, exactly, is that spelled out in the warranty agreement?
  The warranty for my Droid 1 doesn't seem to care a bit about software -- in fact, it goes on at length about exactly how little Motorola gives a shit about how poorly the software on the device behaves.
  HTC's warranty is similarly worded.
  Hack away.
  
  --
  Kid-proof tablet..
5. Re:Gingerbread by shellbeach · 2011-01-30 09:55 · Score: 1
  
  and every single one of them will void your warranty on the hardware.
  They may or may not (although I doubt such a void warranty claim would stand up in court). But since you can always revert to stock with one of the OTA ROMs, it hardly matters, does it? My phone is currently being repaired, and you can be assured that I reverted to stock before sending it back ...
  
  Where are the HTC 2.3 ROMs? You know the ones that you don't lose your hardware warranty for installing?
  So HTC aren't concerned with building new ROMs for older hardware? That's one more reason to switch over to the community ROMs!
  I'm not sure what exactly your fear of using an AOSP ROM is, but bear in mind that they have a lot more active development than an HTC ROM, much easier bug reporting and much faster bug fixing, not to mention many more features. And if you really do like HTC Sense, then there's several excellent Sense-based ROMs (LeeDroid being the standout) which will give you your Sense-UI fix with many more features and a better kernel to boot.
Click here by metalmaster · 2011-01-29 08:15 · Score: 1

You'll see boobies. I promise
Seriously, the only way you can protect users is to take the phone from them. be consious about whatt youre doing with your phone. despite it acting like a computer that fits your pocket its still just a phone.
1. Re:Click here by Illogical+Spock · 2011-01-29 09:15 · Score: 1
  
  I generally would agree with you, but in cases like this it is not necessarily the user's fault. If the bug is really like the article describes, just clicking a link can exploit it - and you can avoid clicking in the "click here to see boobies", but not some google results that appear to be legit, or some links in forums, etc. If in fact you need to RUN something, then, yes, it will be the user's fault.
  
  --
  --- Illogical Spock
2. Re:Click here by Anonymous Coward · 2011-01-29 09:19 · Score: 0
  
  Seriously, the only way you can protect users is to take the computer from them. Be conscious about what you're doing with your computer. Despite it acting like a phone that fits in your pocket, it's still just a computer.
  *fixed that for ya'.
3. Re:Click here by qbast · 2011-01-29 10:57 · Score: 1
  
  Hey! I clicked dozen times and still no boobies! Internet must be broken or something ...
4. Re:Click here by Archangel+Michael · 2011-01-29 17:45 · Score: 1
  
  Want Boobies, for real??? click here
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
um So don't use a SD card with personal info on it by Anonymous Coward · 2011-01-29 08:16 · Score: 0

So just dont put anything you wouldn't want stolen on your SD card for now, until a confirmed fix is released :)
Turnabout is fair play? by symbolset · 2011-01-29 08:23 · Score: 2

When Windows Phone has this kind of market share it will be the target of hackers too.
Oh, how I hate that meme.

--
Help stamp out iliturcy.
Re:um So don't use a SD card with personal info on by Anonymous Coward · 2011-01-29 08:28 · Score: 0

In other words, don't use the camera at all.
+1 Nothing new.. by Anonymous Coward · 2011-01-29 08:28 · Score: 0

Its in line with the long standing tradition of slashdot to heavily report anti-ms news and hide linux/oss bugs. There are countless oss vulnerabilities being disclosed on security lists year after year and only about 10% make front page news on Slashdot. Its not a conspiracy, but its funny to observe the oss cheerleaders here..
gotta get those page views up.. ;)
1. Re:+1 Nothing new.. by Anonymous Coward · 2011-01-29 08:46 · Score: 1
  
  "There are countless oss vulnerabilities being disclosed on security lists year after year and only about 10% make front page news on Slashdot."
  perhaps because a project finding bugs in the code it is developing is not particularly newsworthy but a third party finding bugs in someone else's expensive code that is marketed as being 'secure' is?
  no conspiracy, no cheerleaders. people just like to read about the 'big guy' getting a PR spanking rather than the flurry of irc messages between a few devs.
  in this case, android is one of the 'big guys,' hence why it appears here. see how that works?
Just dont use the stock browser by Illogical+Spock · 2011-01-29 08:37 · Score: 4, Informative

Im not minimizing the problem or its potential consequences, but the article says:

For now, Android users can protect themselves by disabling JavaScript support in the browser, or by using a third-party browser for now.
So the problem is the browser, not the OS, and it can be circumvented by using another browser (what a lot of people do, for example Opera and Dolphin). Good to know, since I use Dolphin most of the time, and Firefox Beta (still terribly buggy) now and then.

--
--- Illogical Spock
1. Re:Just dont use the stock browser by Anonymous Coward · 2011-01-29 08:48 · Score: 0
  
  Why would you use opera mini or dolphin if you care about minimizing third party access to your private information?
2. Re:Just dont use the stock browser by Anonymous Coward · 2011-01-29 08:53 · Score: 0
  
  Minimizing access to random 3rd parties (every website you visit) is not the same as to a particular one (one specific browser vendor).
3. Re:Just dont use the stock browser by Anonymous Coward · 2011-01-29 08:58 · Score: 0
  
  Im not minimizing the problem or its potential consequences, but the article says:
  
  For now, Android users can protect themselves by disabling JavaScript support in the browser, or by using a third-party browser for now.
  So the problem is the browser, not the OS, and it can be circumvented by using another browser (what a lot of people do, for example Opera and Dolphin). Good to know, since I use Dolphin most of the time, and Firefox Beta (still terribly buggy) now and then.
  Just goes to show that if you treat Android like it's a PC, you'll always be susceptible to these kinds of problems. The tech-heads may have options but the regular user will be clueless.
  But that's okay. I'm sure you'll just trash regular-users as being too stupid to know how to use a smartphone. Android is flawed, and don't expect handset makers to send out OS updates as most are locking them down, and they have no incentive to do so when they can just convince folks to buy the next latest-and-greatest made.
  Android is simply landfill material.
4. Re:Just dont use the stock browser by Illogical+Spock · 2011-01-29 09:00 · Score: 2
  
  AFAIK Dolphin dont use a proxy to "compress" pages as Opera and Skyfire, so its not a threat to my privacy to use Dolphin. In Opera's and Skyfire's cases, I agree with you it would be.
  But, in other news, when I was confirming that Dolphin don't use a proxy I just found out that it is built over the stock browser, and therefore probably doomed too. It seems that I will need to use the incredibly buggy Firefox for now. At least I have a stock Android (Nexus S) so probably Ill have a patch soon.
  
  --
  --- Illogical Spock
5. Re:Just dont use the stock browser by Anonymous Coward · 2011-01-29 09:03 · Score: 2, Funny
  
  Lol Steve, you're supposed to be on medical leave, not trolling slashdot.
6. Re:Just dont use the stock browser by Anonymous Coward · 2011-01-29 09:05 · Score: 0
  
  Doesn't Dolphin just wrap the existing browser? They always crash on the same pages.
7. Re:Just dont use the stock browser by Illogical+Spock · 2011-01-29 09:16 · Score: 1
  
  Yes, youre right. Im doomed. :-) Please let me know if you see my wifes nude pictures somewhere. ;-)
  (I think I will need to use Lynx for Android ;-)) )
  
  --
  --- Illogical Spock
8. Re:Just dont use the stock browser by Illogical+Spock · 2011-01-29 09:18 · Score: 1
  
  Oh, God, this shitty MS keyboard have two keys that looks like the apostrophe, and I ALWAYS use the wrong one - hence I have no apostrophes in my messages...
  
  --
  --- Illogical Spock
9. Re:Just dont use the stock browser by bemymonkey · 2011-01-29 09:45 · Score: 4, Interesting
  
  I dunno, isn't the entire underlying engine vulnerable? Browsers like Dolphin don't implement their own engine, but rather just wrap around the existing browser...
  Opera and Firefox should be fine though.
10. Re:Just dont use the stock browser by kevinmenzel · 2011-01-29 09:51 · Score: 2
  
  You look at your keyboard when you type? And depend on the glyphs your keyboard manufacturer uses to know what each key does? Wow....
11. Re:Just dont use the stock browser by flowwolf · 2011-01-29 22:15 · Score: 1
  
  There is a seperate opera browser that does not proxy your pages like opera mini does.
12. Re:Just dont use the stock browser by flowwolf · 2011-01-29 22:16 · Score: 1
  
  There is an actual opera browser app. Not just the opera mini, which only proxies webpages.
13. Re:Just dont use the stock browser by bemymonkey · 2011-01-29 22:33 · Score: 1
  
  Hence "Opera and Firefox should be fine though." ;)
What SD Card? by AC-x · 2011-01-29 08:52 · Score: 1

The Nexus S doesn't have an SD card slot, I assume the exploit also allows uploading of anything in the phone's internal storage area but "removing the SD card" as a workaround isn't going to work on the Nexus S!
1. Re:What SD Card? by Anonymous Coward · 2011-01-29 09:00 · Score: 0
  
  AFAIK, Android phones refer to the internal storage as "SD card", and any external SD cards as "External SD cards".
  Still, you can't unmount the internal one.
2. Re:What SD Card? by Illogical+Spock · 2011-01-29 09:04 · Score: 1
  
  It will work. The phone will be dead, so nobody (even you) will read or write anything in the SD anymore. :-)
  (I have a Nexus, and the only think I couldn't understand and think would make the phone even better is the lack of a SD port)
  
  --
  --- Illogical Spock
3. Re:What SD Card? by Tacvek · 2011-01-29 10:47 · Score: 2
  
  Android devices have two main storage locations. One is internal storage. That term specifically refers to the device mounted on /data , in which user downloaded apps, and internal app data is stored. (This is in reality pretty much always a partition on the same storage device as provides the partition mounted on /system (a.k.a. the "ROM")).
  The other is known as shared storage, and it is invariably SD. On phones without an external SD card slot, this is either an internal SD card slot, or more frequently an SD chip soldered directly to the mainboard. Shared storage is mounted on /sdcard (or /sdcard is a symlink to the real mount location, either is permitted).
  When somebody says SD Card in an Android Context they are referring to whatever is mounted on /sdcard.
  Now to further complicate matters, a few phones have provided both internal shared storage and an external SD card slot for shared storage. That is a very bad idea, since it leads to all sorts of odd bugs, but they did it anyway.
  To make matters even more confusing I am aware of at least one phone (the Droid 2) which uses a hard soldered SD chip for /system and /data, but provides no shared storage on it. It uses an external SD card slot for the shared storage.
  
  --
  Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
Market updates? by ace123 · 2011-01-29 08:55 · Score: 5, Interesting

<rant>
Wait, they can't just use Market to push out new browser updates? Something to do with the browser being integrated into the OS? (Yet all third-party browsers are not--can't google at least provide a second non-integrated but secure browser?)
Are you telling me that one of the *most complicated* applications on the OS which deals with untrusted data from the internet can not be updated? Did the android developers dream that the web browser will not have security bugs?
Then, did they just push out Android 2.3, *knowing that there was a security bug in the past, and likely to be more in the future*, and still provide no way to release updates to the browser?
Google, are you serious? </rant>
. /me updates Firefox with the hope of getting a less buggy version
1. Re:Market updates? by bemymonkey · 2011-01-29 09:47 · Score: 3, Interesting
  
  It's inexplicable. This is one area where Google needs to do some serious catching up...
2. Re:Market updates? by Anonymous Coward · 2011-01-29 09:59 · Score: 0
  
  What did everybody expect when a search engine company jumped into the OS business?
3. Re:Market updates? by bemymonkey · 2011-01-29 10:10 · Score: 4, Insightful
  
  Awesomeness. Which has actually been the case mostly...
  Sent from a Desire baked into Gingerbread.
4. Re:Market updates? by Anonymous Coward · 2011-01-29 10:30 · Score: 0
  
  it was stupid yes.
  I am hoping that in honeycomb and ice cream they start following the unix philosophy and start breaking the OS into modules so one asshole vendor can't bork the security of the whole OS.
5. Re:Market updates? by Anonymous Coward · 2011-01-29 11:12 · Score: 0
  
  AFAIK, the Market app can't update /system apps. And if Android's browser app uses any system libraries (that is, it needs root perms...) then it must be installed to /system. For that matter, TFA's flaw might not even be in the browser.
6. Re:Market updates? by fluffy99 · 2011-01-29 11:16 · Score: 2
  
  Assuming the phone even has access to the Market. Many don't have access to the standard Android Marketplace and can only get to the one the telco restricted the phone to. For the slew of Tablets out there, many can't get to the Android marketplace either. Also note that many of those are running dead-ended or proprietary/custom builds that are no longer supported and might not see any future updates at all.
  The "fragmentation" of Android is perhaps it's biggest shortcoming. There is not such thing as a standard Android install as most installs are tweaked for the hardware and the features the vendors wants to implement. It's certainly not like Apple's iOS which has maybe a dozen unique hardware configurations to maintain. I think Android is close to a few hundred "distros" (if that's an appropriate term, maybe unofficial forks would be better) that will need to get updated.
7. Re:Market updates? by fluffy99 · 2011-01-29 11:23 · Score: 1
  
  I would love to see Google try to reign some of the uncontrolled nature of Android back in. Establishing a central software repository of all of the forks of Android would be a create start. All of the manufacturers that have tweaked Android for their specific devices could provide copies of their loads, ideally including the source and details of their changes. This would give users one central place to look for updated 'firmware' (yeah I know, but that's what the vendors keep calling it). As it stands now, each vendor may or may not provide updates. There are a large number of individuals building custom loads for various orphaned devices with no coordinated means of distributing those loads.
  A centralized repository would go along way towards security and sharing feature updates. Before you yell at me, yes I realize this is a vulnerable app and not Android itself. My arguments still apply.
8. Re:Market updates? by magus_melchior · 2011-01-29 11:24 · Score: 1
  
  They've had built-in apps that you couldn't update through Market until recently-- Mail and Maps are two well-used examples.
  While I agree with your sentiment that they should've employed at least a bit more forethought to this, this could motivate them to detach the browser from the OS (assuming that's possible), and push it as a standalone app on the Market where it can be updated independently of the OS.
  What would be ideal, though, is updates for all OS components through the Market, similar to Ubuntu OS updates. Google ought to use this incident as leverage on the cell phone industry to tell them, "Look, we have to get security updates to the user ASAP, and we can't sit around debating whether they'll sue if something breaks on their devices."
  But given their reluctance to indemnify anyone if their software breaks, I don't see them having much more leverage than a toothpick does on a redwood tree.
  
  --
  "We are Microsoft. You shall be assimilated. Competition is futile."
9. Re:Market updates? by magus_melchior · 2011-01-29 11:29 · Score: 1
  
  Mini-rant (and OT): The HTML tag <i> was permitted before the update, now the current comment software filters it out in "Plain Old Text" mode for some reason-- it's even in "Allowed HTML", for goodness' sakes. I don't suppose this is a test case that was overlooked? Maybe the new CSS sets a rule for the tag to "text-style: normal;"?
  
  --
  "We are Microsoft. You shall be assimilated. Competition is futile."
10. Re:Market updates? by Anonymous Coward · 2011-01-29 14:58 · Score: 0
  
  Any device 2.2 or higher is capable of updating the cooked in software. I suspect this is what they'll do.
11. Re:Market updates? by drinkypoo · 2011-01-30 00:31 · Score: 1
  
  . /me updates Firefox with the hope of getting a less buggy version
  Apparently you're not running Minefield, which was working fine for me a couple weeks ago, and now explodes or ignores clicks before I can even get a page open.
  On a vaguely related note, wine1.3 worked for HL2 two weeks ago, then didn't a week ago, now does again. I love wine, for all my bitching.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
12. Re:Market updates? by exomondo · 2011-01-30 11:54 · Score: 1
  
  I would love to see Google try to reign some of the uncontrolled nature of Android back in.
  That's the downside of the free open source nature of Android though, anyone can use it, anyone can build a device that runs it and anyone can lock it down on the device they sell.
13. Re:Market updates? by fluffy99 · 2011-01-30 12:18 · Score: 1
  
  I would love to see Google try to reign some of the uncontrolled nature of Android back in.
  That's the downside of the free open source nature of Android though, anyone can use it, anyone can build a device that runs it and anyone can lock it down on the device they sell.
  And unfortunately, anyone can and does sell crap hardware with Android on it which severely tarnishes the reputation of Android. China is flooding the market with low-end, very slow hardware. People are getting frustrated and getting the perception that Android is garbage and not user friendly. It doesn't help when the high-end tablet makers can't seem to sell anything that doesn't cost $2-300 more than an iPad.
14. Re:Market updates? by exomondo · 2011-01-30 13:16 · Score: 1
  
  China is flooding the market with low-end, very slow hardware. People are getting frustrated and getting the perception that Android is garbage and not user friendly. It doesn't help when the high-end tablet makers can't seem to sell anything that doesn't cost $2-300 more than an iPad.
  That's the core issue, the average consumer isn't going to be able to justify spending $600 on an Android tablet that has a 7" touchscreen, GPS, wifi, 3G, etc... when they can get one with the same features for $159, nevermind the fact that the hardware in the cheap one is rubbish and slow and only runs Android 1.6.
  They need to try them out side-by-side, but even then once they've been lured in with dirt-cheap prices the chances of actually spending 400% of the cost of the cheap one are quite slim.
15. Re:Market updates? by sridharo · 2011-01-30 21:28 · Score: 1
  
  Spot on!
16. Re:Market updates? by PipsqueakOnAP133 · 2011-02-06 20:27 · Score: 1
  
  Awesomeness, indeed. I seem to be caught in the awesomeness of failure that is Android.
  Sent from my Macbook Pro cuz I have one less reason to post from my Nexus S... aside from that its battery is dead again.
17. Re:Market updates? by bemymonkey · 2011-02-06 20:37 · Score: 1
  
  Don't blame others for your mistakes. I could have told you that SAMOLED display would drain power like crazy (AMOLED saves power, yes - when displaying mostly dark images... uses up to 3x as much as a decent LCD when displaying anything moderately light) and that the system-available RAM is woefully inadequate at a smidge over 300MB... and that Samsung has quite a poor track record when it comes to Android handsets and stability/fluidity and buggy software.
  Of course, Google endorsing the (Galaxy-in-Disguise-) S as a Nexus phone is entirely their fault. Shame on them...
18. Re:Market updates? by PipsqueakOnAP133 · 2011-02-06 22:12 · Score: 1
  
  Strange, I've found that the Samsung Galaxy S units (Friend has a Captivate) seem smoother in terms of UI responsiveness than the HTC Evos I've played with. Also the Captivate and Nexus S were definitely smoother than the Motorola Atrix I played with at CES.
  My problem actually hasn't been the AMOLED display, it's the OS' incessant need to use the radio when it's in my pocket. (But yeah, the display does eat batteries too)
  If I leave the phone on a desk idle without touching it (display off, bluetooth off, wifi off, cell on) for 8-9 hours, I got 20% of my battery remaining.
  If I leave the phone mostly idle (did play mp3s for my car for 3 hours) but all the radios off, I got 90%+ remaining.
  Friends with Moto Droid 1s and other Nexus S units I've talked to are unsurprised, so I could only conclude that this is considered normal. (while I didn't get mine free from google, most of the people I know with Nexus S units got them as their employee holiday gifts)
19. Re:Market updates? by bemymonkey · 2011-02-06 23:32 · Score: 1
  
  Strange, I've found that the Samsung Galaxy S units (Friend has a Captivate) seem smoother in terms of UI responsiveness than the HTC Evos I've played with. Also the Captivate and Nexus S were definitely smoother than the Motorola Atrix I played with at CES.
  You've got to consider that Motorola are just bad at Android software (which makes the locked bootloaders all the more sad). My Dream/G1 with a decent custom ROM is about on par with my old Milestone in terms of general UI performance - slow as balls. Without custom ROMs like on the OG Droid, all Motorola devices will be more or less crippled :(
  Hence why I'll never be buying another Moto device...
  
  My problem actually hasn't been the AMOLED display, it's the OS' incessant need to use the radio when it's in my pocket. (But yeah, the display does eat batteries too)
  If I leave the phone on a desk idle without touching it (display off, bluetooth off, wifi off, cell on) for 8-9 hours, I got 20% of my battery remaining.
  If I leave the phone mostly idle (did play mp3s for my car for 3 hours) but all the radios off, I got 90%+ remaining.
  Friends with Moto Droid 1s and other Nexus S units I've talked to are unsurprised, so I could only conclude that this is considered normal. (while I didn't get mine free from google, most of the people I know with Nexus S units got them as their employee holiday gifts)
  Sounds like you've got a runaway app. That's definitely not the radios, unless they're actively sending and receiving data ALL the time... with all radios on and the device idle in standby with just Gmail sync and Sipdroid receiving calls, my Desire gets about 5mA of power drain (you can check with Battery Monitor Widget if your device's power management provides the necessary output files). That translates to about 280 hours of battery life with a 1400mAh battery.
  Over night (8 hours on average), with Sipdroid receiving calls and Trillian connected to a few IM services, Facebook, Google Reader, Gmail, Twitter and so on all syncing at least hourly, my Desire will drain between 5 or 8 percent of the battery, depending on how much there is to sync (if my Gmail account gets 20 or 30 more e-mails than usual over night, it'll use a %-point or two more).. Extrapolate that and you're looking at about 100 hours or more of standby... with EVERYTHING on and syncing.
  With my use (quite heavy - at least two or three hours a day of web surfing, half an hour of calls, music nearly constantly... probably an estimated 4 or 5 hours a day) and those sync settings, I get about 18 hours of battery life (up at 6AM, and at 8PM I've got about 30% left).
  As far as I can tell, those figures or better are more than possible with the Nexus S. In your first post I was under the impression that you were referring to active usage time, for which 8 hours is actually not that bad. I'm pretty sure I could drain an iPhone battery in less than that if I wanted to :)
20. Re:Market updates? by PipsqueakOnAP133 · 2011-02-07 07:37 · Score: 1
  
  The way I see it isn't that Motorola, Samsung, and HTC arn't bad at Android software, it's just that the stock Android software is bad. I haven't owned a Nexus One, but I did play with a friend's when it first came out, and "slow as balls" describes that perfectly as well. It's not very reassuring to me that even using Google-supported devices, there's quirks that just arn't acceptable.
  From what I can see, there's something polling the net as the phone's idle, keeping the radio on. So turning off all the radios causes that app to not drain as much. The problem is, I'm using an almost stock Nexus S. I've got GMail and Google Voice configured. And I periodically use Google Maps. When I did this test, the only software installed (aside from the default ROM) was Angry Birds and Google's Chrome to Phone (not yet configured, so it's probably not doing anything). So probability says it's even a Google app that's running amok with my cell radio.
  Your numbers sound pretty darn good, but I'm not sure how to get any closer to those kinds of numbers without turning it into an ipod touch equivalent. I'll be giving Advanced Task Killer a go since a friend recommended it to me because it helped her.
21. Re:Market updates? by bemymonkey · 2011-02-07 08:09 · Score: 1
  
  Can't quite agree with your statement about plain Android being slow in general... pure AOSP (which is basically what the Nexus phones come with) absolutely flies.
  As for your power problem:
  1. Install Battery monitor widget from the market - idle/standby drain higher than 10mA means you're not done optimizing.
  2. Check partial wake usage in battery history (you might need to Google that, unless you can get Spare Parts installed on your phone... the battery history menu in the advanced phone info menu seems to have been removed as of gingerbread). Basically any app using partial wakelocks longer than a few minutes over an entire discharge cycle are behaving rather badly - uninstall and find better behaved alternatives.
  3. Check the battery usage info in the Android settings dialog.
22. Re:Market updates? by PipsqueakOnAP133 · 2011-02-10 07:49 · Score: 1
  
  So it took a while but I logged some data using the Battery Monitor Widget.
  Basically, the phone sits in 4mA to 8mA idle for an hour or so, and then jumps to 15 to 30mA for about 3 hours.
  Then returns to 4-8mA for about 3 hours.
  Periodically, this cycling occurs over 1 hour instead of 3, but more often 3.
  By the way, I already signed out of Google Latitude as suggested by:
  http://www.google.com/support/forum/p/Google%20Mobile/thread?tid=6bcdbe3c9425039c&hl=en
  Here's the list of apps installed:
  Advanced Task Killer Free
  Angry Birds
  Awesome Drop
  Battery Monitor Widget
  Google Chrome to Phone
  ConnectBot
  Google Goggles
  Market
  There isn't much choice I have in terms of what to "uninstall and find better behaved alternatives".
  And, the battery usage info under phone settings is pretty useless. It claims most of my battery went to Google Services and Music. I was going to try to download Spare Parts from the market, but it felt questionable to get it from the market. I'd probably rather download from source and compile it myself later.
I received a text message... by jo_ham · 2011-01-29 09:48 · Score: 1

I received a text message from someone I don't know that said "don't tell anyone with an iPhone, but there's another browser exploit in my Android phone!"
I kid, I kid.
1. Re:I received a text message... by Illogical+Spock · 2011-01-29 11:28 · Score: 1
  
  You are just joking, but I need to answer. ;-)
  The iStuff have the most severe exploit of all: Apple can do what they want with the iStuff, like delete things.
  And this one exploit will never be fixed.
  
  --
  --- Illogical Spock
2. Re:I received a text message... by jo_ham · 2011-01-29 12:21 · Score: 1
  
  So can Google. Both ecosystems have remote kill switches.
  Google has used theirs too.
3. Re:I received a text message... by Illogical+Spock · 2011-01-29 12:45 · Score: 2
  
  How can they remove a program that Ive installed through my USB without knowing the name of the package? It can work for Market only, and theyve usedit once for a specific exploit.
  Anyway, I love to rant about Apple. ;-)
  
  --
  --- Illogical Spock
4. Re:I received a text message... by teh+kurisu · 2011-01-29 21:19 · Score: 1
  
  They might be able to remove an app from your phone, but they can't remove the backup you made to your PC.
Outbound Firewall by slifox · 2011-01-29 11:38 · Score: 3, Interesting

My phone has too much sensitive data to allow just any random program connect to the internet. So, my default iptables policy is to drop all outbound packets except those matching a whitelist of apps (set by the app's userid). This includes not allowing uid=0 outbound access, in case malicious apps escalate to root.

DroidWall gives a convenient interface to manage the iptables rules (requires a rooted phone).

Yes, this is overkill for a regular user, and it cuts out a lot of the convenience of a smartphone (being able to run many internet-using apps). But for me it's less of a toy and more of a personal communication device (email, and yes, occasionally phone :) as well as a personal assistant (data storage, GPS mapping, etc). I wouldn't give a random Windows desktop access to all that data, and Android is becoming very similar to any random Windows desktop (high marketshare of devices; many apps; apps are easy to install; apps can abuse their privileges or often request too many privileges; user base is willing to run any app they see on a whim => exploiters have motive and means to attack)

On the other hand, the fact that very few "regular users" use iptables on their phone, means that exploiters have no reason to try to target and bypass it. ;) sometimes it's good to be different

Combining a strict firewall with some prudence in which apps are downloaded/run results in a pretty secure platform.

(and yes, the data is encrypted/protected against physical loss and communication interception)
1. Re:Outbound Firewall by John+Betonschaar · 2011-01-29 12:13 · Score: 1
  
  So does or did this whitelist ever contain the default Android browser?
2. Re:Outbound Firewall by slifox · 2011-01-29 13:38 · Score: 1
  
  No, and it doesn't have to by whitelisted for other things to work. Obviously you most likely want to include things like Gmail, Gtalk, and a few other odd system-related users. It'd be great to narrow it down even further, but you do what you can...
  
  I don't really think smartphones make very good web browsers anyways.
  
  Obviously there is no failsafe protection -- the best you can do is add some more layers and diversify enough that you're not part of a huge group of easy targets.
3. Re:Outbound Firewall by tkprit · 2011-01-30 05:18 · Score: 1
  
  For non-rooted androids, AndFire (page has lots of "And..." apps, but AndFire is the Firewall) is decently solid. Imo. (I haven't rooted yet. Blimey, I'm lazy.) It's not in the Market, but the Market firewalls are pretty much crap imo.
Re:wtf android by alostpacket · 2011-01-29 12:25 · Score: 1

I would like to take this opportunity to tell you about my wonderful new application!!!

--
PocketPermissions Android Permission Guide
Phones that won't let you update your OS.. by cK-Gunslinger · 2011-01-29 14:02 · Score: 1

I don't really follow the smartphone scene, but aren't there some Android-based phones that currently can't be upgraded to a later OS version? Are owners of those phones just less secure, or are there patches available, if not full upgrades?
1. Re:Phones that won't let you update your OS.. by Anonymous Coward · 2011-01-29 16:12 · Score: 1
  
  Most Android phones don't receive any official OS updates from the vendors. However there is a very strong 3rd party community that puts together custom firmware for just about any device. So as long as you're not afraid to root your phone and install a custom firmware, you'll be able to update just fine.
Don't worry, a fix in 2 days by MrJones · 2011-01-29 14:10 · Score: 2

like most open source projects, the patch will be out in less than 2 days, then you can download, patch, compile and install. ohh, wait a minute ... where the the repo command in Android?

--
Get my e-mail after a captcha test in: http://tinymailt
Fix yes, Everyone get? No. by Anonymous Coward · 2011-01-29 18:09 · Score: 0

Sadly in the current state of Android, only a fraction of current phone owners will ever get the update.
jeans outlet by money888 · 2011-01-29 18:50 · Score: 0

Get the newest Coupons Codes, Promotions and Special Offers from jeans outlet. While deliberation a peculiarity as good as design, skinny jeans have been chic, voguish, sizzling, in vogue as good as even simply washable! cheap jeans's lowrise bootcut 'Billy Big T' with back flaps. Natural Whipstich Big T thread combination. http://www.jeansoutlet-usa.com/
1. Re:jeans outlet by Anonymous Coward · 2011-01-29 19:53 · Score: 0
  
  Slut
Re:wtf android by Anonymous Coward · 2011-01-29 20:39 · Score: 0

great! i will fill up the memory and bog down the whole device (As if it wasn't already sluggish and laggy) by using third party apps which are *as well* not trustworthy. AND have ads! yaaaaay!
Use Opera Mini by fluor2 · 2011-01-30 00:43 · Score: 1

I do. Why don't you too? ;)
Who needs exploits? by drseuk · 2011-01-30 03:03 · Score: 1

Just use Windows Mobile 7 which steals your data out of the box.
1. Re:Who needs exploits? by Anonymous Coward · 2011-01-30 12:00 · Score: 0
  
  Just use Windows Mobile 7
  There is no such thing.
Isn't this just a browser issue? by tkprit · 2011-01-30 05:03 · Score: 1

Maybe I'm reading this wrong, but it seems like if you d/l a different browser, you're good?
(Though I'm actually glad Market doesn't automatically update stuff unless you specifically request it to check for updates; sometimes updates can suck. What Google SHOULD do is inform you of your options (d/l update; get new browser; turn off j/s), but I don't want them putting anything on my phone w/out my knowledge. That's so... **apple/microsoft**)