New Android Exploit Discovered To Steal Data
mimd writes "A researcher at North Carolina State University has discovered yet another Android Browser exploit that affects the new Android 2.3 (Gingerbread) and previous versions. Slashdot recently covered a previous browser exploit that affected all versions of the Android Browser, but was patched in 2.3. Xuxian Jiang writes 'our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone.' The exploit is capable of reading and writing files from an Android's sdcard or system partition as well as uploading user data over the internet."
You'll see boobies. I promise
Seriously, the only way you can protect users is to take the phone from them. Be conscious about what you're doing with your phone. Despite it acting like a computer that fits your pocket, it's still just a phone.
I am a bit unimpressed with how rubbish Android can be at telling you something is wrong. Some apps appear in the market and I can't install them. All it says is it can't download them. So of course I keep trying and it fails. So is it a network error or will it never install because actually it won't run on my G1 and should it even be showing up in the market for me? It's not like it downloads it at all so it's aware of whether my phone can run it in advance so why the generic message?
I had to do a factory reset on my phone after a Google-created app killed the phone. I suspect it was Google Maps. I say that because even after doing that and Maps was then updated again it would always crash every time I started up the phone. I believe it was about a month later until it was fixed.
Today my phone and home button quit working and when bringing up the shut-down menu the only option that was there was to turn the phone off. I searched and most people just did a factory reset. I wasn't about to do that. I haven't installed any apps since the last ordeal where I had to do a factory reset and no apps were updated in ages so as far as I was concerned no factory reset should be needed.
What it was in the end is something like the cookie data for communicating to Google got corrupt for, as best as I can tell, no good reason. I'm not sure why that should put the phone in a nearly broken state and absolutely no warning message whatsoever so you're left thinking the buttons are broke or something worse. I found you can clear your Google apps cache and log back in and it fixes it. That's ridiculous, imo. I have version 1.6 of Android and there are people with at least 2.2 experiencing this problem. It's not like they're unaware of it.
I can't bring myself to pay out for an iPhone but I have to say I'm really tempted. The idea of having a phone where you have to worry about it fucking up for no apparent reason and with no warning message is awful. I'm trying to convince myself that even if I get an android phone cheaper I'm still locked in a contract so it is a big deal. But even if I want to pay for an iPhone I don't entirely agree with how Apple manages their app store but more and more I understand completely why they do it.
When Windows Phone has this kind of market share it will be the target of hackers too.
Oh, how I hate that meme.
Help stamp out iliturcy.
CM7 nightlies have been available for a while. Whole list of phones you can install that on.
Finding a flaw in the source code isn't that much easier than finding a flaw in the disassembly. In both cases, you're either spending insane amounts of time reading code, or you're using automated tools to spot certain patterns. Or you're just running the code and seeing how it really behaves, which is how most holes are found.
The problem is that finding a vulnerability in Windows or Android gives you a lot of vulnerable machines. Monocultures are bad for this exact reason, whether they're Microsoft or Google monocultures.
I am TheRaven on Soylent News
I'm not minimizing the problem or its potential consequences, but the article says:
> For now, Android users can protect themselves by disabling JavaScript support in the browser, or by using a third-party browser for now.
So the problem is the browser, not the OS, and it can be circumvented by using another browser (what a lot of people do, for example Opera and Dolphin). Good to know, since I use Dolphin most of the time, and Firefox Beta (still terribly buggy) now and then.
--- Illogical Spock
Why did this get marked Troll?
Android has taken the same position in the smartphone market Windows has in the PC market. It even did it the same way.. by being more open than Mac and working with various hardware and software vendors.
Mod me down, my New Earth Global Warmingist friends!
"There are countless oss vulnerabilities being disclosed on security lists year after year and only about 10% make front page news on Slashdot."
perhaps because a project finding bugs in the code it is developing is not particularly newsworthy but a third party finding bugs in someone else's expensive code that is marketed as being 'secure' is?
no conspiracy, no cheerleaders. people just like to read about the 'big guy' getting a PR spanking rather than the flurry of irc messages between a few devs.
in this case, android is one of the 'big guys,' hence why it appears here. see how that works?
The Nexus S doesn't have an SD card slot, I assume the exploit also allows uploading of anything in the phone's internal storage area but "removing the SD card" as a workaround isn't going to work on the Nexus S!
<rant>
Wait, they can't just use Market to push out new browser updates? Something to do with the browser being integrated into the OS? (Yet all third-party browsers are not--can't google at least provide a second non-integrated but secure browser?)
Are you telling me that one of the *most complicated* applications on the OS which deals with untrusted data from the internet can not be updated? Did the android developers dream that the web browser will not have security bugs?
Then, did they just push out Android 2.3, *knowing that there was a security bug in the past, and likely to be more in the future*, and still provide no way to release updates to the browser?
Google, are you serious? </rant>
/me updates Firefox with the hope of getting a less buggy version
Here's my workaround to the market not completing downloads and not installing them even if they appear to have successfully downloaded.
1) back all the way out of the Market
2) Go to Settings --> Applications --> Manage Applications
3) Click on the "All" tab at the top
4) Wait a couple of minutes, and then find "Market" in the list (list isn't always in order, so it can be hard to find if you have a lot of apps)
5) Click "Market"
6) If the "Force Stop" button isn't grayed, click it to force the Market app to end
7) Click the "Clear Data" button
8) Re-launch the Market app, click "Agree", and try it again.
I know it's stupid, but it does work about 90% of the time. If not, rinse and repeat.
I received a text message from someone I don't know that said "don't tell anyone with an iPhone, but there's another browser exploit in my Android phone!"
I kid, I kid.
The iPhone may not be your best choice. I accidentally let my iPhone 'upgrade' from 3.2 to 4.1 (note to self - do nothing at all, except perhaps post on Slashdot when tired). After a very frustrating four hours of reinstalling itunes, waiting for Apple's 'upgrade server', googling a dozen cryptic error messages and finally reinstalling everything from scratch, I finally have a functional phone.
It's pretty amazing that Apple can manage to have so many holes and gotchas in their locked down system. Much of it seems to be just bad programming (not realizing a preference file is corrupt, having twizzlefits about exactly which USB port is OK, cruft files left over from previous installs) and sloth.
I'd recommend a DOS phone. Nice and simple. Just use a hex editor to fix things. None of this complex new stuff. Bah.
Faster! Faster! Faster would be better!
Is the Nexus S still the only 2.3 phone available?
Not at all -- there's at least five different gingerbread ROMs available for the HTC Desire over on XDA, for example. Most popular phones should have an AOSP build of gingerbread by now, it's been out long enough!
Much worse. On Windows you enable autoupdates and vulnerability soon disappears. With Android you wait months for new version which carrier will or will not make available for your phone.
and every single one of them will void your warranty on the hardware.
Where are the HTC 2.3 ROMs? You know the ones that you don't lose your hardware warranty for installing?
Maybe if HTC only had 2 or 3 models they could work to make at least one of them good, and update on a regular basis.
i thought once I was found, but it was only a dream.
> Mobile Windows didn't have such glaring problems with malware stealing from the user.
That's mostly because statistically, there weren't enough Windows Mobile users (or PalmOS users, or Symbian users, for that matter) to be worth the time of organized crime.
The problem with Android isn't the fact that the source is available to peruse, it's the fact that manufacturers and American carriers do their best to make upgrades as difficult as possible despite Android's open-source Linux roots. An exploit like this barely gets a yawn from Nexus One users, because someone will update it before any real exploits based on this ever become a problem. In contrast, owners of American Samsung Galaxy S phones will be shitting bricks, because we're still waiting for a fucking kernel that works with Froyo. Or at least leaked CDMA loadable kernel modules compatible with a 2.6.32 kernel so we can build our own without losing basically all the hardware drivers it needs to work properly.
Sidetrip: Unlike Windows, Linux makes no effort to maintain a stable ABI between versions. Simplified a bit, this basically means that a loadable kernel module (the Linux analog to a hardware driver) that's built for a 2.6.29 kernel will probably crash and burn on a 2.6.32 kernel. The official Linux party line is that it makes it harder for manufacturers to keep drivers proprietary, and motivates vendors to release source for their drivers so it can be automatically rebuilt for each new kernel release. The cold American consumer reality is that the Android Emperor is nude. The Nexus S can't do 4G on T-Mobile, is fundamentally incompatible with Sprint and Verizon, and AT&T's slow, capped, expensive 3G isn't even a real option. We're stuck with an allegedly-open operating system inextricably bound to hardware that's more locked down and proprietary than an iPhone, and all we can really do is hope some of Linux's core developers also own Android phones and are starting to really, really feel some of the ABI pain themselves on a daily basis.
Put another way, here's a more technical summary of the problem:
* Samsung has released source to its kernel and loadable kernel module drivers, but the LKM source won't build against any known 2.6.32 kernel due to missing dependencies.
* The .ko modules themselves were built against the ABI of a specific build of 2.6.29 that changed enough with 2.6.32 for most of them to crash and burn if you try using them with a 2.6.32 kernel.
* Froyo and Gingerbread have dependencies on the 2.6.32 kernel. You can cobble together a FrankenBuild that sort of works with a 2.6.29 kernel, but it'll never be a True Froyo/Gingerbread, and will always have bugs hidden below the surface veneer.
Metaphorically, an American Samsung Galaxy S trying to run Froyo is kind of like a laptop that shipped with Windows 98 and a winmodem. The unfortunate user upgrades it to XP himself, then discovers that the winmodem only has drivers for Win98. Through some miracle, the winmodem drivers have their "source" released, but that source requires a thirdparty library called LunexantProprietaryLib that isn't included, and won't build without it. After lots of hacking, the user manages to cobble together drivers that will allow the modem to limp along at 9600 baud by pretending it's an older version of the chipset, but getting it to do 56k without official drivers is hopeless. And if, by some miracle of god, a never-released copy of drivers for XP get leaked despite the determination of the manufacturer to keep it unavailable through the perverse logic that fucking their customers will somehow encourage them to buy a newer model from the same company that screwed them less than a year earlier (instead of buying one made by just about ANYBODY else), the user discovers that the drivers needed for 3D acceleration have the same problem as the Winmodem, and it's back to square one.
What Google really needs to do is define an ABI thunking layer and require that any and all device drivers
It will?
Where, exactly, is that spelled out in the warranty agreement?
The warranty for my Droid 1 doesn't seem to care a bit about software -- in fact, it goes on at length about exactly how little Motorola gives a shit about how poorly the software on the device behaves.
HTC's warranty is similarly worded.
Hack away.
Kid-proof tablet..
My phone has too much sensitive data to allow just any random program connect to the internet. So, my default iptables policy is to drop all outbound packets except those matching a whitelist of apps (set by the app's userid). This includes not allowing uid=0 outbound access, in case malicious apps escalate to root.
DroidWall gives a convenient interface to manage the iptables rules (requires a rooted phone).
Yes, this is overkill for a regular user, and it cuts out a lot of the convenience of a smartphone (being able to run many internet-using apps). But for me it's less of a toy and more of a personal communication device (email, and yes, occasionally phone :) as well as a personal assistant (data storage, GPS mapping, etc). I wouldn't give a random Windows desktop access to all that data, and Android is becoming very similar to any random Windows desktop (high marketshare of devices; many apps; apps are easy to install; apps can abuse their privileges or often request too many privileges; user base is willing to run any app they see on a whim => exploiters have motive and means to attack)
On the other hand, the fact that very few "regular users" use iptables on their phone, means that exploiters have no reason to try to target and bypass it. ;) sometimes it's good to be different
Combining a strict firewall with some prudence in which apps are downloaded/run results in a pretty secure platform.
(and yes, the data is encrypted/protected against physical loss and communication interception)
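The default-drop outbound policy with a per-app UID whitelist described in the comment above, as an added example (not part of the original comment and not DroidWall's code): one shell function emits an `iptables-restore` ruleset, another checks `iptables-save`-style text for the two properties the comment relies on. The function names and the UIDs 10023 and 10045 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Nothing here touches the live firewall: the ruleset is only
# printed, so it can be reviewed before being fed to iptables-restore as root.

# is_valid_uid UID -> succeeds only for a decimal UID other than 0.
is_valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ne 0 ]                 # uid 0 (root) is never whitelisted
}

# gen_output_whitelist UID... -> prints an iptables-restore ruleset.
# All UIDs are validated before anything is printed, so a bad argument
# never yields a partial ruleset.
gen_output_whitelist() {
    [ "$#" -gt 0 ] || { echo "no UIDs given" >&2; return 1; }
    for uid in "$@"; do
        is_valid_uid "$uid" || { echo "refusing uid '$uid'" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'     # the comment only describes outbound filtering
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT DROP [0:0]'      # default policy: drop all outbound packets
    echo '-A OUTPUT -o lo -j ACCEPT'
    for uid in "$@"; do
        # The owner match applies to locally generated packets that have an
        # owning socket; packets without one fall through to the DROP policy.
        echo "-A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    echo 'COMMIT'
}

# audit_output_rules: reads iptables-save-style text on stdin. Succeeds only if
# the OUTPUT policy is DROP, no rule accepts traffic for uid 0, and every
# ACCEPT rule is scoped to a UID or to the loopback interface.
audit_output_rules() {
    awk '
        /^:OUTPUT / { policy = $2 }
        /^-A OUTPUT / && / -j ACCEPT/ {
            owner = ""; lo = 0
            for (i = 1; i < NF; i++) {
                if ($i == "--uid-owner") owner = $(i + 1)
                if ($i == "-o" && $(i + 1) == "lo") lo = 1
            }
            if (owner == "0" || owner == "root") bad = 1  # root must stay blocked
            if (owner == "" && !lo) bad = 1               # unscoped ACCEPT defeats the whitelist
        }
        END { exit (policy == "DROP" && !bad) ? 0 : 1 }
    '
}

# Demo with constructed app UIDs: print the ruleset, then audit it.
gen_output_whitelist 10023 10045
gen_output_whitelist 10023 10045 | audit_output_rules && echo "audit: ok"
```

On a device the audit would be run as `iptables-save -t filter | audit_output_rules`, which requires root.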
Android could stand to be more open, or use different jumping off points for work towards future versions.
Not being GPL'd, the modified source from the various handset vendors / carriers isn't likely to make it back into the gene pool. Users can't fix bugs or make other improvements to what came on their devices, and any would-be natural selection using "surviving" popular variations from some vendors normally doesn't get any added goodness put back into the main distribution. The evolutionary mechanism for selection of better code-genes going forward is absent.
For users, it doesn't really seem like open source if you're effectively on a closed source fork, and other than praying for fixes/updates from the closed vendor, your only option is to jump to the other branch and lose whatever custom growth you'd bought into.
Outside of developer handsets, is there EVEN ONE carrier/handset vendor that provides the source to what they ship?
Although there are likely far fewer bugs, in some ways Android is WORSE THAN (desktop) WINDOWS because there are so many different builds with no reliable source of timely updates.
Even the PCs with awful demoware-customized versions of Windows still get patches. Also, Windows has a fairly long life before becoming unsupported with patches. Some Android products are out of date when they ship yet they never see an update. There's generally no jailbreaking needed to replace a copy of Windows.
Perhaps there should be class action suits against various carriers/handset vendors for damages resulting from vulnerabilities that could have been prevented had they not been negligent in providing timely updates.
Google could improve things by switching to the GPL, and supporting at least modular code updates on ALL devices for those functions where bugs would likely expose vulnerabilities. It's great that there is source for work on some substitute builds, but that's really not enough.
I would like to take this opportunity to tell you about my wonderful new application!!!
PocketPermissions Android Permission Guide
I don't really follow the smartphone scene, but aren't there some Android-based phones that currently can't be upgraded to a later OS version? Are owners of those phones just less secure, or are there patches available, if not full upgrades?
like most open source projects, the patch will be out in less than 2 days, then you can download, patch, compile and install. ohh, wait a minute ... where is the repo command in Android?
Get my e-mail after a captcha test in: http://tinymailt
While that's helpful, that's absolutely horrible. That's not something mom and pop are going to be able to figure out or even understand.
This almost feels like a +5 black comedy moderation. Just read through that list of 8 steps, many of which can be further broken down to more steps. Step 4 is especially endearing if taken literally, which may sadly be true. Shit like this is why people will buy the Apple product even if it's locked down or forces the purchaser to hand over his first-born child.
I do. Why don't you too? ;)
Just use Windows Mobile 7 which steals your data out of the box.
I'm having a better experience w/ Android right now though I'm still not fond of that default Facebook+contacts shit. The first thing I dl'ed just happened to be Advanced Task Killer and it stays open in notification area — if I have a problem, I open ATK and kill everything except ATK. (Don't worry; the important stuff restarts itself anyway. Even the unimportant bloatware starts itself again. ...I must root this thing.)
I have ipod touches and have used iPhones — imo not much better except in batt. life. I think the best phones (reliability/security) are probably still RIM (it's just overkill for my personal needs, and well hell, I wanted to try to android!). But if your issues are apps, make a habit of reading reviews before d/ling anything. (I don't mean "Market" reviews, either. Find some android forums.)
If you haven't rooted, take your phone in and complain. (If you have rooted, unbrick it then take it back.) Your buttons SHOULD work. In my experience the store employees just pop out the SD card and give me a new phone instead of trying to repair it.
Maybe I'm reading this wrong, but it seems like if you d/l a different browser, you're good?
(Though I'm actually glad Market doesn't automatically update stuff unless you specifically request it to check for updates; sometimes updates can suck. What Google SHOULD do is inform you of your options (d/l update; get new browser; turn off j/s), but I don't want them putting anything on my phone w/out my knowledge. That's so... **apple/microsoft**)
The physical buttons do indeed work, it's just that the software basically ignores them and I've had the phone for about 2 years so I don't think I'll get anything for it. I have fixed it so it's back to normal
Breaks the home and phone button and removes options from the shut down menu is the fact that the Google Apps cache becomes corrupt. In fact supposedly it's as something basic as just a cookie becoming corrupt according to some.
I can't for the life of me understand why that should disable the home button other than the fact your Google account is so integrated into the phone that it can break things it probably should have no effect over. The fix isn't that hard. I think it would just be nice if it hadn't gone on this long (it's at least in 1.6 to 2.2) or it would tell you there is a software problem.
I'm wondering if it's just better to have a cheap phone and then some sort of PDA or tablet but then I'd feel like I'd be going back to old days with my Palm III. One device would be ideal but not if it limits my ability to make calls.
> and every single one of them will void your warranty on the hardware.
They may or may not (although I doubt such a void warranty claim would stand up in court). But since you can always revert to stock with one of the OTA ROMs, it hardly matters, does it? My phone is currently being repaired, and you can be assured that I reverted to stock before sending it back ...
> Where are the HTC 2.3 ROMs? You know the ones that you don't lose your hardware warranty for installing?
So HTC aren't concerned with building new ROMs for older hardware? That's one more reason to switch over to the community ROMs!
I'm not sure what exactly your fear of using an AOSP ROM is, but bear in mind that they have a lot more active development than an HTC ROM, much easier bug reporting and much faster bug fixing, not to mention many more features. And if you really do like HTC Sense, then there's several excellent Sense-based ROMs (LeeDroid being the standout) which will give you your Sense-UI fix with many more features and a better kernel to boot.