New Android Exploit Discovered To Steal Data
mimd writes "A researcher at North Carolina State University has discovered yet another Android Browser exploit that affects the new Android 2.3 (Gingerbread) and previous versions. Slashdot recently covered a previous browser exploit that affected all versions of the Android Browser, but was patched in 2.3. Xuxian Jiang writes 'our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone.' The exploit is capable of reading and writing files from an Android's sdcard or system partition as well as uploading user data over the internet."
I am a bit unimpressed with how rubbish Android can be at telling you something is wrong. Some apps appear in the market and I can't install them. All it says is it can't download them. So of course I keep trying and it fails. So is it a network error or will it never install because actually it won't run on my G1 and should it even be showing up in the market for me? It's not like it downloads it at all so it's aware of whether my phone can run it in advance so why the generic message?
I had to do a factory reset on my phone after a google created app killed the phone. I suspect it was google maps. I say that because even after doing that and maps was then updated again it would always crash every time I started up the phone. I believe it was about a month later until it was fixed.
Today my phone and home button quit working and when bringing up the shut-down menu the only option that was there was to turn the phone off. I searched and most people just did a factory reset. I wasn't about to do that. I haven't installed any apps since the last ordeal where I had to do a factory reset and no apps were updated in ages so as far as I was concerned no factory reset should be needed.
What it was in the end is something like the cookie data for communicating to Google got corrupt for as best as I can tell no good reason. I'm not sure why that should put the phone in a nearly broken state and absolutely no warning message whatsoever so you're left thinking the buttons are broke or something worse. I found you can clear your google apps cache and log back in and it fixes it. That's ridiculous, imo. I have version 1.6 of Android and there are people with at least 2.2 experience this problem. It's not like they're unaware of it.
I can't bring myself to pay out for an iPhone but I have to say I'm really tempted. The idea of having a phone where you have to worry about it fucking up for no apparent reason and with no warning message is awful. I'm trying to convince myself that even if I get an android phone cheaper I'm still locked in a contract so it is a big deal. But even if I want to pay for an iPhone I don't entirely agree with how Apple manages their app store but more and more I understand completely why they do it.
When Windows Phone has this kind of market share it will be the target of hackers too.
Oh, how I hate that meme.
Help stamp out iliturcy.
CM7 nightlies have been available for a while. Whole list of phones you can install that on.
I'm not minimizing the problem or its potential consequences, but the article says:
> For now, Android users can protect themselves by disabling JavaScript support in the browser, or by using a third-party browser for now.
So the problem is the browser, not the OS, and it can be circumvented by using another browser (what a lot of people do, for example Opera and Dolphin). Good to know, since I use Dolphin most of the time, and Firefox Beta (still terribly buggy) now and then.
--- Illogical Spock
Why did this get marked Troll?
Android has taken the same position in the smartphone market Windows has in the PC market. It even did it the same way.. by being more open than Mac and working with various hardware and software vendors.
Mod me down, my New Earth Global Warmingist friends!
<rant>
Wait, they can't just use Market to push out new browser updates? Something to do with the browser being integrated into the OS? (Yet all third-party browsers are not--can't google at least provide a second non-integrated but secure browser?)
Are you telling me that one of the *most complicated* applications on the OS which deals with untrusted data from the internet can not be updated? Did the android developers dream that the web browser will not have security bugs?
Then, did they just push out Android 2.3, *knowing that there was a security bug in the past, and likely to be more in the future*, and still provide no way to release updates to the browser?
Google, are you serious? </rant>
/me updates Firefox with the hope of getting a less buggy version
Here's my workaround to the market not completing downloads and not installing them even if they appear to have successfully downloaded.
1) back all the way out of the Market
2) Go to Settings --> Applications --> Manage Applications
3) Click on the "All" tab at the top
4) Wait a couple of minutes, and then find "Market" in the list (list isn't always in order, so it can be hard to find if you have a lot of apps)
5) Click "Market"
6) If the "Force Stop" button isn't grayed, click it to force the Market app to end
7) Click the "Clear Data" button
8) Re-launch the Market app, click "Agree", and try it again.
I know it's stupid, but it does work about 90% of the time. If not, rinse and repeat.
The iPhone may not be your best choice. I accidentally let my iPhone 'upgrade' from 3.2 to 4.1 (note to self - do nothing at all, except perhaps post on Slashdot when tired). After a very frustrating four hours of reinstalling itunes, waiting for Apple's 'upgrade server', googling a dozen cryptic error messages and finally reinstalling everything from scratch, I finally have a functional phone.
It's pretty amazing that Apple can manage to have so many holes and gotchas in their locked down system. Much of it seems to be just bad programming (not realizing a preference file is corrupt, having twizzlefits about exactly which USB port is OK, cruft files left over from previous installs) and sloth.
I'd recommend a DOS phone. Nice and simple. Just use a hex editor to fix things. None of this complex new stuff. Bah.
Faster! Faster! Faster would be better!
Android devices have two main storage locations. One is internal storage. That term specifically refers to the device mounted on /data, in which user downloaded apps, and internal app data is stored. (This is in reality pretty much always a partition on the same storage device as provides the partition mounted on /system (a.k.a. the "ROM")).
The other is known as shared storage, and it is invariably SD. On phones without an external SD card slot, this is either an internal SD card slot, or more frequently an SD chip soldered directly to the mainboard. Shared storage is mounted on /sdcard (or /sdcard is a symlink to the real mount location, either is permitted).
When somebody says SD Card in an Android Context they are referring to whatever is mounted on /sdcard.
Now to further complicate matters, a few phones have provided both internal shared storage and an external SD card slot for shared storage. That is a very bad idea, since it leads to all sorts of odd bugs, but they did it anyway.
To make matters even more confusing I am aware of at least one phone (the Droid 2) which uses a hard soldered SD chip for /system and /data, but provides no shared storage on it. It uses an external SD card slot for the shared storage.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
> Mobile Windows didn't have such glaring problems with malware stealing from the user.
That's mostly because statistically, there weren't enough Windows Mobile users (or PalmOS users, or Symbian users, for that matter) to be worth the time of organized crime.
The problem with Android isn't the fact that the source is available to peruse, it's the fact that manufacturers and American carriers do their best to make upgrades as difficult as possible despite Android's open-source Linux roots. An exploit like this barely gets a yawn from Nexus One users, because someone will update it before any real exploits based on this ever become a problem. In contrast, owners of American Samsung Galaxy S phones will be shitting bricks, because we're still waiting for a fucking kernel that works with Froyo. Or at least leaked CDMA loadable kernel modules compatible with a 2.6.32 kernel so we can build our own without losing basically all the hardware drivers it needs to work properly.
Sidetrip: Unlike Windows, Linux makes no effort to maintain a stable ABI between versions. Simplified a bit, this basically means that a loadable kernel module (the Linux analog to a hardware driver) that's built for a 2.6.29 kernel will probably crash and burn on a 2.6.32 kernel. The official Linux party line is that it makes it harder for manufacturers to keep drivers proprietary, and motivates vendors to release source for their drivers so it can be automatically rebuilt for each new kernel release. The cold American consumer reality is that the Android Emperor is nude. The Nexus S can't do 4G on T-Mobile, is fundamentally incompatible with Sprint and Verizon, and AT&T's slow, capped, expensive 3G isn't even a real option. We're stuck with an allegedly-open operating system inextricably bound to hardware that's more locked down and proprietary than an iPhone, and all we can really do is hope some of Linux's core developers also own Android phones and are starting to really, really feel some of the ABI pain themselves on a daily basis.
Put another way, here's a more technical summary of the problem:
* Samsung has released source to its kernel and loadable kernel module drivers, but the LKM source won't build against any known 2.6.32 kernel due to missing dependencies.
* The .ko modules themselves were built against the ABI of a specific build of 2.6.29 that changed enough with 2.6.32 for most of them to crash and burn if you try using them with a 2.6.32 kernel.
* Froyo and Gingerbread have dependencies on the 2.6.32 kernel. You can cobble together a FrankenBuild that sort of works with a 2.6.29 kernel, but it'll never be a True Froyo/Gingerbread, and will always have bugs hidden below the surface veneer.
Metaphorically, an American Samsung Galaxy S trying to run Froyo is kind of like a laptop that shipped with Windows 98 and a winmodem. The unfortunate user upgrades it to XP himself, then discovers that the winmodem only has drivers for Win98. Through some miracle, the winmodem drivers have their "source" released, but that source requires a thirdparty library called LunexantProprietaryLib that isn't included, and won't build without it. After lots of hacking, the user manages to cobble together drivers that will allow the modem to limp along at 9600 baud by pretending it's an older version of the chipset, but getting it to do 56k without official drivers is hopeless. And if, by some miracle of god, a never-released copy of drivers for XP get leaked despite the determination of the manufacturer to keep it unavailable through the perverse logic that fucking their customers will somehow encourage them to buy a newer model from the same company that screwed them less than a year earlier (instead of buying one made by just about ANYBODY else), the user discovers that the drivers needed for 3D acceleration have the same problem as the Winmodem, and it's back to square one.
What Google really needs to do is define an ABI thunking layer and require that any and all device drivers
It will?
Where, exactly, is that spelled out in the warranty agreement?
The warranty for my Droid 1 doesn't seem to care a bit about software -- in fact, it goes on at length about exactly how little Motorola gives a shit about how poorly the software on the device behaves.
HTC's warranty is similarly worded.
Hack away.
Kid-proof tablet..
My phone has too much sensitive data to allow just any random program connect to the internet. So, my default iptables policy is to drop all outbound packets except those matching a whitelist of apps (set by the app's userid). This includes not allowing uid=0 outbound access, in case malicious apps escalate to root.
DroidWall gives a convenient interface to manage the iptables rules (requires a rooted phone).
Yes, this is overkill for a regular user, and it cuts out a lot of the convenience of a smartphone (being able to run many internet-using apps). But for me it's less of a toy and more of a personal communication device (email, and yes, occasionally phone :) as well as a personal assistant (data storage, GPS mapping, etc). I wouldn't give a random Windows desktop access to all that data, and Android is becoming very similar to any random Windows desktop (high marketshare of devices; many apps; apps are easy to install; apps can abuse their privileges or often request too many privileges; user base is willing to run any app they see on a whim => exploiters have motive and means to attack)
On the other hand, the fact that very few "regular users" use iptables on their phone, means that exploiters have no reason to try to target and bypass it. ;) sometimes it's good to be different
Combining a strict firewall with some prudence in which apps are downloaded/run results in a pretty secure platform.
(and yes, the data is encrypted/protected against physical loss and communication interception)
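The policy described in the comment above (outbound traffic dropped by default, a per-app UID whitelist, uid 0 never allowed), written out as an added example that is not part of the original post or of DroidWall. The function only prints the iptables commands so they can be reviewed before a root shell applies them; the UIDs and the function name `build_rules` are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate (not apply) an egress whitelist keyed on app UID.
# Each installed Android app runs under its own Linux UID, which is what
# the iptables "owner" match tests on locally generated packets.

ALLOWED_UIDS="10023 10041"   # constructed sample UIDs, e.g. mail client and browser

build_rules() {
    # $1: space-separated list of UIDs that may send outbound traffic
    echo "iptables -F OUTPUT"
    # Loopback stays open so local services keep working.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for uid in $1; do
        case "$uid" in
            ''|*[!0-9]*)
                echo "skip: '$uid' is not a numeric UID" >&2
                continue ;;
        esac
        # Root is never whitelisted: an app that escalates to uid 0
        # must not gain network access as a side effect.
        if [ "$uid" -eq 0 ]; then
            echo "skip: uid 0 is never whitelisted" >&2
            continue
        fi
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # Default policy goes last, so a failure part-way through does not
    # leave the device with DROP and no ACCEPT rules.
    echo "iptables -P OUTPUT DROP"
}

# Print the rule set for review; pipe it to a root shell to apply it.
build_rules "$ALLOWED_UIDS"
```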
How can they remove a program that I've installed through my USB without knowing the name of the package? It can work for Market only, and they've used it once for a specific exploit.
Anyway, I love to rant about Apple. ;-)
--- Illogical Spock
like most open source projects, the patch will be out in less than 2 days, then you can download, patch, compile and install. ohh, wait a minute ... where is the repo command in Android?
Get my e-mail after a captcha test in: http://tinymailt