Swiped Tokens Expose Android Devices To Data Theft

← Back to Stories (view on slashdot.org)

Swiped Tokens Expose Android Devices To Data Theft

Posted by CmdrTaco on Tuesday May 17, 2011 @04:07AM from the swipe-the-leg dept.

tsamsoniw writes "Researchers at the University of Ulm have found that eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."

162 comments

Min score:

Reason:

Sort:

Cloud and Google by x*yy*x · 2011-05-17 04:08 · Score: -1, Flamebait

Another case where it really is bad to store everything in the cloud. Is it just me or does Android seem to have these security problems come out almost every day? I hope Google secures its own servers a little better than what the amount of security problems on Android suggests...
1. Re:Cloud and Google by Anonymous Coward · 2011-05-17 04:11 · Score: 4, Insightful
  
  Please. This is abhorrent fear-mongering.
  This is hardly different than sidejacking someone's Facebook session on unsecured wifi at Starbucks. Don't send private data that you want to be secure over inherently insecure networks.
2. Re:Cloud and Google by clang_jangle · 2011-05-17 04:12 · Score: 0, Flamebait
  
  Is it just me or does Android seem to have these security problems come out almost every day?
  It isn't just you. So far the fanbois mod me down every time I say so, but android really is a huge disappointment. So ironic that Linux finally gets popular, but in such a form.
  
  --
  Caveat Utilitor
3. Re:Cloud and Google by mehrotra.akash · 2011-05-17 04:16 · Score: 1, Insightful
  
  A shiny,insecure UI will always be more popular than a Plain,secure one
4. Re:Cloud and Google by clang_jangle · 2011-05-17 04:16 · Score: 1
  
  See? Retards...
  
  --
  Caveat Utilitor
5. Re:Cloud and Google by jeffmeden · 2011-05-17 04:17 · Score: 4, Informative
  
  While it is fear-mongering, it is hardly as trivial as the Facebook hacks of yore. For one, there is no way to enable/require SSL for these tokens (at least in plain sight). Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.
  Therefore, if you have an Android phone you basically better never use WiFi at less than WPA2 grade encryption unless you want to risk your email and other services being compromised, period, end of story, no workaround.
  I can only hope that thanks to the openness of Android, someone can code an app that allows for more granular control of what services are connecting at any given time, to at least give those with a clue the ability to stay safe when using open wifi.
6. Re:Cloud and Google by Anonymous Coward · 2011-05-17 04:18 · Score: -1
  
  Yeah, it's irrelevant really. Android's abuse of DHCP leases (and Google's refusal to admit the problem exists) means Android devices will be banned from most public WiFi networks before anyone can exploit this.
7. Re:Cloud and Google by h4rr4r · 2011-05-17 04:22 · Score: 1
  
  Sure there is, don't support unencrypted wireless on the devices.
8. Re:Cloud and Google by TheGratefulNet · 2011-05-17 04:22 · Score: 3, Interesting
  
  google is harming their own rep and they don't even care. or they are too big to stop it.
  over the weekend I bought my first android tablet. I didn't expect much as it was a $100 frys special...
  the hardware vendor did not care about quality. cardboard chads were stuck under the resistive touch screen and you could see and feel bumps as you moved your finger over. horrible! they released product like that.
  worse, the pad went into an annoying crash/reboot cycle. I went into one gui screen, tried to change some values and it crashed/rebooted. I was just configuring something, not even USING the damned tablet.
  apple is evil, its true; but at least they ensure a reasonable experience on their tablet. its hella expensive and locked down, but at least they don't ship product with junk under the screen and with glaring showstopper bugs.
  I know you can blame the vendor for shoddy hw and sw quality, but it does speak to google that they are so lax with the vendors. a bit of tighter control would have benefited them. the fragmentation is also a fall-out of their lack of management on the android platform.
  android is 'all over the place'. its a dogs breakfast. (that's not a good thing, btw).
  
  --
  
  --
  "It is now safe to switch off your computer."
9. Re:Cloud and Google by datapharmer · 2011-05-17 04:24 · Score: 1
  
  Seems like it would be easy enough to require ssl for the tokens... can you explain why google couldn't just make this possible via an update? Alternatively they could provide an option to turn off sync when wifi is unsecured.
  
  --
  Get a web developer
10. Re:Cloud and Google by sfunk1x · 2011-05-17 04:29 · Score: 1
  
  Who is stupid enough to connect to an unsecured wireless connection... with their personal cellular device?
11. Re:Cloud and Google by jellomizer · 2011-05-17 04:30 · Score: 0
  
  Because it is pointing out the Original Argument about security that the OSS zealots feared. Linux isn't that much more secure the only reason it gets attacked less is because it is less popular. As distributions of Linux get popular they become targets and get hacked.
  As much as we hate the Apple Store block of apps, it does help protect us in terms of security.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
12. Re:Cloud and Google by clang_jangle · 2011-05-17 04:31 · Score: 0, Troll
  
  android is 'all over the place'. its a dogs breakfast. (that's not a good thing, btw).
  I'm with you, it's dreadful. My friend has a verizon Droid which has made random calls and sent random texts since new. It flat-out astonishes me that people not only put up with shenanigans like that, but they will aggressively try to shout down anyone who mentions it. When it comes to Android, the emperor simply has no clothes. Of course, the same thing has been true of microsoft's offerings since the beginning. Doesn't seem to hurt adoption, so long as the marketing hits the right spot. But I strongly prefer competent systems.
  
  --
  Caveat Utilitor
13. Re:Cloud and Google by clang_jangle · 2011-05-17 04:35 · Score: 1
  
  You really are old enough to should know better than to try that hoary, ancient troll. Maybe if you learn more about how linux systems work you'll get over the delusion that the only thing wrong with windows security is "it's too popular".
  
  --
  Caveat Utilitor
14. Re:Cloud and Google by vajorie · 2011-05-17 04:37 · Score: 3, Insightful
  
  You missed this part:
  
  turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.
  
  I often connect to unencrypted wireless networks with my laptop, knowing full well that unless I ask it to, it will not be exchanging private info with anything. I set it up that way. How do I do that with my android? I doesn't stop sending bits and pieces of information, afaik, even when you turn off sync. The only thing that comes to mind is using droidwall...
15. Re:Cloud and Google by mpicker0 · 2011-05-17 04:37 · Score: 4, Insightful
  
  Just about anyone at an airport or hotel, for starters. And what's wrong with that? Shouldn't I be able to expect that to work, without compromising my accounts?
16. Re:Cloud and Google by tepples · 2011-05-17 04:38 · Score: 2
  
  Who is stupid enough to connect to an unsecured wireless connection
  Plenty of people. Otherwise restaurants wouldn't offer them to entice customers to eat there.
  
  with their personal cellular device?
  There isn't much of a difference between a "smartphone" and a "laptop" anymore except for size. Tethering and USB 3G modems have turned laptops into "personal cellular devices". (If you disagree, we may have run into a definition problem.)
17. Re:Cloud and Google by PitaBred · 2011-05-17 04:41 · Score: 1
  
  Yes, just like their archiving of your location data keeps you more secure... Apple is totally perfect, right? They wouldn't EVER let anything unknown or an app that did more than it said into the app store, right?
  This is simply an implementation flaw. Shit like that happens on ANY system. It's just that with open systems you actually learn about it. Are you SURE that you know all the security weaknesses in your iProduct? Are you sure Apple is telling you everything? How can you be?
  
  --
  My blog. Good stuff (when I remember to update it). Read it.
18. Re:Cloud and Google by asdf7890 · 2011-05-17 04:42 · Score: 2
  
  You need to not use wireless at all in that case, aside from known trusted networks that you are sure contain only trusted clients. Unless you are using WPA-Enterprise all clients on the same AP are using the same encryption key so can decode each others packets (intercepted simply by putting your network adaptor into promiscuous mode) easily.
  
  So public wireless is a no-no even if it is not working "plain" (no authentication/encryption), and private wireless is out too unless you have audited every device that has access.
  
  You could get around this by using some for of VPN setup of course, but that option is not open to non-technical users.
19. Re:Cloud and Google by crashumbc · 2011-05-17 04:43 · Score: 1
  
  Sounds like a OE problem to me, I've had a Incredible for over a year and never had problems like that... Tell your friend to stop blaming his phone for his drunk shenanigans? (BTW there's even an app in the google market to stop him from drunk dialing search for "drunkblocker")
20. Re:Cloud and Google by clang_jangle · 2011-05-17 04:47 · Score: 1, Troll
  
  Or you could unjustifiably assuming things. I've been in the room when her Droid was on the table with no-one anywhere near it and it called me. :P
  
  --
  Caveat Utilitor
21. Re:Cloud and Google by Anonymous Coward · 2011-05-17 04:50 · Score: 0
  
  You realize that your WiFi traffic goes plain-text again as soon as it hits that first router? So you can trust a router that encrypts traffic over the air, but not one that ever does? Why is everyone so dense?!?
  The traffic is not safe without end to end encryption...
22. Re:Cloud and Google by Ender_Stonebender · 2011-05-17 04:50 · Score: 2
  
  You bought a tablet at a price point where you could expect a dog's breakfast, and you're surprised that you got one? I fail to understand what you think is wrong with the world here. There are always going to be hardware makers that are willing to put out shoddy (and possibly knock-off) products at super-discount prices.
  I suspect that you bought the tablet on the self-fulfilling prophecy "Android is terrible, even this cheap tablet can't do anything properly!" Next time, either spend 10 minutes playing with the device in the store, or spend enough money to get a product that goes through proper quality assurance (both hardware and software).
  I've had an Android phone for most of year now - never had a problem with it until I loaded CyanogenMod, and even the one problem I have had is relatively minor and easily worked around.
  
  --
  Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
23. Re:Cloud and Google by Bill_the_Engineer · 2011-05-17 04:56 · Score: 2, Insightful
  
  Sorry but that argument is lame and totally inappropriate. Google drop the ball on this one. If an application needs to transfer sensitive information back to a server then the application should ensure that it is done securely. It is bad practice to assume that the path to the server is secure.
  Why are we only taking Wifi into account? I remember a while back talk about an exploit in GSM that allowed femtocells to eavesdrop on a cellphone's transmissions. Don't assume that wifi is the only weak link.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
24. Re:Cloud and Google by Graham+J+-+XVI · 2011-05-17 04:57 · Score: 1
  
  This is hardly different than sidejacking someone's Facebook session on unsecured wifi at Starbucks
  True, the Facebook thing was a big deal too, and all over the news.
25. Re:Cloud and Google by Graham+J+-+XVI · 2011-05-17 05:05 · Score: 2
  
  None of those are remote exploits for in-box software.
26. Re:Cloud and Google by npsimons · 2011-05-17 05:12 · Score: 1
  
  My friend has a verizon Droid which has made random calls and sent random texts since new.
  And my wife has a Samsung Galaxy with T-Mobile that has worked perfectly. My anecdote cancels yours out. Perhaps your friend's problems are with Verizon or Motorola? Both have been known to screw customers over, and shoddy products and service from them wouldn't surprise me. Also, if it's really an Android problem, file a bug report. Bitching on slashdot won't do anything.
  PS - I've got mod points, but decided to respond. Problems do need to be pointed out and fixed, but bitching on slashdot will do jack shit.
  
  --
  Nathan's blog
27. Re:Cloud and Google by Anonymous Coward · 2011-05-17 05:14 · Score: 0
  
  Everyone? I mean, it should be perfectly secure nowadays, with SSL and the likes. Which is why this is an issue.
28. Re:Cloud and Google by Anonymous Coward · 2011-05-17 05:14 · Score: 0
  
  Oh, did you miss the part where it's not the poster's phone? I don't think making an observation and raising a concern qualifies as "bitching", either.
29. Re:Cloud and Google by clang_jangle · 2011-05-17 05:18 · Score: 1
  
  Speaking of Android concerns there's also the swiftness with which posts like the one I made above get modded "troll". Seems to me there's big google money being spent on astroturfers, or perhaps Taco and Co have signed a special contract...
  
  --
  Caveat Utilitor
30. Re:Cloud and Google by kelemvor4 · 2011-05-17 05:19 · Score: 1
  
  That's because shiny is much more important than secure. Learn to live in the parameters of reality, and improve upon weaknesses when possible.
31. Re:Cloud and Google by Illy-chan · 2011-05-17 05:19 · Score: 1
  
  Plenty of people. Even if you're among those few who know better, sometimes you don't have a choice. If I'm in the middle of my building, I don't get a signal other than out unsecured wifi. Do you know how my superiors would look at me if I wasn't in contact with them during a major event and I told them it was because I was worried about something like this? At best, they'd stick tin foil on my head. That I'm right makes no difference and I'd rather not get fired.
  
  Yeah, I have Droiwall to try and limit ways my phone can be exploited but that's not a cure-all. Besides, as dependent as the world has become on smartphones, I do think the manufacturers have some level of responsibility to protect customers who are at risk because they don't know better. It's too late to try and limit this type of tech to nerds.
32. Re:Cloud and Google by crashumbc · 2011-05-17 05:28 · Score: 1
  
  the internet has matured, people are much faster at spotting trolls now? IF her phone was really randomly dialing people it was defective and should have been returned...
33. Re:Cloud and Google by jeffmeden · 2011-05-17 05:32 · Score: 1
  
  Given that someone can't sit next to me at Starbucks, or even in my driveway, and pick up packets off the wire and decode them, yes it is a LOT more worrying that this happens in the air as opposed to it being possible at all. I mean, how often did your PPP dialup and POP3 password get exploited for being transferred in cleartext? Sure, in a perfect world every single endpoint would have a major CA signed cert, and SSL/TLS would wrap every single packet on the internet. Until we get there, I will start my worrying with what happens over the air, and get to the wire when that's done.
34. Re:Cloud and Google by Anonymous Coward · 2011-05-17 05:33 · Score: 0
  
  Now STFU,, troll.
35. Re:Cloud and Google by willoughby · 2011-05-17 05:47 · Score: 1
  
  And my wife has a Samsung Galaxy with T-Mobile that has worked perfectly.
  Does that include the GPS? I just returned one yesterday because the GPS wouldn't work.
36. Re:Cloud and Google by scot4875 · 2011-05-17 05:59 · Score: 1
  
  Is it just me or does Android seem to have these security problems come out almost every day?
  No, it's just you.
  --Jeremy
  
  --
  Jesus was a liberal
37. Re:Cloud and Google by Bill_the_Engineer · 2011-05-17 06:01 · Score: 1
  
  Which one is which?
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
38. Re:Cloud and Google by scot4875 · 2011-05-17 06:05 · Score: 1
  
  That's all it takes for a STFU?
  
  --
  Jesus was a liberal
39. Re:Cloud and Google by Bill_the_Engineer · 2011-05-17 06:06 · Score: 1
  
  Ditto. However the replacement myTouch 4G hasn't given me any problems yet.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
40. Re:Cloud and Google by mehrotra.akash · 2011-05-17 06:08 · Score: 1
  
  Android vs Blackberry
  or the old s60 could be considered as being somewhere in between
41. Re:Cloud and Google by Anonymous Coward · 2011-05-17 06:10 · Score: 0
  
  So basically then, because Google humped the dog & doesn't allow you to specify to use SSL Authentication, you should therefore not use any unsecured wifi to use your Andriod phone to access Google services?
  Seriously, are you fucking KIDDING me?
  So when Adroid has an issue, the response is "just don't use it"?
  I wonder what the bloodbath would be here if this was the iPhone. Seriously, "it runs linux" is not a reason to ignore the fact that they fucked up again.
  Seriously, you fucking Linux/Andriod fanbois are getting worse than the Jobswhores. Grow the fuck up already.
  Mods: This is both trolling and flamebait. Please mod accordingly.
42. Re:Cloud and Google by Bill_the_Engineer · 2011-05-17 06:20 · Score: 1
  
  What about Blackberry's Android? ;P
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
43. Re:Cloud and Google by element-o.p. · 2011-05-17 06:31 · Score: 1
  
  What do you expect? If you release software and allow independent vendors to install your software on their hardware, you will get a wide range of products, from cheap and shoddy to pretty darned nice. If you only want to shell out $100 for a tablet, well, you get what you pay for. OTOH, I have a $450 Dell Streak 7 that I'm reasonably happy with. Fit and finish are pretty nice, the screen is sharp and clear, and the tablet works pretty well. There are a few apps that work fine on my HTC Hero but won't work on the Streak (Astro file manager, Google Sky); I assume that's because they were designed for the smaller screen of a phone and don't know how to scale to the larger tablet size. However, I have seen progress on that front even in the few weeks I've owned the Dell. ConnectBot wouldn't work when I first tried to install it. I tried it again last week, and the force-close on start-up on the tablet had been fixed -- now it works quite well (and the larger keyboard on the tablet makes it much nicer to use than on the Hero).
  
  It seems to me that Apple provides a one-size-fits-all approach. They provide a premium product at a premium price. If you can afford the ${iDevice} you'll probably be happy with it. Android allows you to buy a product that fits your budget. You can get a cheap device, but you'll probably get a cheap experience. You can buy a higher-end device and get a higher-end experience. Or you can buy at the point in between where your budget and your needs intersect. I don't see that as a bad thing.
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
44. Re:Cloud and Google by element-o.p. · 2011-05-17 06:37 · Score: 1
  
  How is this a "OMG -- Linux is inherently insecure!!!" argument? The developer of software on a Linux platform is stupidly passing clear-text, confidential data across a WiFi connection. Guess what? If you set up a POP3 e-mail account on an Apple product with no encryption on your user name and password between you and the e-mail server, then try to connect to your POP3 e-mail on a shared network (for example, through an Ethernet hub), you'll be able to sniff those credentials, too. Did Apple fail to "protect you in terms of security" there? That's not an OS issue, that's an app issue.
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
45. Re:Cloud and Google by arkhan_jg · 2011-05-17 07:00 · Score: 1
  
  Two, there is no way to easily turn off these activities on a phone that you otherwise want to use for casual traffic on an unsecured network.
  Well, going to 'settings' -> 'accounts & sync' and turning off 'background data' would do it. Then nothing in the accounts and sync page (google calendar, contacts, facebook, exchange etc etc) will be silent syncing in the background on your untrusted network. A lot of third party apps also follow that setting, so it should pretty much kill off all unsolicited background connections unless individually requested in a given app.
  If you want to only kill off specific services, and have those require a manual sync, just change the settings for those options under the same acccount & sync page.
  
  --
  Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
46. Re:Cloud and Google by flibuste · 2011-05-17 07:47 · Score: 1
  
  apple is evil, its true; but at least they ensure a reasonable experience on their tablet. it
  This is just as wrong as the FA. How can you compare a 700$ tablet with a 100$ one? It's great that you allow yourself some Android bashing / Apple loving, but at least try to be a *little* fair.
  I bough a XOOM (same price as the IPad) hoping it would not be too crappy. Well, guess what. It works like a CHARM, just as well as the IPad I tried before, maybe even better since it is way more flexible. And oh well, I knocked up an application on it in minutes without a 100$ SDK.
  Your example is wrong and biased. If you buy a 100$ made-in-china-punkyards tablet, you get what you paid for. Let's see what you get from Apple for a 100$
47. Re:Cloud and Google by peragrin · 2011-05-17 07:49 · Score: 1
  
  Oddly enough MSFT used a similar term when security experts started telling everyone that activeX is bad and not to use it. MSFT called it fear mongering.
  10 years later we are still cleaning up the mess that activeX made of the Internet.
  
  --
  i thought once I was found, but it was only a dream.
48. Re:Cloud and Google by peragrin · 2011-05-17 07:53 · Score: 1
  
  No Shiny is more important than plain.
  the problem is securing things is hard, and in the end should be nearly invisible to the end user.
  Shiny is is to show a CEO that you actually accomplished something today.
  
  --
  i thought once I was found, but it was only a dream.
49. Re:Cloud and Google by peragrin · 2011-05-17 07:59 · Score: 2
  
  That's the voice recognition software working for her. Try disabling voice dialing.
  I used to use voice stuff until I sneezed while driving and discovered my phone thought I said father and dialed him.
  From then on I refuse to use Voice activated features as none of them actually work right in the real world. They use quarter or half samples of pick up key phrases and hash those for speed however because of the compression/ judging that they use for hashes there is huge number of items that "sound alike"
  
  --
  i thought once I was found, but it was only a dream.
50. Re:Cloud and Google by shutdown+-p+now · 2011-05-17 08:29 · Score: 1
  
  Android does make it very easy to send your private data "to the cloud", though. For example, the configuration wizard (which opens when you first turn on the phone) asks if you want to "back up data to the cloud" - a simple checkbox. If you do that, it'll back up, among other things, all your WiFi keys...
51. Re:Cloud and Google by Anonymous Coward · 2011-05-17 08:38 · Score: 0
  
  I've noticed this too, "unpopular" opinions are getting modded down in these Android stories. It's ridiculous. Some might be on the trollish side but even calm, well reasoned arguments are getting the treatment. I try modding them back up from time to time but it's depressing to have to spend mod points undoing bullshit moderations.
52. Re:Cloud and Google by Samalie · 2011-05-17 09:23 · Score: 1
  
  It is the constant battle between the Fandroids and the iCult.
  God forbid anyone speaks truth about your platform of choice.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
53. Re:Cloud and Google by Skuld-Chan · 2011-05-17 09:27 · Score: 1
  
  If they are too open - China releases crappy products using a bunch of reference code. If they lock it down so they control the release cycle more the zealots come out and decry Google for not being open enough.
  Is there any middle ground? Keep in mind - any released code from Google no matter what the license - China will steal.
54. Re:Cloud and Google by Samalie · 2011-05-17 09:34 · Score: 1
  
  Well no, of course Windows is loaded with potential exploits.
  The problem is...so is OSX and Linux.
  But Windows does take the majority of exploits out there. Two reasons really:
  Market Share
  Technical Savvy of Users
  The average Windoes user is, well....stupid. And no, I'm not saying that to all you admins and shit out there...but Windows is the bastion of the average masses...they buy a PC from xxxxx that has Windows pre-installed and they just keep using it. They don't understand fuck all about computers, and they (or their 15 year old son) go surfing for porno, and they go to a dodgy site & get infected. They probably don't even know it, which leaves an infected/botted PC out there just waiting to accept commands from the almighty bot masters.
  The average Linux user is, well, socially inept (sorry, I had to) but understands technology. If there were virii out there to infect its 1% (desktop) market share, it would have to be a damn good one, because the average Linux user wouldn't click some random file in an email that says it is a screensaver. We, the users of Linux, just fucking know better.
  Even if Linux somehow magically became the dominant OS of the smartphone market (for example) and loaded with a pile of "Oh look! Shiny!" dumbass users that bought the phones because they wanted an "iPhone-like" device without paying out the ass for it, then you can be sure that there WILL be malware, and lots of it.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
55. Re:Cloud and Google by clang_jangle · 2011-05-17 09:38 · Score: 1
  
  Um, you forgot the rest of us. You know, slashdotters who aren't irrational, flaming, fanbois? We're probably the majority, too.
  
  --
  Caveat Utilitor
56. Re:Cloud and Google by exomondo · 2011-05-17 11:47 · Score: 1
  
  Plenty of people. Otherwise restaurants wouldn't offer them to entice customers to eat there.
  And this is why there should be no such thing as 'unsecured wireless', all wireless should be secured even if it is with a default password of 'password'.
57. Re:Cloud and Google by Anonymous Coward · 2011-05-17 12:05 · Score: 0
  
  Oh, did you miss the part where it's not the poster's phone?
  I'm not sure it could be any more obvious that he in fact didn't miss that at all:
  
  My anecdote cancels yours out. Perhaps your friend's problems are with Verizon or Motorola?
  So take your reading comprehension failures elsewhere dumbass.
58. Re:Cloud and Google by micheas · 2011-05-17 15:06 · Score: 1
  
  But if the encryption is end to end, the air is moot.
  The large sniffers are not next to you at starbucks, they are in the datacenter within 200ft of you POP to the internet.
  Encrypted wifi for internet access is strictly for access control and has nothing to do with keeping data secure.
  
  --
  Work bio at MMWD
59. Re:Cloud and Google by ekhben · 2011-05-17 19:00 · Score: 1
  
  Shrug, goodbye karma, but my iPhone's voice recognition does pretty well. Needs you to tell it to listen, repeats what it's going to do before it does it so you can cancel when it does get it wrong.
  100% success rate for the number I call most often, probably around three quarters successful for the other numbers I very infrequently call - so maybe it just seems good to me because of the specific circumstances I use it in.
60. Re:Cloud and Google by peragrin · 2011-05-17 23:30 · Score: 1
  
  you have a 100% success rate in telling it when you want it to do something.
  What is the rate of error when you make other noises at it?
  it may be able to tell the difference between mom & dad, but can it tell the difference between a throat growl and mom?
  That is the trick. not that it can identify clearly spoken sounds but does it also identify badly garbled sounds and find matches for those? If the answer is yes then the software only partially works as the error correction isn't good enough.
  
  --
  i thought once I was found, but it was only a dream.
61. Re:Cloud and Google by ekhben · 2011-05-18 11:55 · Score: 1
  
  I haven't tried using it in any place noisier than the inside of my car with the windows up and no passengers. It doesn't start interpreting sounds as voice until I explicitly tell it to, so I've not pocket-dialled someone by farting yet.
  I expect it would not work particularly well in noisier conditions. If that's the use case you'd have for voice recognition, then the technology probably isn't mature enough for you yet, but for my use case, it's good enough to be using now.
Pwnd Linucks on teh Fone!! by Anonymous Coward · 2011-05-17 04:10 · Score: -1

lol.. maybe when Linux is done ruining my phone it can ruin my desktop.
I think I'll stick with my Windows Phone & PC.
1. Re:Pwnd Linucks on teh Fone!! by Anonymous Coward · 2011-05-17 04:13 · Score: 0
  
  Funny, I thought you were using TrollOS.
2. Re:Pwnd Linucks on teh Fone!! by clang_jangle · 2011-05-17 04:14 · Score: 0
  
  Yes, you just do that. Meanwhile, those of us with more than two brain cells to rub together will stick with anything but windows.
  
  --
  Caveat Utilitor
Doesn't sound like Android is that relevant by Anonymous Coward · 2011-05-17 04:15 · Score: 5, Insightful

Token-based authentication vulnerable when tokens exchanged over unsecured connection? Really?
1. Re:Doesn't sound like Android is that relevant by drpimp · 2011-05-17 07:32 · Score: 1
  
  I agreed whole heartedly, but the difference is with Android apps it's virtually transparent whether you are connecting to a HTTP/S connection. At least with a browser, people are trained to look for "the lock", so even if they are connecting to an unsecured wifi spot, their HTTPS connections are safer (sans MITM and other vectors) than an HTTP connection over unsecured wifi.
  
  --
  -- Brought to you by Carl's JR
2. Re:Doesn't sound like Android is that relevant by Anonymous Coward · 2011-05-17 18:17 · Score: 0
  
  Bahaha.
  Sun... warm? Really?
Wow by Anonymous Coward · 2011-05-17 04:16 · Score: 0

One of my biggest fears when applying for coding jobs for projects such as "developing a shopping cart" or "developing a secure ____" or pretty much anything involving databases was that I wouldn't be vigilant enough about working out all the potential security issues involved. After reading this article, I feel like maybe I should have applied to more of these positions. An easily-capturable device/session independent token that's happy to be transmitted cleartext over an unencrypted wireless connection? I sure couldn't do much worse.
1. Re:Wow by Cajun+Hell · 2011-05-17 04:42 · Score: 1
  
  If you actually feel insecure about your abilities as a designer/programmer for secure systems, then you're probably 10x better than the people who actually make the stuff everyone uses. ;-)
  
  --
  "Believe me!" -- Donald Trump
Solution: Wrap your Android in aluminum foil... by digitaldc · 2011-05-17 04:18 · Score: 2

...and turn off Wi-Fi. Don't let your 'smartphone' become a 'dumbphone'

Only use it for emergencies and throwing angry birds.

--
He who knows best knows how little he knows. - Thomas Jefferson
Just update your phone. by Random2 · 2011-05-17 04:19 · Score: 3, Informative

As it says in TFA:
"The researchers tested out apps that contact Google services, including Calendar, Contacts, and Gallery, on various iterations of Android. They found that those apps were all vulnerable on devices running Android 2.3.3 or earlier. On Android 2.3.4 and later, Calendar and Contacts use a secure HTTPS connection, though the Gallery app -- which syncs with Picasa online Web albums -- does not. More important, the vulnerability is not limited to standard Android apps; any Android or desktop app that accesses Google services via ClientLogin over HTTP is vulnerable."
So, update to 2.3.4 when possible, and avoid unsecured wireless until then. It's not a life-threatening issue, more of a notice.

--
"Our goal each year should be to increase the number of goals we set for ourselves!"
1. Re:Just update your phone. by Anonymous Coward · 2011-05-17 04:37 · Score: 0
  
  that update is available to a small percentage of phones.
2. Re:Just update your phone. by thePowerOfGrayskull · 2011-05-17 04:39 · Score: 2
  
  And don't install apps that need access to the network, since you don't have the ability to veto them on a per-connection basis* . (Or don't use unencrypted wifi, which may be a more practical answer.)
  * unlike BB, which gives you very fine grained control over the connections each application makes -- if you take the time to use it.
3. Re:Just update your phone. by delinear · 2011-05-17 04:41 · Score: 5, Insightful
  
  If only Google had taken the decision to bypass carriers and enable me to force an update. Unfortunately I'm still on 2.2 and wholly relient on my carrier passing any update down the line to me (or I hack the phone and lose any warranty/support). In my opinion this was the biggest mistake of Android, giving the power over updates to companies who have no interest in keeping me on my existing phone longer when they really want to sell me a phone with the latest version. I understand why this is good for carriers, I understand why Google accepted the situation (to encourage uptake of the OS and to move the issue of hardware fragmentation onto the providers), but it's still a bad deal for the user when there are unpatched exploits out there. Apple manage to push through updates (and they've got less incentive to do so than Google, since they sell the hardware), I wish Google could have been more forceful and at least given users the ability to decide if they want to update or wait for their carrier's update.
4. Re:Just update your phone. by h4rr4r · 2011-05-17 05:43 · Score: 1
  
  Really?
  CM7.1 nightlies seem available on many phones.
5. Re:Just update your phone. by drinkypoo · 2011-05-17 06:07 · Score: 1
  
  Google can't be in the position of having to personally support every phone. Sure, they could probably do it TODAY, but it puts them in a poor position in the future.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
6. Re:Just update your phone. by Belial6 · 2011-05-17 06:19 · Score: 1
  
  I love my Android phones, but suggesting that people upgrade their OS is simply not a realistic answer. Vendor locking means that the vendor decides when you upgrade. And rooting is not the answer for the majority of users either.
7. Re:Just update your phone. by blair1q · 2011-05-17 07:08 · Score: 1
  
  Nexus One phones on T-Mobile got the 2.3.4 update a couple of weeks ago.
8. Re:Just update your phone. by ElKry · 2011-05-17 13:49 · Score: 1
  
  Not just on T-Mobile, on any carrier. The carrier doesn't provide the updates, google does.
Surprise? by Anonymous Coward · 2011-05-17 04:20 · Score: 0

Unsecured WiFi and authentication tokens sent over unencrypted connections are vulnerable. Interesting, but shouldn't that have been slightly obvious? I'm not getting at these guys for trying to demonstrate something but the original article calling it an "android vulnerability" seems a little excessive.
The suggested remedies are using HTTPS for login purposes (duh?), using the latest version of Android possible (unfortunately not always a choice the user has) and not using unsecured WiFi (duh!).
Tonight news at 11! by Rotten · 2011-05-17 04:26 · Score: 0

"A hacker could collect a large store of tokens by first setting up a Wi-Fi access point with the same SSID of an unecrypted wireless network....."
OMG REALLY!?
1. Re:Tonight news at 11! by Anonymous Coward · 2011-05-17 12:52 · Score: 0
  
  No mod points, but I thought it was funny :D
Rule 6: Don't use a unsecure wifi. by Anonymous Coward · 2011-05-17 04:27 · Score: 0

Come on!
That's a basic rule that everyone should know !
No matter it's a Android, a iPhone, or laptop...
Ok I agree that using HTTP instead of HTTPS it's bit lame...
And? by thePowerOfGrayskull · 2011-05-17 04:37 · Score: 3, Insightful

And? What kind of idiot uses unencrypted WiFi on their phones these days -- especially because you can't know what applications are sending or receiving in the background.
1. Re:And? by psydeshow · 2011-05-17 05:34 · Score: 1
  
  What kind of idiot uses unencrypted WiFi on their phones these days?
  Any idiot who wanders into range of an unencrypted WiFi access point with the same SSID as one of their trusted, encrypted access points.
  It's not like your phone is going to be all "Hey, why isn't this network encrypted anymore?" and refuse to connect, or even bring it to your attention.
2. Re:And? by chemicaldave · 2011-05-17 05:48 · Score: 1
  
  I don't know about that. Mine has a "Notify me when an open network is available" option.
3. Re:And? by Anonymous Coward · 2011-05-17 06:07 · Score: 1
  
  You don't use public wifi hotspots? You need to get out of your mom's basement more =]~
4. Re:And? by gknoy · 2011-05-17 06:22 · Score: 1
  
  Interesting. How can I configure it not to do that?
5. Re:And? by TheNinjaroach · 2011-05-17 06:40 · Score: 2
  
  What kind of idiots implement token based authentication over unencrypted HTTP streams?
  
  --
  I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
6. Re:And? by Anonymous Coward · 2011-05-17 07:03 · Score: 0
  
  Convenience of Starbucks (or other stores') free wifi when you don't have (good) 3G coverage?
7. Re:And? by Rich0 · 2011-05-17 07:35 · Score: 1
  
  Agreed.
  Google should simply run all authentication over https, period. Wifi just makes the problem obvious, but even wired ethernet is vulnerable to sniffing, etc.
  At some point non-SSL http should be EOL'ed. There should be two standards - https with trusted certificate (shows padlock), and https without a trusted certificate (treated like http is treated today and does not show padlock). That will eliminate the need for everybody to have a trusted certificate chain, but will cut out all the passive attacks.
8. Re:And? by thetartanavenger · 2011-05-17 07:47 · Score: 1
  
  Any "idiot" that doesn't have a data plan yet still wants to use their phone in public places. Seriously, how is this different from using a laptop on public wifi. It comes with risks... And you can know what is being transmitted, just because you don't know how, again, same with laptops...
  
  --
  Who need's speling and grammar?
9. Re:And? by thePowerOfGrayskull · 2011-05-17 07:56 · Score: 1
  
  When I don't know and can't control what data is going in and out of my device? No, of course I don't. Does that mean you actually do let your phone use unencrypted wifi hotspots?
10. Re:And? by thePowerOfGrayskull · 2011-05-17 08:05 · Score: 1
  
  While I agree, this goes beyond that. The specific google components are only one piece; the wider problem here is that when you're allowing a smartphone to connect to *any* network (especially if it's Android or iPhone; but by default BlackBerry too - you have to go out of your way to configure paranoid connection mode), you don't know what your apps are doing. You don't know what servers they're connecting to, what protocol they're using, what data they're sending, or to whom they're sending it to(but that's a different issue in itself). You certainly don't know who else is watching that data.
  Given that, allowing your phone access to an unencrypted wireless network is tantamount to shouting out all of your most personal information to anyone on the same network.
  While encrypted wifi is certainly no more secure once it leaves the wifi network, at least you're reducing the likelihood of somebody sniffing your data. If you only use encrypted networks, you may still have problems in that you don't know who is getting your data at the end point... but at least you can be reasonably certain. (Though obviously this also only goes so far - as it can be picked up anywhere along the way once it *;eaves* the encrypted network.
11. Re:And? by thePowerOfGrayskull · 2011-05-17 08:24 · Score: 1
  
  I responded to similar questions in this thread, and won't be retyping. Laptops at least have firewalls; and further you have the option of public/private network behavior on modern Windows versions such that you can be certain that apps you don't want talking over public wifi won't be talking.
  Alright, let's say an app exists for monitoring traffic (and I don't know that it does for all phone platforms) - but once the traffic is sent, it's too late. You can't know what is being sent until it's sent; and you can't stop it from being sent after learning about it -- but before it leaves the device -- on android or iphone.
  But for argument's sake, let us suppose that such an app exists that presents a fake network interface, allowing you to completely manage all device outbound traffic. The problem there is that users like defaults, and they're not going to out of their way to install an app to correct a problem that they're only marginally aware of if at all.
12. Re:And? by Anonymous Coward · 2011-05-17 10:54 · Score: 0
  
  Who doesn't have good 3G coverage now days? Ooh, right.. Communist Europe.. Sorry, my bad!
13. Re:And? by PastaLover · 2011-05-18 03:18 · Score: 1
  
  Or when you are travelling internationally (roaming charges are a right bastard).
Why not do even better? by bogaboga · 2011-05-17 04:38 · Score: 1

Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable, but there are steps devs, Google, and users can take to reduce the risks."
Why not eliminate the threat entirely? 'Reducing the risks' just does not gut it in the security industry.
1. Re:Why not do even better? by savanik · 2011-05-17 04:59 · Score: 1
  
  Why not eliminate the threat entirely? 'Reducing the risks' just does not gut it in the security industry.
  Because in order to eliminate the risk entirely, you will have to shoot the user in the head. They are the largest security risk in any scenario. Requiring encryption won't eliminate your mom from handing you the already logged-in device to troubleshoot it for her.
AOSP Android vs. OHA Android by tepples · 2011-05-17 04:43 · Score: 5, Informative

it does speak to google that they are so lax with the vendors.
There's a difference between OHA Android, which comes on phones and 3G tablets, and AOSP Android, which comes on PDAs and Wi-Fi-only tablets. Anyone can make a device with AOSP (Android Open Source Project), without Google's permission, but it'll come with AppsLib or Amazon Appstore instead of Android Market. I'm guessing that the 100 USD tablet you bought came with AOSP Android, not unlike my Archos 43 PDA. OHA Android-powered devices, on the other hand, are subject to tighter Google scrutiny, but they come with Android Market and other Google apps in return. If you want the tightest scrutiny ever, make sure to choose a phone with "Nexus" in the name.
Rule 7: use Android, not Google services by Cajun+Hell · 2011-05-17 04:44 · Score: 1

Google makes a decent (not great, but decent) OS, so use that. But for fuck's sake, don't use it for what they want you to use it for.

--
"Believe me!" -- Donald Trump
Firesheep? by dido · 2011-05-17 04:49 · Score: 1

Isn't this more or less the same thing that Firesheep does, and why the EFF is urging everyone to use HTTPS wherever possible?

--
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
1. Re:Firesheep? by psydeshow · 2011-05-17 05:36 · Score: 1
  
  Yes, but the point is that with these apps, you don't really have a choice. They connect to Google services in the background, using unencrypted channels. The end user doesn't realize that this is the case.
2. Re:Firesheep? by jeffmeden · 2011-05-17 05:41 · Score: 3, Insightful
  
  Isn't this more or less the same thing that Firesheep does, and why the EFF is urging everyone to use HTTPS wherever possible?
  Yes it is, except that in the case of FireSheep, the user could have simply connected to HTTPS://facebook.com and been protected from attack. Also, the user had to initiate the connection; very few people probably have facebook.com set to load up on any wifi connection available, as soon as their laptop is opened up. Lastly, it's *facebook*. If your account is compromised you might have a few awkward messages sent to your friends on your behalf, but the damage is limited. We have seen time and time again in the past few weeks just how much damage a compromised gmail account can cause.
Google: Just buy a new phone! by Anonymous Coward · 2011-05-17 05:01 · Score: 0

Google would have you buy a new phone to get the security update. This is because Android is "open".
Oh yeah? by Kamiza+Ikioi · 2011-05-17 05:08 · Score: 4, Interesting

You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol. Even if you run the wildly popular Droid X, you are running 2.2.1, and there are NO expected updates. And even the best carriers drag their asses and force us to wait for them to push the update, rather than update it ourselves. The luckier users are unlocked enough to get an updatable Mod, like Cyanogen. Unlucky users like me have no such option.
Until Manufacturers supply completely unlockable phones, how "open" Android is doesn't mean shit. 2.3.4 will NEVER... EVER... be released for my phone. And I can't upgrade to Cyanogen, because it has Motorola's "fuck you in the ass" locking mechanism. I have my phone unlocked, but it's a hell of a hack, and Google removed the unlock app from their store because carriers complained that it can be used to enable tethering.
I don't blame android, but I sure as hell won't ever buy Motorola again. My next phone with be 100% update-able by me (except for the cell radio itself, obviously). I don't care if I have to wait until Android 8.0 comes out to get it.

--
I8-D
1. Re:Oh yeah? by h4rr4r · 2011-05-17 05:45 · Score: 1
  
  Unlucky?
  You bought the phone knowing this would happen, and you call yourself unlucky?
  I have a motorola Droid 1 running 2.3.3 and will be running 2.3.4 as soon as CM7.1 hits RC.
2. Re:Oh yeah? by Bill_the_Engineer · 2011-05-17 06:13 · Score: 1
  
  I agree that luck may not be involved when it comes to actually rooting your phone. However, there is some luck with getting reliable service from your phone after it is rooted. I had issues with my previous phone after I rooted it. The problems outweighed any possible advantages so when I got my replacement phone, I decided against rooting it.
  I am glad that your luck is better than mine.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
3. Re:Oh yeah? by h4rr4r · 2011-05-17 06:23 · Score: 1
  
  Rooting the phone does not impact service in anyway. The hardware and software used for that is not even related.
  Hell, you can always flash a backup anyway.
4. Re:Oh yeah? by Zebedeu · 2011-05-17 06:30 · Score: 2
  
  You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol.
  Any of the Nexus devices. Do I get a cookie now?
  
  I don't blame android, but I sure as hell won't ever buy Motorola again.
  Actually I blame you and everyone who I see complaining on forums. It was an acceptable thing to feel betrayed by the manufacturer one or two years ago when Android devices first started coming out and the promises of openness weren't fulfilled, but nowadays you'd really have to make almost no research before buying your smartphone in order to not know the situation with the updates.
  If everyone who complains on the internet had instead made that research and gotten a Nexus device, they'd be selling like hotcakes, and a clear message would've already been sent to the manufacturers that people want open devices.
  But as it stands, people who value openness only have one real choice, and we still have to put up with the whiners every time an Android story pops up.
5. Re:Oh yeah? by Lectoid · 2011-05-17 06:39 · Score: 1
  
  Huh, I have a Droid X and my version says 2.3.3. Granted I put an early release of Gingerbread on my phone, but it's a leaked release of a version that's coming out very soon anyways.
  
  --
  Is it just me, or do you hate it when people say "Is it just me..."?
6. Re:Oh yeah? by Anonymous Coward · 2011-05-17 07:02 · Score: 0
  
  LG electronics and Sprint.
  I've owned my phone for about 6 months, and they've already pushed two updates to it.
7. Re:Oh yeah? by iluvcapra · 2011-05-17 07:02 · Score: 3, Insightful
  
  One day, Google invented this totally awesome free and open source operating system for phones, which ran on hundreds of different devices from dozens of different vendors. It allowed people to customize their phones, run whatever apps they wanted, buy apps off of different stores and sideload whatever code they pleased.
  Google also invented an awesome operating system for phones that they develop in secret, publish the source for only after select marketing partners have had a 6 month head start, and then only if the code "looks good enough," and their partners are only allowed a head start if they agree to not integrate their phones with services that would harm Google's strategic investments. These phones come in many different models, but only two of them, both coming from the same manufacturer, actually offer up-to-date support and updates. The rest are trendy abandonware, efused and ROMed.
  I am continually informed by people here that these two operating systems are the same thing and that all the good stuff about the first operating system applies to the second one.
  
  --
  Don't blame me, I voted for Baltar.
8. Re:Oh yeah? by Bill_the_Engineer · 2011-05-17 07:20 · Score: 1
  
  Rooting the phone does not impact service in anyway.
  Sure if you don't count force close and spontaneous reboot.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
9. Re:Oh yeah? by Rich0 · 2011-05-17 07:30 · Score: 0
  
  You let me know which manufacturers are regularly pushing updates out to phones, and I'll give you a cookie, lol.
  Any of the Nexus devices. Do I get a cookie now?
  Really? I haven't seen Google support a phone for more than 1.5 years to date. Right now they have issued three phones under their brand:
  ADP - last official update issued about 1 year after first sale, and six months before the N1 came out. If you're relying on Google support you're running Android 1.6, although if you are using Cyanogenmod you could be up to 2.2.
  N1 - last update issued about 1.5 years after first sale (maybe it is 1.75).
  NS - last update issued about 2 months after first sale.
  That isn't exactly a stellar history. Granted, the N1 and NS may still get more updates in the future (or they may not - there are no promises, and Google seems to just stop updating phones and not really announce any kind of official EOL policy). Also - I couldn't find an official firmware release history / changelog for any of these phones so it is possible I missed some kind of a minor update. Corrections are welcome.
10. Re:Oh yeah? by h4rr4r · 2011-05-17 07:43 · Score: 1
  
  That has nothing to do with rooting it. All rooting does is gaining root permissions. That will not cause this issue. Perhaps what you are installing afterwards is doing that.
  Lots of things you can do with root could cause that, but not just having root.
11. Re:Oh yeah? by Anonymous Coward · 2011-05-17 07:47 · Score: 0
  
  so your getting an iphone? /runs and hides
12. Re:Oh yeah? by Kamiza+Ikioi · 2011-05-17 07:51 · Score: 1
  
  Actually, that's the correct answer! I just don't like the iPhone. But I have to give them all credit for regular updates, even to an old 3G I keep around as a music player.
  
  --
  I8-D
13. Re:Oh yeah? by Zebedeu · 2011-05-17 07:53 · Score: 1
  
  Really? I haven't seen Google support a phone for more than 1.5 years to date. Right now they have issued three phones under their brand:
  The original devices Google was selling were developer devices: they weren't targeted at consumers, so I don't think they carried the same support expectations. Oh, and by the way, there were two of them, which makes for a total of four Google phones to date.
  In any case, the hardware in those devices wouldn't have been able to run Android 2.x in any usable manner. Believe me, my first Android phone had pretty similar hardware to those developer devices and I tried Android 2.2 on it. Unusable.
  
  That isn't exactly a stellar history. Granted, the N1 and NS may still get more updates in the future (or they may not - there are no promises, and Google seems to just stop updating phones and not really announce any kind of official EOL policy). Also - I couldn't find an official firmware release history / changelog for any of these phones so it is possible I missed some kind of a minor update. Corrections are welcome.
  I agree that it's too early to tell whether the Nexus devices will be properly supported, but it's not really fair to bunch the Nexus phones together with the earlier developer devices.
  At least they've been doing a good job updating both Nexus up to now. Google specifically promised timely updates for those devices and with them being the main force behind Android, I expect them to make good on it.
  In any case, even if support is dropped, the phone is completely unlocked, so at least it won't be immediately EOL'd.
14. Re:Oh yeah? by Kamiza+Ikioi · 2011-05-17 07:54 · Score: 1
  
  I will suck your dick... - MacGruber
  Looks like I'll be looking for a leaked version. :D
  
  --
  I8-D
15. Re:Oh yeah? by shutdown+-p+now · 2011-05-17 08:37 · Score: 1
  
  If everyone who complains on the internet had instead made that research and gotten a Nexus device, they'd be selling like hotcakes
  In the US, at least, the problem are operators. When Nexus One came out, you couldn't buy it with a contract, only full price; and it took them ages to release an AT&T-compatible version. Nexus S you can have on T-Mobile and Sprint - again, no AT&T nor Verizon. Depending on where one lives, this may be a deal-breaker.
16. Re:Oh yeah? by Rich0 · 2011-05-17 10:05 · Score: 1
  
  The original devices Google was selling were developer devices: they weren't targeted at consumers, so I don't think they carried the same support expectations.
  
  The original ADP was identical hardware-wise to the G1, which was a consumer device. The G1 had no better support than the ADP. If the G1 wasn't at least reasonably successful there might never have been an N1.
  
  In any case, the hardware in those devices wouldn't have been able to run Android 2.x in any usable manner. Believe me, my first Android phone had pretty similar hardware to those developer devices and I tried Android 2.2 on it. Unusable.
  I own a G1, and with a recent radio which frees up 16MB or RAM it actually is usable with 2.2. Granted, it is limited.
  However, I don't consider that a valid excuse for Google abandoning their initial platform in 1.5 year's time. They could have backported whatever enhancements they could have to the older platform. Microsoft still supports XP after 10 years. Google didn't even support their platform for the length of a typical cell phone contract.
  
  I agree that it's too early to tell whether the Nexus devices will be properly supported, but it's not really fair to bunch the Nexus phones together with the earlier developer devices.
  I dunno. I think Google's commitment is to making the next version of Android shinier than the last. If it is easy to get it to run on one of their existing phone models they'll probably do it. If it isn't then they probably won't. The newer models are clearly more future-proof (RAM being the biggest factor), but the N1 isn't even as old as the ADP was when it was declared obsolete.
  Don't get me wrong - I love android, and the fact that Google is trying to create reference devices with a superior experience. However, they could really use better long-term support. I'm not sure that they need the enterprise-level 10-year support that MS provides, but is 3-4 years too much to ask?
17. Re:Oh yeah? by Anonymous Coward · 2011-05-17 12:20 · Score: 0
  
  Nexus One: HTC, Nexus S: Samsung.... While you have some valid criticism, missing basic facts pretty clearly shows you are not seeing the whole picture.
18. Re:Oh yeah? by ElKry · 2011-05-17 13:54 · Score: 2
  
  N1 - last update issued about 1.5 years after first sale (maybe it is 1.75).
  NS - last update issued about 2 months after first sale.
  That isn't exactly a stellar history. Granted, the N1 and NS may still get more updates in the future (or they may not - there are no promises, and Google seems to just stop updating phones and not really announce any kind of official EOL policy). Also - I couldn't find an official firmware release history / changelog for any of these phones so it is possible I missed some kind of a minor update. Corrections are welcome.
  N1 has had constant OTA updates since it was launched - in fact, it was updated to 2.3.4 about two weeks ago.
  NS, exactly the same, some times getting releases some weeks before N1.
  So... did you just not bother looking for it, or are you intentionally spreading FUD?
19. Re:Oh yeah? by Anonymous Coward · 2011-05-17 20:10 · Score: 0
  
  Yawn.
20. Re:Oh yeah? by Rich0 · 2011-05-18 02:10 · Score: 1
  
  N1 - last update issued about 1.5 years after first sale (maybe it is 1.75).
  NS - last update issued about 2 months after first sale.
  That isn't exactly a stellar history. Granted, the N1 and NS may still get more updates in the future (or they may not - there are no promises, and Google seems to just stop updating phones and not really announce any kind of official EOL policy). Also - I couldn't find an official firmware release history / changelog for any of these phones so it is possible I missed some kind of a minor update. Corrections are welcome.
  N1 has had constant OTA updates since it was launched - in fact, it was updated to 2.3.4 about two weeks ago.
  NS, exactly the same, some times getting releases some weeks before N1.
  So... did you just not bother looking for it, or are you intentionally spreading FUD?
  So, per my post, I couldn't find any kind of official change history for the firmware on either the N1 or NS, and you still haven't provided a link to one. I did in fact go looking for it, and apparently did not find whatever you managed to find. A link to an official release history / changelog / etc for those phones would be welcome (assuming Google bothers to publish one).
  So, taking your statement at face value, the N1 has had updates up to two years after first sale, and the NS has had updates up to five months after first sale. If they're still publishing N1 updates two years from now I'll be willing to call it a well-supported platform.
  I never said that the N1 wasn't getting updates - only that Google does not have a history of support phones for more than about 1.5-1.75 years after original sale. It looks like with the N1 they're bumping that up to 2 years. I'd call the bare acceptable minimum two years after the date of the last sale, as this is the length of a typical phone service contract. I believe they were selling the ADP right up until the N1 came out, so they effectively stopped releasing updates for that phone six months BEFORE they stopped selling it. Now, I do agree that the ADP was a bit of a niche and served more as a reference platform - it would not have made sense for them to stop selling it before a replacement was available.
  Honestly, the only smartphone out there that I would consider to have a reliable history of support is the iPhone, and you can't even change the battery on that without doing surgery. It kills me to have to say that, and I really do hope that Google demonstrates their commitment to support by issuing updates to the N1 for another 1.5 years (which would be about two years after their last sale).
21. Re:Oh yeah? by Bill_the_Engineer · 2011-05-18 02:25 · Score: 1
  
  Now your just being pedantic. ;P
  Your absolutely right, the act of opening up my phone was not the cause of my problems. It was the use of the Cynamod ROM that was the cause of my problems. To be fair, the problems were a nuisance at first since you get used to closing the force close dialog box when it pops up on occasion. The straw that broke the camel's back was when my daughter was in an automobile accident, and every time I dialed '911' the phone would reboot. I had to borrow someone else's phone to make the call.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
22. Re:Oh yeah? by PastaLover · 2011-05-18 03:15 · Score: 1
  
  If everyone who complains on the internet had instead made that research and gotten a Nexus device, they'd be selling like hotcakes, and a clear message would've already been sent to the manufacturers that people want open devices.
  Those Nexus phones were more expensive for many in the US, and outside of the US they're just not available. I'm pretty sure the number of android devices outside of the US is now bigger than inside, so you should assume when you see someone whining that they did not have a chance to purchase a Nexus phone in the first place. (unless they were willing to have it insecurely shipped across international borders, facing charges if customs takes an interest).
23. Re:Oh yeah? by Zebedeu · 2011-05-18 03:37 · Score: 1
  
  Strange, I'm outside the US and I managed to get one here without jumping borders.
  Also, they aren't more expensive, you just have to pay the full price up front (which I prefer anyways). In fact, if you bother to make some calculations, buying up front can actually save you quite a bit of money.
  Besides, I think some carriers in Europe offer the Nexus S with a contract.
  Granted, even if it wasn't possible to get a Nexus phone where you live, there were other "sort-of-open" possibilities, namely the HTC devices at the time, which were easy to root and had a strong community of developers creating open roms for it.
  But this guy went out and got the phone which had the most draconian block in the market, and it's not like that information was secret -- it was all over the geek news.
  Now he's complaining that he has a locked bootloader. Well, cry me a river.
Wrap it up, Androidailures. by Anonymous Coward · 2011-05-17 05:23 · Score: -1

Your OS is a piece of shit.
Silver Lining by ThatsNotPudding · 2011-05-17 05:25 · Score: 1

If Google had any guts, they would push out updates without the greedy, trogliditic carriers involvement, using the unassailabe justification of security.

Of course in retaliation, the a-hole carriers would suddenly switch to Bing even on Android devices.
1. Re:Silver Lining by cecom · 2011-05-17 05:53 · Score: 3, Informative
  
  Sigh. Few people actually realize this, but Google can't possibly do it even if they wanted.
  Each different phone has different custom hardware. That requires a different kernel, different drivers, etc, etc. Google couldn't possible push an update to any hardware except its own - Nexus One and Nexus S. There is no standard for phones like there is for personal computers. Google would have to maintain and test different Android distributions for every one of the (hundreds?) phones out there. Absurd.
  When you buy a phone from a manufacturer (Samsung, HTC, Motorola, whatever) it is that manufacturer's responsibility to update your phone. If you don't like their update policies, don't buy from them. The market should work. And if people don't care (which is apparently the case), why should the manufacturers?
  Sadly, Google gets blamed for something which is outside of their control. It is like blaming Linus Torvalds for me being too lazy to install the latest security updates on our company website.
2. Re:Silver Lining by Anonymous Coward · 2011-05-17 06:33 · Score: 0
  
  If Microsoft does that with wp7, why can't Google do the same?
3. Re:Silver Lining by HAKdragon · 2011-05-17 07:41 · Score: 1
  
  I could be wrong, but I believe that Microsoft has a minimum spec that handset manufacturers have to meet for them to be granted a license for Windows Phone 7.
  
  --
  "Our opponent is an alien starship packed with atomic bombs. We have a protractor."
4. Re:Silver Lining by vinng86 · 2011-05-17 07:59 · Score: 2
  
  I think they should just abstract away the hardware-specific components. There's a great deal of code that is purely unrelated to hardware components that could be be separated and updated OTA by Google.
5. Re:Silver Lining by Anonymous Coward · 2011-05-17 08:18 · Score: 0
  
  I wish I could mod you up +100
6. Re:Silver Lining by Anonymous Coward · 2011-05-17 08:46 · Score: 0
  
  Phones have to be certified by Google before they can run Android too. In fact there some worry that the process is too arbitrary and would allow Google to block devices from coming to market (with Android) :
  "Interestingly, the license allows Google to change the applicable Compatibility Test Suite and Android Compatibility Definition at will up until the time a device is certified for launch by passing the CTS. So basically there’s nothing keeping Google from changing the CTS or ACD any way it wants in order to keep a particular device off the market."
VPN? VPN. by VortexCortex · 2011-05-17 05:26 · Score: 2

When abroad with my laptop/phone/tablet I use open unencrypted wifi, but I tunnel all of my data through an encrypted VPN connection to my home network, then out from there. Thus, the jag-off running "ssl-strip" or "script-kiddie sheep" on the local LAN can see only my encrypted stream even if the sites I visit are not using SSL.
I thought we had all learned this lesson a long time ago -- Encrypted data BEFORE it leaves your computer, especially when connecting via untrusted WIFI.
Android > Wireless And Network settings > VPN Settings > Add VPN.

"Yeah, but it's difficult to set up my own VPN. What about computer illiterate users?"
"You expect my grandma to do this?"
No. I don't care about anyone else's competency or security. Use VPN or only SSL websites on untrusted WIFI or face the consequences.
This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.
1. Re:VPN? VPN. by drinkypoo · 2011-05-17 06:09 · Score: 1
  
  Actually, it's pretty easy to set up IPSEC on Windows... at least on Windows 2000 or later, and Pro or better. Using a cert is kind of annoying but using PSK is simple enough.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
2. Re:VPN? VPN. by Bill_the_Engineer · 2011-05-17 06:17 · Score: 1
  
  This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.
  So is this advice for the user or the creator of the API that sends these nuggets of information from the device?
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
3. Re:VPN? VPN. by Belial6 · 2011-05-17 06:31 · Score: 2
  
  In theory you are right. Setting up a home VPN in trivial. Just buy one of the many routers that support it out of the box. Buffalo even sells routers with official support for DD-WRT. Sutting up VPN consists basically of putting in your username and password. For the large part of the population with dynamic DNS, most routers also support DynamicDNS services. If people can figure out how to sign up for Facebook, they can figure out how to sign up for DynamicDNS. My problem is that currently the VPN client in Android is all but useless. It will not hold a stable connection, and and every time it disconnects, it requires that you exit your application, and go back in to the VPN settings to reentery your password. I REALLY want Google to implement a good VPN client. I want to be able to set my phone to always be connected to my VPN. If the VPN connection drops, it should automatically reconnect. It should work like the VPN client in my laptop.
4. Re:VPN? VPN. by Belial6 · 2011-05-17 07:15 · Score: 2
  
  This story just proves what I've been saying all along: If you don't know shit about it, leave it the fuck alone.
  Sorry to respond to the same post twice, but I just noticed this gem. Most people don't know "shit" about what is in the very walls of their house. They don't know "shit" about electricity, and they don't know "shit" about combustion engines. If people left things alone that they didn't know "shit" about, they would all literally be living in caves like animals. If even that.
5. Re:VPN? VPN. by Rich0 · 2011-05-17 07:40 · Score: 1
  
  Also - the native VPN client in Android (as far as I have been able to tell) has a few other issues:
  1. If the VPN isn't up, it just sends out traffic over the direct interface. All it takes is one packet with your token in it to leak your token - 98% VPN coverage just isn't good enough. If I want a VPN, then I don't want traffic to go out in the clear unless I explicitly acknowledge a message asking me about this.
  2. I can't find any setting that lets me make the VPN the default route. There is the openvpn redirect gateway option, which isn't the same thing (it is dumb and even sends DHCP acks for the gateway over the VPN causing you to lose the lease).
6. Re:VPN? VPN. by Anonymous Coward · 2011-05-17 08:54 · Score: 0
  
  He said 'leave it the fuck alone,' not 'shun it and never use it'
  The equivalent scenario is installing locks on your doors, not living at Walden pond.
7. Re:VPN? VPN. by _avs_007 · 2011-05-17 12:10 · Score: 1
  
  That's why on my Android phone, instead of using VPN, I use SSH, and set it to do a local port redirect, so I can just tunnel all my traffic over it.
What Android users can do: B: by sanermind · 2011-05-17 05:50 · Score: 1

Never turn on account sync in the first place. If you -do- have a gmail address, create a separate one just for your phone (since google makes it mandatory to have a gmail/google account to use android, for -some- reason I can't imagine...)

Disable all 'back up my data to google' options in the sub-sub menus.
Problem solved. Your phone won't have any account credentials worth worrying about, outside of through the browser (standard cross-site-scripting exploits, etc) or reasonable apps that ask for no permissions beyond internet (connectbot for ssh, etc)

--

---
the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
Swiper no swiping! by Anonymous Coward · 2011-05-17 06:02 · Score: 0

Swiper no swiping!
...of Ulm by Anonymous Coward · 2011-05-17 06:04 · Score: -1

Obviously researched by: Johann Gambolputty-de-von-Ausfern-schplenden-schlitter-crass-cren-bon-fried-digger-dingle-dangle-dongle-dungle-burstein-von-knacker-thrasher-apple-banger-horowitz-ticolensic-grander-knotty-spelltinkle-grandlich-grumblemeyer-spelter-wasser-kurstlich-himble-eisenbahnwagen-guten-abend-bitte-ein-nürnburger-bratwürstel-gespurten-mitz-weimache-luber-hundsfut-gumeraber-schönendanker-kalbsfleisch-mittleraucher-von-Hautkopft of Ulm.
Apple by Anonymous Coward · 2011-05-17 06:18 · Score: 1

This is what Apple did: stood up to the carriers and said, "We're in charge, not you losers with a track record of crippling phones.". And people hated them for it.
Android was the answer. Except that its end customers are the carriers, not users.
We were promised it would be unlocked! by Kamiza+Ikioi · 2011-05-17 08:03 · Score: 1

Considering I bought it... oh, over a year ago when it was released, you contradict yourself. I Besides, We were promised it would be an unlockable bootloader!
I have every damn right to be mad. FTA: "This follows Motorola's earlier statement that it is 'working closely with our partners to offer a bootloader solution that will enable developers to use our devices as a development platform.'"
So, for calling me a whiner... stick it up your ass, my friend.
BTW, if Google had a clue how to sell a phone through popular carrier channels to begin with instead of their stupid web-store experiment, I would have gotten one.

--
I8-D
1. Re:We were promised it would be unlocked! by Zebedeu · 2011-05-17 08:25 · Score: 1
  
  Considering I bought it... oh, over a year ago when it was released, you contradict yourself.
  
  When you bought the Droid X the Nexus One was already available. It might have been possible that the Nexus S was already rumoured (can't remember, or bother to check).
  Besides, it was already known that it was coming with a locked bootloader. Hell you bought the device with the most draconian bootloader lock at the time, and now you're complaining.
  
  Besides, We were promised it would be an unlockable bootloader!
  Did you read your link? End of 2011. I don't know how you could've missed it, it's in the title!
  (It's now early/middle 2011, you do know that, right?)
  
  I have every damn right to be mad.
  No you don't. I remember clearly the issue with the locked bootloader being all over the web before the device even hit the stores. At the time it was clear for anyone who spent more than 2 minutes researching that if you wanted an open device you'd either have to go with the Nexus One, or one of the popular HTC devices which somehow had a community of hackers around them.
  
  BTW, if Google had a clue how to sell a phone through popular carrier channels to begin with instead of their stupid web-store experiment, I would have gotten one.
  Ah, so now it's Google's fault... *eyeroll*
  Face it, you made a bad decision one year ago, either because you didn't bother to inform yourself properly, or because you liked so much that particular phone that you thought it outweighed its faults.
  Now you regret that decision, but can't face the fact that it's all on your shoulders. It is your prerogative to be an informed consumer -- it helps you and it helps everyone else.
  Anyway, this isn't about you. You could be stuck with a 1995 Nokia for all I care. What pisses me off is that you basically validated Motorola's anti-consumer strategies and then come whining when they bite you in the ass.
  And yes, it's clear to anyone that you're whining, and insulting me won't help your case.
Well by drolli · 2011-05-17 08:08 · Score: 1

I dont use the "sync to google" functions anyway. Was always too scary to me.
Who uses ClientLogin anymore? by DaScribbler · 2011-05-17 08:38 · Score: 1

Do any apps or services actually use the ClientLogin API anymore? I thought everybody had switched to OAuth already. Wouldn't this be akin to using Telnet over an unsecured network instead of using SSH?
Astroturfing? by Anonymous Coward · 2011-05-17 11:30 · Score: 0

Am I the only one that has noticed a strange rash of Android/Chrome FUD lately?
WPA has been hacked to deauth by tepples · 2011-05-17 11:58 · Score: 1

all wireless should be secured even if it is with a default password of 'password'.
WEP with a well-known password has the same vulnerability to passive Firesheep-type attacks as open Wi-Fi. Even WPA is vulnerable to an active attack that forces a deauth and then snoops the pairwise transient key on reauth. WPA+PEAP is less vulnerable because the handshake takes place over TLS.
1. Re:WPA has been hacked to deauth by exomondo · 2011-05-17 12:43 · Score: 1
  
  WEP with a well-known password has the same vulnerability to passive Firesheep-type attacks as open Wi-Fi.
  WEP is not secure, we've known this for a long time.
  
  Even WPA is vulnerable to an active attack that forces a deauth and then snoops the pairwise transient key on reauth. WPA+PEAP is less vulnerable because the handshake takes place over TLS.
  And either choice is a hell of a lot better than open, unencrypted wifi, hence my suggestion.
2. Re:WPA has been hacked to deauth by micheas · 2011-05-17 15:02 · Score: 1
  
  As long as you don't send the information out on the internet sure. Otherwise the unsecured wifi section is the LEAST hostile part of the journey. If you care about what is sent from your computer use ssl or equivalent.
  If you use telnet. ftp, and/or authenticated http over the internet, WPA/WEP is moot, one of the hops that has glass in and out on the way to your final destination will take your username password combo and log it for future use.
  Your WPA+PEAP is still going through third party networks, many of whom have a history of sniffing all traffic.
  If you care about security block ports 80, 23, and 21. Port 25 should probably also be on the list as well, being as the headers are plain text even if you use pgp/gpg.
  </rant>
  
  --
  Work bio at MMWD
3. Re:WPA has been hacked to deauth by exomondo · 2011-05-17 15:33 · Score: 1
  
  As long as you don't send the information out on the internet sure.
  No, not at all, it's exactly as i said that having encrypted wifi will *always* be more secure than unencrypted wifi, everything beyond that is irrelevant because it is exactly the same in both cases.
  If you want to be captain obvious and say all traffic should be encrypted you go right ahead.
Figures. by Anonymous Coward · 2011-05-18 16:06 · Score: 0

If this was an Apple or Sony bug I'm sure each and every one of you would be ranting about it and how there bad companies. But because its an Android bug your all praising Google and not blaming it on anyone.
Figures, the reason why I hate this site.
1. Re:Figures. by Anonymous Coward · 2011-05-19 00:08 · Score: 0
  
  Agreed.
Uh, no. by gottabeme · 2011-05-19 17:44 · Score: 1

Android apps run in a stinking VM. There's no reason whatsoever that the kernel and drivers have to be distributed with everything else as a monolithic package. The system apps and even the VM should just be packages like anything else and should be updated from Google. The kernel should present an API or ABI to which other packages can be compiled or run against. You know, like Linux. Oh, wait...
What was Google thinking? Android has so much potential but crap like this ruins it. They dug themselves a hole with no way out. The only hope is for thirdparty distros, but those void warranties. What a stupid mess that should have never been an issue.

--
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."