New Android Malware Attacks Custom ROMs

← Back to Stories (view on slashdot.org)

New Android Malware Attacks Custom ROMs

Posted by timothy on Thursday June 16, 2011 @09:32AM from the now-that's-offsides-innit dept.

drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key to be installed to user or app-controlled storage."

105 of 146 comments (clear)

Min score:

Reason:

Sort:

Once again... by Daetrin · 2011-06-16 09:36 · Score: 5, Insightful

The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.

Of course hopefully this isn't news to people who are already computer savy.

--
This Space Intentionally Left Blank
1. Re:Once again... by MobileTatsu-NJG · 2011-06-16 09:42 · Score: 2
  
  The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs...
  Heh. You should look into why people flash their own ROMs.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
2. Re:Once again... by gweihir · 2011-06-16 09:43 · Score: 4, Insightful
  
  That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
3. Re:Once again... by errandum · 2011-06-16 09:57 · Score: 4, Informative
  
  No, half of what you said is completely wrong.
  Flashing a 2.3 ROM will allow you to get the latest security fixes on those mobile phones that are no longer supported by the manufacturer. Even 2+ year old phones get the latest versions from cyanogen, so it extends the life of your device way beyond that of an iPhone.
  Furthermore, unlike apple, that seems to abandon a device when they decide it is too hard to update for it, most of the custom ROMs are made from people that actually own the device, so they simply strip down some features and/or add alternatives so that everyone ends up with the latest fixes.
  The only truth on what you said was, try not to install apps that didn't come from the Android Market and/or reputable sources. Just because you have the choice of installing something else, doesn't mean you should trust everyone.
4. Re:Once again... by TehDuffman · 2011-06-16 09:58 · Score: 1
  
  Of course hopefully this isn't news to people who are already computer savy.
  Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.
5. Re:Once again... by zonky · 2011-06-16 09:58 · Score: 3, Insightful
  
  Mainly because handset makes are lying, deceptive bastards who don't maintain devices.
6. Re:Once again... by hedwards · 2011-06-16 10:02 · Score: 2
  
  I don't know, I think that people who aren't computer literate aren't likely to know that they can. But some of the apps out there will handle it for you, with little interaction on your part.
7. Re:Once again... by tooyoung · 2011-06-16 10:13 · Score: 2, Insightful
  
  Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.
  
  Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone. I can only assume is that the advice is to buy an Android phone from a vendor and flash it. Doesn't this open a number of non-technical people to issues like this?
8. Re:Once again... by ColdWetDog · 2011-06-16 10:13 · Score: 1
  
  Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.
  Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMS and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you.
  
  There will be some 'survival of the fittest' selection here and the vast majority of users that don't root their phones won't have many problems, but there the malware authors think there is enough of a market to spend the time to hack at the platform.
  
  --
  Faster! Faster! Faster would be better!
9. Re:Once again... by PopeRatzo · 2011-06-16 10:17 · Score: 1
  
  The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one then Google will send its army of hackers to try to destroy your life with malware
  
  Fixed.
  
  --
  You are welcome on my lawn.
10. Re:Once again... by artor3 · 2011-06-16 10:19 · Score: 4, Informative
  
  Nice flamebait, but Android phones can leave the walled garden with a simple checkbox in the options menu. Flashing your own ROM is something else entirely.
11. Re:Once again... by syousef · 2011-06-16 10:42 · Score: 1
  
  The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.
  Of course hopefully this isn't news to people who are already computer savy.
  That's the lesson you took from this? I would have thought the lesson to learn was that customer hostile bullshit, like trying to allow apps to install without their consent, is a breach of basic security principles.
  
  --
  These posts express my own personal views, not those of my employer
12. Re:Once again... by HeavyDevelopment · 2011-06-16 10:44 · Score: 1
  
  Yep, the Google official market is TOTALLY safe: Google recently removed at least 10 applications from the Android Market, all of which contained malicious code disguised as add-ons to one of the most popular apps of all time.
  
  --
  Badges!?! We don't need no stinking badges!
13. Re:Once again... by w0mprat · 2011-06-16 11:01 · Score: 1
  
  Once again... it's still massively better than the desktop software ecosystem. Significant malware problems are largely absent considering the millions of devices kicking about now. Android and indeed other platforms can still be called "Virus free" as a rule, although there have been some exceptions.
  
  Android also has a pretty good security model in the OS. There's certainly no cause for alarm.
  
  Massive respect to the ROM community for releasing a security update fast.
  
  --
  After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
14. Re:Once again... by Daetrin · 2011-06-16 11:08 · Score: 1
  
  Please note the "and/or" in the original statement. I don't know how many people flash new ROMs who aren't as computer savy as they think they are (though i suspect it's a non-zero number) but installing "unapproved" apps is pretty easy to do.
  
  --
  This Space Intentionally Left Blank
15. Re:Once again... by znerk · 2011-06-16 11:20 · Score: 1
  
  I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone.
  I have to assume you're an idiot who can't be bothered doing a few seconds of research to see just how incredibly inaccurate that statement is.
  Yes, some companies (hi, Sprint) lock their android devices down nice and tight, preventing the user from removing the stock apps, etc... others (such as AT&T) have a system that is remarkably open, and you wouldn't feel the need to root your device unless you were trying to circumvent specific things (the lack of wi-fi hotspot capability unless you pay an exorbitant fee, for example).
  I bought an Atrix, and my Sprint/Cricket-using friends were all amazed when I showed them that I can uninstall/reinstall the stock AT&T-branded apps at will, with no flashing or rooting required.
  
  --
  This work is licensed under a Creative Commons Attribution 3.0 Unported License.
16. Re:Once again... by Jonner · 2011-06-16 12:13 · Score: 1
  
  It's always a really dumb idea to download random apps from anywhere as anyone who has downloaded trojans from the Google Market knows. The other important lesson from this is that you should not sign code with a well-known private key. It was a pretty dumb thing for the CM team to do.
17. Re:Once again... by MobileTatsu-NJG · 2011-06-16 12:50 · Score: 1
  
  Yes, the platform that at one point (a year ago) let you root your phone by visiting a website is better.
  FTFY.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
18. Re:Once again... by Eric(b0mb)Dennis · 2011-06-16 12:54 · Score: 2
  
  It's weird but I've experienced the opposite...
  People who are very illiterate with computers ask me about 'hacking' their device constantly, for free stuff.
  
  --
  Excuse me, I don't mean to impose, but I am the ocean
19. Re:Once again... by thegarbz · 2011-06-16 12:57 · Score: 1
  
  Vendors don't load phone with crapware, carriers do. Also carriers only have one lockdown feature available which is the standard carrier lock on all phones.
  But even looking at the worst vendor, Motorola, there is no additional lockdown in the functionality of the phone. Your Motorola Droid is every bit as functional as a Google Nexus S operating system wise. The only additional locks some dodgy vendors put in the system is one that prevents the kind of tinkering that allows you to play with custom ROMs or flashing the bootloader. The Droid is as locked down as the iPhone. It's also not very popular.
  But again that's just one vendor. Pick another if you don't like it. For the major tinkerer who likes to play with things such as Cyanogen mod the Samsung Galaxy S for instance you hold down 3 buttons and it puts you into download mode. Run a tool on the computer and you can flash whatever the hell you want to the phone.
20. Re:Once again... by TehDuffman · 2011-06-16 13:32 · Score: 1
  
  Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.
  Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMS and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you. There will be some 'survival of the fittest' selection here and the vast majority of users that don't root their phones won't have many problems, but there the malware authors think there is enough of a market to spend the time to hack at the platform.
  Apparently your reading level is elementary school -1...
  
  We aren't talking about rooting or jail breaking a phone here. This is completely changing the operating system on your phone. It requires quite a bit more time and effort than rooting your phone. Most people who are changing the ROMs on their phones know what they are doing. Only something like 500k use CM which is a tiny fraction of the android user base.
21. Re:Once again... by Kalriath · 2011-06-16 14:07 · Score: 1
  
  Actually, that's wrong. Carriers can also lockdown Android to not allow installation of non-market apps. AT&T used to.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
22. Re:Once again... by dudpixel · 2011-06-16 15:58 · Score: 1
  
  wait, you're comparing apple with custom rom makers now?
  I love android but this is not an apples to apples comparison, pun intended.
  How much support does Google give you for your phone software updates?
  How much support does the manufacturer of your phone give?
  I'd say Apple supports their hardware AND software a lot better than either of the above.
  Its great that Android is open source, but you cant compare the efforts of ROM makers with an actual manufacturer. If Apple released their source code, do you not think the jailbreak community would have something equally as good?
  Lets not make this story into something it isn't.
  What we do have with Android is greater freedom which brings greater responsibility. "Look before you leap" definitely applies when flashing custom ROMs on your phone AND when installing apps on your phone.
  I use Lookout Mobile security on my phone (no I dont work for them) since I'm a bit paranoid, and it doesn't slow down the phone.
  
  --
  This seemed like a reasonable sig at the time.
23. Re:Once again... by AvitarX · 2011-06-16 17:22 · Score: 1
  
  I'd be willing to bet plenty of the "computer literate" type do. It's not that hard to follow step by step directions.
  I suspect many do it for free/reduced price apps from shady sources even.
  The type of person that said ie7 was essentially Firefox at the office (they were digging the tabs, which I guess made them somewhat similar at a glance. The type with 10s of thousands of dollars of software on their computer that they don't even vaguely know how to use. Pretty much anyone with 'lite skillz would be a pretty easy target for this I bet.
  Hell, it makes me nervous to know that an app can bypass the permissions granting on my phone, it's kind of a big deal.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
24. Re:Once again... by MikeBabcock · 2011-06-16 17:27 · Score: 1
  
  In the world of "custom rom with one possible problem as a result that's been fixed in cyanogen" vs "stock rom that never gets updated with security fixes two years later", I'll take my chances with the first.
  
  --
  - Michael T. Babcock (Yes, I blog)
25. Re:Once again... by colinnwn · 2011-06-16 17:40 · Score: 1
  
  I couldn't find a reference to whether CM was signing their ROM with the ASOP private key or not. Maybe they were, or maybe they weren't. This summary and the link to the CM developer comment doesn't by itself suggest CM was actually doing that dumb thing. What the CM 7.0.3 update supposedly prevents is the installation of any external apps signed with the ASOP private key. It is like how the native ActiveSync client in Android doesn't allow the use of self signed certificates anymore.
26. Re:Once again... by thegarbz · 2011-06-16 17:59 · Score: 1
  
  Actually it's still right. But you're right too. This is the result of the strange relationship vendors have with specific carriers rather than a result of the carriers themselves. Carriers can add CSCs to Android which do things like push the aforementioned bloatware, but they can NOT disable features of the OS. They rely on vendors creating a specific handset for the carrier with specific firmware modifications if they wish to do that. e.g. There are two HTC Arias in circulation. One has an AT&T logo on it and comes with the restriction you mention. This is HTC's doing, not AT&Ts, and there's nothing stopping me from getting the normal HTC Aria and signing up to a pre-paid AT&T without restrictions.
  The way your mobile vendors and carrier work together to bring the same product with a different logo on it is incredible to say the least. The example I used before the Samsung Galaxy S there are:
  Samsung Captivate - AT&T
  Samsung Vibrant - T-Mobile
  Samsung Fascinate - Verizon
  Samsung Epic - Sprint
  Samsung Galaxy S - The rest of the bloody world.
  These phones are so close to identical that you can cross load the firmwares between them. They have minor differences in buttons but are all a Samsung Galaxy S underneath.
  In comparison in Australia you get
  Samsung Galaxy S with the OPS CSC - Optus
  Samsung Galaxy S with the VAU CSC - Vodaphone
  Samsung Galaxy S with the XSA CSC - Telstra
  All the same phone with CSCs just as intended by the Android system. All phones have an identical feature set save for the added bloatware.
27. Re:Once again... by arglebargle_xiv · 2011-06-16 20:19 · Score: 1
  
  Using Public Key Cryptography wrong removes any security it grants.
  You can even see the problem in the original article, which refers to:
  
  publicly available private keys
  What's wrong with this picture?
28. Re:Once again... by pandrijeczko · 2011-06-16 21:52 · Score: 1
  
  Let me give you a real world scenario, rather than your somewhat speculative comments.
  I'm in the UK, my provider is Vodafone, and I recently got a free upgrade from them so I went from a Google Nexus One (which incidentally had stock apps on it when originally sent to me) to a HTC Desire Z (for the keyboard) where the only non-standard thing I've noticed on it was a Vodafone bootup logo for about 10 seconds - if anything, I was quite shocked at how bereft it actually was of apps straight out of the box. So I've yet to see any of these crap-ware loaded phones of which you speak.
  The new phone is my main private/business phone and will stay with the standard Android ROM and any official updates. The older Nexus One is still very useful, I've just thrown 32GB MicroSD cards into both phones so I now have a nice load of portable music/video storage - what I will do with that phone is buy a cheap Pay As You Go SIM with some data allowance on it and then try out some hacked ROMs because I like fiddiling with stuff. Ultimately, if a piece of malware gets on it then the best it can do is use up the £10-odd PAYG credit that will be on the phone.
  Yes, I'm very computer savvy, already a fiddler and this way it gives more opportunity to fiddle without too much risk to myself. People who don't know the risks of what they're doing when it comes to flashing custom ROMs simple shouldn't do it.
  
  --
  Gentoo Linux - another day, another USE flag.
29. Re:Once again... by errandum · 2011-06-16 22:59 · Score: 1
  
  Oh god.
  No, I was answering to the person who said using custom roms was dangerous and half way to get a virus. Unlike what was said, they let you have the latest fixes for a long time after it stops being supported.
  I said that in a way it was an advantage over apple because, even though they support your phones for 2 years, after you're abandoned, either you buy a new one, or you're stuck with what you get.
30. Re:Once again... by gweihir · 2011-06-17 05:55 · Score: 1
  
  Test-keys, probably with a strong "DO NOT USE FOR PRODUCTION" comment. That is typically fine, if the users have a minimum of knowledge, skill and diligence. Qualities sadly missing in many people fancying themselves hackers or developers.
  That and OS development kit does assume a minimum of competence is perfectly fine IMO.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
31. Re:Once again... by bluemonq · 2011-06-19 09:47 · Score: 1
  
  Yes, the platform that at one point (a year ago) let you root your phone by visiting a website is better.
  FTFY.
  http://veryrite.com/2011/06/19/ipad-2-jailbreak-4-3-3-jailbreakme-3-0-ios-5/
32. Re:Once again... by MobileTatsu-NJG · 2011-06-19 10:17 · Score: 1
  
  I stand corrected.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Incompetent key handling. No surprise. by gweihir · 2011-06-16 09:41 · Score: 4, Interesting

Those that do not understand how Public Key Crypto works should not use it.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
1. Re:Incompetent key handling. No surprise. by errandum · 2011-06-16 10:05 · Score: 1
  
  You have to understand that most of the people doing ROMs are hobbyists with no idea about the fundamentals of a lot of stuff. They have some programming skills and follow a tutorial on how to get things to work... and that's about it.
  There isn't that much information going around about what keys or how they should be used in relation to Android :\
2. Re:Incompetent key handling. No surprise. by rwven · 2011-06-16 10:06 · Score: 4, Insightful
  
  That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
3. Re:Incompetent key handling. No surprise. by Anonymous Coward · 2011-06-16 10:17 · Score: 1
  
  That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
  No, it's like saying, "Those who don't know how a locking mechanism works shouldn't be rekeying locks."
4. Re:Incompetent key handling. No surprise. by F.Ultra · 2011-06-16 10:17 · Score: 1
  
  No it's more like "Those who don't know how a locking mechanism works shouldn't try to make their own car lock"
5. Re:Incompetent key handling. No surprise. by Amouth · 2011-06-16 10:18 · Score: 1
  
  but they shouldn't trust it fully.. no one should.. unless they understand it.
  Honestly a lot of people are surprised that locksmiths can make them a new key by just having the VIN of the car..
  If you understand it then you can trust it as much as you are willing based on that understanding.. sadly there is this blip on the curve when it comes to "security" where most people who know nothing about a method will trust it because they don't understand it and don't want to bother to.
  
  --
  '...if only "Jumping to a Conclusion" was an event in the Olympics.'
6. Re:Incompetent key handling. No surprise. by rwven · 2011-06-16 10:24 · Score: 1
  
  Yes, but it's completely unreasonable to develop everyday end-user systems and then say that "unless a person as a CS degree and understands the underpinnings of the software, they shouldn't be using it." The OP posted a shortsighted, ego-ridden comment that is completely ridiculous in any real-world context.
7. Re:Incompetent key handling. No surprise. by blair1q · 2011-06-16 10:27 · Score: 1
  
  I didn't understand your post. Could you send me your private key so that I can decode it?
8. Re:Incompetent key handling. No surprise. by Amouth · 2011-06-16 10:44 · Score: 1
  
  Your right about the OP - and i agree with you on that..
  I feel the problem is in peoples lack of taking the time to understand the basics of the tools they are using and are relying on.. it doesn't take a CS degree to understand the basics.
  
  --
  '...if only "Jumping to a Conclusion" was an event in the Olympics.'
9. Re:Incompetent key handling. No surprise. by Abreu · 2011-06-16 11:04 · Score: 1
  
  Nothing more dangerous than a little knowledge, eh?
  
  --
  No sig for the moment.
10. Re:Incompetent key handling. No surprise. by rwven · 2011-06-16 11:05 · Score: 1
  
  No... That would be like saying "Those that do not reverse engineer Public Key Crypto should not use it."
11. Re:Incompetent key handling. No surprise. by mysidia · 2011-06-16 11:53 · Score: 1
  
  That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
  No. "Those who don't understand how a lock is operated shouldn't use a car that requires keys"
  "How public key crypto works" is a basic cryptography topic; at the same level as knowing that you turn a key to open a lock.
12. Re:Incompetent key handling. No surprise. by rwven · 2011-06-16 14:31 · Score: 1
  
  Saying public key crypto is a basic cryptography topic is one thing. Righteously expecting the average joe to understand "basic cryptography" is egotistical bullcrap.
13. Re:Incompetent key handling. No surprise. by dudpixel · 2011-06-16 16:01 · Score: 1
  
  More like "Those who don't know how a locking mechanism works shouldn't be the ones installing locks."
  
  --
  This seemed like a reasonable sig at the time.
14. Re:Incompetent key handling. No surprise. by dkf · 2011-06-16 20:07 · Score: 1
  
  Those that do not understand how Public Key Crypto works should not use it.
  In other news, gweihir has announced that he will no longer be accessing any website via HTTPS.
  (The number of people who understand the whole of a public key crypto system and deployment is vanishingly small. The underlying math is difficult. The programming is easy to make errors in. The way to use it, not all that obvious either going by the massive quantities of misinformation I see here and elsewhere on the 'net. Public key crypto is only practical to use if you don't understand it all; fortunately, there are useful abstractions for most of it that are accessible. Now, if only the firmware makers grokked even that little bit...)
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
15. Re:Incompetent key handling. No surprise. by arglebargle_xiv · 2011-06-16 21:41 · Score: 1
  
  That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
  No, it's like saying, "Those who don't know how a locking mechanism works shouldn't be rekeying locks."
  No, it's like saying, "Those who don't know how a locking mechanism works shouldn't be removing their own appendix with a rusty sardine can".
  (Kids these days, couldn't lance a pimple without an electric vibrating scalpel with automatic drain and suture).
16. Re:Incompetent key handling. No surprise. by mcvos · 2011-06-16 22:05 · Score: 1
  
  But Cyanogen Mod is a pretty big project by now, isn't it? I can't believe nobody involved in it has any basic knowledge of public key encryption.
  How can people who know enough about encryption to root a phone, not know about public key encryption? I completely fail to understand the world today.
17. Re:Incompetent key handling. No surprise. by mcvos · 2011-06-16 22:07 · Score: 1
  
  This is the winner.
  Keeping your private key non-private is the same as giving everybody access to your car key.
18. Re:Incompetent key handling. No surprise. by mcvos · 2011-06-16 22:12 · Score: 1
  
  This isn't about average Joes. It's about people who create OS distribution (not something the average Joe does), and then sign them with a private key that's not private.
  Any programmer worth his salt should know at least the very basics of public key encryption, especially if he's actually going to make use of it. Why would you sign software when you don't even know why you're signing it?
19. Re:Incompetent key handling. No surprise. by Lorkki · 2011-06-16 22:16 · Score: 1
  
  Are we still talking about the people who roll out custom Android firmware?
20. Re:Incompetent key handling. No surprise. by errandum · 2011-06-16 23:28 · Score: 1
  
  it looks like some do, so they fixed it. CM is not vulnerable.
21. Re:Incompetent key handling. No surprise. by adavies42 · 2011-06-17 05:08 · Score: 1
  
  i've met people who've been shocked at how quickly standard pin tumbler locks can be picked by an expert (i.e., as fast as you can open a slightly stuck lock with its own key).
  if that's your level of understanding, you shouldn't be choosing the locks for a new building....
  
  --
  Media that can be recorded and distributed can be recorded and distributed.
  -kfg
22. Re:Incompetent key handling. No surprise. by gweihir · 2011-06-17 05:26 · Score: 1
  
  I understand that. But these people need to understand that they or their users have zero right to complain about insecurities caused because of lack of understanding of basic security mechanisms. Public Key Crypto is not an Android concept, but a very basic crypto mechanism.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
23. Re:Incompetent key handling. No surprise. by gweihir · 2011-06-17 05:33 · Score: 1
  
  And same to you. Rather obviously my posting was about developers, not users. If you had any effective intelligence, you would immediately have seen that. Instead you have a big mouth and throw around insults. Pretty pathetic.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
24. Re:Incompetent key handling. No surprise. by gweihir · 2011-06-17 05:41 · Score: 1
  
  Are we still talking about the people who roll out custom Android firmware?
  I was. Seems quite a few people here are not and then blame me for their misconceptions. Pathetic, really.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
25. Re:Incompetent key handling. No surprise. by gweihir · 2011-06-17 05:44 · Score: 1
  
  Seems this level of clarity is necessary here. Of course that is what I said, "use" as in "use" do develop or modify.
  To many big egos with very small attached minds here.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
26. Re:Incompetent key handling. No surprise. by gweihir · 2011-06-17 05:48 · Score: 1
  
  Look at story: "Custom ROMs insecure because of public key reuse". Where these ROMs made by ordinary users? No. Then why do you assume I commented on ordinary users? Plain old stupidity? Overagression? Had a bad day at work?
  And for your information, I do know how PKK works, including the mathematics behind it. How dare you assume otherwise?
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
27. Re:Incompetent key handling. No surprise. by Amouth · 2011-06-17 06:51 · Score: 1
  
  agreed - people who do not understand things should not be in charge of them..
  
  --
  '...if only "Jumping to a Conclusion" was an event in the Olympics.'
Re:Just like with a PC by errandum · 2011-06-16 10:00 · Score: 1

I have a theory that cloud AV is the way for mobile phones. Just insert a layer before install that will check signatures of what you have, report a positive/negative if it knows the file, and upload for checking if it doesn't.
That way you'd save on batter and computing power and, lets face it, if you're installing something from the internet, it means you have it, so no harm done.
Permanent AV protection is not needed in a mobile phone, I think.
Why are you talking about Apple? by Brannon · 2011-06-16 10:03 · Score: 1, Flamebait

This is an Android story.
And since when does Apple not support software on 2+ year old phones? Can you name a single vulnerability for any version of iPhone which doesn't have an available Apple-supported patch?
Any single one. Dating back to the original iPhone from 4 or so years ago. Go ahead, I'll wait.
1. Re:Why are you talking about Apple? by errandum · 2011-06-16 10:16 · Score: 3, Interesting
  
  And I speak from experience because I did own an original iPhone that stopped being supported long long ago.
  And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.
  That means 2 years support (as I said) is the norm. Compare that to the 7 years of support windows XP had and you'll get my point.
2. Re:Why are you talking about Apple? by errandum · 2011-06-16 10:21 · Score: 1
  
  That's exactly my point. After a while they stop supporting them - didn't think to look in Wikipedia.
  Those android versions, how do they work without the extra buttons?
3. Re:Why are you talking about Apple? by peragrin · 2011-06-16 12:20 · Score: 1
  
  true but Android handset manufactures only give you 6 months, of bug fixes, and maybe 18 months if it was a really popular handset,
  Apple gives you 30 months(my iphone 3G is updated to 4.1 ) Then again apple doesn't let the battery to be easily changed. so after 3 years the battery life is drastically reduced. With proper care they can still be good(I still get 2-3 days out of mine) but I take care to turn off wifi and bluetooth when not in use.
  Windows Phone only gives you bug fixes if the carriers approve taking 2-6 months longer than MSFT, so no emergency bug fixes will be pushed through.
  All that said I have to go root my nook color soon. The built in web browser and email client are beginning to annoy me.
  
  --
  i thought once I was found, but it was only a dream.
4. Re:Why are you talking about Apple? by errandum · 2011-06-16 12:36 · Score: 1
  
  Show me those 3 years please. Count the months. Most go for 2.x years. iPhone 4 might go for a lot longer simply because the iPhone 5 is nowhere to be seen. But that's it.
  Even that article proves my point. That's when they announced no more updates, but the last update was 3.1.3 that got released way before the "3 years" you claim.
5. Re:Why are you talking about Apple? by geminidomino · 2011-06-16 12:37 · Score: 1
  
  Iffy, at best, I'd wager, but not impossible. The Autonooter ROM for the Nook Color uses "softkeys' as a passable but far-from-perfect replacement that implements the buttons in software. Cyanogenmod has a much nicer and better functional one, but unfortunately, I don't know what it is.
6. Re:Why are you talking about Apple? by errandum · 2011-06-16 12:37 · Score: 2
  
  That's the whole point of the original argument (that fanboys modded down)
  While there is people out there that use a phone, anyone can compile the latest fixes -(or get them from someone who knows how), hence, having a very long term support.
  Saying "ohh, don't install custom roms or you might get viruses" is stupid because those custom roms will give you access to the latest version on most phones when it comes out (with all the security features).
  You don't depend on a company (Apple or HTC or Samsung) to get your updates. If you want them, you can do it yourself.
  PS:2 years, 2.5, what's the point? It's limited support and, sometimes, crappy (if you have a 3G you know that iOS 4 kind of made it... crap - hanging a lot etc).
  So, to sum up, no, ROM's aren't evil and if you still take care with the places you get apps from there is no problem whatsoever.
7. Re:Why are you talking about Apple? by Lanteran · 2011-06-16 13:50 · Score: 1
  
  None that I know of are operational yet- don't even know of any that are bootable at all.
  
  --
  "People don't want to learn linux" hasn't been a valid excuse since '03.
8. Re:Why are you talking about Apple? by simmonsjeffreya · 2011-06-16 15:13 · Score: 1
  
  The way Apple does updates is a non-issue for most Mac users and makes sense to drop support for older versions.
  
  A.) It keeps most people on a similar OS version, making it easier for Apple and I'd suspect most developers appreciate this as well. It's no fun trying to support a million different OS configurations, which is the case with Windows.
  B.) They still support even the oldest Intel Macs with the latest OS, no one is being left out. This again allows everyone to be on a similar OS, making it easier for them.
  C.) Unlike Windows where upgrading costs hundreds, even for a laptop that may have only cost $400, an OS X full system upgrade is only $30. If you paid $1,500-$5,000 for a system, $30 shouldn't be making you cringe, and personally, the features added are well worth the $30.
  D.) It minimizes the amount of users who, for one reason or another, choose to stick with an OS that is over ten years old. Again, this is an issue for developers, who have to support all these configurations or lose out on a good portion of potential sales.
  
  IMO, Apple is doing things the right way, and if I were in charge of a tech company that produced one of the major consumer operating systems, I would much rather go the route they chose, than the route Microsoft chose. All of these reasons apply to OS X as well as iOS.
9. Re:Why are you talking about Apple? by colinnwn · 2011-06-16 17:20 · Score: 2
  
  It is only $30 if you are careful to never miss an upgrade cycle. If you do, the cheap upgrade disks disappear from availability, and you have to call 800-i-fanboi to be told the upgrade will now set you back something like $180. Found that out the hard way after my aunt purchased an iPhone against my recommendation, then she discovered she couldn't sync it to her only computer, a PowerPC Mac.
10. Re:Why are you talking about Apple? by teh+kurisu · 2011-06-16 19:48 · Score: 1
  
  And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.
  
  Generally I find that it's support from app developers that starts to disappear first, as they start to take advantage of new OS features. Apple security updates for a given version of OS X are usually the last to dry up.
11. Re:Why are you talking about Apple? by teh+kurisu · 2011-06-16 19:54 · Score: 1
  
  I think you're getting muddled up - Snow Leopard was the first release to be priced at around $30 (and Lion will be the second). Previously, releases cost around $130.
  Both of these releases were Intel only. The last version of OS X to support PPC was Leopard, and upgrading from Tiger to Leopard would have cost $130.
12. Re:Why are you talking about Apple? by freedumb2000 · 2011-06-16 21:56 · Score: 1
  
  Not sure what you are talking about. It says it is 29$ for the full version: http://www.amazon.com/Mac-version-10-6-3-Snow-Leopard/dp/B001AMHWP8/ref=sr_1_1?ie=UTF8&qid=1308295261&sr=8-1
13. Re:Why are you talking about Apple? by peragrin · 2011-06-16 22:43 · Score: 1
  
  Actually my 3G never suffered from iOS 4 problems for some reason. it doesn't hang, it doesn't do anything that was complained about. in deed now that it has been running a while it is moving as fast as it ever did.
  then again I don't play a lot of games on my phone so I might not have stressed it enough to notice.
  my only problem is if the android community doesn't care to upgrade your phone for you it never will be. How come Apple gets blasted for not supporting a phone for 20 years but android manufacturers gets off the hook for not doing it for 6 months. Double standards piss me off.
  
  --
  i thought once I was found, but it was only a dream.
14. Re:Why are you talking about Apple? by errandum · 2011-06-16 23:10 · Score: 1
  
  You did not see the uproar on the htc page when they said 2.3 was not coming to the Desire? It seems that now it will.
  No one is off the hook. But android gives you a valid alternative to the lack of support the big corporations give you.
15. Re:Why are you talking about Apple? by colinnwn · 2011-06-17 00:18 · Score: 1
  
  I said if you miss an upgrade cycle. Snow leopard would mean you didn't miss an upgrade cycle. I also said direct from Apple, not a third party that might have new old stock. Though most vendors immediately jack up the price after you can't get it from Apple anymore. Look again on Amazon for "Leopard" NOT "Snow Leopard".
16. Re:Why are you talking about Apple? by colinnwn · 2011-06-17 00:22 · Score: 1
  
  Not exactly muddled up, but I'm not an Apple person, so I don't know the history. When I was trying to upgrade her, I searched google to see what the options were. It looked like people were saying when Leopard first came out, you could upgrade from Tiger to Leopard for $30, and that after Snow Leopard came out they discontinued those upgrade disks. I guess you are saying this is incorrect?
17. Re:Why are you talking about Apple? by teh+kurisu · 2011-06-17 00:35 · Score: 1
  
  It sounds incorrect to me, although I'm not infallible :)
  I do distinctly remember that I didn't upgrade my PowerBook G4 to Leopard because I couldn't justify the cost. $30 I could stomach, $130 not so much.
18. Re:Why are you talking about Apple? by LoganDzwon · 2011-06-17 01:16 · Score: 1
  
  There is no patch for the original iPhone because it is not susceptible to that problem. Original iPhone only runs up to 3.1.3. I'm not saying it doesn't exist, that iOS version is pretty old... but you would need to actually find a known vulnerability in 3.1.3 to prove him wrong.
19. Re:Why are you talking about Apple? by wkcole · 2011-06-17 05:06 · Score: 1
  
  That's the whole point of the original argument (that fanboys modded down)
  While there is people out there that use a phone, anyone can compile the latest fixes -(or get them from someone who knows how), hence, having a very long term support.
  Not so much, or at least not always.
  For some phones (e.g. the Samsung Moment, released November 2009) you MUST have a real Windows machine (i.e. not even a VM ) to replace the manufacturer's deathgrip firmware. See, the "USB" port is shaped right and everything and often acts much like a real USB port, but when it comes to flashing the devices, well, it isn't. It's something that you need special drivers to talk to, and unless you want to go writing almost-USB drivers for some other system, you are stuck needing Windows running on bare metal. I sure wish I'd known that in 2009... It's not that I would have bought an iPhone (AT&T signal is zero where I am sitting) but it definitely would have made me more careful. Based on what I've read, Motorola and HTC have also worked to make it difficult to reflash their handsets. I'm not sure that there's a device running Android that is worth having once you eliminate the makers who have worked to close the mythical openness of Android.
  I think that's what has essentially ruined any sort of advantage Android might have had over other platforms based on its "openness." It's a myth that come very close to fraud, missing only because the real evangelists of the myth are fanboys rather than anyone selling anything. It would be easier for me to jailbreak an iPhone than to flash my Moment with Android 2.2, even if I did have a Windows machine to do so with. For most users, a phone OS is not usefully "open" if their device manufacturer and carrier want it to be closed, as is the case for the biggest device manufacturers and all of the major US carriers. Making that worse, the resource demands of Android have increased so much with successive versions that I doubt it would even make sense to try 2.3. The same has not been true of iOS over the same period. The unfortunate reality is that people who bought the latest iOS devices in the second half of 2009 (i.e. iPhone 3GS and 3rd gen. Touch) are still able to run the latest iOS rather painlessly, whereas most people who bought Android devices during the same period are probably never going to see anything later than 2.1 in a form that is easy to install and even those who do get 2.2 will probably not be happy with what they get. It's enough to make me miss Palm...
20. Re:Why are you talking about Apple? by scot4875 · 2011-06-17 05:18 · Score: 1
  
  A.) It keeps most people on a similar OS version, making it easier for Apple and I'd suspect most developers appreciate this as well. It's no fun trying to support a million different OS configurations, which is the case with Windows.
  Ahh, this must be why practically every piece of software ever written for Win32 still works in Windows 7, and why Visual Studio does such a good job of abstracting out newer features so that developers can use them and have a backwards-compatible fallback automatically with no extra effort.
  --Jeremy
  
  --
  Jesus was a liberal
21. Re:Why are you talking about Apple? by PipsqueakOnAP133 · 2011-06-17 09:31 · Score: 1
  
  From what I heard, when iPhones started needing versions of iTunes that don't run on 10.4 while 10.5 was already not available, it was possible to call in to Apple's tech support, tell them you can't find 10.5, and they'd send you 10.5 for free.
Even better... by xded · 2011-06-16 10:04 · Score: 1

If somebody does not even wonder why a private key is called like that, he should be kept away at all times from any computer system more complex than a pocket calculator.
1. Re:Even better... by gweihir · 2011-06-17 05:23 · Score: 1
  
  Indeed. Maybe they thought it was a "Private's" key as opposed to an Officer's key?
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:first post! by ColdWetDog · 2011-06-16 10:06 · Score: 2

4chan down again?

--
Faster! Faster! Faster would be better!
What % of 3rd party installed ROM base is non-CM7? by technomom · 2011-06-16 10:09 · Score: 1

Of the ROM-installing community, what percentage is NOT using CM 7.0.3?
Re:What % of 3rd party installed ROM base is non-C by Anonymous+Psychopath · 2011-06-16 10:14 · Score: 2

Of the ROM-installing community, what percentage is NOT using CM 7.0.3?
Everyone using a custom ROM on a device that CM does not support. I'm not sure how many that is, but it includes the HTC Thunderbolt users.

--
Eagles may soar, but weasels don't get sucked into jet engines.
Re:What % of 3rd party installed ROM base is non-C by namalc · 2011-06-16 10:18 · Score: 2

Those on devices where the CM 7.0.3 port is still very much a (buggy) work in progress, such as the LG Optimus.
Re:What % of 3rd party installed ROM base is non-C by rrossman2 · 2011-06-16 10:31 · Score: 3, Interesting

A lot. I was using's Doc's Rom Kitchen as it had a lot better support for my SGS. I ended up trying a CM7 nightly for my SGS, it was alright, but the cameras were too dark to be functional, and my ability to text went out the window. Reverted to a stock ROM, and while I can receive texts, I still can't send (which is more so confusing to me than anything as I really don't text).
I'm now using the Insanity CM GalaxyS ROM (which is based on CM7, but is very stripped down and lite.. I love it). Also flashed the 2.6.35_7_Glitch Insane Edition V10 ROM for the i9000, which is freakin sweet!
Not wanting to start a GLP flame war but... by nickovs · 2011-06-16 10:38 · Score: 2

... while the code for Android is GPLv2, the move of various other projects towards GPLv3 is only going to make this sort of problem worse. The 'anti-Tivoisation' clause basically demands that some authorised signing key gets distributed with any GPLv3 code that needs to be signed in order to run, and that the available signing key grants all the rights necessary for that code to function. While it is of course possible for users to completely rebuild the trust hierarchy with their own keys, very few people will be willing to do so. As a result it seems likely that any GPLv3 project will be unable to make effective use of signing as a mechanism for preventing the execution of rogue code, even if the license allows for it in theory.

--
If intelligent life is too complex to evolve on its own, who designed God?
1. Re:Not wanting to start a GLP flame war but... by klapaucjusz · 2011-06-16 13:48 · Score: 1
  
  ... while the code for Android is GPLv2,
  No, it isn't. The kernel is GPLv2, but that's just a tiny wee bit of Android. The user-space code uses a mixture of non-copyleft licences (mostly the APL).
  
  the move of various other projects towards GPLv3 is only going to make this sort of problem worse.
  Much as I dislike the GPL (and especially the GPLv3), that's nonsense.
  --jch
2. Re:Not wanting to start a GLP flame war but... by s_p_oneil · 2011-06-17 00:56 · Score: 1
  
  While I dislike the GPL, you're wrong. The problem is not that the private key used to build the OS was publicly available, but that any app using that key was trusted implicitly. Fix that (which is what they just did), and the problem goes away. From what I've read, it sounds like Windows 7 has the same problem. I believe UAC is disabled for apps signed with Microsoft's private key. If anyone ever got their hands on that key (I wouldn't be surprised if the US and/or Chinese governments already had it), they could do a lot with it.
3. Re:Not wanting to start a GLP flame war but... by PipsqueakOnAP133 · 2011-06-17 09:47 · Score: 1
  
  The GPL bothers me too. If I had the choice to utilize an open source project that was GPL licensed and BSD/Apache/MIT licensed, I'd pick the less restrictive license and still release my changes. The GPL is simply something I'd rather not deal with because it imposes restrictions on code that the project does not own.
  LGPL is fine, although I do find it to be a problem when in a proprietary project and on platforms where dynamic linking isn't possible. In that specific case, LGPL essentially becomes the GPL again.
  Simply put, I feel the choice to add functionality, minor or major from another project, should not impose restrictions outside of that project.
  I'm perfectly okay with making changes in a project and contributing them back, even handing over control of copyright to the project owner. But having that escape the project boundaries and impose restrictions on code not sourced from the project (and usually not something you'd integrate back into the project) is simply something I'm not cool with.
Re:To hell with the app culture by Anonymous Coward · 2011-06-16 14:05 · Score: 1

Give me a phone platform with only open source apps and stop thinking that you will be rich by selling stupid nonsense apps.
*gives fellow AC Maemo*
(It's OK, Nokia wasn't using it anyway. They're too busy setting their Meego platform on fire so they can jump off it.)
Really, it's basically what you describe. We have a community open-source repository with an automated build system. Submit your Debian source package, it builds, and the deb shows up in "extras-devel"; if you like it, you (the developer) can promote it to "extras-testing", and after a community testing process (n people have to rate it as ready for promotion), it's automatically promoted out to plain "extras" which is intended for end-users.
Of course, in reality a ridiculous proportion of power-users run extras-testing or even extras-devel daily, and only pin something to an older version (and ideally file a bug, but you know that's rare) if/when something breaks.
Last year Nokia finally brought their "ovi" app-store to the N900, but it has laughably few and pitiful apps compared to the extras repo.
I have no clue if something similar will exist for the Nokia Meego device whenever they finally crap one out, but it's one of the biggest strengths of the platform IMO.
Re:What % of 3rd party installed ROM base is non-C by dudpixel · 2011-06-16 16:02 · Score: 1

Of the ROM-installing community, what percentage is NOT using CM 7.0.3?
anyone with a samsung galaxy s/s2 phone for a start.

--
This seemed like a reasonable sig at the time.
Grammar nitpick by jabberw0k · 2011-06-16 17:00 · Score: 1

You don't have "firmwares" any more than you can have "softwares" or "hardwares" or "clothings" -- no; you have two firmware sets, two pieces of software, two pieces of hardware, and two items of clothing. These are all collective nouns.
1. Re:Grammar nitpick by adavies42 · 2011-06-17 05:15 · Score: 1
  
  this. you can always pluralize a mass noun (not a collective noun, that's something else) to refer to multiple kinds.
  
  --
  Media that can be recorded and distributed can be recorded and distributed.
  -kfg
It started simpel by Babystrauss · 2011-06-16 20:10 · Score: 1

Welcome to the new world. I am still waiting for the first virus to kill my office mobile ^^
Re:Not ROMs by mcvos · 2011-06-16 22:19 · Score: 1

I often wonder what people mean by "ROM" when they're talking about Android distributions (because that's what they are). I've always hoped it meant something other than "read-only memory". But if Android modders get even that basic bit of computer terminology wrong, it's no surprise they don't understand public key encryption either.
But does that mean there are really no competent Android modders? I was actually expecting a bit more from that community.
I'll put my money on five years by ThatsNotPudding · 2011-06-16 23:33 · Score: 1

until every platform, OS, - hell, everything smarter than a toaster - is rendered insecurable.
Always scan for malware before downloading an app! by ciagucle · 2011-06-17 00:13 · Score: 1

I is really a pity that Android is plagued by malware problems. There is only one way out, or use a trusted store use only an Android app search engine which offers an antivirus and malware tool.
Re:What % of 3rd party installed ROM base is non-C by aztrailerpunk · 2011-06-17 01:19 · Score: 1

Nightlies are exactly that. You shouldnt be using them unless you are committed to testing very beta and possibly unstable roms. The plus however, is that we get to play with all the new toys first if it works great. Otherwise we simply go back to our restore point on the prior nightly.

--
Foot placed squarely in mouth since 1983.
Re:What % of 3rd party installed ROM base is non-C by JackieBrown · 2011-06-17 06:01 · Score: 1

I didn't realize there were more than one. Thanks for the big list. I will have to check how many support the color nook.