Poking Holes In Samsung's Android Security
Orome1 writes "Tired of waiting for Samsung to fix a string of critical flaws in their smartphones running Android, Italian security researcher Roberto Paleari has decided to inform the public about the seriousness of the matter and maybe make the company pick up the pace. Mindful of the danger that the vulnerabilities present to the users if they are exploited by malicious individuals, he decided not to share any technical details, but to just give a broad overview of what their misuse would allow. This includes a silent installation of highly-privileged applications with no user interaction and an app performing almost any action on the victim's phone."
The Exynos memory bug (often referred to as ExynosAbuse exploit) was released publicly and fixed rather quickly. This seems to be the way for Samsung - responsible disclosure just doesn't work with them. This has been proven time and again.
Say what you will about Apple & the iPhone, but I appreciate the tight integration of OS & hardware and their desire to provide a consistent & reliable user experience. I own and use a (Sprint) Samsung Galaxy S2 Epic 4G Touch, and it was a series of broken promises on ever getting ICS. When finally rolled out, it wasn't the true Android experience, but some half-baked Samsung-proprietary interface aka "Touchwiz." Great, that wasn't what I was sold when I purchased the device. I want Android, not Samsung's half-baked, bug-filled, garbage-software-filled version of it.
Eventually, I rooted and installed JB, because Samsung sure as heck wasn't going to do that. And then, as you venture deeper into the rooting environment, you find out a bunch of hardware/software issues directly caused by Samsung, including but not limited to the EMMC super-brick bug. These security issues in TFA are just more of the same. For me, their handling of their Android phones and my experience with them has tarnished their image across their entire product fleet. Will I buy a Samsung brand washer/dryer? There's a lot of digital tech in even washing/drying machines nowadays. Before this, their name wasn't an issue. Now, maybe I consider some other brand.
the network carriers approve a security patch seems to be a very, VERY, long time!
Do not use ROMs dependent on the carriers.
"any patches [Samsung] develops must first be approved by the network carriers."
Well there's your problem. If I had to call up my ISP every time I wanted to patch Windows I'd be screwed.
When finally rolled out, it wasn't the true Android experience, but some half-baked Samsung-proprietary interface aka "Touchwiz."
Lesson learned: If you want a full-baked true Android experience, always look for the word "Nexus".
PCs don't require the user to bring in the computer to have it reprogrammed to use a different ISP. CDMA2000 without CSIM, the typical setup on U.S. prepaid carriers such as Ting and Page Plus, does.
I still can't use my phone as a WiFi access point without paying an additional $10-$20 per month.
That's an ISP problem more than an Android problem. During this transition from 2G to 3G to 4G-lite,* wireless carriers rely on subscribers not using all their monthly megabytes, and subscribers who use multiple devices on one plan tend to use more megabytes per month than subscribers who do not. Even a phone that obeys its owner (that is, one with a custom ROM) can't hide tethering-like behavior unless you run everything through a VPN. Carriers are reported to use traffic to Internet sites that host desktop OS updates, antivirus updates, and desktop application updates as evidence of tethering. By the time you've paid extra for a higher cap and paid extra for a VPN so that the ISP doesn't see what you're visiting, you might as well have paid for the tethering rider.
* "Lite" because LTE isn't really 4G.
It's currently the trend to throw things out and replace them but it's not particularly environmentally responsible.
I had problems start with my Samsung TV. It would take 10 minutes to turn on. Just sit there clicking on, off, on, off. I called Samsung and it was a known problem. They contacted a local repair shop and had the shop come out to my house and fix it THAT NIGHT. Zero cost to me.
are you one of these crazy old people who still repairs stuff?
I am. I have a ~7 year old Samsung 1600x1200 monitor that still looks nice. I like this form factor, and it's hard to get in these days of HDTV LCDs. Unfortunately, Samsung was known for using shoddy capacitors in that time period, and a few years ago my monitor started blacking out shortly after power up.
I found a video on YouTube where they showed how to fix my exact model, and I fixed mine with $5 of new caps. Now it's still going strong.
I swore off Samsung a few years ago when the 2.5 year old HDTV I had paid $1400 for died, and they wanted as much to repair it as a new TV would cost. Their products are shoddily made, and they don't stand behind them. They could produce the snazziest Jesus phone on the market and I wouldn't touch it with a ten foot poleaxe.
I agree that a TV should not fail after 2.5 years but Samsung's warranty on TVs is for 1 year, similar to all other manufacturers. Name me one TV manufacturer that would fix a 2.5 year old TV for free? You do realize that TVs are deliberately built to last 3 to 5 years? and that it has cost more to repair a TV than buying a new one for the last 10 years or more? and you blame Samsung because you gambled on the manufacturer's warranty and lost?
The warranty period on all electronics has been reduced to save money and cost. It's one of the reasons why SquareTrade has been doing so well. Now, when I buy an expensive piece of electronics (i.e. over $1000) I also buy a SquareTrade extended warranty so that it's covered for at least 3 years. I haven't had to use their services yet, so I cannot comment on SquareTrade's customer service. However, they do have good reviews on Amazon, etc.
The point is that you, as a consumer, are expected to understand the warranty period. If you feel that the warranty period is too short for your investment, then there are options on the market to extend the warranty. Personally, I think that all manufacturers should be forced to support their products for 3 years (I think the EU has this?) but that just isn't the case in the US/Canada.
it would be hard to find someone who does NOT use cheap 'china caps' inside instead of proper panasonic (japan) or nichicon or any of the other *reliable* electrolytic makers.
badcaps.net is informative for those that have not heard of this 15+ yr old problem in the parts industry. worldwide! china fucked the world on this and we're still paying with blown caps on nearly everything that uses them.
buy the parts from known places (digikey, mouser, newark, jameco, etc) and you'll get guaranteed real parts, not fakes. even the vendors who build boards tend to use fake caps (bad formula) and they last about a year before they fail.
--
"It is now safe to switch off your computer."
I had problems start with my Samsung TV. It would take 10 minutes to turn on. Just sit there clicking on, off, on, off. I called Samsung and it was a known problem. They contacted a local repair shop and had the shop come out to my house and fix it THAT NIGHT. Zero cost to me.
Ditto for our 5 year old (at the time) 52" Samsung LCD TV. It wasn't quite the next day, but definitely within a week of us calling them they had a local contractor come by, and he fixed it right in our living room in about an hour, soldering and all. No bill for us, because it was a known capacitor issue, and it's worked great ever since.
That's a big part of why our new 65" LED is also a Samsung :o)
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
Funny how in a thread about Samsung, someone must come out and say "but Apple also sucks" like this then makes it all better.
And comparing Apple to rape is a bit much, isn't it?
And all the idiot moderators that modded this interesting, WTF are you smoking?
"I agree that a TV should not fail after 2.5 years but Samsung's warranty on TVs is for 1 year, similar to all other manufacturers. Name me one TV manufacturer that would fix a 2.5 year old TV for free? You do realize that TVs are deliberately built to last 3 to 5 years? and that it has cost more to repair a TV than buying a new one for the last 10 years or more? and you blame Samsung because you gambled on the manufacturer's warranty and lost?"
In New Zealand, we have a little law called "The Consumer Guarantees Act" which means that even if a manufacturer only puts a 1 year guarantee on a TV, it is expected to last a fair and reasonable time for a device costing upwards of $1000 and that means (in the eyes of the law) ten years. We've just had a washing machine and tumble drier from Electrolux fail after six years and they tried every trick in the book to avoid fixing it (out of warranty, you'll need to pay for it and we might reimburse you some of the cost, even phoning me directly and hassling me) but I stuck to my guns and dealt with the vendor (you don't have to deal with the manufacturer, just the shop that sold you the device) and I waved the CGA under their nose (Harvey Norman aren't known for following the rules either so know your rights) and after much complaint from them, they complied with the law and fixed both free of charge.
Sure, the shops try everything to avoid following the law, but the law exists and you just have to keep reading the clause that says a device should last a reasonable amount of time. They have to fix it if it is a manufacturing or design fault regardless of the length of their warranty. In the case of my Samsung BD player, the CGA meant that after they tried and failed to fix the player I returned it with a letter stating that I rejected the player and my reasons (Samsung screwed the firmware and haven't fixed it) so the shop happily took the player back and swapped it for a Panasonic of equal value (Noel Leeming in this case, much better than Harvey Norman who I no longer shop from due to their repeated attempts to avoid their CGA duties)
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
Then perhaps you should educate yourself first before making allegations that are untrue? Apple has raised working conditions at their factories far above most others.
You can do a simple google search and find articles and interviews where factory workers are bitching about not being able to work overtime - a lot of them work for 3-4 years, and take their savings back to their village and can start their own small business, buy a home, and get married.
Just a comparison - in China, an Apple factory worker makes $350 to $700/month. A computer programmer makes $350/month. A pilot makes $500 to $700/month. Let me repeat that - an unskilled factory worker makes as much as a college educated programmer, or a professional pilot. And you think this sucks for the factory worker how?
As for suicides, these are campus towns. When you have 100,000 people working there, it's larger than a college university. The suicide rates for an average city of 100k people are far above the suicide rates at a 100k people Apple factory/town. Are you under some kind of assumption that in 100k people, there will be zero suicides?
Feel free to use Google and update your knowledge base, so that the next time you want to attack Apple, at least you'd be basing it on facts.