Android Master Key Vulnerability Checker Now Live

← Back to Stories (view on slashdot.org)

Android Master Key Vulnerability Checker Now Live

Posted by timothy on Thursday July 11, 2013 @02:13AM from the free-anonymous-testing dept.

darthcamaro writes "Last week, Rain Forrest Puppy (aka Jeff Forristal) first disclosed the initial public report about an Android Master Key flaw. Code was released earlier this week for attackers to exploit the flaw — but what about users? Google has claimed that it has patched the issue but how do you know if your phone/carrier is safe? Forristal's company now has an app for that. But even if your phone is not patched, don't be too worried that risks are limited if you still to a 'safe' app store like Google Play. 'The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application. "It all comes down to where you get your applications from," Forristal said.'"

76 comments

Min score:

Reason:

Sort:

Even the Android fanboys know by MoronGames · 2013-07-11 02:16 · Score: 3, Insightful

That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!

--
hey!
1. Re:Even the Android fanboys know by h4rr4r · 2013-07-11 02:25 · Score: 3, Interesting
  
  1. People seem to not care. This is why I only buy Nexus devices though.
  2. Totally correct.
  I wish google would use their leverage over the android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it you would be in the same boat there.
2. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 02:33 · Score: 0
  
  Wait. So 'open' isn't automatically, and innately good? The ability to side-load apps has its own, unique dangers?
  Wow. It's almost like the iOS users actually knew what they were talking about!
3. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 02:37 · Score: 0
  
  From TFS:
  
  But even if your phone is not patched, don't be too worried that risks are limited if you still to a 'safe' app store like Google Play.
  What language is this in?
4. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 02:45 · Score: 0
  
  My old Nexus One on factory reset (back to 2.x) is now currently running the newest Google Play store application without me needing to do anything asides from connecting to the Internet and waiting a few minutes. This means I'm protected because this master key business as this is a Play Store issue.
  Individual applications are updated individually and do not require a complete OS upgrade. What kind of stupid assumption / design would you have if you needed to use the system-wide/OS patcher for a bug in a single application? Oh wait, never mind.
5. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 02:48 · Score: 0
  
  That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!
  Troll. Google is patching this via the play store, bypassing the carriers. Even phones that will never see another carrier update will get this patch, if they don't already have it.
6. Re:Even the Android fanboys know by jeffmeden · 2013-07-11 02:51 · Score: 1
  
  1. People seem to not care. This is why I only buy Nexus devices though.
  2. Totally correct.
  I wish google would use their leverage over the android trademarks, not the software, to force updates for X amount of time and a longer amount of time for security patches. The real issue here is the whole carrier model. If you bought your PC from your ISP and they provided all the software for it you would be in the same boat there.
  Except, that is exactly what Google is doing. This vulnerability is being patched by pushing updated apps directly to the phones via the shadowy Google "remote control", and the carriers don't need to do anything about it. My handset was patched as soon as the Google updates started rolling out, and my carrier could care less.
7. Re:Even the Android fanboys know by h4rr4r · 2013-07-11 02:56 · Score: 1
  
  I more meant for vulnerabilities in the phones non-writeable partitions. /system is normally mounted read only. So if you need to patch something more basic to the OS, I would assume a carrier would be standing in the way.
8. Re:Even the Android fanboys know by h4rr4r · 2013-07-11 03:00 · Score: 1
  
  So the mere risk of something bad happening means you have to give up control to someone else? It's almost like personal responsibility is totally dead!
9. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 03:05 · Score: 0
  
  I more meant for vulnerabilities in the phones non-writeable partitions. /system is normally mounted read only. So if you need to patch something more basic to the OS, I would assume a carrier would be standing in the way.
  Not that it is impossible, but it has yet to happen which makes the hubbub about slow OS-level updates rather overblown.
10. Re:Even the Android fanboys know by h4rr4r · 2013-07-11 03:09 · Score: 2
  
  What do you think root exploits often are?
  Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them their is a shiny bunny or sexy woman in the application.
11. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 03:12 · Score: 0
  
  That most phones that are "in the wild" will probably never receive this patch unless they are current flagship devices. That said, do not download things from untrusted sources! That goes for not only smart phones, but computers as well!
  Troll. Google is patching this via the play store, bypassing the carriers. Even phones that will never see another carrier update will get this patch, if they don't already have it.
  Idiot. The bug is that a malicious application can inject their own code (or data, or whatever) into an already installed application. The APK's cryptographic signature would then be invalid because the contents have been altered, but the OS doesn't actually recheck before executing.
12. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 03:13 · Score: 0
  
  Yes, removing training wheels have its own, unique dangers.
  It doesn't mean welding them on is best idea ever.
13. Re:Even the Android fanboys know by RaceProUK · 2013-07-11 03:26 · Score: 0
  
  Engilsh
  
  --
  No colour or religion ever stopped the bullet from a gun
14. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 03:38 · Score: 0
  
  What do you think root exploits often are?
  Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them their is a shiny bunny or sexy woman in the application.
  Yes, but my question was where are these root exploits that are going unpatched at the OS level? Sure, it would be "Better" if any vulnerability at any level were able to be reliably patched very close to the moment of discovery, on any affected device. The reality is much different, obviously, and that leads us to judge design by way of performance. And to that end, the security of Android has performed very well, considering the distinct lack of "wildfire exploits" akin to what we see in the PC realm.
15. Re:Even the Android fanboys know by h4rr4r · 2013-07-11 03:46 · Score: 2
  
  RageAgainsttheCage was one it, used an adb setuid exhaustion attack, and there was a udev exploit. These were patched in AOSP a long time ago, but some devices never got updates that closed these holes.
  The android app store keeps these things from being put in apps from there, but nothing stops them from ending up in alternative (read pirate) app stores.
  Sure the fact that most people never enable third party apps and stick to the google store keeps them mostly safe. It simply would be better to go ahead and patch the devices as well.
16. Re:Even the Android fanboys know by sjames · 2013-07-11 03:46 · Score: 1
  
  With great power comes great responsibility.
17. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 03:46 · Score: 0
  
  My Nexus 7 is unpatched/vulnerable and there are no system updates available for my tablet so it is up-to-date.
18. Re:Even the Android fanboys know by h4rr4r · 2013-07-11 03:50 · Score: 1
  
  You are basing this on what exactly?
  What OS version are you running?
19. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 03:58 · Score: 1
  
  I am basing the fact that I am vulnerable on the Bluebox Security Scanner app linked in this article. My Nexus 7 is running Android 4.2.2
20. Re:Even the Android fanboys know by Dishevel · 2013-07-11 03:59 · Score: 1
  
  What do you think root exploits often are?
  Any APK could contain one and use that to do anything it likes. The only trick would be getting users to install it. Which for most users just means telling them their is a shiny bunny or sexy woman in the application.
  I am very ok with those people getting infected.
  
  --
  Why is it so hard to only have politicians for a few years, then have them go away?
21. Re:Even the Android fanboys know by Beardo+the+Bearded · 2013-07-11 04:08 · Score: 1
  
  Your smart phone IS a computer, FFS.
  My new G3 has a dual-core 1.5GHz processor, 2G RAM, and 80G of SSD on a 720-line display.
  My old netbook has a dual-core 1.5GHz processor, 2G RAM, 256 SSD and a 600-line display. (Until a month ago, it was my primary computer.)
  They both run Linux (CM and Ubuntu, respectively). They both play movies. The phone will play better games than the netbook. I can carry the phone around and have it track my bike rides and runs.
  They aren't phones. They're socially acceptable computers that happen to be able to make phone calls. We figured out what, 20 years ago, that if you DL ph@t w@r3Z... half the time it's real, half the time it's a virus.
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
22. Re:Even the Android fanboys know by Beardo+the+Bearded · 2013-07-11 04:09 · Score: 1
  
  Sexy bunny woman? Where do I click?
  WHAR LINK WHARE?
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
23. Re:Even the Android fanboys know by somersault · 2013-07-11 04:13 · Score: 3, Funny
  
  It's in a dialect of English usually known as Careless Autocorrect
  
  --
  which is totally what she said
24. Re:Even the Android fanboys know by Beorytis · 2013-07-11 04:35 · Score: 1
  
  That said, do not download things from untrusted sources!
  
  Especially a thing claiming to be "Vulnerability Checker".
25. Re:Even the Android fanboys know by Anonymous Coward · 2013-07-11 04:40 · Score: 0
  
  My Nexus 4 is unpatched (and has the latest OTA update), so I'd say good luck to anyone who thinks they might have a patch... if I don't, who the hell does?
26. Re:Even the Android fanboys know by h4rr4r · 2013-07-11 05:33 · Score: 1, Insightful
  
  That hot coffee lawsuit was not frivolous. This is an urban legend, they had been cited many times since it was too hot to safely drink. She suffered serious burns and required skin grafts.
  Personal health insurance mandates are personal responsibility. You not having insurance and using the ER then skipping on the bill costs me and other insured folks money.
  Unemployment does not last forever, and employed folks are paying for it. I sure as hell expect to be able to collect from an insurance policy I buy.
27. Re:Even the Android fanboys know by Rob+Y. · 2013-07-11 08:35 · Score: 1
  
  Ditto. My Nexus 4 has never received an OS update (unless it does this silently, which My old Nexus One never did).
  Anyway, it's running 4.2.2 with a build date back in January.
  
  --
  Posted from my Android phone. Oh, I can change this? There, that's better...
28. Re:Even the Android fanboys know by Rob+Y. · 2013-07-11 08:37 · Score: 1
  
  That said, and even though I'm rooted (hey, is that why I haven't gotten any updates - I'm still on the stock ROM), I don't believe I've been hit by this exploit. Has anyone?
  
  --
  Posted from my Android phone. Oh, I can change this? There, that's better...
29. Re:Even the Android fanboys know by bill.e.gloat · 2013-07-12 00:17 · Score: 1
  
  I only ever install from the Play Store with the single exception of the Avast Anti-Theft app. While Avast AV itself comes from the Play Store, I have to enable the option for downloading from untrusted sources to get the Anti-Theft portion. Why is that? (It seems poor design, but I assume there's a good reason.) I figure that if I trust Avast for AV than I should be able to trust their instructions for Anti-Theft. I always disable the untrusted sources feature immediately after the install/update, but I still wonder if I'm vulnerable during that time. Can other apps already installed leverage that window for malice?
30. Re:Even the Android fanboys know by Dishevel · 2013-07-12 03:19 · Score: 1
  
  It was frivolous. People got that coffee BECAUSE it was that hot. We got it because it lasted the commute. I knew it was really fucking hot. It was not her first time getting coffee there. She made the decision to purposely buy that coffee having already known how hot it was. They coffee temperature did not come as a surprise to her. If I buy something that I know is really hot and decide to buy it anyway then I spill it, it would be my fault. Only in the last 20 - 30 years have we been so ingrained as a people that we are responsible for nothing that happens in our lives.
  
  --
  Why is it so hard to only have politicians for a few years, then have them go away?
31. Re:Even the Android fanboys know by h4rr4r · 2013-07-12 03:24 · Score: 1
  
  The coffee was undrinkable, it would have cooked your insides.
  You can't sell a product not fit for purpose. Personal responsibility would have been McDonalds covering all her bills and giving her a nice settlement with no lawsuit. Instead McDonalds wanted someone else to cover their debts.
32. Re:Even the Android fanboys know by Dishevel · 2013-07-13 05:15 · Score: 1
  
  So you are saying that she did not ever have McDonalds coffee before? That she had no knowledge of the fact that their coffee was considerably hotter than that sold by most other chains? Or. Are you saying that regardless of the fact that she made an informed decision, it still must be the rich guys fault.
  
  --
  Why is it so hard to only have politicians for a few years, then have them go away?
Is there an App to check for bogus APKs? by Jah-Wren+Ryel · 2013-07-11 02:17 · Score: 1

For people who are stuck with vulnerable phones it should be possible for an app to scan the .apk you are considering side-loading and checking if it is a trojan using this particular vulnerability.

--
When information is power, privacy is freedom.
1. Re:Is there an App to check for bogus APKs? by Jerry+Atrick · 2013-07-11 02:27 · Score: 2
  
  It should be easy to catch the package installed/updated broadcast and intercept exploits immediately after they install but before they can execute. About 20lines of Java should do it.
  The other interesting aspect of this exploit is you could automatically strip the malware payload and recover the safe, original apk, or a close enough facsimile of it.
2. Re:Is there an App to check for bogus APKs? by Anonymous Coward · 2013-07-11 02:38 · Score: 0
  
  I suspect Google already does this if you choose to use their built in APK scanner.
3. Re:Is there an App to check for bogus APKs? by Jerry+Atrick · 2013-07-11 03:58 · Score: 1
  
  If they have any sense the built in scanning will detect the malformed APK before allowing it anywhere near the installer service... it is trivially easy to detect.
4. Re:Is there an App to check for bogus APKs? by raburton · 2013-07-11 04:33 · Score: 1
  
  I would assume opening the file in your favourite zip tool and checking there is only one classes.dex file should be sufficient.
5. Re:Is there an App to check for bogus APKs? by Anonymous Coward · 2013-07-15 13:35 · Score: 0
  
  norton halt.
Master key? by synackpshfin · 2013-07-11 02:19 · Score: 1

I have no idea what the mentioned 'master key' is supposed to be.
AFAIK the actual exploit is using duplicate filenames which aren't checked against hashes upon installation of apk...
1. Re:Master key? by Andy+Dodd · 2013-07-11 02:23 · Score: 3, Informative
  
  That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.
  Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.
  
  --
  retrorocket.o not found, launch anyway?
2. Re:Master key? by jeffmeden · 2013-07-11 02:56 · Score: 2
  
  That was the word Bluebox used to describe it... Honestly, their original press release blew this way out of proportion.
  Most Android devices now have support for scanning of sideloaded APKs for Malware now (it's a Google Play service), and I'm assuming that while a week or two ago that detector wasn't configured to detect this exploit, it almost surely does by now.
  Why should that get in the way of a good story? "Master key" sounds like something that will grant anyone access to your device, any time they want, without your permission, and plays so well with the "Android devices take months/years to get patched" meme. Which is all much more salacious than the reality, considering that only apps intentionally sideloaded by the user (After deactivating the default protection) can run with unchecked permissions, IF you havent gotten the Google Play Store updates yet, which are pushing out with quite rapid speed.
3. Re:Master key? by chowdahhead · 2013-07-11 09:20 · Score: 1
  
  My understanding is that the Play store was patched, so this vulnerability can't be exploited for apps uploaded to and downloaded from there. The AOSP patch addresses the part of Jellybean that verifies the cryptographic signature of sideloaded apps. That has to be updated on the device end--it's the "Verify Apps" option in the security menu. It's not part (yet?) of Google Play Services; it works without GApps installed. However, if you don't download .apk's from the internet, which 99.9% of people don't do, then it's immaterial whether your device is patched because that function isn't being used anyway. So you're absolutely right that it was blown out of proportion.
4. Re:Master key? by Andy+Dodd · 2013-07-12 06:17 · Score: 1
  
  " The AOSP patch addresses the part of Jellybean that verifies the cryptographic signature of sideloaded apps. That has to be updated on the device end--it's the "Verify Apps" option in the security menu."
  Nope. Those are two separate things. The "Verify Apps" operation applies some or all of the same Play Store checks to sideloaded apps, and I believe is only available with gapps installed (I'll poke at that this weekend.)
  The signature verification is part of the core Android system (even without gapps) and has been since long before that "Verify Apps" feature existed.
  If the signature verification vulnerability is patched on a given device, the "verify apps" and Play Store scanning becomes unnecessary (but still a good idea for defense in depth)
  If the signature verification vulnerability is not patched on a given device, the "Verify Apps" function should still act as a line of protection for sideloads.
  
  --
  retrorocket.o not found, launch anyway?
risks are limited if you still to a by Anonymous Coward · 2013-07-11 02:25 · Score: 0

"don't be too worried that risks are limited if you still to a 'safe' app store like Google Play"
It's like I'm in third grade all over again. Thanks, Slashdot!
MITM by SirJorgelOfBorgel · 2013-07-11 02:28 · Score: 2

I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:
http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885
I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with checksum gotten from the HTTPS API, but somethow I doubt it.
1. Re:MITM by Anonymous Coward · 2013-07-11 02:55 · Score: 0
  
  I tried Googling this issue, and I couldn't find any sources to back it up. Seems like someone would have mentioned it...
  Just tried adding a block on HTTP and play.google.com to my router and nothing seems to have changed.
2. Re:MITM by Applekid · 2013-07-11 03:14 · Score: 1
  
  I'm not sure if this is still true, but I do know that last week the Play store was still using HTTP downloads for the actual APK files instead of HTTPS (even though the API calls do use HTTPS). As such, even downloads from Play may be susceptible to man-in-the-middle attacks. I can't possibly explain it better than this group of comments:
  http://it.slashdot.org/comments.pl?sid=3950207&cid=44220885
  I'm not saying it's likely - but it doesn't seem impossible either. Seeing as it will be a long time before the average Android user will be running a phone with this patch, I would call "crisis averted" too soon. Of course, we don't know if the complete HTTP download is still verified with checksum gotten from the HTTPS API, but somethow I doubt it.
  A feature at the request of the NSA or your local union spook agency.
  
  --
  More Twoson than Cupertino
3. Re:MITM by PNutts · 2013-07-11 11:30 · Score: 1
  
  I tried Googling this issue, and I couldn't find any sources to back it up. Seems like someone would have mentioned it...
  Try Bing. ;)
Re:Guarrantee by Anonymous Coward · 2013-07-11 02:30 · Score: 0

i agree one hundred percent/ its gonna be a long time untill i feel safe again
The real problem still remains by Anonymous Coward · 2013-07-11 02:38 · Score: 0

The real problem here remains unsolved, which is the way that any app can be cracked open using ApkTool, messed with in creative ways, then packaged again and signed with the crackers own keys. It's pretty unbelievable how straightforward and robust this works out with most any app from Play Store or wherever, paid or not.
1. Re:The real problem still remains by Knuckx · 2013-07-11 02:56 · Score: 1
  
  And what prevents you from doing this with any executable file format, be it APK, EXE, ELF or JAR? Diassemblers, unpackers and resource editors exist for all of those file formats. If you can run it, you can edit it, unless the format/architecture is totally undocumented.
2. Re:The real problem still remains by Jerry+Atrick · 2013-07-11 04:07 · Score: 1
  
  The signing isn't meant to stop that, it's meant to stop updates to installed apps being replaced by malware. Re-signing won't let you update an installed app, you have to trick the user into uninstalling first. Which usefully can't be done for system apps by non-rooted users. Can't directly be done by any user.
  Ultimately all signing does is verify that your still dealing with the packager of the existing installed copy. The chain of trust still depends on trusting the first install, with this bug you're now reliant on checking each update hasn't been tampered with as well as checking the signature is the same. Good thing its so easy to spot tampering.
Conflict of interest? by 140Mandak262Jamuna · 2013-07-11 02:56 · Score: 1

So this flaw affects mostly app stores competing with Google marketplace. Not fixing this bug would give an edge to Google's marketplace. Though it is orders of magnitude different, this was similar to a situation early in the days of IE-vs-Netscape fights in the early days.( IIS and IE would work around each other's bugs making other web servers and browsers appear to be broken). How is Google handling it?
In some strange way Google is having the cake (open and competing app stores, instead of the total lock down on the Apple-iOS side of things) and is eating it too (its app store is less vulnerable than its competition due to its own bugs).
In the long run, having reliable and competent competition is what going to create lasting value to the customers, keep Google on its toes and keep it nimble. So if Google is really not evil and if it is interested in long term success, it should not take short cuts to maintain an edge over competing app stores. Hope it does.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:Conflict of interest? by Anonymous Coward · 2013-07-11 03:11 · Score: 0
  
  Not fixing this bug would give an edge to Google's marketplace
  I'd say fixing it does too. What will users remember after this issue is fixed?
  I bet the TL;DR version will be "use only Google Play."
2. Re:Conflict of interest? by Merk42 · 2013-07-11 03:14 · Score: 1
  
  The flaw doesn't affect 3rd party app stores any more than it does Google's. The issue is that an app store could host an app that takes advantage of said bug. As the Play Store is the most trustworthy to not do this, it is the recommended store.
Permissions by 8Complex · 2013-07-11 03:10 · Score: 0

Simple enough, if your app knows what it needs to do, there is no need for "Full Network Access". I smell scam app.
1. Re:Permissions by BasilBrush · 2013-07-11 03:40 · Score: 0
  
  Android is a phone for ordinary consumers. 13 year old girls, middle aged builders, grandparents, everybody. Do they all know that "Full Network Access" is a clue that it might be a scam app?
2. Re:Permissions by Beardo+the+Bearded · 2013-07-11 04:22 · Score: 1
  
  A lot of people don't read that.
  My co-worker has a taxi company's app. They want full permission for everything. I didn't load it.
  https://play.google.com/store/apps/details?id=com.appbuilder.u66459p124918
  Same with the Cineplex app. Way too many permissions for something that's just showing a ticket:
  https://play.google.com/store/apps/details?id=com.fivemobile.cineplex&hl=en
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
3. Re:Permissions by Anonymous Coward · 2013-07-11 05:09 · Score: 0
  
  Isn't it disturbing that to point out issues like in the comments, one actually has to install (or at least "send" it to install -thinking I got around that once by turning off the tablet, making the comment, then somehow canceling the installation...) the app. So much for "peer review" if negative.
4. Re:Permissions by Miamicanes · 2013-07-11 06:31 · Score: 2
  
  > Simple enough, if your app knows what it needs to do, there is no need for "Full Network Access". I smell scam app.
  Or an app that, like 98% of the free apps in Android Market, embeds Google's ads in the app. Then it needs full network access, coarse location, and read phone state & identity, among other things. It's the killer flaw in Android's permissions system... to serve ads from any common ad network, you have to practically give the app complete access to everything.
  Instead of embedding ad-handling into apps, ad-supported apps should require the installation of a content-provider app for the ad network (common to all apps using it) as a prerequisite, register itself with Android as an ad service provider, then allow apps declaring a permission like "Communicate with Advertising Service" to blindly embed content from that service provider into the app as a black box that the app itself can't influence or communicate with (so an app can't try to leak user information back to its own servers using the ad network as a backdoor). THEN, we could have apps with no app-related need to access the internet that declared only "Communicate with Advertising Service" as a permission, and a separate set of permissions for the Android-firewalled adserver content provider that would be unable to communicate directly with the ad-displaying app.
CM 10.1.1 by Riddler+Sensei · 2013-07-11 03:24 · Score: 2

For those running Cyanogenmod this has been patched in 10.1.1.
1. Re:CM 10.1.1 by Miamicanes · 2013-07-11 06:19 · Score: 1
  
  Here's the scary part -- 10.1.0rc5 is STILL the latest non-nightly build you can get for d2att (AT&T Galaxy S3), and it's ABSOLUTELY still vulnerable. I just ran the checker app now. :-(
2. Re:CM 10.1.1 by Riddler+Sensei · 2013-07-11 06:27 · Score: 1
  
  Huh, are these d2att stable builds not what you're looking for?
It is about the appstore you use. by briancox2 · 2013-07-11 03:29 · Score: 2

If it's about the appstore you use, then F-droid has a leg up. Unlike Google's, everything on F-Droid has had human eyes look at what it does.

--
We should learn what we need to know about issues, before we decide what we need to feel about them.
1. Re:It is about the appstore you use. by Anonymous Coward · 2013-07-11 05:05 · Score: 0
  
  everything on F-Droid has had human eyes look at what it does.
  With zero guarantee anyone besides the auhtor(s) have actually checked the code line by line.
2. Re:It is about the appstore you use. by briancox2 · 2013-07-12 03:52 · Score: 1
  
  While the only guarantee on Google's is that no one has checked a single line of the code, besides the author.
  
  --
  We should learn what we need to know about issues, before we decide what we need to feel about them.
Split-screen by tepples · 2013-07-11 08:11 · Score: 1

I agree that an Android smartphone is a personal computer. But when you plug your smartphone into an HDMI cable, how many windows can you keep open on the screen at once? Like you, I own an Android device and an Ubuntu netbook, in my case a Dell Inspiron mini 1012. When I'm programming on my netbook while riding the bus to and from work, I routinely split the screen down the middle to see the source code on the left and the output, another source code file, or documentation on the right. I imagine that even non-programmers find it useful to see both the document you're referring to and the document you're writing. But Google has strongly resisted any sort of split-screen feature in stock Android.
1. Re:Split-screen by Anonymous Coward · 2013-07-11 12:10 · Score: 0
  
  I agree with you. An Android smartphone is a personal computer with a shitty OS.
Establishing trust through SSL CAs by tepples · 2013-07-11 08:19 · Score: 1
The chain of trust still depends on trusting the first install
There are ways to establish trust for the first install even if it is not from Google Play Store. For example, if I download the APK of VLC from https://www.videolan.org/ then I'm piggybacking on the SSL CA infrastructure, which assures me of one of the following:
- A. The APK is authentic.
- B. Somebody compromised www.videolan.org and uploaded a trojan.
- C. A man in the middle compromised the private key of www.videolan.org and my Internet connection.
How likely are the scenarios other than A?
Privately by tepples · 2013-07-11 08:40 · Score: 1

People who choose not to install can always contact the application's developer privately.
Permission rationales by tepples · 2013-07-11 08:46 · Score: 1

Most of the permissions on the Cineplex app are perfectly justifiable. "Full network access" is needed to contact the payment processor and venue to buy your ticket. "Add or modify calendar events" is to remind you when the event for which you bought a ticket is about to occur. "Take pictures and videos" appears to be needed for scanning barcodes on tickets and related documents. And perhaps "precise location" is used for getting directions to the venue. My only suggestion is to make Google Play Store require the application publisher to add an explicit rationale for each permission it uses.
F-Droid, games, and anti-features by tepples · 2013-07-11 08:55 · Score: 1

According to this post, using any of the anti-features will hide an application from most users. How should one fund the development of, say, a video game to be distributed to users who have switched to F-Droid without putting in ads (which requires the "Ads" anti-feature) or charging for mission packs after the first (which requires the "NonFreeAdd" anti-feature)?
so in other words... by Anonymous Coward · 2013-07-11 21:35 · Score: 0

So the comment you quote essentially says that unsecured downloads from untrusted locations are not secure and should not be trusted. Who would have thank. News at 11.