Slashdot Mirror
Security-Focused BlackPhone Was Vulnerable To Simple Text Message Bug
mask.of.sanity sends this report from El Reg: The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.
The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.
The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.
Why are they still using C to deal with network protocol? Is the performance so critical that it's worth all the troubles?
Any high school student could have written this library in Java or something higher-level, running on JVM with all the strict rules and redundant checks everywhere, and without any need of special care for nasty security issues like that (unless VM itself is faulty, but it wouldn't concern app makers).
It might end up 10x slower and consume 10x more memory - but who cares? you have 4GB RAM on phones now, and 4 cores x 2GHz CPUs!