Slashdot Mirror


Certifi-gate: Another Huge Android Vulnerability

An anonymous reader writes: Security research firm Check Point has released information about a new vulnerability called Certifi-gate, which they say compromises the security of hundreds of millions of Android devices. The flaw exists within the mobile Remote Support Tools, which are intended to enable screen sharing and simulated taps for tech support purposes. Unfortunately, the way mRSTs validate the remote operator is easy to exploit. Because the software is designed to allow both monitoring of a device's screen and simulated input, the potential for misuse is quite serious. The flaw was disclosed to manufacturers a month ago. HTC, for one, has confirmed it is already starting to roll out a fix.

69 comments

  1. Enough by nmb3000 · · Score: 4, Insightful

    Certifi-gate

    Okay, y'all have had your fun. Enough of this bullshit.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
    1. Re:Enough by Adriax · · Score: 2

      Still waiting for "NAND-Gate", where some big flash memory manufacturer is caught using another company's designs or something.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    2. Re:Enough by Anonymous Coward · · Score: 0

      Someday... SOMEDAY... there will have been enough vulnerabilities such that they can't make up stupid silly names anymore.

      But they'll probably just name them like movie sequels like "Certifi-gate II".

    3. Re:Enough by rossdee · · Score: 1

      agreed
      Watergate was a hotel, that's no reason to have the -gate suffix to mean a scandal

      And while we are at it, Marathon was a place as well, so there's no need for the charitable -athons

    4. Re:Enough by plover · · Score: 1

      Certifi-gate III: Oh hell no!

      --
      John
    5. Re:Enough by Anonymous Coward · · Score: 0

      On a Plane!

    6. Re: Enough by Anonymous Coward · · Score: 0

      Centrifi-gate II: Electric Exploit Boogaloo!

    7. Re: Enough by Anonymous Coward · · Score: 0

      Certifi-gate II: Certifi-gate harder.

    8. Re:Enough by GNious · · Score: 3, Funny

      yeah, with all the -gate names, it's as if they're having a gate-athon.

    9. Re:Enough by BasilBrush · · Score: 0

      Reason? Language isn't defined by reason. It's evolution. If a word form is popular enough to survive, then it's part of the language. Even if it's entirely unreasonable.

    10. Re:Enough by Anonymous Coward · · Score: 0

      Blame Nixon. He's the one that committed an egregious act so appalling as to allow the Clinton's debauchery to seem petty, when in fact, both are not befitting the office of President of the United States.
      The only thing more tiresome than repeating the same old cliché is having to come up with new words to describe the level of depravity the average rube in America is willing to accept.
      Go ahead and argue about which one of these candidates will fuck up the country less than the last shithead you all loved so much.

    11. Re:Enough by antdude · · Score: 1

      I'm waiting for /.gate. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    12. Re:Enough by znrt · · Score: 1

      agreed
      Watergate was a hotel, that's no reason to have the -gate suffix to mean a scandal

      agreed, 'scandalon' means a stumbling block, that's no reason to use it to refer to human moral misery.

    13. Re:Enough by wardrich86 · · Score: 1

      Let's work to end this crap. We'll call our movement Gate-gate.

    14. Re: Enough by Anonymous Coward · · Score: 0

      Certifi-gate has nothing to do with gate meaning scandal

  2. Confused by koan · · Score: 3, Insightful

    Why is it HTC's responsibility to patch it? Why not a global patch from Android.

    In addition if a car manufacturer knows there is a serious issue with a car and doesn't recall, they are liable for the accidents that happen.
    Why aren't software corps held to a similar standard if security researchers have informed them of the bug.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Confused by timrod · · Score: 4, Informative

      It's not HTC's responsibility to patch all devices. Each manufacturer has a different hardware configuration and usually runs their own "flavor" of Android - HTC's version of Android is different from Samsung's, which is different from Google's. It's not simply a case of Google saying "fix it" and shipping patches to every single Android device out there. Google doing that would be like the Debian group trying to ship Debian patches to Ubuntu - it wouldn't work.

      HTC is merely saying "We're stepping up as soon as possible to patch devices that originated from us, starting with the HTC One M9."

    2. Re:Confused by Gaygirlie · · Score: 1

      Why is it HTC's responsibility to patch it?

      Because the bugs lie in HTC's software and that software is baked in the firmware. While these things are an industry standard practice these days they aren't an Android - standard thing; stock Android, like e.g. the Nexus - devices use, don't have this bug.

    3. Re:Confused by drinkypoo · · Score: 1

      Why is it HTC's responsibility to patch it? Why not a global patch from Android.

      That's an easy one. It's not possible to make a global patch to fix many kinds of vulnerabilities in Android, because there is too much variation between devices. In the case of the libstagefright vuln, libstagefright is custom to GPUs. In the case of this hole, FTFA:

      Vulnerable components of these 3rd party mRSTs are often pre-loaded on devices or included as part of a manufacturer or network provider's approved software build for a device. This creates significant difficulty in the patching process and makes affected components impossible to remove or to work around.

      IOW, the components in question are legion. It is not feasible to release updates to all of them.

      Both my tablet and my phone are vulnerable to the holes in libstagefright. Neither is vulnerable to these so-called "Certifi-gate" (ugh) attacks. It would be interesting to know from someone who has a direct-from-Motorola Moto G XT1063 who is still running any of the stock OTA firmwares whether their device is vulnerable. I am running AOSP, which makes it pretty sad that I have a vulnerable libstagefright, but not surprising.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Confused by koan · · Score: 0

      Wow what a mess, all those variants, all those bugs, yet most people will associate Android as the problem rather than the custom builds.

      Seriously I thought it was one build had no idea it was that varied as I have purchased all my stuff from the Google store.

      --
      "If any question why we died, Tell them because our fathers lied."
    5. Re:Confused by Anonymous Coward · · Score: 0

      > Why is it HTC's responsibility to patch it?

      Because they are using non-stock android.

      > In addition if a car manufacturer knows there is a serious issue with a car and doesn't recall, they are liable for the accidents that happen. Why aren't software corps held to a similar standard ....

      Because you won't pay for it.

    6. Re:Confused by Zero__Kelvin · · Score: 1

      "Why is it HTC's responsibility to patch it? Why not a global patch from Android."

      Oh wait! I know this one! Because there is no company or organization called "Android" behind the Android platform!

      "In addition if a car manufacturer knows there is a serious issue with a car and doesn't recall, they are liable for the accidents that happen. Why aren't software corps held to a similar standard if security researchers have informed them of the bug."

      Oh wait! I know this one too! Because people don't die when the software on their phone crashes!

      How the fuck do you have a 5 digit SlashID, make it all the way to 2015, and not know the simple, real, and obvious answer(s) to these questions?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re: Confused by koan · · Score: 1

      I bought it on eBay?

      U mad bro...

      --
      "If any question why we died, Tell them because our fathers lied."
    8. Re: Confused by Zero__Kelvin · · Score: 1, Interesting

      "I bought it on eBay? ... U mad bro..."

      I actually believe that given your obvious lack of knowledge of even the most basic high technology combined with your juvenile use of the letter U as a substitute for an actual word ... and no, ignorant douchebags who use the non-phrase "U mad bro" don't make me mad; they give me a reason to laugh. I am curious though ... why would I be mad that you are an idiot?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re: Confused by koan · · Score: 0

      Are you related to Zero Cool?

      #1 I buy all my Android items from the Google store, so I was not actually aware there were multiple builds and would not have thought that either because... well it's a messy way to do things.

      #2 I know Android is "Google", but there is a dev team responsible for the Android operating system and in my mind I think of them as "Android", I'll own that one... my bad.

      #3 You state that "Because people don't die when the software on their phone crashes!" well that's true, but I was referring to all software, including that in Jeeps, the botnet that cleaned out your bank account, airplanes, and Michael Hastings' car (oh shit a conspiracy theory now I'm going to hear about it), and frankly there is a lot of damage created by software bugs, and holding the corps responsible might speed up the patch release.

      You chose to use the reductio ad absurdum reply, and that's on you.

      #4 I used to be into all this, and I did a bit of this and that in IT, nowadays I don't give a shit about most of it and so I don't stay on top of things.

      You could say I'm leaning towards Luddite.

      I am pretty old, don't code any longer (thank fucking God) and don't really need to bother myself with most tech other than its use against humans.
      Something I doubt you would grasp due to your youth, and that's a guess based on your posting approach.

      I still read /. because there are articles that interest me, and it's a bit like comfy shoes... you like them even if they smell bad.

      Oh and... it's funny you don't get "u mad bro".

      --
      "If any question why we died, Tell them because our fathers lied."
    10. Re:Confused by 93+Escort+Wagon · · Score: 1

      There are multiple manufacturers of Windows phones - does Microsoft not push patches directly?

      --
      #DeleteChrome
    11. Re:Confused by BitZtream · · Score: 1

      yet most people will associate Android as the problem rather than the custom builds.

      It is an 'Android problem'. Android's wild west landscape of everyone hacking it up however they want is exactly why it's a mess.

      iPhones get updates because Apple told the carriers THEY were providing updates and the carriers have to keep their grub hands the fuck out of it or they don't get the iPhone.

      Google said 'yea, do whatever you want, we don't care just make sure you snare people into using our spyware' and the result is every carrier installs a bunch of buggy crap, every one behaves in new unexpected ways and it's ... well, as you said, a mess.

      I'm fairly certain you've been living in a hole in the sand on some south Pacific island if you've truly never heard about the Android fragmentation problem. Google puts the least amount of effort possible into Android. Android is just a vehicle to get other phone manufacturers to recruit users for Google.

      There's a reason it doesn't cost anything up front. You pay for it repeatedly long term.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    12. Re:Confused by swillden · · Score: 1

      It's not simply a case of Google saying "fix it" and shipping patches to every single Android device out there. Google doing that would be like the Debian group trying to ship Debian patches to Ubuntu - it wouldn't work.

      Especially since in this case Google had nothing whatsoever to do with the problem. This one is entirely a consequence of OEMs adding insecure extensions to the base platform Google provides. Insecure extensions with root privileges, basically.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re:Confused by WoOS · · Score: 1

      Because it is a vulnerability NOT in Android but in 3rd party remote control software installed by HTC. Please RTFA.

      Vulnerable components of these 3rd party mRSTs are often pre-loaded on devices or included as part of a manufacturer or network provider’s approved software build for a device.

      For your car analogy: If "TurboTuning Inc." broke your Chevy while trying to make it able to go 200 mph, would you sue Chevrolet to fix it? Well, obviously in the U.S. ....

    14. Re:Confused by qubezz · · Score: 1

      Yes, Microsoft does update the OS directly without carrier interference when you opt to get insider updates or simply root your phone's registry to masquerade as another device on another carrier. The firmware component still goes through considerable lag and has greater delays, but it is possible to get a Nokia phone and flash it with a de-branded ROM when available for your model and be completely carrier bloat free.

    15. Re:Confused by 93+Escort+Wagon · · Score: 1

      That's what I thought. So why does everyone give Google a pass on this? They're the ones who designed the system.

      --
      #DeleteChrome
    16. Re: Confused by Anonymous Coward · · Score: 0

      Your incorrect use of question mark couldn't have helped, either.

  3. I wish by bobstreo · · Score: 1

    I wish the phone I use was running something newer than 2.3.4.

    HTC updated it ONCE.

    It still works fine, but I probably need to get a new phone.

    1. Re:I wish by Anonymous Coward · · Score: 0

      one long word: Cyanogenmod

      my galaxy s4 not vulnerable

    2. Re:I wish by Gaygirlie · · Score: 3, Interesting

      Have you checked if there are any custom ROMs for it on XDA-forums? I got fed up with these vulnerabilities myself yesterday, what with LG taking a minimum of 6 months to even consider doing anything, and wiped my LG G2 and installed Cyanogenmod on it; no bloat, much slicker, and both this and the Stagefright - bugs have been fixed. I have Cyanogenmod 12 on my aging Galaxy Note, too, that I just have hanging around as a replacement phone should something happen to my G2: Samsung never updated the Note beyond Kitkat and Samsung's own firmware was rife with bugs and god damn that Touchwiz slowed things down, but, again, replacing the official ROM made the device feel like new.

    3. Re:I wish by Noah+Haders · · Score: 1

      one long word: Cyanogenmod

      quoting the comment above: oh hell no!

    4. Re:I wish by viperidaenz · · Score: 1

      +n

  4. That is confusing, who is "Android"? by SuperKendall · · Score: 4, Insightful

    Why is it HTC's responsibility to patch it? Why not a global patch from Android.

    Who is "Android"? Do you mean Google?

    If so, why should they be responsible - after all, HTC is the one who took a build of Android and customized it for your phone.

    In fact between HTC and Google, really HTC *should* be responsible since they are the ones that customized it in a way that you could not just take straight patches from Google.

    The problem is of course, that none of the phone makers are serious about security at all (they are making noises, but I'll bet it's just to placate the howling internet). So not only do they not patch Android themselves, they don't want to do the work to even fold in the fixes Google makes.

    What would be refreshing is to see a handset maker that really took ownership of the whole system. Sure they would build on Android to start, but they could do so much more - they could have their own security QA team looking for problems, fixing what they found and responding to security vulnerabilities even faster than Google.

    They could contribute that work back to Google even, safe in the knowledge it wouldn't even help competitors since they are unable to incorporate Android patches.

    Samsung *could* be that company. It's a mystery to me why they are not... they also are making noises about being serious about security but there has been so much hot air in the past around Google and phone makers cooperating "for real" that I refuse to take any statement at face value.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:That is confusing, who is "Android"? by Zero__Kelvin · · Score: 0

      "Who is "Android"? Do you mean Google?"

      Clearly, you'd be confused even without the confusing statement. He means the Open Handset Alliance. Google is in charge of Google Apps. They are not the controlling and directing interest behind Android (though Android certainly started at Google)

      "What would be stupid, and counter to the whole point of an open software ecosystem is to see a handset maker that really took ownership of the whole system. "

      FTFY. To use a little word play with a popular saying: "There's an Apple for that". You might as well say that what Linux needs is for a single company to have complete control over the entire OS.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:That is confusing, who is "Android"? by viperidaenz · · Score: 1

      Except Google didn't start Android, they bought it...

    3. Re:That is confusing, who is "Android"? by swillden · · Score: 5, Informative

      really HTC *should* be responsible since they are the ones that customized it in a way that you could not just take straight patches from Google.

      It's even more than that, since the security vulnerability in this case was added by HTC. There are no remote support tools in the base Android platform, and therefore no insecure remote support tools.

      No Nexus devices have this problem.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:That is confusing, who is "Android"? by qubezz · · Score: 1

      There are many different backdoors in Android phones, I deodexed my rooted phone and killed off many carrier and vendor (and law enforcement) malware and remoting apks (the kind otherwise hidden and permission-locked) that operate over data, sms and phone connections, but it's almost impossible to know what still is in there in the baseband and core modules unless you have your own cell tower and fuzz everything they can send you. I consider my smartphone permanently rooted, easy to hack, and act accordingly.

    5. Re:That is confusing, who is "Android"? by BitZtream · · Score: 1

      If so, why should they be responsible - after all, HTC is the one who took a build of Android and customized it for your phone.

      Well in this SPECIFIC case, it's HTC software, not Android and not Google software that is insecure, so it truly isn't Google's fault.

      However, this is a rare case where it's HTC/Samsung/Whoever rather than Google. Google on the other hand in most cases is the culprit, and you're not even aware of whose fault it actually is anyway. So let's continue this under the original premise that this is Google's flaw.

      Google bought Android and sold it to these manufacturers as something they could modify and customize ... and you're saying it's someone else's problem that Google sold them a product which technically does what they claim, while at the same time being the worst possible version of that. Yes, you can change it, but it's such a mess structurally that customizations destroy its ability to update.

      Do they really need to learn a thing or two from Microsoft? I'm fairly certain they continue to patch Windows regardless of the fact that it works on basically every x86 machine on the planet, and they somehow seem to provide security fixes to generic parts and even some hardware specific parts ...

      No, it's Google's fault for over promising and under delivering.

      Not to mention that Google makes WAY MORE from Android sales than any of the manufacturers. It's made indirectly through reselling those users as the product to advertisers and data miners, but that's the business plan for Android so pretending it doesn't exist is just fanboyism.

      What would be refreshing is to see a handset maker that really took ownership of the whole system.

      The handset maker you're looking for/talking about is Apple. You don't actually want them to take control though, what you're saying and what you mean are two different things. Apple did exactly what you just said. What you want however, is someone to make a phone specifically tailored to your exact custom needs, but with all the benefits of being a one-size-fits-all device.

      Good luck with that.

      They could contribute that work back to Google even, safe in the knowledge it wouldn't even help competitors since they are unable to incorporate Android patches.

      You want someone else to do Google's work for them? Do you patch Windows for Microsoft too?

      I didn't think so.

      Samsung *could* be that company. It's a mystery to me why they are not..

      It's no mystery. It's not Samsung's responsibility. Samsung makes hardware. Google makes software. Google makes Android, Samsung buys Android from Google. Technically Android has no up front cost, but they don't use just the free bits, do they? They also essentially turn their own customers into a product for Google. That's expensive.

      Why the fuck do you continue to imply Samsung should fix, you're one of those people that thinks someone else should solve all of your problems and you're not responsible for anything, aren't you?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  5. wow the hyperbole by Anonymous Coward · · Score: 0

    It says there's no way to work around it. ..

    But the description says it can only hijack existing sessions.

    Considering the user is likely on the phone with the real support, it'll become extremely obvious what's going on, not to mention the easiest mitigation: don't use the remote assist, or at least not on an untrusted network.

  6. Android update weakness by mcrbids · · Score: 5, Insightful

    I have a pretty decent phone. A flagship phone that's now 3 years old, the Moto Razr Maxx HD. It's a bit long in the tooth, but it still has a sharp, bright screen, decent battery life, and while it's not lightning fast, it does everything I need smoothly and comfortably.

    But Moto doesn't sell it anymore. I'm pretty sure it's EOL anymore, which probably makes me SOL.

    But it keeps chugging on, and as a consumer, short of reading tech sites like /., I would never know that there's any problem at all. Meanwhile, my security keys are being lifted, my email passwords are stolen, and somebody's posting Donkey pictures on my Facebook account and I have no idea how or why.

    But, even if I *weren't* SOL, there's the issue that, while my Linux laptop gets updated daily, and my Windows laptop gets updated weekly, my phone gets updated (perhaps) a few times per year.

    See the problem, yet? We're seeing just the bare beginning.

    The bright boys at Google need to figure out a way to update Android and bypass the carriers, or at least, provide a side-channel way to roll out security updates, or their whole ecosystem will collapse in an orgy of viruses and malware.

    For my next phone, I just might make sure I can run Cyanogenmod on it, if for no other reason than the hope of getting security updates in a reasonable timeframe.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Android update weakness by Gaygirlie · · Score: 1

      Are you sure you can't install CM12 on your current phone? http://forum.xda-developers.co... at a glance seems to offer everything you need. Your phone's specs are mostly similar to my old Galaxy Note's, ie. 720p display, 1GB RAM and such, and my Note certainly got a lot spiffier with CM12 and seems to consume less battery than it did with stock ROMs.

    2. Re:Android update weakness by viperidaenz · · Score: 1

      Looks like it's going to be monthly for Android
      http://www.wired.com/2015/08/g...

    3. Re:Android update weakness by gTsiros · · Score: 4, Informative

      You think you have it bad? My barely two year old xperia z ultra, another "flagship", has already been pretty much abandoned, after releasing a half-assed update to lollipop with many bugs introduced which make you question if they even *have* a QA department (tapping the alarm icon in the status bar, for example, fails to open the alarm app... as it does in kk), I assume to please the masses.

      Their "user forums" are filled with idiots who either can't use their phones or poor sods who face actual problems but more often than not are asked to do a factory reset.

      Android had such potential, but google only needs it to be popular for ad views thus it has become a shit operating system, development cycle and "ecosystem" in general.

      --
      Looking for people to chat about multicopters, coding, music. skype: gtsiros
    4. Re:Android update weakness by Anonymous Coward · · Score: 0

      You realize that rolling out updates (even small ones) requires massive amounts of QA, right?

      Windows has 80% marketshare and business have multimillion/billion dollar contracts with Microsoft to make sure your updates continue to work.

      Unix? I've tried it a few times. Twice have the updates from the official store screwed the video drivers requiring some arcane knowledge to fix. This is what you get from patches that users submit on their free time.

    5. Re:Android update weakness by Anonymous Coward · · Score: 0

      lol, pretty much abandoned and being updated to lollipop are two totally contradictory things.

      Have you considered they removed that function? Looking at

      http://www.gizmobolt.com/2015/03/05/sony-xperia-lollipop-ui-vs-kitkat-ui-comparison-full-lollipop-ui-revealed/

      It seems Sony decided to scale back the customization on the UI...

    6. Re:Android update weakness by phantomfive · · Score: 1

      Unix? I've tried it a few times. Twice have the updates from the official store

      Official store? There is no official store for Unix.

      screwed the video drivers requiring some arcane knowledge to fix.

      Arcane knowledge? If it screwed the video drivers, that means you probably were using proprietary drivers, and the 'arcane knowledge' was "download the driver from NVidia and run the installer."

      --
      "First they came for the slanderers and i said nothing."
    7. Re:Android update weakness by Anonymous Coward · · Score: 0

      You can, but the battery will expand to twice its original size within 3 hours.

    8. Re:Android update weakness by AmiMoJo · · Score: 1

      Fortunately you don't need to worry about this one. It only works if you first install a malicious app, and you can bet that Google can easily scan for and block such apps from Play. In fact even if you install from outside the Play store, Google will scan the binary anyway for known exploits.

      Your phone is fine, no need to panic. The story vastly exaggerates the danger in order to sell some crappy anti virus software you don't need.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Android update weakness by Anonymous Coward · · Score: 0

      Please don't compare this to windows. For all of its flaws, you can count on 10 years or more security fixes from Microsoft. And this problem with OEM and carrier customization is a problem of Google's own making. They decided that the best way to compete was to drop their pants and let every vendor fuck with their product. They made a deal with the devil to gain market share and now the bill is due.

    10. Re:Android update weakness by Anonymous Coward · · Score: 0

      Those so called "bright boys at Google" are the dumb shits that carpet bombed the world with an insecure, unpatchable mess called Android.

    11. Re:Android update weakness by gTsiros · · Score: 1

      nevermind, they are rolling out 5.1 for the z ultra these days

      maybe there is hope for sony after all

      --
      Looking for people to chat about multicopters, coding, music. skype: gtsiros
    12. Re:Android update weakness by tlhIngan · · Score: 1

      Looks like it's going to be monthly for Android

      For what phones?

      I mean, remember, Samsung released 2-3 phones a week (and a tablet a week) - around 120-odd phones and 54 different tablets in 2014 alone.

      Are you telling me that every month Samsung is going to issue the better part of 200 software updates? Or more likely, they're just going to update maybe 5 of those phones monthly and the rest are screwed?

      LG isn't quite so bad, but there are still a large number of their phones out there.

  7. Not another security breach by Anonymous Coward · · Score: 0

    Yo Damn, deez companies can't keep they data together. How many o' dem simply don' update they security patches? is dere really dat many new ways ta hack?

    Can anybody from da security field say whether mo' or from failure ta patch or from new ways o' attacking? It seems ta be getting worse.

    ah share muh daqta as little as ah can now.

  8. At this rate... by Anonymous Coward · · Score: 0

    My next phone might be an apple. I need to go scrub myself now...

    1. Re:At this rate... by Anonymous Coward · · Score: 0

      I have a cheap Chinese phone, but it isn't susceptible to this.
      It's also running android 5.1, which I suspect is more up to date than most of the recent flagship models people are always going on about.

  9. Google has no clothes by Anonymous Coward · · Score: 0

    and Android has failed. I have three Android, all very different. This is insane. I am moving to the dark side (Apple).

  10. More like an advertisement than a factual story! by Dr_Marvin_Monroe · · Score: 2

    This should prob. have been an interstitial ad instead of a story!
    What exactly is going on? Is it a problem with the installed certificates? Weakness in the tools? Which ones are effective and which are weak? How can I determine if my Android has this crapware installed?

    How did the moderators decide to let this story through?

    The links provide nothing more than a security scanner! There are no specifics other than 'Google is working with OEMs...'. So what? How about providing some information I can use....not ads that are designed to look like news stories.

  11. Android support durations by Ronin441 · · Score: 1

    As always with Android support durations: Android Support vs iOS Support which is in turn an update of Android Orphans: Visualizing a Sad History of Support

    It's not that iOS is good -- compare it to how long Microsoft support a Windows version. It's that Android OEMs are shocking.

  12. Obviously Not A Big Deal by Anonymous Coward · · Score: 0

    Security research firm Check Point has released information about a new vulnerability called Certifi-gate

    Well then clearly it isn't that big of a vulnerability, since they felt the need to use the -gate suffix. The only people who use -gate do so because they know the thing they are talking about won't stand on its own merits.