Android Lollipop Can Be Hacked With Very Long Password

Complex passwords are the way to beat some attacks, but for phones running the latest version of Android, that's not necessarily so: puddingebola writes with an excerpt from an article at CNN: Locked phones require a passcode. But there's a way to get around that. Just type in an insanely long password. That overloads the computer, which redirects you to the phone's home screen. It's a time-consuming hack, but it's actually easy to pull off. In a report published Tuesday, computer security researcher John Gordon documented the vulnerability and posted a video of the hack. It only affects smartphones using the latest version of the Android operating system, Lollipop.

Article is bullshit

[bluefoxlucid]

That's impossible. It's Java! Java can't have security holes! Everyone knows you don't write C because C has buffer overflows and can cause security problems when you paste in very long strings, and that NEVER happens with Java! Java is perfect! Everything you write in Java is perfectly secure! Ask any Java programmer!

Re:Article is bullshit

[Kkloe]

maybe they are trying to enter the weight of your mom

still not having to worry about memory management beats any language nowadays, we are making enough powerful computers nowadays to run a machine in a machine in a machine

Re:Article is bullshit

[benjymouse]

Nothing to do with java. Buffer overflows are quite possible with java, but this problem has everything to do with shitty coding, not the implementation language.

No, but this problem has everything to do with shitty operating system design. The login "screen" should not just be an application that maximizes it's screen to cover the UIs of all other application. That is a naïve implementation, and it opens the supposed security feature up to all kinds of attacks, including shatter attacks and more. Not to mention that an application crash will cause the OS to clean up and close the "blocking" window.

Google should take a cue from Windows and make the login screen a totally separate "desktop" which is completely isolated from the "user" desktop. Switching between the two should be a privileged operation, one that can only be executed by trusted login applications. This way a mere exception will not cause the "login" program to crash, close and reveal the user desktop.

Re:Article is bullshit

[Greyfox]

Java was supposed to protect you from shitty coding. "Oh, use Java," they said, "and you'll never have to worry about memory management or buffer overflows again!" It's true. They said that. They said you could write your program once and run it everywhere. They said you could use Java and hire chimpanzees to do you programming for you.

All those promises only turned out to be true-ish. The chimpanzee quota for most teams actually remained fairly consistent. Turns out a lot of companies were hiring chimpanzees before Java came along. Some of the chimpanzees tried to use Java for system-level programming, and it turned out to not be very good at that. While it was technically true that you didn't have to worry about memory management anymore, if you didn't, you mostly handled your server running out of memory and crashing every few days by rebooting it every couple of days. Logs became a morass of unhandled and permanently ignored exceptions. I often start a new job, look in their logs directory and find gigabytes of exceptions that no one ever looked at.

But you know, it's still better! Because now instead of most programs being giant masses of functions that reimplement system API commands and never take responsibility for any action, they're now giant masses of objects that reimplement system API commands and never take responsibility for any action. Some of them just pass messages around from service to service, none of which anyone truly understands since the system designer was laid off years earlier.

Arguably yeah, implementation language doesn't make a difference. All those teams could have written shitty code and poorly designed systems no matter what language they were using. The implementation language just makes it easier to operate without any discipline and maintain the illusion that they're competent at what they're doing.

Re:Article is bullshit

[gnupun]

It's Java! Java can't have security holes!

Java is just a middle layer. Ultimately, the Java code will have to call native C code, where a buffer overflow is most likely occurring. So the flaw is still in C. Or it could be a poor implementation of Java. Either way, it's not Java's (the language, not implementation) fault.

Re:Article is bullshit

Windows' login screen isn't on a separate desktop. It's the only desktop.

The boot process hands control to the kernel loader (ntldr), which starts the kernel (ntoskrnl and kernel32), which starts the service control manager (scm), which starts winlogon.exe, which calls security account manager (sam) to authenticate and then spawns instances of the local security authority (lsass) for each user that logs on. The lsass process, in turn, hosts virtual desktops for the user. Usually there are 2 virtual desktops per user: the regular visible one and the "secure" one that is only used for UAC prompts. Everything within those virtual desktops runs at the mercy of lsass.

So you basically have the right idea, but described it the way Unix-based systems do it. Instead, Windows' nested/hosted startup process requires less plumbing than the method you describe. You don't need to protect the log-in program from "untrusted" execution if it's only allowed to run once (a simple mutex can handle enforcement) and it runs from boot and hosts everything in userspace. It's basically the kernel's userspace process supervisor.

Re:Article is bullshit

[TuringTest]

But logging into the shell is an OS-level function.

Re:Article is bullshit

I want to see a useful language with automatic bounds checking that still compiles to native code. That anyone actually uses, so it has some kind of community built around it. That was well designed, not faddish, and not pushed by corporate marketing like Java was.

https://www.rust-lang.org.

Re:Article is bullshit

[Tough+Love]

...this problem has everything to do with shitty coding...

Understandable when you consider that most programming at Google is done by oversexed, overpaid interns still wet behind the ears. The name of the game at Google is to make it from intern to FTE so that your main duties become emailing, facetime and offsites, and your interns will do the coding.

Re:Article is bullshit

[AC-x]

Ah but you see Java has saved the day, for instead of a dangerous code execution buffer overflow condition the program simply quits out with a safe exception! :)

Re:Article is bullshit

[tnk1]

I'm not totally against Java, but having worked with it since it was released 20 or so years ago, I note that Java was touted as a language/VM/bytecode/whatever where you didn't need to worry about memory management aside from some tuning.

The reality is that Java saves you from having to write your own MM, but that's only helpful if their memory manager is actually better than something you could have written for yourself. Initially, the MM was nowhere near as good as it is today, although it was clearly "adequate". Still, you can do better even today, if you wanted to put the time into it.

What happened is that, for years, we just got used to restarting java apps when they acted poorly, and Operations threw up their hands and gave up trying to get development to actually catch exceptions when they were thrown. Logs full of unhandled exceptions have been normal for more than a decade now.

Java does have good points in comparison to C, but it is very easy to code junk in Java that works enough so that it gets released, which increases productivity, at the cost of well designed applications. That's why it is so popular, especially with the business.

Re:Article is bullshit

[glwtta]

Are... are you OK? Anything we can do to help?

Re:Article is bullshit

[BronsCon]

And that's not what this is doing. It's the lock screen, it runs when you're already logged in, lest all of your apps (even the one controlling phone functionality, which resides behind said lock screen) close every time you lock your phone. You know, just like they do when you log out of your shell.

Re:Article is bullshit

[thegarbz]

No, but this problem has everything to do with shitty operating system design. The login "screen" should not just be an application that maximizes it's screen to cover the UIs of all other application.

You're thinking from a security point of view. In reality the lockscreen is a function of the device that interacts with many running programs, widgets, allows apps to draw on it, modify it, still provides access to a whole host of phone functions such as adjusting brightness, volume, putting the phone on silent, dialing emergency numbers, accessing and dialing specific contacts in the contact list, even starting up certain applications in a limited functionality like the camera.

Your limited lockscreen wouldn't be very popular.

Incidentally looking at the video the attack seems to affect the Camera app rather than the lockscreen itself.

Re:Article is bullshit

[znrt]

(pssst. it's dalvik, actually)

Re:Article is bullshit

[terjeber]

Java was supposed to protect you from shitty coding

No, it wasn't. Remember, it's much better to sit quietly in the corner and let everyone think you are a moron, than to post on /. and remove all doubt.

Re:Article is bullshit

[gweihir]

It should be. It is not for Android.

Re:Article is bullshit

[BronsCon]

Not every lock screen is insecure.

I never said they were. Your post, while technically correct, does not make the post I was replying to any less incorrect or off-topic. The difference between a login screen that also serves as a lock screen and a lock screen that only serves as a lock screen is that the user is logged in regardless of whether they have unlocked the screen at any point; any start-up apps designated to run as their user have been started and will already be waiting for them when they unlock the device. It is a subtle but important distinction as, with a login screen, those apps would not start until the user logged in.

Since the focus of this article is the Android lock screen and the closest direct comparison is the iOS lock screen, which is also not a login screen, it makes no sense to discuss login screens.

Re:Article is bullshit

[ArsenneLupin]

So you basically have the right idea, but described it the way Unix-based systems do it.

On any Unix desktop environment that I know, the login screen runs before the user desktop is even started. Actually, after logging in you can see how the user desktop starts up, complete with this progress-bar like thingy in the middle of the screen.

What you might think is the lock screen, which is indeed a kind of window which entirely covers the normal desktop, and which can be "shattered".

Re:Article is bullshit

[david_thornley]

As long as Java is popular, there will be crappy Java programmers who lie and cheat to get hired. My best idea on how to avoid crappy developers is to work in unpopular languages, because crappy developers aren't going to bother to learn how to pretend to be good in them.

Re:Article is bullshit

[lsatenstein]

That's impossible. It's Java! Java can't have security holes! Everyone knows you don't write C because C has buffer overflows and can cause security problems when you paste in very long strings, and that NEVER happens with Java! Java is perfect! Everything you write in Java is perfectly secure! Ask any Java programmer!

I am a java programmer and I wholeheartedly agree with you. Java can't let you down, though the hardware could!

Hardware Access

[Barny]

Yeah, if you have hardware access to a device you own it. Nothing new to see.

Re:Hardware Access

[bill_mcgonigle]

Yeah, if you have hardware access to a device you own it. Nothing new to see.

Really? I'd love to bypass the bootloader on MY Verizon-compatible Kitkat GS4. Please post links.

Re:Hardware Access

[cyberchondriac]

This. Can't do it on my S4.

Re:Hardware Access

[LazyBoot]

Not only that, but it does not affect most phones with lollipop on it. It only works on phones that allow copy and paste from the emergency dialer (most do not) only then is it vulnerable.

    http://www.extremetech.com/mob...

I'm guessing that since I've set mine up so that the phone needs to be unlocked to access the camera, then I should be safe as well.

Re:Hardware Access

[ichthus]

I wonder how many people here, like me, went to this page thinking they'd be able to respond to your challenge, only to see the warning about bricking the phone. I feel bad for you -- my T-mo GS4 is so much better with Cyanogenmod installed.

Re:Hardware Access

[Wrath0fb0b]

Yeah, if you have hardware access to a device you own it. Nothing new to see.

That's actually not true on iOS where the unlock code actually forms part of the master key from which filesystem keys are derived. So hardware access without the unlock code nets you nothing. Of course, with a 4-digit code it's only a few days to try all 10000 of them, but users can a complex passcode with sufficient entropy to make brute force impractical.

Re:Hardware Access

[mackil]

You're right, but I was rather counting on the lock screen to keep my kids out of my phone. Now nothing can stop them from installing Angry Birds.

Re:Hardware Access

[acoustix]

Yeah, if you have hardware access to a device you own it. Nothing new to see.

My BlackBerry Z10 says otherwise.

Re:Hardware Access

[phantomfive]

Yeah, if you have hardware access to a device you own it. Nothing new to see.

A system that lets you bypass the password easily is a system with plenty of remote vulnerabilities.
People weren't thinking about security while they were programming.

Re:Hardware Access

[phantomfive]

Really? I'd love to bypass the bootloader on MY Verizon-compatible Kitkat GS4. Please post links.

It can be done, it's just a matter of how much money you are willing to spend to get that result. It's not like Samsung suddenly stopped putting bugs in their bootloader.

Re: Hardware Access

[RavenLrD20k]

Samsung Galaxy S5 owner here. Although I use the fingerprint scanner for a lockscreen, it has the ability to use a backup password instead. The password field does not allow pasting and typing into the field only allows 16 characters maximum; everything above that does not get entered in the field. I've also just switched to password entry as the primary locking mechanism to the same result. Cannot paste and field only accepts 16 characters.

Re:Hardware Access

[Zeroko]

I tried to do it with that configuration (I note that CM12.1 apparently does not allow tap-to-paste in the password field over a certain length, or perhaps the presence of the keyboard switcher at the right end of the box breaks it (the video shows repeatedly going to the right end & pasting)...but at any rate, I used Hacker's Keyboard to keep pasting), & when it crashed the lock screen, the home screen flashed briefly (potentially leaking sensitive data were there any there, so not ideal), but then the lock screen reappeared.

Re: Hardware Access

[Type44Q]

Locked bootloader on my Verizon S5 as well. Cocksuckers.

Re: Hardware Access

[macs4all]

Or I could go to radio shack and buy a small actuator to do it for me.

Really? You have a working Time Machine? Because that's the ONLY way you're going to buy any electronic components at a store called "Radio Shack".

Re: Hardware Access

[BronsCon]

Didn't they go out of business a couple months back? All the stores here closed, after 3 months of deep-discount (still overpriced) clearance.

Re: Hardware Access

[Bing+Tsher+E]

Don't show your ignorance. I was at my local Sprint/Radio Shack store on Tuesday. They have done the remodel and the stuff that is no longer going to be sold is on clearance. The big drawer cabinet of parts remains. The Arduino stuff and the pegboards with tools and soldering supplies and bare circuit boards and connectors are still there and not on clearance. There's a divide in the carpeting with two colors, an area with the Sprint and an area with the Radio Shack stuff.

Stick to your hipster Apple Store, if you feel safer, but here in the Midwest there are still Radio Shacks.

Re: Hardware Access

[khellendros1984]

Well, yeah, aside from their 1700 locations that are open right now, sure.

Re: Hardware Access

[macs4all]

Don't show your ignorance. I was at my local Sprint/Radio Shack store on Tuesday. They have done the remodel and the stuff that is no longer going to be sold is on clearance. The big drawer cabinet of parts remains. The Arduino stuff and the pegboards with tools and soldering supplies and bare circuit boards and connectors are still there and not on clearance. There's a divide in the carpeting with two colors, an area with the Sprint and an area with the Radio Shack stuff.

Stick to your hipster Apple Store, if you feel safer, but here in the Midwest there are still Radio Shacks.

Actually, I did NOT know that! That's actually GREAT NEWS!

I knew that Sprint was going to buy at least some of the Radio Shack stores; but had NO idea that they planned on keeping at least SOME of the "hobbyist" stuff!

That's all I ever go into Rat Shack for; so THANK YOU for edumacating me!

Re:Hardware Access

[dsmatthews9379]

Complementary Bluetooth attack coming in 10...9....8....7....6.....

Re:Hardware Access

[rastos1]

Yeah, if you have hardware access to a device you own it. Nothing new to see.

Really? I'd love to bypass the bootloader on MY Verizon-compatible Kitkat GS4. Please post links.

Obviously the corollary is that you do not really own the device. Sorry if you thought otherwise.

Re: Hardware Access

[RavenLrD20k]

After testing it in both Password Authentication only and Fingerprint Scanner with Backup Password authentication modes... both modes only allow 16 character passwords. So... if you're going to use a password, it can't be greater than 16 characters... or, it can, but everything after the 16th character is just dropped. I have to agree with you though. 16 characters is not enough. I'd personally prefer it should have been limited to 64 characters; 32 characters at an absolute minimum. Provides a nice huge margin before you get to the level that triggers buffer overflows, but also provides a decent level of security. I also seriously don't like that the lock screen crashes to home instead of crashing into itself.

Breaking security

[circletimessquare]

is nothing but a matter of time and effort. Nothing is secure. Anyone who touts how secure their software product is is in for a fall.

Software security will be a game of whack-a-mole forever.

Re:Breaking security

[Dixie_Flatline]

Ehn, this is particularly weak. This isn't a matter of a few hours, it's short enough to fit into a quick youtube video. :/

Re:Breaking security

[circletimessquare]

good response. there is indeed obscure, difficult, fleeting, technically sophisticated, damage limited security breaches, and "oh my fucking god how could you screw up so badly" security breaches that any idiot can perform to get full access

getting the home screen after punching in a crazy long password is a really embarrassing fail on google's part

reminds me of "hacking" windows 98 security:

http://imgur.com/gallery/fqjnK

Re:Breaking security

[Dragonslicer]

is nothing but a matter of time and effort.

While you're technically correct (the best kind!), if it would take longer than the expected lifetime of the universe to crack an encryption key, I'm willing to accept that as good enough.

Re:Breaking security

[circletimessquare]

with today's technology

as technology advances over the years, today's encryption key standard is going to be cracked in a scary short time

regardless, the topic is security exploits, back doors, hacks. not the brute forcing of a solid security implementation

Novermber,2014 called

[rodrigoandrade]

It wants its "latest" version of Android back.

Re:Novermber,2014 called

[Calydor]

Worse than that, I recall a similar buffer overflow from the DOS days when entering a ... 255 character password, I think, immediately followed by the command you wanted to execute, would get around the password prompt.

How do these things keep popping up?

Re:Novermber,2014 called

[cdrudge]

How do these things keep popping up?

The 18-20 year old developers who are entering the real world out of high school and college weren't even born when MS-DOS was around prior to Windows 95. Even if you add on an extra decade and include any developer under the age of 30 probably doesn't remember DOS much if at all, let alone buffer overrun hacks on mom and dad's PC.

Re:Novermber,2014 called

[Scoth]

In a past life I led UAT/QA testing teams, and I mostly blame poor fail state handling with a fair amount of positive-result-only testing. A lot of bits are coded such that they really only handle "correct" data, and anything else doesn't get handled properly or at all. On top of that, plenty of test case scenarios either only test that things work properly when used properly, or for things that include fail states that they still only really test "correct" usage. I used to get teased a fair amount for doing things like pasting huge amounts of data in fields (just for bugs like this one), or uploading images to csv-expecting text-based importers, or clicking buttons as fast as I could when it was only expecting a single click, but I found all kinds of weird bugs that way. My favorite, and relevant to this, was when I discovered that entering in a massive block of text on the customer account management site's Add Email Mailbox wizard would crash the entire customer management site systemwide. That one got fixed pretty quickly.

What is old is new

[goombah99]

early versions of mac OSX had a similar problem. 10,000 character password entries would unlock the system. Entering these was aided because the password field accepted emacs key commands (like every other field on a mac) so repeated ctrl-a ctrl-k ctrl-y ctrl-y ctrl-y quickly got you to the passwrd field overload point.

Re:What is old is new

[Tough+Love]

The metaproblem here is that Google is less competent than they imagine to develop Android by themselves as they do. The short form of that is one word: hubris.

Re:What is old is new

[macs4all]

early versions of mac OSX had a similar problem. 10,000 character password entries would unlock the system. Entering these was aided because the password field accepted emacs key commands (like every other field on a mac) so repeated ctrl-a ctrl-k ctrl-y ctrl-y ctrl-y quickly got you to the passwrd field overload point.

What versions? One of the Developer Previews?

Honestly, not only have I never heard of this vulnerability in OS X; but I couldn't find it on Google, nor, more importantly, could I find a "CVE" Reference to that alleged vulnerability, either. In fact, the CVE list only shows 92 Vulnerabilities for OS X from 2001 to present (and the vast majority being ranked level "2.1" on a scale of 2.0 to 2.99), as compared to 481 for Windows 7, 221 for Windows 8, 169 for Windows 8.1, and (drumroll please) 29 already for Windows 10 (even though it has only been released for a little over a month). Even more disturbingly, out of the 29 Windows 10 vulnerabilities, MOST of them are REALLY serious (levels 7 to 9).

Re:What is old is new

[slo]

Googling, I found this. It sounds like the screen lock vulnerability described.

Re:What is old is new

Not the original poster, and it was a bit hard to find, but there's this: https://www.securemac.com/maco...

I remember a slashdot discussion about it years ago as well.

Re:What is old is new

[Hognoxious]

The man is dead, but his reality distortion field lives on.

Re:What is old is new

[uCallHimDrJ0NES]

Hear, hear!

Re:What is old is new

OMG a software bug? Google must be very hubristic and incompetent. Software is normally free of flaws.

Re:What is old is new

[goombah99]

If you want proof of googles incompetence then look no further than the incomprehensible labyrinth of android studio, especially when you compare it to alternatives. Oracle makes things hard enough with for less than dedicated users with netbeans. Eclipse is really nice for dilettante users. Xcode for all its complexities is really a marvel since it handles so many different development needs with uniformity and great consistency over years.

Re:What is old is new

[macs4all]

Not the original poster, and it was a bit hard to find, but there's this: https://www.securemac.com/maco...

I remember a slashdot discussion about it years ago as well.

Ok, well now I remember it; but according to this article (and the comments following it), this is MUCH different than the Lollipop vulnerability:

1. It is only the SCREENSAVER-lock that is affected. The regular OS X Login Screen CANNOT be bypassed in this manner! BIG difference!

2. You must know the USERNAME of an ADMINISTRATOR Account; regular (non-Admin) Users CANNOT use this vulnerability to gain unlock the screensaver. Again, BIG Difference!

3. This has been fixed for aeons.

Re:What is old is new

[Tough+Love]

I don't need further proof of Google's incompetence but apparently some people do.

Re:What is old is new

[Tough+Love]

Well, here's further proof from just this morning: Google device manager was changed so that it now won't set a new Android device password remotely if the screen is locked, so if your wife forget her password your choices are 1) Factory reset or 2) Kill yourself. I wonder how much Jolt it took to come up with that one.

Google's new motto: We're too smart to think.

Re:What is old is new

[gweihir]

Google is a lot less competent in many areas than they think they are. For example, their research papers suck badly. That they do not really know how to handle Android is no surprise. Maybe if they had hired some people with experience and maturity instead of highly-intelligent but otherwise retarded ones.

Re:What is old is new

[tehlinux]

It's not like this is a brand new exploit that couldn't have been prevented.

Re:What is old is new

[goombah99]

Actually I believe that android's phone lock is actually a screen saver lock. They just have an app running that covers the screen rather than an actual login screen.

Comment removed

[account_deleted]

Comment removed based on user account deletion

My HTC One M8 GPE edition got updated last night.

[pecosdave]

I figured it was mostly for the corporate identity change and logo changes Google is has been doing recently. I could see this fix being in there.

On another note I mourn the loss of the GPE edition. It was a good idea and should stay.

pin code not vulnerable

[sociocapitalist]

Only works against passwords and only in certain cases.

Does not work against pin codes or swipes.

Re:pin code not vulnerable

[freeze128]

When I set up and unlock swipe pattern on my phone, I wanted to make sure it was not something simple that someone would guess. I was dismayed that:

You can't swipe to a non-adjacent point
and
If you double-back on your swipe path, you don't need to enter that double-back part of the path when unlocking.

I think using a swipe pattern is even LESS secure than using a pin with the same number of digits as swipe points.

Re:pin code not vulnerable

[asylumx]

You can't swipe to a non-adjacent point

Yes you can. My passcode has this on my android craplet at home. It's just difficult because if you pass over another point to get there it will add the other point too. Since it is similar to a keypad, all you do is go for example from the 9 position to the 4 position (corner on one side to middle on opposite side) without crossing the center point. They are not adjacent, yet you can use them.

Re:pin code not vulnerable

[PostPhil]

I think that was the point being made: it's not about the physical motion of "swiping", the problem is that the pattern is forced to be a contiguous line at all.

Whether I tap two corners and it adds the middle point automatically, or whether I swipe from one corner to the other, it doesn't matter because the problem is the same: this strategy reduces the total possible count of unique patterns.

The better implementation would be for the pattern to be detected as a sequence of activated points, where those points don't have to be part of a contiguous line, and the same point can still be reused later in the sequence. Really it would be better if each point simply flashed briefly when activated rather than using a line, because a line pattern is easy for someone across a room to be able to recognize. At the same time, while a tap on a point activates it, swiping motions should still work too, in case people still prefer their pattern to be contiguous.

Both preferences accommodated for, yet the total possible unique combinations goes up. Problem solved.

ARE YOU LISTENING, GOOGLE?

Re:pin code not vulnerable

[adolf]

You already have this functionality on your device: A grid of symbols, which can be activated in any order, or perhaps repeated. The symbols even flash briefly as they're activated.

It's called a PIN.

Re:pin code not vulnerable

[thegarbz]

This seems to rely on the Camera app crashing which makes me wonder if any manufacturers who ship their own camera app (i.e. Samsung) are even exposed at all.

Re: pin code not vulnerable

[jsh1972]

I really like LG's knock on code. It's similar to swipe, but divides the unlock area into quads, you then tap a pattern into the various quads. Works great to unlock direct to home screen, band best of all no grease trails to figure out the swipe pattern.

Re:pin code not vulnerable

[sociocapitalist]

I think using a swipe pattern is even LESS secure than using a pin with the same number of digits as swipe points.

Agreed completely

No password

[p51d007]

Nothing on my phone, other than photos, email addresses, bookmarks. No bank info, no home addresses. Phone is never left unattended, always on my belt clip. I've never lost a phone, had one stolen. Never used a password. Swipe to unlock. I don't leave my phone in the car, at the beach, bar, etc. I look at it as if I would my wallet. I've never lost it, had it stolen in over 40 years of carrying one since I got my drivers license in the 70's. If people were more RESPONSIBLE, it wouldn't be an issue.

Re:No password

[unrtst]

I don't leave my phone in the car, at the beach, bar, etc.

Assuming you use a car to drive to the beach and you go into the water, where do you leave your phone if not in the car or on the beach?

I mostly agree though. I've seen so many people leave their phones sitting on the bar when they go to the bathroom, or even just sitting on the table while they eat. Put it the fuck away unless you're using it, and don't use it while holding a conversation with someone else. One exception/excuse though... have you seen the size of pockets on women's pants!?!?

Re:No password

[MooseTick]

" If people were more RESPONSIBLE, it wouldn't be an issue."

If only we could all be as RESPONSIBLE as you then nothing would ever be lost or stolen.

Re:No password

[Culture20]

If you plan on driving to the beach, you can leave the phone at home.

Re:No password

[Actually,+I+do+RTFA]

If only we could all be as RESPONSIBLE as you then nothing would ever be lost or stolen.

If it wasn't for Private Joker, there would be no thieves in the world

Just fuck

[AndyKron]

A long password? Fuck. Just fuck.

And it has been fixed

[necro81]

The vulnerability was disclosed to Google, who has developed a patch, which Google released last week. So, it makes for a funny story, and a teachable moment, but does not necessarily mean OMG-We'z-Been-Hax0red!

Re:And it has been fixed

[mr_mischief]

This is especially true of us folks not using the password feature. Patterns and PINs are not included in this attack. I'm going to go out on a sturdy limb here and say my fingerprint scan isn't either.

Re:And it has been fixed

[ITRambo]

I'm pretty sure that most users will not get the patch for a very long time, if ever, due to carriers not caring one bit about updating in a timely manner.

Re:And it has been fixed

The hack works for extremely large thumbs.

Re:And it has been fixed

[acoustix]

I'm pretty sure that most users will not get the patch for a very long time, if ever, due to carriers not caring one bit about updating in a timely manner.

This. It seems that the US carriers rarely send out OS updates for the many security updates. This needs to change.

Re:And it has been fixed

[Carewolf]

If they have a carrier that doesn't care about updates they wouldn't have the very latest android version (the one affected) the first place.

Re:And it has been fixed

[Moof123]

The simple fix would be to make them liable for any break-ins for known security issues not patched within 30 days of availability for phones sold in the last 3 years.

Shipping already orphaned phones is awful. Shipping a phone with vulnerabilities that will never get fixed should be criminal.

I'm in the market to replace my phone, and it is just a sea of crap to wade through. It is very hard as a consumer to figure out how much crapware there is on a phone, or what the odds of ever getting an update are, or if the update will just be extra crapware that fills up the meager remaining on-board storage. I hate the idea of throwing money at Apple's walled garden, but compared to Android's dystopian Wild West (Westworld?) it is not looking too bad these days.

Re:And it has been fixed

[gsslay]

If you RTFA you'll see that the problem is (and this is nothing new for Android) that patches take ages to percolate from Google down to the various distros managed by manufacturers and phone networks. And that's only if the end user allows updates.

So this hack is likely to be live and exploitable for some while yet.

Re:And it has been fixed

[macs4all]

The vulnerability was disclosed to Google, who has developed a patch, which Google released last week. So, it makes for a funny story, and a teachable moment, but does not necessarily mean OMG-We'z-Been-Hax0red!

The vulnerability was disclosed to Google, who has developed a patch, which Google released last week, which very few end-users will ever see.

FTFY.

Re:And it has been fixed

[macs4all]

I'm pretty sure that most users will not get the patch for a very long time, if ever, due to carriers not caring one bit about updating in a timely manner.

This. It seems that the US carriers rarely send out OS updates for the many security updates. This needs to change.

That change can be had TODAY.

Re:And it has been fixed

[wbr1]

Nexus 6 babeeeeeeee

Re:And it has been fixed

[BronsCon]

And that also assumes that the convenience-minded users of these devices use the less convenient (when compared to PIN or Pattern locks) Password lock. It's so rare I can honestly say I've never seen it used outside the 5 minutes I had my phone configured to use it about 4 years ago. I am security-conscious but it completely negated the very reason I carry a phone-capable pocket computer with me in the first place: to fetch information as quickly as possible.

I can't help but think having a full QUERTY keyboard (and not the "here's your letters, press here for numbers, there for symbols, there again for more symbols, and there for smileys" crap we have today) would fix that. Preferably physical. I mean, I never had any issue with a proper password on the Blackberry devices I used before Android.

Re:And it has been fixed

[thegarbz]

The vulnerability was disclosed to Google, who has developed a patch, which Google released last week. So, it makes for a funny story, and a teachable moment, but does not necessarily mean OMG-We'z-Been-Hax0red!

The vulnerability was disclosed to Google, who has developed a patch, which Google released last week, which very few end-users will ever see.

FTFY.

The vulnerability was disclosed to Google, who has developed a patch, which Google released last week, which very few end-users will ever see, and which affects very few people to begin with.

FTFTFY

Re:And it has been fixed

[TsuruchiBrian]

The "simple" fix is more litigation?

Re:And it has been fixed

[macs4all]

The vulnerability was disclosed to Google, who has developed a patch, which Google released last week, which very few end-users will ever see, and which affects very few people to begin with.

FTFTFY

Then why did it rate a Slashdot article to begin with? Or are you saying it will only affect a few people because Lollipop hasn't been out very long? That's small comfort.

Re:And it has been fixed

[macs4all]

Just as one can choose to buy an iphone over a bad android phone, one can choose to buy a good android phone over a bad android phone.

But when the problem is in the underlying, unifying OS (Android), then how, pray tell, does someone get a "Good Android"? It seems like the only way to escape the ugly OS design that is Android, is to escape Android.

Hence my original post.

Re:And it has been fixed

[swillden]

I'm pretty sure that most users will not get the patch for a very long time, if ever, due to carriers not caring one bit about updating in a timely manner.

This. It seems that the US carriers rarely send out OS updates for the many security updates. This needs to change.

That change can be had TODAY.

Fixed that link for you.

Re:And it has been fixed

[macs4all]

I'm pretty sure that most users will not get the patch for a very long time, if ever, due to carriers not caring one bit about updating in a timely manner.

This. It seems that the US carriers rarely send out OS updates for the many security updates. This needs to change.

That change can be had TODAY.

Fixed that link for you.

Really? Looks like a broken link to me. ;-)

Re:And it has been fixed

[khellendros1984]

Can't find the model of iPhone with an SD slot, removable battery, 1080p screen that still fits in my pocket, that runs the apps I've already got. It seems like I'd also lose access to several of the app stores I'm accustomed to using =/

Just go with a Nexus device. No crapware, longer support, and if you're already accustomed to Android, you've got access to your apps and a familiar UI.

Re:And it has been fixed

[thegarbz]

Then why did it rate a Slashdot article to begin with?

You're taking the piss right?

Or are you saying it will only affect a few people because Lollipop hasn't been out very long? That's small comfort.

No. It affects all previous versions of android. HOWEVER: It only affects a few people because of the specific setup required: Google's built in homescreen + Google's built in camera app + password combination. The typical unlock scenarios you see are by preference:
1. Pattern unlock
2. Pin unlock
3. Swipe unlock (no security).
4. Password
followed by what ultimately is a rounding error compared to the above:
5. Fingerprint unlock
6. Face unlock.

i.e. straight off the bat every Samsung phone except for the Google Play edition is unaffected because the Camera App doesn't crash.

Re:And it has been fixed

[swillden]

Works great for me. And much more flexible than your option.

Mine can't

[edibobb]

I don't use a password. Why is my url mobile.slashdot.com when I'm on a desktop?

Re:Mine can't

[Zeroko]

Because the story is about mobile, not because it is the mobile version of the site.

Progress in computing

[thrig]

It's like gets(3), only different!

Re:Speaking of OLD

[chipschap]

Or, maybe you could realize that older people have developed the wisdom and maturity that only comes with time, and, heaven forbid, you might actually learn something from them.

Re:Exploit exists on iPhone 5 as well...

[93+Escort+Wagon]

Wow, somebody modded this comment as a troll? It's amazing how some folks have absolutely no sense of humor...

Re:Speaking of OLD

[jason.sweet]

Maybe you could put your phone down, and make my fucking burger.

Re:My HTC One M8 GPE edition got updated last nigh

[wbr1]

Then get a Nexus or root.

Re:My HTC One M8 GPE edition got updated last nigh

[pecosdave]

Got root - bought AT&T version - it's a GPE now.

Analysis of android vulnerabilities & exploita

[locksmithsinscottsda]

As you said this is java based program so you know very well about java. Java is the biggest vulnerability for US Technology. Android is an operating system based on the Linux kernel. It is the most widely used and popular operating system among Smartphones and portable devices. Its programmable and open nature attracts attackers to take undue advantage. Android platform allows developers to freely access and modify source code. But at the same time it increases the security issue. A user is likely to download and install malicious applications written by software hackers. This paper focuses on understanding and analyzing the vulnerabilities present in android platform. In this paper firstly we study the android architecture; analyze the existing threats and security weaknesses. Then we identify various exploit mitigation techniques to mitigate known vulnerabilities. A detailed analysis will help us to identify the existing loopholes and it will give strategic direction to make android operating system more secure. ANDROID SECURITY USING EXPLOIT MITIGATION TECHNIQUES : The main target for implementing Android security is to protect the user data, system resources, and providing application isolation. For this, Android has timely updated its security controls with each patch and every version it has released. The earlier versions of Android had very little or no security features to protect against advanced attacks because the development was still on and also very few people had android devices. CONCLUSION : After studying in detail the various Android vulnerabilities, it’s clear how dangerous its impact can be. To tackle the number of increasing vulnerabilities, Android must timely introduce new security enforcement and exploit mitigation techniques. The kernel of Linux OS itself is so vulnerable that every week new exploit is discovered. The vulnerability fixes released for these should be patched in Android's Linux Kernel as well to avoid replicating the same vulnerabilities again. To stay away from malware's, users need to be aware about the importance of looking over the permissions granted to an app during installation time and to download apps from the official Google play store. In the coming years, we see Android to be a very secure OS, which the users can trust enough to do even their banking transactions from smart phones. If you want to secure your smartphone forever. Look forward to contact : http://www.locksmithsinscottsd...

Some Phones are Already Unintentionally Patched

[The+Eight-Bit+Link]

On my HTC One (M7), the emergency dialer is not the stock Android dialer, and when you try to highlight the text to copy it, it tells you that it's not an emergency number and therefore the call wasn't sent. Same with the unlock screen: you can't paste text into it. I imagine the only phones that could be susceptible to this are the ones who are very close to stock Android, and since they are close to stock Android, they won't be vulnerable due to the new way Android updates are handled (every part of the system sans kernel is an app that can be updated).