Slashdot Mirror


Google Fixes Rooting Vulnerabilities In Android (csoonline.com)

itwbennett writes: Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday, fixing a new batch of vulnerabilities in Android that could allow hackers to take over devices remotely or through malicious applications. The new patches address six critical, two high and five moderate vulnerabilities. The most serious flaw is located in the mediaserver Android component, a core part of the operating system that handles media playback and corresponding file metadata parsing.

126 comments

  1. Android security? lol! by Anonymous Coward · · Score: 0

    And everyone else will get these fixes by 2017 if ever?

    1. Re:Android security? lol! by Anonymous Coward · · Score: 0, Informative

      Overpriced basic phone with uniform updates, OR powerful but expensive phone with fewer updates, but longer support thanks to custom ROMs.

    2. Re:Android security? lol! by LichtSpektren · · Score: 2

      You're right for the crappo sub-$100 phones, but flagships and Nexus devices do get the security updates.

    3. Re:Android security? lol! by minus9 · · Score: 3, Funny

      "No one will get these fixes."

      Not even the people who are mentioned in the article you're replying to? The ones with Nexus devices that the fixes were pushed out to on Monday?

    4. Re: Android security? lol! by Anonymous Coward · · Score: 0

      Wrong again. My word, talk about pigs flying, and shit on hats. Damn man, open your eyes, ios, android, BlackBerry, and the evil giant MS, are all companies that want you to buy their product. If you bought one, they want you to buy another. So they have to "improve" the product. So why would the improvement be available to you with the old product?

    5. Re: Android security? lol! by Anonymous Coward · · Score: 0

      And yet Apple released iOS 9 for the 4s that they stopped selling years ago. Sort of blows up that theory.

    6. Re:Android security? lol! by Anonymous Coward · · Score: 0

      Many Android devices have a guaranteed update period of time. eg: 2 years for the Moto G (180$). And a device like the Moto G has a great community and is very well supported by Cyanogen.

      iPhones are just for people who want someone else to decide and choose for them.

    7. Re:Android security? lol! by Anonymous Coward · · Score: 0

      HTC desire (2010 device) under KitKat, try to do something comparable with an iphone.

    8. Re:Android security? lol! by houghi · · Score: 2

      My phone makes calls that cost money, so I DO need security. I would not want it to make calls that cost money (or send messages) without my knowledge.

      And even if that were not the case, I do not like people being able to snoop around on it. Just because I do not have anything to hide does not mean I do not value my privacy.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re:Android security? lol! by tepples · · Score: 1

      My phone makes calls that cost money

      I thought the majority of smartphones were on plans with unlimited talk and text by now, and that major U.S. carriers were making pay-per-minute plans available only for dumbphones.

    10. Re:Android security? lol! by Lunix+Nutcase · · Score: 0

      Guaranteed by what? Where's the legally-binding contract you have with Motorola for 2 years of updates?

    11. Re:Android security? lol! by Anonymous Coward · · Score: 0

      Sure, unlimited international calls. Or do you think an attacker exploiting a flaw that lets them dial will only call national numbers?

    12. Re:Android security? lol! by Anonymous Coward · · Score: 0

      Actually, my US $180 Moto G 3rd Gen just got Android Marshmallow this morning. While I realize 6.0 was released just over 2 months ago, I am also fairly satisfied that I am getting these updates in a relatively timely fashion. The key with Android phone, just like everything else, is to understand what you're buying and the risks associated with that purchase. It will be some time before I receive this particular update, I know this, but I have a fairly high degree of confidence that I will get it. All this, on a non-flagship, non-Nexus, $180 phone.

    13. Re:Android security? lol! by Penguinisto · · Score: 1

      Depends on another factor entirely - the destination phone number (e.g. if that phone # begins with 1-900 ).

      A dialer that surreptitiously dialed a cost-per-minute "premium" phone number would be a way for a black hat to make money. Doesn't have to be more than a minute or two a week per phone, say $2.50/call per week per phone ($10 per month would be small enough to pass muster for most users, who would pay it without a second thought, if they even checked their phone bill). $10/mo multiplied by N victims would net a tidy amount of cash for someone who was moderately successful at it.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    14. Re:Android security? lol! by bill_mcgonigle · · Score: 1

      Guaranteed by what? Where's the legally-binding contract you have with Motorola for 2 years of updates?

      Did they advertise it? Did he buy one? Then it's a contract that the courts will enforce.

      Don't make the mistake of confusing the paper of a written contract for a contract. Of course it's cheaper to buy a new phone than engage in a court battle since we don't have marketable torts in the current Western systems.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    15. Re:Android security? lol! by tepples · · Score: 1

      What else would I need to block at the carrier other than 1-900 and international calls?

    16. Re:Android security? lol! by Lunix+Nutcase · · Score: 1

      Did they advertise it? Did he buy one? Then it's a contract that the courts will enforce.

      No, they haven't, which is why I'm asking how he got a contract from Motorola for 2 years of updates. At best Motorola has made non-committal statements about updates but nowhere have they ever given a legally-binding guarantee of 2 years of updates. The fact that the 2015 Moto E won't get Marshmallow attests to no such legally-binding guarantee.

      Don't make the mistake of confusing the paper of a written contract for a contract. Of course it's cheaper to buy a new phone than engage in a court battle since we don't have marketable torts [youtube.com] in the current Western systems.

      I'm not mistaking anything. Don't make the mistake of assuming things since you're not a very good mind reader.

    17. Re:Android security? lol! by Penguinisto · · Score: 1

      Depends (err, again)... sometimes 'premium' numbers are 1-866 or 1-877, and internally shift to a 1-900 (though your phone wouldn't see that happen). I only pointed out 1-900 for clarity/shorthand more than anything else.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    18. Re:Android security? lol! by Anonymous Coward · · Score: 1

      I can't wait to get these updates for my Galaxy Nexus!

    19. Re: Android security? lol! by Miamicanes · · Score: 1

      That was briefly true for a short time in the 90s (the ESS switching protocol exposed functionality whose security assumed it was under the control of a responsible phone company, but could be abused by malicious clients), but not any more. The vulnerability was fixed, and the FCC made it clear that any charges for fraudulently redirected calls HAD to be refunded to consumers. That's part of the reason why mobile phone carriers block calls to those numbers outright... they aren't required by law to participate, and they don't want to be bothered by the customer service nightmare (and financial losses) every time some incident occurs.

    20. Re:Android security? lol! by fluffernutter · · Score: 1

      You have a point if this happens... I personally haven't heard of it happening. Plus I'm sure if it did happen, the phone company would refund the charge.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    21. Re:Android security? lol! by fluffernutter · · Score: 1

      I did some googling and found the pwn2own vulnerability, but to do that you have to have a fake station in range of your phone, so it seems highly unlikely any given person would ever get hit by it. Are there any highly practical attacks that can dial a phone without someone knowing?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    22. Re:Android security? lol! by BronsCon · · Score: 1

      Or a Nexus device. I already have these updates.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    23. Re:Android security? lol! by BronsCon · · Score: 1

      You mean your 4 year old phone that you bought while Google had a published 2 year (from first sale) major update, 3 year (again, from first sale; or 18mo from last sale in the Google store) security update policy? If you're claiming you didn't know what you were buying, that's on you. That said, there's nothing stopping you from installing Chroma on it; Android 6.0.1, split-screen windowing, and a host of other features, including these updates once the maintainers issue another release after the updates hit AOSP today.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    24. Re:Android security? lol! by Krojack · · Score: 1

      I already got them. So you want to correct yourself?

    25. Re:Android security? lol! by swillden · · Score: 1

      You mean your 4 year old phone that you bought while Google had a published 2 year (from first sale) major update, 3 year (again, from first sale; or 18mo from last sale in the Google store) security update policy? If you're claiming you didn't know what you were buying, that's on you.

      To be fair, Google didn't have an official support policy for Nexus devices when the Galaxy Nexus was released. In fact, Google didn't have such a policy until August 2015. It was understood previously that devices would get updates for a couple of years, but there was no specific commitment.

      Actually, it seems that official update policies for mobile devices are a new idea. AFAICT Google's was the first, and I don't know that any other company has yet matched it. That includes Apple -- though in practice Apple usually supports devices for longer than 2-3 years.

      (Disclaimer: I'm a Google Android engineer, working on the Android security team. I'm speaking for myself, though, not for Google.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    26. Re:Android security? lol! by BronsCon · · Score: 1

      In fact, Google didn't have such a policy until August 2015.

      I'll take your word, given that you're a Google engineer, but I seem to recall reading the policy before I bought my Nexus 6 in November 2014. I was under the impression that they had simply rewritten the policy and issued a few press releases in August 2015.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    27. Re:Android security? lol! by Forever+Wondering · · Score: 1

      I just got an OTA update that fixed the stagefright vuln for my [Boost] Galaxy S3. AFAICT, it was [mostly] just security fixes, which is fine.

      IMO, Google had to create the tools for the "rapid response" updates, which they did. Now, [IMO smart] vendors like Moto, Samsung, et al. are beginning to use them.

      As a computer engineer myself, I use git. I know how relatively easy it is to apply source patches to older tree branches using it. Since git is at the core of Android source tree development, this is also easy to do. Google just had to package this up as a release system.

      This works for everybody: Consumers, vendors, and telcos. It improves the brand quality/loyalty. I really like Android, but the prospect of "being left behind" on security fixes was beginning to make me think [reluctantly] about Apple/iPhone/iOS because of the security update issue.

      It also can address the "fragmentation" issue, if the monthly updates add some forward compatibility libraries. Apps crashing because they were built for Android version N, when I only have N-x. I don't mind a few feature restrictions, because that's better than outright freeze/crash/lockup/etc. necessitating a reboot.

      --
      Like a good neighbor, fsck is there ...
    28. Re:Android security? lol! by Anonymous Coward · · Score: 0

      The key is two things:

      1: Is the bootloader unlockable? Last year, it took a five-digit bounty before someone even got root, much less found a way to bypass KNOX on Samsung devices. If the bootloader isn't unlockable, I would recommend not just not getting it, but making it clear why one wouldn't buy it.

      2: Is the device popular to be supported by someone? The ideal is if the CyanogenMod folks support the device, then you know that years later, down the road, the device will continue to get updates. Without this, the device will just slowly die, especially some lesser known models that may be functional, but nobody just cares enough to build on them.

    29. Re: Android security? lol! by Anonymous Coward · · Score: 0

      Except that's not an improvement. It runs slower on the 4, is missing features, and Apple is being accused of crippling these older phones to force users to upgrade. Apple is no different in wanting you to keep on paying.

    30. Re:Android security? lol! by golgotha007 · · Score: 1

      Oh, this is all FUD. Hackers of these exploits aren't using them to place long distance phone calls.

    31. Re:Android security? lol! by Anonymous Coward · · Score: 0

      You mean your 4 year old phone that you bought while Google had a published 2 year (from first sale) major update, 3 year (again, from first sale; or 18mo from last sale in the Google store) security update policy? If you're claiming you didn't know what you were buying, that's on you. That said, there's nothing stopping you from installing Chroma on it; Android 6.0.1, split-screen windowing, and a host of other features, including these updates once the maintainers issue another release after the updates hit AOSP today.

      In any case, Android phones are kind of shoddy.

    32. Re:Android security? lol! by Anonymous Coward · · Score: 0

      Did they advertise it? Did he buy one? Then it's a contract that the courts will enforce.

      No, they haven't, which is why I'm asking how he got a contract from Motorola for 2 years of updates. At best Motorola has made non-committal statements about updates but nowhere have they ever given a legally-binding guarantee of 2 years of updates. The fact that the 2015 Moto E won't get Marshmallow attests to no such legally-binding guarantee.

      Don't make the mistake of confusing the paper of a written contract for a contract. Of course it's cheaper to buy a new phone than engage in a court battle since we don't have marketable torts [youtube.com] in the current Western systems.

      I'm not mistaking anything. Don't make the mistake of assuming things since you're not a very good mind reader.

      Everybody should assume Lunix Nutcase knows what he's talking about. Since he's a real smart human being who you know, or something.

    33. Re:Android security? lol! by BronsCon · · Score: 1

      Well, yes, if you buy the cheap shoddy ones, they are. Here's a tip: don't buy cheap shoddy crap.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. Sweet by afidel · · Score: 0

    That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEMs before then. On the downside it means you can be spearphished through an MMS.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    1. Re:Sweet by Anonymous Coward · · Score: 0

      I guess I'll just ignore all the monthly security updates vendors are doing these days.

    2. Re:Sweet by Anonymous Coward · · Score: 0

      The ones they are only doing for the very newest phones and only for as long as they feel like it?

    3. Re:Sweet by greenfruitsalad · · Score: 0

      i'd much rather see nice, solaris style RBAC built into android.

    4. Re:Sweet by ITRambo · · Score: 1

      Turn off push MMS. Problem solved.

    5. Re:Sweet by LichtSpektren · · Score: 2

      That means end users will be able to use these to root their devices for the next 12-18 months since the patches won't be applied by most OEMs before then. On the downside it means you can be spearphished through an MMS.

      Perhaps I'm misreading your post, but you seem very confused. Unlike jailbreaking iPhones, where one has to find some tiny privilege escalation vulnerability before Apple does and then abuse it to flash a custom ROM, Android is designed to allow rooting fairly easily. In fact, Google themselves provide a page that gives layman's instructions on how to unlock the bootloader and flash the stock ROM for their Nexus devices (https://developers.google.com/android/nexus/images); that includes all the latest security updates, so rooting is unnecessary, but doing so from there is trivial. It's a little bit more complicated than that if one has a non-Nexus device, but not prohibitively so.

    6. Re:Sweet by 110010001000 · · Score: 1

      And Bluetooth, since there is a privilege escalation issue there too (CVE-2015-6641). In fact, just turn off everything, then you will be completely safe. Maybe. Just to be 100% sure, keep the phone off and pull the battery.

    7. Re:Sweet by houghi · · Score: 1

      I have sending and receiving MMS turned off at my provider. As well as paid services, except helpdesk numbers that are fixed priced and have a restricted duration.

      So no drunk call to sex lines by 'accident'. No sending sms to paid services. No SMS.

      I can even turn on and off roaming for in and outcoming calls separately.

      --
      Don't fight for your country, if your country does not fight for you.
    8. Re:Sweet by tepples · · Score: 1

      Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?

    9. Re:Sweet by gstoddart · · Score: 1

      You understand this is a fix for the Nexus devices, right? Those are the Google branded ones without OEM crap on them.

      So, no.

      The OEMs have likely introduced their own security holes they'll have to deal with.

      --
      Lost at C:>. Found at C.
    10. Re:Sweet by afidel · · Score: 1

      That's only true for Nexus devices, for devices with locked bootloaders and stock ROMs without root and no first party root ROM then you need to exploit a bug to gain root and then either gain permanent root or install a slotted second level bootloader that can bootstrap a rooted ROM image.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    11. Re:Sweet by afidel · · Score: 1

      Uh, good for you? I use MMS on a weekly basis, either for picture messages with the wife or for messages greater than 160 characters.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    12. Re:Sweet by Anonymous Coward · · Score: 0

      Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?

      By buying an identical second device, and restoring it there.

    13. Re:Sweet by afidel · · Score: 1

      No, this is a fix to AOSP which is the base tree for the OEMs, the OEMs might have additional bugs but they'll also need to apply these fixes to their own code tree, test, and push out the fixes (or not as is their wont, though the big OEMs are now at least paying lip service to monthly security patches but it seems to really only be for flagship and flagship-1 and some midrange hero devices while a lot of their product range sits unpatched)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    14. Re:Sweet by guacamole · · Score: 1

      Your comment reminds me of the old Soviet joke about a director of a kolkhoz, who during an important meeting announced: "I have two news for you, one good and the other bad. The bad news is that we lost all crops and we will have to eat shit all of the next year. The good news is that we have plenty of shit!"

    15. Re:Sweet by guacamole · · Score: 1

      I am not even sure if your comment is on topic, but I recall that RBAC is basically Sun's answer to sudo. As usual, instead of adopting a well known, well liked, and well understood open source program into Solaris 8, Sun came up with its own "RBAC", which only works on Solaris and barely anyone used it.

    16. Re:Sweet by LichtSpektren · · Score: 1

      Use Carbon (Titanium is superior if you're already rooted, but Carbon should do the trick). Try deleting an app and restoring it from backup as a test. Unfortunately there's no way to be 100% sure unless you test every single app you wanted to backup, but that's true of all backup systems unfortunately.

    17. Re:Sweet by BronsCon · · Score: 1

      And the same applies to any computer system. Funny, that.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    18. Re:Sweet by greenfruitsalad · · Score: 1

      what i mean is that running android applications as root is currently necessary to achieve some goals (e.g. app backups) but stupid from a security point of view - all or nothing permissions. that's one of the reasons google isn't too keen on this.

      instead, i'd like a finer grained privilege escalation that's well integrated into the system instead of a dangerous hack. RBAC as implemented in solaris or aix is a beautiful way of doing such things (not so much in HP-UX). it is more advanced than sudo but not a significantly more complicated concept. it's just different and requires getting used to. it would be nice if google defined roles within android that applications can be allowed to have (with user's permission) without automatically gaining the ability to destroy the system.

    19. Re:Sweet by swillden · · Score: 1

      Unlocking the bootloader and flashing a ROM requires a backup, wipe, and restore. What's the easiest way for a user to be sure that a backup tool downloaded from Google Play Store actually saved everything in a way that it can restore?

      What apps do you use that need to be backed up? Games, I suppose... if you care about having your progress saved.

      Personally, I don't worry about backup/restore. When I reflash, or get a new device, I just start clean. Pretty much everything I'd care to back up and restore is synced to the cloud anyway, so it just shows up. Android Marshmallow made it particularly slick the most recent time. It asked if I wanted to restore all my apps and stuff from my old phone and it did an outstanding job. Nearly everything was automatically installed and it even laid out my home screen and set my background. It still took a few minutes to set up a few things, and then for a while I was having to log into various apps the first time I used them, but all in all it was quite painless.

      I suppose if you turn off all of the cloud backup options then it would be a different story.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    20. Re:Sweet by aynoknman · · Score: 1

      Drop it in a bucket of water just to be sure.

      --
      We need a "+1 -- nice sig" moderation.
    21. Re: Sweet by Anonymous Coward · · Score: 0

      Android uses SELinux for process confinement, although I'm not sure how fine grained the policy is and whether it's linked to android's app permission system or not. Regardless, SELinux like RBAC provides a mechanism for allowing only certain su level actions by processes rather than granting everything to root.

    22. Re:Sweet by lokedhs · · Score: 1
      You might want to read the entire article summary (no need to even RTFA). Here, I'll help you by even highlighting the relevant part:

      Google released over-the-air firmware updates for its Nexus devices Monday and will publish the patches to the Android Open Source Project (AOSP) repository by Wednesday

    23. Re:Sweet by afidel · · Score: 1

      Wow you're a horse's ass, the second part is the important part for 99.999+% of Android users, they're releasing it to AOSP so that flows into all the other providers' source trees.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  3. Re:CSO Spam by phishybongwaters · · Score: 0

    Learn to count.... This one, then: Posted by samzenpus on Tuesday January 05, 2016 @08:12AM from the new-weapon dept Posted by samzenpus on Monday January 04, 2016 @02:41PM from the like-a-sieve dept. So that's 1 a day, and I stopped looking after hitting "older" 4 or 5 times and not finding a single one. So you are complaining about 3 articles from the same source in 3 days? Have you seen the amount of DICE crap on here? Jesus.

  4. Warm. Fuzzy. Safe. Always in Good Hands. by Anonymous Coward · · Score: 0

    Glad I'm an Android. Wouldn't you like to be an Android too?

  5. Re:CSO Spam by wonkey_monkey · · Score: 0

    If I want to read CSO articles I'll just visit it.

    You could say that about any Slashdot summary. So why come here at all?

    --
    systemd is Roko's Basilisk.
  6. Ask Slashdot : by invictusvoyd · · Score: 2

    A friend of mine uses an android phone offline. He never connects to the internet and never receives any MMS. He only uses inbuilt apps and text and calling. What is the kind of risk he is exposed to?

    P.S. he is not interested in android updates and is only using an android phone because Nokia went bust.

    1. Re:Ask Slashdot : by invictusvoyd · · Score: 0

      Please note he *does* use SMS

    2. Re:Ask Slashdot : by 110010001000 · · Score: 3, Insightful

      A lot. Since he is using text messaging, he can receive a MMS. This MMS can do anything to your phone because of the bugs. You don't even need to open the MMS. You can't prevent getting a MMS if you have text messaging enabled. Also, Google logs everything you do on your phone, so that is a risk as well. Personally I would avoid smart phones entirely if you are worried about security or privacy. Since he never connects to the Internet and never does MMS a simple flip phone will do for him.

    3. Re:Ask Slashdot : by minus9 · · Score: 2

      You can disable the auto retrieval of MMS though.

    4. Re:Ask Slashdot : by idontgno · · Score: 2, Informative

      I don't think you were reading who you were responding to, or read but discounted it.

      PP (Parent Poster) indicates that the hypothetical user isn't connecting to the internet. MMS requires internet connectivity to deliver its "more advanced than SMS" payload. From Wikipedia:

      Technical description

      MMS messages are delivered in a totally different way from SMS. The first step is for the sending device to encode the multimedia content in a fashion similar to sending a MIME message (MIME content formats are defined in the MMS Message Encapsulation specification). The message is then forwarded to the carrier's MMS store and forward server, known as the MMSC (Multimedia Messaging Service Centre). If the receiver is on a carrier different from the sender, then the MMSC acts as a relay, and forwards the message to the MMSC of the recipient's carrier using the Internet.

      Once the recipient's MMSC has received a message, it first determines whether the receiver's handset is "MMS capable", that it supports the standards for receiving MMS. If so, the content is extracted and sent to a temporary storage server with an HTTP front-end. An SMS "control message" (ping) containing the URL of the content is then sent to the recipient's handset to trigger the receiver's WAP browser to open and receive the content from the embedded URL. Several other messages are exchanged to indicate status of the delivery attempt. Before delivering content, some MMSCs also include a conversion service that will attempt to modify the multimedia content into a format suitable for the receiver. This is known as "content adaptation".

      The bolded portion of the last paragraph makes it clear: accessing the multimedia content requires HTTP connectivity via some TCP/IP network, which PP is disallowing in his hypothetical. I think you're describing the Stagefright vulnerability, and it's true that if you allow a vulnerable Android device to access malware MMS multimedia content, the malware will exploit the weaknesses of the Stagefright APIs and pwn the phone. However, most SMS/MMS programs can be configured to not automatically download multimedia content (but rather requiring user action to start the download). This changes Stagefright MMS from a "drive-by" vulnerability to a slightly less risky "requires user consent" one.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
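
Added example, not part of any comment in this thread: a small decoder for the SMS-borne "control message" described in the quoted passage (an MMS `m-notification-ind`), showing that the content URL, sender and size can be read without fetching anything, and how an auto-retrieve setting decides whether the handset goes on to make the HTTP request. It goes beyond the thread by using the binary header encoding from the OMA MMS Encapsulation specification; the sample PDU, sender, URL and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Header field codes from the OMA MMS Encapsulation binary encoding.
FIELDS = {0x8C: "message_type", 0x98: "transaction_id", 0x8D: "mms_version",
          0x89: "from", 0x8A: "message_class", 0x8E: "message_size",
          0x88: "expiry", 0x83: "content_location"}
M_NOTIFICATION_IND = 0x02  # sent on the wire as 0x82 (short-integer, high bit set)

# Constructed sample notification; sender, transaction id and URL are made up.
_SENDER = b"\x80" + b"+15555550100/TYPE=PLMN\x00"   # address-present token + address
SAMPLE = (b"\x8c\x82"                                # message type: m-notification-ind
          + b"\x98T1a2b3\x00"                        # transaction id
          + b"\x8d\x90"                              # MMS version 1.0
          + b"\x89" + bytes([len(_SENDER)]) + _SENDER
          + b"\x8a\x80"                              # message class: personal
          + b"\x8e\x02\x2e\xe0"                      # message size: 12000 bytes
          + b"\x88\x05\x81\x03\x02\xa3\x00"          # expiry: relative, 172800 s
          + b"\x83http://mmsc.example.invalid/mms/retrieve?id=abc123\x00")


def _uintvar(buf, pos):
    """Decode a variable-length unsigned integer (7 bits per octet)."""
    value = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated uintvar")
        octet = buf[pos]
        pos += 1
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            return value, pos


def _read_value(buf, pos):
    """Decode one field value; its first octet tells which encoding is used."""
    if pos >= len(buf):
        raise ValueError("header field without a value")
    first = buf[pos]
    if first <= 31:                      # length-prefixed data (31 = uintvar length)
        length, start = (first, pos + 1) if first < 31 else _uintvar(buf, pos + 1)
        if start + length > len(buf):
            raise ValueError("length-prefixed value runs past end of PDU")
        return buf[start:start + length], start + length
    if first < 0x80:                     # NUL-terminated text string
        end = buf.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated text string")
        start = pos + 1 if first == 0x7F else pos   # 0x7F is a quote octet
        return buf[start:end].decode("utf-8", "replace"), end + 1
    return first & 0x7F, pos + 1         # short-integer


def parse_notification(pdu):
    """Return the fields of an m-notification-ind that matter for triage."""
    raw, pos = {}, 0
    while pos < len(pdu):
        code = pdu[pos]
        if code < 0x80:
            raise ValueError(f"unexpected octet 0x{code:02x} at offset {pos}")
        value, pos = _read_value(pdu, pos + 1)
        raw[FIELDS.get(code, f"field_0x{code:02x}")] = value
    if raw.get("message_type") != M_NOTIFICATION_IND:
        raise ValueError("not an m-notification-ind PDU")

    sender = raw.get("from")
    if isinstance(sender, bytes) and sender[:1] == b"\x80":
        sender = sender[1:].rstrip(b"\x00").decode("utf-8", "replace")
    else:
        sender = None
    size = raw.get("message_size")
    expiry, expiry_seconds = raw.get("expiry"), None
    if isinstance(expiry, bytes) and len(expiry) >= 2 and expiry[0] == 0x81:
        expiry_seconds = int.from_bytes(expiry[2:2 + expiry[1]], "big")
    return {"transaction_id": raw.get("transaction_id"),
            "sender": sender,
            "message_size": int.from_bytes(size, "big") if isinstance(size, bytes) else None,
            "expiry_seconds": expiry_seconds,
            "content_location": raw.get("content_location")}


def retrieval_decision(note, auto_retrieve):
    """Model the client setting: fetch now, or wait for the user to ask."""
    location = note.get("content_location")
    if not isinstance(location, str):
        return "reject"
    url = urlsplit(location)
    if url.scheme not in ("http", "https") or not url.hostname:
        return "reject"
    return "fetch" if auto_retrieve else "hold-for-user"


if __name__ == "__main__":
    note = parse_notification(SAMPLE)
    print(note)
    print(retrieval_decision(note, auto_retrieve=False))
```
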
    5. Re:Ask Slashdot : by Anonymous Coward · · Score: 0

      >Also, Google logs everything you do on your phone, so that is a risk as well.
      If one uses a custom rom such as Cyanogenmod with no accounts linked to Google, how does Google log everything?

    6. Re:Ask Slashdot : by LichtSpektren · · Score: 1

      Please don't give security advice when you don't know what you're talking about. MMS is only a vulnerability insofar that it can embed a dangerous file, but so long as one turns off auto-retrieving MMS files, you're in no danger from it. "Google logs everything you do" is not a security risk, it's a privacy risk, but AFAIK all of the telemetry and cloud services can be turned off if you're willing to tinker with the right settings (unlike Windows 10, which lies to you and tells you the telemetry is off when it isn't).

    7. Re:Ask Slashdot : by 110010001000 · · Score: 1, Insightful

      The default setting is on for MMS apps including the built in Google ones. "but so long as one turns off auto-retrieving MMS files, you're in no danger from it" The vast majority of people aren't going to do this. He is in danger even if he doesn't think he is receiving MMS, because they receive MMS automatically by default. And yes, Google tracks you server side. You cannot turn off the tracking. You are naive if you think you can.

    8. Re:Ask Slashdot : by 110010001000 · · Score: 0

      Hello, he THINKS he is not connecting to the Internet (probably because he claims he doesn't use web browser or email). But since MMS is set to autoretrieve by default on Android, he likely IS connecting to the Internet. He just doesn't know it. Bottom line: if you are worried about security or privacy don't use a Smart Phone (android or not).

    9. Re:Ask Slashdot : by 110010001000 · · Score: 1

      They don't. But that guy isn't using CM. Even with CM the carrier is watching you.

    10. Re:Ask Slashdot : by Anonymous Coward · · Score: 0

      MMS are sent and retrieved over a separate data connection. If you want to prevent your phone from receiving MMS, then you have to delete or vandalize the APN configuration for that connection. Also note that LTE doesn't have "circuit-switched" voice anymore. It's all IP.

    11. Re:Ask Slashdot : by Anonymous Coward · · Score: 0

      MMS programs can be configured to not automatically download multimedia content (but rather requiring user action to start the download).

      My carrier's implementations of MMS will fail if I do not download the message immediately upon receipt. Each manual SMS has a deadline timestamp marker on it. This is T-mobile on both a Froyo Samsung from 2010, and an LG G3 phone from 2014. Basically I have about 1 minute after receiving a text to click on the download button.

      This is particularly annoying when your sender uses an iPhone (at least from Verizon), which apparently wraps simple text messages as MMS for no reason (very stupid for one-liners... Apple's custom SMS logic has to do with this problem). Even a particularly poor internet connection has caused me to need to ask my BOSS for a message to be resent. This doesn't always end up well.

    12. Re:Ask Slashdot : by thegarbz · · Score: 1

      You may consider that in the hypothetical case but not on the realistically configurable case.

      Voice only no data plans exist and will still allow MMS retrieval.
      Disabling of data on the phone is possible but will still allow MMS retrieval.

      MMS are treated differently by the carriers so they are treated differently on the phone as well. There's no reason to assume that no internet means no MMS.

    13. Re:Ask Slashdot : by JackieBrown · · Score: 1

      The default setting is on for MMS apps including the built in Google ones.

      "but so long as one turns off auto-retrieving MMS files, you're in no danger from it"

      The vast majority of people aren't going to do this.

      The vast majority of people would not want to do this.

    14. Re:Ask Slashdot : by Anonymous Coward · · Score: 0

      A lot. Since he is using text messaging, he can receive a MMS. This MMS can do anything to your phone because of the bugs. You don't even need to open the MMS. You can't prevent getting a MMS if you have text messaging enabled.

      Also, Google logs everything you do on your phone, so that is a risk as well. Personally I would avoid smart phones entirely if you are worried about security or privacy. Since he never connects to the Internet and never does MMS a simple flip phone will do for him.

      MMS requires an internet connection. You may get the notification of an MMS over SMS, but you can't get the payload.

    15. Re:Ask Slashdot : by LichtSpektren · · Score: 1

      The default setting is on for MMS apps including the built in Google ones. "but so long as one turns off auto-retrieving MMS files, you're in no danger from it" The vast majority of people aren't going to do this. He is in danger even if he doesn't think he is receiving MMS, because they receive MMS automatically by default. And yes, Google tracks you server side. You cannot turn off the tracking. You are naive if you think you can.

      Um, okay? Nobody says security is idiot proof. There's plenty of ways to get iOS fucked as well, if you're talking about unwise decisions that the vast majority of people will do. My only point was that Android is not insurmountably insecure.

    16. Re: Ask Slashdot : by Anonymous Coward · · Score: 0

      It requires a data connection to retrieve the payload from the carrier's server. This is internal to the carrier's network. No internet needed and many carriers do not count MMS retrieval against data but bill it separately.

  7. This wouldn't be a problem if... by Anonymous Coward · · Score: 0

    ...Google used APP instead of LUDDITE AOSP!

    Apps!

  8. Better late than Never by Anonymous Coward · · Score: 0

    And Google still sucks at life.

  9. Re:mmm by Teun · · Score: 4, Informative

    The article is about Nexus devices, they are supported for many years.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  10. Re:mmm by sanf780 · · Score: 1, Informative

    Do not tell that to Nexus S owners. Still, it is good that at least Google keeps promising long term support.

  11. So clever writing your own multimedia stack by Anonymous Coward · · Score: 0

    It was so clever of Google to write their own multimedia stack instead of just using one that already existed and had these embarrassingly obvious security holes fixed years ago... In some cases by Google themselves via Chrome.
    They just had to do their own incompetent version. When Adobe Flash seems to beat you in security, it would be a good time to think very long and hard about your development process.

    1. Re:So clever writing your own multimedia stack by Anonymous Coward · · Score: 0

      Yes, it was clever of them. How many bugs have been discovered in their Stagefright libraries? 10-15? How many have been discovered in Flash? 300-500? Do the math, idiot.

  12. New old stock as entry-level phone by tepples · · Score: 1

    Many Android devices have a guaranteed update period of time. eg: 2 years for the Moto G (180$).

    Is that two years after you buy one new or just two years after release day? Some carriers sell previous generation phones as entry-level devices. They're "new" in the sense of never having been used since burn-in by the manufacturer, but they're new old stock.

    1. Re:New old stock as entry-level phone by Lunix+Nutcase · · Score: 0

      Motorola hasn't guaranteed what the GP states. Motorola has made promises of things but there's no contract to provide updates.

  13. Still lots of binary blobs by tepples · · Score: 1

    Android is open sores.

    First-stage bootloaders often are not. Nor are device drivers on most phones. And that's even without considering Google Play Store/Services.

    1. Re:Still lots of binary blobs by Anonymous Coward · · Score: 0

      fuck off gnaa

  14. Re:mmm by Anonymous Coward · · Score: 1

    'many years' meaning ~2 years. There's no updates for Nexus 7 2012 or Nexus 4 devices.

  15. Mod up by bogie · · Score: 1

    Or don't. If you don't know that 85% of Android devices won't ever get proper security/platform updates due to Phone/Tablet OEMs being completely clueless regarding security then go back to sleep. Phone companies just want to concentrate on billing you as much as possible per GB and Tablet OEMs? Don't get me started on the glut of crappy Android tablets that have been rushed out the door over the years.

    A total disservice to a solid OS.

    --
    If you wanna get rich, you know that payback is a bitch
  16. Fix bootlocked Kitkat? by emil · · Score: 1

    I'd like to fix my mediaserver and stagefright. I'd run Cyanogenmod, but Verizon prevents me from using an unsigned kernel.

    If I follow these instructions for my Samsung phone, can I pull the mediaserver and stagefright libraries out of the resulting .zip and load them in place of the existing binaries, can I have a running system that closes the exploits? I can likely use the nm utility on the resulting .so and check that all the symbols in the old libraries exist in the new.

    The build process appears to pull from both aosp and cyanogenmod, and I understand that aosp Kitkat has been retroactively patched.
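
The symbol comparison proposed in the post above, as an added example that is not part of the thread or of any project's code: it parses `nm -D` output for the old and the rebuilt library and lists exports that disappeared and imports that are new. The symbol names, the sample nm output and the `parse_nm`/`compare` helpers are constructed for illustration.

```python
"""Compare dynamic symbols of an old and a rebuilt shared library.

Works on the text printed by `nm -D <lib.so>` (GNU binutils format).
Matching names do not prove a matching ABI (argument types, struct
layouts), so this check is necessary before a swap, not sufficient.
"""
import subprocess


def nm_dynamic(path):
    """Return `nm -D` output for a shared object on disk."""
    return subprocess.run(["nm", "-D", path], check=True,
                          capture_output=True, text=True).stdout


def parse_nm(text):
    """Split nm output into (defined, undefined) sets of symbol names."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:                      # "<address> <type> <name>"
            defined.add(fields[2])
        elif len(fields) == 2 and fields[0] in ("U", "w", "v"):
            undefined.add(fields[1])              # no address: an import
    return defined, undefined


def compare(old_nm, new_nm, providers=()):
    """Report what could break if the new library replaces the old one.

    providers: nm output of other libraries already present on the device.
    """
    old_def, old_undef = parse_nm(old_nm)
    new_def, new_undef = parse_nm(new_nm)
    available = set()
    for text in providers:
        available |= parse_nm(text)[0]
    new_imports = new_undef - old_undef
    return {
        # Exports other binaries may link against that the rebuild lacks.
        "missing_exports": sorted(old_def - new_def),
        # Imports the old build never needed; the device must supply them.
        "new_imports": sorted(new_imports),
        # New imports that none of the given provider libraries define.
        "unresolved": sorted(new_imports - available),
    }


# Constructed sample data (not taken from any real Android library).
OLD_NM = """\
00012340 T media_open
00012500 T media_parse_box
00012800 T media_legacy_seek
         U malloc
         U memcpy
"""
NEW_NM = """\
00012340 T media_open
00012620 T media_parse_box
00013000 T media_parse_box_checked
         U malloc
         U memcpy
         U safe_size_mul
         U log_overflow_event
"""
PROVIDER_NM = """\
00004100 T safe_size_mul
"""

if __name__ == "__main__":
    for key, names in compare(OLD_NM, NEW_NM, [PROVIDER_NM]).items():
        print(f"{key}: {names}")
```

For real files, pass `nm_dynamic(path)` for each library instead of the constructed strings; an empty `missing_exports` and an empty `unresolved` list are the minimum before replacing a library.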

    1. Re:Fix bootlocked Kitkat? by clonehappy · · Score: 1

      I hate to be this guy, but why do you run a device that won't let you install your own software? I don't mean to say you shouldn't use Android, but my Verizon LG G3 at least allows me to root it and install a custom recovery so I can run Cyanogenmod or whatever other custom builds I'd like.

      This is why I would never buy a Samsung phone, way too locked down for what I want to do with it. I have an iPhone and an iPad for all of my walled garden needs, I refuse to accept the same from Android. If the day ever comes where I am unable to find suitable hardware to run the way I see fit, I just won't use it any longer. If I'm forced into a walled garden, I'll use Apple's because at least they don't try to pretend they aren't one.

    2. Re:Fix bootlocked Kitkat? by Anonymous Coward · · Score: 0

      so stop buying phones without sim cards. i've never been told i can't run my phone on someone's network because of software.

    3. Re:Fix bootlocked Kitkat? by emil · · Score: 1

      I do agree, it was a mistake. I bought the phone because Cyanogenmod's website said that it was compatible, and I didn't thoroughly research it. I'm now running Alliance, and pondering a hardware service that can unlock the bootloader for $80.

      I need Verizon because we have repeaters for it at work. I hate those people, and I'm on an mvno.

    4. Re:Fix bootlocked Kitkat? by Anonymous Coward · · Score: 0

      What? The Verizon Samsung Android phones all have SIM cards. What does having a SIM card have to do with the bootloader being locked to only boot a signed kernel?

  17. Re:mmm by iampiti · · Score: 1

    Yeah, I love Android but the update policy is atrocious. I'm not for Google gaining an Apple-like control of the OS - I think the enhancements by the OEMs are sometimes valuable - but security updates should definitely be managed in a better way.

  18. Re:mmm by Anonymous Coward · · Score: 1

    Do not tell that to Nexus S owners. Still, it is good that at least Google keeps promising long term support.

    Google doesn't "keep promising" long-term support. Google has a specific support policy for Nexus devices: Security patches are provided for three years from the date the device goes on sale in the Play Store, or 18 months from the date the last device is sold from the Play Store, whichever is longer. Major upgrades are provided for two years from the date the device goes on sale.

    Some may wish those support durations were longer, but AFAIK, Google is the only seller of mobile devices that offers any firm (and legally binding) commitment on updates. In practice, Apple does a reasonably good job with supporting older hardware, but they do not make any commitments.

    The Nexus S was released in 2010, so it has been out of support for both security fixes and upgrades for quite some time.

  19. Blocked by tepples · · Score: 1

    I wasn't aware that U.S. carriers were even allowing international calls by default without letting the subscriber set up and agree to a rate plan for them. Otherwise, an app that takes the dialer permission for itself would just get "This number is blocked."

  20. Re:mmm by Anonymous Coward · · Score: 0

    'many years' meaning ~2 years. There's no updates for Nexus 7 2012 or Nexus 4 devices.

    Upgrades for two years. Security updates for three years, or 18 months from the date the device is withdrawn from the Play Store, whichever is longer.

  21. Re:mmm by sociocapitalist · · Score: 1

    The article is about Nexus devices, they are supported for many years.

    Well that's the point isn't it. The updates are available for Nexus devices but the vulnerabilities are in Android...of which the vast majority are not Nexus devices and do not have, and never will have, security updates for these vulns.

    --
    blindly antisocialist = antisocial
  22. Incompetence by Anonymous Coward · · Score: 0

    Why is file metadata parsing and media playback executing as root in the first place?

  23. Re:mmm by Anubis+IV · · Score: 1

    The article is about Nexus devices

    Which is all well and good, but that doesn't change the fact that the vulnerability is a part of Android, hence why Google is also having to push the fixes out to AOSP. As such, while the OP may be trolling a bit, their concern remains a valid one: how many of the handset manufacturers that have utilized a vulnerable version of AOSP will push these fixes out to their handsets?

  24. So, for me to get this patch by fustakrakich · · Score: 1

    I have to toss my perfectly good Galaxy Nexus into the bin, and buy a new phone? How sweet! The upgrade treadmill is fully operational..

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:So, for me to get this patch by LichtSpektren · · Score: 1

      I have to toss my perfectly good Galaxy Nexus into the bin, and buy a new phone? How sweet! The upgrade treadmill is fully operational..

      I'm not happy that Google doesn't update the Galaxy Nexus anymore, but you still have CyanogenMod if you want to keep getting security updates for your phone: http://download.cyanogenmod.co...

    2. Re:So, for me to get this patch by BronsCon · · Score: 1

      Or, install Chroma (6.0.1 on an over 4 year old phone FTW) or CM (not sure what Android version the current release for the Galaxy Nexus is based on) and get on with your life. Chroma even includes a few additional features like split-screen windowing.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  25. Whew! by ThatsNotPudding · · Score: 1

    Just in time! I got the Lollipop update with the Stagefright fix on my Verizon Moto G two months ago.

    Since then I was starting to get the DTs from not having any Android vulnerabilities. Thanks all around!

  26. Helium or Carbonite? by tepples · · Score: 1

    Just to be sure, did you mean ClockworkMod Helium (formerly Carbon), or did you mean Carbonite? I'm guessing Carbonite is responsible for the rename to Helium.

  27. Re:mmm by BronsCon · · Score: 1

    And here's another point: Google made their support promise for Nexus devices legally binding, while other manufacturers, including Apple have not. If you want guaranteed support for some predetermined period, you get a Nexus device, period. If you really don't care about getting updates or security (in which case, shut the hell up already), then you buy something else.

    While Apple has generally been good about long term device support, there is nothing indicating that they will continue to be. As my wife is an iPhone user and her and I are both iPad users, I certainly hope they keep it up, but I'll be neither surprised nor disappointed if they do not; I knew what I was buying when I bought it.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  28. Re: mmm by kb7oeb · · Score: 1

    Nexus 7 2012 and Nexus 4 are not getting security patches, look at the official image build versions, they are not current for lollipop.

  29. Re:mmm by Anonymous Coward · · Score: 0

    The article is about Nexus devices, they are supported for many years.

    Well that's the point isn't it. The updates are available for Nexus devices but the vulnerabilities are in Android...of which the vast majority are not Nexus devices and do not have, and never will have, security updates for these vulns.

    You get what you pay for. Stop buying cheap piece-of-shit devices.

  30. Re:mmm by sociocapitalist · · Score: 1

    And here's another point: Google made their support promise for Nexus devices legally binding, while other manufacturers, including Apple have not. If you want guaranteed support for some predetermined period, you get a Nexus device, period. If you really don't care about getting updates or security (in which case, shut the hell up already), then you buy something else.

    While Apple has generally been good about long term device support, there is nothing indicating that they will continue to be. As my wife is an iPhone user and her and I are both iPad users, I certainly hope they keep it up, but I'll be neither surprised nor disappointed if they do not; I knew what I was buying when I bought it.

    Sure, and I knew what I was buying when I got my Android based Marshall music player (which also happens to be a normal Android phone but I chose it for the sound quality so I'm calling it a music player ;-) ), and I accept the fact that it's insecure - which does not mean that I like the fact that it's insecure.

    As such, until and unless the Android model changes I'll continue to complain about it as publicly as possible in the hope that enough people will complain to Google that something gets done about it.

    --
    blindly antisocialist = antisocial
  31. Re: mmm by BronsCon · · Score: 1

    And Google can do approximately...nothing about it. Google isn't the one releasing, then not updating, devices.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  32. Re: mmm by sociocapitalist · · Score: 1

    And Google can do approximately...nothing about it. Google isn't the one releasing, then not updating, devices.

    Sorry but no.

    Google owns the OS, the architecture for the OS and the model of distribution for that OS.

    If Google were to abstract the hardware layer from the rest of said OS, allowing hardware vendors to provide only drivers and forcing telephone service providers to not block the distribution of Android then there would be no problem.

    The model is broken.

    --
    blindly antisocialist = antisocial
  33. Re: mmm by BronsCon · · Score: 1

    Uhm... It's Linux, the hardware layer is abstracted, it does use drivers, and hardware manufacturers need only provide drivers. Also, whether the hardware layer is abstracted from the OS or not has nothing to do with whether or not providers can block distribution of firmware; the manufacturers work out their own contracts under which the carrier sells their devices and the carrier often demands this. Google has no say in a carrier's negotiations with a device manufacturer. My pipe is empty, can you please share some of whatever it is that you're smoking? Seems like some good stuff and I could use a good day trip.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  34. Re: mmm by sociocapitalist · · Score: 1

    "My pipe is empty, can you please share some of whatever it is that you're smoking? Seems like some good stuff and I could use a good day trip."

    Why do people on this site have to be dicks?

    --
    blindly antisocialist = antisocial
  35. Re: mmm by BronsCon · · Score: 1

    If, by that, you mean why do they have to spout off about things they don't understand, that's a question for you to answer. I've grown tired of trying to educate people and getting shit on for it, so this has become my approach: the pre-emptive attack. Blame your fellow slashdotters for making me this way, because it's a relatively recent development.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  36. Re: mmm by sociocapitalist · · Score: 1

    If, by that, you mean why do they have to spout off about things they don't understand, that's a question for you to answer. I've grown tired of trying to educate people and getting shit on for it, so this has become my approach: the pre-emptive attack. Blame your fellow slashdotters for making me this way, because it's a relatively recent development.

    Take responsibility for your own actions.

    Have a wonderful day :-D

    --
    blindly antisocialist = antisocial
  37. Re: mmm by BronsCon · · Score: 1

    Likewise. You know, for spouting off about shit you don't understand.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  38. Mouse Slip on Comment Mod: Windows 10 by IceAgeComing · · Score: 1

    Hi Licht,

    My mouse failed when I was moderating one of your Windows 10 comments, and I accidentally selected "Redundant" instead of "Insightful". I wanted to let you know, and this was the only way I knew how without undoing my other mods.