900M Android Devices Vulnerable To New 'Quadrooter' Security Flaw

An anonymous Slashdot reader quotes a report from CNET: Four newly-discovered vulnerabilities found in Android phones and tablets that ship with a Qualcomm chip could allow an attacker to take complete control of an affected device. The set of vulnerabilities, dubbed "Quadrooter," affects over 900 million phone and tablets, according to Check Point researchers who discovered the flaws. An attacker would have to trick a user into installing a malicious app, which wouldn't require any special permissions. If successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
The flaw even affects several of Google's own Nexus devices, as well as the Samsung Galaxy S7 and S7 Edge, according to the article, as well as the Blackberry DTEK50, which the company describes as the "most secure Android smartphone." CNET adds that "A patch that will fix one of the flaws will not be widely released until September, a Google spokesperson confirmed."

News?

Being?

Typical Google

It's like they're the new Microsoft.

Re:Typical Google

[epyT-R]

If you read the summary you'd know this is a flaw in silicon, not android. Blame qualcomm not google for this one.

Re:Typical Google

If this were a similar fault on an Apple device,you know that the bulk of the submitters here would be showing them no mercy.

Re: Typical Google

Not surre what you mean.

APL fans will praise them because they can jb their device. It's not a big, it's a feature.

Also, it'll be just 8 i os versions affected, not 2 billion - anything to make it sound small. 900 million Android devices is less than 1â.... It was almost a year ago Google celebrated 1 billion activated devices.

Re:Typical Google

[scdeimos]

Um, no...

QuadRooter vulnerabilities are found in software drivers that ship with Qualcomm chipsets.

http://blog.checkpoint.com/201...

Re: Typical Google

Your post is what he means.

Re:Typical Google

[fustakrakich]

An attacker would have to trick a user into installing a malicious app

That doesn't sound like it's the silicon's fault to me, but what the hell do I know?

Re:Typical Google

[epyT-R]

Well, the GP blamed google.. The language of the summary made it sound to me like it was a fault in the silicon.. Turns out both statements are wrong. It's qualcomm's drivers. I stand corrected.

Re:Typical Google

[epyT-R]

Well, it seemed to me when I first read the summary that it was a hw problem.. It's not. it's drivers provided by qualcomm.. If apple was using the same drivers they'd be just as blameless as google is.

Re:Typical Google

> If this were a similar fault on an Apple device

If it came from the chip that Apple designed, then everyone would be correct to do so.

Re:Typical Google

Google decided to do business with apparently an incompetent company. So, of course you can blame Google.

Re:Typical Google

[peragrin]

while true, Apple would also spend the time an have 80% of all IOS devices updated in 3 months, were by this time next year less than 100 million andriod devices will have the update.

Andriod has a severe update problem that isn't going away. google was smart enough to bake a decent amount of security in to start with, but I still keep expecting a massive worm attack.

Re: Typical Google

[Karlt1]

Have you ever heard Apple make the excuse that it's the fault of a third party driver when there is a security issue with iOS? I doubt that Apple would accept any binary only drivers from someone who produces its chips.

Re:Typical Google

It's Google's fault that it has allowed updating being up to the device manufacturers and service providers, so no updates for most devices. It's no help to anyone to know there's a fix, if their phone does not get the fix. The original fault is of course Quallcomm's.

Re:Typical Google

[chill]

And rightfully so, considering Apple designs their own processors and codes the drivers now.

Re:Typical Google

[chill]

You're forgetting the difference between a flaw and the path to exploiting a flaw. The flaw can exist in silicon, but it needs software to exploit it. You can safely run flawed code all day if you are in tight control of the software executing on the system. It isn't until you run untrusted code that you have a problem.

This is why Java is such a vector. Once you connect it to a browser, you're blindly running someone else's untrusted code on your JVM.

When Java is used in an EE environment, not hooked to a browser, then it is much safer simply because exploit code doesn't have a path to any flaw.

Re:Typical Google

Since it requires installing an app to take control I would say that it is a "feature" that allows users to get root access on their own phones regardless of what the vendor thinks.

Re:Typical Google

[macs4all]

Well, it seemed to me when I first read the summary that it was a hw problem.. It's not. it's drivers provided by qualcomm.. If apple was using the same drivers they'd be just as blameless as google is.

Yes they would; however, a YUGE percentage of Slashdotters would still blame Apple, just because.

Don't even try to deny it. Seen it happen too many times...

Re: Typical Google

[macs4all]

Have you ever heard Apple make the excuse that it's the fault of a third party driver when there is a security issue with iOS? I doubt that Apple would accept any binary only drivers from someone who produces its chips.

Apple tends to roll their own drivers, even for third-party chips.

Re: Typical Google

are you insane? how is this google's fault? EVERYONE makes android phones/chipsets. this is like blaming Linus/Bill Gates for a fault in Nvidia's drivers.

Re: Typical Google

are you crazy? how is this google's fault? EVERYONE makes android phones/chipsets. this is like blaming Linus/Bill Gates for a fault in Nvidia's drivers.

Chalk one up for iOS

[MouseR]

The Apple haters will be silent tonight

Re:Chalk one up for iOS

[93+Escort+Wagon]

The Apple haters will be silent tonight

You might want to go read the past Slashdot discussion threads about previous Android flaws, and then reconsider your statement.

Re:Chalk one up for iOS

[markdavis]

>"Chalk one up for iOS"

Um, no.

1) Don't sideload apps unless you REALLY know what you are doing. You can't even officially DO that on iOS. So if you treat Android like iOS and don't change the default to NOT sideload and ignore all the warnings, then you are probably just fine.

2) All mine are Nexus and likely to be updated quickly.

Re:Chalk one up for iOS

Just owning all the Abble products isn't enough to make one completely ghey; you have to get shot in an Orlando gay bar. Even if you DID jack off while wearing the iWatch, it wouldn't give them your pulse correctly since Abble has such a closed ecosystem, its not like GNU is gonna help them. HOWEVER Abble users switching to teh Lunix is *PROOF* that homosexuality is a *choice* and IT CAN BE CURED The one time I went to the Abble store at the mall, the resident ghey Socialst came up to me in his Speedos and offered me a tiny cup of Froot Loops; he explained that sadly, they had to cut back on the portion size because they were running out of money. I politely turned them down because I wasn't sure what they were glazed with. And his iWatch had the wrong time.

Re:Chalk one up for iOS

[Dutch+Gun]

Personally, I've never understood why people pick sides and root for 500 billion dollar corporation X versus 500 billion dollar corporation Y like they're a sports team. Console vs console or console vs PC wars are equally inane to me. Where's the virtue in being wedded to a single platform? Is being techo-polygamous a bad thing?

Anyhow... considering that this requires installing a malicious app, the chances of most people getting hit with this are pretty low, especially now that app stores know what to look for. These sorts of issues are only a real problem when you can get infected with a drive-by SMS message or something like that.

Re:Chalk one up for iOS

I love it how when a security vulnerability is found on Apple devices it's reported as "New way discovered to jailbreak your phone!", but when it happens to Android it's "Android devices vulnerable to attack!"

Re:Chalk one up for iOS

[Bing+Tsher+E]

No, I will still hate Apple the company. For who they are and who they have been historically. I've hated them since Steve Jobs stood up on a platform and boasted of the new 'Hacker Proof' Macintosh at product introduction.

That was in the old days, and hacker had the meaning we all still wish it did.

Other crimes Apple committed include suing all the third party GUI vendors out of business. They ran the GEM desktop and the GEOS desktop off the market. They sued and drove out of business everybody but Microsoft's GUI. In effect they created the Windows monopoly we have today. Fuckers. Fuck Apple.

Re:Chalk one up for iOS

[Zeio]

I think ALL of us jailbreakers and rooters should celebrate this. Now I might be able to push an adaway hostfile with 875K worth of junk hosts of malware, ads, adware, gambling and other cruft blocked. I cant believe I need to wait for a flaw like this to update the hosts file on the phone I own.

This weaponizing of opensource software to do things like make it impossible to edit /etc/hosts with malware blocks is unreal.

Re:Chalk one up for iOS

Personally, I've never understood why people pick sides and root for 500 billion dollar corporation X versus 500 billion dollar corporation Y like they're a sports team.

I don't get it either. I use the product I want to use and I don't give a flying fark what a bunch of nameless, faceless internet monkeys think or say.

Re:Chalk one up for iOS

[tlhIngan]

I think ALL of us jailbreakers and rooters should celebrate this. Now I might be able to push an adaway hostfile with 875K worth of junk hosts of malware, ads, adware, gambling and other cruft blocked. I cant believe I need to wait for a flaw like this to update the hosts file on the phone I own.

This weaponizing of opensource software to do things like make it impossible to edit /etc/hosts with malware blocks is unreal.

Except Android doesn't use /etc/hosts. That's a function of the stub resolver in the C library you use, and the Android C library simply doesn't support it.

Re:Chalk one up for iOS

[arth1]

Where's the virtue in being wedded to a single platform? Is being techo-polygamous a bad thing?

It increases your attack surface. It's safer to be a serial-monogamist.

Re:Chalk one up for iOS

[Solandri]

iOS actually has a lot more vulnerabilities than Android. Most of the folks in the press are just enamored by Apple, so they downplay stories about flaws in iOS, while publicizing stories about flaws in Android to try to warp reality to fit their biases.

Re:Chalk one up for iOS

[dinfinity]

For me it is not about Google vs Apple, but Android vs iOS and the philosophies behind them.

I believe in open platforms being better for mankind in the end, warts and all.

Re:Chalk one up for iOS

[cvdwl]

They sued and drove out of business everybody but Microsoft's GUI.

There's this thing called Linux. I'd recommend taking a look at it.

Re: Chalk one up for iOS

[Karlt1]

How would downloading apps only from the Google Play store prevent apps from taking advantage of a security flaw in Android?

Re: Chalk one up for iOS

[Karlt1]

Did you notice how many of those vulnerabilities have already been patched? The latest version of iOS 9.3.3 is compatible with every iOS device sold since September 2011 and was available for every iPhone regardless of carrier the day it was released.

Re: Chalk one up for iOS

[tepples]

First, Google Play Store has a filter called Bouncer that attempts to detect known malicious attacks in APKs. Second, if a malicious app does slip past Bouncer, it can be reported to Google.

Re:Chalk one up for iOS

[tepples]

In the 1980s when Apple was busy suing DRI over GEM, XFree86 didn't exist yet.

Re:Chalk one up for iOS

Not really. This is a root app. Any time an iPhone can be jailbroken, that's because it was vulnerable to a root app.

Re:Chalk one up for iOS

[Rob+Y.]

...especially when the real problems are 500 billion companies Samsung and Verizon.

I'm oddly finding myself thinking that this exploit could actually be used to enhance security on phones with locked bootloaders and unreliable updates from their manufacturers. I'm seriously considering buying an Axon 7, because the hardware looks great. But if I can't install ROMs to keep the thing current on security updates, I don't want it. To tell the truth, even if ZTE were to provide timely updates for the first 2 years, I'd be seriously on the fence. My current phone, a Nexus 4, is no longer supported by Google, but I still have it up to date thanks to its unlocked bootloader. I don't know if Google likes that or not, but I suspect they're fine with it. ZTE, on the other hand, would definitely prefer for me to shove the thing in a drawer and buy a new one after two years, which sucks - but happens to coincide nicely with content providers that don't want you to have root access. We've reached the point where buying new hardware in order to keep up with new OS features is a losing game, and the industry needs to learn to live with a 5 year upgrade cycle - cause that's where it's going, if only consumers would insist on it...

Re:Chalk one up for iOS

The desktop environments on Linux are so terrible they put themselves out of business.

Re:Chalk one up for iOS

So adaway doesnt work? Wrong. /system/etc/hosts, /data/data/hosts does work. BZZZT.

Re:Chalk one up for iOS

[jofas]

I think you misunderstand what "up to date" means...

1. Unless you're positve of the clean & germ-free source, you are making an inherently risky move in installing a Marshmallow ROM or whatever reverse-engineered AOSP clone is floating out there.

2. Speaking of reverse-engineering, taking the ICS 4.0.x drivers and tweaking them to work with Marshmallow does not constitute a good security patching policy.

The updates spoken of here are not merely OS-baked-in ones, but also any actual firmware updates for radio, touchscreen, etc. These are almost never touched by modders and certainly never patched for security reasons.

Full disclosure, I do root & ROM as well, but I accept certain security risks in doing so that I mitigate otherwise.

Re:Chalk one up for iOS

[jofas]

Try again. Literally the first thing on adaway's front page: https://adaway.org/

Re:Chalk one up for iOS

[macs4all]

The Apple haters will be silent tonight

Unfortunately not.

Re:Chalk one up for iOS

[macs4all]

Don't sideload apps unless you REALLY know what you are doing. You can't even officially DO that on iOS.

Actually, if you have XCode 7, you can. No Jailbreaking needed.

Re:Chalk one up for iOS

[macs4all]

They sued and drove out of business everybody but Microsoft's GUI.

There's this thing called Linux. I'd recommend taking a look at it.

Not strong enough.

There's this thing called Prozac. I'd recommend him taking a look at it.

Re:Chalk one up for iOS

[macs4all]

hey sued and drove out of business everybody but Microsoft's GUI.

They sued the FUCK out of Microsoft, too. Or did you conveniently forget that fact?

Re: Chalk one up for iOS

[the_humeister]

XFree86, no but X did exist though

Re:Chalk one up for iOS

[macs4all]

Except Android doesn't use /etc/hosts. That's a function of the stub resolver in the C library you use, and the Android C library simply doesn't support it.

But, but, don't all the Slashtards and Fandroids crow about how Android == Linux, and how Android's popularity (mostly because of the proliferation of shitbox throwaway freephones) somehow means that Linux has some insanely-high marketshare?

So, I guess Android == Linux only for certain limited values of "equals", right?

Re:Chalk one up for iOS

[Rob+Y.]

Well, I'm guessing you wouldn't advise leaving my N4 on the last-supported Kit-Kat version. I'm using Cyanogenmod 13, which is a pretty well-known commodity. It may have some of its own bugs, but it also has some of its own security enhancements - like the ability to turn root on and off on demand.

Re:Chalk one up for iOS

re: your comment... I once, in a /. thread, told an obvious kid who couldn't understand why the two sides (Android & Apple devotees) were always fighting. The teenaged kid just wanted to be able to enjoy his Apple iPhone. I told him that they are both amazing devices that are basically computers with antennas with a different os. Apps are all programs, nothing special to see there. And that if he was happy with his iDevice, that that's all that matters. This b.s. between which company sells us out the least is getting us nowhere.

You can read more of this story...

[ChunderDownunder]

Eds, why not check the article and link directly to zdnet and not the 'sister' publication?

Rooted phone?

[Razed+By+TV]

Does this mean I might get to root my otherwise unrootable phone?

Re:Rooted phone?

[inode_buddha]

Sounds like you get to share root.... but thats pretty gross if you know what I mean

Re:Rooted phone?

I know for some of you nerds the relationship that has gone furthest for you is between you and your gadgets but no, i don't know what you mean and i don't want to know.

Re:Rooted phone?

[Wycliffe]

Does this mean I might get to root my otherwise unrootable phone?

I was thinking the same thing. Someone please publish the exploit on github so I can compile it and root my own phone.

Re:Rooted phone?

[nevermore94]

Sign me up. I am ready for your one-click Qualcomm root exploit app.

Re:Rooted phone?

[shione]

Better yet, can it beat knox so it doesn't nullify your warranty (according to the manufacturer).

Fuck iOS

[Gojira+Shipi-Taro]

I prefer my devices allow me to do as I wish with the content I already own. I like Android devices a lot better, and I'm someone who does pay for content and apps. I just refuse to do it multiple times.

What the fuck does a bug that requires social engineering and ignorant users installing sketchy software have to do with apple's alleged superiority? I have an iPad that a RARELY use. It has its place in my studio, but I haven't set that up since moving. For everything else, I prefer either my Samsung tablet with a proper screen ratio for reading comics without scrolling, or any of my other Android devices that don't try to nickle and dime me for every single fucking thing I do.

So much for Apple haters being silent.

Re:Fuck iOS

[DavidRavenMoon]

I prefer my devices allow me to do as I wish with the content I already own. I like Android devices a lot better, and I'm someone who does pay for content and apps. I just refuse to do it multiple times.

What the fuck does a bug that requires social engineering and ignorant users installing sketchy software have to do with apple's alleged superiority? I have an iPad that a RARELY use. It has its place in my studio, but I haven't set that up since moving. For everything else, I prefer either my Samsung tablet with a proper screen ratio for reading comics without scrolling, or any of my other Android devices that don't try to nickle and dime me for every single fucking thing I do.

So much for Apple haters being silent.

Spoken like someone who has never used an iOS device. Why would you pay multiple times? Why pay at all? All my content is on both of my iPhones, iPad, and my Mac. And much of that came from my own CDs and DVDs, etc. I have 37,918 songs in iTunes. Much that is from my CD and even vinyl collection. Some I bought on iTunes, Amazon, BandCamp, etc. Every one of those is available on my iPhone. Also, you do know you can download anything you want to an iOS device? Just get the free Documents app from Readle. That's another dumb argument I hear all the time. As far as "proper" aspect ratio. For web browsing, the 4:3 aspect ratio works far better than the 16:10. For reading books and magazines, the 4:3 aspect ratio is again better than the 16:10. Magazines fit better on a 4:3 aspect ratio screen than on a 16:10 aspect ratio screen. Maybe you ned a better comic reader. 16:10 and 16:9 is better for watching movies and TV shows. Maybe Apple haters should learn what they are taking about first.

Re: Fuck iOS

Why are you limiting your entire 19"+ inch screen to just one browser window? I guess it's because APL devices are for simpler folk.

I like having my contact list for a messenger/email/sms on the short edge. The other short edge is my launcher / start bar. Plus, virtually 100â... video content and 99% of games and productivity apps show more on wide screen (even browser / Flash based ones). It would feel claustrophobic on such a small looking screen.

Re:Fuck iOS

[exomondo]

What the fuck does a bug that requires social engineering and ignorant users installing sketchy software have to do with apple's alleged superiority?

Is it not obvious that it's pretty serious when the security of a system can be completely subverted by a non-privileged program? Regardless of whether you have bought into idiotic platform flamewars you can't argue with the fact that any platform that has a bug like this has a serious problem compared to the competition. What is odd is that one of the most commonly presented advantages for Android over iOS is the ability to sideload apps and install apps from non-official app stores thus giving the user control of their device, then a bug like this appears and all of a sudden Android fans act like this is something no sane person would ever think of doing.

Platform wars are moronic but the fascinating thing is the way the logic of the fanboys flips around depending on the current news. ...not to mention reading comprehension is the next thing to go and as a result I'll probably get branded and "apple fanboy" or a "shill" somewhere after this post.

Re:Fuck iOS

[xvan]

What would prevent a bugged android apk to be delivered via the playstore? Are the gatekeepers that trustworthy?
I don't trust them, but I did trust android permissions to (at least) identify apps with strange behaviours. Seems I was wrong and I'll need to stop installing crap.

This is a serious bug, but iOS security superiority is not on its walled garden, but in its timely OS updates.

Re:Fuck iOS

[exomondo]

What would prevent a bugged android apk to be delivered via the playstore?

Nothing, in fact I believe it has happened multiple times before.

This is a serious bug, but iOS security superiority is not on its walled garden, but in its timely OS updates.

Correct, but this isn't really about the walled garden. You can sideload apps on iOS too if you have XCode7, but there is no (known) privilege exploit that allows a userland application to get full privileges.

Re:Fuck iOS

[fluffernutter]

but there is no (known) privilege exploit that allows a userland application to get full privileges.

If the cost of that is not being able to access the damn filesystem and having everything running in it's own little isolated compartment, I'll just use Android and try not to install malicious apps thanks.

Re:Fuck iOS

iOS devices don't have a user accessible file system. FULL STOP! You can't even download an MP3 file from a website using Safari on iOS. That right there makes it complete shit for anyone with more than half a brain. And that's why I won't ever use an iOS device. I prefer not to suck iTunes dick every time I want to transfer a file to my device.

Re:Fuck iOS

[Archangel+Michael]

My android gets its security updates every month. Nexus 6P updated just a couple days ago, with the Aug update. I expect another one in Sept, probably one that fixes this one. Let me know when Apple ships timely monthly updates.

Re:Fuck iOS

[macs4all]

iOS devices don't have a user accessible file system. FULL STOP! You can't even download an MP3 file from a website using Safari on iOS. That right there makes it complete shit for anyone with more than half a brain. And that's why I won't ever use an iOS device. I prefer not to suck iTunes dick every time I want to transfer a file to my device.

Bullshit, Bullshit, Bullshit.

While it is true that iOS doesn't directly provide access to the file-system heirarchy, there are Apps, such as GoodReader, that for the most part provide excellent file-management and file-transfer functionality.

And as far as "can't download an MP3 from Safari", that is TOTAL bullshit. I just tested exactly that on iOS 9 on my iPhone 6+. No iTunes involved (and BTW, there is no "iTunes", per se, on iOS).

Re:Fuck iOS

[macs4all]

but there is no (known) privilege exploit that allows a userland application to get full privileges.

If the cost of that is not being able to access the damn filesystem and having everything running in it's own little isolated compartment, I'll just use Android and try not to install malicious apps thanks.

So, you are actually arguing against robust sandboxing? In 2016? On a Mobile Device?

Most users (yes, even Android Users) couldn't care less to paw through a filesystem heirarchy. In fact, the decision to make each app manage its own files in iOS was not borne out of some need to "lock down" user-choice; but rather, to keep a simple device simple for NON-computer-savvy people to use.

That's what you idiots need to get through your pin-heads: Not everyone is comfortable traversing a full-blown filesystem. In fact, even advanced users occasionally (more than they would admit) have to search for stuff they have "misfiled" on their computers.

Re:Fuck iOS

[macs4all]

My android gets its security updates every month. Nexus 6P updated just a couple days ago, with the Aug update. I expect another one in Sept, probably one that fixes this one. Let me know when Apple ships timely monthly updates.

Fortunately, they don't seem to have vulnerabilities du-jour; but when they do, they generally push out an update in a pretty timely fashion, and for MUCH longer than any, or nearly any, Android device.

Re: Fuck iOS

[the_humeister]

Can you download pictures and videos via Safari? no

Re:Fuck iOS

..I have 37,918 songs in iTunes. Much that is from my CD and even vinyl collection. Some I bought on iTunes, Amazon, BandCamp, etc. Every one of those is available on my iPhone.

I have 33,643 audio files on my server, a lot of them full albums, not just 'songs'.

On my home LAN I can access them from IOS on both the ipad and iphone, Android on the phones and tablets, OSX, Linux (the predominant OS on my machines), *BSDs, Windows 7 and XP, Solaris, Irix, QNX, and any DNLA compliant device (the 360, mainly)..

At work, I can access them from the Win7 boxes as a specific secure share from my home network to the work network I normally 'reside' on, failing that, if I'm slumming it elsewhere at work, VPN access, failing that, https access to the server and running Ampache or nextcloud.

Anywhere else with a reasonable network connection, VPN, or via https using any web browser using Ampache or nextcloud on my server, or via software which 'talks the talk', or via sftp, or via scp, or via an .onion address (pushing it.....)

iTunes, you say?, how quaint....(and limiting)

Re:Fuck iOS

[fluffernutter]

So they don't have to if they don't want to. The point is really the fact that the option is useful to some people.

Re: Fuck iOS

[macs4all]

Can you download pictures and videos via Safari? no

First, I assume you mean MOBILE Safari.

Second, you have moved the goalposts; but I would imagine it depends on certain factors. However in Mobile Safari, if I "long-tap" on an Image, it brings up a contextual menu. One of the selections is "Save Image". If I choose that, the image (picture) goes to my "Photos" library. Sounds "Downloaded" to me.

With videos, it appears you cannot download from Safari directly; however, GoodReader has web-browsing capabilities, and you can certainly Download (and Play) directly from that App. So, obviously, iOS doesn't keep you from Downloading video; they just didn't build that into Mobile Safari (that I know of). Chrome may allow it directly, although it doesn't seem to.

So, out of the 3 examples, 2 were able to be handled by Mobile Safari directly, and one with a readily available and very popular App.

If that's too hard for you, may I recommend a Flip-phone?

Re:Fuck iOS

[macs4all]

So they don't have to if they don't want to. The point is really the fact that the option is useful to some people.

The option to what, exactly? Pull down their pants and wag their nekkid ass in the air, waiting for the next available hard dick? Because that's about the equivalent to what you are touting as a "useful option".

Re:Fuck iOS

[exomondo]

If the cost of that is not being able to access the damn filesystem and having everything running in it's own little isolated compartment, I'll just use Android and try not to install malicious apps thanks.

But that isn't the cost of it, the fact that not every process should be able to just run with root privileges whenever it wants is a pretty fundamental part of any modern operating system and indeed is not incompatible with the ability to access the filesystem.

Re:Fuck iOS

[exomondo]

It's not about monthly updated, it's about timely updates for critical security issues like this one, irrespective of the platform. I'm not sure what you mean when you say "timely monthly" updates.

Re: Fuck iOS

[the_humeister]

Can you download pictures and videos via Safari? no

First, I assume you mean MOBILE Safari.
 

Based on the thread context, why would you infer otherwise?

Second, you have moved the goalposts; but I would imagine it depends on certain factors. However in Mobile Safari, if I "long-tap" on an Image, it brings up a contextual menu. One of the selections is "Save Image". If I choose that, the image (picture) goes to my "Photos" library. Sounds "Downloaded" to me.

Odd. I just tried this using my wife's iPhone 6+. There's no context menu popping up when I long press an image. Tried this with the same image on my Android phone and I get the expected context menu.

With videos, it appears you cannot download from Safari directly; however, GoodReader has web-browsing capabilities, and you can certainly Download (and Play) directly from that App. So, obviously, iOS doesn't keep you from Downloading video; they just didn't build that into Mobile Safari (that I know of). Chrome may allow it directly, although it doesn't seem to.
 

This is what irks me: why do I need a separate app for this when every other computing environment (eg Windows, Linux, Mac OS, Android) doesn't?

If that's too hard for you, may I recommend a Flip-phone?

Based on your ad homenim it's quite clear you place a high personal identity towards your phone environment. You may want to reconsider your priorities.

Re: Fuck iOS

[macs4all]

Odd. I just tried this using my wife's iPhone 6+. There's no context menu popping up when I long press an image. Tried this with the same image on my Android phone and I get the expected context menu.

Try a different site. Apparently, image saving in Safari can be blocked for copyright etc.

But this is how you do it. This must be from an earlier version of iOS, because my popup menu had a few more selections. But it is essentially the same.

Quad Rooter

That's what me and my mates called ur mum, she's pretty skilled taking 4 at a time.

Re:Quad Rooter

She's called 'Quad Pooper' for the number of black dicks she can take up the poop shoot at once.

Will slashdot be using this vulva to infect us

Why no SSL to m.slashdot.org?

SuckersiPhone.

This is what happens when you put your trust in Google.

Patch not needed quickly...

[wbr1]

It requires sideloading be turned on to get in. This is off by efault on any sane device. Yes it could get in through the play store, but since google now knows the exploit you can bet all apps are scanned.

This is mostly fear mongering. Now if you could root my phone with an MMS or some other function that does not require me to turn of security features first, then I'll worry.

I will worry about all the cheap chinese tabs and phones that come with sideloading (and malware/crapware) installed by default.

Re:Patch not needed quickly...

[xvan]

Anybody can comment on how strict are apple / google security processes to publish an app on their stores?

Re:Patch not needed quickly...

[Trogre]

I take it you've never heard of f-droid. Only one of the biggest FOSS repositories for a single platform.

And since it's not an official Google product, funnily enough, it requires sideloading.

Re:Patch not needed quickly...

[wbr1]

Yeah I have, most people do not need it or use it. However, for those that do, the smart thing is to turn the setting off temporarily when loading an app, and be sure of what you are loading.

A very small percentage use alternate app stores, so saying 900M devices are vulnerable is a bit hyperbolic.

If i can trick you into installing an app

you're owned anyways.

what's so special about this? people just hit 'yes' on all permissions on android anyways. am I missing something?

Re:If i can trick you into installing an app

[khz6955]

It's part of the advertising deal with MICROS~1, to only mention Android in relation to vulnerabilities else it's flash or banking trojan.

Re:If i can trick you into installing an app

[campuscodi]

Seeing that the app doesn't need special permissions, tricking the user is the easy part

Check your phone

[pgn674]

Check Point has an app in the Google Play app store that scans your phone for the vulnerabilities: https://play.google.com/store/...

Blackphone 2

[mentil]

The Blackphone 2 uses a Qualcomm Snapdragon chip. The maintainers (Silent Circle) released a patch a week ago that 'updates to the latest Qualcomm config files' but it's unclear if that fixes this specific vulnerability.

Re:Blackphone 2

[Horus1664]

The Blackphone 2 uses a Qualcomm Snapdragon chip. The maintainers (Silent Circle) released a patch a week ago that 'updates to the latest Qualcomm config files' but it's unclear if that fixes this specific vulnerability.

Nope, it doesn't. Still one out of four isn't bad :( (just vulnerable to: CVE-2016-5340) This will be a test of the promise to be the fastest at fixing/patching issues.....

Here we go again..

[Rexdude]

An attacker would have to trick a user into installing a malicious app

Stopped reading after that.
Mundus vult decipi, ergo decipiatur.

Trick user into installing malicious app

[khz6955]

"An attacker would have to trick a user into installing a malicious app"

Is this what slashdot is reduced to, posting bogus pseudo technical quotes from a known Microsoft shill.

Re:Trick user into installing malicious app

With the quality of curation on the Google app sources, you'd be fine integrating this exploit into a legitimately published app.

Re:Trick user into installing malicious app

"Android is better than iOS, just change the repository and you can get all the freedom and install whatever unlike evil apple controlled iOS"

"Stupid user, installing software outside the playstore."

-
If you want to claim the freedom as a bonus, and people exercise the freedom, you have to be responsible and take ownership for the consequences. But then again, petulant children on this site also need to grow up.

PLEASE!!

[eWarz]

FOR THE LOVE OF GOD, EXPLOIT MY BOOTLOADER, MAKE HER VULNERABLE TO ATTACK! For my Verizon Samsung Galaxy S7 remains invulnerable to any attack outside simple root base exploits. Oh script kiddy gods, I BEG YOU (no sarcasm).

Blackberry

[drolli]

So that is what you get from switching away from QNX.

Re:Blackberry

[danbob999]

I also hear that MS-DOS has never been attacked on a smart phone.

Re:Blackberry

I didn't know that MS-DOS was a real time modern, fully developed and supported for the forseeable future microkernel based unix operating system that fully emulates the latest version of Android. The things you learn on slashdot. Thanks danbob999 for the update! I think it's time to run firefox on MS-DOS!

Re:Blackberry

I didn't know Linux was a microkernel.

Re:Blackberry

[drolli]

Well... technically any virus attacking MS-DOS but accidentally hitting a Nokia 9000 communicator could probably be counted under the category "MS-DOS" on a smartphone.....

Re:Blackberry

[danbob999]

yeah, if you can get that smartphone to read that floppy disk with the virus on it and executing that .COM file.

Re:Blackberry

[drolli]

It could receive e-mail. Or you could surf a malicious web page.

Does it trip knox?

[shione]

If it doesn't trip knox then someone could retool the exploit to root the phones in a good way.

To what end?

[Sycraft-fu]

There's no update, and even if there were it'll come when the providers push it out. With a phone, you just have to accept that if the thing is vulnerable, it is vulnerable. You can't really do anything as a user. Anything you can do is shit you should already be doing like installing apps only from trusted sourced and running a malware scanner.

Re:To what end?

[swillden]

you should already be doing like installing apps only from trusted sourced and running a malware scanner

You don't need a third party malware scanner. Just turn on the built in Verify Apps.

Android needs a different kind of APK

[tepples]

Just because Android's package format is called "APK" doesn't mean you can use a hosts file. A workaround is to use a firewall app with a DNS filter, and then plug your hosts file into that. I haven't tried NoRoot Firewall to see whether it supports a hosts file, but it does show that a firewall is possible without rooting.

yet...

I'm sure the owner does not get root. The attacker just became your parental figure.

Re:yet...

mom? is that you? why don't you visit me in the basement anymore?

root

So you can root your Android device. Some people think that is a plus.

Checkpoint rooting the devices

So why wouldn't checkpoint be exploiting the vulnerability they already discovered and including it in the benign scanner app.

Re:Checkpoint rooting the devices

The "supposedly" benign

Android Debugging Bridge PULL command

See subject: That'll import a custom hosts file to use on ANDROID easily (does it need to be rooted?)

APK

P.S.=> I think it's hilarious (above ALL else) that ALL THOSE YEARS of /. "FUD" of "Windows != Secure, Linux = Secure" falls RIGHT apart when ANDROID comes around (& yes, it uses a Linux kernel - that surely doesn't make it Windows or MacOS X / iOS etc.)... apk

Re:Android Debugging Bridge PULL command

[tepples]

Because the hosts file is inside /system, the device needs to be rooted in order to adb push a modified version. And that's if Android's networking stack even uses it; this comment claims that at least some versions do not.

Easy Way to Root

[wasteoid]

Find the root image for your device on the XDA developers site.

Re:Easy Way to Root

[Razed+By+TV]

My bootloader is locked : (

Sucks

[shaitand]

But hey, at least owners of these devices have a super easy path to root without need to flash any special image.

Where's the 'write protect' switch?

[kheldan]

I think the only way you can possibly make any so-called 'smartphone' secure, is to have a hardware switch that puts the entire phone into 'read only' mode, so nothing new can be installed on it. They're like cheap swisscheese: more holes than cheese. I think I'll just keep sticking with cheap-ass $50 flip-phones. If something happens to it I can break it in half, toss it into the e-waste bin, and go get another one and nothing of value is lost. At least I don't become an unwilling participant in someones bot-net this way.

GOOGLE IS A US SPY SHOP IN TOTALITY

So yeah, you could say if you put some malicious code on their OS of course it is already spyware so yeah even moreso if you installed this malicious app like some dickhead.

BUT YEAH. YES. FBI ON SLASHDOT GOT THIS OUT THERE.

Fuck you FBI. Dead spies.

ADB's easy to do + works,&?

See subject: I've done the ADB procedure I noted a few times for pals (who had rooted phones like op has https://mobile.slashdot.org/co... OR it sounds like he might @ least...)

APK

P.S.=> Some ANDROID builds don't use HOSTS (Google's SCARED SHITLESS of it, ala KitKat as an 'example thereof') - but in the end? All "smartphones" are TRULY "DUMBPHONES" due to ANDROID being exploited FULL OF HOLES FOR DECADES NOW almost DAILY... they're damn toys - DANGEROUS ONES @ that - & what I call "electric dogcollars" @ times (what I used to call beepers I had to wear decades ago while on the job as a 'wageslave')... apk

Fuck that. I quit. No more tech for me.

I've had enough with the newest vulnerability to fuck up my life. I quit this shit. I'm throwing away my smartphone, my smartTV, my smartHome, my smartWristband, my computers, my car. Back to the stoneage for me. Off teh grid. No vulnerabilities. good bye

LIE. ^^ Reverse way of saying accept it, we won.

What you do is use your phone as needed and don't explain to each other how to kill the nearest backstab spy on your phone.

Use post-it notes.

Re:LIE. ^^ Reverse way of saying accept it, we won

post-it notes, dark of night, and ice pick.

Re:Fuck iOS --Really? No nuance or ambiguity?

You CAN access the file system on your iOS device. That being said, you HAVE to KNOW what you are doing and this is as it should be; you do not want your children to have the same access to the file system you do because, in as much as they know how, knowing when and why makes more of a difference. You can do a large number of things that Android people can but it is a different way of thinking because the system is rigged against anyone who knows just enough to get into trouble. Apple wants you to either not bother learning and use the intuitive interface (and it is so good that Samsung pays Apple to use all manner of elements from it; just that, lacking iOS experience, you might not know which came first) or learn enough so that if the problem you were trying to solve was a map, you would know the adjacent sheets -good practice anyway.

Downloading an MP3 or a ringtone is not hard but installing takes a side trip to a desktop machine; moreover, it is obviously easier on a Mac. I download images all the time and in the olden days before photos synced everything, I would text them to myself (effectively producing a backup copy on the phone) or emailing them to myself which, while not providing the backup, did allow me to remove the content from storage on the phone --well, there is still, sort of a backup, the sent folder in my iCloud account but that is not physically on the phone. You can also get a PDF of a journal article and treat it in a similar manner.

So many people with Android phones speak with vile hatred of iOS devices without actually knowing iOS or its benefits that in being so busy expressing their unexplainable hatred of (IBM way back when, then it was Lotus or WordStar, then Microsoft, and now, it is Apple's turn) corporation X, they demonstrate a lack of exposure at the least and a petulant disregard or disdain for anything that might be done better or easier on an Apple device. I have used and continue to use both (in no small part due to Samsung and T-Mobile policies) and there are things that are done better by one or the other. The owners of Android phones, much like the owners of a WinTel box running some sort of windows, have a high tolerance for system failures and bugs. iOS and Mac users, accustomed to their device "just working" have a significantly lower tolerance for defects or instability. Thus, your iPhone might not have the latest hardware (IPS vs OLED) but it has been tested to the point that one would be hard pressed to fine a condition Apple has not already exposed the device. Waterproof? I have seen iOS devices soaked for hours spend a fraction of a day in rice and turn on like nothing happened and I have seen supposedly waterproof Android phones fry themselves. However, the most irksome to me remains the all too frequent restarts on Android vs just TWO restarts in the entire time I've own my iOS device. Certainly, that has to give someone a bit of pause.

Owning a Google phone or a Blackberry device is not the same as being adrift in the other side of the Android world. For all intents and purposes, the corporate entity is no different in so far as being a gigantic and faceless monstrosity whose behavior harkens back to a time of unrestrained, unrepentant, and most of all, abusive capitalism. That behavior is only restrained (rather than constrained which implies limits rather than barriers) by governmental efforts driven (when enough people scream, even politicians listen) by sufficient public outcry. Not everyone that purchases an iOS device is unable to code or repair their own hardware and not everyone that clamors for the latest device that uses Android is an absolute tech geek. However, one glaring difference exists and that is this: Apple demands and gets compliance from the carriers so that an update is available to all iPhone owners at once without regards to carrier. Google can only do anything similar -and they do not- with their own phones. For the rest of the Android world, a mishmash of manufacturers and carriers spend time blaming one a