Android Oreo Bug Sends Thousands of Phones Into Infinite Boot Loops (bleepingcomputer.com)
An anonymous reader writes: A bug in the new "Adaptive Icons" feature introduced in Android Oreo has sent thousands of phones into infinite boot loops, forcing some users to reset their devices to factory settings, causing users to lose data along the way. The bug was discovered by Jcbsera, the developer of the Swipe for Facebook Android app (energy-efficient Facebook wrapper app), and does not affect Android Oreo (8.0) in its default state. The bug occurs only with apps that use adaptive icons -- a new feature introduced in Android Oreo that allows icons to change shape and size based on the device they're viewed on, or the type of launcher the user is using on his Android device. For example, adaptive icons will appear in square, rounded, or circle containers depending on the theme or launcher the user is using. The style of adaptive icons is defined in a local XML file. The bug first manifested itself when the developer of the Swipe for Facebook Android app accidentally renamed the foreground image of his adaptive icon with the same name as this XML file (ic_launcher_main.png and ic_launcher_main.xml). This naming scheme sends Android Oreo into an infinite loop that regularly crashes the device. At one point, Android detects something is wrong and prompts the user to reset the device to factory settings. Users don't have to open an app, and the crashes still happen just by having an app with malformed adaptive icon artifacts on your phone. Google said it will fix the issue in Android Oreo 8.1.
Really guys?
Let's not even get into the stupidity of assuming a file extension (or that they stupidly walked the file system looking for the first matching NAME minus the extension) - but how can you let your SUPER SECURE OS get borked because of one unruly configured app which NEVER happens in the real world?!
Maybe I'm just getting old but it seems programmers is gettin' dumber every year, along with UI designers (or maybe, in this case, it's one and the same)
This bug shall be called the Buzz Lightyear bug.
#DeleteFacebook
It's beta software.
That's a lousy way to eat the creme filling. Open the oreo, use a clean knife to scrape the filling, put the cookies back in the package. Not only is it hygienic, it's much faster and in the end you get to bite into a big blob of awesome-tasting sugar.
SD card is paired to the phone and encrypted. Factory reset blows away the key so all data is lost.
forcing some users to reset their devices to factory settings, causing users to lose data along the way.
I'm out of touch; my phone runs 4.1.2 Jelly Bean. But I don't get it. Resetting to factory settings doesn't erase the SD card, does it? If so, pull it out before resetting.
Not unless you're an apple fanboy looking for a reason to complain online...
How do we know that if they just left the phone in boot looping for the next millennia that it wouldn't recover on the twenty seven septillionth time?
Google will start preventing APKs from being added to their store with this problem. Seems like a relatively easy thing to scan for.
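The summary describes an adaptive icon whose foreground image shares the name of the icon's own XML file, and the comment above suggests scanning for it. An added example (not part of the thread and not Google's check) that looks for that condition in a project's source res/ tree, before the XML is compiled into the APK's binary format: an `<adaptive-icon>` file whose foreground or background `android:drawable` points back at the file's own resource name. The sample tree, the `@color/ic_bg` reference and the helper names are constructed for illustration, and treating the self-reference as the thing to flag is this example's assumption.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def find_self_referencing_icons(res_dir):
    """Return [(relative_xml_path, layer, reference)] for each adaptive-icon
    layer whose drawable reference resolves to the XML file's own name."""
    findings = []
    for entry in sorted(os.listdir(res_dir)):
        folder = os.path.join(res_dir, entry)
        if not os.path.isdir(folder):
            continue
        res_type = entry.split("-", 1)[0]  # "mipmap-anydpi-v26" -> "mipmap"
        for fname in sorted(os.listdir(folder)):
            name, ext = os.path.splitext(fname)
            if ext.lower() != ".xml":
                continue
            try:
                root = ET.parse(os.path.join(folder, fname)).getroot()
            except ET.ParseError:
                continue  # not well-formed XML; nothing to inspect
            if root.tag != "adaptive-icon":
                continue
            own_ref = f"@{res_type}/{name}"  # how other resources name this file
            for layer in root:
                ref = layer.get(ANDROID_NS + "drawable")
                if layer.tag in ("foreground", "background") and ref == own_ref:
                    findings.append((f"{entry}/{fname}", layer.tag, ref))
    return findings

def build_sample(foreground_ref):
    """Create a constructed res/ tree in a temp dir and return its path."""
    res = tempfile.mkdtemp(prefix="res_")
    for d in ("mipmap-anydpi-v26", "mipmap-xxhdpi"):
        os.makedirs(os.path.join(res, d))
    xml = (
        '<adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">\n'
        '  <background android:drawable="@color/ic_bg"/>\n'
        f'  <foreground android:drawable="{foreground_ref}"/>\n'
        '</adaptive-icon>\n'
    )
    with open(os.path.join(res, "mipmap-anydpi-v26", "ic_launcher_main.xml"), "w") as f:
        f.write(xml)
    png_name = foreground_ref.split("/", 1)[1] + ".png"
    open(os.path.join(res, "mipmap-xxhdpi", png_name), "wb").close()  # empty placeholder
    return res
```

Calling `find_self_referencing_icons(build_sample("@mipmap/ic_launcher_main"))` reports the foreground layer; a distinct foreground name such as `@mipmap/ic_launcher_fg` yields no findings.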
Wanna see how fast my phone boots?
Wanna see it again?
Wanna see it again?
Wanna see it again?
Wanna see it again?
Wanna see it again?
Wanna see it again?
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Because technical users demanded external storage so Google provided support for it no matter how it hurt non-technical users.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The same way Chromebook developer mode begging the user to wipe it is a feature: it ensures someone who steals your SD card won't be able to see your private data.
That's a lousy way to eat the creme filling. Open the oreo, use a clean knife to scrape the filling, put the cookies back in the package. Not only is it hygienic, it's much faster and in the end you get to bite into a big blob of awesome-tasting sugar.
I prefer the chocolate wafers. I've often thought that they should just sell the chocolate cookie part as Oreo cookie wafers. Of course, I'm a big fan of chocolate. Sugary creme, not so much....
Because any other option would require the user to either a) Be aware of the encryption key or b) Use a password derived encryption key and require the user to enter said password. In the name of KISS, they opted to just tie it to the internal encryption key, which isn't exactly unreasonable. I would do something similar if designing a consumer device. Trying to support *your* specific preference over that of what 99.99% of people (myself included) prefer, is moronic. And no, supporting both options doesn't help, as it makes using it more complicated as it's a consumer device.
The only other option is to store the encryption key in an encrypted bubble on the SD card itself that's tied to the PIN on the phone, and this creates a vulnerability that if the SD card is misplaced, an attacker can then use a brute force attack on the SD card to find out what the password of the phone is, and since most phones have pretty weak passwords, it most likely wouldn't be a hard brute force attack. And yes, this could be done on the phone itself as well, but it's a lot harder to misplace a phone than it is an SD card. Also, if they change the PIN on the phone while the SD card isn't in the device, they need to do something to detect that the two PINs are out of sync. And putting known structured data into an encrypted blob to verify it decrypted successfully tends to be a poor idea, as this opens up a whole slew of other attack vectors for encryption.
Remember all the wailing and gnashing of teeth about devices that don't have SD card slots anymore? Yeah, those are the same newer devices that actually have a prayer of seeing an updated image that could cause this problem.
By the way, nice OS release where the simple installation of an app, and not actually running it, can destroy your operating config to the point of effectively needing to reimage the device... and then not actually fixing the root cause until 8.1. Are they fucking serious with that?
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
Because it means that if someone steals your phone, without the password they don't get any data out of it, not even from the SD card
I prefer it that way, phones get stolen way too often.
Preventing data loss is simple... The procedure is called 'regular and complete backups'. It's no different from a laptop or a desktop. If you don't have a backup, your data is not important.
If it's the same thing as I think you are thinking about, it's very similar but somehow still a bit different than the Oreo cookies.
If they're sealed units, chances are there's no "SD card" inside. It's flash storage ICs soldered directly to the PCB.
Well, since the web seems to be 95% ads and 5% content, I guess it makes sense.
It fits into the part where we're the ones getting fucked by the ads companies.
"Jcbsera did not catch the bug during development because he tested his app's new version only inside the Android emulator provided by the Android Studio application. The bug did not manifest in the same way in the emulator as on a real device. It was only after the developer pushed the update to his users that he noticed and discovered the bug after users started flooding his Play Store page with crash complaints and bad reviews."
He didn't even try the app on a real device. That's "move fast and break things" in action.
forcing some users to reset their devices to factory settings, causing users to lose data along the way.
I'm out of touch; my phone runs 4.1.2 Jelly Bean.
But I don't get it.
Resetting to factory settings doesn't erase the SD card, does it?
If so, pull it out before resetting.
Not unless you're an apple fanboy looking for a reason to complain online...
You mean like the hundreds of Linux/Android fanbois (cleverly disguised as ACs) who descend in DROVES upon EVERY Slashdot Apple Story?
At least I have the guts to LOGIN when I comment. I NEV-ER Post as AC. Never. And I have the Karmic Scars from fanboi Punish-Modding to prove it!
Yeah, came here for that 8.1 sentence. 8.1 fix is too fucking late. It needs to be fixed in 8.0.1 hotfix.
If this was an iPhone, it would have been fixed (and DISTRIBUTED) in less time than the Slashdot Army could fire-up their Torches and grab their Pitchforks...
How does one "accidentally" .. "rename[d] the foreground image of his adaptive icon with the same name as this XML file (ic_launcher_main.png and ic_launcher_main.xml)."? Dearie me, that happens so often.. I meant to touch the SankakuBlack icon, and instead I found myself accidentally renaming the foreground image of my adaptive icon with the same name as this XML file (ic_launcher_main.png and ic_launcher_main.xml)."! Again! third time today, and it's only 8:00 am here! I am so clumsy.
How does everyone miss
"and does not affect Android Oreo (8.0) in its default state."
in the original article?
Life is what happens to you while you are busy making other plans. No-one sees motorcycles
The importance of "external storage" is exchanging data with other devices. An SD card you can't use in anything else doesn't qualify.
No, for ordinary users, the importance of external storage is that they can quadruple their phone's storage for $20 and actually be able to have more than a couple of apps and four songs available.
To have a right to do a thing is not at all the same as to be right in doing it
And how would you design it to have a proper factory reset on the phone and still enable secure removable storage? If you do a factory reset on an iPhone all your data is lost as well and even if it didn't delete it it would be rendered inaccessible anyway since the encryption keys have been reset.
In an iPhone situation, you can do a Backup of your Phone, do a Reset to Factory Settings, then Restore From Backup. The key thing being that you mustn't forget your passphrase before the Restore, or THEN you're borked...
You can even create a Non-Encrypted Backup if you don't care about Health and "Activity" Data (or iBooks PDFs!!! Grrrr!!!). But here is how you Backup, Restore to Factory Settings, then Restore (Apps & Data) for an iPhone.
Backup: https://support.apple.com/en-u...
Reset to Factory Settings: https://support.apple.com/en-u...
Then, Restore your Backup: https://support.apple.com/en-u...
There: Is THAT clear enough for ya?
Of course, if you DIDN'T make an iTunes Backup (or enable iCloud Backup) before doing an OS Upgrade that borked your iPhone, as usual, you deserve EXACTLY what you get.
The whole problem here is the "secure removable storage". They claim it's good for users, but it's really only good for Google.
On earlier versions of Android the SD card was a good way (and once they added that MTP abomination the only way) to move data between your phone and your computer. But of course Google has never wanted you to do that.
At least Apple lets you use iTunes or iCloud to back up your phone's data. And if you use iCloud backup, I believe it's all done automagically, like with Time Machine.
And with Apple's new iCloud pricing, that option is looking pretty good, to have an always-up-to-date backup of your instantly-lose-able iPhone/iPad for 3 bucks per month ($36 per year) sounds like a pretty good deal to me. And Apple's "Family Plans" for using "Shared Storage" on iCloud are pretty reasonable, too.
And almost nothing uses the SD card when it's in "portable" mode. You need to adopt the SD card if you want to expand your phone's storage.