Again? Oh no, not again!
Android has more holes in it than a string vest.
Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures. The flaw, discovered by the "Android Security Squad", stems from a Java-based issue (explained on a Chinese language blog here, Google translation here …
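The excerpt above says only that an app can be changed without breaking its signature and that the cause is a Java-level parsing issue; it does not describe the mechanism, so nothing here claims to. As an added example, not code from the article, the researchers or Android, here is the generic sanity check a practitioner would want for a signed APK: an APK is a ZIP, every entry is described twice (a local file header in front of its data, and a central directory entry at the end), and a verifier and an installer that read different copies can be made to see different content. The script parses both views independently and reports duplicate names and any disagreement between the two headers. The archive contents and the tampering are constructed inline for the demo; the check is general and is not a detector for the specific flaw reported.

```python
"""Generic ZIP/APK header-consistency check (added example, not the article's code)."""
import io
import struct
import warnings
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header

CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # 46 bytes, per the ZIP spec
LFH_FMT = "<4sHHHHHIIIHH"          # 30 bytes
EOCD_FMT = "<4sHHHHIIH"            # 22 bytes, without the trailing comment


def parse_central_directory(data):
    """Return one dict per central directory entry, in file order."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    entries = []
    pos = cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (_, _, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, lfh_off) = struct.unpack(CDH_FMT, data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(dict(name=name, flags=flags, method=method, crc=crc,
                            csize=csize, usize=usize, lfh_off=lfh_off))
        pos += 46 + nlen + xlen + clen
    return entries


def check_zip_consistency(data):
    """Compare every central directory entry with the local header it points at.

    Returns a list of human-readable findings; an empty list means both views
    of the archive agree and no entry name is listed twice.
    """
    findings = []
    seen = set()
    for e in parse_central_directory(data):
        if e["name"] in seen:
            findings.append(f"duplicate central directory entry: {e['name']}")
        seen.add(e["name"])
        off = e["lfh_off"]
        if data[off:off + 4] != LFH_SIG:
            findings.append(f"{e['name']}: no local file header at offset {off}")
            continue
        (_, _, lflags, lmethod, _, _, lcrc, lcsize, lusize,
         lnlen, _) = struct.unpack(LFH_FMT, data[off:off + 30])
        lname = data[off + 30:off + 30 + lnlen].decode("utf-8", "replace")
        if lname != e["name"]:
            findings.append(f"{e['name']}: local header names it {lname!r}")
        if lmethod != e["method"]:
            findings.append(f"{e['name']}: compression method differs between headers")
        # With general-purpose bit 3 set, sizes and CRC live in a trailing data
        # descriptor and the local header legitimately holds zeros; skip then.
        if not (lflags & 0x8) and (lcrc, lcsize, lusize) != (e["crc"], e["csize"], e["usize"]):
            findings.append(f"{e['name']}: CRC or sizes differ between headers")
    return findings


def build_apk_like(duplicate=False):
    """Constructed sample archive with APK-style entry names (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate:
            # A second entry with the same name: zipfile warns but still writes it.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00" + b"B" * 64)
    return buf.getvalue()


def rename_in_local_header(data, name, new_name):
    """Constructed tampering: rewrite one entry's name in its local header only,
    leaving the central directory untouched (same length, so offsets still hold)."""
    if len(name) != len(new_name):
        raise ValueError("replacement name must have the same length")
    for e in parse_central_directory(data):
        if e["name"] == name:
            off = e["lfh_off"] + 30
            return data[:off] + new_name.encode() + data[off + len(name):]
    raise KeyError(name)


if __name__ == "__main__":
    print("clean:  ", check_zip_consistency(build_apk_like()))
    print("dup:    ", check_zip_consistency(build_apk_like(duplicate=True)))
    print("renamed:", check_zip_consistency(
        rename_in_local_header(build_apk_like(), "classes.dex", "classes.DEX")))
```

Run it as-is: the clean archive produces no findings, the duplicate-name archive reports the repeated classes.dex, and the archive whose local header was rewritten reports the name disagreement. Python's own zipfile opens all three without complaint, which is the point: a library that trusts one view of the archive is not a substitute for checking that the two views agree.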
It's probably the best indicator that Android is far more popular than Linux.
It seems to be even more popular than MS Windows; however, please remind us when any of the following malware infections ever happened to an Android user:
-- by inserting media
-- by clicking on a web link, visiting a webpage
-- when opening a document or email attachment
-- through the (MS) Remote Procedure Call
My company has recently just added our first apps to both the Windows Store and Google Play.
For the Windows Store, we had to provide company docs and basically verify our identity. Then when we submitted apps, Microsoft tested them. They reject them if they lack a privacy policy or clear instructions on what the app does, cause crashes, or contain potential security issues (at least ones they suspect/find). I understand Apple does a similar process on its app store.
With Android, we just pay our 25 bucks, set up an account, upload our app and we're in business.
The biggest problem with Android is the app store, and the assumption by most users that if it's on Google's official play store, it's ok. Not sure this is necessarily an issue with Android technically, but in practice it is... because that is probably the biggest route to malware getting onto Android phones.
"So you're OK with your yet-again-unsafe platform then?"
I wouldn't be if that were the case, which it isn't, it's blatant FUD spread by the Screw Googlers.
First of all, this latest "vulnerability" isn't new at all, it's the same one as last time, so repeating the same story, whilst intimating that it's actually a new "vulnerability", just because someone new is talking about exploiting the old one in a new way, is clearly propaganda.
Secondly, this "vulnerability" has precisely zero to do with Android security, or even software at all. It's the same "vulnerability" one would have by downloading Photoshop from The Pirate Bay instead of buying it from Adobe. The fact of it being Android or Windows or Mac, Free or proprietary, is utterly irrelevant, except in the sense that, if it's Free and you actually have (and understand) the sources, then you'll discover whether or not it's malicious in advance, thus preventing the problem from ever manifesting in the first place.
IOW software's integrity is only as secure as its source.
But if idiots choose to download, install and run mysterious binary blobs from dodgy sources, what exactly do you expect Google to do about that? You may as well claim that 'su -c "rm -fr /"' is a "vulnerability" too, or that smashing your own head in with a hammer is a "vulnerability".
Freedom necessarily incurs risk. I'd rather have that freedom and take that risk, than be a slave in Apple's prison.
I'd rather have that freedom and take that risk, than be a slave in Apple's prison.
Weird definition of freedom you have. I either choose (yes, choose, nobody forces me) to use an iOS device and thus have less worries about what I install so I can spend my time simply using the device for which I bought it (read: it does in no way stop me from what I want to do, YMMV). Alternatively I choose Android which means I have the immense "freedom" to be forced to sign up to the "tell us the color of your underpants" Google terms of service if I want to use the native platform, and agree to something that can only be jokingly described as a "privacy" policy. And it's designed by an outfit whose main product is the output of continuously spying on us. Mwah. Hard choice.
I'm actually very happy that iPhones are no longer "fashionable", I like the platform but I hate the associated cult garbage.
You rich sods - a whole 64k? I had to start with 8k and that included the operating system.
The fact is that most programmers these days are lazy and if you give them a Gb of memory then they will use it and cry for more - but there are a lot of folks out here who cut their teeth on programming multitasking real time operating systems supporting multiple users in 32kb ... and doing real science too.
My first computer was a used Commodore 128, got it about the time Win 3.11 was getting its legs on PCs.
It came with several 64 and 128 floppy drives, one of which was a 3.5" floppy (1581, if I recall correctly).
Anyway, it formatted to 1.8 Meg, and at the time held all my software and data on one disc!
These days, it wouldn't even hold one decent mp3 or png.
Would you expect "GNU" to be pushing out updates to Red Hat, Ubuntu, Mint etc every time there is a bug/security flaw, or would you expect the Red Hat et al to be doing it?
What would happen if one of the OEMs had modified that bit of Android code to provide different functionality and Google went and changed it?
Should all manufacturers be stopped from making their own changes to the Android code to suit their own devices? Is it non open-source software that you think Android should be? You could always choose a Nexus or Google Edition phone.
The device manufacturers can take this code, test quickly and roll out the patch within a couple of weeks, it's easy for them to do and with a small team and some registered Beta users patches like this could be rolled out for all their devices (including ancient 3/4 year old ones) within a month.
It's not so much the system which is broken - *if* the OEMs/phone carriers push updates, they'll get to people's phones just fine. The problem is that all of the OEMs fork the OS to shovel their brand of crapware upon their victims... err.. provide added value to their valued customers... and then have no financial interest in updating anything but their current models.
The obvious solution is for everyone to immediately root their phone and install stock android or CyanogenMod. Then they'll get updates as soon as they're released, and Google *does* have a financial interest in updating the OS which feeds them user info and funnels customers through their store.
However, rooting a phone (usually) voids the warranty and, even if it didn't, is beyond the technical ability of most users. I wish there were an easy solution but there isn't.
Would you expect "GNU" to be pushing out updates to Red Hat, Ubuntu, Mint etc every time there is a bug/security flaw, or would you expect the Red Hat et al to be doing it?
What's in it for the phone manufacturers? If the average customer hasn't heard of this security issue, and even if they have they might not care, and the problem isn't unique to them, there's very little incentive for them to do any work. Google don't make them push updates, and the manufacturers would much rather just concentrate on getting their next batch of devices working and sold and encourage their customers to upgrade.
Even a small team of devs won't come cheap, and the work they do does not directly generate revenue. Unless Google's own Ts&Cs for their licensees include patching timescales and product support lifetime requirements, I don't see many manufacturers doing this out of the goodness of their hearts. I don't see Google making their Ts&Cs more onerous either, because they don't want to lose their customers, who do care about such things.
TL;DR: the manufacturers don't care, because customers don't care and aren't willing to pay a premium.
"The device manufacturers can take this code, test quickly and roll out the patch within a couple of weeks,"
Yes, but they don't. Not if you're using a not-the-latest handset (e.g. Samsung S2).
And the carriers are even slower to react. Try going to the "Android Firmware Download" page on Vodafone or T-Mobile. Isn't one? Oh right.
I appreciate there are OTA updates but, again, why not just let Google update that bit of code on your phone if it hasn't been touched by the vendor or carrier?
...if at all.
I notice Google frequently update the Google Play Services (over 3G too, when I've told Play not to update anything when not on WiFi - bastards); yet this highlights a stunning flaw in the Google system, which is unable to differentiate between system-specific stuff (up to the manufacturer) and generic operating system stuff. It is no good saying that it is up to the OEMs and not Google, for they entered into this knowing full well what the market is like: the many phones on sale with Android 2.3.x and the lack of "official ICS" for numerous devices because manufacturer and operator have your money and no longer give a f....
Quite simply, it should never have been set up in such a way as to require the cooperation of this many indifferent organisations just to patch a flaw in the operating system.
it should never have been set up in such a way as to require the cooperation of this many indifferent organisations just to patch a flaw in the operating system.
What, by making Google actually RESPONSIBLE for something? Not going to happen. Their model of "all the profits, none of the responsibilities" is working well so far, as long as they can keep pesky people away that ask about rights and privacy and actually following laws. Or paying tax..
If the OEM ships the device with the option to install from 3rd-party app stores turned off, then they will probably not bother sending an update to fix it, as 99% of the users will just be getting their apps from Google Play, and Google should be scanning the Play store to find any dodgy apps. And those that do turn it on will probably invalidate their warranty under some part of their T&Cs, so the OEMs aren't bothered about those users anyway.