Another flaw in Android.

Started by Gary, Jul 16, 2013, 08:30:57


Gary

Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.

The flaw, discovered by the "Android Security Squad", stems from a Java-based issue.

The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in an upcoming presentation at Black Hat in Las Vegas at the start of next month.

http://www.theregister.co.uk/2013/07/16/android_sig_vuln_analysis/

Damned, if you do damned if you don't

Simon

Oh dear...  I guess this is the trouble when a platform becomes so popular. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Simon on Jul 16, 2013, 09:06:46
Oh dear...  I guess this is the trouble when a platform becomes so popular. 
True, mind you the hole has been there since version 1.6  :( Also, with so many versions out there and many not supported now, as it said, patching could be hard work. Smartphones and tablets are the next logical step for attacks though.
Damned, if you do damned if you don't

mervl

Don't you ask for it if you install apps you're not certain of from unchecked third party sources? On default settings that's not allowed, and you even get a warning for the stupid.

Some people want to be nannied from the cradle to the grave. Others don't, and a rare few even relish taking responsibility for their own lives and actions. Take your pick.

davej99

Have only last year invested in an Android phone and tablet. I would never dream of using either for anything private. Aside from phone and email contact details, neither contain any personal information whatever or are used for financial transactions or sensitive communications. I assume both are unsecured open devices and cynically that all apps scam and spy. Do not use cloud and keep wireless and data-comms off unless I need them. I use pseudonyms in public media.

I am amazed that people use smart devices as wallet, credit card, diary and repository of all things precious and private, then share it all with Google or Apple or some other cloud service. I am also amazed folks publish their entire lives in social media and provide data for identity gathering.

Of course the humble PC has many vulnerabilities too, but we have better honed security and we are more mindful of the risks. I guess smart device security will get there too, but meantime I am prepared for anyone to take the contents of my wallet at will and I treat my phone and tablet the same.


Simon

I'm the same, Dave.  My iPhone does contain Contacts and all my Calendar events, which I guess could be a security issue, but I certainly would never use banking apps. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

mervl

I too got my first Android smartphone this year. And to me it was obvious: the first thing I did was to make sure I understood (before I switched it on) its settings, and the first thing once it was switched on was to implement its security settings as I wanted them; the next was to install and set up a reputable security suite that I was familiar with and which gave me the cover I wanted (actually it required more than one, but I made sure too that they all worked together). I didn't set it up until I made the time. I use apps on the phone and generally find that with a bit of intelligence and help I can find out (and control) more about what they are doing and use than I can with the PC. No problems so far, touch wood, but if there are I've only got myself to blame. Whatever you're comfortable with - provided you keep your eyes open, and use that thing between the ears.

Government seems to take the opposing view: when someone loses everyone has to pay. I took out an endowment in the early days and understood the risk, I had (once) a PPI and understood the limited cover, whatever the salesman said (or didn't). Nobody else did though, apparently. And smartphones come with a nanny in tow.  ::) It pays to play dumb doesn't it?

Simon

All very true, Merv.  When I had an Android phone, I had an anti virus which I think was called Lookout. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

mervl

Yep Simon.  Lookout is one of mine; I also use Avast, which has call management and firewall functions (as I'm rooted), and am trying out the Times' recent recommendation of the free TrustGo, which looks reasonable on paper. Android is open source of course, so you have to be a bit more careful than perhaps with Apple's closed systems. But being a bit old-fashioned, I suppose, I think personal responsibility is something more than a political slogan. I enjoy the challenge! But being something of a self-taught techno-idiot it is a challenge, sometimes.  :fingers:

Simon

Of course, Apple users, which include myself now, would claim that they don't need several layers of additional protection, due to the 'closed' system, which, in that sense, has its advantages.   :)

In essence, though, I guess that's the same as using an Android phone in its default security mode - and Apple devices can be jailbroken, so it all depends on how adventurous you want to be, as to how much additional security you need.  I used to jailbreak my iPhone 3GS, but only so as to gain the basic customisations allowed on other platforms, such as personal ringtones.  Since they changed the OS to allow this anyway, I've had no need to jailbreak the 4S.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

I thought the whole reason Android was open was so you could use other stores; you didn't have to live in a walled garden. That's been the impression that's given as to why iOS is restricted but Android is 'free' to use as you want. The huge rise in Android malware is because it's popular: 653% since 2011 I think was quoted on the Reg. Lookout is what Justina uses and it's a good AV and gets good scores against malware, something you need on such an open platform I think.

Leaving something unpatched since version 1.6 is pretty bad, but I'm sure iOS has similar issues, as do Windows phones. The problem is there is some fragmentation in Android handsets: more are still running Ice Cream Sandwich than Jelly Bean last time I read about it, with networks slow to bother updating customised handsets and manufacturers not bothered to get patches out quickly on old handsets either. My mother has an old HTC Sensation, as does my wife, but my wife's one is a few versions behind as it's O2 custom firmware and my mum's is unlocked.

This kind of issue is going to be where Android could come unstuck, as Google need to make sure that handsets all pretty much run the latest versions. I like the HTC One, great phone, but how many updates it gets compared with a Samsung SG4 handset is an unknown quantity, and that needs to be addressed. iOS is better in that respect I think, purely as most phones run the latest versions and so hopefully people who don't jailbreak are better secured, but at the end of the day no platform is ever truly safe...
Damned, if you do damned if you don't

Simon

Serious question, as I never had an Android phone long enough to do it, but compared to updating an Apple device via iTunes, which a chimp could do, how easy is it to upgrade or patch an Android device?  My cousin is looking at either the Samsung Galaxy Note or the iPhone 5, but being technically challenged, I would have thought the iPhone better for someone who wants it to just work, and have easy upgrades. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

It's an over the air update, the handset provider or carrier pushes the update to the phone, no need to connect it to a computer.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

mervl

Yep, updates are OTA (once accepted on notification, best done through wifi unless you've an unlimited plan, though, and just a reboot required), though some carriers are quicker than others, but at worst spaced out over a month or a couple. (Some old phones, say pre-2011 models, can't be updated to the latest versions due to hardware limitations. They're still not particularly prone to malware with a decent AV as far as I'm aware though). Not sure why updates are so critical though - I have an Android that I've kept on ICS, as Jelly Bean loses some program functionality I value. It has no noticeable loss of functionality or security whatsoever being kept on ICS, just some tweaking on the Jelly Bean update that really isn't noticeable unless you are pernickety. A decent AV offers an additional layer of comfort anyway.

For me the advantage of Android is that you can just let the system do its thing, as per Apple; or customise as much as you like. It's the choice (and price). If neither matters then that's fine and dandy. (And some of the informational widgets are pretty cool too). It's this idea we all have to be clones that doesn't appeal  :(.

EDIT: I've got a couple of hundred apps in total, and have yet to find any that I would want available on the third party stores that aren't available on the authorised Google Play Store (with Google's app checking), apart from Ad Aware to eliminate most ads (which I had to install from elsewhere, for obvious reasons, I suppose). I suppose there might be a few Google Play-haters who install from third party stores on principle, but there's no accounting for taste (I'm the living proof) after all. And I'd be a bit careful with Google+ which can eat your battery alive, but is just a tick to disable and switch on when needed.

Simon

Thanks guys, that's useful to know. 
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.