Related
With the IT press getting hold of information regarding the Droid X (Slashdot story here) I thought I'd start a thread regarding this significant find.
As of posting, this is not confirmed. There's no credible source for this information yet, just a community hacker like most of us. If anyone finds better sourced information, post it here.
Mods: Might want to sticky this one
From the /. article:
"If the eFuse failes to verify this information then the eFuse receives a command to "blow the fuse" or "trip the fuse". This results in the booting process becoming corrupted and resulting in a permanent bricking of the Phone. This FailSafe is activated anytime the bootloader is tampered with or any of the above three parts of the phone has been tampered with."
EDIT: I understand there have been threads about this already, but they've moved down the rankings. Lots of people will be looking for information on this topic, and there doesn't seem to be any. A single thread for discussion and information posting seemed appropriate.
Go to boygeniusreport.com, scroll down and find "Reality Check: Modding the DROID X may not lead to a bricked phone."
eFuses have been in phones with TI's OMAP processors for a while now, but they have not been used to brick phones because of custom modifications to the phone. The phone still has an encrypted bootloader which will be hard to crack like just like the Milestone's but it doesnt necessarily mean that the eFuse will trip if the bootloader messed with.
Again, this is still an educated speculation and cant be confirmed until someone goes around and finds a way to unlock the bootloader and flashes a custom ROM on it (hopefully successfully )
i applaude companies that try to beef up security for their own sake. It's sort of like with the PSP, old Xbox, and Wii. They are just trying to protect their own business
We just need to worry about root for now...
Sent from my DROIDX using XDA App
The possibility of eFuse bricking your phone: officially debunked.
http://www.engadget.com/2010/07/16/motorola-responds-to-droid-x-bootloader-controversy-says-efuse/
storino03 said:
i applaude companies that try to beef up security for their own sake. It's sort of like with the PSP, old Xbox, and Wii. They are just trying to protect their own business
Click to expand...
Click to collapse
Gay
Sent from my Samsung Galaxy S using the XDA App.
Quite a few of us xda lurkers are itching to get root on our devices, but the DRM-debacle of the Sony phones has made many, including myself, hold off with unlocking the bootloader. Instead, we've put our hopes to new exploits that would allow root while keeping the bootloader locked, thus making it possible to keep all DRM functions in place, and also to restore the phone to factory conditions with the bootloader intact.
However, as Chainfire explains in the post below, the chances of any such exploit surfacing are slim. He says it's more important than ever to buy phones with unlocked bootloaders if we want to keep root.
Sadly, I'm afraid he's right and that the official bootloader unlock is the only way we'll be able to get root in the foreseeable future.
What do you guys think? Worth it or not?
Check out Chainfire's post on G+:
https://plus.google.com/113517319477420052449/posts/VxjfYJnZAXP
Fruktsallad said:
Quite a few of us xda lurkers are itching to get root on our devices, but the DRM-debacle of the Sony phones has made many, including myself, hold off with unlocking the bootloader. Instead, we've put our hopes to new exploits that would allow root while keeping the bootloader locked, thus making it possible to keep all DRM functions in place, and also to restore the phone to factory conditions with the bootloader intact.
However, as Chainfire explains in the post below, the chances of any such exploit surfacing are slim. He says it's more important than ever to buy phones with unlocked bootloaders if we want to keep root.
Sadly, I'm afraid he's right and that the official bootloader unlock is the only way we'll be able to get root in the foreseeable future.
What do you guys think? Worth it or not?
Check out Chainfire's post on G+:
https://plus.google.com/113517319477420052449/posts/VxjfYJnZAXP
Click to expand...
Click to collapse
Well it's @Chainfire talking, who are we to doubt him? I'm only waiting for a way to backup my TA-Partition (DRM keys), I wouldn't mind losing some features. Even tho I must agree that losing some camera quality is really annoying, but Android is pretty open source so I have no doubts that people will find something to reverse the algorithm loss or create their own.
And also when the occasion occurs that I need to send my device out for repair, that they don't refuse it due to an unlocked BL
I'm sure that's true in the long run, just not sure if it's true now.
It's economics. The security bugs are going to get fewer and further between, but they will arguably never be eradicated. You should expect it to take longer and longer to find new exploits, but I wouldn't bet a wooden nickel that there are no exploits left.
More likely, we will reach a point where the cost of finding an exploit is so great that they're no longer worth looking for to a critical mass of hackers.
On the bright side, the implementations get better all the time, and I see very little about my z3c that I would like to change if only I had root.
And I do think Sony should find a way to make the early rooters whole again. I feel terrible that so many people's $500 phones have been seriously degraded by a completely reversible software change.
Dsteppa said:
Well it's @Chainfire talking, who are we to doubt him? I'm only waiting for a way to backup my TA-Partition (DRM keys), I wouldn't mind losing some features. Even tho I must agree that losing some camera quality is really annoying, but Android is pretty open source so I have no doubts that people will find something to reverse the algorithm loss or create their own.
And also when the occasion occurs that I need to send my device out for repair, that they don't refuse it due to an unlocked BL
Click to expand...
Click to collapse
True, but as I'm sure you're aware, backing up the TA-partition requires said exploit to be found in order to get root. So I think it'll be a looong wait. [emoji20]
He still thinks root will be achievable in the early editions of Android L so I think it's safe to say root will arrive for this device under a locked bootloader, it will just take a bit longer than it has in the past to find an exploit.
Sent from my D5803 using XDA Free mobile app
This is really disheartening. It's kinda ironic that Sony, who in recent times has been raised in its support of the developer community of its phones, and even won XDA's OEM of the Year, has such a downer in its phones.
I know this doesn't work for everyone but I'm hopeful that the new AOSP L camera API will mean that AOSP custom roms have some native low light enhancement processing. Maybe...
Chances improve with new software so I t could happen with android L too.
pricey2009 said:
He still thinks root will be achievable in the early editions of Android L so I think it's safe to say root will arrive for this device under a locked bootloader, it will just take a bit longer than it has in the past to find an exploit.
Sent from my D5803 using XDA Free mobile app
Click to expand...
Click to collapse
Yup, but we're still looking at about five months wait considering Sony won't ship L until Q1 2015. Even then, there's no guarantee an exploit will be found.
Maybe I'm overly pessimistic about this. I do, however, have high hopes for the new camera API's regarding camera quality and post processing.
Personally, every day without root is a little painful, so I'll never last all those months. As soon as there are custom kernels available and a ROM like CM or PA, my locked bootloader goes bye-bye.
Chainfire is talking about the su daemon and problems running it (on Android L). He does not say anything about a root exploit. It seems you misunderstood his post.
zxz0O0 said:
Chainfire is talking about the su daemon and problems running it (on Android L). He does not say anything about a root exploit. It seems you misunderstood his post.
Click to expand...
Click to collapse
Let's hope Sony make or have made some little security mistakes.. To quote his post:
" Of course, this is all dependent on OEMs implementing everything exactly right. If a certain OEM doesn't protect one of their services correctly, then we can leverage that to launch the daemon without kernel modifications. While I'm fairly certain this will be the case for a bunch of devices and firmwares, especially the earlier L firmwares, this is not something you should expect or base decisions on."
Here's hoping they have missed something.
Sent from my GT-I9300 using XDA Free mobile app
pricey2009 said:
Let's hope Sony make or have made some little security mistakes.. To quote his post:
" Of course, this is all dependent on OEMs implementing everything exactly right. If a certain OEM doesn't protect one of their services correctly, then we can leverage that to launch the daemon without kernel modifications. While I'm fairly certain this will be the case for a bunch of devices and firmwares, especially the earlier L firmwares, this is not something you should expect or base decisions on."
Here's hoping they have missed something.
Sent from my GT-I9300 using XDA Free mobile app
Click to expand...
Click to collapse
Let's wait until January for the first android L release then :crying:
I've rooted two weeks ago and still enjoying the phone
zxz0O0 said:
Chainfire is talking about the su daemon and problems running it (on Android L). He does not say anything about a root exploit. It seems you misunderstood his post.
Click to expand...
Click to collapse
This.
The post was mainly aimed at Android L...
Google hired one of our very own (Towelroot) and iPhone's pioneering hacker so it's going to get tougher. I hope they hired him only for NSA purposes.
That move by sony is just stupid. if they wanted to protect their code, why not store it into the camera firmware (referring to the camera algorithms)?
Why do they have to kill Miracast?
Obviously that is the other side of the medal. investments on security = far less exploits available. we are gonna wait a while, but as a developer I really really miss Xposed. Each time I look at my G2 a little tear drops.
No way I'm gonna root loosing DRM keys. The camera is already weak (to be honest I would be used a word beginning in shi but let's be polite) so I'm not in any way gonna make it worse.
zxz0O0 said:
Chainfire is talking about the su daemon and problems running it (on Android L). He does not say anything about a root exploit. It seems you misunderstood his post.
Click to expand...
Click to collapse
Yes he does:
"As stated above, it seems for now that modifications to the kernel package are required to have root, we cannot attain it with only modifications to the system partition.
Combine that with a locked bootloader (and optionally dm-verity) and a device becomes nigh unrootable - exactly as intended by the security guys.
Exploit-based roots are already harder to do thanks to SELinux, and now because of the kernel requirements for persistent root, these exploits will need to be run at every boot. Exploits that make the system unstable (as many do) are thus out as well."
Then he goes on to say:
"Of course, this is all dependent on OEMs implementing everything exactly right. If a certain OEM doesn't protect one of their services correctly, then we can leverage that to launch the daemon without kernel modifications. While I'm fairly certain this will be the case for a bunch of devices and firmwares, especially the earlier L firmwares, this is not something you should expect or base decisions on. It is now thus more important than ever to buy unlocked devices if you want root.
It might also mean that every firmware update will require re-rooting, and OTA survival mode will be broken. For many (but far from all) devices we can probably automate patching the kernel package right in the SuperSU installer ZIP. We can try to keep it relatively easy, but updating stock firmwares while maintaining root is probably not going to work as easy and fast as it did until now."
zxz0O0 said:
Chainfire is talking about the su daemon and problems running it (on Android L). He does not say anything about a root exploit. It seems you misunderstood his post.
Click to expand...
Click to collapse
How can anything be a root exploit if it doesn't result in a functional su? I read Chainfire's post as Google making it impossible to elevate privileges from within Android, necessitating kernel level exploits which in turn will require unlocked bootloaders to install.
Once we get to where the bootloader has to be unlocked it's really not a root exploit anymore, is it?
michyprima said:
Why do they have to kill Miracast?
Click to expand...
Click to collapse
Because they don't want to support Miracast without HDCP. Remember that Sony is also a content provider. While that may be as annoying for a normal user as the degradation in camera quality, their approach actually still is developer friendly. Request a code - get full control over the device, at the cost of losing some functionality (software functionality). It's as simple as that. CM and other roms work perfectly fine on Xperia devices, and if you want to implement an equivalent camera algorithm, you're free to do so.
Iruwen said:
Because they don't want to support Miracast without HDCP. Remember that Sony is also a content provider. While that may be as annoying for a normal user as the degradation in camera quality, their approach actually still is developer friendly. Request a code - get full control over the device, at the cost of losing some functionality (software functionality). It's as simple as that. CM and other roms work perfectly fine on Xperia devices, and if you want to implement an equivalent camera algorithm, you're free to do so.
Click to expand...
Click to collapse
Can only agree to that. If you buy a Sony phone to act like a Sony phone (most people do!) then one should leave it as it has been delivered by Sony. If you can't agree to how it is, Sony gives you the option to unlock the BL and do whatever you want to do with the HW, but don't expect it to work/act as before. Personally, I have no issues with that at all.
On a different note, Linux/Android is comprised of x million lines of code. There're bugs in this code, there're bugs in the compiler, bugs in Java, bugs even in the Hardware etc. etc. There's no reason to believe (or fear) that Linux/Android would ever be perfect or non-vulnerable. Root will come, it's only a matter of effort and time...
Please help me in this. i need root apps and unlocking . coz i have no money etc ..... i need to root my device and want to install cm 12 on my device ....
Um... So do I. Do the research yourself, and spend time. This is so spam-like, and the research is ridiculous.
Yup.... Why motorola is treating customer like this. We paid u n that's it. I think they should provide unlock code for Droid mini as they do for others.
Sent from my XT1030 using XDA Free mobile app
Well, a few things. First off, if you are on android 4.4.4, there is no unlock for your bootloader. Next, there is a "free" rooting method, but based on what you have said thus far, I am going to go ahead and recommend against it. Motorola absolutely *SHOULD* provide bootloader unlock codes for any user not on contract, that wants one. The reason they do not is their agreement with Verizon Wireless stating specifically that they will not give unlock codes for Verizon devices that are not Developer Editions. Motorola phones that are supported are hard to come by, especially if you are a Verizon customer.
Personally, if your Mini is in good shape, (no scratches, dings, etc) i would sell it and hunt out another Mini or a Maxx on 4.4 on Ebay. (i have now done this successfully with a Mini and a Maxx) then you can (yeah, i know you don't like this part) pay $25 to get Sunshine to unlock the bootloader. Maybe that sounds like a lot of $$ for what it is. What i can say is a Dev edition of the Maxx (i know, i had a real one) is about $680 new. The retail version of the same phone was $550 or so. Even buying the phone from Motorola, you still paid more for Bootloader Unlock. I am old enough in the Android community to remember guys like Dan Rosenburg that never asked for $$, (or if you were insistant on paying, he asked you make a donation to charity), and also rooted every other device I have owned before the Mini for free. That used to be how it worked. Now, the only people interested are professionals who are literally spending time and money to find and utilize exploits. If you are really new, you should read up on security vulnerabilities, the qfuse system, and read up on the Azimuth Security blog and see what exactly was involved in the last run of bootloader unlocks. it isn't just someone playing code monkey and making a script. it is bricking (sometimes beyond all repair) $300-600 devices in an effort to make an unlock that might yield the money invested back.
As you said, and I live at the moment, you do not have money. This, my friend, sucks. I can say that in order to invest in my android devices, i have sold other things i cared about less (rare vinyls, extra devices, etc.) The reality is, $25 is not very hard to come up with if you are determined. Principally, at first glance, i disagreed with the premise of paying for what i feel should be an inherent feature of any android device, but when Motorola themselves say nothing will change the policy, I would much rather pay the money and know i am unlocked. google #unlockthedroids and you will see my names (kitcostantino, medicbeard, etc) a time or two...believe me i have tried. Motorola sells a crapload of devices to Verizon. Unfortunately, that means that Verizon (and also ATT) have too much clout and control over the Moto devices they sell for use on their networks.
The reality is, in the forseeable future, there will be less and less opportunity to unlock a retail device that is not a developer or pure edition. Security software checks and hardware gets better and better. the Devs that get through have a harder and harder time, and the knowledge is becoming more and more specific. I actually messaged DjrBliss on Hangouts to ask if he had any plans to work on the Turbo bl and he told me it was a stressful part of his life he was glad to be past. Honestly, he was so completely nice and cool about a total stranger contacting him, it blew me away. One of the most amazing exploit creators with ZERO pretentiousness, totally chill, and glad to talk to a fan (i have used his exploits on many of my phones). With dudes that capable not wanting to invest their time and efforts, we are left with mostly security experts to find our unlocks.(who can potentially make a crapload of money with their time and skillsets). Is $25 a lot compared to what these guys could be making? nope. but in all honesty, as I am inclined to do myself, I suggest you read up on anything Motorola related with regard to Qfuse, security checks, etc. The new age of exploits is upon us. The end user is going to have to be far more intelligent and far more comfortable doing things themselves to have control over their devices. In a way, it is a good thing because users that cannot do anything without a one-click or an app will be weeded out. In another way, it is horrible for android development, because those that do not have time, nor money to invest will get lost in the shuffle if they cannot buy a dev or unlockable device. I wish you the best man.
Can you guys learn to help instead of standing here complaining? For example, learn to deal with the All-PKG QHSUSB-DLOAD, download crap, be fearless and flash onto your device....
https://m.youtube.com/watch?feature=youtu.be&v=KyDnN3_hAmA
do u have root for 4.4.4?
do u have root for 4.4.4?
kaifkhan15 said:
do u have root for 4.4.4?
Click to expand...
Click to collapse
Yes.
http://forum.xda-developers.com/showthread.php?p=60085162
Sent from my locked but not stocked XT1080.
kaifkhan15 said:
do u have root for 4.4.4?
Click to expand...
Click to collapse
I use Kingroot to get my phone rooted. However, I failed to install TWRP by Flashify.
lwang9 said:
I use Kingroot to get my phone rooted. However, I failed to install TWRP by Flashify.
Click to expand...
Click to collapse
You rooted your phone but your phone's bootloader was still locked.
damiloveu said:
You rooted your phone but your phone's bootloader was still locked.
Click to expand...
Click to collapse
Im pretty sure he has an unlocked bootloader and then used kingoroot to Root.
method for 6-7.7
Hello, is it possible to get root for Droid mini with SU 6-7.7 somehow?
not as far as i know. not wp off full root at the very least. i have two droid maxx stuck on that same firmware with some success with temp root with kingroot, but reboot kills it. the newest firmware doesn't even do that.
Sent from my DROID Turbo using XDA-Developers mobile app
Nothing is updating.
Sent from my Nexus 6
I just got couple Fire HD 8 6th Gen tablets for my kids, and thought I'd flash them right away with a custom ROM. I was quite disappointed with the absence of development for this tablet.
Anyway, as far as I understood from reading the forum (and I just started, sorry if I missed something), the first problem is the factory locked bootloader. And it sounded from a post I read like it's something that cannot be solved: http://forum.xda-developers.com/hd8-hd10/help/rooted-boot-img-t3508316 (bootloader locked discussion starts at the bottom of the 1st page).
Well, I am definitely not a pro in mobile development (I work on server side software for living), so I beg your pardon if I'm wrong. But unlocking a locked bootloader is not something unheard of.
So, I was wondering, if it could be done for other device, then probably it can be done for this one too. And the fact that it has not been done yet could mean for example, that this device is somehow different. Or, it could mean that there was no one yet with enough expertise AND the device at hand to do it.
So if the latter is true, and it's just lack of attention from good developers. Then I guess it could be arranged to donate a device to a reputable XDA dev. A dev that would be interested in having a challenge. And a free device.
I would definitely pitch in, and if you would too, please tell. And if you know an XDA dev who has expertise to do it, please tell too, and give an example of their work.
All the above is open for discussion of course, constructive suggestions would be much appreciated.
The 7" is locked but got a lot of love and is now rootable. If the guys at Kingroot that interest, we might see something but otherwise not. Until rooted, not much point porting a ROM.
So I suppose the proposition is to send a device to KingRoot guys?
...in China.....
I was wondering how the issue of locked encrypted bootloader was solved for other Fire devices. Here's how it's been done for Fire HDX 8.9: http://forum.xda-developers.com/kin...bootloader-unlock-procedure-software-t3030281 . I suppose the bug used in this method has been fixed already, this is just a demonstration that it can be done.
That was cracked using a crypto bug. Basically exploiting a weakness in the RSA encryption of the bootloader's signature. It's incredibly rare for encryption to get totally broken like this, and easily patched with system updates. Kinda got lucky on that one. Best thing to hope for first is root, then try to find a way around the bootloader's protection. These keep getting exponentially harder, and there's a lot more money on developing protections than breaking them.
I received one as a gift. I will probably never use it unless its opened up.... i mean im appreciative that someone gifted me it. But I become really upset by the fact that samsung and amazon... all the big players really lock up their bootloader and force me onto some ecosystem when i know the tablet or device could work just so much better. Anyways, if there is anything i can contribute let me know...
Download the Kingroot App then run it. After running it once or twice it will ask you to send a device request. Root may eventually be achieved for the 6th Gen but that may be as far as it gets. Very unlikely that the bootloader will be unlocked. Amazon actively puts a lot of effort into keeping them locked. Its been a while since any newer version of these Fire bootloaders have been unlocked. The HD 8 5th Gen is about 2 years old and the only thing thats been achieved was root and that was done by Kingroot..... But hey nothings impossible....
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
What's the vulnerability?
Plain and simple the software needs removed.. doesn't that apply to the devs policy's which they agreed to here on xda not to publish anything which may be a threat to someone... So you know what should of happened is the devs should of removed the software right away. That never happened so I've lost all faith in theses devs and publishers of official software threads...
I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened
sliding_billy said:
I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened
Click to expand...
Click to collapse
I ignore all posts that don't make sense like the OP's and this thread.
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
First, there are no Oreo roms. Secondly, the devs who support our phones for free owe you nothing. Lastly, you need more than 12 posts to be taken seriously about anything around here. And, you can never post enough to attain the right to throw around accusations about the devs who, again, support our phone for free.
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
Tell us how you really feel!
Windows people ?
Sent from my Pixel using XDA-Developers Legacy app
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
If this is the case all root and bootloader exploits need removing also.
Any bootloader exploits or method of rooting without and unlocked bootloader is a SIGNIFICANTLY large security risk.
Sent from my Pixel using Tapatalk
Are we going to remove ALL the old ROMs from XDA? SHEESH.
In before the lock.
One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.
Pixelxluser said:
One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.
Click to expand...
Click to collapse
Nobody hacks individual phones. They hack companies and clouds.
****! Hey, can y'all hold it for just a moment? Need to run to the store real quick. I'm out of popcorn.
Seriously, though, just simply rooting your phone is a security risk. Also, from what i've seen, the majority of ROM users are smart about what they download. It's the general public that downloads mischevious apps that spread viruses. And as someone else mentioned, the malware and viruses don't target one person's phone. They are free floating and latch onto whatever moron downloads it. Your phone is not exactly the best place to download all your porn
But seriously, there are exploits with every security patch...it's the reason we get them every month, lol. Android is great and I love it but the OS itself is full of holes that malware developers consistently take advantage of.
Couldnt say this better myself..
Security is engineered into everything we do
Our goal is to make Android the safest computing platform in the world. That's why we invest in technologies and services that strengthen the security of devices, applications, and the global ecosystem.
It's also one reason Android is open source. Being open allows us to tap into a global network of security talent full of innovative ideas that help make Android safer every day. Security experts around the world can review our code, develop and deploy new security technology, and contribute to Android’s protections.
As the Android ecosystem evolves, we continue to invest in leading-edge security ideas. And we want to share our knowledge openly with you. Explore below to learn about the latest technologies and information that help secure Android.
Adrian Ludwig
Director of Android Security
Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
With some custom ROMs whether or not the have the Sept security patch is probably the least of your problems, if security is a concern of yours... you should be more concerned with things like;
- what keys are they using to sign their ROM (Apks included). Did they generate their own private signing keys and platform keys, or did they just use a devkeys or keys provided in the SDK?
- what changes have they made to aosp sources or not integrate (or revert) that could reduce security?
- have they messed with android's security or permissions model?
- have they included legacy code (like forward porting), that may have been dropped in the first place do to being insecure (legacy mediaserver without seccomp integration).
- have they modified selinux policies in ways that potentially could open up attack vectors.
- does the ROM have odexing enabled? The fact is, odexing while useful for booting/loading programs faster, also has the side benefit of making an apk harder to tamper with...
- have any changes that have been made been audited, or verified for correctness?
...and the list goes on. You are worried about a monthly security patch, with a handful or two of fixes for CVEs, yet make no mention of far bigger concerns that may be present in XYZ custom ROM.
Just saying.
contribute to Android’s protections. Is one thing which is lacking from what I see... I hope you understand that there are underaged people who don't know any better about what's best for them and come running off to try to be the cool kids by rooting or adding unsecured software on their phones.. rooting is so crazy to do now a days you're all really going to the extremes by bypassing security features just so you can have root... That's not the message the younger generation should be taught... They should be taught the importance of how security works not 50 ways to bypass it... There's not a feature out there which Google wouldn't consider adding officially but also Google doesn't go off and use unofficial code to pull features from it would look bad for their business..
And as long as there's a community of underaged people who do go off and root and install unsecured software you might wanna lead by example and provide them with the best security you can... A child with unsecured software is scary that someone would open up security holes for them to be a possible victim and the best you're actually willing to do is try to remove yourself from the responsibility of being responsible for it by saying if you install our software you are responsible for any damages. You can't just publish something then go out and say you take no responsibility when by law you're still responsible for any damages cause you never legally got you're software that way...
Since you're the ones distributing the software you're liable for damages if there was a defect in you're product which was distributed.. security flaws and security bypasses count as defects in a product..
Distributorship and Liability
Even though the distributor is not responsible for manufacturing a product, it can be held liable in the event of defects. Under strict product liability laws, the seller, distributor, and manufacturer of a defective product can be held liable if a person is injured due to the defect. Though manufacturers are typically most responsible since they created the product, the liability can also fall to those that distribute or sell the defective items.
This liability law prevents the plaintiff from the need to prove the chain of supply. In order for any entity in the line of distribution to prove it has no fault, it would need to show which entity is actually responsible for the defect
I suggest you stick with Windows dude
The only thing your posts are good for is making people spit their coffee with humour, and embarrassing yourself.
Sent from my Pixel using XDA-Developers Legacy app