“Nexus S has been rooted, let the madness commence!” proclaims Engadget. “This is only possible because Android's security is crap and it's exploited easily to gain root priviledges [sic]” adds a commenter.
You’ll have to excuse me if I strongly disagree.
The Nexus S, like the Nexus One before it, is designed to allow enthusiasts to install custom operating systems. Allowing your own boot image on a pure Nexus S is as simple as running fastboot oem unlock. It should be no surprise that modifying the operating system can give you root access to your phone. Hopefully that’s just the beginning of the changes you might make.
Legitimately gaining root access to your device is a far cry from most rooting exploits. Traditional rooting attacks are typically performed by exploiting an unpatched security hole on the device. Rooting is not a feature of a device; rather, it is the active exploitation of a known security hole.
Android has a strong security strategy, backed by a solid implementation. By default, all Android applications are sandboxed from each other, helping to ensure that a malicious or buggy application cannot interfere with another. All applications are required to declare the permissions they use, ensuring the user is in control of the information they share. And yes, we aggressively fix known security holes, including those that can be used for rooting. Our peers in the security community have recognized our contribution to mobile security, and for that, we are extremely grateful.
Unfortunately, until carriers and manufacturers provide an easy method to legitimately unlock devices, there will be a natural tension between the rooting and security communities. We can only hope that carriers and manufacturers will recognize this, and not force users to choose between device openness and security. It’s possible to design unlocking techniques that protect the integrity of the mobile network, the rights of content providers, and the rights of application developers, while at the same time giving users choice. Users should demand no less.
Click to expand...
Click to collapse
http://android-developers.blogspot....id+Developers+Blog)&utm_content=Google+Reader
All because of a comment.
Related
http://www.gamesindustry.biz/articles/us-government-rules-iphone-jailbreaking-legal
(You need to register, it's free but still, here's the article):
The US copyright office has modified the Digital Millennium Copyright Act to allow the bypassing of security measures on various electronic devices – including mobile handsets such as the Apple iPhone.
This effectively means that iPhones and iPads may be legally 'jailbroken', thus enabling the installation of games and programs that Apple has not sanctioned or has actively banned from the App Store.
This is despite the hardware company's previous attempt to claim jailbreaking violates its copyrights.
Similarly, Android devices may now be 'rooted'. The amendment also permits the software modification of "video games accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works."
However, such circumventions are only permitted under specific circumstances. The installation of illegally obtained – i.e. pirated – software remains a no-go, so the exemption solely applies to lawfully-obtained applications that cannot otherwise be installed to a device.
Additionally, the purpose of any bypass should be "primarily to promote the security of the owner or operator of a computer, computer system, or computer network."
In other words, to test for security flaws or vulnerabilities. However, mobile devices carry an additional permission: "enabling interoperability of such applications, when they have been lawfully obtained, with computer programs on the telephone handset."
The extent to which a jailbreak would need to prove either security or interoperability was their purpose in the unlikely event they went to court is unknown for now, as are the repercussions of developers hacking Apple devices to test their as-yet unauthorised applications.
However, it will likely prove a blow to a company that has fought hard to retain tight control of software installations on its portable gadgets.
While jailbreaking is now permitted under certain circumstances, it will still void the warranty of a device
Alec Meer
Deputy Editor, GamesIndustry.biz 27/07/2010 @ 09:04
Click to expand...
Click to collapse
Nice post FRiKiNFRoG i'm loving it, can't wait to get my X10a rooted, just about a week old but hav'nt had the time to sit down and take care of it. Hope it's the same for Canada.
Ok so I have another noob question. Do I need some kind of firewall and antivirus program on my tab? I mean I spent a ton protecting my laptops and desktops, so is the tab already somehow pretty well protected or do I need something?
And if so what do you recomend
Sent from my SCH-I800 using XDA App
Get Lookout from market, it's free. Thats what I use as a antivirus program. It has some other extra features with it too.
By default Android does not accept connections from the outside unless you tell it to.
So for a firewall, to stop applications from accessing the internet (wifi or 3G) you can try Droidwall. It doesn't work with ClockWorkMod though because of the older version of busybox built in to it. So if you are not using ClockWork for your recovery, it should work.
There are very few (only heard of one so far) viruses that have hit smartphones as of yet. But it is good to be prepared.
you do NOT need an antivirus for an android device as it is present... All those reports you see of viruses on android are done by the company MAKING the antivirus software
drksilenc said:
you do NOT need an antivirus for an android device as it is present... All those reports you see of viruses on android are done by the company MAKING the antivirus software
Click to expand...
Click to collapse
What do you mean it is present? I didn't know android came with antivirus software. Yes, I have heard teh argument that antivirus software company are the ones making the viruses. But the fact is ( whatever the truth is) if you get hit with one, its still a pain. Since its free for now, go for it.
PS. Viruses has been on a decline though for computers and none made for smartphones yet. Lol maybe symanctec is had to cut cost and got rid of their programmers. I know Mcafee just got sold to Intel. Or maybe they are all waiting for the right time to release them when everyone's guard is down. Do I smell conspiracy Either eay, if the stuff on your phone is important, protect it.
You don't need one.
bpt888, drksilenc didn't mean the antivirus app makers were making viruses, he said that they were the only ones reporting on them.
What has been reported so far have not actually been viruses. It seems you have fallen into the trap those who make apps like lookout want people to fall into.
They report on things like, apps requesting device id's etc. You can see that an app will do this by looking at the permissions it asks for. eg, no need for an "antivirus" app.
If you actually read the "virus" reports from these companies, you'll see nothing is needed.
There are no viruses on Android.
None
Zero
Nil
Android anti-virus programs are a worthless waste. Actually less than worthless, as these useless programs just slow down your system for no benefit.
Android isn't Windows, it doesn't have holes the hackers can easily drive through.
If you concerned about your privacy install firewall (Droidwall for example) and tune its setting to block wallpaper or some other apps connecting to somebody you don't know.
Sometimes applications request internet access without good reason raising doubts in their purpose.
You will need to obtain root privileges to run firewall. Ironically this might lower your Tab protection against network intrusion. However, none of this is known threat unless you unknowingly install trojan and any other malware.
No virus software needed. Seriously it is a waste of time.
Sent from my SCH-I800 using XDA App
Geletis said:
Android isn't Windows, it doesn't have holes the hackers can easily drive through.
Click to expand...
Click to collapse
Sorry, but this is just FUD.
Windows is far more secure than most people give it credit for - it's just that it is the target for 99% of all attacks because it is so ubiquitous.
If and when Linux achieves some sort of relevance on the average consumer desktop, I'd expect to see a lot more attacks targeted its way and a corresponding increase in security issues.
Regards,
Dave
foxmeister said:
Sorry, but this is just FUD.
Windows is far more secure than most people give it credit for - it's just that it is the target for 99% of all attacks because it is so ubiquitous.
If and when Linux achieves some sort of relevance on the average consumer desktop, I'd expect to see a lot more attacks targeted its way and a corresponding increase in security issues.
Regards,
Dave
Click to expand...
Click to collapse
I agree, but surely the way that Linux (and Android) is made makes it inherently more secure? Without root access there's not much that can be done to truly compromise a Linux system, and Android sandboxes everything
TheGrammarFreak said:
I agree, but surely the way that Linux (and Android) is made makes it inherently more secure? Without root access there's not much that can be done to truly compromise a Linux system, and Android sandboxes everything
Click to expand...
Click to collapse
I agree there's a certain degree of additional security provided by sandboxing, but we've already seen APKs (e.g. Z4Root) that can gain root access, so it's not infallible. It is one of the reasons that I use Chrome on all platforms - if you check out Pwn2Own, Chrome has yet to fail, and that it mostly due to sandboxing - however, it is not a panacea!
There is definitely an element of "security through obscurity" around non-Windows OS's. Note the use of the word "element" - I'm not saying that Linux or any other OS are insecure, just that they are attacked less than Windows.
The point is that modern Windows is far more secure than most people realise - any OS given the same amount of attention by the "bad guys" in comparison to others. Vulnerabilities exist in all OS's and will continue to found and exploited.
I'm in full agreement that currently the real security threats on Android are down to users not paying enough attention to the permissions that an app requests when it is installed, but this will likely change as Android gains popularity.
I do pay attention to the apps I install, so I personally don't feel the need for any kind of security suite on Android at present.
Regards,
Dave
Cool, thanks for your thoughts.
Sent from my Galaxy Tab
2.2.2 has a security fix
http://www.engadget.com/2011/03/02/google-spikes-21-malicious-apps-from-the-market-with-big-downloa/
thoughts?
My thoughts are simple: Sprint needs to get its **** together and release an official 2.3 release. And Google needs to consider some sort of authentication program for apps to be distributed in the Market.
Certainly don't want to cut the independent developer community off, but it shouldn't be their responsibility to release new versions of essential operating software that contain fixes that disable malicious exploits. They are here to enhance our user experience.
The manufacturers need to be concerned about what the deleterious effects of outdated software can open their networks to. After all, these apps had full internet access, as I've heard. Who knows if, say a DDOS attack (or something worse), could be possible using phones, and what kind of effects that could have on the stability of the entire Sprint network.
As for Google, I'm not suggesting that the Market be completely walled-off, but maybe having something like "Google Approved" or "Verified Secure" or something, would give us users more confidence that apps come from verified and vetted sources. We could still install things not verified -- at our own risks -- but at least we'd have a choice and be able to proceed with better, more complete information.
TonyArmstrong said:
My thoughts are simple: Sprint needs to get its **** together and release an official 2.3 release. And Google needs to consider some sort of authentication program for apps to be distributed in the Market.
Certainly don't want to cut the independent developer community off, but it shouldn't be their responsibility to release new versions of essential operating software that contain fixes that disable malicious exploits. They are here to enhance our user experience.
The manufacturers need to be concerned about what the deleterious effects of outdated software can open their networks to. After all, these apps had full internet access, as I've heard. Who knows if, say a DDOS attack (or something worse), could be possible using phones, and what kind of effects that could have on the stability of the entire Sprint network.
As for Google, I'm not suggesting that the Market be completely walled-off, but maybe having something like "Google Approved" or "Verified Secure" or something, would give us users more confidence that apps come from verified and vetted sources. We could still install things not verified -- at our own risks -- but at least we'd have a choice and be able to proceed with better, more complete information.
Click to expand...
Click to collapse
+1 but i also think they should make an official malware scanner.
Rydah805 said:
+1 but i also think they should make an official malware scanner.
Click to expand...
Click to collapse
This.^^^^
I'm an Android convert (from iPhone), and my great fear is that the very openness we enjoy could expose us to very nasty ****. I don't wanna be locked down, but I do want some manner of enhanced security.
That malware scanner in combo with some sort of developer authentication and/or verification program would be excellent.
Vulnerability Allows Attackers to Modify Android Apps Without Breaking Their Signatures
This might be the reason why the new MF2 and ME6 are not downgradable and why the 4.2.2 update was delayed.
Source->http://www.cio.com/article/735878/V...ndroid_Apps_Without_Breaking_Their_Signatures
IDG News Service — A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from San Francisco mobile security startup firm Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.
When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.
The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post.
"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.
The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that's signed with the platform key -- the key that manufacturers use to sign the device firmware.
"You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.
Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.
Forristal confirmed that one third party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on them, he said.
Google declined to comment on the matter and the Open Handset Alliance did not respond to a request for comment.
The availability of firmware updates for this issue will differ across device models, manufacturers and mobile carriers.
Whether a combination of device manufacturers and carriers, which play an important role in the distribution of updates, coincide to believe that there is justification for a firmware update is extremely variable and depends on their business needs, Forristal said. "Ideally it would be great if everyone, everywhere, would release an update for a security problem, but the practical reality is that it doesn't quite work that way, he said."
The slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users. Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws.
Judging by Android's patch distribution history so far, the vulnerability found by the Bluebox researchers will probably linger on many devices for a long time, especially since it likely affects a lot of models that have reached end-of-life and are no longer supported.
Click to expand...
Click to collapse
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Key phrase here is "for apps not installed through the google store". Hence not an issue for a large fraction of users. Total case of FUD. Someone must be wanting to sell some av software.
Sent from my GT-N7100 using Tapatalk 4 Beta
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
Well, X-Ray scanner either does not detect this latest security flaw or N7100 (as of DM6) is allready patched.
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literally hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
djmcnz said:
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literry hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
Click to expand...
Click to collapse
Ahh! Thats the answer I was waiting for (and from a Recognized Developer). I knew XDA Devs were using this method. My new question is.. If they fix it will it be harder to create Mods? Will it slow down development?
Shouldn't this be posted in the generals forum?
Kremata said:
If they fix it will it be harder to create Mods? Will it slow down development?
Click to expand...
Click to collapse
I suspect so. If they fix it properly it would become impossible to change any aspect of the app without signing it again. If you wanted to maintain compatibility with the original then you'd need the developer's keys.
At the moment really only the manifest and some metadata within the apk is signed, if they extended that to the entire contents of the apk many mods (think themes for stock Google apps etc) are screwed unless users are happy to relinquish Play Store links and updates (i.e. backward compatibility).
Google may not go this far and may only choose to authenticate the code (smali) rather than all of the apk contents (graphics, strings etc), this approach would leave room for some mods to survive. Remains to be seen.
I have the 2012 Note 10.1 for personal use and have come to the unfortunate resolution that Android just isn't going to cut it from a business perspective. I am not putting the full blame on either the manufacturers or Android itself but without timely updates to a specific platform, I can not justify the use of these in a production environment. There is no way company can justify replacing their hardware yearly, or regularly, in order to get the latest features and security fixes that are provided in updates. Ignoring the additional features for the time being, from a security stand point there has to be a way to patch the devices in a timely manner. The additional features being provided drives the developers to migrate to the newer operating systems and leaving the old systems behind. A lot of times this creates a huge disadvantage in the fact you can run a particular application on one Android device but is unsupported on another.
Now to be fair. I am focusing on Android in this post but have tested Microsoft and iPad devices as well. All have certain advantages and disadvantages but the clear loser so far has been Android. If Android is going to survive in the business world, the manufacturers are going to have to step up and maintain their products actively for at least the full two years of their life expectancy.Android itself will have to hold the manufacturers accountable for keeping their devices maintained. From a personal use perspective, I think it is a great platform and love my Note 10.1. Would I like to see it get updated, I would love to see 4.4.2 on the device to allow me to run application I need that are no longer compatible with 4.1.2. However, I require vulnerability patches in a timely manner and that just isn't happening.
My last job had hired a full time developer to build a custom ROM and patch or update when needed for all the tablets being used on the floor. This approach worked for them because there was only one model in use across all departments.
You should blame Samsung for the late major update for GT-N80XX.
Android actively pushing regular update (minor & major).
Actually Samsung also pushing regular update, but it's only 1 major update (ICS to JB) & some minor/security updates.
If a business used the nexus tablets, they wouldn't have this problem.
theatomizer90 said:
If a business used the nexus tablets, they wouldn't have this problem.
Click to expand...
Click to collapse
Not necessarily true. Most current android version is 4.4.4 while my N7 LTE still sits at 4.4.3 with no update even spoken of. So if a business has data enabled tablets, they're still behind current version.
What OP posted doesn't really apply to large businesses. Between KNOX and other third party equivalents sensitive data is sandboxed and doesn't rely on the core B2C version of the OS to protect it. As much as Google may see Android's potential in the business environment no one I know in IT at a bunch of Fortune 1K companies is looking at mobile OS's (either Android or iOS) to replace desktop/laptops as "standard" issue. Tablet and smartphone apps have niche opportunities (commercial pilot manuals and logs, flight attendant passenger service tools, gate agent/hotel staff roaming terminals, sales people inventory access, remote staff automated forms, etc.) but migrating the entire enterprise to mobile architecture just doesn't make sense. So Android can't lose anything it never had and, outside Google's wishes, isn't seriously considered for. The lack of Chromebook adoption by the enterprise demonstrates their disinterest.
BarryH_GEG said:
What OP posted doesn't really apply to large businesses. Between KNOX and other third party equivalents sensitive data is sandboxed and doesn't rely on the core B2C version of the OS to protect it. As much as Google may see Android's potential in the business environment no one I know in IT at a bunch of Fortune 1K companies is looking at mobile OS's (either Android or iOS) to replace desktop/laptops as "standard" issue. Tablet and smartphone apps have niche opportunities (commercial pilot manuals and logs, flight attendant passenger service tools, gate agent/hotel staff roaming terminals, sales people inventory access, remote staff automated forms, etc.) but migrating the entire enterprise to mobile architecture just doesn't make sense. So Android can't lose anything it never had and, outside Google's wishes, isn't seriously considered for. The lack of Chromebook adoption by the enterprise demonstrates their disinterest.
Click to expand...
Click to collapse
Not sure if I totally agree with the application only being a niche market. I work for a call center and find that the tablets are becoming an indispensable tool. We have people walking the floor with these devices and using them to keep track of various statistics as well as using them to report potential issues. The ability to pull up data about current client information to respond in an almost instant manner has shaped things drastically. Having a sandbox is really great for protecting certain information, such as email, etc.. but can not protect the device data in flux, such as web browser content. If the system is compromised and access to the file system is obtained then all the data previously obtained becomes available to the attacker. Some measure can be made such as requiring Citrix as your primary form of connectivity but you are only pushing the security back to another device. The focus of this article was to point out the shortcomings of the this tablet as it pertains to the lack of updates.
Don't get me wrong, I truly love Android and will continue to use it as a personal device. However, there is no way I can risk releasing these devices into a production environment without the proper support. And yes, I blame the manufacturer for release and forget, and I blame Android for not enforcing the manufactures to keep these update. It is crucial to both parties to work together and produce something that is not just desirable but maintained for a reasonable amount of time. If Android could come up with a way to provide updates to devices directly and bypass the manufacturer they would have an unbeatable platform.
Zeab said:
Not sure if I totally agree with the application only being a niche market. I work for a call center and find that the tablets are becoming an indispensable tool. We have people walking the floor with these devices and using them to keep track of various statistics as well as using them to report potential issues. The ability to pull up data about current client information to respond in an almost instant manner has shaped things drastically. Having a sandbox is really great for protecting certain information, such as email, etc.. but can not protect the device data in flux, such as web browser content. If the system is compromised and access to the file system is obtained then all the data previously obtained becomes available to the attacker. Some measure can be made such as requiring Citrix as your primary form of connectivity but you are only pushing the security back to another device. The focus of this article was to point out the shortcomings of the this tablet as it pertains to the lack of updates.
Don't get me wrong, I truly love Android and will continue to use it as a personal device. However, there is no way I can risk releasing these devices into a production environment without the proper support. And yes, I blame the manufacturer for release and forget, and I blame Android for not enforcing the manufactures to keep these update. It is crucial to both parties to work together and produce something that is not just desirable but maintained for a reasonable amount of time. If Android could come up with a way to provide updates to devices directly and bypass the manufacturer they would have an unbeatable platform.
Click to expand...
Click to collapse
Anytime a serious security breach that can be used from without to effect changes on a device have come to light I have seen updates come out on all my tablets and phones, which is blessedly rare. Android does not operate in the way you are thinking. There is no need to constantly shove out security updates like windows. The system is pretty well secure unless you unsecure it yourself, new versions of the OS usually just add functions, however there is a current (when is there not?) RUMOR of a adobe bug on all versions of android lower than 4.0. Personally I still prefere windows for business simply because of ease of function and with baytrail cpu's and even more promising hardware coming this year I find no reason not to use windows for hard business needs if your business can benefit from tablet use. There are a plethora of cheap windows tablets coming and the current hp omni 10 is powerful enough to suit any light tablet buisness needs for just 299.00 if your business needs more power pay the premium for a surface pro with a full on i3,5,7 cpu fully capable of doing the work of a high end laptop. All that said, I feel Android is if anything more secure than a windows machine. Nothing comes in unless you invite it. Updates not needed until such time as Android can add base functionality in the realm of windows 7, and it is close imho.
Check the trends
Have to agree with Zeab. The university I work for is now supporting apple mobile devices but not android. And despite my having pressured for some support, what support is was for android devices is disappearing. Why ?
Android from one device to the next is different enough to make support difficult if not impossible. Providing advice on connections to secure servers and use of common software falls foul of the same issue.
Android device manufacturers have attempted to sequester their market by creating difference, but all they'll achieve is failure. Add to that the early obsolescence they have engineered and android is dying, even as its market share grows!
We now as a family have windows, apple and android devices. If I include TVs and media devices the list lengthens. The only option that provides continuity of operating system and software, and longer term support with updates is Apple. Given the way Microsoft has gone off the rails with windows 8.1 (I really do believe that OSs should make my computing experience easier, not harder), I think we will be going Apple in the future.