99% android devices vulnerable. Desire Z too. - G2 and Desire Z General

The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.
proof: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
ROM: gen.y_vision_WWE_2.42.405.4_R1.3-EXT4 vulnerable.
I think, HTC will not update stock ROM, can i hope what xda developers will be update her ROMs?

As I understood this news, it must be user triggered. Someone must choose to install such an apk.
And most people that install from apk dont check the author of files anyways, so no big thing.
And if Playstore is in any way affected now or not, I do not know because I do not use it.
It always depends on how the stores/sites you get your apps from maintain a consistent trust relationship to app authors.
Would really be nice if a "Who is who and who made what" menu would be included into cm or aosp.

I think you are more or less safe when you stick to commonly used apps in the Play store. OTOH I had a app once that had notification ads in it, kind of spam.

The new ILWT CM7 supposedly has it fixed. Build 879

Unfortunately, Android accounts for 79% of phone malware and has become the new prime target. This really makes me think that having a good AV on my phone is important, yet how many of us don't? (including me!) Any recommendations that anyone has tested?

Come on, had anyone been hacked or smth?
We should just check software before installing, but i suppose google does it for us.

Related

Google vs. Cyanogen -- retarded

Few things about the Android as background;
1) Android is open source and is enough to run a device on its own.
1a) People will argue that it isn't, that proprietary binaries are required. This is a *hardware dependent* argument. Blame HTC for having proprietary closed source binaries. 'Droid works fine on an openmoko using all open source software. http://wiki.openmoko.org/wiki/Android
2) Not all of what is on your phone is actually part of AOSP, i.e. *market*, *gmail*, etc.
3) Open and closed source components can exist in the same system without conflict.
4) Any particular organization can develop BOTH open AND closed source components, and these can, in fact, exist in the same system without conflict.
The situation:
Cyanogen has been issued a cease and desist order by Google related to inclusion of closed source Google apps in "CyanogenMod ROMs".
The legal situation: These closed source apps are not licensed to Cyanogen for redistribution. Google does have the legal right to restrict distribution of said apps.
Why now: The most obvious recent change that could have prompted this order to happen now is the inclusion of the as-of-yet unreleased MARKET app. This market app, being unreleased, is in an unknown state. This app may not be finished testing, i.e., it may be quite buggy, to the point where it could do all kinds of nasty things, like MULTIPLE-CHARGING of customer's when they buy paid apps, releasing payment and/or account information to unauthorized targets, failure to put secure apps into secure locations or other vulnerability allowing easy copying of protected apps, OR OTHER vulnerabilities. That being the case, Google may be *WORRIED ABOUT POTENTIAL PROBLEMS* in the new market app (rightly, as it may not have completed testing and/or may have KNOWN issues).
Why the order against *all* closed-source apps: This is simple. How can they order the removal of *just one*? If they order the removal of *just* the new market app, the legal implication is that the other closed source apps *can* be redistributed, i.e. precedence is 9/10ths of the law -- they would be closing the door on the enforcement of those apps in the future, i.e., for security reasons since regarding the closed source apps, Google is legally liable for their correct function.
So would the ignorant people talking about how evil Google is for doing this, PLEASE STOP spewing your mouths off regarding things that YOU DON'T UNDERSTAND? You're not helping anybody.
EVERYONE should read this.
I will admit, this post made me re-think what is really going on. He is just the first to get a finger shook at him, the rest will follow unless the developers and Google get stuff squared away.
i still think google is acting like asswholes though.
I do to but thank you for looking at things clearly unlike alot of other people inlcuding my self at first but once i started thinking about the new market i understood google
Just curious here but can an open source app be developed to access Market? Or are the codes for accessing Market closed?
Makes sense now, Google Just don't want to be responsible for something like customer's info being stolen.. and have the masses calling or infront of their door with pitch forks inhand,,
Then,
Why didn't Google say this?
Instead, they patronize and belittle the community.
http://forum.xda-developers.com/showpost.php?p=4609612&postcount=3
I don't mean to attack the OP with this post.
It's just a question.
Most likely because they are a dev or a lawyer. They just don't like speaking English. They have to say it all complicated and then have someone else translate it for them.
i think that this is from a stupid lawyer team, and google just sent it for legal reasons, i think the dev team has nothing to do with this.... isnt this why the created android, to have an open source platform.... i think Cyanogen and google just need to come to a compromise, either that or we just dont use googles apps even though half of them have better counterparts in the market
i do know this, the law is the law. Is the law always perfect, hell no. Cyanogen did no wrong. He helped out every single one of us running an android powered phone.
Could something wrong happen with an experimental build? Ofcourse. That is why he has his own disclaimer. If you are smart enough to root your phone, you should be smart enough to realize potential dangers in running leaked and/or experimental code.
Google is being a douchebag for their actions. Htc doesnt issue cease and desist orders for all of you running hero and that directly involves their sales in their phones. How many windows mobile roms are on this xda forum? How many have been ordered by microsoft to stop distributing their work?
To me it is ridiculous google is doing this. I know they are legally right but that doesnt mean they should screw us early adopters of their software with lame and slow updates and a product that is obviously inferior to the coding and development of one man with the help of a few others.
The reason i bought my g1 instead of an iphone or windows mobile phone was because of this community. Now all of us have had the benefits of cyanogen in one way or another. I dont want to be a douchebag as well and not speak up for a man who has helped me out when he had no reason to do so
honestly cyanogen would have probably been fine had he left the new market out. fact is our phones came with the old version and thats what we payed for when we got them. if say on the g1 t-mobile decides not to offer and upgrade to 1.6 then that means there not going to pay google to have the new app on our phones so if we hack it and throw it on anyway then google doesnt make there money and we are in every way STEELING IT. if you worked for and got payed by google i bet it would upset you if people were steeling your product that you worked hard to create.
so do i agree they should force him to rethink some of his newer roms? yes
but i think the older ones that just have software our phones already came with should be left alone
AND i think we should be aloud to purchase the new software from google if we want it.
but google search google maps and all that crap has nothing to do with this as you can get them all FREE online this is probably 99% the new app being on peoples phones that didnt pay for it. you bought the original market when you bought your phone thats why google hasnt had a problem untill now.
everything set aside i love cyanogens work i love my 4.0.4.... i HAVE 4.1.11.1 saved i will probably even install it just to check it out if he doesnt come out with a stable version which is what i was waiting for. but if he comes out with a non google stable version i have no problem installing my old market onto it, i already have it backed up and ready to go. i payed for it and im keeping it no matter what rom i run! and i hope he keeps doing his thing im all for him and love what he does and would even pay for it if i had to! i hope this doesnt stop him and i hope they work things out. if he wants money for all the work hes been doing im sure people wont blame him and as long as it gives him insintive to keep going im happy!
my two cents
cy has been perfecting their roms and now that they got the tools that they need they are going to plagerize his programming and impliment it into their next great g phone....and the only way to say its theirs is by getting rid of any shred of evid that is out there
i understand what Google is doing..its upsetting but they have a point, they gave us an OPEN SOURCE OS, thats good enough, the devs make it a better, more fun, experience...so just shrug it off, rid it of ALL closed source apps.
Google should than allow the All Google apps available to those with Google Experience phones(before customizing with a ROM), they could make you register with your phones EMEI (maybe? if possible).
Also so this obviously means his ROMs arent here on XDA...What is XDAs stand on the situation? Were they pulled by XDA or did Cyanogen pull them?
I don't know if this has been suggested before. I've seen dev-team on iphone doing something similar: why don't you make an "installer" script that takes all Google APKs from the device (which has stock image) then flash the rom and reinstall the APKs.. This way you don't have to distribute google apks. Not sure if that's possible if there is some kind of encryption protection on Google apps, just a suggestion .
No matter what it was a mountain made out of a mole hill.
id just like to see google allow open access to their market place.
then put all closed source google apps on there for download just like any other apps.
However from what I understand its not as simple as this as they arent just apps there is a whole framework that goes with it. bah.
MS never sent a takedown notice
MS never sent a takedown notice to xda-developers.
Ready.........Fight!
http://googlefight.com/index.php?lang=en_GB&word1=Google&word2=Cyanogen
wshwe said:
MS never sent a takedown notice to xda-developers.
Click to expand...
Click to collapse
That is the stupidest thing I've ever heard;
1) xda doesn't host any wimo roms.
2) xda doesn't develop any roms at all -- that is up to the individual who does so.
3) How the hell would you know? MS probably did some real *****y stuff like sending goons to the modder's home, harassing the modder's wives, and issuing threats like "stop doing this, don't tell anybody we threatened you, and pay up $10,000 or we're taking you to court over it".

Idea (regarding google apps and devs)

I saw (I can't remember where and even tried googling for a while and couldn't find it again) a website that lists packages for phone manufacturers. One was like, stock (like what's on the g1 w/"with google" branding) another one was custom ui etc (I am assuming the package used for motoblur and rosie). < or something that that effect.
Now my point: I am not sure the cost of these licenses, but I was thinking maybe one entity (xda for example). Could purchase a license (with donation money) and allow devs like cyanogen, maxisma, drizzy, jac etc operate under that license.
Not this is just an idea, I don't know too much about licenses and how they work etc. its just an idea to discuss.
CBowley said:
I saw (I can't remember where and even tried googling for a while and couldn't find it again) a website that lists packages for phone manufacturers. One was like, stock (like what's on the g1 w/"with google" branding) another one was custom ui etc (I am assuming the package used for motoblur and rosie). < or something that that effect.
Now my point: I am not sure the cost of these licenses, but I was thinking maybe one entity (xda for example). Could purchase a license (with donation money) and allow devs like cyanogen, maxisma, drizzy, jac etc operate under that license.
Not this is just an idea, I don't know too much about licenses and how they work etc. its just an idea to discuss.
Click to expand...
Click to collapse
thats a stopgap until Google decides to change the agreement for their closed source software. the real solution is a fully open source flavor of android with proprietary repositories (a la Ubuntu)
alapapa said:
thats a stopgap until Google decides to change the agreement for their closed source software. the real solution is a fully open source flavor of android with proprietary repositories (a la Ubuntu)
Click to expand...
Click to collapse
It's not a stop gap, this would actually be effective, as it would legally allow them to include those apps in the ROMs.
But, how much those licenses cost is a whole nother world.
Yeah, I posted this very suggestion in one of the first threads created about this topic. I even have some ideas about funding and possible non-profit status for the organization that acquires the license for distribution... but it was lost in the *****ing and moaning.
Yes I believe that would be a viable option as far as licensing goes there are a set terms to them that after has been agreed to like a contract can't change we would be fine. But as the case with Blizzard entertainment they can change and most likely will all the time. I aggree best option would to be make a full open source option that would allow us to operate without the google apps but that is very tricky as well, for service especially like YouTube that has terms of use and unless sactioned by them they don't want you using that service. It was for that reason why youtube downloader was pulled from the market and also violated ToS for downloading. No other youtube app has really poped up. Another solution like has pointed out in dev forum is to back them up from a google image already on the device. They specially said we can't distribute them. Currently I am trying to find the terms for it if any one can find for me that would be great. Another idea that I have was to make an application that would allow user to install what ever custom rom without google apps then find the approriate image from google for the device rom is installed on. Download that image ROM file and extract out google apps and install on the device. Since was ment for that and I or xda won't be distrubting the apps that might fall as acceptible in their terms. If anyone can find the terms I would greatly appreciate it.
TheArtiszan said:
Yes I believe that would be a viable option as far as licensing goes there are a set terms to them that after has been agreed to like a contract can't change we would be fine. But as the case with Blizzard entertainment they can change and most likely will all the time. I aggree best option would to be make a full open source option that would allow us to operate without the google apps but that is very tricky as well, for service especially like YouTube that has terms of use and unless sactioned by them they don't want you using that service. It was for that reason why youtube downloader was pulled from the market and also violated ToS for downloading. No other youtube app has really poped up. Another solution like has pointed out in dev forum is to back them up from a google image already on the device. They specially said we can't distribute them. Currently I am trying to find the terms for it if any one can find for me that would be great. Another idea that I have was to make an application that would allow user to install what ever custom rom without google apps then find the approriate image from google for the device rom is installed on. Download that image ROM file and extract out google apps and install on the device. Since was ment for that and I or xda won't be distrubting the apps that might fall as acceptible in their terms. If anyone can find the terms I would greatly appreciate it.
Click to expand...
Click to collapse
well if flash comes out next month we wont need the youtube app.
Lol have you tried hero w flash. Slow as hell
well that not the official version so it hard to say. yeah did but the hero builds seem slow to me.
Jacheroski2.1 was pretty quick once swapper and everything was setup correctly
TheArtiszan said:
Lol have you tried hero w flash. Slow as hell
Click to expand...
Click to collapse
yea but adobe plans to release flash 10 for android as early as october
I read that Cyanogen or someone is already working on a workaround..kinda. A backup program which will backup your currently legal device apps, and upon install of his bare-bones rom, restore the original device apps.
Things will be close to the same. Just a bump in the road. They should know, people will always find a way. Legal or not.

Android 2.2.2 Security

2.2.2 has a security fix
http://www.engadget.com/2011/03/02/google-spikes-21-malicious-apps-from-the-market-with-big-downloa/
thoughts?
My thoughts are simple: Sprint needs to get its **** together and release an official 2.3 release. And Google needs to consider some sort of authentication program for apps to be distributed in the Market.
Certainly don't want to cut the independent developer community off, but it shouldn't be their responsibility to release new versions of essential operating software that contain fixes that disable malicious exploits. They are here to enhance our user experience.
The manufacturers need to be concerned about what the deleterious effects of outdated software can open their networks to. After all, these apps had full internet access, as I've heard. Who knows if, say a DDOS attack (or something worse), could be possible using phones, and what kind of effects that could have on the stability of the entire Sprint network.
As for Google, I'm not suggesting that the Market be completely walled-off, but maybe having something like "Google Approved" or "Verified Secure" or something, would give us users more confidence that apps come from verified and vetted sources. We could still install things not verified -- at our own risks -- but at least we'd have a choice and be able to proceed with better, more complete information.
TonyArmstrong said:
My thoughts are simple: Sprint needs to get its **** together and release an official 2.3 release. And Google needs to consider some sort of authentication program for apps to be distributed in the Market.
Certainly don't want to cut the independent developer community off, but it shouldn't be their responsibility to release new versions of essential operating software that contain fixes that disable malicious exploits. They are here to enhance our user experience.
The manufacturers need to be concerned about what the deleterious effects of outdated software can open their networks to. After all, these apps had full internet access, as I've heard. Who knows if, say a DDOS attack (or something worse), could be possible using phones, and what kind of effects that could have on the stability of the entire Sprint network.
As for Google, I'm not suggesting that the Market be completely walled-off, but maybe having something like "Google Approved" or "Verified Secure" or something, would give us users more confidence that apps come from verified and vetted sources. We could still install things not verified -- at our own risks -- but at least we'd have a choice and be able to proceed with better, more complete information.
Click to expand...
Click to collapse
+1 but i also think they should make an official malware scanner.
Rydah805 said:
+1 but i also think they should make an official malware scanner.
Click to expand...
Click to collapse
This.^^^^
I'm an Android convert (from iPhone), and my great fear is that the very openness we enjoy could expose us to very nasty ****. I don't wanna be locked down, but I do want some manner of enhanced security.
That malware scanner in combo with some sort of developer authentication and/or verification program would be excellent.

Huge security vulnerability in Android / 99% of devices are affected

Researchers at Bluebox Security have revealed a disturbing flaw in Android's security model, which the group claims may affect up to 99 percent of Android devices in existence. According to Bluebox, this vulnerability has existed since Android 1.6 (Donut), which gives malicious app developers the ability to modify the code of a legitimate APK, all without breaking its cryptographic signature -- thereby allowing the installation to go unnoticed. To pull off the exploit, a rotten app developer would first need to trick an unknowing user into installing the malicious update, but hackers could theoretically gain full control of a user's phone if the "update" posed as a system file from the manufacturer.
Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit -- which suggests that a security patch may already exist. Forristal further claims that Google is working on an update for its Nexus devices. In response to our inquiry, Google told us that it currently has no comment. We certainly hope that device manufacturers do the responsible thing and distribute timely security patches to resolve this issue. Absent that, you can protect yourself by installing updates through the Play Store and Android's built-in system update utility.
Source:
http://www.engadget.com/2013/07/04/bluebox-reveals-android-security-vulnerability/
They ust read this here and on an Australian news website, news.com.au, they recommend;
So what can I do about this?
- Do not allow apps from unkown sources. To do this go to Settings, Security and untick "allow unknown sources".
- Well, the news isn't good. Until further notice, news.com.au recommends that you don't download any non-Google apps.
- Bluebox has recommended that users update their operating system to the latest version.
- Also, if you have any apps which store your personal information such as credit card or PayPal information (like eBay, Amazon or Etsy), you should remove this information immediately.
- Remove any personal information from your phone (do you have your credit card pin stored in your notes? Get rid of it)
Crap advice for majority of users I feel.
Most users will have 'unknown sources' off by default but they advise not download any non Google app even from the play market as mentioned elsewhere in article.
They say to update your phone, how easy is that to do when carriers and manufacturers don't release up to date firmware for phones..
That is fine for people like us that flash new Roms all the time but for normal folk it's not a viable solution.
I don't really think the threat is so great, going by those that report such though we all had better stop using android..
I am more concerned with apps using other apps permissions/data flaw
and google play update/install protocall being not encrypted/catchable and falsifyable.
Regarding what is stated in article, this was known almost day 1 which is why from beginning android said dont install non market stuff. And it has also been known crapware has entered market.
So all in all, its an obvious article.
Sent from my GT-N7000 using Tapatalk 2
I totally agree baz77, this has been know for a very long time now. There are also quite a few apps in Play that are "crapware".
The issue has been fixed on Google's side and CyanogenMod (08/07 nightly and yesterday's security release CM10.1.1.)
Now, it is up to the OEMs to follow
I guess I got it wrong, it is a separate issue, glad the pros getting it fixed, they need to be applauded! Salute!
Sent from my GT-N7000 using Tapatalk 2

CopperheadOS

Has anyone else seen this yet? It's a supposed secure OS for nexus devices. https://copperhead.co/android/downloads If anyone checks it out, let us know how it goes.
Wow I never seen this.:laugh:
Looks interesting, Im gonna check it further. Probably a AOSP based with some patches, fdroid, and some anti-gapps apps?
Most definitely curious as to how this runs....they want you to relock the bootloader though...????????????
Runs really nice. But there is no open source support for my android wear watch which I need.
No thank you. I would rather trust google and NSA, instead of some no name offshore company.
Sent from my Nexus 6P using XDA Labs
suhridkhan said:
No thank you. I would rather trust google and NSA, instead of some no name offshore company.
Sent from my Nexus 6P using XDA Labs
Click to expand...
Click to collapse
Toronto is off-shore?
Lol
Sent from my Nexus 6P using XDA-Developers mobile app
Locking the bootloader is good for your security.
Sent from a 128th Legion Stormtrooper 6P
toronto is offshore? do you think they live in igloos still aswell?
also this is just aosp with google signatures,
i tested for fun, boot animation is crap,
some lag going n settings,
no playstore access, no gapps at all from what i saw,
secure unsure, i dont know enough to rip apart the source and see if any holes from the company,
I was intrigued by Copperhead since reading about the Unaphone, another Google free operating system. Unlike Unaphone, whom's developers were providing it only for their proprietary hardware, when I saw CopperheadOS I knew I was going to try it for sure!
Previously running Resurrection, my phone already had an unlocked bootloader. Even if it hadn't, flashing Copperhead using the developer's instructions is very easy.
First impressions were good. The phone was noticeably more responsive, lacking google services normally running, and stable since the OS itself is based on stock which was considerably more stable than other roms I've tried. All the features you would expect from 6.0.1 are present and working. What is not preset however is the Google Play store or services! I didn't appreciate the implications of not having google services before actually trying to use a phone without them. Although it is possible to sideload gapps, one would rather negate the point of this ROM.
Poking around the settings the first thing I noticed were granular security settings with detailed descriptions. There is also a nice security versus performance slider for the layman. The idea of preventing exploits using the techniques in this rom is my main reason for using it.
After an evening of use, the vast majority of closed-source-paid apps I was able to replace with open-source alternatives. There are a few exceptions I am still trying to figure out, but overall, I think if you are willing to cut the google-cloud-services cord its worth a try. If you really must, most apk's for closed apps can be found and installed but these decisions should probably be weighed carefully.
I never realized my reliance on google and closed apps until I tried to use an OS that doesn't rely on them. Trying this rom is a good exercise in living off the google grid; or at the least driving the use of google services back into the browser.
At the end of the day this rom has its place for the privacy and security minded enthusiast, but for the average user, sticking to something with google services is probably more realistic.
longview41 said:
Toronto is off-shore?
Click to expand...
Click to collapse
pacman photog said:
toronto is offshore? do you think they live in igloos still aswell?
Click to expand...
Click to collapse
The 'offshore' part was simply a figure of speech.
What I mean is that if you don't trust google with your data, you have more reason not to trust an unknown company.
At least google is transparent about my data, and gives me control of how much I want to share with them. https://myactivity.google.com/myactivity
Installed it yesterday on a Nexus 5x and so far it runs great. It indeed seems really security orientated with no default root or GApps. Didn't try to activate xposed (which I hope will work) or related stuff yet but so far I intend to keep it.
Copperhead is trusted. They will be working with Guardian Project and Fdroid to build a complete system. Read this post for more info: https://copperhead.co/blog/2016/03/29/crowdfunding-partnership-announced
mg.degroot said:
Installed it yesterday on a Nexus 5x and so far it runs great. It indeed seems really security orientated with no default root or GApps. Didn't try to activate xposed (which I hope will work) or related stuff yet but so far I intend to keep it.
Click to expand...
Click to collapse
Please let us know if you're able to root, install xposed and still relock the bootloader.
mg.degroot said:
Installed it yesterday on a Nexus 5x and so far it runs great. It indeed seems really security orientated with no default root or GApps. Didn't try to activate xposed (which I hope will work) or related stuff yet but so far I intend to keep it.
Click to expand...
Click to collapse
Could you please share some screenshots... Would like to try the OS... But would like to see how it is ...
Also do you see the sRGB mode in developer options... Without it the colors on the Nexus 6P are inaccurate at best...
Stop asking about features or customisation options, this rom has none. Its about security, not features
kbBT4A5e said:
I was intrigued by Copperhead since reading about ...
After an evening of use, the vast majority of closed-source-paid apps I was able to replace with open-source alternatives. There are a few exceptions I am still trying to figure out, but overall, I think if you are willing to cut the google-cloud-services cord its worth a try. If you really must, most apk's for closed apps can be found and installed but these decisions should probably be weighed carefully.
I never realized my reliance on google and closed apps until I tried to use an OS that doesn't rely on them. Trying this rom is a good exercise in living off the google grid; or at the least driving the use of google services back into the browser.
At the end of the day this rom has its place for the privacy and security minded enthusiast, but for the average user, sticking to something with google services is probably more realistic.
Click to expand...
Click to collapse
Thanks for sharing your experience. So we have decide if security is really more important than our investment and dependency in the Google ecosystem. I depend on G too much. My email is like my passport or online identification. I dont sideload unknown or unverified apps, dont visit links i dont know about, etc. Yes, i can still be remotely exploited, but i am not a gov official or some sort of millionaire with top secret info on my phone, as most of us. You saved me couple of hours of my day
A little update since I've been running this for about 2 weeks. I sideloaded gapps and the phone has been running fine, but found out today while trying to install the latest OTA update from copperhead it fails to install due to inconsistencies detected in the system partition since I installed gapps; from a security standpoint this feature is great. Unfortunately I can't function without gapps. In order to get the latest security updates, which is probably more important than the security features cooked into copperhead, I must: reflash the device with the latest full image, install twrp, sideload gapps, restore the copperhead recovery, then reinstall all my apps.
This being the case to get OTA updates, unless you can really commit to opensource with no gapps its not really worth the hassle.
Using it for an extended period I did notice the device was a bit slow even on medium security settings. Originally I had it maxed right out, but it wasn't usable. On medium it was a small price to pay for security but its hard to quantify the value.
I think its time to return to an AOSP rom for me.
I'm running it currently runs great but I can't figure out how to fix the dreaded APN issues :\ Tried almost every fix on XDA haven't gotten Any dev help either :\ other than the lack of data its a great ROM. Apparently I'm not alone judging by the other post on XDA about this. Apparently this is a known issue with no real fix. Sucks since its the only reason I got this phone
Hi guys add me also 09945673600

Categories

Resources