I've noticed that I seem to be missing a few updates that I expected I'd be one of the first in line for as a Nexus 4 owner.
Firstly, the Master Key vulnerability fix doesn't seem to have reached my phone. At least, according to Bluebox security scanner.
Secondly, I still have no visibility of the new Google Maps redesign.
My phone is a generic operator free Nexus 4 running stock (custom kernel though). Anybody else still waiting, or have I fallen off the automatic updates conveyor belt so far?
Where are you from? App updates from Google reach different parts of the world at different times.
thisisgil said:
I've noticed that I seem to be missing a few updates that I expected I'd be one of the first in line for as a Nexus 4 owner.
Firstly, the Master Key vulnerability fix doesn't seem to have reached my phone. At least, according to Bluebox security scanner.
Secondly, I still have no visibility of the new Google Maps redesign.
My phone is a generic operator free Nexus 4 running stock (custom kernel though). Anybody else still waiting, or have I fallen off the automatic updates conveyor belt so far?
We are sailing in the same boat. Rooted with only custom recovery rest stock.
vanmarek said:
Where are you from? App updates from Google reach different parts of the world at different times.
Based in the UK. If you've had the vulnerability patch already, did it come in the form of an app download or an OTA update?
I'm in the UK and had the Maps update the day it was released.
thisisgil said:
Based in the UK. If you've had the vulnerability patch already, did it come in the form of an app download or an OTA update?
Google hasn't released a patch for the vulnerability, that's why you haven't gotten it. All they have done so far is release the code to their OEMs so they can patch their individual versions of Android. More than likely Nexus devices will get the patch in the 4.2.3 OTA whenever it gets released. In the meantime there is an app in the Play Store, ReKey, that will address the vulnerability. Or you could just turn off install apps from unknown sources in the security settings, which will also take care of the issue temporarily.
As for the other app updates they can take up to 2 weeks to deploy to all phones.
Related
Researchers at Bluebox Security have revealed a disturbing flaw in Android's security model, which the group claims may affect up to 99 percent of Android devices in existence. According to Bluebox, this vulnerability has existed since Android 1.6 (Donut), which gives malicious app developers the ability to modify the code of a legitimate APK, all without breaking its cryptographic signature -- thereby allowing the installation to go unnoticed. To pull off the exploit, a rotten app developer would first need to trick an unknowing user into installing the malicious update, but hackers could theoretically gain full control of a user's phone if the "update" posed as a system file from the manufacturer.
Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit -- which suggests that a security patch may already exist. Forristal further claims that Google is working on an update for its Nexus devices. In response to our inquiry, Google told us that it currently has no comment. We certainly hope that device manufacturers do the responsible thing and distribute timely security patches to resolve this issue. Absent that, you can protect yourself by installing updates through the Play Store and Android's built-in system update utility.
Source:
http://www.engadget.com/2013/07/04/bluebox-reveals-android-security-vulnerability/
They just read this here and on an Australian news website, news.com.au, they recommend:
So what can I do about this?
- Do not allow apps from unknown sources. To do this go to Settings, Security and untick "allow unknown sources".
- Well, the news isn't good. Until further notice, news.com.au recommends that you don't download any non-Google apps.
- Bluebox has recommended that users update their operating system to the latest version.
- Also, if you have any apps which store your personal information such as credit card or PayPal information (like eBay, Amazon or Etsy), you should remove this information immediately.
- Remove any personal information from your phone (do you have your credit card pin stored in your notes? Get rid of it)
Crap advice for majority of users I feel.
Most users will have 'unknown sources' off by default but they advise not to download any non Google app even from the Play market, as mentioned elsewhere in the article.
They say to update your phone, how easy is that to do when carriers and manufacturers don't release up to date firmware for phones..
That is fine for people like us that flash new Roms all the time but for normal folk it's not a viable solution.
I don't really think the threat is so great, going by those that report such though we all had better stop using android..
I am more concerned with apps using other apps' permissions/data flaw
and Google Play update/install protocol being not encrypted/catchable and falsifiable.
Regarding what is stated in the article, this was known almost day 1, which is why from the beginning Android said don't install non market stuff. And it has also been known crapware has entered the market.
So all in all, it's an obvious article.
Sent from my GT-N7000 using Tapatalk 2
I totally agree baz77, this has been known for a very long time now. There are also quite a few apps in Play that are "crapware".
The issue has been fixed on Google's side and CyanogenMod (08/07 nightly and yesterday's security release CM10.1.1.)
Now, it is up to the OEMs to follow
I guess I got it wrong, it is a separate issue, glad the pros getting it fixed, they need to be applauded! Salute!
Sent from my GT-N7000 using Tapatalk 2
Just read this article
http://www.news.com.au/technology/gadgets/samsung-galaxy-devices-vulnerable-to-keyboard-exploit/story-fn6vihic-1227402233319
Discovered by American mobile security specialists NowSecure, the SwiftKey keyboard that comes pre-installed with a number of Samsung Android devices allows easy access for hackers to attack.
I was just about to buy a Samsung Galaxy S6 Edge, however there do not appear to be any ROMs that allow original (AOSP) Android to be installed. Apparently because of the CPU Samsung use.
Are stock Android ROMs ever going to become available?
My SM-G925I does not come with Swiftkey :/ But anyway I thought if you just update the Swiftkey in Play Store, it will be fixed?
I never had swiftkey on any of my galaxy devices I guess it's just one phone provider or more likely a journalist looking for a story
Sent from my SM-G925F using Tapatalk
I believe it should be easy to fix. I cannot try because I have have Swiftkey preinstalled but I believe these are the methods you can try...
1. Update the Swiftkey to the one on Play Store.
2. Disable the Swiftkey application. I believe all non Samsung system applications and some of Samsung's system applications should be able to be disabled. Swiftkey shouldn't be a problem...
3. You are here on xda so chances you will be rooting your phone I assume? If you have root, you can just uninstall it.
tanjiajun_34 said:
I believe it should be easy to fix. I cannot try because I have have Swiftkey preinstalled but I believe these are the methods you can try...
1. Update the Swiftkey to the one on Play Store.
2. Disable the Swiftkey application. I believe all non Samsung system applications and some of Samsung's system applications should be able to be disabled. Swiftkey shouldn't be a problem...
3. You are here on xda so chances you will be rooting your phone I assume? If you have root, you can just uninstall it.
Totally overblown vulnerability article today on Swiftkey. Firstly I seriously doubt 600M phones have it. I just checked 8 Samsung phones from various carriers - Sprint, Verizon, US cellular - S3, S4's, S5's, Note 2 and 3's and out of those 8 only one had Swiftkey on it. Easy to uninstall or Freeze if rooted. I take this as a punch back from someone on the Apple fan club finding a minor and hard to exploit vulnerability in android since Apple just got hit big in the last week or so. If you didn't find one of the articles detailing this exploit here's the skinny: It only can be exploited if you are on Wifi and on the same Hotspot or router as a would be hacker. That hacker needs to do some fairly complex stuff to spoof a Swiftkey server and your phone has to be trying to download a language pack update. I'd say there is about a 1 in 600 million chance of that happening
iSheep will find a way to blow things out of proportion to make samsung look bad
It's actually not the SwiftKey keyboard that has the vulnerability. SwiftKey have licensed some of their prediction technology to Samsung and it is actually the stock Sammy keyboard that can be exploited.
Yes. So, If I freeze or uninstall Samsung keyboard, vulnerability should be gone, right? I don't use that keyboard anyway.
Sent from my SCH-I545 using XDA Free mobile app
Update: Samsung reached out to us to announce that it will soon patch the vulnerability through Knox. Read the full statement below:
Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.
Source: Phone Arena
Hi there is already a fix posted by Samsung. You can go to lock screen security in settings then other security settings. Make sure it is on auto update.
http://www.google.com/url?q=http://...sntz=1&usg=AFQjCNFKhxsYgn6q9FoAWKdu9YpevXN_Fw
Do I get these updates with a rooted phone?
Had the Nexus 6P - but even with Franco kernel and normal use battery life wasn't long enough. Saw the release of the S7 Edge unlocked which was great so I went and picked it up from best buy last night. Big reason is the monthly update cycle and keeping everything patched from a security standpoint without the Verizon bloat and slow release cycles.
Went to check the patch level and saw "Android security patch level: May 1, 2016". Checked for updates and there are none.
Anyone else experiencing this? Appears to be missing June for sure and the newly released July security patches.
kennedyd013 said:
Had the Nexus 6P - but even with Franco kernel and normal use battery life wasn't long enough. Saw the release of the S7 Edge unlocked which was great so I went and picked it up from best buy last night. Big reason is the monthly update cycle and keeping everything patched from a security standpoint without the Verizon bloat and slow release cycles.
Went to check the patch level and saw "Android security patch level: May 1, 2016". Checked for updates and there are none.
Anyone else experiencing this? Appears to be missing June for sure and the newly released July security patches.
Yeah mine has the same update. Does yours have the briefing feed on the left of your home screen? I noticed mine doesn't like the carrier ones do.
Same here..
Alaris said:
Yeah mine has the same update. Does yours have the briefing feed on the left of your home screen? I noticed mine doesn't like the carrier ones do.
Yep - same with me - no briefing feed when you swipe left - nothing there.
Wonder what's happening - would hope Samsung provides updates to their own phone...?
I'm guessing it's because the phone just came out that they haven't released an update with the latest security patches yet. They probably have to set up their update servers for this new phone and a bunch of other behind the scenes stuff to get updates rolling. I would assume that it will get something within the next couple weeks and then continue to keep up with the other variants.
Does this variant of the S7 Edge have an unlocked bootloader?
No unlocked bootloader - just not tied to an individual carrier i.e. verizon, etc. with the extra bloatware.
Still no updates yet to the SM-G935U.
Ended up returning it and going back to my Nexus - no updates really sucks.
Has anyone figured out how to get briefing on the left screen? I used that a lot and I can't get it to work. Even went to the Play Store and Samsung store, got briefing but it won't let me enable it on the home screen settings...?
I've gone round and round with Samsung support about this particular unlocked device. The bottom line is that they are saying OTA updates for these devices might not be available because those are normally pushed through the carrier. They suggested to use their Smart Switch tool to apply updates. Even though this is a terrible idea and they should use OTA (with the invention of non-carrier WiFi these days), I checked using this tool and surprise... there were no updates available.
I'll spare everyone the entire conversation, but this is how it ended:
"We understand. If you have an unlocked the latest updates for firmware and security can be done through Smart Switch. If you have checked for an update using Smart Switch and there aren't any currently available, we couldn't speculate on when that may change. In many cases this wouldn't be delivered OTA because OTA updates are normally pushed by carriers. Unlocked devices may not be able to get updates directly from the carrier currently being used. ^Jay"
Mine just updated today with the August 1st security patches. If I had to guess, they waited until the Olympics were over since they handed these unlocked devices out to every athlete in attendance and they didn't want them receiving updates during the event.
Hopefully now that the unlocked models have received their first update, they will continue to get regular updates at the same time as other variants.
Just checked for update - 164.13 MB (G935V flashed to G935U)
Interesting
secsquirl said:
Mine just updated today with the August 1st security patches. If I had to guess, they waited until the Olympics were over since they handed these unlocked devices out to every athlete in attendance and they didn't want them receiving updates during the event.
Thanks for posting this one, that's good to hear. I wonder if they will proceed further. Good to hear Samsung's infrastructure will support updates in the future. I wonder if it's only for security patches or if they will do incremental updates to OS as well, like Android N for example.
Just got this tonight. I didn't have automatic update turned on but I checked and this showed up. Idk if I should do it or not.
I'm on T-Mobile with the SM-G935U. I got the update a few weeks ago and now it shows the Aug 1,2016 Android security update.
As far as root and bootloader unlock, should I not do the update or just go for it?
Can the SM-G935U be flashed using DFS Tools? Do these codes bring up the diag menu?
##3424#
###366633#
Can someone please try those codes and see if the diag menu shows.
Thanks
PapaDocta said:
Can the SM-G935U be flashed using DFS Tools? Do these codes bring up the diag menu?
##3424#
###366633#
Can someone please try those codes and see if the diag menu shows.
Thanks
Those codes don't bring up anything. Neither does *#0*# - I'm still on the damned May 1, 2016 Security update and it doesn't seem to think I need one.
Hi, what's the latest security patch level? I just got my phone and after the firmware update it is showing 1-Apr-2017. My company is not permitting me to access Exchange due to old security patch level. What is the latest version and is there a way to force it or install it somehow? Thanks.
April 1st is the current patch level.
Thanks for the response, this will be a problem for me then as our admins will require the patch to be installed in a week or 2 after being released by Google.
samitro said:
Thanks for the response, this will be a problem for me then as our admins will require the patch to be installed in a week or 2 after being released by Google.
Your admins seem a bit clueless when it comes to updates on android phones, let alone non-pixel phones.
In most cases, the patch level will be 15 to 20 days behind on the flagships in unlocked regions with no carrier bs.
The gap widens as major upgrades loom in (ex: from 6.0 to 7.0).
The s7 was left on an old security patch for a few months until 7.0 came out with the latest ones.
Oh, and as the device becomes older, updates switch to 4 month cycles, check the samsung security website for more details on what devices are on what release cycles. Currently, this is anything older than the S6.
EDIT: Link: http://security.samsungmobile.com/introsm.html
Not so good I was looking forward to move away from my iPhone. Thanks anyway.
I purchased an S8 and found out that the security patch is outdated and is not supported by my employer
OP are you using Microsoft Intune/Company Portal to handle your Exchange account?!
May release is already out since 25th~ of May in some (if not most by now) markets, run an update.
JaeMelo said:
OP are you using Microsoft Intune/Company Portal to handle your Exchange account?!
No, my company required Airwatch MDM to access corporate email.
Skander1998 said:
May release is already out since 25th~ of May in some (if not most by now) markets, run an update.
My S8 is the USA unlocked version. No update till now. (Already checked)
sabaatworld said:
No, my company required Airwatch MDM to access corporate email.
My S8 is the USA unlocked version. No update till now. (Already checked)
Can you please screenshot your settings -> software info page?
sabaatworld said:
I purchased an S8 and found out that the security patch is outdated and is not supported by my employer
Your employer is an idiot if he thinks all android phones will be on the latest security patch, only the pixel is updated monthly.
Skander1998 said:
Can you please screenshot your settings -> software info page?
Here you go
peachpuff said:
Your employer is an idiot if he thinks all android phones will be on the latest security patch, only the pixel is updated monthly.
My employer doesn't require I use any specific phone, they require that the phone I use on their network be patched with the latest OS Security patch (whether Android, Apple or Microsoft). That doesn't make them an idiot, it makes them conscious about data-loss/breaches. As a consumer of technology you REALLY want that.
More employers are requiring that mobile phones have monthly security patches applied. So far only Apple and Google fit the bill. Google has even cranked up the price of their mediocre flagship because they KNOW this. All the other mobile manufacturers are just handing the business market to Apple and Google by being blind to this.
And I can verify what the OP said. I just purchased an Unlocked S8+ and the security patch level is April 1, so it's 2 months behind the Samsung promised "monthly security patching".
Received a firmware update today plus security patch for June
Now you can easily hide the nav bar for immersive experience. Very nice addition.
mbashat said:
Now you can easily hide the nav bar for immersive experience. Very nice addition.
It's a very welcome addition and saves messing around with adb commands to get the full immersive experience, shame though that you cannot enable or disable it yet on a per app basis.
daleski75 said:
It's a very welcome addition and saves messing around with adb commands to get the full immersive experience, shame though that you cannot enable or disable it yet on a per app basis.
I have checked and the good news is that you do have the option to select which apps run in full screen mode. Not all apps are supported though.
To do this select Settings>Display>Full Screen Apps.
mbashat said:
I have checked and the good news is that you do have the option to select which apps run in full screen mode. Not all apps are supported though.
To do this select Settings>Display>Full Screen Apps.
That's something else and only means the app is filled to the 18.5:9 screen ratio. That was there since launch of the S8(+).
my last was april... shame Samsung...
https://www.armis.com/blueborne/
Glad I got some Bullets V2 from OnePlus. My Soundpeats QY7 Bluetooth headphones are great and all, but the Bullets are just as good if not better.
Also, this bug won't affect us since it'll be fixed by the time we get Oreo, anyway.
HampTheToker said:
...
Also, this bug won't affect us since it'll be fixed by the time we get Oreo, anyway.
Currently that bug is fixed in various AOSP versions (from 4.4 to latest) ONLY if your security patch level is September 5. If it is not September 5 you are vulnerable and you should be concerned about it.
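An added example, not code from any poster in this thread: a sketch of the check discussed above, comparing a device's security patch level with a required level and applying the one-to-two-week grace period one poster's admins use. The function names, the 14-day default and the publication dates are assumptions; `ro.build.version.security_patch` is the standard Android property (Android 6.0 and later).

```python
import subprocess
from datetime import date, datetime, timedelta

# Layouts handled: the raw property value plus the spellings quoted in this
# thread ("May 1, 2016", "Aug 1,2016", "1-Apr-2017"). Commas are dropped first.
_FORMATS = ("%Y-%m-%d", "%B %d %Y", "%b %d %Y", "%d-%b-%Y")


def parse_patch_level(text):
    """Turn a patch-level string into a date, or raise ValueError."""
    cleaned = " ".join(text.replace(",", " ").split())
    for fmt in _FORMATS:
        try:
            return datetime.strptime(cleaned, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised patch level: {text!r}")


def read_patch_level_via_adb():
    """Read the level from a USB-attached device with debugging enabled.

    An empty reply (property absent) ends up as ValueError in the parser.
    """
    out = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True, timeout=15,
    ).stdout
    return parse_patch_level(out)


def evaluate(device_level, required_level, required_published, today,
             grace_days=14):
    """Return (status, days_overdue) for one device.

    Full dates are compared, not just year and month, because one bulletin
    month can carry two levels (the 1st and the 5th) and a device on the
    1st does not have the fixes that first appear in the 5th.
    """
    device = parse_patch_level(device_level)
    required = parse_patch_level(required_level)
    if device >= required:
        return ("compliant", 0)
    deadline = required_published + timedelta(days=grace_days)
    if today <= deadline:
        return ("grace", 0)  # behind, but still inside the grace window
    return ("blocked", (today - deadline).days)


if __name__ == "__main__":
    # Patch levels are the ones quoted in the thread; the publication date
    # and "today" values are constructed for the example.
    published = date(2016, 8, 1)
    for today in (date(2016, 8, 10), date(2016, 8, 25)):
        print(today, evaluate("May 1, 2016", "2016-08-01", published, today))
```

Pass the output of `read_patch_level_via_adb()` formatted with `.isoformat()` as `device_level` to check a connected phone instead of a typed-in string.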
xclub_101 said:
Currently that bug is fixed in various AOSP versions (from 4.4 to latest) ONLY if your security patch level is September 5. If it is not September 5 you are vulnerable and you should be concerned about it.
Just like everyone was concerned about Stagefright and Dirty COW. Yeah, they are vulnerabilities, but no real world examples of them being used maliciously.
Sent from my OnePlus 3T using XDA Labs
MrMeeseeks said:
Just like everyone was concerned about Stagefright and Dirty COW. Yeah, they are vulnerabilities, but no real world examples of them being used maliciously.
Sent from my OnePlus 3T using XDA Labs
Stagefright was a vulnerability where you had to download a specially-crafted video and play it with the default video player, so extensive user interaction was needed. Dirty COW was seen in the wild on Linux machines but again the user needed to actively run native code from a program in order to elevate and gain root.
BlueBorne is slightly different in that the user does not need to do anything other than have his Bluetooth active, something that every Android user with a smart watch or a pair of Bluetooth headphones has.
The fact that we do not know of any exploits in the wild does not mean that such exploits do not exist, there is a limit up to where you can just fool morons into installing free wallpaper apps.