Related
With the Moonlight source available at http://ftp.novell.com/pub/mono/sources/moon/, I'm curious as to how difficult it might be to compile and package Moonlight for use with the Xoom's browser. My university uses Silverlight/Moonlight for online lecture viewing (pretty sure the software they use is called MediaSite), and it would be awesome to be able to access these from my Xoom.
I run Ubuntu on all my PCs and I've been able to compile applications like MythTV, but I have no experience with Android in that regard. Any ideas?
I'm actually curious to know if that could work. I seriously doubt it, but if Silverlight could be added onto the Xoom's browser, it means that the Xoom could have Netflix support, until they block the Xoom.
Suntarus said:
I'm actually curious to know if that could work. I seriously doubt it, but if Silverlight could be added onto the Xoom's browser, it means that the Xoom could have Netflix support, until they block the Xoom.
Click to expand...
Click to collapse
Unfortunately, Moonlight doesn't support the DRM features required by Netflix that are present in Silverlight. It's the same reason why Linux users have issues getting Netflix working. Moonlight is decent, but the lack of DRM support makes it a little less useful for a home user.
Sent from my ADR6300 using XDA App
This may sound stupid, but since Silverlight is available for Google Chrome, and the browser on the Xoom (Honeycomb) is basically Chrome, is it possible to port Silverlight to it? I'm thinking while Silverlight is not open source, it might be possible to tweak the Honeycomb browser itself (which is open source) to better match it to Chrome (also open source), and thus provide us with Silverlight in some way.
Of course, doing this would be very difficult, and I'm not even sure that my idea is solid.
It's not possible. Silverlight is compiled for x86 platform and we don't have source code of it. Xoom has ARM processor which is much different.
I see.
Of course, there'll be a Netflix app for any Tegra 2 device (Xoom included) soon enough. ("Netflix is using the Tegra 2 development platform to bring the Netflix experience to Android super phones and tablets. We're working closely with NVIDIA to ensure Netflix takes full advantage of Tegra's outstanding acceleration and security capabilities." -- Greg Peters, Vice President, Product Development at Netflix)
But what about Moonlight? Same issue concerning x86 and ARM? The fact that Silverlight for Mobile exists means that there is a chance to get it working properly.
Suntarus said:
This may sound stupid, but since Silverlight is available for Google Chrome, and the browser on the Xoom (Honeycomb) is basically Chrome, is it possible to port Silverlight to it? I'm thinking while Silverlight is not open source, it might be possible to tweak the Honeycomb browser itself (which is open source) to better match it to Chrome (also open source), and thus provide us with Silverlight in some way.
Of course, doing this would be very difficult, and I'm not even sure that my idea is solid.
Click to expand...
Click to collapse
The Android browser uses the same rendering engine, WebKit, but it doesn't have that much in common with Chrome. Additionally, plugins like Flash and Silverlight need to be compiled for the OS, not the browser. Silverlight works in Firefox on Windows, but not on Linux.
Sent from my ADR6300 using XDA App
Moonlight on Android
This may sound stupid, but since Silverlight is available for Google Chrome, and the browser on the Xoom (Honeycomb) is basically Chrome, is it possible to port Silverlight to it? I'm thinking while Silverlight is not open source, it might be possible to tweak the Honeycomb browser itself (which is open source) to better match it to Chrome (also open source), and thus provide us with Silverlight in some way.
Of course, doing this would be very difficult, and I'm not even sure that my idea is solid.
The Android browser uses the same rendering engine, WebKit, but it doesn't have that much in common with Chrome. Additionally, plugins like Flash and Silverlight need to be compiled for the OS, not the browser. Silverlight works in Firefox on Windows, but not on Linux.
Click to expand...
Click to collapse
So I took up your question with Miguel De Icaza...having wondered this same thing myself just recently.....and his answer...
Miguel de Icaza
@marcelol<omitted> Don't think so.
7 minutes ago in reply to marcelol<omitted> from web
Click to expand...
Click to collapse
There you go folks....straight from the man himself. Pesky DRM will get ya every time.
Vulnerability Allows Attackers to Modify Android Apps Without Breaking Their Signatures
This might be the reason why the new MF2 and ME6 are not downgradable and why the 4.2.2 update was delayed.
Source->http://www.cio.com/article/735878/V...ndroid_Apps_Without_Breaking_Their_Signatures
IDG News Service — A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from San Francisco mobile security startup firm Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.
When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.
The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post.
"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.
The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that's signed with the platform key -- the key that manufacturers use to sign the device firmware.
"You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.
Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.
Forristal confirmed that one third party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on them, he said.
Google declined to comment on the matter and the Open Handset Alliance did not respond to a request for comment.
The availability of firmware updates for this issue will differ across device models, manufacturers and mobile carriers.
Whether a combination of device manufacturers and carriers, which play an important role in the distribution of updates, coincide to believe that there is justification for a firmware update is extremely variable and depends on their business needs, Forristal said. "Ideally it would be great if everyone, everywhere, would release an update for a security problem, but the practical reality is that it doesn't quite work that way, he said."
The slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users. Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws.
Judging by Android's patch distribution history so far, the vulnerability found by the Bluebox researchers will probably linger on many devices for a long time, especially since it likely affects a lot of models that have reached end-of-life and are no longer supported.
Click to expand...
Click to collapse
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Key phrase here is "for apps not installed through the google store". Hence not an issue for a large fraction of users. Total case of FUD. Someone must be wanting to sell some av software.
Sent from my GT-N7100 using Tapatalk 4 Beta
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
Well, X-Ray scanner either does not detect this latest security flaw or N7100 (as of DM6) is allready patched.
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Click to expand...
Click to collapse
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literally hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
djmcnz said:
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there's a literry hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
Click to expand...
Click to collapse
Ahh! Thats the answer I was waiting for (and from a Recognized Developer). I knew XDA Devs were using this method. My new question is.. If they fix it will it be harder to create Mods? Will it slow down development?
Shouldn't this be posted in the generals forum?
Kremata said:
If they fix it will it be harder to create Mods? Will it slow down development?
Click to expand...
Click to collapse
I suspect so. If they fix it properly it would become impossible to change any aspect of the app without signing it again. If you wanted to maintain compatibility with the original then you'd need the developer's keys.
At the moment really only the manifest and some metadata within the apk is signed, if they extended that to the entire contents of the apk many mods (think themes for stock Google apps etc) are screwed unless users are happy to relinquish Play Store links and updates (i.e. backward compatibility).
Google may not go this far and may only choose to authenticate the code (smali) rather than all of the apk contents (graphics, strings etc), this approach would leave room for some mods to survive. Remains to be seen.
https://9to5google.com/2016/11/11/google-pixel-hacked-pwnfest/
Google’s latest*Pixel*smartphone has been hacked by a team of hackers at the PWNFEST event. The Qihoo 360 team was able to demonstrate the ability to*achieve*remote code execution*to win a $120k prize.
The exploit launched the Google Play store before opening Chrome and displaying a web page reading ‘Pwned By 360 Alpha Team’ …*
The Pixel wasn’t the only thing*to fall victim at the*PWNFEST*conference: Microsoft Edge running under Windows 10 was*also hacked, and Chinese iPhone jailbreak team Pangu worked with JH to find*a*Safari exploit*that gave them root access on Apple’s macOS Sierra. Finally, Qihoo 360 also breached Adobe Flash with a combination of a decade-old vulnerability and a win32k kernal flaw.
There is no report yet of anyone successfully claiming the $180k available for an iOS 10/iPhone 7 Plus exploit.
All systems hacked were running the latest versions. Details of all the exploits will be passed to the companies concerned to enable the software*to be patched to prevent black-hat hackers using them for nefarious purposes.
Everything got hacked there. Not even really news anymore. Modern OS's including mobile and simpler systems now are all hackable. The only thing to really save us users is to try not to be a target.
I haven't had an update for my LG G4 in so long. Google has released many patches which fix extreme vulnerabilities with the Android OS, including a patch for the latest severe Broadcom exploit (common name: Broadpwn). This is a severe exploit: "The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Info about exploit: http://thehackernews.com/2017/07/android-ios-broadcom-hacking.html
More info about exploit: http://www.zdnet.com/article/iphones-and-ipad-owners-update-now-to-block-broadpwn-wi-fi-hack/
Android fix: https://source.android.com/security/bulletin/2017-07-01
According to this page (https://www.ifixit.com/Teardown/LG+G4+Teardown/42705), the LG G4 has the Broadcom BCM4339HKUBG 5G WiFi Client which would be affected by this exploit since it affects all BCM43xx chipsets.
Apple released iOS 10.3.3 to fix this.
Does anyone know if the Nougat update will incorporate this Android patch level? Is there any way to contact LG to force them to send an update which fixes this severe exploit?
gyrex said:
I haven't had an update for my LG G4 in so long. Google has released many patches which fix extreme vulnerabilities with the Android OS, including a patch for the latest severe Broadcom exploit (common name: Broadpwn). This is a severe exploit: "The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Info about exploit: http://thehackernews.com/2017/07/android-ios-broadcom-hacking.html
More info about exploit: http://www.zdnet.com/article/iphones-and-ipad-owners-update-now-to-block-broadpwn-wi-fi-hack/
Android fix: https://source.android.com/security/bulletin/2017-07-01
According to this page (https://www.ifixit.com/Teardown/LG+G4+Teardown/42705), the LG G4 has the Broadcom BCM4339HKUBG 5G WiFi Client which would be affected by this exploit since it affects all BCM43xx chipsets.
Apple released iOS 10.3.3 to fix this.
Does anyone know if the Nougat update will incorporate this Android patch level? Is there any way to contact LG to force them to send an update which fixes this severe exploit?
Click to expand...
Click to collapse
Man. This exploit may be the next new root method. We dont want it patched but yes julys security updates for g5 included this patch. Which most devices will get patched probly quite quickly
---------- Post added at 12:33 PM ---------- Previous post was at 12:32 PM ----------
As said lg already knows about it and sprint released an update for the g5 so the sprint g4 shouldnt be far behind
But rumor has it this may be the new root method for 7.0.
TheMadScientist420 said:
Man. This exploit may be the next new root method. We dont want it patched but yes julys security updates for g5 included this patch. Which most devices will get patched probly quite quickly
Click to expand...
Click to collapse
Um, yeh, I'd like my phone patched thanks. If/when someone develops a hack to use this exploit, I'd prefer not to have my phone and information exposed at public wifi points. LG needs to provide a patch for the G4 ASAP....
gyrex said:
Um, yeh, I'd like my phone patched thanks. If/when someone develops a hack to use this exploit, I'd prefer not to have my phone and information exposed at public wifi points. LG needs to provide a patch for the G4 ASAP....
Click to expand...
Click to collapse
Um yea why not open a thread with lg and not a modding community that tries to take advantage of every exploit we can find.
Again lg has already begun patching it. On some device. Tell em to patch yours next. See how fast is happens.
---------- Post added at 09:16 PM ---------- Previous post was at 09:15 PM ----------
Or get a iphone if ure worried about security.
Haha worrying about public WiFi vulnerabilities. Best way is to turn off. You are only aware of this because of publicity. Whereas the exploits you aren't aware of or never will be aware of can still effect you when WiFi radio is still on in public. There's stuff out there that you'd never see coming and no one will discover only because of the oblivious public
dontbeweakvato said:
Haha worrying about public WiFi vulnerabilities. Best way is to turn off. You are only aware of this because of publicity. Whereas the exploits you aren't aware of or never will be aware of can still effect you when WiFi radio is still on in public. There's stuff out there that you'd never see coming and no one will discover only because of the oblivious public
Click to expand...
Click to collapse
This bug or security risk affect all wifis from what i read ad long as an attacker is in range of ure device. Again from what i read. So public or private suposedly at risk.
gyrex said:
I haven't had an update for my LG G4 in so long. Google has released many patches which fix extreme vulnerabilities with the Android OS, including a patch for the latest severe Broadcom exploit (common name: Broadpwn). This is a severe exploit: "The most severe vulnerability in this [runtime] section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Info about exploit: http://thehackernews.com/2017/07/android-ios-broadcom-hacking.html
More info about exploit: http://www.zdnet.com/article/iphones-and-ipad-owners-update-now-to-block-broadpwn-wi-fi-hack/
Android fix: https://source.android.com/security/bulletin/2017-07-01
According to this page (https://www.ifixit.com/Teardown/LG+G4+Teardown/42705), the LG G4 has the Broadcom BCM4339HKUBG 5G WiFi Client which would be affected by this exploit since it affects all BCM43xx chipsets.
Apple released iOS 10.3.3 to fix this.
Does anyone know if the Nougat update will incorporate this Android patch level? Is there any way to contact LG to force them to send an update which fixes this severe exploit?
Click to expand...
Click to collapse
Much more details can be found here now: https://blog.exodusintel.com/2017/07/26/broadpwn/
successful exploitation requires the victim to either click on an untrusted link or connect to an attacker’s network and actively browse to a non-HTTPS site
Click to expand...
Click to collapse
And again another proof of what I say always and everywhere.
My following statement matches for both: Anti Malware software and installing security patches
Security patches have one exception to this though: when a security bug can be executed remotely without any user interaction.
In theory you can have a patch level of 1970 for your device as long as your device can not be remotely attacked without user interaction. The main point of I would say 90% of infections is just the user.
I do not want to offend you or anyone but I have to say it this direct hard way:
The best anti malware protection was / is / and will always be: ....YOU (your brain - think before you click)
Do not install dubious software.
Do not click on unexpected links send to you or from untrusted sources / users.
Do not open attachments which you do not expect to get (even when the sender is your friends address! keep in mind that he can be infected!).
.. or just simply: Use your brain before clicking and/or installing
Anti malware software is only a LAST RESORT and NOT your main protection!
That's what the most humans forget or just do not (WANT TO) know.
This is the same for smartphones or desktop PCs.
Click to expand...
Click to collapse
Regarding your question if LG will release that fix just take a look here:
https://lgsecurity.lge.com/security_updates.html
You will find that CVE listed in the July patch level for the G4 so yes it gets patched for this device but it depends on your carrier when.
.
steadfasterX said:
Much more details can be found here now: https://blog.exodusintel.com/2017/07/26/broadpwn/
And again another proof of what I say always and everywhere.
My following statement matches for both: Anti Malware software and installing security patches
Security patches have one exception to this though: when a security bug can be executed remotely without any user interaction.
In theory you can have a patch level of 1970 for your device as long as your device can not be remotely attacked without user interaction. The main point of I would say 90% of infections is just the user.
I do not want to offend you or anyone but I have to say it this direct hard way:
Regarding your question if LG will release that fix just take a look here:
https://lgsecurity.lge.com/security_updates.html
You will find that CVE listed in the July patch level for the G4 so yes it gets patched for this device but it depends on your carrier when.
.
Click to expand...
Click to collapse
Sorry, I have no idea what you're talking about. There's very little of what you wrote which makes any sense.
gyrex said:
Sorry, I have no idea what you're talking about. There's very little of what you wrote which makes any sense.
Click to expand...
Click to collapse
ask what you do not understand and I can explain.
.
gyrex said:
attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," Google describes in the July 2017 Android Security Bulletin.
Click to expand...
Click to collapse
If by "execute arbitrary code within the context of an unprivileged process", you mean executing something that can unlock bootloader in non H815 or H811 models, then you're onto something.
BIG_BADASS said:
If by "execute arbitrary code within the context of an unprivileged process", you mean executing something that can unlock bootloader in non H815 or H811 models, then you're onto something.
Click to expand...
Click to collapse
nope, I believe it means root access privileges, or being able read information that for example an wifi stack would not need (like your contacts, location etc.)
Levent2101 said:
nope, I believe it means root access privileges, or being able read information that for example an wifi stack would not need (like your contacts, location etc.)
Click to expand...
Click to collapse
Interesting. I'd like to see where this goes. Someone with non H815 or H811 should take backup of their current image before this gets patched.
I'm not sure if DirtyCow ever worked for rooting these tablets, but for those of us without root, there may be some light at the end of the tunnel.
"A flaw in the original patch for the notorious Dirty COW vulnerability could allow an adversary to run local code on affected systems and exploit a race condition to perform a privilege escalation attack.
The flaw in the Dirty COW patch (CVE-2016-5195), released in October 2016, was identified by researchers at the security firm Bindecy. On Wednesday, they released details of the vulnerability (CVE-2017-1000405) found in the original Dirty COW patch, affecting several Linux distributions."
The number of devices affected are significantly less than those which were vulnerable before.
Not applicable to Android, hence unlikely to work on FireOS I suppose.
In terms of scope, the difference is just that the current bug is not applicable to Android and Red Hat Enterprise Linux.
Click to expand...
Click to collapse
gabosius said:
Not applicable to Android, hence unlikely to work on FireOS I suppose.
Click to expand...
Click to collapse
Totally missed that. Oh well. I guess it wouldn't hurt to try if you feel brave enough.
DragonFire1024 said:
Totally missed that. Oh well. I guess it wouldn't hurt to try if you feel brave enough.
Click to expand...
Click to collapse
I did scan mine with few CVE scanners (which were a bit outdated), nothing useful found.
However, research on LP CVEs shows a fairly large amount of LPE exploits available in Mediaserver (mostly discovered in 2017), but not sure whether its applicable for FireOS though.
EDIT: Reference