Viewing 40 posts - 1 through 40 (of 43 total)
  • Android very insecure?
  • ratherbeintobago
    Full Member

    See here.

    Worrying if true. I suppose this is why Microsoft is copying the iOS model for Win 10 Mobile?

    CountZero
    Full Member

    It’s an open OS, which means it’s pretty much victim to all sorts of malware, Google not appearing to much give a toss about policing it. On the one hand, it does make it easy for people who know what they’re about to get inside and poke around and customise it to their own requirements, but on the other that leaves it very vulnerable to all sorts of iffy crap floating around that can catch users not conversant with technical stuff to get bitten in the ass*.
    It’s why I wouldn’t touch it with yours; I like to have a system where I’m not constantly having to be on my guard against apps being hijacked without me noticing.
    It’s a bit like the old joke about keeping an open mind; people will only come and fill it up with rubbish. 😆
    *See Windows, up until Win 8. Can I interest you in antivirus software, sir? 😉

    nickjb
    Free Member

    Insecure android?

    traildog
    Free Member

    Sorry, I’m not really understanding that reasoning behind open source.

    All operating systems are potentially open to a security risk, open source or not. The trouble with Android is that the manufacturers are more interested in pushing new hardware than updating their software. One of the reasons why I like a Nexus device, as the software is actually updated on it.

    But I know so many people not updating iOS because they will have to clear too much space to get it. Or people running Windows XP because it does everything they want and they see no need to update.

    thepurist
    Full Member

    So the fact that hundreds of millions of Android devices have had massive long-standing security flaws explains all those threads on the Web about people suffering the consequences after getting their phone hacked. Or maybe it’s not such a big issue outside the geek phone security testing labs, much like the recent news about controlling cars by hacking the DAB radios.

    Cougar
    Full Member

    It’s an open OS, which means it’s pretty much victim to all sorts of malware, Google not appearing to much give a toss about policing it.

    No, you’ve misunderstood. It’s nothing to do with Google / Android’s security model in this case.

    Google policing apps wouldn’t have prevented Stagefright, and “Android very insecure” could be straight out of the Daily Mail. It’s a bug pure and simple, something which could happen on literally any platform.

    This latest risk is a flaw in how MMS is handled (depending on your MMS app). It can be readily mitigated by disabling the auto-download of MMS messages. You should do that right now if you have an Android device.

    Of note also is that it’s not an in-the-wild exploit yet. Popular thinking is that it will be ‘released’ after a forthcoming security conference; I expect it will, and I expect that it won’t be widely patched by then. That will be Google’s failing.

    GrahamS
    Full Member

    Every system has its flaws but it’s not exactly the first time Android (and Google) have been caught with their pants down.

    Here’s an older story about apps with malware being discovered on Google Play:
    http://www.bbc.co.uk/news/technology-31129797

    And here’s a story explaining how malware on Android can infect other apps and steal credit card details:
    http://www.bbc.co.uk/news/technology-28544443

    Drac
    Full Member

    But I know so many people not updating iOS because they don’t know how to install it will have to clear too much space to get it

    😀

    ratherbeintobago
    Full Member

    Of note also is that it’s not an in-the-wild exploit yet. Popular thinking is that it will be ‘released’ after a forthcoming security conference; I expect it will, and I expect that it won’t be widely patched by then. That will be Google’s failing.

    But even if Google patch it, the manufacturers and carriers won’t push out the update promptly…

    mikewsmith
    Free Member

    Last week, I was hanging out with some hackers and security experts at a conference in Brooklyn when I took out my Sony phone.

    “Oh! The journalist uses Android. That’s secure!” said one guy next to me, in a highly sarcastic tone.

    Right then….

    Still happy enough with an Android phone.

    xiphon
    Free Member

    OpenBSD is an open-source operating system. All code is freely available to download and look at by anybody

    In the history of the operating system, they have only had 2 or 3 remotely exploitable weaknesses from the default installation (i.e. no customisation at all). Very impressive record!

    All the code written is audited by other developers, and then audited again by others, producing a bulletproof operating system. Thousands of people have contributed features/bug fixes/security fixes over the years.

    footflaps
    Full Member

    All the code written is audited by other developers, and then audited again by others, producing a bulletproof operating system.

    That’s the theory, but in practice most code isn’t audited by anyone – e.g. code which is almost universal turns out to have major flaws, such as the Heartbleed bug in OpenSSL or the latest remote crash exploit in BIND.

    willard
    Full Member

    The thing with stagefright is not that the OS is insecure, rather that it highlights the way that Android is not iOS. iOS gets centralised updates straight from Apple that have been fully tested for _your_ phone and _will_ work. If someone finds a vulnerability in iOS, it gets patched and gets released*.

    Android is a bit more complicated. Google uses what could be classed as a reference deployment (their Nexus kit), but everyone else has heavily modified versions, so any fixes have to come from them. If you want a fix for something, Google has to make it, release it to the repositories, then the manufacturer has to take the patch, then check it in, then release it. Then the carrier has to put it up for download, then you have to get it. That _will_ take ages, _IF_ they can be bothered for a £25 quid phone.

    That’s really the kicker… This thing has a relatively simple mitigation (see above), so why spend the money doing all that dev and QA for a phone that’s throwaway? From a business PoV it makes no sense. Morally, that’s wrong, I know, but money counts and it all comes off the bottom line.

    I’m not going to get drawn into open vs closed source for being more secure. There are arguments both ways and it’s like arguing full vs. coordinated disclosure. Both have advantages. I’d still say that iOS is arguably more secure than Android though, but only if it’s not been jailbroken.

    wors
    Full Member

    Yeah, someone is stealing my battery life out of my S5, charged last night, it’s gone down 7% in an hour without me even using it!

    willard
    Full Member

    That could just be poor signal. Or are you downloading pron in the background?

    Cougar
    Full Member

    The thing with Heartbleed is, it was very old software. As footflaps says, unless there’s a full security audit, it’s unlikely to get picked up today. New open source software on the other hand, theoretically at least, is more likely to be rigorously tested than something that’s been kicking around since the late Jurassic and “just works”.

    Yeah, someone is stealing my battery life out of my S5, charged last night, it’s gone down 7% in an hour without me even using it!

    The way modern battery technology works, it will charge to 100%, then stop. The battery will then drain a little, say 5%, and the charger will then kick back in to take it to 100% again, rinse and repeat. So it’s entirely possible to have your phone plugged in all night, come back in the morning and find that it’s not quite fully charged.

    willard
    Full Member

    Cougar, whilst I do generally agree with you, I’m not sure I fully do.

    We saw Heartbleed kick off a huge wave of interest in OpenSSL and its vulnerabilities and the resulting fixes show that it is primarily the newer versions (1.1.1 and 1.0.2) that have problems. The same thing with other open source components like QEMU with VENOM.

    Yes, older components have issues that have never been fixed because they ‘just work’, but they also tend to be more stable. Newer software will, just by its very nature, be flaky (sort of) and vulnerabilities will be there. Finding them might be a bit more of a challenge and exploiting them even more so, but they will be there.

    This is really the sort of conversation to have over several pints and a curry.

    aracer
    Free Member

    The interesting difference is that iOS might well have just as bad a flaw and you might not know about it – and whilst Apple do release updates, as mentioned above there are significant issues with them being rolled out (haven’t upgraded the iPad as it’s only 16GB and the update needs ~4GB which is far more than the free space and to be honest hadn’t considered that was the only way to keep it secure – not sure why they can’t just release a far smaller security patch if that is needed).

    thegreatape
    Free Member

    Is this something a bog-standard mobile phone customer needs to worry about while he’s trying to choose a new phone?

    mikewsmith
    Free Member

    No not really.

    thegreatape
    Free Member

    Cool

    aracer
    Free Member

    How would I do that? Can’t find an option. Only on 4.0.4 here (hence I’m never going to get an update, but was planning on rooting phone and doing Cyanogenmod which is suddenly rather more urgent)

    Cougar
    Full Member

    We saw Heartbleed kick off a huge wave of interest in OpenSSL and its vulnerabilities and the resulting fixes show that it is primarily the newer versions (1.1.1 and 1.0.2) that have problems.

    Yeah, perhaps not the greatest example, thinking about it. The vulnerability crept in between 1.0.0 and 1.0.1, which would’ve been (Googles) March 2012.

    This is really the sort of conversation to have over several pints and a curry.

    You’re not wrong. (-:

    Cougar
    Full Member

    How would I do that?

    Depends entirely on your messaging app, it’s application-specific. (Ie, look in the app, not in global Settings.)

    aracer
    Free Member

    Hmm OK, the only messaging app I’ve ever used is the default thing called “Messaging” and can’t see any options for MMS there – have never sent or received one (though it does seem to allow you to send them if you include a pic – I have no allowance, so upload to imgur and send links)

    Instructions I’ve found show you how to do it in Hangouts or Google Messenger – don’t think I have either of those.

    Cougar
    Full Member

    I’m using the default messenger (on HTC so may be HTC-specific, hard to be sure).

    On mine it’s (from the app), Settings / MMS / Auto-retrieve [].

    aracer
    Free Member

    Hmm again – have no settings at all for MMS in my messaging app. Neither do I have an option to select default messaging app. Looks like I have no control over this, either I’m vulnerable or I’m not, but I can’t stop auto-download of MMS if that’s what it does. All a bit rubbish – presumably a big issue for anybody with an old phone like mine.

    Looks like my only option is rooting, so I now have a really, really good reason to get on with that.

    Cougar
    Full Member

    I think if you were to install a third-party app, you’d be able to force that to take over from the default. (I used to do this with GoSMS on my previous handset as the bundled app was toilet.)

    Whether it’s worth the hassle is arguable though, I suppose. “Vulnerability” does not automatically imply “exploit,” time will tell whether it actually becomes a likely problem in the wild.

    There is an argument for just automatically rooting / custom flashing an older out-of-support device anyway. I’ve got Lollipop (CM12) running on my old Sensation as a backup phone, it’s given it a new lease of life and that’s a four year old handset.

    footflaps
    Full Member

    New open source software on the other hand, theoretically at least, is more likely to be rigorously tested than something that’s been kicking around since the late Jurassic and “just works”.

    I just don’t buy that at all, people just borrow OS modules and unless there is a problem, no one really delves into the code in any rigorous way as if they did, the benefit of nicking OS modules over just developing it yourself would shrink. The whole ‘Many eyes’ thing is just wishful thinking.

    aracer
    Free Member

    Ah well, the reason I was going to root is because I’m so short of space on the phone (have to delete data from Google Play in order to free up enough space to update apps I do use – I don’t use FB on phone* because installing the updates I need to run that leaves me without enough space to download mail) and wanted to clear out all the pre-installed junk I don’t use.

    *some might say that’s a good thing

    Cougar
    Full Member

    App2SD might help with that.

    What phone is it, out of interest?

    Tom_W1987
    Free Member

    Surely open source is more secure, eg a good linux distro?

    Isn’t the issue actually with closed source – where you don’t know whether microshaft etc are gathering every conceivable piece of data in relation to your personal life and or business? Open source allows people to poke around inside and see what is really going on.

    Cougar
    Full Member

    Open- vs closed-source is a very complicated topic…!

    Tinfoil hats aside, the default privacy settings in W10 are a bit terrifying. Worth hitting ‘Advanced’ when you get to this point of the install. (WHAT HAPPENS NEXT WILL SHOCK YOU!!1!)

    Tom_W1987
    Free Member

    Yeah and you can’t even lock down 10 properly unless you have enterprise….and even then….if I was in charge of R&D in a largeish business I don’t think I’d trust it? I’m not a programmer though, however surely Windows 10’s ability to do things like key logging with a simple toggle of a few lines of code makes it far easier to exploit?

    footflaps
    Full Member

    Open source allows people to poke around inside and see what is really going on.

    As far as I can tell only two sets of people really delve around in the code (of OS and CS systems):
    1. Government agencies, Hacking software developers (who sell to Government agencies) and hackers who want to find zero day issues and won’t tell anyone as their mission is to exploit them
    2. Security researchers, who will tell the developers what they find

    The money and resources of 1 far outweigh 2.

    squirrelking
    Free Member

    So, if I’m on Gingerbread should I be worried? 😛

    (FWIW it IS an Xperia X10 so there isn’t anything else out there)

    GrahamS
    Full Member

    haven’t upgraded the iPad as it’s only 16GB and the update needs ~4GB which is far more than the free space

    Only if you do it over-the-air (cos it needs space to download the update, unzip it then keep the rollback files till it is complete).

    If you do it via iTunes then that’s all done on the PC/Mac so you don’t need free space on the device.

    aracer
    Free Member

    Sorry, last thread hijack – already have as much as possible on the SD card, but it won’t let me move some stuff (like FB 🙄 ), am assuming rooting will also solve that issue. It’s an Xperia Ray – 4 years old, but apart from the memory issue works fine for me (wanted something cheap with Ant+)

    Cougar
    Full Member

    It’s a complex issue TBH.

    Certain apps you can’t move to SD, as they need to be present before the SD card is mounted on boot (eg, anything with a widget). Custom ROMs attempt various trickery with partitioning that I don’t fully understand if I’m honest, but the minutiae are dependent on the ROM really.

    Greybeard
    Free Member

    Slight thread derail; I have a Hudl 1 that I’ve rooted, but I didn’t think I could flash it unless I can find a custom ROM for the specific device (to match the hardware). I don’t think I have the skills to customise one myself. Did you find/write a custom ROM for the Sensation or is there a way round needing one?
