Android OS suffers from a massive security hole, and nobody cares enough to fix it.
[QUOTE=Sam Za Nemesis;48308425]It's not just the carriers even though they are a big part of the problem.
Upgrading Android versions is a pain because almost everything changes between versions and there's no standard since it uses their own Bionic libraries that are only meant to work specifically with individual Android components, now multiply this for every Android branch for every cell phone in existence
The upcoming patch will only be released for the latest Android revision meant for Google devices and manufacturers will have to patch Stagefright manually if their phones aren't running the latest version of Android, leaving in consideration code adaptations between different code revisions
And for each update for each phone the manufacturers and carriers need to go through endless QA
[editline]27th July 2015[/editline]
Would be pretty cool if Android followed the steps of GNU distros and the user could just fetch the individual patch through a package management software but this will never happen[/QUOTE]
Sure, but security patches like this tend to be pretty simple. It's the QA/delivery processes that are the most messed up.
CyanogenMod has already been patched since July 14.
[url]https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8[/url]
[url]http://review.cyanogenmod.org/#/c/103266/[/url]
[url]http://review.cyanogenmod.org/#/c/103267/[/url]
[url]http://review.cyanogenmod.org/#/c/103268/[/url]
[url]http://review.cyanogenmod.org/#/c/103269/[/url]
[url]http://review.cyanogenmod.org/#/c/103270/[/url]
[url]http://review.cyanogenmod.org/#/c/103272/[/url]
[url]http://review.cyanogenmod.org/#/c/103273/[/url]
[url]http://review.cyanogenmod.org/#/c/103274/[/url]
[url]http://review.cyanogenmod.org/#/c/103275/[/url]
[url]http://review.cyanogenmod.org/#/c/103276/[/url]
Why can't Android install updates like Linux does? No matter what computer I use at home they all get the updates and they're even different configurations. I thought Android was a mobile version of Linux? It uses a Linux kernel. Updates to Android and the issues of slow updates need to be heavily focused on by Google. Can't the system update itself in a different manner so all phones would stay updated?
How to temporarily keep yourself safe:
[T]http://i.imgur.com/BUP1OG5.png[/T]
Delete your MMS settings.
[t]http://i.imgur.com/NEX13za.png[/t]
Restore later when patches appear.
[QUOTE=PotaDOS;48308999]How to temporarily keep yourself safe[/QUOTE]
Or just turn off auto-retrieve and don't open messages from strange numbers?
So at any point I can receive a random text message and suddenly lose full control over my phone?
Oddly enough most phones on the Japanese market keep your plain text SMS as the default communication method and hangout is of course installed but generally disabled by default. Gutted Hangout and disabled the App as a precaution.
[QUOTE=MasterFen006;48307120]yeah but it's in the hangouts app and nobody fucking uses that[/QUOTE]
my phone periodically tells me that hangouts has crashed and is forced to close, I never even touch it
in fact, it's been disabled for ages on my phone and it still ends up crashing
[QUOTE=MasterFen006;48307120]yeah but it's in the hangouts app and nobody fucking uses that[/QUOTE]
I use hangouts for just about everything though? Never had an issue with it ever.
If I read this right, it's only caused within Hangouts? I'm wondering because I'm not using it myself and I disabled it.
[QUOTE=Merijnwitje;48314172]If I read this right, it's only caused within Hangouts? I'm wondering because I'm not using it myself and I disabled it.[/QUOTE]
[QUOTE=1/4 Life;48307137]
The failure is in Stagefright, the media handler for the Android OS. Hangouts is an example. Every single app that accepts MMS messages is capable of this.
Hangouts
Google Messenger
AOSP Messages
Textra
TextSecure
Handcent
Older versions of Facebook Messenger
Etc, etc.[/QUOTE]
[QUOTE=Merijnwitje;48314172]If I read this right, it's only caused within Hangouts? I'm wondering because I'm not using it myself and I disabled it.[/QUOTE]
No, it also affects most messaging services, someone posted a list on 1st page
Just took a look in the AOSP messaging app (running CM12 5.0.2) and disabled the auto-retrieve function of MMS messages which should do the job for now.
It's not even just messaging apps
stagefright is the system that generates thumbnails for videos (which display in apps)
anywhere there is a video thumbnail, that video was processed by stagefright
if you download a video, you are just as vulnerable. the mms vulnerability is just major because it requires no prep work on target end
[QUOTE=MasterFen006;48307120]yeah but it's in the hangouts app and nobody fucking uses that[/QUOTE]
It's the default messaging app on the Nexus 5 and I can't be assed to change it because it's not like it doesn't work.
[QUOTE=LordCrypto;48314229]It's not even just messaging apps
stagefright is the system that generates thumbnails for videos (which display in apps)
anywhere there is a video thumbnail, that video was processed by stagefright
if you download a video, you are just as vulnerable. the mms vulnerability is just major because it requires no prep work on target end[/QUOTE]
so no matter what I do, I am fucked?
[QUOTE=jason3232;48315344]so no matter what I do, I am fucked?[/QUOTE]
pretty much
it's already been disclosed to google, security fixes for nexuses going out next week
time will tell whether OEMs/carriers will get off their collective asses and push fixes out quickly
once they reveal at blackhat, all bets are off.
[QUOTE=Ta16;48314064]Oddly enough most phones on the Japanese market keep your plain text SMS as the default communication method and hangout is of course installed but generally disabled by default. Gutted Hangout and disabled the App as a precaution.[/QUOTE]
The exploit has nothing to do with Hangouts.
[editline]28th July 2015[/editline]
[QUOTE=Archonos 2;48313950]So at any point I can receive a random text message and suddenly lose full control over my phone?[/QUOTE]
Yes
[QUOTE=Taepodong-2;48314283]It's the default messaging app on the Nexus 5 and I can't be assed to change it because it's not like it doesn't work.[/QUOTE]
Hangouts is a pretty decent app considering what it tries to do. SMS, MMS and IM handling in one app is pretty nice. Even if I don't know anybody who actually uses GTalk.
Arbitrary code execution through a thumbnail is a pretty interesting exploit, gotta say...I really do wonder if the OEMs will get their asses in gear for this one, they have a hit and miss record of responding in a timely manner to severe security exploits last I remember.
[QUOTE=Archonos 2;48313950]So at any point I can receive a random text message and suddenly lose full control over my phone?[/QUOTE]
Only if MMS auto-retrieve is enabled. All other methods of exploiting this require you to download an infected file or visit a malicious website. The MMS issue is just especially bad because someone can attack you with nothing but your phone number.
All of this might be overblown though - [url=http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/]this blog post suggests that only devices running Jelly Bean or earlier are "at the worst risk"[/url].
[QUOTE=MasterFen006;48307153]I don't even know who uses MMS so it doesn't really matter to me
plus any phone that matters in the last 2 years gets updates anyway so this'll be fixed soon[/QUOTE]
you are dumb
it's just like with NSA and people saying "I don't care, I have nothing to hide."
snip