|
|
Subscribe / Log in / New account

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

[Posted October 16, 2015 by ris]

Ars Technica reports that a handful of app distributors are putting many Android users at risk by bundling root exploits with their wares. "It took just one month of part-time work for the computer scientists to reverse engineer 167 exploits from a single provider so they could be reused by any app of their choosing. Ultimately, the researchers concluded that the providers, by providing a wide array of highly customized exploits that are easy to reverse engineer and hard to detect, are putting the entire Android user base at increased risk."
to post comments

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 16, 2015 19:46 UTC (Fri) by lmb (subscriber, #39048) [Link] (1 responses)

That is a very interesting take on the problem.

And here I would have thought that Google and the phone vendors put their users at risk by not providing timely updates for the OS and fixing those security holes. But then, I may be a bit old-fashioned.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 18, 2015 13:40 UTC (Sun) by BostonEnginerd (guest, #102233) [Link]

That's just crazy talk! How can you possibly ask a vendor to patch the flaws in their product?

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 16, 2015 21:02 UTC (Fri) by mfuzzey (subscriber, #57966) [Link] (4 responses)

If all devices were officially rootable by their owners there would be no need for packaged root exploits and the risks they entail of abuse by others..

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 16, 2015 22:02 UTC (Fri) by adler187 (guest, #80400) [Link] (1 responses)

"... there would be no [legitimate] need for packaged root exploits ..."

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 25, 2015 0:52 UTC (Sun) by malor (guest, #2973) [Link]

Well, the only market would be an illegal one. Regular people wouldn't need it and wouldn't pay for it, so presumably making an exploit kit would be less rewarding, and they wouldn't have as much care and attention lavished on them.

I regard this as a direct consequence to locking the hardware; it belongs to the user, not to the company, and acting any other way puts everyone at risk.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 22:52 UTC (Sat) by tinko92 (guest, #102129) [Link] (1 responses)

It's true that there would be no need for packaged root exploits, but there should be none regardless of the security situation, because the vendor should respect our freedom to use root capabilities anyway.

Also the risk is not entailed by the fact that the exploits exist in the form of packaged root exploits. The risk is entailed by the fact that these security vulnerabilites exist and, more importantly, are not fixed by the vendor because he sells a locked down product, which doesn't receive any further support after ~18 months, depending on the purely arbitrary decisions of the vendor. In PC world this would be a joke, if Apple or Lenovo would sell laptops, whose OS could not be updated after less than 2 years, these OEMs would fade into irrelevance.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 28, 2015 23:43 UTC (Wed) by ILMostro (guest, #105083) [Link]

EXACTLY! Thank you, that's what I was going to say; though, in a less eloquent form. :D

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 16, 2015 21:14 UTC (Fri) by josh (subscriber, #17465) [Link] (5 responses)

This seems completely ridiculous. If phones have vulnerabilities, the phone vendors are ultimately at fault for leaving those devices vulnerable. Disclosing the existence of such root vulnerabilities (especially those that have been around for so long) tells malware developers nothing they don't already know, while providing tools specifically designed to help end users on locked-down devices.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 18, 2015 23:04 UTC (Sun) by zblaxell (subscriber, #26385) [Link] (4 responses)

> Disclosing the existence of such root vulnerabilities (especially those that have been around for so long) tells malware developers nothing they don't already know

It allows the malware developers to freeload. It's expensive to weaponize other people's bugs. It's much cheaper to extract an existing battle-tested exploit from a demonstrably successful product. Ordinary exploit PoC code doesn't get peer review, updates and maintenance like these tools do.

It's not just saving just time and money, either. Using a popular published exploit tool cuts down on identifiable traits that are often useful to forensic investigators. The black hats win twice here.

The tools wouldn't exist at all if vendors didn't insist on not providing legitimate access to the device firmware in the first place.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 2:34 UTC (Mon) by dlang (guest, #313) [Link] (3 responses)

Do you really think the bad buys aren't figuring these exploits out at least as fast as the people creating these apps?

I expect that they are creating these apps by watching the malware lists and piggy-backing on them rather than the other way around.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 4:11 UTC (Mon) by zblaxell (subscriber, #26385) [Link] (2 responses)

TFA mentioned original exploits not seen before their inclusion in the tools. That implies that at least one exploit exists today that wouldn't have existed otherwise (or would at least be used more discreetly if it did exist).

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 5:18 UTC (Mon) by dlang (guest, #313) [Link] (1 responses)

not seen before by whom? Do the authors of the collection even claim that they developed all the exploits? I doubt it.

I always question people who claim that any collection of exploits contains a bunch of new exploits never seen before.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 6:44 UTC (Mon) by zblaxell (subscriber, #26385) [Link]

There is significant value even in the mere collection, maintenance, and testing of the exploits. Black hats can focus their time and effort on their malicious payloads instead of building their own delivery vehicles.

That's still a net advantage for black hats even if the total number of theoretically available vulnerabilities remains constant.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 6:03 UTC (Sat) by tinko92 (guest, #102129) [Link] (12 responses)

I think this article is mixing up two separate issues and comes to a completely twisted conclusion. That is surprising because it is very easy to untangle them.
Issue #1: Phone vendors are not providing fixes for known vulnerabilities.
Issue #2: Phone vendors are restricting the freedom of their users by denying them access to the root user.

Legitimate app developers are providing a workaround to issue #2 (and thereby partially to issue #1 because some users can ultimately gain access to their boot loaders and install newer versions of android or distributions with less non-trusted apps). They do not create these vulnerabilities out of thin air. It is the vendor who fails to provide a security fix. The correct way to work around this problem is:

Tackle issue #2 politically and try to force vendors to provide software that respects the freedom of a user more than it does now.
Tackle issue #1 by holding the vendor accountable, where possible, or boycott him for not providing security fixes for exploits that are known to the community anyway.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 6:07 UTC (Sat) by pabs (subscriber, #43278) [Link]

I think you need to replace the hardware industry with an ethical hardware industry before the two issues you mention are going to go away.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 17:22 UTC (Sat) by ncm (guest, #165) [Link]

Rootability would be great but would solve nothing connected with this problem. Only a vanishingly tiny fraction of owners are mentally equipped to use such a feature, and only vanishingly tiny fraction of phones have any alternative firmware available to put on them, anyway. Those alternatives have their own security problems and update-channel problems.

Accountability could be helpful if it could be made to work, but the legal "industry" has very mature and sophisticated tools at hand to sidestep such obligations.

Solutions that don't actually work can be worse than no apparent solution at all.

A system of required source-code escrow and insurance deposits, with a separate agency to roll out automatic updates for affected hardware, could be made to work. I doubt anything short of that could. (Likewise for home routers.)

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 17:23 UTC (Sat) by ncm (guest, #165) [Link] (8 responses)

Rootability would be great but would solve nothing connected with this problem. Only a vanishingly tiny fraction of owners are mentally equipped to use such a feature, and only vanishingly tiny fraction of phones have any alternative firmware available to put on them, anyway. Those alternatives have their own security problems and update-channel problems.

Accountability could be helpful if it could be made to work, but the legal "industry" has very mature and sophisticated tools at hand to sidestep such obligations.

Solutions that don't actually work can be worse than no apparent solution at all.

A system of required source-code escrow and insurance deposits, with a separate agency to roll out automatic updates for affected hardware, could be made to work. I doubt anything short of that could. (Likewise for home routers.)

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 19:39 UTC (Sat) by dashesy (guest, #74652) [Link]

I rooted my phone (Galaxy SIII now few years old) so I could secure my phone against Stagefright. If the vendors provide and easy path, of course that would be preferable.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 22:44 UTC (Sat) by tinko92 (guest, #102129) [Link]

I do agree with you, that rooting doesn't solve all of the security issues, although I do think that it can provide ways to work around some of them. But my point was that they should in fact be regarded as seperate issues.

I would not agree that only a tiny number of users can make use of rootability. There are apps that require root access for uses which can be interesting to larger fractions of users like advanced call blockers, Titanium Backup or crapware removal. Besides, it's a freedom issue, so there is no justification required to demand rootability.

I agree that accountability can be a difficult issue. It might be more helpful to try to push vendors of smartphones and of parts like SoCs, radios, etc. to mainline their drivers, so that providing upgrades becomes much easier and less expensive overall. Also that would make fixes available to everybody. If they'd also manage to seperate their "skins" from the OS, we could get seperate:
- kernel updates, which would require hardly maintenance apart from shared driver maintenance through the kernel community and a phone-specific config-file that specifies the modules
- Android updates, which could be gotten directly from AOSP
- TouchWiz/etc. updates, which could be delivered by Samsung as just another apk that serves as an implementation for a Launcher

Of course this would work against the vendors tactics to lock users into their platform and to force them to buy new phones, but these tactics justify boycott anyway.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 18, 2015 0:17 UTC (Sun) by ssmith32 (subscriber, #72404) [Link] (5 responses)

Only a tiny fraction are mentally equipped? oh please. It's not that hard. Maybe they don't care enough to put in the effort, because a phone is just a phone to many people. Sure I like to root and install new roms, and screw around with my phone, but I'm a computer geek. Lots of people are other kind of geeks. It doesn't mean they lack the mental ability, just the motivation.

mental toolbox

Posted Oct 18, 2015 6:53 UTC (Sun) by ncm (guest, #165) [Link] (4 responses)

I suppose that, in your world, motivation is a physical substance.

My wife is probably more intelligent than you, but she is not mentally equipped to root her phone, or to perceive a need to do it.

mental toolbox

Posted Oct 18, 2015 12:24 UTC (Sun) by Trelane (subscriber, #56877) [Link] (2 responses)

> My wife is probably more intelligent than you, but she is not mentally equipped to root her phone, or to perceive a need to do it.

Honestly, the latter is the root of the problem, not the former.

There are lots of folks who aren't trained to fly airplanes, repair drains, install an electric circuit, or fix a car. Yet a lot of folks fly in airplanes and have functioning drains, electrical systems, and cars.

It seems very strange to me that we as a society are so content to keep computing weird in this regard.

mental toolbox

Posted Oct 23, 2015 6:42 UTC (Fri) by marcH (subscriber, #57642) [Link] (1 responses)

> It seems very strange to me that we as a society are so content to keep computing weird in this regard.

I don't think anyone is "content" with the current state of computing; yet no one, absolutely no one wants to pay for the enormous quality cost of trying to make computers secure and reliable.
They're the most complex systems ever made - for both good and bad reasons.

mental toolbox

Posted Oct 23, 2015 11:19 UTC (Fri) by hummassa (subscriber, #307) [Link]

> no one wants to pay for the enormous quality cost of trying to make computers secure and reliable.

unless you have a finite-time algorithm for the halting problem, the cost is infinity.

mental toolbox not needed, use cash

Posted Oct 19, 2015 1:54 UTC (Mon) by gdt (subscriber, #6284) [Link]

To talk about motivation is to miss an important point: simply pay someone who is motivated.

I do that with my phone today: I could replace a broken screen on my phone, I have the tools, but I'm happy to pay someone to do it.

If there was a formal way to root the phone then I'd do the same: I could install a replacement less-buggy OS, but I'm more likely to pay someone to do it. Probably the same someone I'd get to fix the screen.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 28, 2015 23:55 UTC (Wed) by ILMostro (guest, #105083) [Link]

By implementing a workaround for your issue #2 you ostensibly relieve the vendor from any/all accountability for issue #1. Ultimately, it's cheaper (in the long run) for vendors to release Open firmware that users/community can support on their own. However, this cuts into their bottom line in the short term regarding a specific device model, not to mention subsequent models and/or technologies that evolve from that intellectual property. To get a win-win (short term AND long term), they simply abandon support as soon as possible and direct consumers to buy their "new" device model that they do support--until further notice.

"Ethical hardware vendors" don't trade on the stock exchanges; once they do, they're expected to perpetually increase profits at all cost.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 6:06 UTC (Sat) by pabs (subscriber, #43278) [Link] (1 responses)

Anyone know of any FLOSS Android Root tools that use Linux etc exploits to get root? For iOS there is OpenJailbreak but I'm not aware of any such things for Android. This would be really useful for people looking to install non-Android distros or obtain control over their own device.

https://openjailbreak.org/

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 20:53 UTC (Sat) by lindi (subscriber, #53135) [Link]

https://github.com/android-rooting-tools could be an option if you ask the author to specify some license.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 17, 2015 22:25 UTC (Sat) by feistyfeline (guest, #56554) [Link] (3 responses)

This is absolute FUD, if I read the article correctly. Rooters are doing what they are supposed to do, there's no mistraking the fitness of purpose. Repurposing the exploits for malevolent purpose is fair use, though I might not want a virus on my device. I agree with all that say google dropped the ball in that managed code should examine before hand code that might likely misbehave. So then comes the anti-virus guys. Are they just smoke and mirrors and barrels of snake oil? They should have access to all the apps in all the stores to investigate the behavioral aspects of the apps. And Joe/Jane user should know to be careful about the apps and sites they use, especially the home brew apps from dubious sources.
My two cents is that antivirus on Android is not really useful for scanning actual apps unless the apps are actual known malware. The location, backup, password management etc features are useful nevertheless.
I am disappointed that this article exists purely because there was a need to root, but rooting research exists regardless and the anti-virus and Android developer guys have the same opportunity to fix problems that trouble makers have to cause mischief.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 20, 2015 6:53 UTC (Tue) by tpo (subscriber, #25713) [Link] (2 responses)

> And Joe/Jane user should know to be careful about the apps and sites they use, especially the home brew apps from dubious sources.

The situation today is, that if you have the need for some functionality - to use you phone as a torch f.ex. - then you'll go to the app store, then search it and you'll get presented with dozens or more apps that provide the same functionality. Then you need to select each, touch the install button only to be able to see at this instant that the app is asking you to give it completely unreasonable permissions - f.ex. to do "in app purchases" or to "access your call history" etc.

As far as I remember, at the inception of the "App" concept respectively the App Store Google decided to divide the app permissions into those discrete rights, to let the user be able to see those rights and to give the user the ability to decide whether she wants to install apps with the presented permissions or not.

However also since the beginning Google hasn't been motivated to actually let the user /choose/ apps based on those rights.

The effect of this is the same as the well known "do you really want?" or respectively the "do you accept?" dialogs on Windows - at some point the user gets worn out of clicking "Cancel" for n-th time and accepts whatever is presented to her.

The smartphone OS world is a defacto duopoly which gives the OS vendor a lot of power to get away with whatever practice it has of treating the user. Or inversely: the userbase has in comparison a relatively small leaver to push the vendor to act accordingly to the user's interest.

As far as I can see people are not installing apps from outside of the App Store - apps that you are calling "home brew apps". It's the apps in the app store that are the problem. It is the way the App Store works which is detrimental to the user making reasonable choices. Which in turn is due to Google's missing motivation or maybe incentive to change the App Store to the better.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 20, 2015 12:09 UTC (Tue) by foom (subscriber, #14868) [Link] (1 responses)

Google actually just changed how it works for new apps on Android 6.0, to stop asking at install time, and start requesting permission the first time the app needs the data -- letting you deny the permission instead of the whole app.

http://arstechnica.com/gadgets/2015/10/android-6-0-marshm...

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 20, 2015 22:19 UTC (Tue) by songmaster (subscriber, #1748) [Link]

Yeah, but Google also gave the ability to access the network to all apps with no permission required. I hope that doesn't include Cellular data access…

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 11:10 UTC (Mon) by vidara (guest, #49756) [Link] (5 responses)

I am really pissed of by the phone manufactures for their sloppiness. They should be punished!

Perhaps a different ecosystem for Android is needed. Surprised no one mentioned cyanogenmod earlier. I really hope to see adaptation of cyanogenmod by phone manufacturers and strongly believe that will benefit all parties and that either that or something similar is the way to go forward. CM is quick at getting out security patches for supported devices.

The reason I started using CM was initially for it's privacy control. The latter years after seeing most of my less then 5 year old android phones losing officially support after a way to short time and the very slow rolling out of security fixes and new releases I am now done with the a lot of the Android brands (Samsung, HTC I am looking at you especially). I will not buy another phone unless it's a guaranteed support and promise quick patching and upgrades for a minimum of 4 years.

Alternatively if the phone gets official CM status and have a open firmware "policy" making it supportable by cm, I will consider buying it. Who can argue against running the latest, security patched android (well, at least 5.1 for now) on an Galaxy S2.

But of course there are downsides with CM, if the maintainer of a device loses interests, it will become unmaintained as well. But at least at a much better state than if running stock. But I rather take that risk than running a swiss cheese of an OS protecting my most important assets, 2-factor and email confirmation for a ton of sites, banking. Yes, literally access to everything. If you get full access to my phone you basically become me. This is a very serious matter which need to draw a lot more attention than already is.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 11:18 UTC (Mon) by vidara (guest, #49756) [Link] (1 responses)

Just to clarify my slightly ot post. Getting CM on a phone typically involves using those root exploits. Luckily some manufacturers give have official tools to unlock a device. But the whole reason for the need to root (at least for me) would be gone if the phone manufactures could get their s**t straight.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 20:05 UTC (Mon) by tuna (guest, #44480) [Link]

If people would buy from the manufacturers that do provide root all manufacturers would eventually provide root.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 19, 2015 23:11 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (2 responses)

> I will not buy another phone unless it's a guaranteed support and promise quick patching and upgrades for a minimum of 4 years.

The security lifetime of the new Nexus devices is the longer of 3 years from initial availability (this month) or 18 months after the it is taken off of the Google Store. That's as good as it's going to get until the next Nexus refresh (either 12 or 24 months out).

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 20, 2015 19:19 UTC (Tue) by vidara (guest, #49756) [Link]

Yes, that's true. And my Nexus 10 has been supported all the way up to 5.1.
Sorry to see it won't get 6 though, because it's still a decent tablet with at least
a couple of more years in it.

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 21, 2015 23:01 UTC (Wed) by christoph_d (guest, #62481) [Link]

Which means you will only be vulnerable for up to about 6 weeks (see stagefright on nexus) untill google manages to completely roll out the fix. And that's 6 weeks from when the fix was available not from first (nonpublic) report of the issue

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 22, 2015 15:19 UTC (Thu) by Aissen (subscriber, #59976) [Link] (1 responses)

If such collections starts to be built in a metasploit fashion (I mean easily re-usable), I could foresee the arrival of the dreaded worm that should make securing android (with timely updates) a top priority for OEMs, carriers, and law makers.

Android has been protected from this with the huge diversity, but if software authors are building { device: exploit } collections, things should get much more interesting (and dangerous).

How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

Posted Oct 25, 2015 8:52 UTC (Sun) by pabs (subscriber, #43278) [Link]

There are folks building open source exploits:

https://openjailbreak.org/
https://github.com/android-rooting-tools could


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds