Android Holes Allow Secret Installation of Apps

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"
  • by Anonymous Coward on Saturday November 13, 2010 @10:45PM (#34219706)

    And sits down to watch the fanboy battle begin. Go go go

    • Re: (Score:3, Funny)

      I dare the posters on this site to go this entire thread without mentioning Apple.

      • Re: (Score:1, Funny)

        by Anonymous Coward

        Oh damn! Already foiled.

      • Re: (Score:3, Interesting)

        Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone? Isn't this very similar to a problem my iPhone had just a few months ago? Yeah, it's a different method of infection and the levels of access aren't the same (I believe the iPhone could be totally rooted by this) but the fact remains that these devices aren't 100% secure.

        Is this type of thing news? Only in the sense that it serves as a reminder to those who will listen that you have to be caref
        • by MrHanky ( 141717 )

          Why shouldn't this be news, when new Windows and iPhone exploits are news? The question is whether these holes will be fixed for all Android phones, and not only in the upcoming Android 2.3.

          • by Meski ( 774546 ) *
            I don't get this. Software gets fixed by releasing new versions. Like 2.3. Which will likely be pushed automatically. Unless you bought one that has been infected by all the cruft that carriers put on them, in which case you're stuck with the Windows Mobile model of updating - buy a new phone with the latest OS on it.
            • by MrHanky ( 141717 )

              Unfortunately, you are wrong. There's only one phone that more or less automatically gets the latest version of the Android OS -- the Google Nexus One. It's got nothing to do with the carriers, just that different phones have different hardware, and the various hardware makers also like to customise the UI to differentiate themselves from other Android phone makers, and provide so-called "value" for their customers (the advertisers, not the end users). You can't just push stock Android on to any Android pho

              • Yeah, I don't use my Android phones for more than a week before installing some kind of custom ROM on them. Most users will never even think of doing updates though. The carriers may push an update if this bug gets enough press though. That still means people won't update, but the ones who care can be safe. Or the users who have friends who care.
        • by TheRaven64 ( 641858 ) on Sunday November 14, 2010 @06:07AM (#34221168) Journal

          Isn't this very similar to a problem my iPhone had just a few months ago?

          Nope, it's entirely different. This is a security hole, while the iPhone had a jailbreak opportunity.

          • Getting back to the topic... what I didn't get from the article is whether or not this exploit works if you use another browser (e.g. firefox) rather than the integrated one.
          • I'm not sure if you're being sarcastic or not, but a jailbreak opportunity is by definition a security hole. With the iPhone/iPad vulnerability, you could literally go to a webpage and your device was jailbroken. You didn't have to approve or install anything. It was convenient, but that jailbreak code could just as easily have been a toll caller, person tracker, cookie stealer, etc.
        • by msauve ( 701917 )
          "Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone?"

          That's not what the summary said - it said there's one "security hole" (the user explicitly giving a browser rights to install apps) which can only be exploited "if they have found another browser hole." (my emphasis)

          The Linux "login" command has the same sort of hole, because if you can only find that other hole which allows you to get root, you can do anything. One can fix that by making i
        • by DrSkwid ( 118965 )

          It is hard to "be careful" when what that means is "use sparingly".

          How on earth is one supposed to know "Angry Birds Bonus Levels" is more than what it says.

          If it was me I'd write my malware as a stalking horse and then slip the pwnage in as an update in a few months.

      • Just think of how Hitler would make use of this security hole!

    • by icebike ( 68054 )

      Well the summary did fail to mention The browser hole has been closed in Android 2.2.

      Hey, pass some of the popcorn over here, I'll trade you for this here cold brewsky.

      • by RDW ( 41497 )

        'Well the summary did fail to mention The browser hole has been closed in Android 2.2.'

        Which is great news for everyone stuck on earlier versions without an upgrade path...

        Time to open a six pack!

  • by Schuthrax ( 682718 ) on Saturday November 13, 2010 @11:00PM (#34219758)

    So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

    • before they install their apps.

      • That's not enough. They also have to self-compile them (because how else would you be sure that the app really is compiled from the source they've seen?) with a trusted compiler (or else the compiler may insert a vulnerability). Of course after having read the source of the compiler itself, and having hand-compiled it (because otherwise you'd have to rely on an unchecked compiler to compile your compiler).

        Oh, and don't forget to study the circuit design of your phone's processor!

    • Re: (Score:2, Informative)

      by amRadioHed ( 463061 )

      Actually this sounds like it is an HTC Sense issue, not an Android issue. Android doesn't come with a browser that uses Flash Lite. And since HTC Sense is not open, people can not make their own fixes.

      • by wampus ( 1932 )

        Um, I'm pretty sure the stock browser in Froyo has the ability to run plugins, and Flash is in the Market. Sounds like Adobe did an awesome job of recreating their desktop experience on my phone. Well, HTC on Adobe's behalf. Course, the entire point of securing the rest of the userland is kind of lost when you can just gain root through a fork bomb with no permissions needed...

        • The hole was closed in Froyo. Froyo uses regular Flash, the vulnerability is in Flash Lite. You can update Flash without an OS upgrade.
        • Yeah, the stock browser has a Flash plugin which is updated via the market as all other apps are. This is talking about the HTC Sense browser using a Flash Lite plugin which apparently auto-updates via its own mechanism separate from the market.

    • So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

      I would have modded you insightful. You're just as screwed with open source as you are with closed source.

  • by Anonymous Coward

    A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

    • A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

      It beats having an unpatched and vulnerable adobe flash....

      • It's an incentive just to uninstall flash altogether. Mobile battery life and 3G download quota being the main beneficiaries.

        They're up to version 10.1 now - Adobe have had over a decade to implement secure sandboxing. If they were serious they'd offer a blank cheque to, say, Theo from OpenBSD and fix Flash and Acrobat Reader properly once and for all.

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          I'm not sure that throwing a systems guru at what is effectively application software would be a prudent use of company funds. First off, going by the available feature set for Flash "developers," the code base for the Flash runtime would make Java and its standard libraries look concise. Hell, it implements two discrete native scripting environments; I'm not even getting anywhere near rendering logic.

          Now you might say that in a sane world, "systems" logic (such as device access) would be entirely separate

        • I personally have flash uninstalled on systems where it's practical, blocked with individual object unblocking where it's not.
    • by Urkki ( 668283 )

      A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

      No, more like a retarded way of allowing flash player to update. If that's specifically for flash, then it should require signed packages, or possibly a fixed URL where it downloads Android updates from, or both (to avoid DNS spoofing etc).

      Either that, or mentioning Flash was just sensationalism, and it's just one use case.

    • So why don't the browser and plugins have separate updaters? I can update Firefox and the flash plugin separately on Windows and Linux.
  • by mlts ( 1038732 ) * on Saturday November 13, 2010 @11:07PM (#34219794)

    As mentioned before on /., Maybe Google should consider moving to a repository system. By default, Android devices should have a repository where apps are vetted, Apple App Store style. Of course, have the ability for a user to easily turn on the second repository (which would be the current Google App Store) for items not found on the "blessed"/default repo.

    This has worked for OSS projects for over a decade. It should work quite well for Android.

    • Re: (Score:3, Informative)

      by Rich0 ( 548339 )

      Uh, that's exactly how it works right now - only market apps can get onto the phone, unless the user enables the installation of non-market apps. The problem here is that Google left a back-door open. No amount of security design will help if the vendor leaves a back-door open. The iPhone in theory doesn't run anything not signed by Apple, but since lots of users are walking around with jailbroken iPhones they didn't get it right either.

      Google just needs to stop leaving back-doors open in their OS. Apps

      • by mlts ( 1038732 ) *

        Exactly. Google has a decent app store. However, I'd like to see the default be a store that is vetted, perhaps even the same store, except just showing apps that have been checked over and approved (perhaps with an additional fee for the time to approve.) Then offer an option right next to the one to install from ADB to use un-approved apps.

        This way, Joe Sixpack (whom we all know and love) will tend to stick in the walled areas where there is far less chance of him downloading malicious software.

        • Re: (Score:3, Insightful)

          by Rich0 ( 548339 )

          I still think a better solution is to make it impossible to write malicious software in the first place.

          Apps should not generally open arbitrary network sockets. Apps should generally not be able to use gobs of bandwidth. Apps should generally not be able to call 911/etc.

          Maybe an in-between solution is for Google to vet apps that request more sensitive permissions. So, if your app just displays on-screen, makes connections back to the distributor's website with modest bandwidth use, and maybe plays some

          • by mlts ( 1038732 ) *

            The problem with that is that there are ways around that. If I can have my app phone home, then I can install a proxy on the receiving end to allow connections anywhere on the Internet. If my app plays music, then I can do nasty things from random farts to other things. Microphone access? I now have a bug 24/7 which can either stream in real time, or save the compressed sound for transmitting every so often when the device isn't used.

            Your idea of a failsafe permission set is good; I'd like to see an app

            • by Rich0 ( 548339 )

              While I like letting apps advertise their minimum permissions, I'd still like to be able to override them.

              I'm not concerned with apps that call back to the source website and then get to the internet via a proxy. That is a perfectly safe way to provide internet access - if the app does something nasty they're doing it on the attacker's IP and not mine. If the attacker wanted to send spam from phones this way, or whatever, then they'd just do it without the phone component.

              That is why java sandboxes allow

          • Perhaps you should go and live in Switzerland. There is no crime in Switzerland because "Im der Schweitz, das crime is verboten!"
          • This is really a great idea...

          • by Macka ( 9388 )

            I still think a better solution is to make it impossible to write malicious software in the first place

            If it was that easy it would have been done already.

            Maybe an in-between solution is for Google to vet apps that request more sensitive permissions.

            And how do you determine if an app is going to request sensitive permission without umm, vetting it in the first place? Chicken and egg situation there mate.

            Perhaps another step is to make it so that by default the app asks for the more sensitive permissio

            • by Rich0 ( 548339 )

              And how do you determine if an app is going to request sensitive permission without umm, vetting it in the first place?

              Simple - developer uploads app to market. If app's manifest only requires "safe" permissions then it goes right into the market. If it wants more, then a human looks at it. That is a compromise between the current Google and Apple approaches.

              So you have a situation where the app is constantly asking the user for confirmation before doing things, kind of like how MS Vista used to do.

              There
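Rich0's proposal above (auto-publish when the manifest asks only for "safe" permissions, human review otherwise), sketched as an added example that is not part of the thread or of any Market code. The safe list, the function names and the two sample manifests are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree uses for android:* attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: the "safe" set is a policy choice made up for this example.
# It is an allowlist, so any permission not named here goes to a human.
SAFE_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
})


def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions a manifest declares."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    names = set()
    # iter() also finds misplaced <uses-permission> elements nested deeper.
    for elem in root.iter("uses-permission"):
        name = (elem.get(ANDROID_NS + "name") or "").strip()
        if not name:
            raise ValueError("<uses-permission> without android:name")
        names.add(name)
    return sorted(names)


def triage(manifest_xml):
    """Decide between 'auto_publish' and 'human_review' for one upload."""
    try:
        perms = requested_permissions(manifest_xml)
    except (ET.ParseError, ValueError) as exc:
        # Fail closed: a manifest we cannot read is never auto-published.
        return {"decision": "human_review",
                "reasons": ["unreadable manifest: %s" % exc]}
    flagged = [p for p in perms if p not in SAFE_PERMISSIONS]
    if flagged:
        return {"decision": "human_review", "reasons": flagged}
    return {"decision": "auto_publish", "reasons": []}


# Constructed sample: a wallpaper app that only needs network and vibration.
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Example Wallpaper"/>
</manifest>
"""

# Constructed sample: a "bonus levels" game asking for SMS, contacts and
# location, the capabilities the story's three demo payloads are named after.
SAMPLE_RISKY = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bonuslevels">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Example Bonus Levels"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("benign", SAMPLE_BENIGN),
                            ("risky", SAMPLE_RISKY),
                            ("broken", "<manifest")):
        print(label, triage(xml_text))
```

A check like this only sees what an app declares at upload time; it says nothing about an app that obtains installs by bypassing the confirmation prompt, which is the case the story describes.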

          • My understanding is that when you install an Android app it gives a list of permissions of what it needs to access. Problem is, according to those I know who have the phone, barely anyone pays any attention and just clicks "okay". Also, most Android users are not geeks and wouldn't know the first steps towards compiling or installing an OS update on their phones. So when the phone manufacturers stop supporting that model phone, they are SOL.

            As far as app stores are concerned, if this continues to be a "prob

            • by Rich0 ( 548339 )

              Problem is, according to those I know who have the phone, barely anyone pays any attention and just clicks "okay".

              Well, WHY don't they look at it?

              Simple - your only choices are agree or don't agree. It is like an EULA - what is the point of reading it? The fact is that you wouldn't have bought/downloaded/etc the software if you didn't want to run it, so what is the point in reading a bunch of text that you can't do anything about.

              Now, if you could CHANGE the permissions then people might actually care wha

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Where does the article summary implicate Google as the responsible party? Read again.

        VENDOR SPECIFIC IMPLEMENTATIONS have this security hole. HTC specifically added a permission to update internal plug-ins.

        • by Rich0 ( 548339 )

          Ah, then the fault is not with Google.

          Granted, you should note that ALL Android distributions are vendor-specific. They do of course vary in how much the vendors mess with the core OS.

      • There is exactly one hole described in Android in this story, that involves fake Market authentication tokens. That sounds like a real vulnerability that needs to be addressed.

        The other issue is a hole that HTC opened up in the browser app to update Flash Lite. If you run a proper Android phone with a proper version of the OS (2.2) and have Flash installed, it updates via Market like every other app. This is a stupid HTC kludge. You can't completely stop stupid people from shooting themselves in the fo

    • by hey! ( 33014 )

      Actually, why one size fits all? Why not multiple app stores? Choose the app store you trust and which meets your need.

      Better yet, why not let anybody vet applications then sign the installer? You as a user would choose which certifiers to trust. Some certifiers might be *necessary*, others *sufficient*. This would be great for IT departments who issue Android phones. They could require all apps to be certified by them, or by a set of trusted analysis.

  • by giorgist ( 1208992 ) on Saturday November 13, 2010 @11:13PM (#34219826)
    See now that Android is becoming a big target = installed base
    Old phones are rarely updated.
    New phones and devices are still coming out with 1.6
    Old 1.6 phones are still alive

    All vulnerabilities will persist.

    So an auto logging in banking app is there for the taking
    • by Rich0 ( 548339 ) on Saturday November 13, 2010 @11:26PM (#34219870) Homepage

      Well, it remains to be seen if they backport fixes to 1.6, but I agree completely that this is a potential weakness of the platform. Vendors are WAY too quick to abandon old phones. If it isn't still in stores, they don't care about it.

      In fact, probably the best way for us poor G1 owners to get some official updates for our phones is to start releasing viruses designed to take down the cell network. THAT would get some updates out quick! :) (Disclaimer - I'm not advocating that anybody actually do this of course!)

      • by stox ( 131684 )

        More likely, it would get G1's banned from the network.

        • by Rich0 ( 548339 )

          Yeah, I'd like to see that happen. Keep in mind that for another six months there will still be tons of people who bought G1s under contract and they are stuck with them. Can you say class-action-lawsuit?

          However, if they just release G1 owners from contract and provide access to non-contract deals then I'd be happy with this approach... :)

      • Fortunately for the individual user, the process of rooting a G1 and flashing a custom ROM is very straightforward and well documented (running Cyanogenmod 6.0 currently).

        Though this opens up a lot of new concerns about platform incompatibility, not to mention that there is no guarantee that a given ROM is legitimate. It is by no means a solution for the community as a whole.

        • Re: (Score:3, Interesting)

          by Rich0 ( 548339 )

          True, but while CM has been a great solution for a while the focus of that distro has moved on to newer phone models. While CM 6.0 runs on the G1 it is VERY slow, and doesn't support apps/data on SD ext3, and official Froyo apps on SD doesn't work well for many apps.

          6.1 seems to be a lot better, but I think it is only a matter of time before the G1 stops getting much attention, which then leaves a lot of more experimental mods floating around. CM was nice because it focused more on usability/stability and

          • It remains to be seen if Gingerbread will even reasonably run on a G1, so it may be a non-issue that the focus of CM has moved on. It was rather heroic they got FroYo running on it so well.

            I noticed you outlined several issues with the older CM6. I'm running CM6.1 on my G1 right now, with several relatively easy performance tweaks. It is as fast or faster than the sanctioned T-Mo firmware, supports apps and data on SD ext2/3/4, and official apps on SD seem to work fine. Only problem I've encountered is 3
            • by Rich0 ( 548339 )

              I wouldn't be surprised if the newer versions work fine. I'm not sure it is really the OS so much as the accessories/etc that contribute to RAM use.

              If you stripped out some of the features that are RAM-hungry while keeping the functionality I think that it would work fine. Cut down on the graphical glitter (3D gallery, fancier home screen, etc), and focus on functionality (better Exchange support, chrome2phone, API, etc). Much of the original benefit in CM was in the stuff that was left out - some of thi

      • Have any fixes been backported and have any of those fixes been released from the manufacturer?

        The Xperia X10 *just* received 2.1. There's a pretty common bug in 2.1 where it can't connect to Cisco routers with a self-signed security certificate on their enterprise hardware. You wouldn't believe the number of hospitals, research institutions, and hotels that have this same setup. The problem is that you cannot connect to any of these wifi networks.

        From what I've read online on google's forums is that the fix was

        • by arivanov ( 12034 )

          Not necessarily. The old versions may stay and it may still be a viable platform provided that the updates are funnelled through the market same way package repositories in Linux work.

          You want to run this app. Fine, but you will have to update to the latest patchlevel or update your OS to a newer version altogether.

        • by Rich0 ( 548339 )

          I tend to agree. I think the biggest problem is that these are $500 devices being bought by average people for whom $500 is quite a bit of money. Or maybe they're only $200 but only if you sign up for a new account/etc - which you can't do all the time.

          And yet, the vendor treats them like a disposable free phone, and they only get updates for six months. Most consumers that buy a $500 device expect it to last years. Now, for devices that don't require updates to function that is one thing. However, sma

      • G1 users are hit by only one of the two. The one that is essentially a "local" exploit. The remote exploit (HTC + Flash Lite) only hits Android 2.1 based phones with HTC Sense. Way to screw things up HTC!!!!
    • See now that Android is becoming a big target = installed base
      Old phones are rarely updated.
      New phones and devices are still coming out with 1.6
      Old 1.6 phones are still alive

      That was the worst attempt at a haiku ever.

  • by Anonymous Coward

    There are a lot of upsides to phones that can install apps, browse the web, and so on and so forth. This article is an example of one of the downsides, though. With computer-type capabilities, you get computer type problems. The old wired phones, and probably even most "dumb" cell phones pretty much were only vulnerable to people who had physical access to them altering their behavior. Now phones can theoretically get viruses and dial out on their own and so on and so forth.

    I'm not advocating that people

  • by Anonymous Coward

    I've been suspicious for a long time that Google is having Microsoft write all their software. This proves it.

  • If I'm not mistaken, all mobile phones have backdoors for telcos to use, for silently pushing firmware updates and bricking phones, etc.

    I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.
  • A few months ago there was a vulnerability that left your data wide open with or without a PIN on the iPhone. Or the fake iPhone security update that basically takes over your iPhone (http://bit.ly/afwVEu). If you allow programs that aren't made by Apple or Google you will always have this problem. Program A needs access to do this, you give it access, now anything in program A that was put there has that access too. Oh new iPhone Safari browser hole (http://www.epagini.com/2010/08/iphone-vulnerabili
  • Until smart phone manufacturers realize that they are making general purpose computing devices we will see this. To some there is a "war" going on between Apple and Android but that really misses the issue - in this respect trying to figure out which is the "better" one is like trying to figure out if Frosted Flakes or Fruit Loops is the better breakfast cereal - it is personal preference and there are most likely "better" solutions out there (and as a disclaimer I am an Android user - Droid One).

    Until one s

    • by khchung ( 462899 ) on Sunday November 14, 2010 @05:40AM (#34221090) Journal

      Until smart phone manufacturers realize that they are making general purpose computing devices we will see this.

      I say just the opposite. Until the Android crowd realize that a lot of people do not want a general purpose computing device on their phone, they will be talking past all iPhone users.

      I work with computers for a living, I know very well the high cost of ownership for owning a general purpose computing device. I do not want that for my phone. I deliberately stayed away from "smartphones" until Apple got smart enough and produced one that obviously is not intended to be a PC on a phone.

      All your reasons for calling Android "superior" are exactly the reasons that I found it inferior. I want a limited device that only does what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low. This seems to be a point that the Android crowds never understand.

      Maybe you find it intellectually stimulating to find which security hole is patched in which Android version, and fun to track down exactly which Android version can be hacked to be installed on your phone (since your phone supplier probably won't give you a fix until a year later).

      For me, I just want iTunes to periodically check if my phone has the latest patch and tell me about any updates, so I can install it by clicking "Yes".

      • Re: (Score:2, Interesting)

        by TheRaven64 ( 641858 )

        I want a limited device that only does what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low.

        It's called the 90-10 problem. 90% of the users only want 10% of the features. The problem is that they don't all want the same 10%. This is why modern computers have so many features that you never use - it's not because people want general purpose computers, it's because people all want different special-purpose computers.

      • by bigstrat2003 ( 1058574 ) on Sunday November 14, 2010 @09:53AM (#34222110)

        Your logic fails. First, the main aspect of the iPhone that you could claim is an advantage over Android, the harsh policing of the app store, is irrelevant for security. Google can, and has, taken down apps that were insecure. The Android Market can be just as monitored as the iOS app store is. The real advantage is not anything to do with the market, it is the fact that you can install apps that are not from there. I'm sure you'll say "but I don't need that", but that's not true. You don't need it yet. I'm sure you'll feel differently if you ever have the bad luck to start to heavily use an app that Steve Jobs decides offends him in some way, and subsequently gets removed from the app store.

        Second, if your reason for having an iPhone includes "I can just wait for iTunes to tell me when there's a new version", that's ridiculous. You can be ignorant of security flaws on Android, as well. Trust me, there's no one that makes you go read up on them on /. (although apparently you would do so anyway, since you read this article). You can just wait for the phone to tell you that there's a new update for the OS available, and install it. Just like the iPhone! Of course, just like the iPhone, if there's a security bug you won't know about it and can be exploited, but if that's really what you want you can get it.

        • by khchung ( 462899 )

          It is not my logic that fails. It is merely that my values are different from yours, and you have already assumed your values are the correct ones so anyone not subscribing to the same values has faulty logic.

          For the value of a hypothetical possibility that I might like and heavily use an app that will eventually be banned by Jobs, the trade off is to give up the Apple app store for the Google one that I cannot make any payment from where I live. Not to mention that there are fewer apps to start with. I am not i

      • The iPhone *is* a general purpose computer, as such it has all the risks associated with it.

        The fact that *you* are only allowed the bits they want to let you see may make you feel like it isn't, but from a security standpoint (of which I was primarily addressing) it is a general purpose computer. This limits how much *you* do, not how much a hacker/phreaker can do.

        Of course, I do agree that I'm talking over most iPhone users' heads (apparently yours included), but not in the way you mean. A large portion of

        • As such I find no security difference and a great deal of usability difference.

          You exhibit the same problem as those who blindly support the idea that "security by obscurity is no security at all," in that you appear to dismiss the fact that security isn't made of one thing or another, but the sum of all the efforts to make something secure.

          The iTunes App Store does not itself make the iPhone secure. It only attempts to improve the quality and conformity of applications provided to the user.
          The lockdown/sandboxing of the iOS device itself makes it harder to install apps that have not

          • "You exhibit the same problem as those who blindly support the idea that "security by obscurity is no security at all," in that you appear to dismiss the fact that security isn't made of one thing or another, but the sum of all the efforts to make something secure."

            Almost all security comes through some form of obscurity - your password, private key, pre-shared key, or heck even your one time pad are only secure because no one else knows them. In the end all security comes down to obscurity - so no, I do not

            • What you fail to understand - and searching on Apple iPhone exploits shows - is that the pre-screening Apple gives has *no bearing on the security of the phone*.

              So how does a scan for what APIs your app calls not have any bearing on security?

              Nor are they immune to the description you give of the G1's - ask anyone with any hardware before the 3G where all their shiny new updates are.

              If you read the point I was making, it wasn't that the G1 doesn't have updates. It's that Google can only push updates directly to end users of the G1, N1, and MyTouch dev phones. Google cannot push updates directly to users of other handsets like the Droid, the Epic, the Evo, and all other handsets/tablets/etc.

              But yeah, the fact that Google is no longer supporting the G1 is true too.

              Indeed, the original iPhone is in the same b

  • I'm sure many Apple devotees will see this news as confirmation that Apple's "we know better than the user" approach is superior.

    While I disagree for a number of reasons, for sake of argument, let's assume that they are right. If the walled garden approach is better, won't some enterprising entity create just such a service for Android? The platform is open, anyone can create a market place. Several alternative markets already exist.

    There is no reason someone couldn't make a tightly controlled market whe

  • more features == more security holes less feature == less h4xx0r My next purchase: http://www.johnsphones.com/store/johns-phone-white/item24 [johnsphones.com]
  • If I were rovio software (the makers of angry birds) I would be pretty annoyed that the name of their popular game, and artwork from it, has been used to distribute a malicious program, even if it's just for demonstration purposes.

    So the real question is, will rovio hit the authors with an explosive angry bird or bomb them with an egg-dropping angry bird?

    On the plus side, this has reminded me that there is one more level pack I can buy for my n900...
  • Really though all OS's have their vulnerabilities, doesn't matter who makes em they all have em. Welcome to software!

    The real issue here is how quickly these are fixed and how easy it is for the end user to get that fix. All major desktop software have done a decent job of making it easier to get the updates, the end user just has to either allow the install or maybe do a click through update. Phones are moving in that direction but some move quicker than others. I hope in time android will be at a point
