Defending Your Cellphone Against Malware
Hugh Pickens writes "Kate Murphy writes that as cellphones have gotten smarter, they have become less like phones and more like computers, and that with more than a million phones worldwide already hacked, technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. Cellphones are often loaded with even more personal information than PCs, so an undefended or carelessly operated phone can result in a breathtaking invasion of individual privacy as well as the potential for data corruption and outright theft. But there are a few common sense ways to protect yourself: Avoid free, unofficial versions of popular apps that often have malware hidden in the code, avoid using Wi-Fi in a Starbucks or airport which leaves you open to hackers, and be wary of apps that want permission to make phone calls, connect to the Internet or reveal your identity and location."
Pickens continues: "One common ruse is a man-in-the-middle attack when a target receives a text message that claims to be from his or her cell service provider asking for permission to 'reprovision' or otherwise reconfigure the phone's settings due to a network outage or other problem. Don't click 'O.K.' Call your carrier to see if the message is bogus. For the more paranoid, there are supersecure smartphones like the Sectéra Edge by General Dynamics, commissioned by the Defense Department for use by soldiers and spies which may soon be available to the public in the near future. 'It's like any arms race,' says mobile security consultant Michael Pearce. 'No one wins, but you have to go ahead and fight anyway.'"
Easy fix (Score:5, Funny)
Use a Blackberry. Lack of apps aside, even if the malware authors want to code one, the antiquated API would drive them to whiskey abuse.
Blackberry? (Score:2)
Re:Easy fix (Score:5, Funny)
Use a Blackberry. Lack of apps aside, even if the malware authors want to code one, the antiquated API would drive them to whiskey abuse.
Use a BlackBerry? But how will I get my "totallies freez and safes, I promizz" LOL Catz knockoff? My phone wants catz that wantz cheezeburgerz, and I don't want to spend $1 to do it!
Re: (Score:2, Interesting)
Re: (Score:1)
Re: (Score:1)
And get off my lawn!
Have you TRIED to program a Blackberry? (Score:2)
I was doing an iPhone app that was supposed to have a Blackberry version also.
I told them it might be possible but I'd have to review the difficulty level. So, I spent the weekend examining the Blackberry API.
Now I know Java and C++ and lots of other languages quite well. I have seen a ton of different APIs on various platforms, I've even done some J2ME work in the distant past.
NOTHING I have seen was as horrible to think about programming against as the Blackberry API. I flatly stated that it would t
Re:Easy fix (Score:5, Insightful)
I miss my Blackberry every time I write an email, but I would miss my Android more as a useful device.
Re: (Score:2)
It's a standard webkit based HTML5 browser since OS6 which puts it exactly on par with safari.
So, just out of curiosity, does it also have the same major usability killer as Safari on the iPhone and iPad? I'm talking, of course, about the way that it formats text, drawing it for a window much larger than the screen, and then shrinking it (and the font size) to illegibility. And not "reflowing" if you rotate the screen, showing that it's equally badly formatted for both layouts. To make it legible, you have to enlarge it to get a readable font, and then scroll back and forth horizontally to read
Android only of course (Score:3, Insightful)
And of course the main platform prone to issues is Android. Flame all you want but the endless reports of various significance all show it's true that Android is more prone to malware than iOS and Windows Phone.
Re:Android only of course (Score:4, Insightful)
Re:Android only of course (Score:4, Insightful)
It's a problem with being able to run software of the user's choice. Wall it up and the problem goes away. Users are stupid therefore you make decisions for them and it becomes more secure because the primary attack vector (the user) gets cut off.
I'm not advocating a Great Wall of China but it should be a bit harder to find malware than picking some random app from the platforms officially sponsored market place.
Wrong, "dupes" not affected on iOS (Score:1)
To me the whole issue sounds more like dupe-only than Android-only
That may be true that only "stupid" people get Android viruses (if you define stupid as simply non-technical, which is rather egotistical but whatever).
However iOS users, "stupid" and smart both do not get viruses or malware on iOS because there is none. It's not a matter of degree, it's a matter of Android users can get viruses/Malware and iOS it is not possible (today) to catch anything no matter what you download.
The truth of the story is
Re: (Score:2)
You clearly live on Paradise Island and make love to Wonder Woman when you can free yourself some time from pleasuring the other Amazons.
Re: (Score:2)
There was a time when Android executed every single keystroke you typed as root [current.com] in the background. No platform can lay claim to being perfect. What matters is exploits that are out there in use in the wild.
But was no malware (Score:2)
Are you fucking retarded? There was a period of time when you could totally own an iPhone remotely just by sending it a text message.
Read more carefully, dense Apple Hater.
Did I claim there were no VULNERABILITIES? No.
Instead I claimed there is no MALWARE, which was and is true.
Once upon a time, you could have assumed Slashdot readers could understand the difference...
You must be one of the "dupes" he was talking about.
Re: (Score:1)
Not realistic (Score:4, Insightful)
So, in other words, all apps that actually make use of the fact that it's a mobile device able to determine its position in real space to enhance the user's real-world experience...
Sounds to me like the OS makers need to address this, and give user-level ways of doing things that don't compromise the whole system if something nefarious happens, and then also give the manufacturer of the OS the ability to alert users when the manufacturer learns of malicious applications so that they can be removed.
Re: (Score:3)
it's actually pretty simple.
make the os ask for permission when the permission is needed, not when the app is installed.
you know why they don't like that? they figured it's not a good way since it hampered app use levels on j2me phones (because most j2me phones lacked "allow always" option or making enabling that option pretty hard, users didn't like that or it was claimed to be too technical, as if it's too technical to ask a user if he wants to send a premium sms or not - ..yea smartphones and smartphone
Re: (Score:3)
Making the OS ask users for permission is not a clever idea. Either every app they install asks for pretty much the same thing, and they are conditioned to press "Yes", or the users just click "Yes" because they want the app to work.
Curation mostly works. Yes, there are issues in terms of censorship that need to be overcome, but having a central party that at least tests the app and attempts to screen for malware can be a good thing.
Re:Not realistic (Score:4, Insightful)
I don't know what Android has been up to since about 2.2, but one thing that has always irked me is that it displayed a list of "This application wants to do: X,Y,Z - Allow or Deny?"
What I'd much prefer is if you could allow or deny individually, i.e. Internet access but not contacts or phone. However I can kind of see why they wouldn't want to do that - it could cock up the advertising funded ones.
Re:Not realistic (Score:4, Informative)
What I'd much prefer is if you could allow or deny individually
If you can root your phone and install Cyanogenmod then you will gain this ability.
Re: (Score:2)
What I'd much prefer is if you could allow or deny individually
If you can root your phone and install Cyanogenmod then you will gain this ability.
Mine's still on 5.07, so I presume it was added after that. It's working well enough now that I'm a little scared to update it, especially as it's older hardware...
Re: (Score:3)
Re: (Score:2)
Cyanogenmod's implementation is buggy - apps force close all the time when you use it. I use LBE Privacy Guard - for whatever reason when it blocks access the app works fine. I suspect it is because the latter lies to the application, and the former generates errors or whatever. Cyanogen for some reason is morally opposed to lying to applications.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
What I'd much prefer is if you could allow or deny individually,
Blackberry has had that type of fine-grained control for years. I believe that newer versions of Android have something like this as well.
Re: (Score:2)
It would be better if they bifurcated internet access permission into 'internet access for only serving ads' and 'general internet access'. That way there's no risk of non internet related applications connecting to it behind your back.
signing also has content censoring (Score:2)
It's one thing to lock out apps that may send out spam but another to lock them out based on content.
Yes, excellent idea, just like iPhone (Score:2)
make the os ask for permission when the permission is needed, not when the app is installed.
This is what iOS does. When an application needs access to location data, it asks you right then - so you have the full context of what it is trying to do and if it makes sense to have that permission at that time.
I think it makes a world of difference in terms of really protecting users who can't otherwise understand a big list of permissions. If you were just running along in a game and the system asked "hey, I'd
Presumably (Score:5, Interesting)
By "cellphone" they actually mean "Android". I've never heard of iOS, BlackBerryOS or WinPho7 having any serious malware issues, granted there have been a couple of minor incidents, but Android seems to be the platform of choice to have your phone join a botnet.
Re: (Score:1)
Only because Google doesn't control what Android users can put on their phones, at least not as tightly as Apple does. If you get an iPhone, it still needs to be defended against malware, but Apple does most of the work for you. That's the advantage you get for the developers giving up some of their independence.
Also, popularity may play a role. Some metrics have Android as the most popular smartphone OS, which makes it the most enticing target for malware authors. Same reason Windows is the most virus-pron
Re:Presumably (Score:5, Interesting)
The major problem is that I can't HAVE Google do the work for me, and I certainly can't look into the source of most of these applications. Never mind that I don't want to have to look into the source of applications to know if they're safe.
If Google had a way to force vendors to give us Android updates (to close security holes) and having a separate, vetted market for applications Google has the source of and has inspected for malware and proper behavior, Android would be vastly more attractive.
As it is, iOS and App Store cover those needs. So I bought an iPhone.
Amazon (Score:4, Insightful)
Re: (Score:2)
As it is, iOS and App Store cover those needs. So I bought an iPhone.
Apple doesn't get the source, it only gets the binary. Besides, Apple itself admits that it doesn't inspect the code for Malware (it only inspects the application for proper UI behavior). It doesn't want to open itself up to the liability of having approved an app on the criteria of security when an app could still be Malware.
The only reason iOS will have less Malware than Android is because the Apple app store has a higher barrier to entry. That's really the only reason. Malware writers need developer acco
Re: (Score:2)
App Store is at least somewhat monitored - if Google did the vetting, I would trust them more than I do Apple, true, but as it is Google does no inspecting and has next to no barrier to entry.
Overall, those were the two questions that made me get an iPhone to replace my Android phone. Well, in addition to better availability of games.
Re: (Score:3)
Also, popularity may play a role. Some metrics have Android as the most popular smartphone OS, which makes it the most enticing target for malware authors. Same reason Windows is the most virus-prone desktop OS. (Well, one of the reasons, anyway)
If that were true then the malware for iOS vs Android would be in proportion to the apps for the two platforms. i.e. More for iOS than Android.
But there's no malware for iOS.
As to the market share. Considering just phones, iPhone was ahead until about a year ago. Then Android moved ahead. Then this last quarter, iPhone has regained its lead.
Considering all iOS devices vs Android, it's not clear that Android passed iOS at any stage.
Re: (Score:2)
All that link proves is you don't know the difference between vulnerabilities [wikipedia.org] and malware [wikipedia.org].
Re:Presumably (Score:5, Interesting)
Android has a perfect storm for this to occur:
1: There is a low barrier for entry. One gets Eclipse, some Java tools, the Android SDK, and they can write APK files. $25 later, and one can upload into Google's store. Apple is $99/year, and it requires going into ID theft territory to create another account if Apple drops the axe on an app developer. Android development can happen on Windows, Macs, and Linux. XCode only can happen on one platform, be it a true Mac, or a hackintosh.
2: Android is used on inexpensive smartphones. This makes it a very popular platform in China, India, and other nations developing an ecosystem, as well as countries that separate the phone from the provider. So, there are a lot of the devices out there. iOS devices are very popular, but not as common and wide ranging as Android models.
3: Android's permission model is strong, and rooting does not affect security in the slightest. An installed app won't get anything that it does not have access to, unless it manages to pull off some successful root exploit (which is difficult as the app has to escape the Dalvik VM first.)
Where the problem happens, is that permissions are not fine grained enough. Combine this with the user training to mindlessly click on any button labeled "send/accept/OK/submit/pay/download", and an app can be tossed on a device that shouldn't have anywhere near the permissions it requested. For example, a game does not need access to a contact list.
What would be nice is if Google went back to the modal dialogs with the permission contents in them, forcing a user to look at it, as opposed to displaying them below the button that allows for a quick double-tap purchase.
3: The current Google app repository is more of a marketplace than a store. The good thing is that a developer can have an extremely tight and fast feedback cycle, churning out updates hourly in some cases without having to wait for a bean counter to approve them. The bad thing is that apps that are not vetted can be an avenue for malware.
4: In some countries, pirated apps are the norm, so finding a bunch of Angry Birds APK files that have the LVL code yanked is the norm rather than the exception.
All and all, this isn't really Google's fault -- Android went from being on the sidelines to a mainstream OS in remarkable time, especially with the fact that iOS was well entrenched with an App Store. Android matured from doing the basics to an OS that is not just consumer-friendly, but can support the needs of businesses with Exchange support.
This is anecdotal, but in the US, I'm sure the chance of a malicious app is low, even if an inexperienced user just clicks on download, then accepts without looking. A clued user can look at reviews, discount the vague ones that are shills, and look for the scathing reviews. For example, a game that popped up also brought along with it some adware, and it was obvious with the 1-2 stars it was rated that something was afoot. A couple reviews of "one star, spams contact list" will sink an app before Google comes by with the ban-hammer.
I stated this in another post, but I still think that the current Google Marketplace structure is well done. However, a significant improvement would be a tier of service of Google actively vetting apps, where an app developer who pays for the higher level of assurance (since black box reviewing of apps does take time and money) can release an app as normal. Then, Google can sign that version when they get done reviewing, and this can be on their own schedule. A subsequent update would be allowed on the store, but it would be unsigned until Google reviewed and approved it.
This way, phones can ship by default only allowing Google-vetted apps. If a user wants to get other apps, they can answer a warning dialog about doing so at their own risk [1].
IMHO (and I've stated this before): If Android devices shipped with a store/marketplace/repository that hand-approved apps (with facilities for allowing full
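The point made in the post above, that a game has no need for the contact list, can be checked mechanically before an app is installed or approved. This is an added example, not code from the post or from Android: it assumes the APK's manifest has already been decoded to text XML, and the per-category `BASELINE` policy and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Sensitive groups named in the thread: contacts, SMS, phone, location.
SENSITIVE = {
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS"},
    "sms": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS"},
    "phone": {P + "CALL_PHONE", P + "READ_PHONE_STATE"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
}
# Permissions that can run up charges without further user action.
COSTS_MONEY = {P + "SEND_SMS", P + "CALL_PHONE"}

# Constructed policy (an assumption): what each kind of app plausibly needs.
BASELINE = {
    "game": {P + "INTERNET", P + "ACCESS_NETWORK_STATE", P + "VIBRATE",
             P + "WAKE_LOCK"},
    "navigation": {P + "INTERNET", P + "ACCESS_NETWORK_STATE",
                   P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "notepad": {P + "WRITE_EXTERNAL_STORAGE"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    # The manifest comes from an untrusted package and never needs a DTD;
    # refusing one avoids entity-expansion tricks in the XML parser.
    if "<!DOCTYPE" in manifest_xml:
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    return perms


def audit(manifest_xml, category):
    """Compare requested permissions with the baseline for the app category."""
    if category not in BASELINE:
        raise ValueError("no baseline for category %r" % category)
    perms = requested_permissions(manifest_xml)
    extra = perms - BASELINE[category]
    groups = sorted(g for g, members in SENSITIVE.items() if extra & members)
    return {
        "unexpected": sorted(extra),
        "sensitive_groups": groups,
        # Sensitive data plus network access is what lets an app ship
        # data off the device.
        "sensitive_plus_network": bool(groups) and (P + "INTERNET") in perms,
        "can_cost_money": bool(extra & COSTS_MONEY),
    }


# Constructed sample: a "free game" asking for contacts and SMS.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST, "game").items():
        print(key, "=", value)
```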
Be wary of everything, then? (Score:2)
So, pretty much all of them, then. Great.
Increasingly, I find myself alarmed at how many "need" the access to my contacts permission in order to operate. As well as those that need my location (for better targeted advertising, apparently).
I hope the masses eventually wise up to this and start refusing even the big-name apps until they relinquish permissions they don't *really* need.
Two choices about it... (Score:5, Interesting)
With iOS, there is not much one can do about malware, if it gets past Apple's gatekeepers. JB-ing the device and slapping on Firewall iP is probably the best thing one can do. However, the barrier for entry for malware writers is very high. It is pretty difficult (and more expensive) for a blackhat organization to create a new account with Apple (paying them a C-note a year), and cook up some personal info (like bank accounts and such to register under) to even be able to see iTunes Connect, much less have the app approved. This has done a good job in keeping iPhone users safe, although in theory, if an app decided to have some type of module that would allow code execution, users would never know about an app that would be slurping contact info, E-mails, and other items then shipping that off to a blackhat server, especially if the app was smart enough to do it only on Wi-Fi, or a small trickle over 3G.
Because of this, the only permission iOS asks for is for using the GPS. Since the App Store does all the work essentially, there isn't that much of a need to have anything more than that.
Even with Firewall IP, there is no protection against apps deciding to spam with SMS, other than Apple's gatekeepers.
So, Apple's security model may have some (in theory) bad flaws, but it has proven to be decently tight, with exploits being used for jailbreaking as opposed to turning the device into a mobile money machine for criminal organizations.
Android's model is more robust in some ways. If Android phones were shipped with a marketplace that vetted/approved apps [1][2], this would virtually eliminate compromised phones [3].
The nice thing about Android is that even with full root and a custom ROM, app security is just as tight as it is on a vendor ROM. Unlike jailbreaking on iOS which completely creams the security model, apps on Android still function exactly the same on a rooted phone, other than being able to prompt the user for su access.
Since Android isn't reliant on a store's gatekeepers, its permission model has to be robust. It has been OK so far, provided users read and disallow apps like a game demanding full access, but it would be nice to have a better model -- something along the lines of minimum permissions needed to run the app, optimal permissions, and maximum permissions (a notepad app that just stores notes in its directory generally does not need full access or access to root unless it has some special features.)
What can help Android immensely would be an app that runs as root and can allow/disallow access to SD cards, contacts, SMS, phone, and networking. There is an app called LBE Privacy Guard which runs as root and offers features that should really be part of Android (perhaps some features behind an Advanced menu.) CyanogenMod also has similar features for restricting access.
Another app that is a must have for rooted devices is DroidWall, which is essentially a shell for performing iptables commands. This is an immense help because it can not just block network access for apps, but limit the bandwidth hogs to Wi-Fi (or security sensitive apps to 3G).
Pretty much for the tl;dr in all of us, Android would be best off with two tiers of stores, and having the user go through a dialog of "these apps are untested, but the reviews will be a good guide. Use at your own risk" before a user gets access to the free-for-all market. Couple that with the functionality of DroidWall and LBE Privacy Guard which can be set to prompt/allow/deny access to critical things (contacts, network, phone, SMS) integrated into the OS, and Android would be a lot more secure.
[1]: Amazon is good at vetting apps, and it would be nice for Google to offer two tiers of their Marketplace, where one tier would be the current free-for-all, while having another tier (which would cost app developers more because of the time taken) just for apps that would have a "blessed" flag attached.
[2]: It goes without saying to have a way to add more stores, or if Google w
True iOS barrier is lack of ability by app (Score:2)
The thing about iOS is, let's say you get malware past Apple or manage to get arbitrary code executed in an app.
What then? You can't do anything interesting (to malware authors). You can't hook into the system keyboard. You can't send an SMS silently to rack up charges. You can't snoop the contents of other applications to pull back data from something like a Chase app.
All of those things are potentially possible on Android, if the user simply agreed to the laundry list of permissions presented to the
Re: (Score:2)
WTF are you talking about? The malware can simply execute the latest jailbreak exploit the fanboys are so excited about. Then it can do whatever it wants.
Nope (Score:4, Interesting)
The malware can simply execute the latest jailbreak exploit the fanboys are so excited about.
That is why Apple quickly fixes remote exploits but leaves tethered jailbreaks alone.
The ability to do what you are suggesting is never an option for long enough that malware can make use of it.
Of course, on Android you have another problem - since many carriers are so reluctant to update, you have vulnerable Android versions hanging around a LONG time. That makes it even more appealing for malware writers.
Re: (Score:2)
Re: (Score:2)
I can see this being used as a central point of attack to gain access to the phone. If anything happens to that you can't trust your phone anymore.
Dumbphone user here... (Score:5, Insightful)
And the more I read about this, the better off I think I am.
Seriously, this summary sounds like there is really no way around this BS except by using a dumbphone and never connecting anything to the Internet.
>free app clones of pay ones are a problem
No, closed source "free" apps are the problem.
--
BMO
Or buy an iPhone (Score:3)
The article likes to make it sound otherwise but iOS does not have this issue.
No, closed source "free" apps are the problem.
It's not realistic to think that everyone would compile applications if they could, or be able to do a source audit to see they are truly safe.
Re:Or buy an iPhone (Score:5, Insightful)
It's not realistic to think that everyone would compile applications if they could, or be able to do a source audit to see they are truly safe.
No, it's not that *I* necessarily need to see the code (while I appreciate the freedom that I could), but I know other people *can* and *do*
That's the advantage.
Nefarious code does not live long in open sauce. Basically because not everyone is Ken Thompson to quote Tom Christiansen.
Tom Christiansen has a pretty good rant about why the source-code world is superior. I have saved this as a text file since I read it the first time here, because it is that good.
http://news.slashdot.org/comments.pl?sid=2540&cid=1522840 [slashdot.org]
--
BMO
Re: (Score:3)
No, it's not that *I* necessarily need to see the code (while I appreciate the freedom that I could), but I know other people *can* and *do*
No, you only know that they can, not that they do. Nor do you know that even if they do, would they recognise the few lines of code that are performing a malware task. Code review is slow and tiring.
Re: (Score:2)
In order for people to contribute to an open source project, one must do code review anyway as a matter of course, and most projects are multiple people.
Sure, maybe you can slip your nefarious code past a few end users if you are a sole developer, but try getting it past your fellow developers in a project.
"Three people can keep a secret if two of them are dead." - Franklin.
--
BMO
Re: (Score:3)
Most open source code is produced by a sole developer. There are way more calls for programmers to join projects than there are programmers interested in joining projects.
And even where there are multiple programmers, they tend to find their own specialist areas of the code that are probably never looked at by anyone else.
The idea that "given enough eyeballs, all bugs are shallow" is a fallacy.
http://en.wikipedia.org/wiki/Linus'_Law [wikipedia.org]
Re: (Score:2)
Then Linux and its utilities and all the desktop stuff must be full of malware, right?
Because nobody ever looks at code, right?
--
BMO
Re: (Score:2)
Then Linux and its utilities and all the desktop stuff must be full of malware, right?
It's had more than closed source OSX has.
Because nobody ever looks at code, right?
I didn't say nobody. The Linux kernel has lots of eyes. But most open source software is not the Linux kernel, and most of it is never code reviewed.
You can be sarcastic all you want. That's all you've got, because what I've said is true. And if you're a developer you'll know it. If you're only a user you might not realise it though.
Re: (Score:2)
So Linux must be the most secure kernel around with NO privilege escalation bugs since 1991, right? Oh wait, there was one that was fixed a couple of weeks ago that was being exploited.
And surely there wasn't a 30+ year old bug in BSD, I mean, everyone's looked through it so many times.
Even having a ton of eyes on the same code, bugs/holes/vulnerabilities are still glossed over. Op
Know and Think (Score:2)
No, it's not that *I* necessarily need to see the code (while I appreciate the freedom that I could), but I know other people *can* and *do*
I can set up a project on Github. There can be a long history of commits supposedly accepted from "other" people.
And it can all be a sham, I may never even let anyone else submit anything.
It doesn't even matter if someone looked and found something, if I simply didn't accept changes back. How would you know?
And the truth is, how many real-world people could or would e
Re: (Score:2)
Well, if you're the only one who has physical access to the phone, getting a dumb phone that can't connect to the internet is the best way to avoid getting hacked... although most of the "hacking" is through social engineering.
As smart phones get more and more prevalent this will get worse. Apple's app store tries to remove the social engineering factor, but it'
Re: (Score:1)
And the more I read about this, the better off I think I am.
Seriously, this summary sounds like there is really no way around this BS except by using a dumbphone and never connecting anything to the Internet.
Why even step outside.
Simple really (Score:5, Insightful)
Don't download every dumb shit dancing santa talking cat bullshit app your mom's co-workers recommend
option B is to not use a smartphone and get over your facebook/twitter addiction
As long as they don't send spam... (Score:2)
n/t
Really? It's called common sense. (Score:2)
Re: (Score:2)
Apple and malware (Score:2)
From the article NOT behind the NYT paywall:
Miller's reward for showing Apple that it, too, is vulnerable? They kicked him out of the app developers program. Nice going, guys.
Isn't that exactly how Apple deals with malware? Think what would happen if Google did that.
Re: (Score:2)
it would be helpful to actually read what happened.
I defend ANDROID smartphones w/ HOSTS files (Score:4, Interesting)
DO THE FOLLOWING (after obtaining a good reputable solid HOSTS file, like mvps' -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org])
---
1.) Get ahold of the "Android Debugging Bridge" (ADB) & install it
2.) Mount your system mountpoint as READ + WRITE (as powerful of privileges as you need is this)
3.) Using the PULL command, copy the file over from your PC (or even on your ANDROID if its there already) using PULL & overwrite the etc. folder's copy of HOSTS
---
* DONE!
(Yes, it's THAT simple vs. hosts-domain based threats which ARE THE MAJORITY OF THEM OUT THERE (because hosts-domain names are recyclable unlike IP addresses)... &, it works - you CAN'T be burned if you can't go into the malware kitchen!)
APK
P.S.=> Of course, your HOSTS file will need to have the domain/hosts name of the C&C servers, & that you have to obtain for this to work vs. threats like bogus servers &/or maliciously scripted sites. Here's some good sources for that above & beyond mvps.org (I noted them above):
http://hosts-file.net/?s=Download [hosts-file.net]
http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]
http://mirror1.malwaredomains.com/files/ [malwaredomains.com] (justdomains here)
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext [yoyo.org]
http://sysctl.org/cameleon/hosts [sysctl.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
https://zeustracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
http://www.malwareurl.com/ [malwareurl.com]
http://www.safer-networking.org/en/download/ [safer-networking.org] (updater for Spybot "Search & Destroy" & it fortifies HOSTS files)
Those are some of my regular sources that are reputable & reliable for custom HOSTS file data populations vs. known threats online - I consolidate them here via programs I wrote that normalize/deduplicate repeated entries, sort/alphabetize the results, & change from larger + slower 127.0.0.1 (longer & loopback ops happen here) to the faster & smaller 0.0.0.0 (or even 0 on Windows 2000/XP/Server 2003): Enjoy!
... apk
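A sketch of the consolidation step the post above describes (merge several lists, deduplicate, sort, and rewrite 127.0.0.1 entries to 0.0.0.0), as an added example and not the poster's own programs. The function names, the `allowlist` parameter and the sample domains are constructed for illustration; the allowlist and the hostname validation go slightly beyond what the post mentions.

```python
import ipaddress
import re

SINK = "0.0.0.0"
# Names that must keep their normal loopback mapping and never be sinkholed.
KEEP_LOCAL = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback"}
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")


def is_ip_token(token):
    """True for an IPv4/IPv6 literal or the bare "0" shorthand."""
    if token == "0":
        return True
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def valid_hostname(name):
    """Accept only dotted names whose labels are well formed."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.fullmatch(label) for label in name.split("."))


def parse_blocklist(text):
    """Yield hostnames from hosts-format ("IP name ...") or one-domain-per-line text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        tokens = line.split()
        if is_ip_token(tokens[0]):
            names = tokens[1:]
        elif len(tokens) == 1:
            names = tokens
        else:
            continue   # not a recognizable entry, e.g. a stray HTML error page
        for name in names:
            name = name.lower().rstrip(".")
            if name in KEEP_LOCAL or is_ip_token(name):
                continue
            if valid_hostname(name):
                yield name


def consolidate(sources, allowlist=()):
    """Merge several lists into one sorted, de-duplicated list of names."""
    allowed = {a.lower() for a in allowlist}
    names = set()
    for text in sources:
        names.update(n for n in parse_blocklist(text) if n not in allowed)
    return sorted(names)


def render_hosts(names):
    """Produce hosts-file text: loopback entries first, then sinkholed names."""
    lines = ["127.0.0.1 localhost", "::1 localhost"]
    lines += ["%s %s" % (SINK, n) for n in names]
    return "\n".join(lines) + "\n"


# Constructed sample inputs using reserved example/test domains.
SAMPLE_A = """# hosts-format list
127.0.0.1  localhost
127.0.0.1  ads.tracker.example   # inline comment
127.0.0.1  Ads.Tracker.Example
0.0.0.0    c2.badhost.test
0 legacy.badhost.test
<html>not a hosts line</html>
"""
SAMPLE_B = """c2.badhost.test
update.cdn.example
-bad-.example
"""

if __name__ == "__main__":
    merged = consolidate([SAMPLE_A, SAMPLE_B], allowlist={"update.cdn.example"})
    print(render_hosts(merged), end="")
```

Validating each name before it is written matters because a downloaded list is untrusted input to a file the resolver consults for every lookup.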
Re:I defend ANDROID smartphones w/ HOSTS files (Score:5, Insightful)
Yes, it's THAT simple
Only on Slashdot could you say that with some vague sense of truth to it.
Re: (Score:2)
Alternatively, don't download shit you don't trust?
Mind you, that might be too straightforward for most people to follow, I know.
Google (Score:2)
more firewall granularity (Score:1)
I've often wished the android permission model considered "phone home" and "access the Internet" separately. It seems much less risky to me to allow an application to access a predefined small set of sites than to access "everything".
VPN over wireless (Score:1)
If I go to the coffeeshop I use VPN to connect, I do have a paid VPN account but I also have a VPN server set up at home on my NAS so I can use that as well if I don't want to pay.
Normally WiFi is off as is Bluetooth.
The only apps that get permission to use my location are TomTom GPS and some camera software both of which are vetted, everything else gets denied as I don't use social sites or any other crapware.
I only give out my real phone number to a very small group of friends & family, everyone else
Solution for rooted android devices (Score:2)
Install Droidwall [android.com], a powerful FOSS IP tables firewall. Use the whitelist feature to only allow network access to apps that need it to function.
Next, use an ad blocking hosts file. Either manually update /system/etc/hosts, or use AdAway [android.com], which will auto update your hosts file with ad server entries and is also FOSS.
Third, get LBE Privacy Guard [android.com]. This monitors permission usage and lets you override the defaults (something which I believe is baked into CyanogenMod) on a per app basis by alerting you whenever
solution: signed code (Score:2)
Just don't use Android (Score:2)
Err.. what? (Score:2)
but.. but.. they ALL require internet access.. apparently...
(grrr, damn you google for preventing me from being able to control my own phone. no, a jailbreak is not acceptable. I paid for this device. give me root access on it, and soon.. ice cream sandwich *should* have had sudo made available. grrr)
Re:Or... (Score:5, Interesting)
And they'd have been just as wrong too.
The "install an infected app from the app store" route is only one of many ways to infect a device like this. A remote exploit, like how Microsoft's browser brings down hundreds of thousands of PCs a year, is much more likely IMHO to cause real widespread chaos.
Re: (Score:2)
Re:Or... (Score:4, Informative)
Re: (Score:3)
Re:Or... (Score:4, Insightful)
There's always a first time, but I think there's a good chance the security impact of these vulnerabilities will remain theoretical. Despite JailbreakMe 2.0 being open sourced after an updated version of iOS was released, which would have made it relatively easy to modify the code into an attack, I didn't hear about any such modification except a proof of concept that showed up much later.
Re: (Score:1)
When you have an example of this actually occurring, let me know.
You are joking? One of the original jailbreaks drive-by rooted your iPhone just by visiting a website.
Re:Or... (Score:5, Informative)
My iPhone doesn't tell me when an app wants permission to connect to the internet or share/sell my personal information with 3rd parties :-(
Re: (Score:1)
Re: (Score:3)
> My iPhone doesn't tell me when an app wants permission to connect to the internet or share/sell my personal information with 3rd parties :-(
Mine does. Requests per domain per app (asked once when the app tries to connect), and requests for listening sockets.
http://isource.com/2009/11/05/firewall-ip-a-firewall-app-for-the-iphone/ [isource.com]
If you are not jailbroken, then you can only use the Apple store, and those apps are tested at the API level to verify what they do.
Sure you can't block banner ads this way, but that is by design.
Jailbreak it, and you get the Cydia app, and access to multiple stores (same repo system as apt-get, which you get installed
Re: (Score:3)
> Apple already screen it for you.
Don't you mean Apple already sold it for you?
Re: (Score:1)
Easy enough to avoid malware. Just run Windows! Wait a minute...
Re: (Score:2)
Re:Or... (Score:4, Insightful)
So we are once again stuck on the myth perpetuated by the Apple marketing machine that iOS is secure.
Let's disregard that it's been hacked repeatedly and easily, and let's also forget the tens of thousands of people who've had their iTunes accounts hacked and been charged for apps they have never downloaded (I know of 3 personally, none of whom ever got their money back).
But yes, the 50 (out of 400,000) malware infected apps are scary.
Re: (Score:2)
50 out of 400k malware infected apps?
The implication seems to be there's only 50 malware infected apps somewhere. Android Market? Only fifty malware infected applications on *the Android Market*?
Have you LOOKED into the Android market? It seems like I can't search for anything without having fifty different knockoffs with extremely broad requirements pop up.
Re: (Score:2)
Re: (Score:2)
Knockoffs with extremely broad requirements certainly hint towards malware.
Not that I'd install them myself.
Re: (Score:3, Insightful)
> So we are once again stuck on the myth perpetuated by the Apple marketing machine that iOS is secure.
Oh boy, "Apple marketing machine" eh? Cue "imperial march."
> Let's disregard that it's been hacked repeatedly and easily
Hardly easily. The first jailbreak admittedly was easy, but take a look at the iOS hackers' blogs: jailbreaking these things is now crazy hard. Jailbreaking now takes multiple exploits and a phone which is physically connected to your system. The latest exploits took months to develop, all the while people are told not to upgrade because the upgrades invariably patch the holes.
Anyway jail breaking is a red herring, what counts is exploits used in t
Step 2 (Score:2)
Don't ever turn it on, or for heaven's sake, don't take it out of airplane mode...
Re: (Score:2)
Buy an i*****, not an Android.
If you're ignoring for the moment the spyware that's installed on an i*****, then yes, that's a good idea.
Re:Step 1 (Score:4, Insightful)
What spyware is installed on an iPhone out of the box, pray tell?
Re:Step 1 (Score:5, Funny)
Re: (Score:3)
Probably CarrierIQ [slashdot.org]. Apple has admitted it's there, but not enabled by default.
CarrierIQ is on a lot of phones, including Android phones, so this point is moot anyway...
Re: (Score:2)
The problem is that the version of CarrierIQ on iOS has the spyware bits disabled. The "spyware" parts were only active on Androids, and even then, it wasn't even spyware.
Re: (Score:2)
Re: (Score:2, Insightful)
Any system which allows users to run 3rd party software of their choosing is going to be vulnerable to the stupidity of its users. You can't fix stupid users without putting them in a jail cell.
As long as the user is the primary attack vector it's hard to make a blanket statement about a platform's security. Back when Windows would get infected simply by being turned on and connected to a network without the user doing a damned thing, it was easy to make a blanket statement about how secure Windows was.