Android Google Security

Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices

msm1267 writes: Security researcher Joshua Drake today disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation. One of the vulnerabilities was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities. Google has released patches into the Android Open Source Project tree, but public patches are not yet available.
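The summary names crafted MP3 and MP4 files as the delivery vehicle but gives no detail of either bug, so the block below is an added illustration, not code from the page, from Drake's research, or from Android's libstagefright/libutils, and it does not detect the Stagefright 2.0 flaws. What it shows is the framing check a parser of the MP4 container (the ISO BMFF box structure) should perform before trusting any length field read from the file: every box size is validated against the bytes actually remaining in its enclosing container, 64-bit and run-to-end sizes are handled, and nesting depth is bounded. The three sample inputs are constructed byte strings, not real media.

```python
import struct

# Boxes whose payload is a list of child boxes (a subset of the ISO BMFF
# container types; enough for the walk below).
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf", b"udta"}


def box(kind: bytes, payload: bytes) -> bytes:
    """Build one box: 32-bit big-endian size (header included), 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


# Constructed samples (not real media): a consistent box tree, and two that carry
# the kind of inconsistent size field a crafted file would.
GOOD_SAMPLE = (
    box(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isommp42")
    + box(b"moov", box(b"mvhd", bytes(100)))
)
# 'moov' claims roughly 2 GB while only 16 payload bytes follow it.
OVERSIZED_SAMPLE = box(b"ftyp", b"isom") + struct.pack(">I", 0x7FFFFFF0) + b"moov" + bytes(16)
# A box whose size field (4) is smaller than its own 8-byte header.
UNDERSIZED_SAMPLE = box(b"ftyp", b"isom") + struct.pack(">I", 4) + b"free" + bytes(16)


def walk_boxes(data, offset=0, end=None, depth=0, max_depth=16):
    """Yield (depth, type, offset, size) for each box, raising ValueError on
    any framing inconsistency rather than trusting the size fields."""
    if end is None:
        end = len(data)
    if depth > max_depth:
        raise ValueError(f"box nesting deeper than {max_depth} at offset {offset}")
    while offset < end:
        remaining = end - offset
        if remaining < 8:
            raise ValueError(f"truncated box header at offset {offset}")
        size, kind = struct.unpack_from(">I4s", data, offset)
        header = 8
        if size == 1:  # 64-bit 'largesize' follows the 8-byte header
            if remaining < 16:
                raise ValueError(f"truncated largesize at offset {offset}")
            size = struct.unpack_from(">Q", data, offset + 8)[0]
            header = 16
        elif size == 0:  # box runs to the end of its enclosing container
            size = remaining
        name = kind.decode("latin-1")
        if size < header:
            raise ValueError(f"box '{name}' at offset {offset}: size {size} smaller than its header")
        if size > remaining:
            raise ValueError(f"box '{name}' at offset {offset}: claims {size} bytes, only {remaining} remain")
        yield depth, name, offset, size
        if kind in CONTAINER_BOXES:
            yield from walk_boxes(data, offset + header, offset + size, depth + 1, max_depth)
        offset += size


def check_mp4(data):
    """Return (True, [box types in file order]) or (False, reason)."""
    try:
        return True, [name for _, name, _, _ in walk_boxes(data)]
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("oversized", OVERSIZED_SAMPLE),
                          ("undersized", UNDERSIZED_SAMPLE)):
        print(label, check_mp4(sample))
```

The point of the check is where the bound comes from: `remaining` is derived from the enclosing container's already-validated extent, never from the file's own size fields, so a lying `size` can at most fail a comparison. A walker that is only this strict still accepts any well-formed file; the rejections are on framing alone, with no decoding of box contents.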
  • Stagefright (Score:4, Funny)

    by tripleevenfall ( 1990004 ) on Thursday October 01, 2015 @11:51AM (#50635981)

    It's always been the audience that scares me, not the stage.

  • One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

    I hereby call for a "fork-fest" of Android - everybody make your own distribution of Android, remove code, add code, make it different. Android is sort of lip-service to the open source ecosystem. I'm not saying that this vulnerability is a result of that lip service, but I'd really

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

      Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

      Jeez. It'd be less fork-fest and more bug-kakke.

      (sorry, just had to slip tha

      • by tripleevenfall ( 1990004 ) on Thursday October 01, 2015 @12:17PM (#50636127)

        Fragmentation is one of Android's weaknesses, not a strength.

        Calling for more fragmentation makes no sense. It would leave people stuck on islands where features lag behind, incompatibilities abound, and no fixes will be available for future vulnerabilities. Fragmentation makes the problem worse, not better.

        The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

        • The point isn't to emulate a walled garden, nor is it to have everyone brew their own a la Linux. The point is to make the user experience close to the simplicity and compatibility of the walled garden, while still preserving the open platform.

          Unfortunately, the "Curated Collection" (a/k/a "Walled Garden") approach and the "Free-for-All" (a/k/a "You asked for it") approach appear to be mutually-exclusive.

          Android tries to split the difference now as it is, by having the User have to "disable" the "Only From Play Store" download switch (or is it the other way around?) but that simply doesn't work, mainly because even very significant percentages of Play Store Apps have been found to be unsafe.

          Face it. Android's Security Model is a shambles, and

          • by Anonymous Coward

            Uhm... You know that a tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

            There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

            Are you seriously still believing that i

            • by macs4all ( 973270 ) on Thursday October 01, 2015 @01:18PM (#50636783)

              Uhm... You know that a tens of thousands of malware / spyware apps trampled that walled garden a week or two ago, right?

              Tens of thousands? REPUTABLE Citation, please?

              There has been a bunch of apps that should not have been allowed on the store but made it in on top of that (even though they were found useful, but that's not the point)... things like the secret flashlight tethering app a couple years ago, that security researcher who had 10-100k users download his potentially malicious command-and-control center?

              Are you seriously still believing that i things are immune to malware?

              I (and Apple) never said iOS Devices are IMMUNE from Malware; but I think that iOS' track record in that regard speaks for itself.

              Plus, I love the way that Fandroids keep harping on the VERY few examples of things slipping past (having to go back YEARS to find one or two examples of Trojans that made it through Apple's Approval Process, and blithely IGNORE the metric buttload of (also see the links in that article) malware-containing Apps [arstechnica.com] in the Android ecosystem, a good number of which are, or until recently, when Google started getting more serious about vetting Apps, were available in the Play Store.

        • And yet everyone who posts that fails to realize how different everyone else's view of a 'perfect' OS is. Fragmentation means we don't all have to be the same.

      • Yeah! Let's have loads of different new vulnerabilities to deal with. And the fragmentation of different versions of Android isn't enough, so let's add a fuckton of forked versions into the mix to spice things up.

        Inevitable that the whole will become stronger? Android (hardly forked) is wildly successful as is, Linux (heavily forked) is wildly unsuccessful on the desktop. Let's please not take Android down the path of desktop Linux.

        Jeez. It'd be less fork-fest and more bug-kakke.

        (sorry, just had to slip that one in).

        You are exactly correct, which is why none of the Fandroid-Mods will Mod you up.

      • Jeez. It'd be less fork-fest and more bug-kakke.

        Well... That's an image I didn't need...
        never gonna look at my phone the same way again...

    • That's the problem: Android is already massively fragmented; every device/carrier combo is a unique device with its own update rules.

      That's why nexus devices get updates and nothing else does. The carriers won't update jack shit as that is like work.

      It is why Apple has such high new OS and security update rates. They told the carriers to fsck off.

      • by tripleevenfall ( 1990004 ) on Thursday October 01, 2015 @12:18PM (#50636139)

        The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

        • by mwvdlee ( 775178 )

          A sense of moral responsibility?

          Nah, I'm just kidding! :)

          • by Anonymous Coward

            A sense of moral responsibility?

            Nah, I'm just kidding! :)

            Now that made me laugh. It's sad that the idea of moral responsibility for a corporation is so absurd.

            • Not necessarily for corporations, but definitely for telcos.

              They've had no sense of moral responsibility since telegraphs were in use.

        • The carriers are only going to do the minimum for each device. Why would they invest development time in a device that isn't for sale anymore?

          Um, because Apple does?

          • The problem is phones sold by the carrier, which are then customised. Apple doesn't allow this kind of customisation, so there's no reason for the carrier to be anywhere on the upgrade path. Most Android vendors do, which means that you have to get the firmware upgrades from them, rather than the manufacturer. If you buy one directly, then manufacturers vary wildly (and so do devices from the same manufacturer) in how timely they are in pushing updates. And they're all pretty bad, so there's not much in
            • The problem is phones sold by the carrier, which are then customised. Apple doesn't allow this kind of customisation, so there's no reason for the carrier to be anywhere on the upgrade path. Most Android vendors do, which means that you have to get the firmware upgrades from them, rather than the manufacturer. If you buy one directly, then manufacturers vary wildly (and so do devices from the same manufacturer) in how timely they are in pushing updates. And they're all pretty bad, so there's not much incentive to compete.

              Thanks Captain Obvious.

              So, since you have (correctly) identified the problem, why hasn't Google fixed it?

              • Probably market dynamics. Google doesn't have relationships directly with carriers except for with the Nexus devices. The carriers deal with the OEMs, and the OEMs deal with Google. Google has all the muscle, and none of the standing to get it done. The OEMs have none of the muscle, but all of the standing.

                As Apple plays both the part of Google and OEM in their ecosystem, they have both the muscle and standing.

                • Probably market dynamics. Google doesn't have relationships directly with carriers except for with the Nexus devices. The carriers deal with the OEMs, and the OEMs deal with Google. Google has all the muscle, and none of the standing to get it done. The OEMs have none of the muscle, but all of the standing.

                  As Apple plays both the part of Google and OEM in their ecosystem, they have both the muscle and standing.

                  I agree that Google let the horse out of the barn in the beginning; but maybe the OEMs, if not the Carriers, will change their tune if enough migration away from Android happens.

                  In that world, even a 1% migration amounts to hundreds of thousands, if not a few million, lost sales.

              • Re: (Score:2, Troll)

                I continue to hate on google.

                a friend convinced me to try a 'new' android phone (older used one but a few gens back so its now affordable). my one and only android, the N1, is stuck at 2.2 or something equally ancient and I'm tired of that being such a POS.

                refurb phone came with 4.4. I rooted it (lg g2) and installed twrp recovery (not easy at all, for some reason) and then a custom rom based on 4.4, supposedly with lots of fixes.

                I then find out that vpn is broken (by design) in ALL 4.4 codebases. everyo

                • Re: (Score:2, Informative)

                  by swv3752 ( 187722 )

                  Unless you bought a Nexus device, most of the issues you mention are the fault of the Vendors and the carriers, not Google.

                  • by TheGratefulNet ( 143330 ) on Thursday October 01, 2015 @02:25PM (#50637375)

                    google designed a faulty os, their update model is broken, their fragmentation is a nightmare and the fact that they broke vpn's for ALL of 4.4 is NOT a carrier issue, my friend!

                    I love to blame carriers, too; but vpn api being broken for a year and NOT BEING FIXED is a carrier issue to you? how in the world is that their fault when google, themselves, abandoned 4.4 for key bugfixes?

                    I'm supposed to jump on 5.0 and not expect MAJOR bugs to be fixed in just a few versions back; a still-current version for most people??

                    google owns this one. sorry if that goes against your narrative but vpns being broken in a whole version and never being fixed is a huge slap in the face.

                  • When there is a security vulnerability found on Windows, I can download the patch without waiting for Dell no matter how much crapware Dell installs.

          • There's no one standing between an iPhone user and Apple disrupting the process. The user's phone is connected directly to the vendor, who can push updates to it without interference.

            As a result, a user who bought an iPhone 4S in 2011 is still on the latest and greatest today. Someone who bought a Galaxy S2 in 2011 was left at Jelly Bean.

      • by Lumpy ( 12016 )

        I so wish that the next version of android that google tells carriers to fuck off.
        I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android gets so bad that some like HTC confuses some people.

        New version require it to be pure with NO apps baked in and permanent or they can't advertise or use the name "android" in any way. It will force them all overnight to stop it. They also need to force them to push out updates 15 days after google does or lose the rights across all

        • It will also force them to find a new platform.

          Do you think either the OEMs or the carriers are going to stop doing this?

          Brand differentiation, monetization, vendor lock in ... all of these things say these companies have no interest in selling a vanilla version of Android. What's in it for them? Samsung has their own store, their own apps and ecosystem, and want people locked into Samsung.

          I agree with the sentiment, but if you think it'll happen you're kidding yourself.

          • by Lumpy ( 12016 )

            No it wont. You seem to not understand consumer demand.....

            Want an example? sure!

            Look at any phone running a Microsoft OS.

        • I so wish that the next version of android that google tells carriers to fuck off. I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android gets so bad that some like HTC confuses some people.

          New version require it to be pure with NO apps baked in and permanent or they can't advertise or use the name "android" in any way. It will force them all overnight to stop it. They also need to force them to push out updates 15 days after google does or lose the rights across all products.

          Apple did it. What's Google's problem?

          Does anyone here even SLIGHTLY believe that Google doesn't have as much negotiating leverage as Apple?

          • Does anyone here even SLIGHTLY believe that Google doesn't have as much negotiating leverage as Apple?

            Holy crap yes.

            Apple sells phones directly to users for the carriers.

            Google sells an OS to the phone manufacturers who customize who then sell it to the carriers who customize it some more who then sell it to the users.

            Google can't do shit to that chain. Mindbogglingly, it's actually what they wanted.

            • Google sells an OS to the phone manufacturers who customize who then sell it to the carriers who customize it some more who then sell it to the users.
              Google can't do shit to that chain. Mindbogglingly, it's actually what they wanted.

              Microsoft sells an OS to computer manufacturers who customize it and they sometimes sell them to resellers who further customize it (i.e. Best Buy). Guess what? When Microsoft provides a security update, I don't wait on Dell or Best Buy for the patch.

              When MS releases a new OS, t

              • Google chose a different route than Apple or Microsoft. The worst of both worlds, if you will.

                That's entirely on Google.

        • I so wish that the next version of android that google tells carriers to fuck off. I am so done with the baked in crap from HTC/Samsung/etc and the deviation from pure android gets so bad that some like HTC confuses some people.

          Are you complaining about carriers or manufacturers? Google can't tell manufacturers (HTC/Samsung/etc) to fuck off, because they're the ones that build the device. There are already fairly strict restrictions on what you can do if you want to include the Play store (i.e. you have to install all of the other Google crap), which is what's pushing Samsung to fork Android, but the core open source OS is... open source.

          The manufacturers, on the other hand, could tell the carriers to fuck off, and not provide

      • My M8 is running Android 5.0.1, not the latest, but not what it was born with (4.4.2).

        Lots of phones get updates, but lots of lower performance phones do not, for obvious reasons. And unpopular phones ditto.

        The carriers do abandon phones regularly, but not universally.

      • It's OK the market will fix it.

    • by mwvdlee ( 775178 )

      And how exactly does this solve the problem of hardware manufacturers not updating locked firmware?

      • And how exactly does this solve the problem of hardware manufacturers not updating locked firmware?

        Do you really think that the OEMs don't have the "magic key" that unlocks the unlockable?

        Because if not, and they REALLY have to get out the JTAG programmer and open up each and every phone, then those OEMs should be taken out back, stripped, and introduced to goatse...

        • Because if not, and they REALLY have to get out the JTAG programmer and open up each and every phone, then those OEMs should be taken out back, stripped, and introduced to goatse...

          Tell you what.

          You do whatever you can to fulfill this entertaining bit of justice. And the wireless companies will spend a small portion of their significant wealth to buy whatever it takes to prevent the occurrence of this. Which one wins?

          Yeah, in a just world, Android users wouldn't be held captive by wireless providers that

          • The reality on the ground is this: a large subset of the > 1 billion current Android devices will never be free of this vulnerability. And that's ok by the manufacturers and network providers, because it's a market opportunity.

            And it's ok by Apple, too; who are beginning to see the record-breaking hordes of jaded Android users migrate back to the relative safety (and definitely better upgrade policy!) of iOS.

    • Fragmentation isn't the problem. Even if somebody built a secure fork who would adopt it? Not Google. Not Samsung. Android is fundamentally built without security in mind. This is just the beginning of the Android flaws, they could be coming for years. It needs a complete audit and overhaul. Jezus now I have to fork over almost a grand to Apple so I can do my job safely!

    • One of the great strengths of GNU/Linux is its diversity. Like biological life, it is constantly changing, morphing and becoming something new. And also like biological life, constantly changing helps protect against "bad stuff".

      You're confusing evolution with Intelligent Design. Constantly changing, even randomly, is a valid way to outwit a slowly evolving creature -- but for software, it means constantly risking the introduction of new flaws. In biology, just about any change means the enemy has to slowly evolve to take advantage of it -- but for software, you face intelligent attackers. Software has an advantage compared to biology -- well-made software provides an impermeable defense, that can't be breached unless you convince

    • Software isn't food and it isn't alive. Forking is a terrible idea. Phone carriers would never let forks run on their networks, knowingly, for various reasons. Also forking Android doesn't mean the flaws would all suddenly go away. What if the flaw was in a base part of the code? Other flaws could be introduced as well. All you're doing is spreading the risk, not fixing the problem.
    • Fragmentation is why Google is going to have a hard time containing these vulnerabilities. The number of phones that will never be fixed is shockingly high.

  • It's unfortunate that Google gave away so much control of Android. This means pretty much all Android devices are vulnerable, and unless the user has the skill and ability to install a non-vendor version of Android (eg: cyanogenmod), then these people are screwed.

    Most android device manufacturers can't be bothered to release updates for their devices, and even when they do, you may still get railroaded by the carrier, leaving a very large number of devices vulnerable to who knows how many exploits. Of cou

    • It's unfortunate that Google gave away so much control of Android. This means pretty much all Android devices are vulnerable, and unless the user has the skill and ability to install a non-vendor version of Android (eg: cyanogenmod), then these people are screwed.

      No, what's "unfortunate" (actually bordering on criminal negligence) is Google not AMENDING their OEM and Carrier Policies to be more in line with Apple's.

      The ONLY explanation at this point is that Google simply doesn't care about what happens to its Users, so long as the Click Revenue and Data Mining is running full-tilt-boogie.

  • How do I inform Verizon and Motorola that I won't buy an android phone from them EVER AGAIN until they start supporting their products with security patches?

    My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

    I'm downright upset about the lack of security fixes from Motorola/Verizon.

    Seriously, how do I let those two corporations know in an effective way that they'll NEVER get another phone purchase from me until they've changed their do-nothing security practices? Not one penny!

    • by gstoddart ( 321705 ) on Thursday October 01, 2015 @12:23PM (#50636171) Homepage

      Well ... you could picket naked outside of their offices ... you could post a stern comment on Slashdot ... you could send a stern letter to their customer service ... or you could simply not buy them.

      Except the first one, which might get you some media coverage, the remainder will all have the exact same result ... nobody will give a crap.

      Don't get me wrong, I agree with you. But one lone consumer saying they won't buy the product? Sorry, but the net result of that is precisely nil ... corporations don't care about one individual, and unless a very large amount of customers do something very vocal, nothing at all will happen.

      And those "market solutions" everybody talks about? They don't happen either, because consumers fail to care, or nobody builds the competing version and sells it in order for people to choose it.

      So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

      • So, your only real solution? Buy a Nexus device. Those are the ones which always get updates. Pretty much every proprietary version will get support until the manufacturer moves on to the next model.

        That's not your ONLY solution...

        And iOS almost always reaches several models back with Updates. And if they are critical Updates, sometimes even further back than usual.

        • That's not your ONLY solution...

          GP talks about Android, story is about Android ... and you spout off about iOS.

          Sorry, thanks for playing ... here's a lovely parting gift.

          Look, I have both Android and iOS devices. But, honestly, randomly saying "yarg, use teh Apple" is kind of pointless here.

          And, quite frankly, having had Apple upgrade my original iPad to the point of uselessness and then abandon it, I'm not willing to update my iPod touch ... because I no longer trust Apple to not fuck up my device and the

          • GP talks about a mobile devices operating system, story is about a mobile device operating system ... and this guy dares spout off about an OS for a mobile device. THE NERVE.
    • by Lumpy ( 12016 )

      Easy, stop buying phones from them and only buy from play.google.com

      • Easy, stop buying phones from them and only buy from play.google.com

        Has Google added any non-basic phones yet? I only have four requirements and I'd buy pretty much any phone that had them:
        1) MicroSD slot (swap cards as needed)
        2) removable battery (security)
        3) unlocked bootloader (load useful software)
        4) will activate on the VZW network (geography)

        Everything else about the phones is common enough today that I don't even care. I haven't found a single one so far that passes this basic test. Prove me wron

        • I also valued the sd card and swappable battery. it was hard for me to convert over to an lg g2 (at a friend's request). the sd card thing is not hard to deal with; a $10 OTG adapter gives you usbstick access or even micro-sd. it sticks out (dongle) but it's not horrible.

          battery wise, my phone can take new batteries but its a huge issue to open the phone and dig out so many things. the batt is not soldered in, but its pretty deep inside. still, a batt change would be needed every 2 years or so and when t

    • You don't. Verizon just does whatever the hell they want to do.

      Though if a stagefright vulnerability made it into the wild and started bringing down Verizon's wireless infrastructure...that might trigger a reaction. Hard to say though, because the affected customers would get a high data bill, which Verizon would love. Though if they can demonstrate in a civil court that a Verizon brand phone operating within Verizons own parameters is misbehaving due to somebody the customer has no relationship to taking n

    • You need to find the appropriate product manager, and inform them.
      There are people whose job it is to figure out what people want. You need to find those people and communicate with them.
    • by nnull ( 1148259 )
      Don't forget Samsung as well who still to this date haven't really done anything with Stagefright. And Google still hasn't really completely patched against it for how long now? These phones are starting to be worse than Windows 98 full of malware and spyware.
    • Send them a comically large postcard stating this fact, take pictures as you go to mail it and post them to their corporate Twitter/Facebook/whatever.
      The text on the comically large postcard should be sarcastic and ironic. Dress it up to be like a giant check those prize patrol vans hand out. Use words and phrases like "Congratulations!" or "You have been selected to never get any of my money!" or "1,000,000,000 Devices Vulnerable!".

      The tech tabloids and "news" aggregators will pick it up and the "story"

    • Answer: class action lawsuit.

    • While the process to buy one is kind of a pain until the company figures out their manufacture and supply issues, look at OnePlus for your next phone. The phones are not tied to any carrier, you own them outright and they sell them dirt cheap for very low margins (hence the complete lack of spare inventory standing by for you to purchase). I have a OnePlus One that is almost a year old and it's currently running Android 5.1.1 (shipped with 4.4.4 I think) plus Cyanogenmod. The current phones are running t

    • by b0bby ( 201198 )

      Motorola seems ok to me - I have an unlocked 2013 Moto X and got a Stagefright update a couple of weeks ago.
      I try to avoid Verizon if I can anyway.

    • Well you could take the fight club approach and blow up their HQ offices while having a plane flying by raining down leaflets telling them why it got blown up. That would probably get their attention.
    • What Moto phone do you have anyway? The OG Moto X recently got the fix along the with the Lollipop update and the Moto Droid Turbo just began soak tests today so it is probably coming to everyone within a week or two.

      I am a Computer Systems Engineer and an Android developer as well as the proud owner of an OG Moto X DE, and I was utterly unconcerned about the 1st Stagefright vulnerability because of ASLR protection. With Stagefright 2.0 they claim they can get around ASLR, but this has yet to be proven by

    • My phone STILL hasn't been patched from the first stagefright vulnerability. I've disabled functionality on the phone in order to protect it.

      Protect it from what? If your phone was made in the past 3 years it likely has a version of Android that implements ASLR which severely limits what arbitrary code execution can do on a device. This is especially important given the insane fragmentation of Android which makes all but the most targeted of attacks quite useless and even then they are very difficult. End result is that no one has been able to show that Stagefright is being actively exploited in the wild.

      This has all been a very big yawn, and I

    • I need access to Verizon towers because it is the only signal that I can get at work.

      I first signed up with Page Plus Cellular, then moved to Tracfone after the America Movil buyout. I finally upgraded to a 4g device six months ago.

      I can't run cyanogenmod because of Verizon's fascist bootloader locking. I do run an alternate touchwiz rom, and I have purged everything from it that mentioned Verizon.

      And when Verizon shows up in my Facebook feed, I ask them why they lock their bootloaders and FORCE their users

    • Seriously just buy a damned blackberry.. I've been using my z10 for three years now and have no real interest in upgrading it. Sure a better camera could be nice but it runs smooth as butter, has amazing battery life, I can side-load most android apps (I don't really need to though), has the best messaging platform (the hub) bar none, the best multi-tasking capabilities out there, and best of all.. I don't have to worry about this constant drumroll of security flaws found in android and iOS.
  • The fact that these and the previous Stagefright bugs and others like them will never be fixed on most of the affected handsets, along with other nice things I'm hearing about the newer iPhones have me contemplating something that a year ago would have been anathema.

    I may actually end up switching to an iPhone this fall instead of a new Android phone.

    That may depend on some other things like root availability and CyanogenMod planning for possible handsets, but even with those a lot of the nice things on And
  • Stagefright 1.0, however, was exploited via a specially crafted MMS message which were at the time automatically processed by Stagefright. Google’s patch means Stagefright no longer does so, especially in new versions of Google’s Messenger and Hangouts apps. With Stagefright 2.0, Avraham said the most logical attack vector would be the mobile browser where an attacker tricks the victim via phishing or malvertising to visit a URL hosting the exploit. An attacker could also inject the exploit via
