Forgot your password?
typodupeerror
Cellphones Google Handhelds Security IT

Researcher To Release Web-Based Android Attack 136

Posted by timothy
from the oopsie-daisy dept.
CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says"
This discussion has been archived. No new comments can be posted.

Researcher To Release Web-Based Android Attack

Comments Filter:
  • by mykos (1627575) on Thursday November 04, 2010 @10:42PM (#34132478)
    So many phone makers seem to think the worst thing in the world is to provide users an official update. Maybe this will get them in gear.

    As an aside, does anyone know what phone makers are good about keeping updates coming?
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Still waiting for 2.2 from Samsung... so not them!

      • by stoolpigeon (454276) * <bittercode@gmail> on Thursday November 04, 2010 @11:22PM (#34132648) Homepage Journal

        If you are on the Galaxy S like I am, Froyo started rolling out today in the UK [androidcentral.com] - hoping the US is not far behind.

        • Re: (Score:3, Insightful)

          by toastar (573882)

          If you are on the Galaxy S like I am, Froyo started rolling out today in the UK [androidcentral.com] - hoping the US is not far behind.

          If you have root like I do, you probably have had froyo for months

          • by cwtrex (912286)
            I have been researching roms and kernels for the Samsung Epic, which of course is a CDMA phone and has 4g. You didn't mention which Samsung S you have, but are you aware of a rom that is Froyo and also has CDMA, Wifi, and 4g capabilities for the Samsung Epic?

            Is there a way to keep the stock rom, but force it to upgrade to froyo using root?
          • Re: (Score:3, Insightful)

            by peragrin (659227)

            And this is one of the main reasons not to get an Android phone. In order to get upgrades you have to root(jailbreak) the phone. Apple may be a control freak, but at least they are willing to support their products for more than 6 months.

              So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

            • Re: (Score:3, Informative)

              by GooberToo (74388)

              By your definition, Apple's products complete fit the bill. In fact, given one product problem after another, even without your comments, they seemingly fit the bill. Though honestly, I don't believe your assessment of the market, Android+iPhone is even close to reality.

              Just the same, Android phones vary widely in fit, function, and quality. Some even exceed the iPhone's quality by a wide margin. Android's success is not because "resistance is futile" mentality as you attempt to push. Its succeeding because

              • by jeffmeden (135043)

                I am honestly not trolling... But, please tell me which Android phone is "well beyond what Apple currently provides [in the iPhone 4]"...

                • by GooberToo (74388)

                  Several HTC, Samsung, and Moto devices have all been highly regarded. Especially the latest Samsung S series units. Moto and HTC also make some of the lowest of the lower end devices too.

                  Seriously, go check out some of the android sites like www.androidguys.com and you will find lots of good information on good Android devices.

                  Generally the biggest complaint about Android devices originate from the the Apple camp and it almost always boils down to - its not an iPhone and/or it doesn't run the OS I'm used to

                  • by jeffmeden (135043)

                    Owning a Fascinate (verizon galaxy s phone) I can say that while advanced, and smart, it is not really any measure better than the iPhone. Lacking a front facing camera, any sort of LED message notification, and sporting a screen technology that is both lower in resolution and far harder on battery life make it impossible to ever classify it as "well beyond what apple currently provides". The incredible's lack of significant screen resolution (even after the switch to LCD to improve reliability and batter

                    • by GooberToo (74388)

                      The S family is actually fairly large. I can't speak to your particulars but I can absolutely assure you, there are many phones which are on par or simply out class the iPhone.

                      Much of your complaints are also of the personal opinion variety rather than technical merit. That goes back to my open mindedness comment before.

                    • by jeffmeden (135043)

                      As a cellphone is something one must live with day in and day out, personal opinion on size/shape/feel are HUGE factors, and dismissing these with a wave of your hand is incredibly ignorant. Feel free to include details on your merit-based argument if you *really* think it's that compelling.

                    • by GooberToo (74388)

                      You're trolling.

                      Your personal opinion is not my personal opinion. The opinions of the iPhone crowd rarely match that of the Android crowd which rarely match that of the "other" crowd. So your saying it doesn't match your personal opinion holds zero sway. The legitimate point remains, with absolutely no hand waving, excluding your own. There are many Android devices which are superior to that of the iPhone. Period.

                      Which means, strictly based on your own personal opinion, its up to you if you can find one you

                    • by jeffmeden (135043)

                      You're such an anti-apple fanatic that you can't see the forest for the trees, and think that anything outside your notion of "fair" is a troll. I asked you twice to name these specific "technical, non-subjective features" that you insist certain phones posses that make them superior to the iPhone. Please do so, unless you want to be the one trolling.

            • by jDeepbeep (913892)

              So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

              I'd have to agree with you. I have a Droid Eris that Verizon has declared end -of-life in under a year of its release, and they have also stated it will never be updated to 2.2. I have no choice but to root the phone, since I'm not going to buy a newer, shinier unsubsidized device at $600+ a pop.

            • by whodunnit (238223)

              Yes like my ipod touch, that for one update i had to PAY to get the upgrade, and now is completely un supported. Yep... apple rules. Oh no, wait.. the suck. And that's why I bough an android phone.

              And you don't have to root your phone to get an update, but you CAN.

              Damn fanboys.

          • Re: (Score:3, Insightful)

            by jeffmeden (135043)

            If you have genuine security needs (and concerns) like I do, you wouldn't touch a rooting system and hacked rom with a 10 meter patch cord. Hoping for increased security by running "newer" code from completely untrusted sources... What could possibly go wrong?

            • by Spykk (823586)
              Who is a trusted source? Apple? Motorolla? I'll trust the source code that I am free to read myself long before I'll trust anything a phone manufacturer forced on me.
      • Re: (Score:3, Informative)

        by Johnny O (22313)

        Samsung or Sprint (I forget which) already stated that the Moment (which I am posting this from) will NOT be getting 2.2. We are STUCK with 2.1.

        • by Anonymous Coward

          2 year contract, 6 month technology cycle. Didn't you expect this? I know I did when I bought mine. Just root the sucker and put on a third party rom, which runs incredibly better anyway.

          • by Johnny O (22313)

            I came with 1.5. I was PLEASANTLY suprised they upgraded to 2.1. Lots of other phones released at the same time are going 2.2. This one was abandonded. Android 2.2 comes with tethering and Sprint doesn't want that (without fees).

            • "I came with 1.5."

              You are a serious enthusiast. I am loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that is has been released, but I never came; it didn't even get me hard.

              • by jeffmeden (135043)

                "I came with 1.5."

                You are a serious enthusiast. I am loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that is has been released, but I never came; it didn't even get me hard.

                You are overlooking the possibility that he is a sentient smartphone and was merely referring to the software which was preloaded at birth...

                • I am overlooking no such thing. His SlashID is lower than mine, and he was therefore born well before Smart Phones themselves of any sort existed.
                  • by LandGator (625199)

                    Perhaps he rooted /. in order to acquire a lower SlashID.

                    • "Perhaps he rooted /. in order to acquire a lower SlashID."

                      Try to be serious. Do you really think I hadn't considered that? A sentient being capable of doing such a thing would hardly waste their time with Slashdot. Sheesh ... do you people even stop to think just a little bit before posting these kind of ridiculous and sad attempts to seem smarter than I am?

                      Sincerely,

                      - SAM (Sentient Android Master)

        • I think you'd still be fine without rooting as long as you installed mobile firefox from the Android store? This is a webkit attack that targets the default browser.
    • by Nerdfest (867930)
      Why would it? In most cases they almost seem to be of the attitude that "You bought it, now it's your problem".
    • by cheater512 (783349) <nick@nickstallman.net> on Thursday November 04, 2010 @10:53PM (#34132530) Homepage

      N900 is pretty good. 3 core updates (I think) so far plus a upgrade to Meego when it is finished.
      Also half the price of similar phones.

      • by mcvos (645701)

        Really? It was still $500 when I considered the N900. (I chose against it because I don't want a stylus; I want multitouch.)

      • by Doug Neal (195160)

        But the catalog of applications available is dire. Nobody is developing for it. Yes there are a few apps which are really cool, but they're the exception, and they don't have the same level of polish as you'd expect from Android or iPhone apps. And still no decent Webkit browser!

        I'm dumping my N900 for an Android device as soon as I'm out of contract. Sad really because the hardware is excellent, and it had a lot of potential.

        • Erm...Why do you want a Webkit browser?
          Its got essentially raw Firefox and all its capabilities.

          As alternatives it has Fennec and Opera as well.

          • by Doug Neal (195160)

            Because Webkit is superior to Gecko - it's faster and it uses less memory. The built in MicroB browser is not very quick. Fennec is even worse. The GUI responses lag behind the input noticeably.

            I wasn't aware of Opera being available for the N900 though, I will give it a try.

            • I doubt Webkit would do any better than MicroB on the N900. Remember that its processor it half the speed of most newer phones.

              And no Gecko is not inherently slow and bloaty. Put any experience you have with desktop Firefox away because it doesnt quite apply to Fennec or MicroB.

    • Re: (Score:3, Insightful)

      by rmcd (53236) *

      One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

      The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.

      I don't think this is as trivial a problem as some of

      • by causality (777677)

        One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

        Emphasis added.

        I don't think this is as trivial a problem as some of the commenters would suggest.

        It's trivial because those customizations that hinder updates are idiotic. If they were important and non-essential then it would be non-trivial. As it stands, the problem is very easy to solve.

        • by rmcd (53236) *

          You're right, but ...

          It's easy to solve if customers demand clean implementations. I don't see that happening anytime soon. No one I know (apart from friends who are the type to read slashdot) even knows what android is, let alone the difference between "with google" and not.

      • by tlhIngan (30335)

        One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

        The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.

        It's phone makers AND carriers. The only real reason

    • by bhagwad (1426855) on Thursday November 04, 2010 @11:41PM (#34132732) Homepage
      Won't it be nice if someone sues a carrier for not providing updates because of which their phone was hacked and valuable data lost? It'll be like a wet dream come true for me :D
      • Re: (Score:2, Insightful)

        by khchung (462899)

        Won't it be nice if someone sues a carrier for not providing updates

        So you would be happy to encourage carriers to pick phones that do not have updates so they won't be liable for not providing the updates to customers?

    • Re: (Score:3, Informative)

      by Zarf (5735)

      Motorola Droid has had every update so far.

      • by markhb (11721)

        Yeah, well, I've got the original CLIQ, which is just getting the long-awaited upgrade from 1.5 to 2.1, with very few hopes of getting an official bump to 2.2. I wonder if they can backport the WebKit fix from 2.2 into 2.1 without breaking everything in sight.

    • by zarthrag (650912)
      My nexus one gets 100% pure updates through T-mobile. If I'm impatient, I can run official builds directly from google. No missing features, no custom UI elements. I'll have tethering for free while everyone else pays, and any other feature Google releases that doesn't defy my hardware.
      • by peragrin (659227)

        The Nexus 1 uses stock android though.

        the majority of HTC models lag 6-12 months behind in updates simply because they have to make sure their UI updates correctly on the older hardware. It is also why HTC stops updating phones much earlier than apple does simply because it becomes far to much work for a limited group that you want to purchase new phones anyways.

    • by rwa2 (4391) *

      As an aside, does anyone know what phone makers are good about keeping updates coming?

      Um, anything supported by CyanogenMOD [slashdot.org]? I specifically shopped for a phone on their list.

      Not as convenient as OTA updates, sure. But there's enough good stuff in there to make it well worth the effort to flash from 2.1 to 2.2

    • by trcooper (18794)

      HTC and Verizon have been good on the Incredible. The second update to the phone in 6 months is set to go next week. This will be a minor update to the Froyo release that went out in August / September I believe. I also expect that we'll see Gingerbread a month or two after it's released.

       

    • by tixxit (1107127)
      I JUST got a 2.1 update from TELUS (Canada) for my HTC Hero. It was several months after most other providers released the update. As far as I know, this is it for support for my phone; HTC only promised up to 2.1. It is annoying that phone companies sell 3 year contracts that come with a phone, when that phone is only supported for 1 year. For all the Apple bashing, at least they actually support their product for the expected lifetime of the device, rather than ditching it as soon as it hits that 1 year
    • by ronocdh (906309)

      As an aside, does anyone know what phone makers are good about keeping updates coming?

      No. I have a Nexus One and am extremely pleased with it. The unlocked bootloader means I can run whatever version of the operating system I want. Google releases the source code months (in some cases, maybe years) before most phone manufacturers get around to offering an update, but modding communities like CyanogenMod [cyanogenmod.com] have an extremely fast turnaround. They build for many different handsets, by different vendors, patch often (there are nightly releases available if you're into that), and don't seem to have

      • by tehcyder (746570)

        I wouldn't stand for having a computer that restricted the software I'm allowed to run on it, and I don't see any reason to change that philosophy for using a "smartphone."

        Having come late to the smartphone joy ride, I've concluded that it's a fucking waste of time, and in future I'll stick to using computers for the internet and everything else, and leave the phone for calls and texts only.

        I really can't be bothered with having to update the operating system for what is still basically just a phone.

        • by ronocdh (906309)

          I really can't be bothered with having to update the operating system for what is still basically just a phone.

          You know, a lot of people would say that same thing about their computers. And if you're thinking of devices like the Nexus One as "basically just a phone," you haven't spent time with one. Even calling it "basically just a computer" is selling it short; this thing has a faster processor, more RAM, and more storage space than my desktop computer from ten years ago. And it fits in my pocket.

          If you want to be all "Get off my lawn" about smartphones, be my guest. But the influx of mobile computing is happenin

  • What about the rest on versions lower than 2.2?
    • by tjhart85 (1840452)

      What about the rest on versions lower than 2.2?

      Google provided the code with the fix in it, it's up to the manufacturers to give it to the people that bought the phone.

  • Isn't this roughly similar to the effects obtained by the earlier exploits on iOS? However, there many users first feeling was some relief from the monolithic Apple gate system, but here on Android the spin feels more like traditional tech news.

    • by tepples (727027)

      Isn't this roughly similar to the effects obtained by the earlier exploits on iOS?

      Technically it is. But unless you bought your Android phone from AT&T, you have the option to put in your own command prompt through "Unknown sources". So any jailbreaks for Android are considered less necessary, and the risk outweighs the benefit.

      • Re: (Score:3, Interesting)

        by the_humeister (922869)

        Even if you do have an AT&T Android phone, which I do, it is still possible to use apk (a tool found in the Android SDK) to transfer programs to the phone. It's pretty simple to use too. Of course, to get rid of the crapware AT&T installs, rooting is still required.

  • Thomas A. Anderson is specialized in killing Agents, John Connor in killing Terminators, and now M.J. Keith kill Androids... that comes just in time when Hollywood was running out of ideas for a new movie.
  • I read the headline and immediately thought a mad scientist was about to unleash an army of things resembling a cross between Spiderman and the Terminator, and we should all cower in terror in our makeshift basement bunkers awaiting our inevitable destruction.

    But TFA revealed it's just a smartphone hack.

    All we need is a brand of toilet paper called "Flying Car" and my disappointment with the 21st century will be complete.

  • Headline = 1,000,000 points. Copy = I don't know - about a dozen points. Maybe.
  • by JSBiff (87824) on Friday November 05, 2010 @12:39AM (#34132962) Journal

    I wonder if there is any law which covers this sort of situation. The original G1 was only released like 3 years ago - not really very old, but T-Mobile has completely abandoned owners/users of the G1 and is not providing any additional updates.

    Honestly, I blame Google. From day 1, it should have been mandatory that OS updates would come from Google, forever. Carriers don't give a crap about keeping users in updated code once the phone is sold. To them, it's just a device which comes in a box, gets sold, and if it becomes 'obsolete' within 2 years, well that's just another box they can sell you in 2 years.

    It's absolutely inexcusable that a programmable, Internet enabled device of the complexity of a G1 should not have guaranteed security updates for the included software, for a minimum of 10 years.

    • Re: (Score:2, Interesting)

      by getto man d (619850)
      Google and the hardware manufacturers are both to blame; Google (for the reasons you stated) and the manufacturers for adding in their 'own' elements departing steadily from vanilla android.

      I've seen many comments on /. how Android is amazing, especially since it is fragmented (linux and windows arguments) but this is the worst possible case for the mobile platform, IMHO. Unless of course you don't mind upgrading your phone every 'x' amount of years. Some of us don't have the spare $$ and truly want a
    • by Psiren (6145)

      10 years support for a phone is never going to happen, and it shouldn't. A ten year old device like that would be hopelessly outdated. Even something 2 years old looks pretty pathetic nowadays. They should however be forced to provide updates for the duration of your contract. I know mobile contracts over in the US are pretty fucked up, but here in the UK my current phone is on a two year contract. I just got the update to 2.2 yesterday, but I've still got another 20+ months of contract to run. That's certa

    • Re: (Score:3, Interesting)

      by Woek (161635)

      One of the selling points of the Google Nexus One phone was direct support from Google, and therefore the quickest updates. The phone is quite a bit more expensive than the HTC desire/incredible, which is practically the same phone.

      • Re: (Score:3, Interesting)

        by TimTucker (982832)
        This was also a selling point of the ADP1 (basically the developer version of the G1). Some of us did shell out early for an unsubsidized Android phone with the expectation that it would be directly supported by Google.
    • by akadruid (606405)

      I don't know why you've selected the G1 - it was one of the better supported phones. It got all the upgrades for the first year, from 1.0 to 1.6.

      Pick something like LG GW620/Eve/InTouch Max/KH5200. Released in 2010, in dozens of countries, running android 1.5, it was never updated and was fully abandoned by manufacturer and carriers in under 6 months. There are hundreds of thousands of them out there on 18 or 24 month contracts which won't expire until 2012.

      It is fully capable of running android 2.2, and

  • Yes, there will be a lot of trouble once people lose all their contacts & emails, buy a random Market app for 1000 and similar.

    But this will _force_ makers, vendors, network operators and everyone else to introduce sane update policies. These machines are a small PC. They need the same software update capabilities.

E = MC ** 2 +- 3db

Working...