Stupid Chinese hackers.

tpatt100

Bl8ckr0uter wrote: »

The fact that you could even go to a forum and get fixes proves my point. And when I say easy, I mean easy for the type of people on TE not Joe User.




Do you really know who is producing the patches when you are dealing with vendors? I mean without outsourcing/offshoring you can't really be sure who is really giving you patches/updates/etc. You know what they are coming from (at least by name) but have you ever talked to a MS patch developer?

For the root patches that I have used I have talked with some on the people who developed to exploits to get root and many people who have used them before me. Of course they could be lying but that is the chance I take. You take the same chance when you deal with any vendor.


I am not saying one is better than the other I am just saying there are risk in everything.

A vendor patch means I have a vendor I can go to and complain if something happens. There is a company I can sue if I wanted to lol. Root patches and root processes come from some guy named Hansolo69 or some stuff and the file is uploaded to some overseas free file sharing server. And this is to get "root" access to your phone?

I don't know anybody from Microsoft when I run Windows update but I know Microsoft is an actual company. I don't have to talk to anybody to know that at least the patch comes from their servers using their process using their company name.

Bl8ckr0uter

tpatt100 wrote: »

A vendor patch means I have a vendor I can go to and complain if something happens. There is a company I can sue if I wanted to lol. Root patches and root processes come from some guy named Hansolo69 or some stuff and the file is uploaded to some overseas free file sharing server. And this is to get "root" access to your phone?

I don't know anybody from Microsoft when I run Windows update but I know Microsoft is an actual company. I don't have to talk to anybody to know that at least the patch comes from their servers using their process using their company name.

Then don't complain if said vendor doesn't update your phone lol. And I am talking about you personally not a business. Surly if a patch BSOD your machine you won't be suing MS....

I personally think that Google should treat android like RH treats linux. Have their own version of android (pureAndroid) and then just us AOSP like Fedora/Centos. Take away the android branding from non pureAndroid phones (like RHEL is different from Centos/Fedora) but allow for interoperation between the two platforms. They could end this "fragmentation" "issue" really quick. I know they are trying to do it but they need to move faster for the consumers sake.

tpatt100

Bl8ckr0uter wrote: »

Then don't complain if said vendor doesn't update your phone lol. And I am talking about you personally not a business. Surly if a patch BSOD your machine you won't be suing MS....

If a patch from Microsoft comes embedded with malware that compromises my machine and allows hackers to access confidential information I would probably try. For a BSOD doubt it.

My point is, Android updates for their OS are seriously lacking and slow to get. Easy to get a fix via anonymous sources just makes it easier to get malware so your either stuck waiting months to years for an official update or you risk going to anonymous sources. Which was the whole point of this thread was the increase in malware.

Bl8ckr0uter

tpatt100 wrote: »

If a patch from Microsoft comes embedded with malware that compromises my machine and allows hackers to access confidential information I would probably try. For a BSOD doubt it.

The real question is would you even know it? I think that's the real danger. Good AV on a phone is cool but PID/PS (phone intrusion detection/prevention system) would be much more worth while.

tpatt100 wrote: »

Which was the whole point of this thread was the increase in malware.

The whole point of the thread was that there is an attack vector that is hard to monitor for intrusion. Prevention is good but detection is a must. Everyone couldn't confirm or deny if his phone had been hacked.

Everyone wrote: »

Haven't found any signs of intrusion on any of my computers, which makes me wonder if my Android phone was compromised. I'm very good at keeping a network, and my Windows and Linux boxes secure, I've had years and years of experience doing that. This phone always worries me though, as I have very little experience with Android phones. Don't even know where to begin to see if it's the phone that's been compromised.

tpatt100

Well Google at least notifies you when your gmail gets hacked. Its happened to me twice both times within a month of upgrading my phone. Since most phones are made overseas who knows what they might embed probably coming from some disgruntled employee in the sweat shop

Security takes a backseat on Android in update shambles ? The Register

" The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack.

The latest figures from Google's Android developer web site show that 44.4 per cent of users have the latest version of Android (Android 2.3 or later installed) on their devices. A further 1.9 per cent are running developer builds.

That leaves 53.7 per cent running older versions, the majority of which (40.7 per cent of the total userbase) are running Android 2.2 (Froyo). The stats come from users visiting Google's App Store over a fortnight.

A study by application security firm Bit9 found that the sheer complexity of the Android ecosystem - in which updates are distributed in different ways and at different times (if at all) based on manufacturer, phone family, phone model, carrier, and geographic location -has meant security has taken a back seat, leaving smartphone users more vulnerable as a result.

Bit9 looked at the 20 most popular Android handsets from the likes of Samsung, HTC, Motorola, and LG. It found many Android smartphone suppliers launch new phones with outdated software out of the box. To make matters worse, many suffer from tremendous lag times in rolling out updates to later and more secure versions of Android.

Six of the 20 surveyed phones are running Android 2.2, a version that shipped 18 months ago in May 2010. A further seven are running builds of Android that are at least nine months old. Only seven of them were up to date.

The average time between when an update is available from Google and when it is pushed to the phone is 185 days – slightly more than six months. For example, across the Samsung models Bit9 studied, the average lag time is over 240 days (over eight mon

Bl8ckr0uter

There are nightly builds for cyanogenMod. Which do you think is more risky?

tpatt100

Bl8ckr0uter wrote: »

There are nightly builds for cyanogenMod. Which do you think is more risky?

I would try that but my freaking phone is bootloader locked /cry... Found that out a month after I bought it, because I never thought to look into that stuff lol.

Bl8ckr0uter

tpatt100 wrote: »

I would try that but my freaking phone is bootloader locked /cry... Found that out a month after I bought it, because I never thought to look into that stuff lol.

What phone do you have? I bet you could crack it in a few hours....

tpatt100

Bl8ckr0uter wrote: »

What phone do you have? I bet you could crack it in a few hours....

Motorola Razr.

Turgon

Everyone wrote: »

Facebook told me that someone logged into my account there from a mobile device in China. I'm on my computer at least 8 hours a day for work, so I got the notification right away and was able to take action immediately.

Maybe that's what I get for logging on from unsecured WiFi at a hotel. I keep my home network locked down tight. Just to be extra sure, added rules to my firewall to block all of Asia and Africa today. Been meaning to do that for a while anyway.

Most annoying part was going and changing all my passwords.

Haven't found any signs of intrusion on any of my computers, which makes me wonder if my Android phone was compromised. I'm very good at keeping a network, and my Windows and Linux boxes secure, I've had years and years of experience doing that. This phone always worries me though, as I have very little experience with Android phones. Don't even know where to begin to see if it's the phone that's been compromised.

Im glad I dont use these sites, or keep up with the phone thing.

Webmaster

JDMurray wrote: »

I don't care for Apple's tight-fisted policies, but their app approval process does prevent the distribution of Malware on its platforms.

I don't think anyone does care much for their policies except Apple self, but I don't really care much "about" it either. I simply haven't noticed myself being limited by their policies up to a point where I started caring, not as a user, not as a developer. So I'm not saying the critique is invalid or entirely unjustified, they sure don't "play nice" all the time, but to reuse the popularity/obscurity argument, they partly get so much heat because they made phone apps popular in the first, while such approval processes aren't invented and used solely by Apple. (e.g. see Nokia's Content-Guidelines)

The app approval process entails much more than checking for content compliance. A major part of the process is Quality Assurance. Most apps that don't make it through the approval process get rejected because they don't meet QA and human interface design guidelines. The latter is mostly to ensure some consistency and expected behavior amongst apps. There's an incomplete list of reasons ("app store review guidelines") that'll cause an app to get rejected, the first item being "Apps that crash will be rejected" and the rest being fair enough imo. For most developers the approval process is a good thing, as you know QA for software is expensive (and they provide support to help it through the approval process) and not all developers are able to test it on every iOS device version themselves. Publishing an app with bugs can kill the app's chances in the App Store (through bad ratings) before it had a chance.

Anyway, back to my point, it seems Google took the 'quantity over quality' approach, filling up their app store as fast as possible (so they too can advertise "we have x apps in the app store"). However, not doing content control (or Apple doing it) is no valid excuse for the lack of proper QA on the droid market. I do think it's more easy and likely for Google to improve than Apple to change its ways...

It looks like Microsoft is learning from it all already: Windows 8 app store approval policy outlined - Neowin.net

JDMurray wrote: »

I sure would like to know what Apple's Malware testing procedures are, but good luck with finding out that.

Yeah they don't go as far as to tell developers even what their Malware testing procedures exactly entail (I don't think MS, Nokia, or Nintendo does though). They do cover the issue a couple of times in the "app store review guidelines", for example: "Apps that transmit viruses, files, computer code, or programs that may harm or disrupt the normal operation of the [X] service will be rejected". It's also scanned for using non-public APIs (using undocumented functions for example can also lead to rejection). I think a common misconception is that there is actually a person going through the entire app, while in reality most of it is automated. That's why frequently apps with "inappropriate" (for some) content are removed from the store "after" being approved, and why buggy apps can still make it through the process.

The link to the approval process in the dev area is down atm, probably falls under the NDA for developers too, but I'll take a look later to see if they mention anything more specific regarding security tests.

For now the satirical version might "shine some light" on it:
Step by Step: Apple's App Store Approval Process | PCWorld

MentholMoose

Webmaster wrote: »

That has been a common and valid argument in Apple vs Windows vs Linux, i.o.w. in desktop OS discussions, for years. Used it several times myself. But, when it comes to the mobile market the argument doesn't hold any water because Android may be the #1 most wide-spread phone OS, many if not most of them never connect to the internet and are not used as "smartphone". iOS also didn't get malware (as far as I know/remember) during the time it was leading (which has a lot to do with Apple's "approval" process).

I would find these usage statistics (first link) much more interesting if I were to pick a popular target:
Browser market share

McAfee threats report: Android is in the crosshairs | ZDNet

http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2011.pdf

So no, Android being attacked has little to do with it being "#1" in anything else than being the easiest popular phone OS to deploy malware on (just stating a fact... I don't have "feelings" towards either "brand"), nor the lack of popularity of others. As Bl8ckr0uter pointed out so delicately: it's due to the nature of the platform and the nature of the Android Market.

TE mobile stats:

comScore: Apple Grows Mobile Marketshare From 9.8% To 11.2%, But Samsung’s Still Top OEM | TechCrunch

comScore says 47% of smartphone subscribers are using Android. If you have an Android phone, you most likely either 1) got it cheaply by subscribing to an expensive data plan, or 2) paid full-price for a relatively expensive unlocked Android phone. In either case I think it's unlikely that you wouldn't connect it to the Internet since that's pretty much the main reason to have a smartphone, so I don't know where you got this idea. Is this idea based on the discrepancy between browser stats and mobile OS stats? The browser data is skewed by the fact that iOS is on more non-phone devices (iPads in particular). This is definitely true for this forum considering that there are almost as many iPad users as iPhone users. The data for this forum is skewed by other factors as well (for example, the forum browser stats you posted don't separate Safari on iOS from Safari on OSX, plus this forum is highly focused so the user base is not representative of the general population of smartphone users anyway).

I don't see how market share is unimportant in determining what mobile OS is targeted by malware developers. Indeed, malware distribution is easier on Android, and Apple's app approval process likely plays a significant role in making iOS less of a target relative to Android. But market share is definitely still critical. If Microsoft made malware distribution for Windows Phone as easy as it is for Android, would the platform suddenly be targeted? It's doubtful, due to lack of market share. It's very similar to desktop OSs. Why is there so little malware for OSX? Is it because it's just so much harder to distribute malware on OSX that cyber criminals don't even try, or because OSX doesn't have significant market share?

If ease of distribution was so important, why wasn't the Android Market inundated with malware shortly after it was launched? Was it any harder to distribute Android malware then than it is now? No, in fact it may have been even easier since Google probably wasn't watching as closely. It takes time for malware developers to learn a new platform, which would explain some delay, but if ease of distribution was all that mattered, malware writers should have immediately gone after Android with full force, which didn't happen. The big difference between then and now is that Android now has significantly more market share and there is thus significantly more incentive to develop malware for the platform.

Webmaster

Regardless of the OP's post being about his phone, it's the same iOS, tablet or phone, so when it comes to picking a popular target (i)OS there's no reason to discriminate iPads, or droid tablets for that matter. But, if you want to nitpick, the old version of Google Analytics, over the same time period (month), does provide a slightly "better" overview:



Anyway, I am not trying to point out that iOS is more popular than Android, here at TE or for the general population, so please spare me that argument. Comparing one report about the mobile market to another is usually like comparing apples to oranges anyway. I included the stats and the external link to point out iOS does clearly not have the lack of popularity that contributes to making it a less popular target for malicious individuals than Android - as the classic argument goes for OSX or less popular browsers. And like I said in my previous post I made the same argument several times myself. So yes, more popular means more likely target, not arguing with that. Juniper mentioned that in this very context too, Symbian hackers are moving to Android.

I also didn't say "ease of distribution is all that mattered" nor that market share is completely irrelevant, that's taking it a little extreme (without a significant market share they wouldn't be in this discussion). I'm just saying that popularity, market share, usage, which iOS has plenty of too, by itself doesn't explain why malicious individuals are so successful on droids compared to iOS. The lack of QA for apps does.

In either case I think it's unlikely that you wouldn't connect it to the Internet since that's pretty much the main reason to have a smartphone, so I don't know where you got this idea.

Sure "never connect to the internet" was obviously exaggerated... but I think you'd be surprised how many people buy a "smartphone" (and droids comes in many shapes and sizes) and actually use it primarily as a "phone" (and "messenger"/beeper/alarm clock) without downloading loads of apps and browsing websites. Droids come in many shapes and sizes and not all of them give the "smartphone" experience you might enjoy on your droid.

If Microsoft made malware distribution for Windows Phone as easy as it is for Android, would the platform suddenly be targeted? It's doubtful, due to lack of market share.

Indeed, so basically we agree that the ease of malware distribution on popular platforms (whether it's Apple, Android, Windows) likely contributes a lot to it becoming a bigger target?

MentholMoose

Webmaster wrote: »

Regardless of the OP's post being about his phone, it's the same iOS, tablet or phone, so when it comes to picking a popular target (i)OS there's no reason to discriminate iPads, or droid tablets for that matter.

Look into what mobile malware actually does. Sure, there are trojans that simply steal FB passwords and only need Internet access, but there are others like this:
Premium rate SMS Trojans hit Google's Android Market | ZDNet

SMS scams can generate significant income for scammers and they don't work on non-phones, so the type of device does matter.

Webmaster wrote: »

I also didn't say "ease of distribution is all that mattered" nor that market share is completely irrelevant, that's taking it a little extreme (without a significant market share they wouldn't be in this discussion).

Well you said my argument "doesn't hold any water" so I must have misunderstood your point. If your argument is that assuming a platform (OS, browser, whatever) has high enough market share, then ease of distribution becomes a differentiating factor, I would agree. The basis of that argument is that market share is important, which was what I suggested from the beginning (though apparently I should have made my post more clear).

Webmaster

MentholMoose wrote:

Well you said my argument "doesn't hold any water" so I must have misunderstood your point.

Yeah I did and that might be putting it a little extreme myself... I should have gone with "that kite doesn't fly here", however, I said that within a context, "when it comes to the [current] mobile market", in which there is no such significant difference in market share or usage between iOS and Android that by itself explains the rather large difference in malware distribution, and therefor does not compare well to the classic examples (the kite) you mentioned.

The forum stats include Android tablets too (including my own), that list of droid devices goes on and on, but, again I was merely trying to show that there is plenty of iOS popularity to choose that as a target instead or as well. I can show you a dozen of reports from more or less reputable sources of which about half says Android is most popular, other half claims iOS is - it depends on how they shine the light.

If your argument is that assuming a platform (OS, browser, whatever) has high enough market share, then ease of distribution becomes a differentiating factor, I would agree.

Yes, and specifically in plural because of "the" two competitors, so assuming multiple platforms have a high market share (which I did assume was implied else they wouldn't be in this thread), then ease of distribution might very well be a differentiating factor. And the stats contribute to that conclusion and hence why I said Android being #1 has little to do with it (if they came in 2nd or 3rd they'd still have the same lack of QA).

SephStorm

Bl8ckr0uter wrote: »

Why do you have a smart phone if you don't use apps? How can you complain about security if you don't even update the ones you have? :

I got it for the occasional use of the internet, easier texting than older phones and thats about it. I have no need for most apps. The only ones I really use are youtube and maps. My main chief complaint is about the rights that the app updates ask for. Why does youtube need to know about my phone number and serial number? Just transmit the packets. Youtube, with updated rights, can build a list of who you call/calls you.

Anywho Droidwall is a decent iptables front in (It doesn't install iptables, it just makes it easy to manage). I have used lookout but I wiped my phone (actually I put a custom rom on it) and I haven't reinstalled it. Also rooting your phone does not void your contract (at least Sprint doesn't care). If I need to send my phone back to them I will just boot back to sense and take my SD card out. It really isn't that hard. I am a little confused as far as your statement for security purposes. Do you think that rooting your phone makes it less secure. Most of the really good security programs require root (including DroidWall) and with the Superuser app, you can manage which apps get to run as root.

It was something I read when I was considering whether to root my phone. Now, I'm no phone expert, however it seems to me, that rooting a phone is much like running your PC as Admin. Now, as you say, there is an app that lets you manage that, but all it takes is installing that one app that you want to run as SU, that happens to be trojaned.

It is kind of shocking to hear a statement like that come from you. I thought you would have hacked that thing along time ago

The idea was not foriegn to me, but I had to make a needs assessment. I have no need at this point to do so, can someone explain why it really benefits me? I cant bring my phone too work, so my time with the device is limited anyway.

Bl8ckr0uter

This looks promising for Android Security
SEAndroid - SELinux Wiki