I think you misunderstood me. Android deliberately allows users to hack into their own phone and remove its security. It allows users to install malicious apps if they want to or even root the phone entirely.
So there is nothing to solve or patch here. You could get iOS if you want users to not have that power (even there it isn't very hard to install a malicious accessibility app through sideloading).
Please pardon my ignorance. I'm not a security expert.
Is there any reason this can't be fixed by just copying iOS in this regard ??? I guess the question I'm asking is, this bug is entirely fixable right ???
Not trying to diminish the seriousness of it. It sounds pretty horrible. Just saying that if Android's architecture will allow you to do something like iOS does, but it's simply unimplemented currently, that's one thing. It would be quite another thing if Android's architecture would NOT allow you to do something like iOS does. As I said... I'm not a security expert... but it SOUNDS like you can implement a fix that would mirror the protections provided in iOS ???
Android allows sideloading, and the security problem arises not from users who “elected” to use those features, but from those who were duped into using them. For example, somebody might be trying to play a Pokémon emulator, end up on a sideloading site with some technical instructions, and load their phone with malware without even realizing it.
1. There is an exploit that leaves complete control of your phone to anyone without you even having to look at the screen.
2. Some applications want to use too many permissions on your phone. You probably don't want to install them.
And the second is a bigger problem? Really?
Android is the most transparent and detailed about what applications can actually do on your phone of any such system I've ever seen. People make conscious (stupid, but conscious) decisions to still use apps and ignore the presented information. This exploit removes all control a user may have.
By making this comparison in the first place, you are confusing the discussion already. Yes, Android can and should improve when it comes to user control. But this is a problem that leaves hundreds of millions of devices exploitable even without depending on user ignorance. This exploit and the issue you mention are not even related.
After doing some research on security it seems that Android's problem is overblown. The malware I've come across mostly stems from people downloading random apps from the web and then granting full privileges to that app. Which in turn does things with the permissions the person granted it.
That doesn't really seem to be a security hole as much as it is a user problem.
I guess it's simple to say Android is insecure, but it doesn't seem to be the case. Any more so than a rootable iOS device.
Am I mistaken? Are there reports of apps gaining root access?
You hear about Android security problems all the time. There just isn't a single open (now fixed) flaw like this on Android to write about. There are surely specific hacks for individual devices, and those probably get covered, but not as "Android" things.
Bullshit. The massive holes in Android security are caused by the inept app permissions system. Restricting hackers that jump through hoops to get access to their file system even more is not going to stop the thousands of apps that spam all your contacts, etc.
You could patch Android and run it in an emulator. Or patch Snap not to care. Not super familiar, but there should be a way. Client side security can only do so much.
No, what we need is the ability to modify the system software on our phones easily to stop this kind of thing. On a normal Unix system you would just run the app as a separate user (or worst case, sandbox it) but on Android none of the interfaces (or really much of anything at all) can be controlled by the user.
As I see it, the main 'security' problems faced by Android are caused by lack of control and transparency for the user.
Until security threats created by the blinkered users - and by the lack of timely updates - are made obvious to them, such 'mitigations' are weak tea indeed.
My phone app would work much better if Android would drop all of its security measures and just let my app access everything on the system. That would make the lives of the bunch of people who use my app much better.
Exploits can be used for privilege escalation on all platforms; that's not an Android-specific thing.
Adding to that, Android vendors are not that bad at fixing exploits. I had two devices (Sony phone and Asus tablet) that were always fixed before the exploit got widely known. I could not root them (yes, I wanted to do it without unlocking) if I updated as soon as the updates were available.
With SEAndroid getting into stock Android, even that is going to be a thing of the past.
The Android security model strictly forbids it. This should be enough of a problem as it is the very foundation to establish security for the system's user.