TechSpot

Bluebox's Android signing flaw has now been exploited by hackers

By David Tom
Jul 26, 2013
  1. Nearly a month ago, mobile security firm Bluebox uncovered a security flaw in Android that affects almost all devices released over the last four years. The vulnerability would allow malicious code to be injected into any application without altering its...

     
  2. hahahanoobs

    hahahanoobs TS Evangelist Posts: 1,631   +432

    "Unfortunately, the open concept of the Android platform is proving to be its major downfall."

    +1000
     
    misor likes this.
  3. windmill007

    windmill007 TS Rookie Posts: 308

    Ya that "closed" OS isn't looking half bad now is it.
     
  4. misor

    misor TS Evangelist Posts: 1,163   +197

    hahaha. good one. :)
    I hope this will "force" Google and its partners to effectively upgrade all Android 2.3.xx to Android 4.xx and for Google's partners to provide ASAP the much-needed firmware updates.

    I wonder how lucky Symantec is in being able to "spot the first malware in the wild? that has successfully exploited the Android app signing flaw".
    (which leads me to somewhat entertain the idea that the malware security businesses are the ones behind the creation of some of these malwares. :) )
     
  5. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 8,550   +2,894

    I've always thought this, which is why I will not purchase security software.

    Have you heard the phrase we watch each other's backs? That's the relationship between Anti-Mal-ware and Mal-ware. It's all a front to collect revenue. How could you think otherwise when our own government is fighting for secrecy about surveillance tactics? I wouldn't be surprised if push comes to shove and we found out they were all connected. I would be willing to bet our fight against Mal-ware is a fight against governments collecting information and supporting AV software companies to help motivate them in keeping their mouth shut. With the government putting a muzzle on companies, it's an easy conspiracy theory to support. Especially when you read about the efforts of companies' counter attempts to government surveillance. That would fall right in line with new Mal-ware definitions.
     
  6. More proof that open source is not inherently more secure than closed source.
     
  7. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 8,550   +2,894

    ^^ I didn't realize that was an actual debate!
     
    St1ckM4n likes this.
  8. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,620   +376

    Um I still don't see the issue. Google Play is yet to be affected. So who is getting infected and where are they getting their apps from?
     
    Arris likes this.
  9. p51d007

    p51d007 TS Evangelist Posts: 908   +384

    One reason why I don't buy my device from a carrier (other than the restrictions & bloatware), is because I want complete control over the device, not the carrier. Heck, you are lucky to get one update from them during the 2 year contract (USA). I root my device as soon as I get it.
    This allows me to blow out the ROM that comes with it, and customize it how I see fit. I patched my device from this. The nice thing about Apple is that they keep complete control over everything, which helps, but their screen size isn't to my liking (I have a 5.3" screen).

    "The manufacturers have to design and distribute firmware updates for each device, and there is currently no all-inclusive solution."
     
  10. St1ckM4n

    St1ckM4n TS Evangelist Posts: 2,920   +627

    'Alternate' sources. Since it is possible on Android (and a big 'feature' over iOS, ironically), people will bash Android for it.

    It's like downloading Skyrim from getfreegames.com (made up) and complaining that you are infected.
     
  11. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,620   +376

    Well yes agreed if the site is not reputable, it is a risk but Android does have the distinct advantage that there are multiple reputable stores. E.g. apps from the Samsung store.
     
  12. St1ckM4n

    St1ckM4n TS Evangelist Posts: 2,920   +627

    Pretty much. Samsung store, Amazon, etc. Google doesn't control the requirements here, so we aren't even sure how Amazon et al track the authors or such.

    It's a huge advantage over iOS (ability to install from other sources), but in this case it's a disadvantage because people and media only see the bad stuff. Simple solution - turn off the option, use Google Play Store...
     
  13. This wasn't ever a debate. What's been said is that it's /likely/ open source is more secure than proprietary software, as the source code is there for everyone to read. Proprietary software allows for the developers to put in spyware and tracking. It also allows for the developer to ignore security holes completely until exploited, even though they know it's there (this has been the case with both Microsoft and Apple many times). Android does not have the best of open source communities, but development projects such as Linux continuously patch security holes because they can be seen by anyone and fixed by anyone.
     
  14. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,620   +376

    Yes and security algorithms can be vetted by peers for robustness.

    One example of poor proprietary implementation was the Philips Mifare (Classic) card specification. A Mifare card encryption could be cracked by a 5 year old laptop in less than a minute because the security algorithm was effectively trivially brute-force crackable. I think Oyster card used those cards. Maybe a few others.
     
  15. Emexrulsier

    Emexrulsier TS Guru Posts: 508   +45

    The iPhone isn't that closed... it wedges my door open quite well tbh I'm well impressed!
     
