Bluebox's Android signing flaw has now been exploited by hackers

David Tom

TS Addict
Nearly a month ago, mobile security firm Bluebox uncovered a security flaw in Android that affects almost all devices released over the last four years. The vulnerability would allow malicious code to be injected into any application without altering its...

[newwindow="https://www.techspot.com/news/53386-blueboxs-android-signing-flaw-has-now-been-exploited-by-hackers.html"]Read more[/newwindow]
 

misor

TS Evangelist
"Unfortunately, the open concept of the Android platform is proving to be its major downfall."

+1000
hahaha. good one. :)
I hope this will "force" google and its partners to effectively upgrade all android 2.3.xx to android 4.xx and for google's partners to provide asap the much needed firmware updates.

I wonder how lucky Symantec is in being able to "spot the the first malware in the wild? that has successfully exploited the Android app signing flaw".
(which leads me to somewhat entertain the idea that the malware security businesses are the ones behind the creation of some of these malwares. :) )
 

cliffordcooley

TS Redneck
which leads me to somewhat entertain the idea that the malware security businesses are the ones behind the creation of some of these malwares.
I've always thought this, which is why I will not purchase security software.

Have you heard the phrase we watch each others backs? Thats the relationship between Anti-Mal-ware and Mal-ware. It's all a front to collect revenue. How could you think otherwise when our own government is fighting for secrecy about surveillance tactics? I wouldn't be surprised if push comes to shove and we found out they were all connected. I would be willing to bet our fight against Mal-ware is a fight against governments collecting information and supporting AV software companies to help motivate them in keeping their mouth shut. With the government putting a muzzle on companies, its an easy conspiracy theory to support. Especially when you read about the efforts of companies counter attempts to government surveillance. That would fall right in line with new Mal-ware definitions.
 
G

Guest

More proof that open source is not inherently secure than closed source.
 

Darth Shiv

TS Evangelist
Um I still don't see the issue. Google Play is yet to be affected. So who is getting infected and where are they getting their apps from?
 
  • Like
Reactions: Arris

p51d007

TS Evangelist
One reason why I don't buy my device from a carrier (other than the restrictions & bloatware), is because I want complete control over the device, not the carrier. Heck, you are lucky to get one update from them during the 2 year contract (USA). I root my device as soon as I get it.
This allows me to blow out the rom that comes with it, and customize it how I see fit. I patched my device from this. The nice thing about apple, is that keep complete control over everything, which helps, but their screen size isn't to my liking (I have a 5.3" screen).

"The manufacturers have to design and distribute firmware updates for each device, and there is currently no all-inclusive solution."
 

St1ckM4n

TS Evangelist
Um I still don't see the issue. Google Play is yet to be affected. So who is getting infected and where are they getting their apps from?
'Alternate' sources. Since it is possible on Android (and a big 'feature' over iOS, ironically), people will bash Android for it.

It's like downloading Skyrim from getfreegames.com (made up) and complaining that you are infected.
 

Darth Shiv

TS Evangelist
'Alternate' sources. Since it is possible on Android (and a big 'feature' over iOS, ironically), people will bash Android for it.

It's like downloading Skyrim from getfreegames.com (made up) and complaining that you are infected.
Well yes agreed if the site is not reputable, it is a risk but Android does have the distinct advantage that there are multiple reputable stores. E.g. apps from the Samsung store.
 

St1ckM4n

TS Evangelist
Well yes agreed if the site is not reputable, it is a risk but Android does have the distinct advantage that there are multiple reputable stores. E.g. apps from the Samsung store.
Pretty much. Samsung store, Amazon, etc. Google doesn't control the requirements here, so we aren't even sure how Amazon et al track the authors or such.

It's a huge advantage over iOS (ability to install from other sources), but in this case it's a disadvantage because people and media only see the bad stuff. Simple solution - turn off the option, use Google Play Store...
 
G

Guest

More proof that open source is not inherently secure than closed source.
This wasn't ever a debate. What's been said is that it's /likely/ open source is more secure than proprietary software, as the source code is there for everyone to read. Proprietary software allows for the developers to put in spyware and tracking. It also allows for the developer to ignore security holes completely until exploited, even though they know it's there (this has been the case with both Microsoft and Apple many times). Android does not have the best of open source communities, but development projects such as Linux continuously patch security holes because they can be seen by anyone and fixed by anyone.
 

Darth Shiv

TS Evangelist
This wasn't ever a debate. What's been said is that it's /likely/ open source is more secure than proprietary software, as the source code is there for everyone to read. Proprietary software allows for the developers to put in spyware and tracking. It also allows for the developer to ignore security holes completely until exploited, even though they know it's there (this has been the case with both Microsoft and Apple many times). Android does not have the best of open source communities, but development projects such as Linux continuously patch security holes because they can be seen by anyone and fixed by anyone.
Yes and security algorithms can be vetted by peers for robustness.

One example of poor proprietary implementation was the Philips Mifare (Classic) card specification. A Mifare card encryption could be cracked by a 5 year old laptop in less than a minute because the security algorithm was effectively trivially brute-force crackable. I think Oyster card used those cards. Maybe a few others.