'Fake ID' flaw in Android leaves four out of five phones at risk

By Shawn Knight · 12 replies
Jul 29, 2014
  1. Security researchers at Bluebox Labs have uncovered a design flaw in Android that could allow malware to take over a device.

  2. Nima304

    Nima304 TS Guru Posts: 365   +81

    Google really needs to solve the problem of getting updated versions of Android to users. It really isn't a tough problem.
  3. insect

    insect TS Evangelist Posts: 349   +132

    Still seems low risk to me because you would still have to download and approve the permissions for the app. Even if it is faking its approved thing to get onto the Play Store you still need to take two stupid actions - 1) download it and 2) grant it permissions. This is more akin to the guard letting the person through after seeing their ID and asking them what they are there for and they say "to steal your info". If you give an app permissions to read your phone book, access wifi, access data, modify SD card, use camera, use GPS, etc etc etc then you're not looking out for your best interests.
  4. insect

    insect TS Evangelist Posts: 349   +132

    Google pushes out updates very often (almost monthly, sometimes more often for big bugs). However, they do not manage the phones. That is up to the vendors and wireless providers which have to go through all sorts of tests on their custom apps and hardware. This is the same for large companies with Windows updates, etc.

    If you want the latest, you can have it by loading custom ROMs, but you risk losing some features that vendors have installed (like most of the gimmicky crap Samsung puts in).
    Darth Shiv likes this.
  5. lipe123

    lipe123 TS Evangelist Posts: 718   +236

    It's not Google, it's Samsung, LG, etc etc that won't take the updates Google releases and roll them out to their phones.
    Timonius and Sancticide like this.
  6. hahahanoobs

    hahahanoobs TS Evangelist Posts: 2,040   +678

    Gotta love open source software...
  7. Nima304

    Nima304 TS Guru Posts: 365   +81

    Are you guys familiar with the Windows operating system? How many different configurations of hardware does that OS run on, do you think? How many different vendors produce hardware, install that software, and sell the resulting package as a whole to consumers? Does Microsoft have any trouble sending updates to those who have Windows installed? No, because the way OEMs add custom software to that system is entirely different.

    As opposed to making an entirely custom OS for their phones, carriers should simply make minimal changes to the UI and install their **** bloatware no one uses as a package on the operating system, which would make it easy to pass Android updates to all of their phones, given that the software hasn't been changed much from stock. You see this all the time in Linux administration; someone recently discovers Linux, and decides they want to change everything about their system because they can. They love the result, it runs immensely well for a couple of months or years, and then, when it's time to update, they realize they can't and have to completely rebuild the system to accept updates or start over from an updated base. It's immature, stupid, and bad for the consumer when carriers take this kind of approach simply because they can, and there's no excuse for it.
    Timonius and Darth Shiv like this.
  8. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,811   +472

    @Nima304 Yes you are right. Google got their update release model wrong. They left it to the phone manufacturers to push the updates out.

    I can imagine it would place a lot of restrictions on the end clients if you were to manage it at the higher level of OS provider (Google) rather than phone manufacturer. It's the classic problem Apple has with rolling iOS updates to older models of phones.

    The question is what should the strategy really be?

    I'm thinking Google should push updates to all phones but the updates are, as suggested, MS style in that you get security updates for older OS's and there is some mechanism to migrate a phone to a higher major version. Maybe a whitelist of phone models that Google sets at request of phone manufacturers or alternatively a user option?

    In any case, older Android versions currently are not being patched and this is a really bad thing for the ecosystem.
  9. lipe123

    lipe123 TS Evangelist Posts: 718   +236

    Can't speak for the other companies but Samsung devices try and make a name for themselves with the TouchWiz UI that's not the same as the stock Google offerings etc.
    Also that bloatware you talk about is how these companies get a lot of revenue.

    The fact is Google would probably like to roll out updates directly but the manufacturers of the devices don't want it like that. They are the ones with the money invested in a product and don't want to leave the OS of that product in someone else's hands.

    Also the real responsibility lies with the user; CyanogenMod has a super easy installer available now that will root and reflash your phone with a brand new Android 4.4 release without any technical knowledge.
  10. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,274

    How would you solve it?
  11. Nima304

    Nima304 TS Guru Posts: 365   +81

    Change the updating system so it resembles how most Windows/OSX/Linux users get updates; from the company that made the OS, not the company that created hardware that said OS runs on.
  12. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,274

    Makes sense to me.
