Related
I came across this article while surfing the internet. I wanted to share this with you guys, and see what your feelings were on this.
"Mobile Device Security and Android File Disclosure
Back in November, Thomas Cannon brought to light an issue within the Android operating system. Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, but yet it’s still fairly serious.
Thomas reported this issue responsibly to Google and they took it seriously. However, since then they have come back with a ridiculous remediation plan. Granted, its probably not entirely Google’s fault, but the overall situation looks very bleak for Android.
The problem is that Google stated that a fix will be available as part of an update to the upcoming Android 2.3. While that, in itself, may not be totally ridiculous, the reality of the situation is that Google is only one party involved in Android. There are two other groups, namely OEMs and Carriers, that must also do their part in getting the fix to users. Although Android devices are becoming increasingly functional, the security posture remains abysmal.
The security posture for desktop applications has improved vastly with all of the sand-boxing, automatic updates, and various other exploit mitigation technologies. Meanwhile, Android includes almost none of existing security protections. In fact, mobile users are being left out in the cold, unable to get a patch for a trivially exploitable cross-zone issue. For that matter, they can’t even control whether their device’s browser automatically downloads files or not.
This situation is not news, rather it is a sad fact. It is totally unfair for end users to be left out to fend for themselves. After all, they are paying a small fortune for these devices and the service to be able to use them. Hopefully the vendors involved will wake up before a network worm outbreak occurs.
Originally, Thomas disclosed the details of his bug on his blog. Later, he removed some details to help protect users. I believe that responsible disclosure is a two-way street that requires responsibility on both sides. Since Google, OEMs, and carriers all continue to act irresponsibly, it is necessary bring more attention to this issue and the situation as a whole.
I spent a little time and managed to recreate the issue with nothing more than HTML and JavaScript. As of today, I have released a Metasploit module to take advantage of the flaw. It is available in the latest copy of our Framework product, or you can view the source via the link to our Redmine project tracker above.
Before I go deeper into the consequence of this bug, I want to point out that Thomas outlined several workarounds for this vulnerability in his blog.
Now, take a deep breath give some thanks to the fact that, under Android, most every process runs under a separate, confined, unix-style user account. This design feature partially mitigates this issue, lowering confidentiality impact to “Partial” and bringing the CVSS score from 5 to 3.5. That said, an attacker can still gain access to some pretty interesting stuff.
For starters, an attacker can steal any world-readable file. In my tests it was possible to get potentially sensitive information from the within the “proc” file system. This type of information could include kernel versions, addresses, or configuration that can be used enhance further attacks.
Also, you can snarf any files that are used by the browser itself. This includes bookmarks, history, and likely more. This kind of information could potentially be embarrassing or possibly even give an attacker access to any saved passwords or session cookies you might have stored.
Perhaps the easiest win though, is that you can grab anything off of the SD card. You might ask, “Anything?! What about the user separation?” Well, because the SD card has been formatted with the “vfat” (aka “fat32”) file system, there is no concept of ownership. All files are owned by the same user id since the file system itself cannot encapsulate who created which file. As Thomas said, files in the SD card that have predictable names are ripe for the picking. This includes pictures and movies. These may in fact be some of the most private data on your device.
In conclusion, I hope that the Android security debacle will get resolved as soon as possible. If Google, OEMs, and carriers can’t work it out, perhaps another party will step in to maintain the operating system. I believe this could be very similar to the way various Linux distributions operate today. If the situation is not resolved, I fear the Android device pool could become a seething cesspool of malicious code..."
Here is the address
http://blog.metasploit.com/2011/01/mobile-device-security-and-android-file.html
Sent from my PC36100 using XDA App
Shocking. Thanks for the info.
Nice find. You are right that oems and manufactures need to stay on top to mantain security. Hopefully meaningful post like this will make users aware of the possible dangers of the internet, data, and phone usage
Sent from my ADR6300 using Tapatalk
Ouch. Wish Android updates were like iOS..
Android is open, one of the main assumptions is that there is no single company, which controls it. I could create my own phone with Android, sell it to people and give them no support at all - Google can't do anything about it.
There is only one solution to this problem: people have to choose their phones wisely. People look at phone specs, at CPU, RAM, camera, but they ignore future support and openess. Recently Motorola has stated they will lock bootloaders in their future phones. People will go for these phones anyway and then they will complain they can't do anything with some horrible bugs, they will complain about Android and Google, but they should complain about Motorola and themselves. While Nexus S owners will have same bugs fixed by both Google and community.
Choose your phones wisely.
SD with vfat...good catch. Horrible bug while many users trying to move their apps to SD. And maybe 80-90% of the apps in the market require modify SD card perm? Horrible. Verizon SGS is screwed since that phone have little internal and lots of external SD.
I'm so glad you guys came across this thread, and it didn't get lost in all the other threads. I hope some of the devs see it. Can a fix be implemented at the Rom or kernal level?
Sent from my PC36100 using XDA App
Good day community,
Over the past several months, a few of us have been working on a projerct some may be familiar with. We have bundled an add-on to specific BlueStacks versions to allow for a complete Operating System environment, full of communications tools.
We didn't "develop", any of it. We have taken the time to scour the internet and primarily this site to garner the education, information and knowledge to actually bring it to fruition. We would like to say a big THANK YOU to the entire community here. We feel this is am important piece to a software life-cycle where developed information is compiled into a fully functioning system, exposing your people's craftsmanship.
The motive here is a moral one. I have been a communications engineer for 22 years and have seen and done things I thought weren't possible. I have been tasked with trying to develop an education platform technology matrix for schools. Specifically using my innovation abilities to solve problems. I am not a coder, I am more of a script writer. I have found success in making disparate hardware and software work together, and producing middle-ware scripts and functions to technologically solve challenges. In every sector.
I believe I have identified one of the major issues related to student success rates. Basic communications is hindered in many schools, internet cut out, and dictator like classroom regime. I feel communications is the king of industry and whomever has the information the fastest, cheapest, and accurate, wins. This is proven time and time again in capitalism. I feel students should be able to sms, or exchange pictures and peruse social networks, both to each other and their teachers. These are real-world tools, and the primary back-bone of a child's social life. But students need to learn to be accountable for they digital actions,
This "OS" changes things ever so slightly., not every student can afford the gear required to have that type of communication. If every kid could afford an iphone and ipad, than I don't need to do this project. Android on the other hand, little or no cost at all.
I will be deploying Android for Windows across the board. Students will have to setup a Google account and online storage. Copies of AW can be had for their home computer. The environment is the environment kids all love and use, the emulated touch interface is "cool" and the kids can support it and maintain it mostly themselves, and sync it to their PC phones or other devices, but those are NOT required. And no need to upgrade the PC's for a while, BlueStacks is Linux(ish), it's hardware demands are low, and I can keep the PC's at there current level.
I distribute it on thepratebay, another long story for another day, but this is the best way to ensure it stays out there, and the price is right to be able to push it out to the world. We have tirelessly worked to ensure compatibility with the apps the devs release and I know this particular release of AW has restored many of the items BlueStacks cripples
We have started a mini marketing campaign to drum up interest, although modest. And for you devs, this open an ENTIRE new revenue stream you didn't even have before. Making Android the primary OS used.
---------------------------
That's the agenda, I would like to open a support thread for it somewhere on here. I have an armada of info, tools, rootkits, tricks and troubleshooting information that we feel can be valuable to the community. I'll get things posted here ASAP. Anyone that has played with this at all before will be able to appreciate all of the challenges we had to solve.
We did not knowingly disassemble or modify any of the original distribution files of any applications, staying in accordance with about every license agreement on earth.
--------------------------
Looking for some feedback, questions, thoughts, ideas.. have to get 10 posts or something anyway...
Thank you to everyone!
-js
What's the difference between your project and the Android x86 project?
syung said:
What's the difference between your project and the Android x86 project?
Click to expand...
Click to collapse
AFAIK Bluestacks has its own VM, so you doesn't need to install Virtual Machine any more.
I used this for a several months and it helps me to try an application without to send it to any Android device.
If you use Android x86 project, yo need to install it inside a Virtual Machine or make a USB Bootable, and as far I know it has limitations in the Play Store. Only some application that supports the architecture can be downloaded..
The Android x86 project is a piece of this absolutely. What BlueStacks is and what they have done is this:
Taken x86 gingerbread and ad an arm translator inside there. This is very unique, all of the other arm emulations fail out there after you even try to put them to the test with heavier use or apps. Basically the compatibility is just not there.
BlueStacks then added the vm player which is the most sophisticated player there is. Network mounts to shared fordler without installing drivers, and opengl support for limited HD graphics.
What we did
BlueStacks also crippled the hell out of the original ROM. All kinds of things missing that had to be put back in piece by piece, and still ensure compatibility. Some things fine to leave out, other maybe useful.
poring over the information, rooting bluestacks came easy, so we rooted every single v7.x of bluestacks, and began the mountain task of building compatibility. The winners are 7.4 for SD and 7.8 for HD. 7.8 handle the interface scrolling operations WAY better than later revisions. I can tell it was after this rev they forced on Surface Pro support, not back checking compatibility. And 7.4 installs on any machine but drops the arm translator. Still a nice product to put on an old machine, but little support for modern apps, and there won't be
Then doing a fair assessment of applications to do all the tasks one needs, file manipulation, printing, music, calling etc, We've spent over 200 hours trying to get a reliable lock screen, failed on that But we got most of it.
Finally adding and getting gapps to fully function was about like trying to drink a beer while standing on your head, it was like a marathon game of whack mole, we'd fix something, then something else friggen slam us over the head. Then we got to writing script, and adding widows apps like virtual keyboards and mouse to basically be able to run the entire OS with 1 finger as if you were Stephen Hawking.
We had an excellent response to the initial concept stuff version 1.1. It held on to around 400 seeders and 1000 user swam for about a week then began to fizzle. We expect that to triple and estimate 100,000 downloads in the first week. It is my opinion thepiratebay is the most accurate source for demand of anything digital, people that keep a copy and seed, actually really like something, versus an artificial "like" that other sites have and profit from. That's all Trip9d0zen stuff, about removing fake values and replacing it with real information exchange freedoms, so actually all financial can get to a creator, don't want to digress to far in this thread, but there is an ideology we have in common with thee twitters and thepitatebay's who have just the extreme basics of censorship, only to ensure safety, but never manipulated the information. We have evidence and models to change current businesses, and put the devs out in-front of these projects (or the artist selected agents). The more systems Android runs on, more success one can have. And Windows being the biggest, hands down, why not?
We feel this is by far the most compatible Android environment one can use, and can actually be used by anyone as an effective tool.
We know full well that once released, the ungodly amount of app work requests will be at its highest, but that's why I am here, where the devs are.. is this a revenue stream they want to suppport,?
I am personally using it exclusively for all my communications, social media and document creation, I only use windows for video playing files.
Hope that helps answer, here is the info to commercials for it, as our lil-1337s eloquently cranked out, smartasses...
youtube search for js99912
-js
It looks interesting, i'll check that up!
Dexcellium said:
It looks interesting, i'll check that up!
Click to expand...
Click to collapse
Me too. Thanks
Android for Windows 2.0
new version just went live..... can someone reply with a hot-link, thanks
thepiratebay.sx
/torrent/8440340
Adding Game Data / Mount SDcard.sparse BlueStacks
Ok, I have been asked about this more than anything,
Used to be the SDcard was a .fs file and could be manipulated easy, now it's a bit more involved, but none to difficult.
You need to download:
thepiratebay.sx/
torrent/8453985
This will get you to be able to mount the SDcard.sparsefs as a drive letter in windows... Nothing new, just consolidating info as I have been requested for this more than anything else. Enjoy!
-js
Hello guys!
I am new to this world completely! So please forgive my naive questions if they sound as such.
I was having a debate with an instructor of mine about iOS vs Android, and as I started criticizing Android for its fragmentation problem, my instructor started defending Android in that Android's latest move towards pushing an updated API to most of its user-base could very well negate the shortcomings of its firmware (OS) varieties. The main reason for this debate was me stating that if Apple decides to compete against google in advertising, it may reach almost all of its users through an 'unchallengeable' advantage as almost all of them run on the same OS, whereas if Android were to similarly display it ads on built-in apps as well as external apps provided by developers in Android's Appstore (ads provided by these two companies not developers, and pushed via developer-app by purchasing ad-space within their apps), Android wont be able to reach its users as iOS due to fragmentation. He ended up challenging me: if I find him a way in which iOS' firmware would create a barrier against Android's API, he'd give me 10 bonus points at the end of the semester, and if I fail, he'll cut 10 points from my final result!! Question, therefore, is: if these two giants decide to dog-fight in advertising, how could Apple exploit Android's fragmentation issue despite Android's API which could reach its old and new firmwares?
Kindly know that none of us are developers as we both specialize in business. We just happen to have huge interest in tech, especially in Apple vs Google, iOS vs Android!
Despite my lack of technical knowledge, I accepted the challenge because its sounds rather counter-intuitive, to me, that Android's API wouldn't be tackled if Apple decides to play dirty through its OS-unified (almost) user base. Why go through the hassle of overhauling the firmware if a simple fix as API could bridge the gap?!
A solution with very thorough explanation would be very much welcome and appreciated!
Thanks in advance.
From https://source.android.com/security/bulletin/2017-12-01 --
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
Thoughts on this one, guys?
Any possibility this could be mitigated somehow, short of tossing the Android device in the trash and buying an iPhone instead?
In particular, is there any way to just disable the mediaserver or whatever altogether? It would be much better to not be able to play videos, than the possibility of any video pwning your entire device, no?
Vulnerabilities like these are patched almost every month (just have a look at the bulletins of the months before), so this one doesn't seem any worse than those that have been there before. To the best of my knowledge, neither of these have ever been exploited in the wild - not even Stagefright back in 2015, according to Google: https://www.theregister.co.uk/2017/02/15/google_stagefright_android_bug_zero_success/
Note that the security bulletin you linked to also states the following:
"The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."
Click to expand...
Click to collapse
I hope they can't be bypassed too easily...
What I don't understand is what 'privileged' means here. Does it mean 'root' or does it relate to Android app permissions? The former sounds much worse, and I'd find it alarming if the media framework stuff would (still) run as root (or something similar). Would be great if someone could clarify this.
As I tend to be kinda paranoid when it comes to computer security, I'm also always worried by issues like these, but my impression is it's probably something we have to live with :-/
In particular, I don't see a reason to believe the iPhone is more secure (apart from the fact that it receives regular updates in contrast to most Android phones...)
One would probably be better off with a system that is so exotic that no one would bother to develop an exploit for it - unfortunately, I haven't found one so far...
by sophisticated government attack i mean something with virtualization technologies, several masking and hiding capabilities like FinFishers solutions.
Does:
Updating to the newest version of ios
hard reset the phone
securely remove the spyware?
1) i see more as a bonus question that is not really needed, but might be interesting too.
I would thank you for a careful but practical answer, since this question relates to some "moving parts" like: "Is it possible to load a "real" update from an infected phone, or will a sophisticated attack redirect those requests" and if there is something you can do to prevent this etc. or the question whether a hard reset really deletes everything or if the spyware can somewhat hide in "blocked" or wrongly addressed areas of the storage and so on.
On the other hand i do know that there never is absolute certainty and would be more interested in a "probabilistic view".
Thanks to the Forum!
I think your question is pointing to widespread security problems with most technology. Manufacturers often use closed source software and the same goes for most of the hardware devices. This makes security very difficult and of course these weaknesses are now being exploited by state sponsors.
Stuxnet was a good example and well worth reading about.
https://en.m.wikipedia.org/wiki/Stuxnet
http://itmanager.blogs.com/notes/20...e-protected-the-iranians-against-stuxnet.html
It infects microcontroller chips that do memory management. The introduced code returns modified data, maybe not even on each read.
So if the phone internal memory uses these microcontroller chips then even loading a new rom wouldn't help. You have to be able to have access to the microcontroller firmware and introduce your own access certification. It is very difficult to do this at present as most of the hardware information is not available, both for phone and internal chips.
Unfortunately this means that state sponsors can take the devices apart, inspect chips with an electron microscope, thus obtain a lot of secret information for their hacks.
Having had stuxnet on a laptop I became interested in these problems.
Contaminated updates again depend on the resources available. These rely on https and code signing.
https://arstechnica.com/information...ate-authorities-conspire-to-spy-on-ssl-users/
http://www.crypto-it.net/eng/theory/software-signing.html
A contaminated update requires access to the certificates and a delivery method such as intercepting a request from a known ip address.
Many states have access to the certificates and the means to target downloads. Using tor for updating might give some protection, as would a system to compare your download with that obtained by other people. We don't have this working automatically yet as far as I know.
https://www.torproject.org/docs/verifying-signatures.html.en
Phones have a second operating system where code may not be secure.
http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
https://www.rsaconference.com/event...ile-apt-how-rogue-base-stations-can-root-your
You can minimize risk by keeping a device in airplane mode and using a separate mifi device.
If you consider yourself an innocent target or just want to minimise risk then perhaps regularly buy second hand or new devices from shops, keep them in airplane mode, keep the necessary software to send by bluetooth and check the md5 sums.
Web browsers could be another security problem if they can run exploits, but this is probably outside the scope of your question.
Secure communications apps will probably work fine as long as they don't require updates. Beyond that, keep it all locked up in a safe you built yourself.