A new security vulnerability affecting android users as an X-Frame-Options flaw which when combined with a recent Android WebView (Jelly Bean) bug allows hackers to install apps on users device without their permission. The vulnerability affects users running Android 4.3 Jelly Bean and that use a UXSS vulnerable browser. As Tod Beardsley, engineering manager at Rapid7 reports:
"Users of these platforms may also have installed vulnerable aftermarket browsers. Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable."
Click to expand...
Click to collapse
Source
How to prevent being vulnerable
Update to newer Android version
Use a browser like Chrome or firefox that isn't vulnerable to UXSS
Don't keep your Play Store account logged into any third party browser apps
Source
Related
Unchained 1.0: the unofficial Play Market client.
The core purpose of this app is to allow you to use Play Market without leaking any private information to Google.
Unchained will:
Allow you to browse the list of apps installed on your device, see new app versions available on Play Store, download and install them;
Work alongside official Play Market client as well as on device with no gapps at all;
Search the market to find and install new apps.
Unchained will not:
Install paid apps, even if you legally paid for it;
Leak any data to Google or anyone else;
Evolve into full-fledged Play Market client.
Require root permissions to install or operate.
Play Market account
To use Unchained you need to provide market account details. Use full gmail address and password, as well as android id. To get android id on a working android device dial *#*#TALK#*#* in stock dialer and look for "aid" or "androidid". More details on finding android id here, an app to get android id for you is here. The word is out there the android id must be linked to the account you provide. I can neither confirm nor burst this myth.
A word of warning
Accessing Play Market with unofficial tools violates Google terms of service. Your account may be blocked because of Unchained usage. I strongly advise you to use a disposable account for any of the unofficial Play Market access tools. I've been using these tools for a few years now and my account still works but it does not mean Google will not change its policy in the future.
Alternatives
APP Downloader will allow you to download any app using your browser.
NOGAPPS project can update installed apps, but cannot be installed alongside official Play Market client and requires root to install.
In February, Google proclaimed "Android is yare for work," marking an official opening to the Android for Work effort first introduced at Google I/O 2014. Today, Google's official Android for Work app has hit the Play Store, yare to avail users running Android 4.0-4.4W (since setup is built into Lollipop) and working with Android for Work partner solutions set up their contrivance for work use.
For those out of the loop, Android for Work is Google's take on dual-persona contrivance management, sanctioning users to have two replicas of the same app - one for personal use and one for business. The two are securely kept separate from one another but appear on the same contrivance, betokening users can jump between work and personal apps effortlessly, kenning that data from work apps can't carry over or commix in with the apps' personal counterparts.
Download from Google Play:
Download from Here Google Play
Sounds cool but can you name examples of this when it would be useful? And to who?
Good explanation but I guess I'm more out of the loop than I thought.
Just curious to know if there is a reason Google Play Services can't be used to roll out fixes to this or any other exploit/bug. It's great that Google's fixed it in the OS but given that you don't tend to get major OS upgrades unless you buy a new phone it means it'll be years until most users are safe. If the OS is a collection of files then why can't any file be fixed and rolled out via Google Play Services or the play store more or less immediately for all versions of Android?
Just got the Stag Rom up and running on my Moto Stylus. Added MicroG from F-droid and all seems to work well. When I did a scan with ClassyShark, MicroG showes 4 trackers, Google AdMob, Google Analytics, Google Firebase and Mapbox ? anyone know why ? something that is needed for MicroG to work ?
Baja24 said:
Just got the Stag Rom up and running on my Moto Stylus. Added MicroG from F-droid and all seems to work well. When I did a scan with ClassyShark, MicroG showes 4 trackers, Google AdMob, Google Analytics, Google Firebase and Mapbox ? anyone know why ? something that is needed for MicroG to work ?
Click to expand...
Click to collapse
Did you consider to ask in the µG thread? I assume there're probably more knowledgable members around.
[APP] microG GmsCore - lightweight free software clone of Google Play Services
Introduction microG GmsCore is a FLOSS (Free/Libre Open Source Software) framework to allow applications designed for Google Play Services to run on systems, where Play Services is not available. If you use your phone without GAPPS this might...
forum.xda-developers.com
Personally, I'm user of µG for many years on all my devices but not an expert. I assume µG requires those libraries to make applications to run that usually require the Google Play Services but I'm convinced that they've been "disabled" in such a way that they don't deliver Google's intended results.
Thanks, kind of what I thought.
Hi there,
I have read that native Gapps core is "spying on you", so I flashed an Arrow OS without Gapps integration on my phone, and installed afterwards MicroG.
Now some apps won't work, because it can't check the license (like paid Litchi app).
Is a custom Firmware, with Gapps core integrated behaving the same as native one in the stock Firmware according "spying on you", or are they in general more safe then Stock ones?
Thanks in advance.
MicroG is a clone of Google's proprietary core libraries and applications, means it simply provides a placeholder for many APIs Google Play Services / Google Services Framework / GMS apps are relying on.
So it's not surprising that when using MicroG some GMS apps and also some 3rd-party apps won't work as expected.
Given that Android 8+ is comprised of multiple disjoint components....
"To solve the hardware abstraction layer issue, Android 8.0 Oreo and later version like Android 9.0 Pie formalize the division between hardware subsystems like audio or camera,and their clients on the software side. These new formal divisions specify the interface between a HAL and its users. There are now around 60 formal interfaces for various hardware components, known as HIDLs."
Click to expand...
Click to collapse
This thread is asking about the over two dozen (and counting) Android core modules encompassed in Project Mainline/Treble/Google Play system updates/etc., now mostly simply referred to as "Google System updates"...
"One of Google's biggest efforts for Android in recent years is to make updating parts of the operating system easier, cutting out the middlemen wherever possible to deliver updates directly to customers. Originally referred to as Project Mainline, the system is now called "Google Play system updates" or sometimes "Google System updates."
These updates are downloaded and installed automatically by the Play Store, with the installation finalizing whenever you decide to reboot your phone. Generally speaking, the system is designed to go unnoticed, a goal that Google has achieved with relative success."
Click to expand...
Click to collapse
I have asked this fundamental question of everyone I can ever since the modular system often called project Mainline/Treble/etc had been announced way back for Android 10 & up...
"Android 10 or higher converts selected system components into modules, some of which use the APEX container format (introduced in Android 10) and some of which use the APK format. The modular architecture enables system components to be updated with critical bug fixes and other improvements as needed, without affecting lower-level vendor implementations or higher-level apps and services."
Click to expand...
Click to collapse
I have yet to get _any_ answer whatsoever that has any basis in published facts from Google on for how long, or even by whom, these updates are pushed to your phone.
"Updated modular system components can be packaged together and pushed to end-user devices, *either by Google* (using the Google Play Store infrastructure) or by the Android partner (using a partner-provided OTA mechanism)."
Click to expand...
Click to collapse
The fundamental question...
For the two dozen core modules covered in project Mainline, for how long does {Google/partner} update those two dozen core modules over Google Play Update services on Android 10+ phones? And how can we tell?
The answer...
Is it finite?
Is it forever?
Is it arbitrarily finite?
For how long are the two dozen core modules updated over Google Play for any given Android 10+ device?
(Also: How do we know when/if Google Play System Updates are happening?)
(And by whom?)
Note that Android is comprised of many classes of components:
Android security patch version (Settings > About > Software)
Google Play System version (Settings > About > Software)
Google Play Services version (Settings > Apps > Google Play Services)
Google Play Store version (Settings > Apps > Google Play Store)
Firmware versions (e.g., Qualcomm firmware covered under Project Treble)
Default system app versions (e.g., googlequicksearchbox, and many others)
And note that each of those components has a different way to check for updates:
Settings > Software update
Settings > About phone > Software information
Settings > Apps > Your apps > Google Play {Services,Store}
Google Play Store > Settings > About > Play Store version > Update Play Store
For how long are the two dozen core modules updated over Google Play for any given Android 10+ device?
(Also: How do we know when/if Google Play System Updates are happening?)
(And by whom?)