Google is releasing a security fix for all phones, is this going to affect the ROMs? Will this be something Devs will have to build a ROM patch for?
Here is the article with the details:
Google Fixes Android Glitch That Affected '99 Percent' of Devices
Google said Wednesday that it has fixed a security glitch that reportedly opened up 99 percent of Android-based devices to a security breach.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts," a Google spokesperson told PCMag. "This fix requires no action from users and will roll out globally over the next few days."
Google would not say what percentage of devices were actually affected.
At issue is a Tuesday report that said 99 percent of Android devices are vulnerable to attack when they're used to log into a site on an unsecured network. The report, which came from researchers at Germany's University of Ulm, claimed that phones or tablets running on Android 2.3.3 or earlier were vulnerable because of an improperly implemented ClientLogin authentication protocol. ClientLogin is used to verify users' identity on Android apps, and it saves the authentication data (authToken) for up to two weeks. The authToken is obtained from ClientLogin by providing a username and password on an https connection.
But the researchers said that when a user would login to a site like Facebook or Twitter that stored data could be open to attackers who could use the info to falsely gain access to their private information like Google Contacts and Calendars.
The researchers—Bastian Könings, Jens Nickels, and Florian Schaub—decided to simulate an attack to see if their findings were correct.
"We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis," they said. "The answer is: Yes, it is possible and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs."
There was also an issue with the way data was handled when devices were synced with Picasa, but Google said this has also been fixed. Called a "silent fix," a Google spokesperson said all users will get the update automatically.
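The quoted article describes the exposure in two parts: the authToken is fetched over https, but it stays valid for up to two weeks and can then be observed when a device talks to a service over an unsecured network. As an added example (not code from the thread, from PCMag or from the Ulm researchers), the Python below audits a constructed request log from the defender's side and flags every request that carries a still-valid token in plaintext, together with how long that captured token would remain usable. The log format, host names, timestamps and token strings are all constructed for the example; nothing here is a real Android or Google log format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The article states a ClientLogin authToken is kept for up to two weeks.
TOKEN_LIFETIME = timedelta(days=14)

# Constructed log format (an assumption for this example, not a real log):
#   <timestamp> <METHOD> <URL> auth=<token> issued=<timestamp>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"auth=(?P<token>\S+) issued=(?P<issued>\S+)$"
)


@dataclass
class Finding:
    line_no: int
    host: str
    reason: str
    replay_window_hours: float  # how long a captured copy of the token stays usable


def audit(lines, now):
    """Return one Finding per request that exposes a still-valid token in cleartext.

    Two conditions must both hold for a line to be reported:
      1. the request went over plain http, so anyone on the same open network
         could read the Authorization data;
      2. the token has not yet passed its two-week lifetime, so a replay of it
         would still be accepted by the service.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: not a finding, but worth logging in practice
        url = urlsplit(m["url"])
        issued = datetime.fromisoformat(m["issued"])
        remaining = issued + TOKEN_LIFETIME - now
        if url.scheme == "https":
            continue  # token travels inside the TLS tunnel; not visible on the Wi-Fi
        if remaining <= timedelta(0):
            continue  # already expired; a replayed copy would be rejected
        findings.append(
            Finding(
                line_no=n,
                host=url.hostname,
                reason="bearer token sent over plaintext http",
                replay_window_hours=remaining.total_seconds() / 3600,
            )
        )
    return findings


# Constructed sample: one https request (safe), one http request with a fresh
# token (reportable), one http request whose token expired days ago (not reportable).
NOW = datetime(2011, 5, 17, 12, 0, 0)
SAMPLE_LOG = [
    "2011-05-17T11:58:00 GET https://calendar.example.test/feeds auth=tokA issued=2011-05-15T12:00:00",
    "2011-05-17T11:59:00 GET http://calendar.example.test/feeds auth=tokA issued=2011-05-15T12:00:00",
    "2011-05-17T12:00:00 GET http://contacts.example.test/feeds auth=tokB issued=2011-04-20T12:00:00",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, NOW):
        print(f"line {f.line_no}: {f.host}: {f.reason}; "
              f"token still valid for {f.replay_window_hours:.0f} h")
```

Run as written, the audit reports only the second line: the same token that was safe inside TLS on line one is exposed on line two, and because it was issued two days ago it would stay replayable for roughly twelve more days. The third line is skipped because its token has already outlived the two-week window, which is exactly why shortening token lifetime and refusing cleartext transport are the two mitigations that matter here.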
My understanding is this is a Google server side fix, and isn't something that needs to be "pushed" out to mobile devices.
Sounds more like it'll be an update to 1-2 apps to patch the security hole.
I consider the "find my phone" software a necessary must on any mobile device. The ability to locate, ping, and wipe your Mobile is an extraordinary advantage in the digital age. I've used it once to find an errant iPhone 3GS and again on WP7 with a Samsung Focus along with helping my sister who continually forgets where her iPhone is.
What do you use on your Galaxy Nexus? Have you had an unfortunate circumstance that allowed you to field test it yet?
I've always had Lookout installed with all my phones. Fortunately I have never had to use it.
https://market.android.com/details?id=com.lookout&feature=search_result#?t=W251bGwsMSwyLDEsImNvbS5sb29rb3V0Il0.
I used 'Where's My Droid' on my N One and continue to use it on my GNex, also had loads of added bits with Tasker working off the same trigger like lock phone and give warning message with a contact number to return... just in case it was a nice old lady that found it. Not sure if Tasker will work fully on ICS yet so I've not set it up.
I also had Lookout installed but whenever I tried to locate it on their site it could never get a lock on. I don't know if it was that they didn't fully support the UK or that I was always flashing ROMs and it constantly being reinstalled caused problems.
I have a Google Apps account for my family and a few of us have Android devices, so I installed the Google Apps Device Policy app on all the Android phones (in the Market and it's by Google). That app enables device policies and such for each user/device (encryption, syncing, syncing while roaming... anything a business would want to restrict/allow for their device). The plus about that app is that it gives me access to this (the mydevices link):
http://www.google.com/support/mobile/bin/answer.py?answer=1235372&topic=1233222
It's free and allows Google Apps users to lock, locate, reset pin, ring device, etc for Android devices. Remote wipe and everything else is part of Google Apps too.
Don't need a separate app and monthly fees, it's all handled by Google and works perfectly.
Interesting. Do you have to setup a server or what? I understand the client side policy app but not the backend.
How do you tie them together?
G2x - 2.3.7 CM7
Transformer - 3.2 Revolver OC/UV
player911 said:
Interesting. Do you have to setup a server or what? I understand the client side policy app but not the backend.
How do you tie them together?
Didn't have to set up anything, no servers or tying any services together. On my Android phone, I just set up my account with my Google Apps email/password, installed the Device Policy app, and .... done.
All the devices show up for my family in my Google Apps control panel (under settings -> mobile if you're familiar with Google Apps's panel). And that mydevices link "just works". Don't have to set up anything else, it's great. Google does it all for you.
I believe the device policy app periodically pings Google's servers every few days (it's a bare app with no settings, only a couple pages of info on policies and current status), that process lets the Google Apps admin (me in this case) restrict/allow anything via the Apps Control panel.
The mydevices webpage is more of a "push", since "ring device", "reset pin", "locate device", and all those buttons are instantaneous. i.e. I click "ring device" and a few seconds later my phone rings super loud, even when on silent (this is assuming there is a data connection available to the phone).
I got SeekDroid from the Amazon Appstore when it was free. It's pretty good. It gives the GPS location from where the phone was last used, lets you send alarms and messages to the phone, lock the phone, and remote wipe the phone and SD card if necessary.
BinaryTB said:
Didn't have to set up anything, no servers or tying any services together. On my Android phone, I just set up my account with my Google Apps email/password, installed the Device Policy app, and .... done.
All the devices show up for my family in my Google Apps control panel (under settings -> mobile if you're familiar with Google Apps's panel). And that mydevices link "just works". Don't have to set up anything else, it's great. Google does it all for you.
I believe the device policy app periodically pings Google's servers every few days (it's a bare app with no settings, only a couple pages of info on policies and current status), that process lets the Google Apps admin (me in this case) restrict/allow anything via the Apps Control panel.
The mydevices webpage is more of a "push", since "ring device", "reset pin", "locate device", and all those buttons are instantaneous. i.e. I click "ring device" and a few seconds later my phone rings super loud, even when on silent (this is assuming there is a data connection available to the phone).
That sounds cool, I may have to look into it when my GN arrives.
BinaryTB said:
I have a Google Apps account for my family and a few of us have Android devices, so I installed the Google Apps Device Policy app on all the Android phones (in the Market and it's by Google). That app enables device policies and such for each user/device (encryption, syncing, syncing while roaming... anything a business would want to restrict/allow for their device). The plus about that app is that it gives me access to this (the mydevices link):
http://www.google.com/support/mobile/bin/answer.py?answer=1235372&topic=1233222
It's free and allows Google Apps users to lock, locate, reset pin, ring device, etc for Android devices. Remote wipe and everything else is part of Google Apps too.
Don't need a separate app and monthly fees, it's all handled by Google and works perfectly.
Unfortunately the first line is: This article applies only for Google Apps for Business, Education, and Government customers.
Any work arounds found by XDA?
Anyone else?
Another vote for SeekDroid. It always worked well on my Desire and I plan on using it with my GN. One of the best features is you can actually remove SeekDroid from appearing in the phone menu or app list, which prevents anyone from removing the app without your permission.
I used http://www.mobiledefense.com/ on my Nexus S. Not sure if they ever released a retail version yet though. Kinda curious about the Google Apps thing now though...
Cerberus, Cerberus, Cerberus!!!
Such an excellent application! Please check it out, you won't be disappointed!!
I'm surprised no one has mentioned Prey yet.
Just tried Cerberus. Wow. Awesome! Thanks for the suggestion.
I've always used prey - I actually had a friend get his laptop stolen in Africa, and he's currently coordinating with the African police to get it back. They've made arrests and stuff - I was extremely impressed.
African police drop what they are doing to chase down a misplaced gadget?
More stories please?!
I've always used Where's My Droid, but after reading above about Prey I am probably going to switch to that.
I've used Prey since day one and find it very good, and the ability to alert you it's missing if the SIM card changes is a godsend as well.
Might check out Cerberus as someone mentioned it 3 times, so compelled to look now lol
Just launched Prey and the logon prompt is all screwed up and you cannot put in some details, so you can never log in... time to try others now.
Bought Cerberus, really like the fact it can take a photo of the person trying to get past my passcode, might try it out on my other half lol
bmstrong said:
I'm surprised no one has mentioned Prey yet.
https://market.android.com/details?id=com.prey
Exactly.
The best I've ever tried up to now.
Love the way it enables GPS also if it's down.
I'm surprised no one has mentioned AndroidLost. AndroidLost has remote wipe, GPS locate (never had to use it), send SMS/MMS from phone remotely, make calls, take pictures without the user knowing, record audio clips with the MIC without the user knowing.... all through a web page. No one else uses this?
Last month raygun.io released its official Android provider, which captures all unhandled exceptions (before the app crashes) and sends it to the service, where the stack trace, hardware/OS data, etc are displayed. It also includes custom data and ad hoc sending support (like in a catch {} block), as well as app version tracking and unique user tracking (for a count of how many affected users for a particular bug). This helps tackle fragmentation as you can see what bugs affect certain models, and for what versions.
If there's no network available when a crash happens, the provider caches it and sends it the next time it can. And the capture & sending all happens asynchronously, so no blocking of the UI thread. Hope someone can benefit from this.
OK, I bought my device in mid November as an Xmas gift. Since the beginning of the year, I decided to use one of the perks. Lo and behold, I am charged. I try to contact the company involved and they say that they only provide a limited trial. But Samsung states the trial period is much longer. I contacted Samsung about my issue, and wonder what I was not sent during my registration. I own many Samsung devices and have had my account since late 2008. So I know my account registered the device and should have had some details in regards to perks. The only thing I got was a one-time webpage with a Google Play code for my credits; everything else was just unlinked information for all new subscribers to the perks.
Has anyone dealt with perks and have any ideas to resolve such issues? I don't want to be charged for something I am trying out.
Possible fix
Well, I finally got an answer back from the second point of contact... they stated that they normally don't support tablets but offer support through phone service. Anyway, now I must call Samsung support to run through the issue one more time, so they can figure out what to do.
Some head way
OK, got done with my call to Samsung.
I learned not to register the device through your Samsung account devices page. I have many Samsung items through the years, as I had learned it is easy to go and register that way.
The proper link is http://www.samsung.com/us/register-for-your-galaxy-perks/#note-8 for the Note 8.0
Also for some odd reason they want a google email account, which I never had until after registering. Take note that if you have an existing Samsung account, the email address needed for registration completion is your gmail email address.
I wish web developers had a brain; this is not the first time I have seen such a broken way of cross-linking account information, it just annoys the krappa out of me.
Now to fix the issue with Samsung Link being unable to fetch account authentication information with my Samsung account. Yes, I deleted and recreated the Samsung account many, many times. Just another annoying issue. (
While waiting...
OK, while I had some time, I fixed my Samsung Link issue... had to make it a system app. Samsung loaded PS Touch, and Samsung Link needs to be kept as a system app. Though most of the system apps can be removed and side-loaded for Google Play to manage install/removal processes. I prefer it that way for reloads and memory management outside of using Titanium Backup. The fewer utilities to perform tasks the better. Somebody should do a write-up on using built-in functions to perform most all needs, instead of finding more apps to do what you can do on your own and without rooting.
I doubt I'll ever fix the Video Hub issue... seems that it is getting info from Samsung servers about the device. If the device does not match the white list at the authentication server, you're a no-go at getting content. At one time the Note 8.0 was in the white list; now it looks like it is region select and will check firmware along with device.
I have an app to fake the ID and location, but Video Hub is not a concern just an odd app that has some interesting features that go beyond google play hardware requirements.
Woopie! )
Samsung got me my perks rewards resent to my email address, the Google account that I had to make since I did not use Google before owning the Note 8.0.
Now I am going to redo my account on which I paid a months subscription, so I can apply my perks.
This is recurring in all phones I've had for at least a year now. Once again... And it is just now that I am once again getting upset at Google Play Services making itself a device admin daily on startup so it can update its app daily, so it can weasel into the browser and log my account and store cookies and track and etc etc etc.
If I do not lose my phone, then it should stop activating the find my device. If I lock my screen, then it should stop activating itself as an administrator. If it was just to find the device, then it should stop putting itself as an account in my browser.
The Google Play Services can no longer be reverted. It has turned the phone into just another chunk of Google Garbage.
It's a critical part of android. What is it you are trying to achieve by locking it down?
James.Miller said:
It's a critical part of android. What is it you are trying to achieve by locking it down?
Site storage in browser. I believe it is a carrier config or carrier settings. I have rid myself of it by disabling carrier configs on other phones, but here I can't disable carrier system apps.
I play with it off on some phones, and of course on rooted phones. It is irremovable here now. I had it removed during the first few days on my new A70 but now can't get it off, no way no how.
The carrier configs and other things from the carrier are a real problem. Carriers (used to) push settings they deem appropriate at regular intervals on an old phone I had. Their settings push included things like turning on location, and worse; all kinds of settings would get changed. Google calls these in its "partner" app. It's all tied together. There are credit agencies' certs, and security companies in the system app.
James.Miller said:
It's a critical part of android. What is it you are trying to achieve by locking it down?
I may sell the phone if I can't use it on internet without continued police insults on my humanity. I'm sick of it all. Been taking abuse for years. Only useful as a gaming and music player.
In my experience, once you have confirmed to your own recognition that they are behind the curtain of the device, talking to you invisibly thru the back door in the comments sections of the internet, then the phone is no good.
I believe that screenshots of their android back-doored comments, -- along with proof in pictures or recordings that they have been speaking in narrative to you that way -- should be grounds for money back from the phone company for the device. The device is faulty then beyond the shadow of a doubt and worthless and irreparable. Money back should be the rule for hacked devices.
comments, recommendations... or other features being hacked. I have had apps hacked, I have had voice recognition dictation hacked, etc. I don't remember a list of features of Android I've stopped using because of insult hacks. The predictive words on the keypads, and auto correct, used to be a favorite exploit they'd use to deliver cracked commentaries against my humanity...
All features and apps I no longer use. And how many people would never pick up on how these devices are being used against them.
I think the phones should be programmed to avoid cached DNS results, and to randomize the DNS it uses. The apps such as YouTube should never return to an open session or use a cache. These devices are fast enough and simple LTE/4G is fast enough to load fresh sessions from sites from new lookup services.
If Google needs to have Find My Device in Android to serve customers who are afraid their devices will be stolen by non-professional phone thieves or lost, then they should sell different versions for those who don't want a system admin like Google which gets its money from data theft and spamming.
The persistent settings in the browser for its default site bothers me. I got rid of it on my Oreo running phone. Took awhile, but I finally got rid of it on one phone by deleting all browser data. It comes back when the browser restarts on internet tho, and persists again like a foul barnacle. Used to be able to get rid of it.
Here it's seen it camouflages itself if I change the default search page, but it still persists.
Hello everyone,
I'm used to LineageOS on my previous phone and now I've recently upgraded to this phone, but I feel my personal info is too much available to Google and MI system apps and I don't want that; that's why I went to LineageOS on my previous phone, but like other custom firmwares, it has several bugs which limit the potential of the phone.
Even without using a Google account I can feel my life is being spied on because a few things happen:
- if someone calls me, a friend or whatever, and it's not in my contacts list it asks me if it's spam. For what? To send the info somewhere using the internet connection and warn others if it's spam? If it reads my contacts for this it can read those for anything, like copy my whole contacts list, which I'm not comfortable with and I'm not able to control. I'm afraid that later if I use the regular browser to access Gmail for instance, the OS is prepared to warn Google that all the info that I've shared so far belongs to that particular Google account and that phone IMEI is also used by that account. Am I crazy? Maybe, but all this is possible and I want to make it impossible.
- If I do not allow Google services to access my text messages app (built-in app) I keep getting a warning from the system that something will not go OK if I do not turn on that access for Google services. Why the hell do Google services need to access my texts? My first phone, 20 years ago, could send SMS without Google; why the hell does Google need to see my texts now?
The list continues but I'm not willing to lose the nice things this OS has too, but for me personal info is too valuable and I don't want to give away any information from my contacts list, SMS texts, the places I visit, my tastes and so on; all this is my personal life and no one needs to know about it, not even just for statistics. Some people on my contacts list don't use Android and don't want their personal phone number stored somewhere and connected to me somehow; not that I'm a criminal or something like that, but all this combined together is like a personal "Facebook" for Google and MI to use: they know who the persons are who I connect with, who is near me at a certain period of the day, where I usually do shopping; well, all my life is being stored somewhere, and I want to end this.
Is there a way to keep the current OS and block every outgoing info coming from the phone? I've done some research and I have come to this so far:
- AFWall can be a solution, but how good is it?
- Removing Google services is not an option using ADB, the OS will not work
- Disabling Google services is not working. The system keeps turning them on automatically
Please give me your feedback with your experiences about this security issue; I think several people feel the same way, and how did you manage to work around this keeping the original OS?
PS: For now I didn't unlock the bootloader, but I will if the solution goes that way.
Thank you everyone
Tomalamix
Living in the age of Google, one cannot use a phone & the Internet without your info being collected for ad purposes or whatsoever.
Ad purposes I can live with; what I can't live with is my personal data being stored by a 3rd party company besides my cell operator.
I've been watching the Anti-Gapps group but it seems discontinued I guess; I think this is a task fitted for them.