The Androids Crooks Are Looking For

HardOCP News · May 17, 2011

Researchers at the University of Ulm say that anyone running older versions of Android on their phones are vulnerable to attack.

We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis. The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.

sigvoror · May 17, 2011

This really sucks for people who haven't rooted their phone, because the carriers in the US suck about getting updates to the phones. Of course, some phones, such as my OG Droid, won't officially get to 2.3.4, but that is one of the reasons why we root.

Ashbringer · May 17, 2011

This is why Android phone manufacturers need to start updating their phones. It's stupid that they're allowed to get away this far.

Ashbringer · May 17, 2011

sigvoror said:
This really sucks for people who haven't rooted their phone, because the carriers in the US suck about getting updates to the phones. Of course, some phones, such as my OG Droid, won't officially get to 2.3.4, but that is one of the reasons why we root.

Unfortunately for Motorola owners, Motorola decided to lock the kernel, which makes it very hard to update the phones OS. The original Droid isn't effected by this, but newer ones are. Being a Motorola Cliq 2 owner, I found this out the hard way. This doesn't mean you can't update the Android OS, you just gotta do it around an older kernel. Which I hear is a big pain in the ass.

There is good news, Motorola is planning on unlocking the kernels on phones, but they have yet to announce what phones will be unlocked. Most likely, older phones.

WhiteZero · May 17, 2011

In other news, PSN was hacked because of an old version of Apache and Windows XP is more vulnerable than Windows 7...

hamm3rhead · May 17, 2011

WhiteZero said:
In other news, PSN was hacked because of an old version of Apache and Windows XP is more vulnerable than Windows 7...

But those scenarios are fixable by the user.. certain android phones are restricted by the manufacturer to shitty old versions. Apples Oranges Pears Lemons

Mabrito · May 17, 2011

Ashbringer said:
Unfortunately for Motorola owners, Motorola decided to lock the kernel, which makes it very hard to update the phones OS. The original Droid isn't effected by this, but newer ones are. Being a Motorola Cliq 2 owner, I found this out the hard way. This doesn't mean you can't update the Android OS, you just gotta do it around an older kernel. Which I hear is a big pain in the ass.

There is good news, Motorola is planning on unlocking the kernels on phones, but they have yet to announce what phones will be unlocked. Most likely, older phones.

Not the Kernel, but the Bootloader they lock.

Vermillion · May 17, 2011

hamm3rhead said:
But those scenarios are fixable by the user.. certain android phones are restricted by the manufacturer to shitty old versions. Apples Oranges Pears Lemons

Well if you don't connect to an open WiFi network it's not an issue to begin with.

obs · May 17, 2011

Vermillion said:
Well if you don't connect to an open WiFi network it's not an issue to begin with.

Now compare this, an exploit on virtually all Android devices by merely connecting to an open Wifi network (which are being increasingly used) vs the Apple PDF exploit which got updated and fixed for all iOS devices. Or even the many holes in IE over the years.

This is a huge hole and Android's OS fragmentation will make sure there is a proliferation of susceptible devices for a long time. And unlike the other problems listed, it's nearly impossible for the non-tech person to fix via a patch.

MrLonghair · May 17, 2011

Ashbringer said:
This is why Android phone manufacturers need to start updating their phones. It's stupid that they're allowed to get away this far.

Most are.

It's just that Verizon, AT&T and the other criminal communications corporations don't want to do anything about it, they want to sell new phones instead of giving out new updates making phones safer.

Blown 89 · May 17, 2011

MrLonghair said:
Most are.

It's just that Verizon, AT&T and the other criminal communications corporations don't want to do anything about it, they want to sell new phones instead of giving out new updates making phones safer.

^This

larryBird44 · May 17, 2011

I think with Ice cream vendors are mandated to provide updates for hardware that can support it for at least 18 months. Google recognizes fragmentation and is working to alleviate that concern.

Vermillion · May 17, 2011

obs said:
Now compare this, an exploit on virtually all Android devices by merely connecting to an open Wifi network (which are being increasingly used) vs the Apple PDF exploit which got updated and fixed for all iOS devices. Or even the many holes in IE over the years.

This is a huge hole and Android's OS fragmentation will make sure there is a proliferation of susceptible devices for a long time. And unlike the other problems listed, it's nearly impossible for the non-tech person to fix via a patch.

True. I never said it wasn't an issue. There is a third part to this issue though. Why are these apps not using the HTTPS versions of all these sites to begin with?

MrLonghair said:
Most are.

It's just that Verizon, AT&T and the other criminal communications corporations don't want to do anything about it, they want to sell new phones instead of giving out new updates making phones safer.

Exactly. Second part to that thought pattern though is why are they continually releasing old versions of the OS in the first place? To date no phone has been released with Android 2.3.x on it.

kllrnohj · May 17, 2011

Vermillion said:
Exactly. Second part to that thought pattern though is why are they continually releasing old versions of the OS in the first place? To date no phone has been released with Android 2.3.x on it.

What on earth are you talking about? 2.3 was released with a new phone, the Nexus S. The nexus one has since been updated to 2.3.4 (newest version, same as Nexus S). Furthermore, the new hotness Galaxy S2 launched with 2.3.

So there are at least two phones that shipped with 2.3 and nothing else, and one that has been updated so far.

Vermillion · May 17, 2011

kllrnohj said:
What on earth are you talking about? 2.3 was released with a new phone, the Nexus S. The nexus one has since been updated to 2.3.4 (newest version, same as Nexus S). Furthermore, the new hotness Galaxy S2 launched with 2.3.

So there are at least two phones that shipped with 2.3 and nothing else, and one that has been updated so far.

Sorry, long day so I didn't proofread. I forgot to say other then Nexus S and S2, but that's still pathetic considering how long 2.3.x source has been out. I don't hold Samsung in high regard so even with 2.3 I don't expect them to update shit. Hopefully, they prove me (and everybody else) wrong.

Moto and HTC have yet to release anything with 2.3.x on it. DX has had leaked GB ROMs for weeks and nothing. Even DX2 is still rumored to possibly launch with 2.2.2 instead of 2.3.x. TBolt had a leaked 2.3.4 RUU yesterday. Unfortunately, the new radio kills 4G speeds.

The Androids Crooks Are Looking For

HardOCP News

[H] News

sigvoror

Weaksauce

Ashbringer

Supreme [H]ardness

Ashbringer

Supreme [H]ardness

WhiteZero

2[H]4U

hamm3rhead

Gawd

Mabrito

Supreme [H]ardness

Vermillion

Supreme [H]ardness

obs

Supreme [H]ardness

MrLonghair

[H]ard|Gawd

Blown 89

2[H]4U

larryBird44

Supreme [H]ardness

Vermillion

Supreme [H]ardness

kllrnohj

Supreme [H]ardness

Vermillion

Supreme [H]ardness