- Security has been and will be Android's weak link because of its openness. Here is an interesting read on how vulnerable Android users are to identity theft.
99% of Android handsets vulnerable to account credential theft
05-17-11 10:23 AM
- Can't get much worse than that... politicians can't even get that high an approval/disapproval rating...
I understand these data leaks for Android are subject to many variables, but we are entering a world where using a mobile device as a payment method, both online and in-store, is becoming commonplace. People call RIM behind the times... but without security, you are left with garbage.
05-17-11 11:06 AM
- That's ridiculous. On the other hand, in 2011, I'm not connecting to any "open" wifi internet connections unless I'm at work or at home, both of which are protected. Now, if I need to stop at a coffee shop and check something on my computer, I'll use my broadband modem. In this day and age, I don't understand why anyone connects to unsecured wifi hotspots for anything.
bp3dots likes this.
05-17-11 11:27 AM
- Tre Lawrence (Between Realities): Best comment from the story:
No fragmentation here
Good info.
05-17-11 11:42 AM
- That's ridiculous. On the other hand, in 2011, I'm not connecting to any "open" wifi internet connections unless I'm at work or at home, both of which are protected. Now, if I need to stop at a coffee shop and check something on my computer, I'll use my broadband modem. In this day and age, I don't understand why anyone connects to unsecured wifi hotspots for anything.
Posted from my CrackBerry at wapforums.crackberry.com
05-17-11 12:04 PM
- I'm running 2.3.4 so I guess I'm safe?
But regardless, this is terrible for those who don't have access to this update, and even worse for people who are completely unaware. Patches like this should move backwards IMO. If Gingerbread 2.3.4 fixes the issue, then FroYo 2.2 should get a 2.2.4 update, Eclair should get a 2.1.4 update, etc (if the problems are on previous versions as well - which I'm assuming they are).
05-17-11 12:34 PM
- Tre Lawrence (Between Realities): I think it is a fairly serious issue, but one that most users won't be overly bothered about... right or wrong.
The "openness" sword swings both ways. As of right now, I am prepared to live with the drawbacks. That won't -- and shouldn't -- be the same for all Android users.
The bad app thingie didn't have me worried at all.
05-17-11 01:02 PM
- I saw this article earlier. I'm all for one platform bashing another in the name of saying "Ours is better!" But this is pretty scary.
I really hope that Google gets some sort of fix out soon, because even though I don't own a Google phone, people I know do, and they are at risk here.
Shame really, I hope that nobody is seriously affected by this.
Posted from my CrackBerry at wapforums.crackberry.com
05-17-11 01:55 PM
- This is the problem with the "open" platform model. The less control you have over what others can do with your platform, the more vulnerable it is to exploits and attacks. Not saying that the attacks will happen, but when you relinquish that control you make yourself susceptible to this. And though it's not entirely an Android problem, it's the inherited problems of the platform model. I'll keep saying it.... Until Google starts really controlling things (maybe not as strict as Apple) we will continually hear about these things. I think Google exercising some control benefits all users in the long run. The only people that would be upset are the wannabe hackers who aren't hackers but pretend to be one on the Internet.
05-17-11 02:14 PM
- DenverRalphy (Retired Network Mod): It will be interesting to see how quickly Google can send out a patch. I may be mistaken, but I'm pretty sure Google can issue security patches without having to wait on carriers. They've done it before with other aspects of Android (like the market app).
05-17-11 02:20 PM
- Unfortunately, with the little issues and quirks I've been having, this might be the end of the line for me.
I got my Atrix back out yesterday morning and immediately ran into connection problems. Today there's this.
I'm regretting my purchase.
Posted from my CrackBerry at wapforums.crackberry.com
05-17-11 02:41 PM
- Probably at least 80% of the 99% of users are screwed due to the debacle that is carrier/manufacturer fragmentation.
05-17-11 02:49 PM
- DenverRalphy (Retired Network Mod): As I search the interwebz for more info, it seems that services using OAuth aren't susceptible to the attack in the article. Which all apps and services seem to already be using.
The ClientLogin API is a tool that's only supposed to be used in a closed environment, like communication between your device plugged directly to your PC. Similar to the differences between using Telnet over SSH.
I'm still researching, but it seems (so far) to be more scare tactic journalism on a proof of concept. As it stands right now based on what I've been reading, no services or apps are using the ClientLogin API over OAuth in any case, rendering the point somewhat moot.
05-17-11 03:12 PM
- DenverRalphy (Retired Network Mod): Well, after a lot more searching and reading, it seems that ClientLogin has for all intents and purposes been deprecated. Nobody seems to be using it anymore.
05-17-11 03:56 PM
- I am quite certain a large number of people are using ClientLogin.... Otherwise there would not be a ton of code examples saying how to use or to use ClientLogin to authenticate stuff like GR...
Even the google calendar and contacts apps did not switch to https until 2.3.4, so why would all 3rd party applications automagically have switched already? I seriously doubt it...
05-17-11 04:02 PM
- DenverRalphy (Retired Network Mod): I am quite certain a large number of people are using ClientLogin.... Otherwise there would not be a ton of code examples saying how to use or to use ClientLogin to authenticate stuff like GR...
Even the google calendar and contacts apps did not switch to https until 2.3.4, so why would all 3rd party applications automagically have switched already? I seriously doubt it...
So what remains to be seen is which method is actively being used.
What I'm trying to nail down is whether the native apps (or 3rd party even) are actually using the ClientLogin API for calendar/contacts sync etc.
Last edited by rmjones101; 05-17-11 at 04:49 PM.
K Bear likes this.
05-17-11 04:46 PM
- Here's more Android security woes that got unfolded on AC
http://www.androidcentral.com/more-a...ix-them-sophos
05-17-11 07:46 PM
- Tre Lawrence (Between Realities): rmjones, while I was initially dismayed, my research essentially led me to the same conclusion as yours.
In any case, I remember when "major" security breaches were found on BB. I remember when folks got all in an uproar over stuff that essentially was overblown.
As for the new set of malicious apps, give me a break. While it is not at all good or optimal, still... iCalendar? Really? You'd download that?
Peer review is a powerful tool, and I can live with openness and a good amount of feedback, which is the only way an app makes it on my device.
While the list of Permissions is a good deterrent, the all or nothing aspect is no fun. I would like the ability to nix particular permissions.
K Bear likes this.
05-17-11 10:41 PM
- 05-18-11 04:40 AM
- DenverRalphy (Retired Network Mod)
05-18-11 12:36 PM