  1. Invictus0's Avatar
    Vulnerabilities abound. Look here, or here for example. You can either live off the grid in a tinfoil house, or stay connected conscious that you need to apply some common sense in both security and behavior.
    Of course but OP is specifically referring to Android.

    The major vulnerabilities that were discovered this year hit Android particularly hard compared to iOS. All Android OEMs basically had to wait for Google to patch them.
    11-17-17 12:50 AM
  2. dastillero1975's Avatar
    Of course but OP is specifically referring to Android.

    The major vulnerabilities that were discovered this year hit Android particularly hard compared to iOS. All Android OEMs basically had to wait for Google to patch them.
    The real problem is not waiting for Google but to really apply the patches. Most makers don't have a monthly patching policy for their devices.
    That's why Google is trying to separate the "system" from the customized part (where the phone makers apply their changes) on Android so they can at least force the update of the core. You can have vulnerabilities at other level like GUI that depends on maker, but at least the core will be fairly safe.
    11-17-17 01:41 AM
  3. BigBadWulf's Avatar
    Of course but OP is specifically referring to Android.

    The major vulnerabilities that were discovered this year hit Android particularly hard compared to iOS. All Android OEMs basically had to wait for Google to patch them.
    Hit particularly hard in what way? The news has a habit of selective reporting. Comparing apples and droids, the potential is pretty equal.
    11-17-17 07:20 AM
  4. bb10adopter111's Avatar
    Hit particularly hard in what way? The news has a habit of selective reporting. Comparing apples and droids, the potential is pretty equal.
    In the Cybersecurity world, companies have long known that Android is inferior to iOS. Samsung, and now BlackBerry Mobile, are the only Android Manufacturers making a case for serious consideration by organizations with a focus on cybersecurity (which is quickly becoming everyone due to the big companies demanding their lower tier partners meet cybersecurity standards).

    The problem with generic Android manufacturers is that they really don't invest in cybersecurity, which affects every part of their process, from hardware design to the manufacturing supply chain to Android implementation and configuration to patching.

    There are 10s of thousands of enterprises who are targeted every day by armies of highly qualified hackers in criminal organizations, nation states, and non-nation-state actors. They are not just running known exploits they picked up in a hacker fanzine. To defend against these threat agents requires more than just having the right version of Android, even though that is obviously critical.

    If you are responsible for cybersecurity in one of those organizations, the only way to allow BYOD with generic Android is to lock down information assets so tight as to limit people's ability to work via their mobile phones.

    Posted with my trusty Z10
    11-17-17 09:30 AM
  5. tickerguy's Avatar
    The problem with Android lies in its design (things like Mediaserver, for example) and cannot be fixed without breaking backward compatibility with all existing Android apps.

    Google knows this and doesn't care. Google basically had a team of monkeys write Android in the first place; it's an ungodly mess by any standard, and if you've worked on the code and actually do coding for a living you know what I'm talking about. It sucks, period.

    But it is what it is -- and that both corporate and individual users keep buying it tells you everything you need to know about stupidity in the marketplace, plus how the big companies have gamed the legal process, as had they not, both Google (and Microsoft, for that matter) would have been out of business a decade ago.
    11-17-17 10:45 AM
  6. Invictus0's Avatar
    The real problem is not waiting for Google but to really apply the patches. Most makers don't have a monthly patching policy for their devices.
    That's why Google is trying to separate the "system" from the customized part (where the phone makers apply their changes) on Android so they can at least force the update of the core. You can have vulnerabilities at other level like GUI that depends on maker, but at least the core will be fairly safe.
    That's only for OS updates (Project Treble); monthly patches are separate from it. Apathetic OEMs are certainly a problem for patches, but it's also a problem that Google can't push hotfix updates for serious vulnerabilities outside of the monthly patch schedule (OEMs have to do that; BlackBerry and Essential did for KRACK last month IIRC).

    Google themselves are also kinda lax with patching,

    KRACK patch for Pixel and Nexus devices due in December | Pocketnow

    Hit particularly hard in what way? The news has a habit of selective reporting. Comparing apples and droids, the potential is pretty equal.
    If we just look at the past few weeks, BlueBorne didn't impact iOS 10+ and KRACK was mitigated to some extent before Apple patched it. Android had to patch both and KRACK was particularly bad on Android 6+ devices. There's also the seemingly never ending StageFright problem,

    https://www.androidheadlines.com/201...c-in-2017.html
    11-17-17 10:59 AM
  7. BigBadWulf's Avatar
    In the Cybersecurity world, companies have long known that Android is inferior to iOS. Samsung, and now BlackBerry Mobile, are the only Android Manufacturers making a case for serious consideration by organizations with a focus on cybersecurity (which is quickly becoming everyone due to the big companies demanding their lower tier partners meet cybersecurity standards).

    The problem with generic Android manufacturers is that they really don't invest in cybersecurity, which affects every part of their process, from hardware design to the manufacturing supply chain to Android implementation and configuration to patching.

    There are 10s of thousands of enterprises who are targeted every day by armies of highly qualified hackers in criminal organizations, nation states, and non-nation-state actors. They are not just running known exploits they picked up in a hacker fanzine. To defend against these threat agents requires more than just having the right version of Android, even though that is obviously critical.

    If you are responsible for cybersecurity in one of those organizations, the only way to allow BYOD with generic Android is to lock down information assets so tight as to limit people's ability to work via their mobile phones.

    Posted with my trusty Z10
    You're talking enterprise, and I understand. That's your field. Reality is though, I'm much more concerned about them hacking a server than my phone. I've taken a hit from Yahoo and Equifax. We've also seen Target, Sony, the DNC and Home Depot hacked, to name a few. It's all troublesome, but none of those attacks have come through a phone to my knowledge.

    Getting back to your original post, if a consumer properly sets up security on their phone, even if someone gains possession, are they going to be able to gain access?

    If we just look at the past few weeks, BlueBorne didn't impact iOS 10+ and KRACK was mitigated to some extent before Apple patched it. Android had to patch both and KRACK was particularly bad on Android 6+ devices. There's also the seemingly never ending StageFright problem,

    https://www.androidheadlines.com/201...c-in-2017.html
    And yet, what is the most infamous case of hacking in the phone world? Which again was not through the phones.

    I'm not saying there isn't reason to be concerned. Everyone should, as I previously stated, use common sense. Android definitely has its share of vulnerabilities, and just like all other aspects of life, one should think before purchase. Same could be said for the lock they choose on their door, alarm system, quality of the tires on their vehicle, etc. You don't think I made my tinfoil hat out of cheap aluminum, do you?
    11-17-17 10:00 PM
  8. bb10adopter111's Avatar
    You're talking enterprise, and I understand. That's your field. Reality is though, I'm much more concerned about them hacking a server than my phone. I've taken a hit from Yahoo and Equifax. We've also seen Target, Sony, the DNC and Home Depot hacked, to name a few. It's all troublesome, but none of those attacks have come through a phone to my knowledge.

    Getting back to your original post, if a consumer properly sets up security on their phone, even if someone gains possession, are they going to be able to gain access?



    And yet, what is the most infamous case of hacking in the phone world? Which again was not through the phones.

    I'm not saying there isn't reason to be concerned. Everyone should, as I previously stated, use common sense. Android definitely has its share of vulnerabilities, and just like all other aspects of life, one should think before purchase. Same could be said for the lock they choose on their door, alarm system, quality of the tires on their vehicle, etc. You don't think I made my tinfoil hat out of cheap aluminum, do you?
    Consumers aren't likely to be targeted by a nation state or organized crime, like Equifax, Target, etc. But most of those big attacks were hybrid attacks, where someone got a password here, and an IP address somewhere else until they penetrated all of the defenses and were in a position to attack the target assets. Some of those intermediate steps almost certainly involved phones.

    As a consumer, the most important things to do are straightforward:

    Use unique and strong passwords for each account.

    Use multi-factor authentication.

    Use a VPN.

    Don't use Flash.

    Use antivirus.

    Don't open emails from anyone you don't know, and don't click on attachments unless you're sure you know what they are.

    Use browser plug-ins to block unwanted ads, cookies and scripts.

    Set up a restricted account on PCs (don't use administration accounts for general use).

    And, honestly, for most non-technical consumers, use an iPhone. (I really, really, really hate iPhones but they are more secure than Android for the average user.)


    Posted with my trusty Z10
    11-17-17 10:22 PM
  9. BigBadWulf's Avatar
    And, honestly, for most non-technical consumers, use an iPhone. (I really, really, really hate iPhones but they are more secure than Android for the average user.)
    We both know the average user doesn't give a rat's rectum about security. They use weak passwords, tons of location based social media, download warez, post their email, phone number, IMEI, leave their babies in the car while running, get plastered and trust someone in an Uber to take them home, run red lights, and any number of other foolish things that put them in danger of a myriad of exploitations.
    11-17-17 11:16 PM
  10. bb10adopter111's Avatar
    We both know the average user doesn't give a rat's rectum about security. They use weak passwords, tons of location based social media, download warez, post their email, phone number, IMEI, leave their babies in the car while running, get plastered and trust someone in an Uber to take them home, run red lights, and any number of other foolish things that put them in danger of a myriad of exploitations.
    Exactly.

    Posted with my trusty Z10
    11-18-17 02:17 AM
  11. adonesc's Avatar
    Well, if we are talking about security, on my BlackDroid I'm still on the September security patch...now at the end of November... So yeah, it seems like security is not high on the list of BlackBerry either, especially its hollowed-out incarnation of BlackBerry Mobile...
    11-21-17 08:09 PM
  12. Emaderton3's Avatar
    11-21-17 09:54 PM