Linked by Thom Holwerda on Tue 29th Jul 2014 18:28 UTC

Dan Goodin, at Ars Technica, is writing about a security flaw in Android. It's got all the usual scary-scary language about doom and gloom, quotes from antivirus peddlers, and it wasn't long until sensationalist Apple site AppleInsider took it all one step further (relevant). So, is this a real security threat, or are we looking at sensationalism run amok?

This is the issue in a nutshell.

The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.
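The failure described above amounts to granting a signer's privileges without checking that each app certificate was really signed by the issuer it names. As an added illustration (not code from Android, Ars Technica or Google), the toy chain verifier below contrasts `chain_names_only`, which trusts the issuer field alone, with `chain_verified`, which checks every signature and pins the root by key; the RSA parameters, names and certificates are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook RSA over fixed Mersenne primes, for illustration only; a real verifier uses an X.509 library.
def _keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)
def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def _sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])
def _verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: tuple   # (n, e) belonging to the subject
    signature: int  # issuer's signature over tbs()
    def tbs(self):  # "to be signed" bytes: everything except the signature
        return f"{self.subject}|{self.issuer}|{self.pubkey}".encode()

def issue(subject, subject_pub, issuer, issuer_priv):
    tbs = Cert(subject, issuer, subject_pub, 0).tbs()
    return Cert(subject, issuer, subject_pub, _sign(issuer_priv, tbs))

def chain_names_only(chain, trusted_roots):
    """Flawed: accepts each cert's issuer *claim* without checking who signed it."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in trusted_roots

def chain_verified(chain, trusted_roots):
    """Correct: each link must verify under the parent's key; the root is pinned by key, not name."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not _verify(parent.pubkey, child.tbs(), child.signature):
            return False
    root = chain[-1]
    return trusted_roots.get(root.subject) == root.pubkey and _verify(root.pubkey, root.tbs(), root.signature)

# Constructed keys and certificates; none of this is real Android or vendor material.
vendor_pub, vendor_priv = _keypair(2**61 - 1, 2**89 - 1)
app_pub, _app_priv = _keypair(2**107 - 1, 2**127 - 1)
rogue_pub, rogue_priv = _keypair(2**31 - 1, 2**521 - 1)
TRUSTED = {"Trusted Vendor CA": vendor_pub}  # special privileges are keyed on this root
vendor_root = issue("Trusted Vendor CA", vendor_pub, "Trusted Vendor CA", vendor_priv)
genuine_app = issue("com.example.plugin", app_pub, "Trusted Vendor CA", vendor_priv)
forged_app = issue("com.example.plugin", rogue_pub, "Trusted Vendor CA", rogue_priv)  # names the vendor, signed by a stranger
```

Only the name-based checker accepts `forged_app`; the verified chain rejects it, and also rejects a self-made root that merely reuses the trusted name.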

Sounds serious! Should you be worried? Is it time to stock up on canned beans and switch to a Nokia 3310? Of course, it's always time to switch to a Nokia 3310, but not really because of this "issue". Buried deep within the Ars Technica article is Google's response to the issue.

After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

First, a patch has been sent to OEMs and AOSP, but given Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue and to block applications that try to abuse this flaw from being installed. This means two things.

First, that there are no applications in Google Play that exploit this issue. If you stick to Google Play, you're safe from this issue, period. No ifs and buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.

As a sidenote, you can actually disable Verify Apps, but contrary to what some people seem to think, the dialog you get about sending data to Google when trying to sideload an application has nothing to do with this (that dialog only covers sending data about the application to Google, which is not required for Verify Apps to work). To actually completely disable Verify Apps, you need to go into the Google Settings application (or the Android settings application in 4.2 and up), navigate to Security, and disable it from there.

To get back to the matter at hand: this means that every Android user with Google Play Services is 100% protected from this issue. The only way an Android user can potentially be affected by this issue is if she, one, specifically allows installation from unknown sources, and two, specifically disables Verify Apps - each accompanied by several warnings. Luckily, not a single application in or outside of Google Play is currently trying to exploit this issue.

While one can expect sensationalist nonsense from a site like AppleInsider - you don't blame TMZ for reporting on a fart by Miley Cyrus; you don't blame AppleInsider for spreading sensationalist nonsense - I'm very disappointed that a respected site like Ars Technica resorts to spreading this kind of fear, uncertainty, and doubt, especially since this isn't the first time the site has done so.

Recently, it has become very clear that the security industry - antivirus peddlers and similar companies - have focussed all their attention on Android, resorting to all sorts of dirty tactics to scare unsuspecting users into buying their useless software. Since I can't stress this often enough: do not install antivirus on Android (or iOS, for that matter). It is not needed in any way, shape, or form.

This is not the first time they have tried to spread and exploit fear, uncertainty, and doubt. Back when Windows started properly shoring up its security, Microsoft released MSE, and the mass infections of the early XP days became a thing of the past, they tried to use the exact same tactics to try and scare the rapidly growing number of OS X users into buying their junk.

I advocated against this practice then (more here), and I will advocate against it now. When you come across stories like this, you can almost always assume it's FUD, whether it covers Android, OS X, or iOS. They almost always originate from antivirus peddlers, who know full well that operating system security - on both desktop and mobile - has increased so much this past decade or so that their core business model is at stake, and as such, they have to drum up the FUD. I just wish respected websites would not dance to their tune for clicks.

And yes, you should totally get a 3310.

Thread beginning with comment 593445
Thank you
by satan666 on Tue 29th Jul 2014 19:16 UTC

Thom, thank you for your sanity.
Quote: "one can expect sensationalist nonsense from a site like AppleInsider"
One should really expect the AppleInsider folk to mind their own Apple business... unless they are jealous.
I don't know where you got this idea that Ars Technica is an unbiased site. They've had an anti-Android agenda for quite a while. How about this piece of lying shit?

Reply Score: 4

RE: Thank you
by Carewolf on Tue 29th Jul 2014 19:32 in reply to "Thank you"

Ars have multiple editors with different biases. You shouldn't assign a collective bias to them. Some are much worse than others. Fortunately, Ars running truly incorrect stories is still not a daily occurrence; it's just slowly starting to get weekly ;)

Reply Parent Score: 4

RE[2]: Thank you
by tidux on Tue 29th Jul 2014 19:35 in reply to "RE: Thank you"

I stopped reading ars regularly a while ago. Now I mostly just pop over for the Siracusa OS X reviews. I don't even USE OS X, but they're engaging and well written, and keep me somewhat up to date in Apple desktop land.

Reply Parent Score: 4

RE: Thank you
by Hiev on Tue 29th Jul 2014 19:55 in reply to "Thank you"

I read that too and the article wasn't accurate; the question is, why is it making you angry?

Reply Parent Score: 3

RE[2]: Thank you
by satan666 on Tue 29th Jul 2014 22:44 in reply to "RE: Thank you"

Uh... Let's see here... Because they spread lies about Android which is an OS I happen to like? Doh!

Reply Parent Score: 3

RE: Thank you
by tkeith on Tue 29th Jul 2014 20:54 in reply to "Thank you"

Yeah, I liked Ars because they had a content mix that many other sites lacked. But then they started running click bait headline stories, usually related to Android and it got annoying. Then they published that piece full of misleading and outright false information. Read the comments, the writer outright attacks some of the readers including a Google engineer. Sad.

Reply Parent Score: 5

RE[2]: Thank you
by WorknMan on Tue 29th Jul 2014 21:51 in reply to "RE: Thank you"

Quote: "Yeah, I liked Ars because they had a content mix that many other sites lacked. But then they started running click bait headline stories, usually related to Android and it got annoying."

Not only that, but just like pretty much every other 'general-purpose' tech site out there (including this one), it has been hijacked by liberals who basically use it as their political soap box. I see articles being put up about diversity, the death penalty, gun control, gay marriage, etc... not exactly tech-centric stuff, and they're ALWAYS biased, one-sided viewpoints.

Not that I always disagree with them, but it gets old seeing the same talking points being rolled out time after time.

Reply Parent Score: -1