Kitz Forum

Computer Software => Security => Topic started by: AArdvark on September 10, 2015, 12:57:09 AM

Title: Yet another Android vulnerability ...... this one is a doozy
Post by: AArdvark on September 10, 2015, 12:57:09 AM
Download the app to test your Android Phone/Tablet here
https://play.google.com/store/apps/details?id=com.checkpoint.capsulescanner&hl=en

Article in 'The Register':
Mobile device screens recorded using the Certifi-gate vulnerability
Vulnerable plug-ins have been installed on hundreds of thousands of Android devices, allowing screens to be recorded, according to data from the scanning tool which discovered that the so-called Certifi-gate vulnerability is already being exploited in the wild.

Gets worse, read article.
http://www.theregister.co.uk/2015/08/25/certifi_gate_vulnerability_exploited/
Title: Re: Yet another Android vulnerability ...... this one is a doozy
Post by: Ronski on September 10, 2015, 06:31:59 AM
The writer of that article is clearly into Apple and not Android; you jailbreak an iPhone and root an Android phone.

Nevertheless it's still yet another problem with Android. I really need to get around to updating the OS on my phone.
Title: Re: Yet another Android vulnerability ...... this one is a doozy
Post by: AArdvark on September 10, 2015, 08:05:51 AM
Quote
The writer of that article is clearly into Apple and not Android; you jailbreak an iPhone and root an Android phone.

I know  ;D

The real problem is hidden in the article.
The original apps have been removed from the Google & Amazon app stores but the methods they used are built into Android.
As stated all you need to do is emulate the apps and you get access.
It is the classic hack of misusing feature(s) for purposes never intended.

Why do developers and designers of these apps/OSes always assume that features will never be misused?

It is a bit like having a big button labelled 'Do not press' ...... it will always be pressed because it can be.
Title: Re: Yet another Android vulnerability ...... this one is a doozy
Post by: Chrysalis on September 10, 2015, 09:46:36 PM
I had my first Stagefright hack attempt today, a picture message from an unknown contact.

Android needs fixing. The whole ecosystem in how updates are distributed is broken.
Title: Re: Yet another Android vulnerability ...... this one is a doozy
Post by: sevenlayermuddle on September 10, 2015, 11:32:36 PM
I'm not trying to turn this into an Apple/Android debate, but worth pointing out one difference twixt the two that IMHO is relevant...

.. It is Apple's 'review' process.   For developers (I am one) it is a bit of a PITA, you submit your App and then wait some indeterminate time, usually a week or so but maybe more, while Apple's reviewers decide whether it is fit for the App Store.   One thing, among many, they may check is for linkage to undocumented APIs ('back doors') which would lead to rejection.

For sure, it may still be possible to get a dodgy App approved, if you catch them off guard. But the fact that they actually check every submission in some detail is a strong disincentive against devs attempting anything naughty.