18 comments

[ 3.6 ms ] story [ 42.1 ms ] thread
I hate fearmongering articles like this, which basically advocate the authoritarian user-oppressing position that's sadly so common these days:

“We believe that if you are a vendor you should not trust anybody else to have the same level of permissions as you within the system,”

The fine print here is that these are effectively local privilege escalation vulnerabilities, which is far less worrying than anything remotely exploitable.

The age-old advice of not installing applications you don't trust still applies.

> The age-old advice of not installing applications you don't trust still applies.

That's the one thing that seems to be a legitimate point in this article -- Android phones tend to come with bloatware from manufacturers and carriers, so you don't have the option not to install these applications you shouldn't trust.

And very often you can't uninstall them.
Maybe you shouldn’t trust an operating system that doesn’t properly sandbox apps or an ecosystem where the operating system maker doesn’t have control over it.

Even if the software maker is “trusted” they can still be incompetent.

First example Fortnite:

https://arstechnica.com/gadgets/2018/08/fortnites-android-vu...

Second example Chrome itself. If you turned off System Integrity Protection on the Mac, a Chrome bug completely hosed your system:

https://support.google.com/chrome/thread/15235262?hl=en

This is the year 2019. Apple has proven that it is possible to make an operating system that sandboxes apps so they can’t do stupid stuff. If an app can harm your mobile operating system or can install malware it is a system vulnerability.

I’m not claiming that iOS doesn’t have any security vulnerabilities but Apple treats them as a bug not as designed.

That being said, the only phone on the list that anybody in the US should even think about trusting are ones from Sony.

If an app can harm your mobile operating system or can install malware it is a system vulnerability.

I disagree. That's exactly the authoritarian viewpoint that the article has. You can't --- or perhaps shouldn't --- try to stop all "bad things" from happening, because it will inevitably also stop some good things and it's a perfect excuse to take away freedom.

most people want the “freedom” of being able to download an app and trust the operating system won’t harm their computer. I download all kind of random crap on my iOS devices being relatively sure that I know the limitations of what the app can and can’t do and knowing which permissions it has. On my computer - especially a Windows computer - not so much. I’m not claiming that Mac is more secure, it’s just not as much of a target.

That “freedom” has led to 3 decades of viruses, malware and ransomware on computers. Android/Google didn’t learn from any of those mistakes. The mere fact that you need antivirus for a phone is proof.

That “freedom” has led to 3 decades of viruses, malware and ransomware on computers.

It's also lead to great productivity and creativity, with people being able to extend the system as much as they want.

This reminds me of the "imagine a world without crime" people... that's a dystopia where everyone is already under strict control. Insecurity is freedom.

How many people just want to use their mobile device as an appliance as opposed to a few geeks that want an ssh server running on their phone?

How much more willing are people to buy and install random crap on an iOS device than a computer because they know that they don’t have to trust developers and that they can trust IOS to sandbox their apps and apps have to explicitly ask for permission to do many things?

I wish that there were more permissions around what apps could do. Specifically, access the network at all. Right now, you can deny an app permission to use cellular but not WiFi.

I get it when a "security" firm does a FUD article, it is in their interest to sell antiviruses and whatnot, but disappointed to see that this article is coming from wired.
News flash: All devices ever released have always came preinstalled with yet-to-be-discovered vulnerabilities.
Just opened the samsung ones. They all seem to be "app by manufacturer can use permissions of another app installed by manufactuer" Android 8. And even then only things like turning wifi on/off. if that's as bad as it gets now I'd say its more like things have come a very long way.
So it's yet another case of media writing misleading articles to drive an agenda? The amount of such content these days is getting pretty catastrophic.
I don’t know that I care if anyone can see the issue today or not. Specifically in this example, one app should not be able to influence the behavior of another app outside of normal channels just because the phone mfg made the app.

Backdoors, exploits, and all manner of existing CVEs exist because of mfg shortcuts, and we should be learning lessons even if the threat model isn’t immediately apparent.

Except - Android 8. We are already on Android 10.

I'd see an issue if these potential vulnerabilities hadn't apparently already been fixed, but since it looks like they have. Meh, clickbait.

Is there any rhyme or reason to which devices they choose to scan? I see Samsung asus Sony, what about Google or lg?