  1.    #1  
    Given their track record, I don't think so...

    Researchers find trojanized banking app that exploits critical Android bug | Ars Technica


    Note:
    If you look in one of the comments halfway down the page, there's a tutorial on how to utilize this exploit for your own testing purposes... I won't post the links here for legal reasons, but if you care enough you'll see it
  2. #2  
    Sorry, that seems a little sensationalized to me because you forgot to include important information within that article (maybe you just missed the embedded link), which states:

    By now, you've probably heard all about the changes introduced with Google's Android 4.3 release. But those fresh features and bits of polish are only part of the story. One of Google's biggest changes to the Android platform is actually happening outside of the operating system -- and it's affecting almost every Android device in the world.

    It's the widespread launch of a universal app-scanning system -- a system that watches your device for any new application, even one loaded directly onto the device ("sideloaded") from outside of the Google Play Store, and instantly checks the app for malicious or potentially harmful code.

    That's huge. And while we've been busy focusing on new devices and fun features, Google's been busy making sure every Android user has that system on his phone -- whether he realizes it or not.

    Google initially launched the feature, known as Verify Apps, with Android 4.2 last November (Android VP of Engineering Hiroshi Lockheimer discussed it with me exclusively at the time). Now, Google has pulled the program out of the OS and made it automatically available to every device running Android 2.3 or higher. That covers almost every phone and tablet out there -- about 95 percent of the actively running products, according to Google's latest platform measurements.

    How did that happen? Simple: Google made the code a part of Google Play Services, a standalone utility that's updated regularly behind-the-scenes by Google -- independent of any manufacturer or carrier rollouts. It's part of the ongoing deconstruction of Android that we've been talking about for a while now.

    The new system works alongside an automated scanning system that's been in place since early 2012 for all apps on the Google Play Store. With the new device-level scanning added into the picture, that means every app you put on your phone -- whether from the Play Store or from an unofficial third-party source -- is now scanned, analyzed, and compared to a massive database of malicious code, all in a fraction of a second.

    On the Play Store side, if something is flagged as problematic, it won't be published. On your device, if a red flag comes up -- even just for something as seemingly innocuous as an app that might send SMS messages on your behalf without your knowledge -- the system will warn you and recommend you avoid proceeding with the installation.

    "We wanted to make sure those protections were available even for users who were choosing to install applications from a source other than Google Play," Android Security Engineer Adrian Ludwig tells me. "It's always been a focus for Android to make sure that we're supporting an open ecosystem and that it's possible for users to get applications that developers, for any number of reasons, aren't distributing through [the official Play Store channel]."
    Link is in the third paragraph. Long quote, but figured it may alleviate some concerns if the entire article was there.
    Due to the cancellation of the penny, I no longer give 2¢ about anything. I may however, give a nickel
  3.    #3  
    I have read that.

    But...

    ACL isn't a normal OEM Android distribution...

    Companies like Samsung have no doubt updated their ROMs and released OTA updates to all carriers, they have a reputation to guard. Google has released an update to Google Play that also patched this from their end.

    But OpenMobile won't be able to license Google Play from the get-go (users will have to side-load), and furthermore, ACL is based off of AOSP (non-Google-equipped, vanilla Android), so they, as an "OEM", will have to bear the responsibility of patching their system. They cannot just sit and wait for the fix to trickle down to them.

    You just can't expect Google to reach out and update ACL, which is a lopped off chunk of Android removed from its predictable home environment.. even if they could, updates are most likely disabled for the above-stated reason.
  4. #4  
    Ah fair enough, I forgot Play wasn't going to be included in the package deal. RemyX 1 Sledge007 0
    Stay away from South Korean bank apps?
  5.    #5  
    **crickets**


    I guess they won't care to even make a statement for the sake of their customers, unless we umm... demonstrate the exploit.


    BTW, this might be a better article to describe the extent of this problem, especially when it comes to apps signed with the OEM key, which would allow malware to bypass the sandbox environment and install a system-wide rootkit...

    Vulnerability allows attackers to modify Android apps without breaking their signatures
  6. #6  
    Quote Originally Posted by Remy X View Post
    **crickets**


    I guess they won't care to even make a statement for the sake of their customers, unless we umm... demonstrate the exploit.


    BTW, this might be a better article to describe the extent of this problem, especially when it comes to apps signed with the OEM key, which would allow malware to bypass the sandbox environment and install a system-wide rootkit...

    Vulnerability allows attackers to modify Android apps without breaking their signatures
    Sounds pretty terrifying...where'd all the butterflies, puppies, and rainbows go? Oh, right, HP...So stay away from ACL until it's patched? Or is there another solution?
  7.    #7  
    Quote Originally Posted by alanmorford View Post
    Sounds pretty terrifying...where'd all the butterflies, puppies, and rainbows go? Oh, right, HP...So stay away from ACL until it's patched? Or is there another solution?
    OM should patch their stuff before sending it out to the general public. That's all. There's still time to do it, beta testers aren't idiots, so I'm not worried about them.

    But the silence doesn't make a very good impression either way.
  8. #8  
    Quote Originally Posted by Remy X View Post
    OM should patch their stuff before sending it out to the general public. That's all. There's still time to do it, beta testers aren't idiots, so I'm not worried about them.

    But the silence doesn't make a very good impression either way.
    Hmm agreed. We are used to full disclosure from the homebrew community. This silence and secrecy from a commercial entity is scary. But time will tell. #cliché
  9.    #9  
    Quote Originally Posted by alanmorford View Post
    Hmm agreed. We are used to full disclosure from the homebrew community. This silence and secrecy from a commercial entity is scary. But time will tell. #cliché
    Not scary, but it does put a serious dent into OM's credibility. But that's okay. OpenMobile's credibility is already made of dents.

    Anyway, it looks like they simply don't visit the forum often enough. AnitaOM is not a webOS user, and PIC's DMeister has his own webOS Italia forum, brandongoeszoom goes to college, zukny has other stuff going on...
  10. #10  
    I am none of these people but I'm creeped out at your stalker-like level of knowledge of them. 8)

    -- Sent from my TouchPad using Communities
  11.    #11  
    Quote Originally Posted by alanmorford View Post
    I am none of these people but I'm creeped out at your stalker-like level of knowledge of them. 8)

    -- Sent from my TouchPad using Communities
    Photographic memory
  12. #12  
    Quote Originally Posted by Remy X View Post
    But OpenMobile won't be able to license Google Play from the get-go (users will have to side-load), and furthermore, ACL is based off of AOSP (non-Google-equipped, vanilla Android), so they, as an "OEM", will have to bear the responsibility of patching their system. They cannot just sit and wait for the fix to trickle down to them.

    What about sideloading Amazon app store? Then install apps from it. Possible?
    ----------------------------------------------------------------------------------------------------
    I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s positions, strategies or opinions.
  13.    #13  
    Quote Originally Posted by TopTongueBarry View Post
    What about sideloading Amazon app store? Then install apps from it. Possible?
    I doubt that Amazon will provide the security fix to random users who sideload their app store, but sideloading it for the sake of its apps is definitely possible
  14. #14  
    Quote Originally Posted by TopTongueBarry View Post
    What about sideloading Amazon app store? Then install apps from it. Possible?
    Not only doable but it's already "working".
  15. #15  


    (to proper forum)
  16. #16  
    OM originally suggested loading Amazon's store when they said they couldn't include Google's option. This was/is important as their own appstore/market looked pretty weak at the time of their statement, as they had only 1 "app partner" back then, so the quality of apps available would have been pretty dire without Amazon's option.
  17. #17  
    Quote Originally Posted by geekpeter View Post
    OM originally suggested loading Amazon's store when they said they couldn't include Google's option. This was/is important as their own appstore/market looked pretty weak at the time of their statement, as they had only 1 "app partner" back then, so the quality of apps available would have been pretty dire without Amazon's option.
    Yeah that probably made it an instant priority.
