According to a group of computer scientists at North Carolina State University, a vulnerability exists within many Android devices that would allow hackers (or malicious apps) to bypass the permissions request process and tap into audio and location, wipe apps and data, or send unauthorized SMS messages, all without the user knowing.
This news may sound a bit sensational, but the researchers have created and tested a dummy app which effectively demonstrates the exploit:
Among the eight phones tested with the researchers' diagnostic app (Woodpecker), HTC's Evo 4G seemed to be the most vulnerable, able to "leak" eight different capabilities to their dummy app, which was not explicitly granted appropriate permissions by the user.
If you've received the new version of the Android Market on your phone, you might have noticed among the legion of additions to the app a very noticeable subtraction: the "Just In" section. Some people don't like this.
In fact, there is a growing thread over at Google Support with a number of complaints about this change. Of course, the complaints are pretty exclusively from developers. Now, some of these complaints are made from a legitimate perspective - new developers who want exposure.
Every year, Defcon brings about some new concepts, hacks, vulnerabilities, and other digital tomfoolery. Sometimes it's all in good fun, but other times it's all too scary, which happens to be the case with a new class of Android malware that could allow for phishing attacks and pop-up ads alike.
Thanks to a design flaw in Android, there is a "feature" that allows an application to steal focus and pull itself into the foreground, bypassing the notification system entirely.
Well, that was pretty fast, actually. The DROID Incredible 2 has successfully been unlocked by AlphaRev - that means 100% rooted and (soon) ROM-ready. Instructions and a download will follow soon - so hold tight, we'll keep you updated on this one.
If you've been watching the blogosphere over the last few days, you might have seen an article or two about a "complaint" filed with the FCC over Verizon's block on tethering applications in the Android Market.
The complainant's argument goes something like this: Verizon purchased the 700MHz spectrum ("block C" of the spectrum) back in 2007, and that spectrum is now used by Verizon for its 4G LTE service. That purchase, à la Google and other net neutrality lobbyists, came with one seemingly large caveat: Verizon (or AT&T, or anyone who bought in that spectrum) could not "deny, limit, or restrict" the phones using that spectrum in particular ways: phones must be carrier unlocked, able to access all parts of the web, and run any software.
Update: If you've somehow inexplicably ended up at this article, please note, HTC has since announced the 3D will be unlocked (at some point) and their future policy is to have unlocked bootloaders on all devices.
It seems HTC has finally caved to what are likely the security demands of wireless carriers with its newest phones, and is locking down its handsets Moto-style. Latest case in point: the EVO 3D - which sports the same sort of security we found on the Sensation earlier this month.
Well, that's the easy part done. The DROID X2 has been rooted, huzzah! The device was found to be vulnerable to one of the known root exploits out there (Gingerbreak) - apparently Moto couldn't be bothered to patch up the hole (the fix has been backported to 2.2 from AOSP, according to our own Justin Case.) This hasn't been fully confirmed yet, but it seems plausible, given that all previous Motorola Froyo builds have been susceptible to this exploit.
Well, that only took one media firestorm. Google, in response to widespread reports of a potential credential security hole in Android (which not only affects Android, but any OS using authTokens), is starting to roll out a fix for the public Wi-Fi vulnerability to all affected Android devices today. Google's statement, below:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.
Regardless of where you sit in the tech world, there is one thing that affects us all: security vulnerabilities. Unfortunately, our little green robot is no exception to this rule, and The Register recently dropped a report on a potentially bad exploit.
Apparently, in Android 2.3.3 and below, there is a vulnerability that would allow attackers to collect digital tokens that are stored on the device after users log in to Google Calendar, Facebook, Twitter, and "several other accounts."
Here's how it works: when you log in to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle.
Well, that was fast. It hasn't been very long since the vold exploit was found that allowed root access to Gingerbread and Honeycomb systems, but Google has already patched it and moved the fix into the AOSP code (see these commits: , , , ). This means that once this update is pushed, we will need to find another route to achieve root access on devices running Gingerbread and Honeycomb.