The final round of Developer Preview images released on Friday left a number of users without root access on their devices, but a lightning fast quick-fix by Chainfire had them back in business the following day. Yesterday, he took to Google+ with a follow-up of how it works and the issues that are making it more difficult to acquire root on the latest version of Android.
Due to increasingly effective security measures and stricter enforcement of SELinux, it seems that many, or possibly all of the available methods for initializing the SuperSU daemon at startup have been rendered ineffective.
The Internet has been abuzz over the recently discovered Heartbleed bug. If you're not already familiar, Heartbleed is a vulnerability in the OpenSSL software library that allows an attacker to steal data directly from the memory space of an application and learn the private keys used to keep data securely encrypted as it travels over the Internet. The implications of this kind of leak are certainly severe, and it has everybody rushing to either install updates that fix the bug or implement workarounds to disable it.
Like most OEMs, HTC likes to lock down the devices it sells to the general public, but maybe you like a little more freedom. That means an exploit is required to get s-off status. The new Firewater S-Off tool can manage that for any (or at least very nearly any) HTC device, even newer HTC One phones.
The tool comes courtesy of developers beaups and fuses, and it's completely free for personal use.
Some Moto X owners weren't particularly happy to learn that a recent OTA with improvements to the camera also had the undesirable consequence of breaking root acquired through PwnMyMoto. Fortunately, the creator of PwnMyMoto, Justin Case, is back with an updated root method that works on the latest Moto X update and should be compatible with all recent Motorola firmwares.
Update: RockMyMoto is confirmed to also work on the latest firmwares for the Droid Maxx, Ultra, and Mini.
The security of our mobile apps and private data is a very serious matter. This is particularly true for high value targets like web browsers, which often store login credentials that can be used to access many of the websites we use on a regular basis. Unfortunately, browsers are also very complicated applications with an extensive set of features that are difficult to lock down completely. Sebastián Guerrero Selma of viaForensics recently posted a video demonstrating a newly discovered vulnerability in Firefox for Android which would allow hackers to access both the contents of the SD card and the browser's private data.
A very serious security hole has been discovered in Firefox for Android that allows a website to force the browser to download and run potentially damaging files, usually without the user's knowledge or interaction. The vulnerability was first described and demonstrated publicly on September 9th as part of a posting meant to advertise the attack as being for sale. The method for exploiting the weakness simply requires a webserver to instruct Firefox for Android to initiate a download, after which the downloaded file is automatically opened or executed (depending on the file type).
Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. This attack also sidesteps a bug in the signature verification step and allows seemingly innocent APKs to include a potentially dangerous payload; and like its brethren, Google has already patched the flaw and posted it to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly individual) calling itself the Android Security Squad.
Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten.) Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins for which we should be afraid. Back in February, one such monster was discovered lurking about that allowed modified APKs to be installed on your device while successfully side-stepping the cryptographic signature used to prevent that very thing.
A new piece of Android malware has been discovered by security researchers at Kaspersky Labs. That by itself wouldn't be big news, but this Trojan does things no other malicious app has done. It exploits multiple vulnerabilities, blocks uninstall attempts, attempts to gain root access, and can execute a host of remote commands. Backdoor.AndroidOS.Obad.a, as it has been dubbed, is the most sophisticated piece of Android malware ever seen.
There are two previously unknown Android vulnerabilities exploited by Obad.