OnePlus is something of a darling among Android power users, shipping phones whose bootloader can be unlocked without any special permissions or codes. But security researcher Roee Hay found that the OnePlus 3 (and the revised OnePlus 3T) are rather more open than was probably intended. With two native fastboot commands, Hay was able to flash unverified boot images and disable the verified boot feature without ever running the familiar user-accessible unlock command. That is bad: a normal unlock wipes user data precisely so that nobody can slip modified firmware onto a phone unnoticed, whereas this bypass lets anyone with USB access to the phone run malicious code from boot while leaving the user's data in place and the bootloader's lock state unchanged.
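The check a practitioner would want after a report like this is to stop trusting the lock bit on its own and cross-check it against the verified-boot state the kernel reports. The following is an added example, not code from the original post or from Hay's research. It assumes the standard Android verified-boot properties (`ro.boot.verifiedbootstate`, `ro.boot.veritymode`, present on Android 6 and later) and the `ro.boot.flash.locked` property that many bootloaders set; the getprop dump it parses is constructed for the example, not captured from a real OnePlus 3.

```python
from typing import Dict, List

# Constructed getprop dump in the "[name]: [value]" format that `adb shell getprop`
# prints. It is not output from a real device; it models a phone whose lock bit
# still says "locked" while verified boot has been turned off underneath it.
SAMPLE_DUMP = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.build.version.release]: [6.0.1]
"""


def parse_getprop(dump: str) -> Dict[str, str]:
    """Turn getprop output into a dict. Lines that are not '[k]: [v]' are skipped."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not (line.startswith('[') and ']: [' in line and line.endswith(']')):
            continue
        key, _, value = line[1:-1].partition(']: [')
        props[key] = value
    return props


def verified_boot_findings(props: Dict[str, str]) -> List[str]:
    """Cross-check the bootloader lock bit against the verified-boot state.
    A locked device running its OEM image reports verifiedbootstate=green and
    veritymode=enforcing; anything else means the lock bit cannot be trusted."""
    findings: List[str] = []
    locked = props.get('ro.boot.flash.locked')
    state = props.get('ro.boot.verifiedbootstate')
    verity = props.get('ro.boot.veritymode')
    for name, value in (('ro.boot.verifiedbootstate', state), ('ro.boot.veritymode', verity)):
        if value is None:
            findings.append(f'{name} not reported: cannot confirm verified boot')
    if state is not None and state != 'green':
        findings.append(f'verifiedbootstate is {state!r}: boot image is not the OEM-signed one')
    if verity is not None and verity != 'enforcing':
        findings.append(f'veritymode is {verity!r}: dm-verity is not enforcing on system')
    if locked == '1' and findings:
        # This combination is the signature of the bypass described above: the
        # bootloader still claims to be locked, yet verified boot is degraded.
        findings.append('bootloader claims locked, yet verified boot is degraded: lock state bypassed')
    return findings


if __name__ == '__main__':
    for finding in verified_boot_findings(parse_getprop(SAMPLE_DUMP)):
        print(finding)
```

On a real device, replace `SAMPLE_DUMP` with the output of `adb shell getprop`; an empty findings list is the only result that should be accepted as "locked and verified".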
Samsung has been diligent about releasing its security patch bulletin along with Google at the beginning of every month, but this month, it took the lead and published the details before even Google got around to doing so.
The report lists the Android Security Bulletin patches that Google issued to AOSP, which are numerous this month: 9 critical, 26 high-severity, 9 moderate, and no low-severity patches. On the Samsung side, 4 new Samsung Vulnerabilities and Exposures (SVE) items are fixed in this release, but the bulletin withholds details of two of them, presumably so as not to expose devices that have not yet received (or will never receive) the update.
Google and the major Android device vendors and carriers are scrambling to patch the recently disclosed Stagefright vulnerabilities, a set of flaws in Android's multimedia processing (the libstagefright media library) that can give an attacker remote code execution on the device via a single crafted MMS message. Google has already begun patching Nexus devices, and Samsung is working its way through its extensive product range starting with flagships. Yesterday Motorola released its plans to update its phones.
So which devices will get the fix? Basically everything Motorola has made since 2013, including carrier variants and DROID models for Verizon in the US. Here's the full list:
- Moto X Style (patched from launch)
- Moto X Play (patched from launch)
- Moto X (1st Gen, 2nd Gen)
- Moto X Pro
- Moto Maxx/Turbo
- Moto G (1st Gen, 2nd Gen, 3rd Gen)
- Moto G with 4G LTE (1st Gen, 2nd Gen)
- Moto E (1st Gen, 2nd Gen)
- Moto E with 4G LTE (2nd Gen)
- DROID Turbo
- DROID Ultra/Mini/Maxx
Some third-gen Moto G phones (released late last month) have been patched from launch, but others will need an over-the-air update.
So you might have heard about the Stagefright vulnerability that was published yesterday. While there's no evidence of exploitation in the wild, the potential for malicious MMS attacks via Android's built-in media handling system (which could theoretically affect the majority of Android devices currently in use) is certainly cause for concern. As reported in our original post, Google has known about the vulnerability since April and has been working on patches to fix the problem.
We've received a statement attributed to a Google spokesperson [emphasis ours]:
This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected.
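One of the bug classes behind the Stagefright fixes mentioned in the two posts above was an integer overflow in how libstagefright summed the sizes of MP4 boxes (atoms) before allocating a buffer for them: a 64-bit size from the file was added to a 32-bit running total, so the allocation came out tiny while the copy into it was sized by the header. The following is an added example, not code from the original posts or from AOSP: a toy box walker that models that 32-bit total (as on a 32-bit ARM build) beside the checks that close the hole. The box layout and both sample files are constructed for the example; the `tx3g` (timed text) type is used because it is one of the box types involved in the published fixes, but the parser itself is invented.

```python
import struct
from typing import Iterator, Optional, Tuple

U32_MAX = 0xFFFFFFFF   # models a 32-bit size_t on a 32-bit ARM build


def build_box(kind: bytes, payload: bytes, claimed: Optional[int] = None) -> bytes:
    """Constructed MP4-style box: [u32 size][4-byte type][payload]. A size of 1
    means a u64 'largesize' follows the type. `claimed` overrides the real size."""
    size = 8 + len(payload) if claimed is None else claimed
    if size > U32_MAX:
        return struct.pack('>I4sQ', 1, kind, size) + payload
    return struct.pack('>I4s', size, kind) + payload


def walk_boxes(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, header_len, claimed_size, type) for each box, trusting the
    size field exactly as a naive parser does. Stops when a box claims less than
    its own header (size 0 and other malformed sizes are not modelled)."""
    off = 0
    while off + 8 <= len(data):
        size, kind = struct.unpack_from('>I4s', data, off)
        hdr = 8
        if size == 1 and off + 16 <= len(data):
            size = struct.unpack_from('>Q', data, off + 8)[0]
            hdr = 16
        yield off, hdr, size, kind
        if size < hdr:
            break
        off += size   # a huge claimed size pushes off past the end and ends the walk


def tx3g_plan_vulnerable(data: bytes) -> Tuple[int, int]:
    """The unchecked pattern: every tx3g box size is added to a 32-bit running
    total used for the allocation, while the copy into that buffer is sized by
    the box header and proceeds with however many bytes the file really holds.
    Returns (bytes allocated, bytes copied); copied > allocated is the overflow."""
    allocated = 0
    copied = 0
    for off, _hdr, size, kind in walk_boxes(data):
        if kind != b'tx3g':
            continue
        allocated = (allocated + size) & U32_MAX   # wraps: the integer overflow
        copied += min(size, len(data) - off)       # the read returns what is available
    return allocated, copied


def tx3g_plan_hardened(data: bytes) -> Optional[int]:
    """Same walk with the two checks that close the hole: a box must fit inside
    the file, and the running total must stay within the allocator's range.
    Returns the allocation size, or None when the file is rejected."""
    allocated = 0
    for off, hdr, size, kind in walk_boxes(data):
        if size < hdr or size > len(data) - off:
            return None                  # box claims more bytes than exist
        if kind != b'tx3g':
            continue
        if allocated + size > U32_MAX:
            return None                  # would wrap a 32-bit size_t
        allocated += size
    return allocated


# Constructed samples. BENIGN is two honest 24-byte tx3g boxes. MALICIOUS keeps the
# first box and gives the second a 64-bit size of 2**64 - 8, so 24 + that size
# wraps the 32-bit total to 16 while the copy of the real 48 bytes goes ahead.
BENIGN = build_box(b'tx3g', b'A' * 16) + build_box(b'tx3g', b'B' * 16)
MALICIOUS = build_box(b'tx3g', b'A' * 16) + build_box(b'tx3g', b'B' * 8, claimed=0xFFFFFFFFFFFFFFF8)

if __name__ == '__main__':
    print('benign    vulnerable:', tx3g_plan_vulnerable(BENIGN), 'hardened:', tx3g_plan_hardened(BENIGN))
    print('malicious vulnerable:', tx3g_plan_vulnerable(MALICIOUS), 'hardened:', tx3g_plan_hardened(MALICIOUS))
```

The vulnerable plan for the malicious file allocates 16 bytes and copies 48, which in the real parser is a heap overflow reachable from a media file the phone parses automatically; the hardened plan rejects the file at the second box because its claimed size exceeds what the file holds.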
While the experience isn't felt across the board, many OnePlus One owners have been plagued by touchscreen issues since making the decision to never settle. As a result, the company has pushed out update after update aimed at alleviating an issue that seems to have a tendency to resurface.
Now it has released another one, OxygenOS version 1.01. A link to download the firmware is available directly inside the announcement. The forum post doesn't contain a changelog, but it does mention "a patch for the touchscreen issue."
There's also a tool available for folks who have not yet installed OxygenOS that should let them flash the latest version directly from CyanogenMod 11 or 12 without data loss.
Sprint is rolling out an over-the-air update to customers who own a Galaxy Note II that applies a security patch or two from Google. What vulnerability this update addresses isn't detailed, but it's the first OTA Sprint has sent out since the big KitKat update last May.
Once the goods arrive, they will leave your Note II running software version L900VPUCNK2. There's nothing else on the changelog, so don't go digging around looking for anything exciting.
You can check for the update manually, but do so knowing that you're making your phone just a little bit safer. Don't do it because it's fun.
Blue Spark Technologies has introduced a new wearable device at CES, but it's not a smart watch or a fitness band or even a VR headset. It's a single-use skin patch called TempTraq that connects to your Android (or iOS) phone to track body temperature.
Blue Spark pitches the patch to parents with sick progeny, though it could conceivably be used on or by anyone. The patch affixes to the body under the arm, and transmits temperature information over Bluetooth to its dedicated app.
Back in October, Google announced a rewards program that would give financial incentives for "down-to-earth, proactive improvements" to security across third-party open-source projects that Google deems "vital to the health of the entire Internet."
Starting with core infrastructure services, Chrome foundations and other "high impact libraries," Google vowed to expand the program soon. Today, in an entry to the official security blog, Google announced that the program has been expanded in scope to include open-source bits of Android, found in AOSP, and several other projects.
We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:
- All the open-source components of Android: Android Open Source Project
- Widely used web servers: Apache httpd, lighttpd, nginx
- Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot
- Virtual private networking: OpenVPN
- Network time: University of Delaware NTPD
- Additional core libraries: Mozilla NSS, libxml2
- Toolchain security improvements for GCC, binutils, and llvm
According to the patch rewards guidelines, rewards can range from $500 to $3,133.70, with higher rewards going to solutions with unusually high impact or solutions to exceedingly complex issues.
Roughly four years ago, AOL bought a little company called Patch that focuses on local community news. More specifically, "everything you need to know about your town, from local government to school news to what to do with your family this weekend" according to Patch's homepage. Unfortunately it's not available in all areas (or even all states) so there are probably many users who haven't heard of the service (myself included).
Those who have, however, will be happy to know that there's now an official Android app. According to the Play Store listing, the app "delivers a beautiful browsing experience to Android users, with an emphasis on simplicity." Sound like something you'd be interested in?
Second verse, same as the first. Two days ago the CyanogenMod ROM team announced a security update to the CM 10.1 platform, incorporating the "Master Key" security patch that Google had already issued back in February. Yesterday another, more intricate exploit in the same vein was posted by a Chinese blog, and again, Google has rapidly moved to patch the problem in Android... which won't be much comfort to those running an older release. Being the security-minded folks that they are, the CyanogenMod team has already patched the vulnerability in an even newer version of the ROM, CyanogenMod 10.1.2.
It's an easy fix if you know what you're doing: nine lines of code prevent malicious apps from skipping the signature verification built into Android.
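The original "Master Key" bug, the one the CM 10.1 update above incorporated a fix for, came down to an APK containing two ZIP entries with the same name, so that the signature verifier and the installer could end up looking at different payloads. As an added example, not code from the CyanogenMod patch or from Android, here is the check an APK scanner would want: a hand-rolled walk of the ZIP central directory that reports duplicate names, beside a demonstration that a stock ZIP reader quietly picks one of the two without complaint. The sample package is constructed in memory; it is not a real APK and carries no signature.

```python
import io
import struct
import warnings
import zipfile
from typing import Dict, List

EOCD_SIG = struct.pack('<I', 0x06054B50)   # end-of-central-directory record
CDIR_SIG = 0x02014B50                      # central directory file header


def central_directory_names(data: bytes) -> List[str]:
    """Walk the ZIP central directory by hand and return every entry name in
    order, duplicates included. Handles the classic (non-zip64) layout only."""
    tail = data[-(22 + 0xFFFF):]                 # EOCD plus at most a 64 KiB comment
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError('no end-of-central-directory record')
    _sig, _disk, _cd_disk, _here, total, _cd_size, cd_offset, _clen = \
        struct.unpack_from('<IHHHHIIH', tail, idx)
    names: List[str] = []
    pos = cd_offset
    for _ in range(total):
        if len(data) < pos + 46 or struct.unpack_from('<I', data, pos)[0] != CDIR_SIG:
            raise ValueError('truncated or corrupt central directory')
        name_len, extra_len, comment_len = struct.unpack_from('<HHH', data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode('utf-8', 'replace'))
        pos += 46 + name_len + extra_len + comment_len
    return names


def duplicate_entries(data: bytes) -> Dict[str, int]:
    """Entry names that occur more than once, with their counts. A signed APK
    should never have any: two entries under one name let a verifier hash one
    payload while the installer extracts the other."""
    counts: Dict[str, int] = {}
    for name in central_directory_names(data):
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def reader_sees(data: bytes, name: str) -> bytes:
    """What Python's own zipfile hands back for a name. With duplicates it keeps
    whichever central-directory entry came last and does not raise."""
    with warnings.catch_warnings():
        warnings.simplefilter('ignore')
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)


def build_sample_apk(poisoned: bool) -> bytes:
    """Constructed sample package (not a real APK): a manifest and a classes.dex.
    With poisoned=True a second classes.dex is appended under the same name,
    which is the shape of a Master Key package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('AndroidManifest.xml', b'<manifest/>')
        zf.writestr('classes.dex', b'dex\n035\x00 original payload')
        if poisoned:
            with warnings.catch_warnings():
                warnings.simplefilter('ignore')   # zipfile warns on the duplicate name but writes it
                zf.writestr('classes.dex', b'dex\n035\x00 attacker payload')
    return buf.getvalue()


if __name__ == '__main__':
    for label, pkg in (('clean', build_sample_apk(False)), ('poisoned', build_sample_apk(True))):
        print(label, central_directory_names(pkg), duplicate_entries(pkg), reader_sees(pkg, 'classes.dex'))
```

The point of walking the central directory yourself rather than asking a ZIP library for its name list is exactly the one the bug exposed: a convenience API collapses duplicate names into a single entry, and which copy it keeps is an implementation detail, so a verifier and an extractor built on different libraries can disagree. Rejecting any package with a duplicate name removes the ambiguity altogether.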