
Google has thrown Android users under the bus

I have a Samsung Galaxy Tab 7 running 4.1.2 and I use Boat Browser.

I have an LG phone running 2.3.5 but I only use it for talk and text.

Sorry that you are upset by my comments. But as one of millions of affected Android users, it bothers me when these issues arise. And without notice or warning from Google or OEM.

The Android OS/Ecosystem starts at the top with Google. Google should take responsibility and deal with the fragmentation issue. I have been posting and telling friends for years, if you are going to buy an android device, stick with a Nexus. With any other android brand, you cannot trust that the device will be supported. Otherwise when problems arise, you have to go on the internet and try to test or fix, device by device, app by app, or in this case, browser by browser.

BTW, I tested the iPad 3 iOS 8.1.2 on the csc.cyberoam site. I pushed "test app", but nothing happens. Does that mean the ipad is not vulnerable or that the test does not work on the ipad?
Yeah, my objection was the charge that I was excusing Google - I was simply not excusing the sensationalism in the press. You don't have to like me or how I roll, but I got enough problems with what I do without being accused of things I don't do. You got a problem with the whole update scheme? You ought to, I agree.

This is but one vulnerability of many and it's a lose/lose game for us users of any system. The latest whatever always fixes all of the known bugs - but as evidenced here, can and usually does introduce new vulnerabilities that simply aren't discovered - yet.

The sensational press identified this as 1) all old Android (not true), 2) Google's fault (partially true) for not updating the past repository (there's a whole inconvenient side discussion about repository management required at that point), and 3) an Android-only issue (almost certainly false according to one security outlet).

That leaves us all being reactive.

The problem with security is that both Android/OEM and Apple (mobile) very often only provide security patches along with feature updates (I won't say 100% of the time, but it's the majority for all of them).

You may identify this as an "update-lagging/update-missing" issue and then say that Google ought to do something about fragmentation - and again - that's still going to miss that there is no system to simply access security patches, and in my opinion, the real reason includes that mobile devices are preshipped with admin access denied, and a warranty-breaker - something unheard of on a desktop, but somehow magically ok on a phone or tablet.

And even removing or reducing fragmentation in the desktop world - security patches lag, and they're not all available for all versions in use.

I agree it sucks that the press didn't tell and you had to find this on a forum - but at least you could - and that leads back to updates. The implications and promises of mothership-controlled security updates and the truth of them are often two different things in the real world, as we've seen time and time again.

In any case, thank you for your test - it is indeed valid on any device and the lack of popup isn't a test failure, it's a device pass.

Was your iPad previously vulnerable? Hard to say - according to one of the security (non-inflammatory) articles, Safari 5 was identified as a vulnerable browser.

Should you, as an iDevice owner, pay attention to alerts and tests on Android whenever you hear of WebView or WebKit vulnerabilities? Absofreakinglutely. Even though WebView is an Android API, it all comes down to how things get dispatched to common engines, and source codes have a way of moving in mysterious ways.


Why you might care if you hear of an Android browser problem - http://web.appstorm.net/general/opinion/the-history-of-webkit/

PS - for those looking for the test, I'll repost it here - http://csc.cyberoam.com/cyberoamsupport/webpages/android_vulnerability/index.html - and if concerned, according to Ghostery, that page contains NO trackers and according to ABP, contains no ads.
 
Or from now on, stipulate that non-Nexus devices should stick a warning on the box, like on cigarette packages: "This Android device may not receive full support or updates like a Nexus". That is the truth.

Please define "full support".

Mainstream OEMs tend to support a popular device for around two years, during which time it will have been updated/superseded at least twice. After that point it becomes increasingly expensive to maintain support on older devices in all likelihood no longer even being manufactured.
 
Why not let us know?

That I would like to see. Google through their own actions are not welcome in the country where many of our Androids come from.

If there is a safety issue with your car, the manufacturer should warn or recall. If we are warned, we can stop using the device, find an alternative or buy a new one. But if we are left in the dark and lose valuable personal info or suffer economic loss, who will be responsible? Or from now on, stipulate that non-Nexus devices should stick a warning on the box, like on cigarette packages: "This Android device may not receive full support or updates like a Nexus". That is the truth.

Well car manufacturers are much more like Apple in this respect, Ford designs and makes all their own engines, transmissions, bodies, wheels, brakes, airbags, ECU systems, everything they need to make a complete car. It would be like asking Linus Torvalds to warn everyone of a problem with Ubuntu.
 
I wish I had ICS or Jellybean available.

I'm a browser freak, I always have about a half dozen installed.

I'd gladly go through and test as many as possible.

I'm especially interested in a Maxthon test. They were identified as having the problem some time back and they claim a big market share.

Hmmm. Maybe I can find a good update for my Gingerbread phone...

EDIT - OK, not perfectly stock but close enough, found an ICS one to try... Arg. SD card nearly full, no spares in the house. Logging in to Amazon...
 
http://source.android.com/source/index.html
"The Android Open Source Project is led by Google, who maintains and further develops Android. Although Android consists of multiple subprojects, this is strictly a project management technique. We view and manage Android as a single, holistic software product, not a "distribution", specification, or collection of replaceable parts. Our intent is that device builders port Android to a device; they don't implement a specification or curate a distribution."

IF this doesn't point back to Google as the responsible party to fix their shit, then I don't know who's in charge of Android.

---

Why would you NEED carriers and mfg's to push out a patch? Root, patch, done. I'm sure if this was the ol' assembly days, it would be a few bytes pushed out in a patch and everyone would go on with their happy lives.

http://investor.google.com/financial/tables.html
http://www.statista.com/statistics/273744/number-of-full-time-google-employees/
But $13 billion in net income last year, sitting on $55+ billion cash, 47,000+ employees (and a ton of them smart programmers), CAN'T sit down for 1 MONTH, write up patches, and push them out?!?!??!?!

This merely means GOOGLE = LAME, or GOOGLE Doesn't Care About Your Sorry Butt After They've Stripped It Of Its Wallet. Even Microsoft does a better job at trying to fix its many bugs.
 
Who can explain this...

View attachment 80521

Nexus 5 5.0.1 using Chrome.
I don't know what to make of that, it's a different popup from this -

Boat browser = vulnerable
Screenshot_2015-01-16-00-08-06_zpsazxzmyzh.png

At face value it says that Chrome on Lollipop is wrong.

What does your settings, About Chrome show?

1421496271694.jpg
 
Who can explain this...

View attachment 80521

Nexus 5 5.0.1 using Chrome.

Is there any proof that this is 5.0.1 Lollipop, are we just taking your word for it? Why is the notification bar obfuscated? Maybe because the notification bar icons are usually a giveaway as to what Android version it is?

I don't get a pop-up on an Oppo with 4.4.2, ColorOS 2.0, stock browser or Opera.
 
Is there any proof that this is 5.0.1 Lollipop, are we just taking your word for it? Why is the notification bar obfuscated? Maybe because the notification bar icons are usually a giveaway as to what Android version it is.

It often takes me a few attempts to press the screenshot combo successfully, so a lot of my screenshots have the volume bar in them too.

Also the volume icons/bar, the soft buttons along the bottom and the toast show it's Lollipop.
 
It often takes me a few attempts to press the screenshot combo successfully, so a lot of my screenshots have the volume bar in them too.

Also the volume icons/bar, the soft buttons along the bottom and the toast show it's Lollipop.

Ah, I swipe three fingers on the screen for taking screen shots, don't press any buttons like volume. But then I've yet to get my hands on any 5.0 Lollipop devices, not available so far here, e.g. Nexus.
 
I want to thank everyone for their input on this thread.

I have just now had a chance to read it all since my starting this thread... (health issues and forgot to put it in my "favorites".. darn that flu anyway)

A lot of very good detailed information has been explained in a reasonable manner and without flaming anyone.

I still have my first smartphone working and registered to one of my lines. It is a Samsung Galaxy S Fascinate (Verizon) and it has survived all of the paranoia without a single upgrade since the only upgrade VZW released for that phone. My niece is using it now until she can get a full time job and get a more up to date model. Still, it just proves that not every thing is dead in the water the instant someone discovers a "big hole" in the system.

My S5 with CMbrowser passed the test, sort of expected it to anyway.

____________________________________
Verizon Galaxy S5, KK 4.4.4, ART
MyPhoneExplorer saves your tailbone

Nova Prime, Textra, Blue Mail, Qi wireless equipped
MacroDroid senses Screen off, turns Wifi & Data OFF
MacroDroid senses Screen on, turns WiFi & Data ON
 
I saw that Adrian Ludwig, Android's lead security engineer, posted some info on Google+ about Webkit and how to stay safe:

Following public discussion of vulnerabilities in versions of Webkit last week, I’ve had a number of people ask questions about security of browsers and WebView on Android 4.3 (Jellybean) and earlier. I want to provide an update on what we’re doing and guidance on steps that users and developers can take to be safe, even if your device is not yet running Lollipop.

Keeping software up to date is one of the greatest challenges in security. Google invests heavily in making sure Android and Chrome are as safe as possible and doing so requires that they be updated very frequently. With Google’s assistance, Android device manufacturers (OEMs) have been moving rapidly to improve the rate that devices are updated and to ship devices with the most recent versions of Android. We provide patches for the current branch of Android in the Android Open Source Project (AOSP)[https://source.android.com/] and directly provide Android partners with patches for at least the last two major versions of the operating system.

Improving WebView and browser security is one of the areas where we’ve made the greatest progress. Android 4.4 (KitKat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop), Google delivers these updates directly via Google Play, so OEMs won’t need to do anything. Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely. With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.

There are also steps users and developers can take to mitigate the risk of potential exploitation of WebKit vulnerabilities without updating to Lollipop. Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users.

When browsing on any platform, you should make sure to use a browser that provides its own content renderer and is regularly updated. For instance on Android, Chrome [http://goo.gl/elSkZX] or Firefox [http://goo.gl/Q5X6e3] are both great options since they are securely updated through Google Play often: Chrome is supported on Android 4.0 and greater, Firefox supports Android 2.3 and greater. Chrome has been the default browser for all Nexus and Google Play edition devices since 2012 and is pre-installed on many other popular devices (including Galaxy devices from Samsung, the G series from LG, the HTC One series, and the Motorola X and G), so you may already be using it.

Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future. It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.

If you are an application developer, there are also steps you should take to keep users safe. Application developers should make sure that they are following all security best practices[http://goo.gl/b6a3ta]. In particular, to resolve this issue when using WebView[http://goo.gl/FKeouw], developers should confirm that only trusted content (e.g. loaded from a local source or over HTTPS) is displayed within WebViews in their application. For maximum security when rendering content from the open web, consider providing your own renderer on Android 4.3 and earlier so that you can keep it up to date with the latest security patches.

He also linked to http://developer.android.com/training/articles/security-tips.html#WebView to provide some best-practice information to developers who need to use WebView in their apps.
 
I would like to point developers using the WebView to check out the Crosswalk WebView: http://www.crosswalk-project.org


It is based on Chromium and updates just as regularly as Chrome on Android. It is possible to distribute the WebView with your app and thus decide when you are ready to upgrade.


Today it is used by Sencha Spaces, AppGyver, famo.us, Ionic and others, incl Google for their mobile ChromeApps on Android.


It works on Android 4.x and up (yay!! :)) and is being developed by a group of engineers at the Intel Open Source Technology Center http://01.org but also sees contributions from Samsung (Tizen support etc).
 
