Stagefright vulnerability (disable MMS auto-download)

I use Google messenger and it has an option to turn off automatically downloading mms attachments. It's in advanced settings.
 

Upvote 0
(I was on The Verge of saying something else but contained myself.)
Thanks Thom for containing yourself to only mentioning the Verge three different times so far this thread ;-)

In my defense, it was an example of what was "all over" the media that first day...not the focus of my post (the recommendations were).

No worries though. If we can't laugh at the Verge, we're in trouble.
 
Upvote 0
I use Google messenger and it has an option to turn off automatically downloading mms attachments. It's in advanced settings.

It is in four messaging apps I have installed ...
chompSMS (if auto save to gallery is the option)
Messaging
Messenger
Textra (if auto save to gallery is the option)

It is not in one of the messaging apps I have installed ...
Message+

... Thom
 
Upvote 0
I understood 3.5% of the above.

tl;dr version (and my take) -

1. There's been a potentially nasty security hole in Android since 2.2, which in 5-6 years, no one has exploited.
2. This isn't as big an issue as the blogosphere or the security firm who initially discovered it are making it out to be.
3. Turn off auto MMS download in your messaging app and don't download messages from contacts/numbers you don't recognise and you'll be fine.
 
Upvote 0
chompSMS and Textra now have an update released that specifically guards against this exploit being used.

... Thom
And once again, the entire blogosphere whining that Android users are screwed because they don't update from the mothership like Apple are proven wrong.

How many days did it take since the defect went public?

That's right, less than 4.
 
Upvote 0
The stagefright exploit can occur when any SMS / MMS app creates the MMS video thumbnail that it shows in the conversation bubble or notification or if a user presses the play button on the video or saves to Gallery.

We have provided a solution for 'StageFright' in Release 3.1 of Textra out now.

Very Important: In other SMS / MMS apps, turning off auto-retrieve is **NOT** enough as once you tap 'download' the exploit becomes active. Additionally you would not get any MMS pics or group messages. Not a good solution.

from https://textra.uservoice.com/knowledgebase/articles/673921-stagefright
 
Upvote 0
Very Important: In other SMS / MMS apps, turning off auto-retrieve is **NOT** enough as once you tap 'download' the exploit becomes active.

So how about we rephrase to "turn off auto-retrieve and don't open messages from numbers not in your contact list kind of like you don't open emails from unknown senders"? Happy now?

Additionally you would not get any MMS pics or group messages. Not a good solution.

I use Google Voice, so group messages are broken anyway. Need to send me a pic? Do it through Hangouts or some other service that's actually designed for high-quality media. Perfectly fine solution for me, thank you very much!
 
Upvote 0
So how about we rephrase to "turn off auto-retrieve and don't open messages from numbers not in your contact list kind of like you don't open emails from unknown senders"? Happy now?
If the exploit can take over a phone without the owner knowing, then it can probably spoof an MMS to their contacts... recipient would recognize the sender and might manually download malicious MMS. So all other things being equal, it's probably better IF the SMS app like Textra or Chomp actually has something in there that protects you regardless of whether manually downloaded or autodownloaded. Then again I'm not running out to switch apps at the moment since there don't appear to be any attacks going on and we're still waiting for the dust to settle. So for folks like me still waiting for their SMS app to get updated, it's probably good advice to also avoid MMS from unknown sender as you say.
 
Upvote 0
Let's be clear -

Despite what some articles are claiming, the vulnerability is for video MMS and it occurs when the video thumbnail is created.

That strongly suggests that like most security exploits, an unprotected buffer overflow was discovered.

The chompSMS/Textra fix forces you to go through a two stage Stagefright warning before processing can occur.

Hypothetically, it may still be possible to get a bad video through.

Phandroid.com is testing it along with a bad video, hoping to see the story break soon.

And fwiw - I don't know of anyone using video messages with better phones - the carrier MB limit tends to exclude sending most any HD video. Not sure that's noteworthy and I know it's not the world - but for 3 years the forum answer to why can't I send a video from my new phone has been - place on YouTube, Dropbox or Drive and send a link, it works and saves friends and family from eating up mobile data.

But if this is a buffer overflow exploit that relies on a very large video, then a lot of people are going to be inherently hard to being part of the infection vector.

We'll know more soon.
 
Upvote 0
http://phandroid.com/2015/07/31/stagefright-protection-feature/

I've confirmed through Phases that Textra did not create the dreaded thumbnail, so there's a lot of behind the scenes controversy on the story.

Love 'em or hate 'em, news blogs serve a public trust - us - and Phandroid takes the role seriously.

So, they're coming down hard on the skeptical side and we're waiting to hear more from the devs.

By the way, I want to stress that my personal opinion, not as a representative of the team, is that security is everyone's business and it's on us to look out for one another.

Good idea to not forward video texts until we know more ok.

And just because Textra might not create a thumbnail doesn't mean to go ahead and save questionable videos to your Gallery because it surely will.

Most of all - we're going by the original report from the security firm.

We have no idea how complete or accurate it really is.

Like previous serious problems, we need a trustworthy test site that will give us an app to let us know if we're really in trouble or what's up.

Remember that sign I've often talked about from one of the labs I've worked at -

One test is worth a thousand expert opinions.
 
Upvote 0
Whether or not you open the message isn't relevant here. The system processes the image regardless, thus the vulnerability. Turning off auto fetch for MMS is the only protection until a fix comes.

It is the same setting in Google Messenger under advanced. It also seems that anyone that has used email in the last ten years should have the common sense to not automatically open attachments from people you don't know.
 
Upvote 0
