Stagefright vulnerability (disable MMS auto-download)

Discussion in 'Android Lounge' started by electricpete, Jul 27, 2015.

  1. I will pass it along ... thank you.

    (I was on The Verge of saying something else but contained myself.)

    ... Thom
     



  2. Masterchief87

    Masterchief87 Android Expert

    I use Google messenger and it has an option to turn off automatically downloading mms attachments. It's in advanced settings.
     

  3. electricpete

    electricpete Android Expert
    Thread Starter

    Thanks Thom for containing yourself to only mentioning the Verge three different times so far this thread ;-)

    In my defense, it was an example of what was "all over" the media that first day... not the focus of my post (the recommendations were).

    No worries though. If we can't laugh at the Verge, we're in trouble.
     
    #28 electricpete, Jul 29, 2015
    Last edited: Jul 29, 2015
    EarlyMon and Thom like this.
  4. You're welcome.

    I'll pass the information on in tomorrow's meeting.

    Thanks.

    ... Thom
     
    El Presidente likes this.
  5. It is in four messaging apps I have installed ...
    chompSMS (if auto save to gallery is the option)
    Messaging
    Messenger
    Textra (if auto save to gallery is the option)

    It is not in one of the messaging apps I have installed ...
    Message+

    ... Thom
     
    #30 Thom, Jul 29, 2015
    Last edited: Jul 29, 2015
    Masterchief87 and Unforgiven like this.
  6. 1freedude

    1freedude Newbie

    Ok, so, does the setting to automatically retrieve mms content invoke stagefright?
     
  7. Blu8

    Blu8 Android Expert

    No, it doesn't make you a victim to Stagefright. Disabling it is a simple countermeasure against it, because for it to work your SMS app would have to process the MMS, which won't get downloaded automatically if you have that setting off.
     
    Unforgiven and 1freedude like this.
  8. 1freedude

    1freedude Newbie

    Where and when does stagefright get called? I read that FF uses it, but they patched it.
    What other browsers, apps, Facebook (I don't use FB), twitter, etc. call/invoke/GOTO stagefright?
    Edit: I know Drake was exploiting (haha) the MMS vector with "just a phone number."
     
    #33 1freedude, Jul 30, 2015
    Last edited: Jul 30, 2015
  9. AppleUser

    AppleUser Android Enthusiast

    I understood 3.5% of the above.
     
  10. El Presidente

    El Presidente Beware The Milky Pirate!
    VIP Member

    tl;dr version (and my take) -

    1. There's been a potentially nasty security hole in Android since 2.2, which in 5-6 years, no one has exploited.
    2. This isn't as big an issue as the blogosphere or the security firm who initially discovered it are making it out to be.
    3. Turn off auto MMS download in your messaging app and don't download messages from contacts/numbers you don't recognise and you'll be fine.
     
    #35 El Presidente, Jul 30, 2015
    Last edited: Jul 30, 2015
    Riotpump, RA_BH, AppleUser and 3 others like this.
  11. 1freedude

    1freedude Newbie

  12. chompSMS and Textra now have an update released that specifically guards against this exploit being used.

    ... Thom
     
  13. EarlyMon

    EarlyMon The PearlyMon
    VIP Member

    And once again, the entire blogosphere whining that Android users are screwed because they don't update from the mothership like Apple are proven wrong.

    How many days did it take since the defect went public?

    That's right, less than 4.
     
  14. EarlyMon

    EarlyMon The PearlyMon
    VIP Member

    from https://textra.uservoice.com/knowledgebase/articles/673921-stagefright
     
    codesplice likes this.
  15. AZgl1500

    AZgl1500 Extreme Android User

    Yep, Textra sent me a Notification and it was done w/o any effort on my part.
     
    Thom likes this.
  16. codesplice

    codesplice Elite Recognized Moderator
    Moderator

    So how about we rephrase to "turn off auto-retrieve and don't open messages from numbers not in your contact list kind of like you don't open emails from unknown senders"? Happy now?

    I use Google Voice, so group messages are broken anyway. Need to send me a pic? Do it through Hangouts or some other service that's actually designed for high-quality media. Perfectly fine solution for me, thank you very much!
     
    Krlypumaa likes this.
  17. electricpete

    electricpete Android Expert
    Thread Starter

    If the exploit can take over a phone without the owner knowing, then it can probably spoof an MMS to their contacts... recipient would recognize the sender and might manually download malicious MMS. So all other things being equal, it's probably better IF the SMS app like Textra or Chomp actually has something in there that protects you regardless of whether manually downloaded or autodownloaded. Then again I'm not running out to switch apps at the moment since there don't appear to be any attacks going on and we're still waiting for the dust to settle. So for folks like me still waiting for their SMS app to get updated, it's probably good advice to also avoid MMS from unknown sender as you say.
     
    #43 electricpete, Jul 31, 2015
    Last edited: Jul 31, 2015
    EarlyMon likes this.
  18. I converted to Textra a year or so ago after hearing about it at Android Forums. I think it is simply great.

    I was then introduced to chompSMS at Android Forums and tried it. It is simply awesome.

    Both come from the same developer.

    I use chompSMS.

    ... Thom
     
  19. electricpete

    electricpete Android Expert
    Thread Starter

    If chomp and textra could fix it that quickly, then I figure (hope) that most of the other sms replacement apps will not be far behind.
     
    #45 electricpete, Jul 31, 2015
    Last edited: Jul 31, 2015
    Thom likes this.
  20. EarlyMon

    EarlyMon The PearlyMon
    VIP Member

    Let's be clear -

    Despite what some articles are claiming, the vulnerability is for video MMS and it occurs when the video thumbnail is created.

    That strongly suggests that like most security exploits, an unprotected buffer overflow was discovered.

    The chompSMS/Textra fix forces you to go through a two stage Stagefright warning before processing can occur.

    Hypothetically, it may still be possible to get a bad video through.

    Phandroid.com is testing it along with a bad video, hoping to see the story break soon.

    And fwiw - I don't know of anyone using video messages with better phones - the carrier MB limit tends to exclude sending most any HD video. Not sure that's noteworthy and I know it's not the world - but for 3 years the forum answer to why can't I send a video from my new phone has been - place on YouTube, Dropbox or Drive and send a link, it works and saves friends and family from eating up mobile data.

    But if this is a buffer overflow exploit that relies on a very large video, then a lot of people are going to be inherently hard to being part of the infection vector.

    We'll know more soon.
     
  21. Curtis1973

    Curtis1973 Android Expert

    LG Android 4.4+ should have similar settings to this: just uncheck auto retrieve as mentioned before.

    Screenshot_2015-07-31-17-31-45.png
     
    girolez, El Presidente and EarlyMon like this.
  22. EarlyMon

    EarlyMon The PearlyMon
    VIP Member

    http://phandroid.com/2015/07/31/stagefright-protection-feature/

    I've confirmed through Phases that Textra did not create the dreaded thumbnail, so there's a lot of behind the scenes controversy on the story.

    Love 'em or hate 'em, news blogs serve a public trust - us - and Phandroid takes the role seriously.

    So, they're coming down hard on the skeptical side and we're waiting to hear more from the devs.

    By the way, I want to stress that my personal opinion, not as a representative of the team, is that security is everyone's business and it's on us to look out for one another.

    Good idea to not forward video texts until we know more ok.

    And just because Textra might not create a thumbnail doesn't mean to go ahead and save questionable videos to your Gallery because it surely will.

    Most of all - we're going by the original report from the security firm.

    We have no idea how complete or accurate it really is.

    Like previous serious problems, we need a trustworthy test site that will give us an app to let us know if we're really in trouble or what's up.

    Remember that sign I've often talked about from one of the labs I've worked at -

    One test is worth a thousand expert opinions.
     
  23. AppleUser

    AppleUser Android Enthusiast

    Thanks, El Presidente. Understood 100%!

    So simply turn OFF MMS auto-retrieve on Samsung's/MetroPCS's messaging program.
     
    El Presidente likes this.
  24. Krasher

    Krasher Newbie

    Whether or not you open the message isn't relevant here. The system processes the image regardless, thus the vulnerability. Turning off auto fetch for MMS is the only protection until a fix comes.

     
    electricpete likes this.