
Remote code execution on Android devices - ghosh
http://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/
======
ars
If your machine is rooted then you can install aftermarket apps that let you
block things.

If all you need is internet blocking then:
[https://play.google.com/store/apps/details?id=com.googlecode...](https://play.google.com/store/apps/details?id=com.googlecode.droidwall.free&hl=en)

It works great and is very easy to use.

For more comprehensive blocking:
[https://play.google.com/store/apps/details?id=biz.bokhorst.x...](https://play.google.com/store/apps/details?id=biz.bokhorst.xprivacy.installer&hl=en)

It's more difficult to use but you can control everything.

~~~
aw3c2
If my device was rooted, wouldn't the attacker be smart enough to circumvent
this?

~~~
AgentME
The vulnerability is the attacker's way into your system. If you've rooted and
blocked that vulnerability, then the attacker can't use that way into your
system.

------
donniezazen
Remote code execution is the least of the worries on Android. Today I downloaded
an app and I read their privacy policy. They will read my browser, all the
packages installed on my phone and my precise geolocation. Why did they need
those permissions just to show you ads?

People don't really read terms and conditions. You can get pretty much any
information from users because reading is inconvenient.

~~~
allegory
This.

I was going to install a torch app and it wanted access to my contacts and
call history?!?!

Took a while but I found one that just needed camera access (to activate the
LED). Not all apps are completely evil but the majority appear to be.

~~~
babuskov
I got so tired of testing all the flashlight apps. Some had ads, others
required too many permissions. In the end I wrote my own, in a couple of
hours. It's ad free, and doesn't require anything:

[https://play.google.com/store/apps/details?id=com.bigosaur.l...](https://play.google.com/store/apps/details?id=com.bigosaur.lampa)

~~~
allegory
I salute you. Have installed it and it works perfectly. I will recommend this
to anyone who needs such a thing.

Thank you for your efforts.

------
DCKing
This is very problematic for Android. It was a question of time before such an
issue crept up that left a large amount of legacy devices fully compromisable
remotely. This is the biggest problem of relegating software updates to a
complex and unwilling group of people, instead of a single party.

The biggest problem in solving this issue is: "who is going to solve it?". The
software fix should surely be made by Google's Android team, but a software
fix is not a solution. It needs to be distributed as well. And you can count
on that not going well at all.

------
userbinator
It appears that the equivalent of NoScript for Android WebViews could be quite
useful in protecting against this sort of thing, although no doubt there would
be a massive backlash against it since I'd bet most of the time this is being
used for showing ads...

------
mavdi
Security through obscurity. Don't worry, the development tools for Android are
so shit I don't think hackers will bother with it.

------
chatman
Richard Stallman has been saying this all along. These non-free operating
systems are used for surveillance.

~~~
DCKing
Trying to spread Stallman's ideas by FUD does not help spreading Stallman's
ideas. Stop doing that.

I don't get why free software zealots hate Android so much. It is by far the
most "free" popular operating system ever made. Never has there been a user
facing operating system in the possession of 100s of millions of people, for
which you can readily download and study the large majority of code running
the system on these devices. It is even possible to purge some devices of
non-free code (including blobs) completely, if you so desire [1].

[1]: [http://www.replicant.us/](http://www.replicant.us/)

~~~
drdaeman
> Never has there been a user facing operating system in the possession of
> 100s of millions of people, for which you can readily download and study the
> large majority of code running the system on these devices.

This is going to be completely off-topic, but most Android installations don't
really qualify as "free" as they lack the essential freedom to tinker with the
code and put it back on the device. The vast majority of Android-based phones are
purportedly severely tivoized, and many vendors actively fight any attempts to
work around those limitations. That is, having an ability to read the source
code doesn't make the software free.

So, on the contrary, the Android family of OSes (with the exception of AOSP and
Replicant) is one of the most tightly locked-down computing platforms that
has one of the core practices of not letting users access anything more
than the device vendor had allowed. Unsurprisingly, this is frowned upon by many
zealots.

~~~
DCKing
That is why I put "free" in quotations. Furthermore, many devices sold _do_
allow you to at least put open source equivalents on these devices;
many flagship phones allow this with some know-how. On the scale of freedom
from 0 to 10 (0 being a Lumia, 10 being the computer that RMS uses), I'd say
most Android devices are a 3, with many devices being able to go up to a 6 and
some devices going up to an 8 with Replicant.

Nonetheless, people fail to recognize the freedoms that Android _does_ give
you, and only criticize the freedoms that it doesn't give - the reasons why
it's not a 10. If not for Android, I'd wager we would _not_ be able to go
beyond 2 (≈ iOS) on the freedom scale when buying mobile phones. That would be
bad, and it seems zealots fail to recognize this (that's probably why they are
zealots in the first place).

~~~
rational-future
Why is Lumia a 0? How about iOS and Blackberry?

------
ID_USER_TOKEN
Android is a clusterfuck of various platforms for supporting remote code
execution.

