
New Vulnerabilities All Come Preinstalled on Android Phones - elorant
https://www.wired.com/story/146-bugs-preinstalled-android-phones/
======
curiousgal
Just skip the bloat. Link to the actual post:
[https://www.kryptowire.com/android-firmware-2019/](https://www.kryptowire.com/android-firmware-2019/)

Google and Huawei are not on the list. And Samsung's vulnerabilities are only
exploitable by system apps.

~~~
i_am_proteus
I'll add that Nokia is also not on the list. Most (all?) of their new phones
run Android One.

------
userbinator
I hate fearmongering articles like this, which basically advocate the
authoritarian user-oppressing position that's sadly so common these days:

 _“We believe that if you are a vendor you should not trust anybody else to
have the same level of permissions as you within the system,”_

The fine print here is that these are effectively _local privilege escalation_
vulnerabilities, which is far less worrying than anything remotely
exploitable.

The age-old advice of not installing applications you don't trust still
applies.

~~~
seandougall
> The age-old advice of not installing applications you don't trust still
> applies.

That's the one thing that seems to be a legitimate point in this article --
Android phones tend to come with bloatware from manufacturers and carriers, so
you don't have the option not to install these applications you shouldn't
trust.

~~~
pvorb
And very often you can't uninstall them.

------
DarkmSparks
Just opened the Samsung ones. They all seem to be "app by manufacturer can use
permissions of another app installed by manufacturer" Android 8. And even then
only things like turning wifi on/off. If that's as bad as it gets now I'd say
it's more like things have come a very long way.

~~~
izacus
So it's yet another case of media writing misleading articles to drive an
agenda? The amount of such content these days is getting pretty catastrophic.

~~~
SlowRobotAhead
I don’t know that I care if anyone can see the issue today or not.
Specifically in this example, one app should not be able to influence the
behavior of another app outside of normal channels just because the phone mfg
made the app.

Backdoors, exploits, and all manner of existing CVEs exist because of mfg
shortcuts, and we should be learning lessons even if the threat model isn’t
immediately apparent.

~~~
DarkmSparks
Except - Android 8. We are already on Android 10.

I'd see an issue if these potential vulnerabilities hadn't apparently already
been fixed, but since it looks like they have. Meh, clickbait.

------
on_and_off
I get it when a "security" firm does a FUD article, it is in their interest to
sell antiviruses and whatnot, but disappointed to see that this article is
coming from Wired.

------
user_50123890
News flash: All devices ever released have always come preinstalled with
yet-to-be-discovered vulnerabilities.

------
Red_Leaves_Flyy
Is there any rhyme or reason to which devices they choose to scan? I see
Samsung, Asus, Sony, what about Google or LG?

