
Can confirm this happened to me this afternoon on my Android. Went into a full panic mode. I refused to type passwords since I was worried it might have been another app imitating Google and I had no recollection of any action that would have required me to sign in again. I made sure that my password was correct on my laptop browser to ensure that I had not fallen for an account compromise. Eventually restarted the phone, ran the Lookout security app and then typed it on the smartphone.



> I refused to type passwords since I was worried it might have been another app imitating Google and I had no recollection of any action that would have required me to sign in again

Same for me! So follow-up question, how do we know if an Android app is the real deal? I opened the app switcher and it certainly said "Google Play Services" on top of the window asking for my password, and had the correct logo, but could another app present itself in the same way?


If you long press on the notification, a little info icon pops up and tapping that will take you to the App details page. That's an easy way to verify the package name and version. If it is a sketchy app and not Google Play Services, kill it with fire! (FWIW it was Google Play Services for me)


This is exactly what I was looking for, thanks!
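Added example, not part of any comment in this thread: the App details check described above compares the package name behind a prompt with the expected one, and the same comparison can be run over a whole app inventory to flag apps that reuse a trusted label. The inventory rows and the `com.example.*` names are constructed for illustration; `com.google.android.gms` is the package name of Google Play Services.

```python
import unicodedata

# Assumption: the single label -> package pairing this example trusts.
TRUSTED = {"Google Play Services": "com.google.android.gms"}


def normalize(label):
    """Fold case, compatibility forms, spacing and invisible characters
    so that visually identical labels compare equal."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


TRUSTED_BY_LABEL = {normalize(k): v for k, v in TRUSTED.items()}


def find_impostors(inventory):
    """Return (label, package) rows that display a trusted label
    but are installed under a different package name."""
    hits = []
    for label, package in inventory:
        expected = TRUSTED_BY_LABEL.get(normalize(label))
        if expected is not None and package != expected:
            hits.append((label, package))
    return hits


# Constructed inventory of (display label, package name) rows.
SAMPLE = [
    ("Google Play Services", "com.google.android.gms"),    # genuine
    ("Google Play  services", "com.example.updater"),      # extra space, case
    ("Google\u200b Play Services", "com.example.torch"),   # zero-width space
    ("Notes", "com.example.notes"),                        # unrelated app
]

if __name__ == "__main__":
    for label, package in find_impostors(SAMPLE):
        print(f"label {label!r} is shown by unexpected package {package}")
```

A label match only tells you what the app claims to be; the package name is what the App details page lets you confirm.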


I had the same issue. First I wanted to check whether the password I was using was still valid. So I verified/signed in on another machine in incognito mode. Once I had verified that the password was correct and still working, I then restarted Android. After scanning using Lookout (honestly not really sure how good they are), rather than going through the "Google Play Services" notifications, I opened the Gmail app and checked if the past emails could be opened, after confirming that it was a legitimate app. I intentionally entered a completely incorrect password twice, assuming that if it went away it was a really well crafted phishing attempt. Eventually I entered the password.


> I intentionally entered a completely incorrect password twice assuming that if it went away it was a really well crafted phishing attempt.

That's a clever trick, I'll remember it for next time something similar happens.

I had the same paranoia as several other people in this thread (don't enter password if you're prompted unexpectedly or without clear reason). I had the fortune that only a "trash" Gmail account got locked out, not my main one. So I verified on another machine, password was unchanged, checked if I really hadn't registered any other important accounts with that email, and just gave in after an hour or so, to make the notification go away.


Guess what happened to me on my iPhone today in the morning when I put it out of airplane mode. Same thing. I didn't enter my password for the above-mentioned reasons.


> how do we know if an android app is the real deal?

You don't.

Not that it really matters, if you care about security you shouldn't be using Android in the first place.


Don't let the perfect be the enemy of good. Or in other words, I try to adjust my opsec/persec to a realistic threat model, not to my worst dystopian nightmares.


I think the point is that Android is not what we would consider "good" security.


This is not about dystopian nightmares, this is about an OS where it's exceptional to EVER get an update, let alone get it in time.

If you go out to a shop and buy 100 Android phones, at least 99 will be running outdated OS versions with known security issues and no updates available.


But why aren't these Android phones getting hacked left and right, everywhere? Any idea?

Where I am (the Netherlands), Android is way more popular than iOS--I'm not attaching value judgement to popularity or otherwise, nor am I particularly doubtful of your claim that the average (cheap) Android phone is running an outdated version.

But if that's the case then what is going on?

Are they not juicy targets for hackers? (tons of personal information, botnet possibilities, seems valuable to me)

Or are they in fact being hacked quietly and we're not hearing much about it? Is everyone's cheap phone already part of a botnet and nobody realizes?

Is it perhaps that the exploits require physical proximity that hackers don't deem worth the risk?


Looking at active Android clients your claim might be correct (although I assume it is not 99%), but if he actually went out and bought a new "premium" phone, which I assume most here would do, it is most likely updated.


Is there a smart phone OS, that's actually usable, that is any better?


iOS.

BB10 would have been even better but they pulled the plug on that one.


Is iOS really that much better than an updated stock Android? Even if you find differences, they are not as big as you make it sound.

Comparing stock iOS with some old unupdated cheap phone with bloated Android is not fair.


I can't say if it's much better, but iOS devices do have some security features most Android devices don't have:

- hardware Secure Enclave (as of the time of writing, only Samsung devices and the latest Google Nexus also have similar hardware, as far as I know)

- strong sandboxing (again, only Samsung devices with Knox can really compare)

- restrictions on which apps you can get, which filter out malicious apps (ex: fake Gmail app). It is void if you use jailbroken iOS or allow sideloading on Android.

- security updates are both more frequent (except Google devices, all Android manufacturers always lag behind for updates), and available to older devices (varies from manufacturer to manufacturer, but it's generally way less than Apple)

Of course, you need to factor in the delay to respond to security flaws (I don't have that kind of data), and other factors too, as well as decide if iOS suits you. That's for you to decide.


> Is iOS really that much better than an updated stock Android?

No, but updated stock Android phones are not really a thing, are they?


Same, got notification about both my Google accounts and was terrified it was some new phishing trick. Reading about Cloudbleed did not help matters either. At least I got extra motivated to secure up all my accounts, so there is that.


Shit, you just opened my eyes a bit. I woke up, saw 2 notifications about logging in again (got 2 accounts registered on my phone), and just typed the passwords in without second thought. Never occurred to me that it could be a phishing attempt.


Happened to me an hour or so ago. Notification on phone suggesting I log in again. I ignored it like I ignore everything that doesn't seem pressing. Then Hangouts refused to send a message, which made me think the login suggestion was legitimate. Must say, like you, I probably ought to have scrutinised it a bit more.


Turn on 2-stage authentication and use LastPass or a similar password manager.

I can't really fathom how someone would have gained access to my account with those steps in place (and honestly if they did, I wouldn't even be mad because it's so impressive)... so I immediately assumed that Google was having a log-in problem.


I was signed out several times today. And I couldn't attach PDF files bigger than 200Kb from Chrome. Then I logged in on Firefox and it worked again.


If you fear phishing, type the wrong password and see if it takes it. If yes, it's obviously a phisher app/site/whatever.


I've noticed that Facebook sometimes refuses to let me in the first time even though the password is correct. I try the same password again and voilà!


Interesting. Are you using a password manager? How are you confirming that you've entered the password correctly the first time?


Same with me.



