
> perhaps now is the time for us to begin holding Google to the same standard we applied to Microsoft a decade ago.

The triggering factor for this was the worms though. No such similar thing exists in the Android space.

Stagefright is trivially weaponizable as an MMS worm, in fact it may already have happened

So... where is it?

There clearly hasn't been any major deployment of this - especially at the scale of Blaster or Conficker.

It's "trivial" perhaps for a single device but every device is different and it'd require its own exploit code, exploit mitigation features cause it to be difficult to actually exploit too - making it quite problematic to deploy in practice.

Are we really so moronic that we need to wait for something to explode before we're ready to acknowledge the fire hazard that caused the explosion in the first place?

If it were so trivial it probably would have already happened. There's tons of cash to be made in SMS and MMS spam.

It's not trivial - there's a lot of devices and exploiting mitigation techniques to deal with, there's not even a reliable PoC that works on real-world devices with ASLR enabled.

These exploit mitigation techniques and differences in builds have basically saved it from becoming the disaster it sounds like at first glance.

I guess to answer your question, yes, yes we are that moronic. Not many people will care unless it's proven rapidly and readily exploitable.

You just stated that Stagefright was "trivially weaponizable". So why don't you answer their question and provide proof? Surely a "trivially weaponizable" exploit on over 1.4 billion devices would be a very attractive target to nefarious organizations and hackers.

It's been about 2 years since Stagefright was disclosed. Are we still waiting for it to explode? And if so, can you give a timeline for when this explosion will occur?

> Stagefright is trivially weaponizable as an MMS worm, in fact it may already have happened

No it's not. Where are all of the Stagefright exploits? This was supposed to be Android's security armageddon according to the scaremongering bloggers. And yet nothing happened. According to Google's telemetry of over 1.4 billion phones there has not been 1 case of a Stagefright exploit in the wild. So your assumption that Stagefright is "trivially weaponizable" is inconsistent with your knowledge of Android security and mitigations.

Sending an MMS is very expensive and many people don't even bother to configure their mobiles to send them because they've never used them.

Interesting perspective. Where is this coming from, geographically? It doesn't match my experience here in North America.

Yeah I recently learned from a Canadian friend that people in the US and Canada still text a lot? Outside of the US & Canada my estimate would be that 99% of people have switched to WeChat, Whatsapp and FB Messenger.

The only texts I ever receive nowadays are automated (2FA etc...). Even though unlimited texts come with every SIM.

I am a rarity here in the U.K. as I still text, having got fed up of constantly switching IM apps. I mean, I remember when MSN Messenger was all the rage. Then Yahoo, ICQ, GTalk, Hangouts, various Jabber protocols, FaceAche, errr I mean FaceTime and Messenger, WhatsApp etc etc ad nauseam, Skype

SMS has remained the great constant throughout all these games. Turns out people don't get in touch if you don't use WhatsApp but shows how much they care eh!


If your GSM network is anything like Greece's (and I don't doubt it is, grey market devices from Spain sold here work without issue), Android automatically sets up the network settings for MMS and wireless networking. You don't have to do anything.
