Hacker News new | past | comments | ask | show | jobs | submit login
Major Android Bug Is a Privacy Disaster (CVE-2014-6041) (rapid7.com)
543 points by mike-cardwell on Sept 15, 2014 | hide | past | favorite | 224 comments

If you haven't tried Firefox Fennec (android mobile) it is actually pretty good now.



They make it for arm and x86 android.

They used to make a windows version but sadly stopped that build.

Been using Firefox mobile for four months now, and forcefully removed both chrome and the vulnerable browser from my device about one month in. Slight battery drain issues, but those are almost all solved in recent releases. Definitely give it a try.

It crashes every time I hit the menu button. I sent in the crash report; I couldn't figure out where on mozilla's website to report mobile bugs though.

It's this sort of thing that puts me off Android as a platform. Even my mother got sold a 2.2 handset recently (Samsung Galaxy Ace) that hasn't been patched for the best part of 3 years. You never know when you're going to end up with a lemon on your hands.

Big jump to this conclusion but I'm more inclined to trust Microsoft at the moment as they have a better reputation for lifetime (unlike Android), have a very public security process and good industry comms and the devices are proven usable if not faster after recent updates (unlike iOS which starts to be terribly limiting performance-wise). Plus they're dirt cheap.

Yes, this continues to be a problem that I hope Google addresses somehow. I got the Samsung Galaxy Nexus because I assumed it would be kept up to date with the latest Android version, since it's using the Google brand 'Nexus' name.

I even asked the sales representative if it would be kept up to date (knowing I couldn't trust them, but was looking for any extra assurance), and they said yes.

Right now it's at 4.3 and wont upgrade...

Just switch to CyanogenMod or other custom compilation; there is a gain from Nexus brand in the ease of unlocking bootloader (;

I'm not convinced CyanogenMod (or any other variant) is actually that great; I have a Samsung Galaxy S2 (i9100 model), the last non-nightly CyanogenMod update was over a year ago now. There have been a number of CVEs issued for Android (and likely numerous others cover Android as a platform, covering OpenSSL for example) over that time period, so there's no way the phone is anywhere near up-to-date with security fixes.

CyanogenMod doesn't have any way to distinguish which phones are currently receiving security fixes in a timely manner and which are not; nor do they have any list of security advisories covering packages they distribute (go look at any notable desktop/server Linux distro — they all have public lists of security advisories and documentation of what release fixes them).

To my knowledge there is no Android distribution that has anywhere near the cohesive security story — and they're all miles behind any desktop OS.

CyanogenMod changed their release versioning. There are no more "stable" builds anymore, at all. You're supposed to run "monthly" or "milestone" or whatever they are called. Yes, I think they could have communicated this much better.

And anyone running the stable builds have therefore never been updated to an at all recent build… sighs

And looking at my phone, I have no idea how I'm meant to update to the milestone builds. The updater lets me select "stable" or "all (inc. nightly)", and nowhere do the milestone builds appear…

None of this is helping me believe there's really any decent security story. Abandon all users who don't check the website (or whatever) to find out about releases, trusting the built-in updater to provide updates. Never publish any security advisories that cover your distribution…

> I have a Samsung Galaxy S2 (i9100 model), the last non-nightly CyanogenMod update was over a year ago now.

Same. The newest version which supports my phone is years old, and there are major usability issues, particularly in the dialler interface. The manufacturer (HTC) UI was miles better (i.e., actually usable).

Are you sure? My Galaxy S 1 (one) still gets updates, as does my S3. They're monthly milestones now.

Maybe you need to install CM 11 first, so the system has a base to work with.

I think you can see if your phone gets updates if it's listed as CM11-supported.

It looks like there were snapshot builds in august and july. (although how they differ from nightlies, I don't know) I thought I was on a snapshot from April, but it turns out I'm on a nightly.

There was a monthly in August something, and I just installed the latest one which is from today. It may not yet be built for all supported devices though.

Same situation here. I could put up with outdated Android version, gradually deteriorating performance, and bloating of apps leading to very little free space, but it's very disappointing to find out that even to remain secure, we're expected to shell out at every stage of Google's 12-month release cycle...

Try ShinyROM, it's an almost-exactly AOSP build of 4.4: http://shinyrom.goofball.org/

Android One is meant to make it simple for lo-end OEMs to ship high quality implementations of up-to-date Android and keep up with new releases. It's hard to migrate a huge OEM ecosystem to that kind of program quickly.

And Nexus was meant to make it simpler for Google to ship updates directly to users, rather than having to go through OEMs. If Google can't keep their own phones up to date, do you expect Android One to be any different?

The only Nexus phones here that don't already have a fix available is the phone they announced as being end of life. 4.4 is not affected and is available for the Nexus 4, 5, both generations of 7 and I believe the 10.

Dear Galaxy Nexus users... It's time to let go.

The Galaxy Nexus was released only 3 years ago. Since when was that beyond the expected lifespan of a flagship product from one of the world's largest tech companies?

Don't think I've ever owned anything with such a serious planned obscolence issue. Windows supports its OS releases for 12 years (and doesn't lock you in, so you can usually follow official upgrade procedure anyway). And anything "dumber" than a smartphone doesn't really open itself up to these gaping security flaws, so still operates fine after many years.

The GN wasn't planned obsolescence so much as "Google doesn't actually own the hardware, so they can't update drivers"

Do the drivers need updating? There is a kernel ABI and API that should isolate that from the rest of the OS so the OS should continue to evolve.

> The Galaxy Nexus was released only 3 years ago. Since when was that beyond the expected lifespan of a flagship product from one of the world's largest tech companies?

It became beyond the expected lifespan when it became normal to buy a new one every 2 years thanks to contract pricing and carriers pushing people to upgrade.

That works apart from in Europe. We do a lot of non contract pay as you go stuff where the handset may last 4-5 years. I have a couple of Nokias that are still good after 8 years and Microsoft have a 11-12 year lifecycle for desktop OS for example.

2 years is just a cost cutting exercise and inexcusable.

Since when has anything over 2 years, for a phone, had support? Anything over that is the exception, not the rule.

Apple has better support than most, but even their phones degrade with features missing on older phones AND included new features run like ass (every time my fiance upgrades old phone to new iOS she hate life until upgrade).

A 2 year old phone really is ancient... much less three or four... Who actually supports phones that old CONSISTENTLY?

Well yeah with smartphones really short release cycles are "the rule" - because Google/Apple dominate the industry and set the rules - that's what I'm complaining about.

There's no fundamental reason a 2 year old phone should be seen as ancient. Hardware can last many times longer than that, and software can be updated. Google is just not making the effort to support its older devices.

For people like me who don't want to buy a new phone every 18 months (both a wasteful use of my money, and the earth's natural resources), Android is looking like a pretty bad choice.

Well, honestly, it's not just Android.

iPhones have built in time lines (more or less replaceable anything. Need a new batter? Have fun...).

And then there is the face that if you want ANY kind of app support - not just OS. Facebook, Twitter, etc... - then you can't use old phones. Years old Windows phones. Look at Blackberry phones. Palm OS. No one supports them because well... no one supports them anymore.

I think it's more a function of the rapid change and growth of complexity that makes smartphones obsolete so quick. Screen density, cpu, graphics capabilities, hard drive space, antenna speeds, etc. EVERYTHING is increasing so quick that it's hard to compare a new phone to a 2 year old phone.

It'll most likely be years before it slows down enough that you can treat a smart phone like a PC - keep it for YEARS and expect most stuff to simply run on it.

My 2 year old Lumia 820 just got Windows Phone 8.1 and is as good as new in every way even though it has been dropped hundreds of times. It's getting the next 8.1 update next month as well.

That's what I expect.

But at least there is the choice with Apple. You don't have to upgrade, but if you want the new security fixes, you have them.

With Android, if you find a beloved phone by many, you will be supported for YEARS. My gTablet was being updated by the community for 4 years after the last official update. My Galaxy Note has nightlies from multiple different projects. My wife's Sony Xperia Arc S has consistent updates still. You find a phone that people fell in love with and you will have your updates until the hardware is dead.

I doubt that will happen. At $100 a handset where is the return and motivation for an OEM to bother pushing updates out for firmware/integration testing etc (that the telcos require)? Look at the aforementioned Galaxy Ace in my last comment which is exactly where this will end up, yet again.

Also, they say 2 years' support. If you look at the phone recycling business, there is 4-5 years life in a franken-handset shipped abroad.

Google's providing the OS support -- they make money on you using their services. Even if the revenue per user is only ¢10/year, when you get 100's of millions to billions of users that adds up.

And I bet Samsung still won't use it for their terrible low-end phones because of their darned skin.

The continuing sales of the Galaxy Ace should be criminal. If you buy one and update all apps it comes with, bam: you're out of space. Not to mention even if you apply all updates available you're still a walking target for every Android exploit that's come out in the last 3 years. It is completely unfit for purpose, but even when replacements came out (Y, Ace 2) the shops near me were still pushing the Ace. Why??

Probably warehouses full of them still.

Microsoft may update their older devices (well, once we moved to WP8 anyway, WP7 can go jump apparently), but my girlfriend's HTC 8X is half broken because her carrier refused to let the update go through. Absolutely frustrating... that's one thing I am happy about with my 4S, for sure. Screw carriers.

WP7 was a different OS (CE vs NT kernel). The NT kernel wasn't portable to a couple of the SoC's they used on those devices. I suspect that's why it went and jumped.

You're right though about carriers. I always buy non-carrier locked devices here in the UK for that precise reason. Nokia sell "country variant" devices which are usually updated first.

Microsoft upgraded WP7 to WP7.8 Mango when WP8 was released. It backported many of the new features to existing devices. including my Dell VenuePro.

So Windows Phone is updated at the will of the carriers as well? Basically the only way to get updates to your smart phone is either -

1. iPhone 2. Custom Rom and you're on your own.

> So Windows Phone is updated at the will of the carriers as well?

You can register for the Preview for Developers program [1] and get timely OS updates regardless of the carrier.

With the 8x the lack of updates is an HTC issue tho as far as I know. They look to roll out 8.1 on some of the 8Xs in October [2].

[1]: http://www.wpcentral.com/preview-for-developers

[2]: https://twitter.com/htc/status/509409362100879361

I don't understand why people are surprised they might be sold an inferior product if they don't do a minimum of research.

That's not how salespeople work...

If you aren't familiar with SOP, this is about the worst "stupid web vuln" that can happen. SOP is the glue that kind of almost makes the web secure. The attack DOES work if X-Frame-Options is enabled (thanks joev. The msfmodule says so clearly). ALL sites with or without XFrameOptions can be loaded in an iframe, and sent to a bad guy.

If you would like to test on your device/browser, you can on ejj.io/SOP.php . If you click on the button and you see an alert box, you're vulnerable (I doubt many on HN will....)

Many other browser's also seem to be vulnerable. So if you use something else best be safe and check yourself

Actually X-Frame-Options does not save you here. There is a BYPASS_XFO datastore option in the module that turns this into a one-click exploit. This allows the attack to work against sites with the XFO header.

Absolutely critical to know. Thanks joev_. I see that now after reading the msfmodule. This is a good one!

good old blacklist instead of whitelist.

why forbid javascript: and some other thing that you know know, if you know for sure you only want http or https?

always allow what you know for sure how to handle instead of denying what you think you know that you don't want.

While good advice, I suspect that isn't what's going on.

My guess would be that the URL is being validated with code which relies on null-terminated strings, and it's being processed/executed with code that uses a separate length value.

The empty string "" will pass a same-origin check as it refers to the current page. "\0javascript:alert()" looks like the empty string to validation code expecting null-terminated strings. However, it's a valid URL and is executed as JavaScript by code that knows the true length.

One easy way this could happen is if the same-origin check happens in C++ (eg. WebKit) and the URL fetch happens in Java.

The same problem can happen in reverse and has before. Java had a file path vulnerability where Java code would see the full path and the OS calls Java passed to would only process up to the first null. This opened up bypasses in application logic designed to validate paths.

However, it's a valid URL

I doubt "\0javascript" is a valid URI scheme since they must begin with a letter, and any code that uses 0-terminated strings would just see it as an empty string. The fact that the \0 somehow seems to be ignored completely is most disturbing.

Edit: I double-checked the spec ( http://www.w3.org/TR/html5/browsers.html#dom-open ) just to make sure there's no weird "skip nulls" behaviour, and there isn't.

This is one of those cases where browsers are different from the spec. (BTW, the spec you are looking for is here https://url.spec.whatwg.org/)

It really depends on the browser. Here are a few test cases to consider. http://jsfiddle.net/8e525ne9/

Leading nulls used to work in common browsers. Most recent browsers don't support it. However, most do continue to support fun things like newlines and tabs in the middle of URL schemes.

The alert did not appear on an Android 2.3 device (HTC Desire), or a 2.2 emulator (via BrowserStack.com) - not vulnerable, or not compatible with the exploit test?

I didn't test back this far; I should have, it's about 10% of android users. I tested back to 4.0 (not that 4.0-4.1.2 being vulnerable matters much, since you can get remote code execution easily through the addJavascriptInterface vulnerability). I tried out 2.1 in the emulator just now and got the same results as you, so it looks like 2.x is not affected by this.

I tried it myself also a few minutes ago, on an old Droid Eris/HTC Hero (IIRC) running CM7, Android 2.3.2. It does do an odd double-loading thing, but it doesn't show the alert.

Also, damn this thing is slow and tiny compared to my current phone.

Tried again with a Galaxy Nexus on 4.3. Sure enough, it duplicates fine on the stock browser, and works correctly in Chrome.

I would think this means you are not vulnerable. The js begins with a null byte and works on a lot of different versions.

I think the vuln probably just had not been introduced at that time, but I obviously can't be certain without digging through the git log (and even then...all I can do is corroborate commits with release dates).

I have a browser called InBrowser and it gives an alert on your test page. Maybe it wraps AOSP? I don't have "Browser" in my list of apps though, it came with Chrome instead and I installed InBrowser myself. (Android 4.1.2)

Almost all third-party browsers on the Play Store wrap the Android WebView, which is vulnerable. You'll need to use a browser that includes its own rendering engine, such as Firefox, to remain secure.

The Android WebView uses since quite some time the same rendering and javascript engines as Chrome. Thus I would expect third party browsers to be no more vulnerable with regard to this bug than Chrome.

Edit: since 4.4 [https://developer.chrome.com/multidevice/webview/overview]

Hi YeahForbes,

TomPod, the creators of InBrowser, here.

We're unable to reproduce this error on a oneplus and a HTC M8 running the latest version of InBrowser. But rest assured, we'll check this with our suite of devices and Android version during the day.

Since version 2.11 (43), 2014-03-09 we limit the usage of JavaScript: due to another bug in Android. Hopefully it'll fix this issue as well. So please make sure that you're on latest version from Google Play.

If we can fix this on our side we'll push a fix asap. If not, we unfortunately need to wait for Google to address this. We'll post any updates on this issue at @tompodapps.

Thanks for reporting it!

What's the expected response when clicking the button in Chrome on Android 4.4.4? I'm on a Nexus 5, on 4.4.4 and I see an alert box in Chrome 37.0.2062.117.

This is absolutely not the expected response, which is really odd. I am running android 4.4.4 on a nexus 5 on Chrome 37.0.2062.117 (it just so happens) and I don't see an alert box.

Expected is no alert box

I can no longer reproduce this on my Nexus 5. The first time I tried it (yesterday), I saw an empty alert box. The second time I tried it (today), the button pops in and out ineffectively.

Replaced by Chrome ("that giant hog").

I'm on a slightly older phone, but I actually removed Chrome from it not long ago. I started having problems with updating apps due to insufficient space, and while I have a fair amount of crap installed, I also have ~2.5GB of "Phone" storage for apps so I started investigating (this is separate from "sdcard" data storage which is ~8GB). Turns out Chrome, at least on the HTC Amaze 4G with 4.0.3, takes up about 250MB - my largest installed app by about a factor of 4 (next largest was ~80MB). This was not cache or data, this was the app itself.

I don't know what all they've moved into there as part of their push to cripple Android except as a host for the "Google Play Ecosystem," but crap like this is not endearing.

I am running out of space because Play Store and Google Framework get bigger and bigger. It fills me with rage how Google actively makes my old phone less capable over time for no benefit to me.

Yeah. I was using a Nexus One for a long time until I had to prune so many apps due to space that it wasn't worth using. I got a new phone, HTC One S (I needed a t-mobile branded phone for wifi calling) with several gigs of system partition space, and now I have to play that game again.

I recognize that there are a bunch of features now that I get to enjoy, but now I have to choose which ones I want to keep.

When I switched, 20MB was a big app. Now I have at least 30 apps that are bigger. Chrome in particular seems bogus. The desktop version isn't even this big.

   Chrome : 211MB
   Facebook: 116MB
   Google search: 70MB
   Google+: 65MB
   Amazon: 60MB
   Mantano Reader: 54MB
   Dropbox: 50MB
   Google Play services: 50MB
   Google Text-to-speach engine: 45MB
   Hangouts: 35MB
   t-mobile my account: 33MB
   SwitftKey: 33MB
   Kindle: 30MB
   Evernote: 30MB
   BaconReader: 28MB
   twitter: 25MB
   Hulu: 25MB
   Google Maps: 24MB
   Google Drive: 24MB

I do recognize that these apps balance the data differently. Chrome is 189MB app, and facebook is 80MB data.

I have the latest Chrome for Android and it's 65MB for the app. Still large, but nowhere near 190MB.

Likewise on my Moto G running 4.4.4.

65Mb app

22Mb data

= 87Mb total

Cache is recorded separately, currently at 205Mb. I wonder if it is a question of how the figures are being displayed in different versions of Android.

did you disable cache somehow?

open a bunch of ssl pages and see app data space explode. same happens with firefox

The cache doesn't seem relevant but I could test that. Presently my breakdown is 189MB+21MB , App+data, and 13MB Cache.


   Reinstalled.  (play store reports 30MB download)

   Before opening the app  65MB+4KB, 0MB cache

   First launch (no sync sign-in) 65MB + 10MB, 60KB cache

   Browsed Noisy SSL page (google plus feed):  65MB + 14MB, 13MB cache
   Signed into sync: no change  ( 10min later, no change)

   Browsed image heavy site (imgur): 65MB + 14MB, 25MB cache

Does chrome store the old versions on upgrade? That would perfectly explain why my fresh install is 64MB, and my older isntall was 3x that size.

It does on the desktop: Omaha, a.k.a. Google Updater, follows a "keep a few recent versions around and just symlink the current one" model to enable atomic upgrades and rollbacks of failed upgrades. If Android Chrome manages its own updates, it's likely using Omaha for them.

I did not disable cache and it shows a large amount of cache data. But the post I responded to claimed 189MB of app data.

I'm reinstalling right now to test, it shows as a ~28MB download. I feel pretty confident it's not cached data in my case, as I don't use the Chrome browser on my phone (I prefer Dolphin with gestures & LastPass integration), and on a tablet I only use it for logging into wifi hotspots.

.... And after the reinstall it shows up as 65MB of app.

Dolphin is affected too.

Checking.... Dolphin is a little weird on its own with the separate browser and "Dolphin Jetpack" (basically its own custom-built webkit engine).

Looking before removing Dolphin, Dolphin is showing 13.82MB of App plus 42MB of Data (which I believe could mostly be moved to phone storage). Also 2.3MB of cache. Jetpack is showing 18.67MB of App, 4k of Data.

After reinstalling both and a first run of Dolphin (and restoring a slightly out of date backup for bookmarks, etc.), Dolphin is using 13.80MB of App and 4.66MB of Data, while Jetpack is using 18.67MB of App.

I'm not seeing the same thing happening with Dolphin as with Chrome.

used nexus one until couples months ago. even with all ext sd card hacks, i couldn't install firefox on a clean install.

app space is the only reason i generated more garbage in the world even though my current device only lacked the software to use the memory i had available.

For what its worth, the chrome Mac OS X version of google chrome is 331.9 MB on disk. Doesn't seem bogus to me.

The OSX "show info" dialog block shows the file size in disk blocks, as opposed to the actual bytes of file content. There might be a misunderstanding between people because the "real" file size is different than the "actually occupied" disk size. This is of course aggravated by lots of small files.

Just to be sure:

    $ du -h -d 0 /Applications/Google\ Chrome.app               
    317M	/Applications/Google Chrome.app

    $ tar -c -f - /Applications/Google\ Chrome.app | wc -c      
    tar: Removing leading '/' from member names

    $ find /Applications/Google\ Chrome.app -type f -print0 | xargs -0 cat | wc -c

On win8, the total Chrome dir is 450MB, but that includes two versions, and a backup of the installer of the latest. Excluding those and the flash plugin, the running Chrome's (37.0.2062.120) contents are 115MB.

I lost the ability to write to my external sdcard when I got the kitkat upgrade. Of course rooting allowed me write access again. This is why the "rooting voids the warrant" policies are bullshit. When an upgrade is forced on a user, and removes critical functionality for no good reason, what is the user to do? I, for one, am never buying a locked down phone again. I'd rather not even have a phone.

Don't get too raged, this has been happening on almost every computer for the last 20 years. The more you use it, there more there is to store, the more apps you use, the more data is placed everywhere.

That's not what I said. I actually use my phone less as I found the apps and data I "need". Google is forcing software updates (silently even!) that leech away significant amounts of space away from me.

Yea, don't they know 128 mb should have been enough for anyone?


I don't see why shiny progress should be held up because you can't be arsed keeping up with new generations of tech. If you don't like it, go install a rom and some of the many many many alternate applications which keep sizes small.

Mobile phones began, much like desktops began, extremely limited. We are simply seeing the same thing happen, we're now getting up to sizes of around 32 gb, yes, it happened much faster this time, and that may be why many feel the pinch much more - I'm sorry for that - however it is the price to pay for being an early adopter like yourself.

Yet thankfully,it has also now reached a level where it is now almost impossible to fill with application data. Storage and processing may continue to increase but I highly doubt you will feel quite the same pain of running low on space with nothing but chrome and facebook installed.

Installing a ROM is actually why it's unlikely that my next phone will be an HTC. I made the mistake of buying what was basically their flagship phone for a little while, which was promptly dumped for the HTC One.

Take a look at the ROM situation for the HTC Ruby platform, aka the Amaze, aka the only phone in its product line. Despite what Wikipedia says, there isn't a huge mass of aftermarket ROMs because the phone itself had such a relatively small distribution and was discontinued.

FWIW, on my Moto X running 4.4.3, Chrome takes only 65MB for the app itself. I would imagine the "bloat" comes from them including compatibility frameworks that allow Android apps to ship supporting features from newer Android releases and SDKs on older Android devices. But I also would have expected those frameworks to be handled by the Google Play Services app, rather than be bundled into every single app on your phone that needs them...

Having built my own custom Chromium for Android several times on a project, 250MB is out of line for stock Chromium. My builds for my custom browser with Chromium content-shell were ~70-80MB. Chrome, indeed, adds a bit of extra "google chrome", and probably some additional internationalization, but 250MB does not seem square, in my experience.

I guess I'm going to be forced to switch to Chrome now for safety's sake, but I've been avoiding it because it has some major usability problems that Android Browser doesn't. In particular, not reflowing a web page when you zoom in is infuriating because I invariably end up zooming in order to be able to read an article, then I have to pan side to side for every line of text. Font sizing is bizarre too. Web pages suddenly have font sizes increasing and decreasing seemingly at random, and to the point of illegibility. I just tried loading this page up on Chrome for Android and the header text (new | threads | comments ...) is absolutely microscopic.

I'm no browser snob -- I'm perfectly happy to use the stock AOSP browser even though it's got some stuff I don't like about it -- but I really can't understand how anybody uses Chrome for Android at all.

I suppose it's probably time to re-try-out some of the 3rd party browsers again.

> Font sizing is bizarre too. Web pages suddenly have font sizes increasing and decreasing seemingly at random, and to the point of illegibility

I haven't tried Chrome, but I see this in CyanogenMod's stock browser (probably close to AOSP) and Firefox. In Firefox's case at least, my research pointed to "font boosting" being the cause of increasing/decreasing, but I haven't found a good fix.

Amazing! Now that I know the term to search for, I'm certain that this is the misfeature that aggravates me so. My AOSP browser (which is 4.0.3) doesn't have this problem. I like the comment in the webkit bug discussing it: "In terms of status, this is shipping in stable Chrome for Android with acceptable quality." Ugh.

I thought it was something wrong with my CM build, or maybe because I didn't install gapps (Google's proprietary apps). I'm amazed to find the developers call this acceptable.

Recent (CM11?) versions of the Cyanogenmod browser are actually based on Chromium.

google is learning how to be evil with offline tech.

online they just shutdown the old system. offline now they leave holes and announce them when they want you to upgrade. "for security"

Just an update from the Google side: As discussed below, any Android users on 4.4+ or running Chrome are not affected. For earlier versions of Android, we've shipped patches for AOSP:

https://android.googlesource.com/platform/external/webkit/+/... https://android.googlesource.com/platform/external/webkit/+/...

These are in the AOSP branches for jb-dev, jb-mr1-dev, jb-mr1.1-dev, and jb-mr2-dev.

Does this mean that there will be an update for the Galaxy Nexus?

OS updates for $SPECIFIC_PHONE are generally reliant on the carrier to decide to push out a patch, even after AOSP itself is patched. So an answer "from the Google side" can't really answer your question.

The regular carrier-independent versions (Yakju/Maguro and Takju/Maguro) which are directly supported by Google.

is android kitkat 4.4.x safe from this bug regardless of whether chrome browser exists (not installed or uninstalled) in the phone or not? please enlighten. thanks.

My understanding is that Chrome replaced Webkit in WebView's internal implementation in 4.4, so the bug should never appear in 4.4.

Yup correct. Completely different WebView. And the bug is technically in the WebView.

Android has its merits, but more and more I am reminded of this aptly titled article (proudly mentioned by Tim Cook during the WWDC keynote): "Android Fragmentation Turning Devices Into a Toxic Hellstew of Vulnerabilities" [1]. These kinds of incredibly serious, system level issues are a significant competitive disadvantage, and they keep happening. Google needs to build fast security update requirements into their Android license agreements with device makers. At least then, when these things are discovered and publicized, tens of millions of people won't be left vulnerable.

[1] http://www.zdnet.com/android-fragmentation-turning-devices-i...

Note that this isn't an "incredibly serious system level issue." This is an issue with a browser that Google hasn't supported for several years, since they replaced it with Chrome. It also doesn't affect alternative browsers like Firefox or Opera.

Note that if Apple had a similar vulnerability, you likely couldn't work around it by using an alternative browser, because all browsers are required to use Safari's rendering engine.

My LG G2 (12 months old) shipped with an App called "Browser" and no Chrome.

Is this not the app you're talking about?

I would guess a great many Android users (if not the majority of Android users) are not using Chrome.

In fact, that's exactly the case according to this: http://www.netmarketshare.com

Chrome has made some strides this year, but the Android Browser still leads by a point. That'll probably change next month or two I'd guess. But unless I'm entirely off base and talking about the wrong thing, I think your comment is very misleading.

If this happened with Safari, you'd likely see a patch pretty quickly, and it would be available to almost everyone at the same time.

In addition to the Browser app that is still widely use in devices with less-than-latest Android versions, It's present in every app that uses WebView. And you only get fixes to WebView via OS updates. (x)

(x) Maybe. Assuming someone bothers to incorporate them into to the OS update for your device and they make it through the hurdles between the engineer and OTA update certification.

WebView uses Chrome as of 4.4 as well. Also many apps that use WebView show only their own content in it. There are only a couple apps that show user specified content in app via WebView, like Reddit and HN.

Even if I were to go back to the old Internet app instead of Chrome, this bug is irrelevant to me since I use an app for GMail, Twitter, Facebook and anything else important. I can't remember the last time I used the mobile browser for anything that matters.

It's still a copy of the browser code that comes with the base OS, even if it dodges the bullet on this bug. The Chromium-based WebView doesn't receive updates like the Chrome app so will generally contain unpatched vulnerabilities, so the system level issue remains.

(Note that the rare-to-nonexsistent OS updates are still a problem, this WebView issue nonwithstanding. They are running old vulnerable Linux kernels which compromises the app sandbox)

> The Chromium-based WebView doesn't receive updates like the Chrome app

We hope to see that change very soon. http://thenextweb.com/google/2013/11/12/google-says-working-...

Yes, I was referring to the WebView issue when I said "system level".

Android 4.4 and up use Chrome in their webviews, rather than the AOSP browser.

Think of it the way Apple abandoned Safari for Windows without letting the users know. They're still using Safari for Windows, it's just completely insecure and they have no idea.

Even if they do fast vuln updates, what about older devices? Even Google only offers 2y of support.

Even worse than that: They've been variously been saying "18 months from device release" and "up to 2 years" lately. So if you buy a device that's been out for a year you may be out of luck in 6 months.

I think Google needs to change that as well. Android is seen as a second class OS by a large percentage of people, and these kinds of revelations only increase that percentage. Google can do better, but for whatever reason they aren't.

I think the large percentage of people that see Android as 2nd class don't know what an OS is, nor are they likely to become aware of this issue.

This kind of thing, without a way to update hundreds of millions of older devices (mostly owned by laypeople that aren't going to be loading custom ROMs/rooting their phone), makes Android a second-class OS. They'll become aware of the issue when their bank account gets emptied or any of the other thousands of ways this could be exploited.

> Google can do better, but for whatever reason they aren't.

s/aren't/choose not to/

This is simply bad management – we're talking, what, a single engineer to backport critical fixes and some testing support. Contrast that against the damage this has done to Android's competitiveness – even the non-nerds I know talk about how they bought an iOS device because Android never gets updates – and increases the likelihood that they'll have a major security problem at some point when someone creates widespread exploit affecting all of those abandoned phones and the headlines talk about how many millions of people are at risk for a problem which was reported years ago.

The phone vendors and carriers had a large part in creating this problem but most of the reputation sticks to the platform and, as with the more general fragmentation problem, Google has been very slow to take it seriously.

>> we're talking, what, a single engineer to backport critical fixes and some testing support.

Understatement of the day? :) There is absolutely no way a single developer will be able to support huge/complex codebases like web-browsers across platform versions.

Also keep in mind that most of the original developers would have moved on from the project - due to lack of interest, greener pastures etc. I am wondering what kind of engineer would be willing to babysit a project like this - and if somebody is willing (for whatever reasons), would they be competent enough?

> Understatement of the day? :) There is absolutely no way a single developer will be able to support huge/complex codebases like web-browsers across platform versions.

Possibly but I wasn't talking about upgrading to the latest WebKit or the actual patch development – only the work required to backport a critical fix which has already been identified and fixed upstream. That's a fairly normal part of the support process at most places so I wouldn't expect it to be a huge amount of work unless you hit something which required an architectural change to fix.

Edit to add a link to the diffs which were posted earlier today:



Obviously not every patch is like that but there also aren't that many critical bugs – I'd be surprised if the engineer:tester ratio was anywhere near even on this kind of work.

> "...what kind of engineer would be willing..." The kind that ends up on a layoff list when the inevitable slowdown occurs. This is a zero-glory, zero-thanks task, with plenty of risk.

> "...support huge/complex codebases like web-browsers > across platform versions..." What could go wrong ?

I am a big Linux fan and appreciate the openness and control that I can get with Android as opposed to Apple and Microsoft products, but...

My Android experience has been shit, and I'm really getting sick of it.

Admittedly, much or even most of the problem for me is the OEMs screwing things up and not sending out updates.

What does Android has to do with Linux? Do you also praise TiVo for the "openness and control" by using the Linux kernel?

You make a good point, though you present it in an awkward manner. Android has everything to do with Linux in its usage of the Linux kernel, but its userspace offers none of the actual advantages of using a Unix-like kernel.

The GNU/Linux terminology is actually quite relevant here, seeing as Android is Linux, but not GNU/Linux. Hell, Android's libc comes from OpenBSD, so...

For instance, I can mount the filesystems on my Android phone on my laptop running Linux and copy music over.

Can I do that with an iPhone? Maybe, but probably have to put up with a lot of Apple garbage, trying to make things "easy" for non-technical people and/or keep you in their ecosystem.

I also like that Android uses Linux because I think the proliferation of Linux is good for me. (For various reasons, not that I have a financial stake in it, although I do indirectly due to my technical areas of competence.)

In that sense, I prefer that it uses Linux marginally over, say, using FreeBSD, which I would still prefer infinitely more than a proprietary OS.

I find Android's a lot nicer if you stick to Nexus and GPE devices, and don't root or otherwise hack them. Yeah, carriers and OEMs are mostly terrible about updates and support, but it's not like this is some big secret.

You're not the only one. I'm sorry, but the Android issue has devolved into a holy war but...

.. support is terrible on the Android side. Really terrible.

People need to stop buying terrible phones. Consumers keep rewarding companies who don't keep up with their promises and thus no one ends up giving a crap.

In my opinion if you're not going to buy a Nexus device or a Moto E/G/X then you might as well buy Apple. The Android One program will hopefully add more to that.

You can only know if it is a "terrible" phone until long after you have bought it.

Most people don't have the ability to make an informed decision about a phones purchase (or they want to buy an iPhone or Nexus but they simply can't afford it).

I bought a Google Nexus at USD650 retail - a perfect counterexample to your advice.

I recommend iPhones to those who can afford it (purchase price, insurance, screen replacements etc.).

I recommend Huawei Y310/320/330 for those who don't have much.

In between there are too many other factors to make a straight recommendation (e.g. buy second hand iPhone versus a Moto G).

My one year old Nexus 4 is on KitKat. I guess you're talking about the Galaxy Nexus. While I agree with you that they dropped the support a way too soon, being the reference phone you'll have no problems in updating it with CyanogenMod, which is a really good distribution btw.

But as a slight counterpoint, given the fast release cycle, you can't expect them to support a phone forever. You mentioned iPhones. Well I have an iPhone 3GS. It's a perfectly capable phone that still works and that was still sold as the low-price alternative after iPhone 4 happened, yet Apple stopped supporting it as well. But I can understand that, because these OSes get more bloated with stuff and it leads to a shitty experience. I was able to upgrade an older Galaxy S (first generation, shipped originally with 2.1) to 4.3 by means of CyanogenMod and it was unusable due to the less than capable hardware.

Google did drop the support too early for the Galaxy Nexus, but try out CyanogenMod. I'm even thinking of installing it on my Nexus 4 because the Android on this device is bloated with Google-stuff that I cannot uninstall and it pisses me off. It's also enlightening to install CyanogenMod without Google Play, for an all open-source experience ;-)

Ouch. The issue seems to be with "the OMAP processor from Texas Instruments" that makes support difficult. Haven't seen that coming.

But the Nexus devices are just as bad as the others. If you had bought the latest model last year you'd be screwed on updates by now.

I'd love to buy an iPhone but I want to run Android software so Android it is.

There's test builds of Android L for the Nexus 4 available, so it looks like it will also officially get that release. It's still got 2GB of RAM and a quad-core 32-bit ARM, so it's not too different from the Nexus 5 in that sense. It is really a question of how long Qualcomm will support the S4 Pro board support package. If we've all moved to 64-bit ARM cores, then that'll be a bigger problem for these older 32-bit phones.

> .. support is terrible on the Android side. Really terrible.

Buy a Windows Phone, then.

I've got an iPhone 5.

As Firefox saved us from dangerous browsing circa 2004m from IE5,6,7, now I may save us from obsolete Android stock browsers. At least that's what I use.

Unfortunately a lot of apps embed the Android browser as well, and you can't change that.

Does anyone know if WebView is similarly susceptible?

I wish I had tested this sooner, but yes, Webview is vulnerable (use document.write(document.domain) instead of alert() to test). So afaict apps that embed webview/ads on < 4.4 are at risk.

How would this be exploited? Can you read the contents of a webview in another process? Your users would have to navigate somehow to an exploited page (via an ad)?

>While the AOSP has "been killed off" by Google, it...

I do not follow android closely, but this refers to the browser only, right?

The author is also slightly mistaken on that. The AOSP browser is just a UI shell for WebView, and WebView has absolutely not been killed off. The WebView in KitKat sits on top of Chromium, for example, so installing an AOSP browser on KitKat will likely not have this vulnerability.

But it will still have vulnerabilities that have been fixed in current Chromium.

(In the Chromium WebView FAQ they say they're working on fixing it, but there are major difficulties. https://developer.chrome.com/multidevice/webview/overview)

he's missing the word browser. It should read:

> While the AOSP browser has "been killed off"...


It was a mistake to put Webkit as an operating system level component in the first place. It would be better if the solution wasn't to push Chromium but a storage framework style pluggable component, mainly since they can't get stuff like text sizing right.

Luckily since most vital user info is going to be in apps this doesn't have nearly the same impact as it would on desktop, but it does represent yet another demonstration that having the web as a sort of super-platform-on-a-platform doubles your attack surface.

Android really is comparable to 90s era Windows, in every possible sense. For better or worse Chrome OS is clearly being positioned as the NT equivalent as well, but it's hard to see how you can recreate the functionality of Android without adopting the flaws too.

So the bug is only for a browser that isn't supported by Google? No surprise that it hasn't been patched. If security is such a big deal to a user they should use a browser that is supported by a strong development team. Firefox and Opera Mobile work fine on low end phones.

"a browser that isn't supported by Google"

But still a browser that was created by Google and was bundled with the OS until 12 months ago, never mind how long it takes OEMs to roll it out. Android <=4.3 accounts for 75% of Android users:


Just because Google decided not to support it any more doesn't mean they shouldn't. Pointing out Firefox and Opera is all very well, but this is the default browser on Android <=4.3, and very few users explore alternative browsers (Chrome being the exception, to a point).

It's also the browser engine used in embedded webviews, don't forget.

Could they update it, though? I thought part of the reason they went to Chrome is that the AOSP browser is baked into the OS and so not updateable without updating the whole OS. So to patch it, they'd have to update the OS, but if you're doing that, then why not just move to the latest OS, which is already fixed?

Chrome only supports Android 4.0+ (Ice Cream Sandwich), so people with older Android devices don't have that choice. OTOH, Firefox supports Android 2.3+ (Gingerbread). Mozilla only recently dropped Froyo support.

Yes they can update it. Android provides an update mechanism for system apps.

They can update the "Android Browser" app, but the flaw is in a system level component (the Android WebView). They might be able to mitigate the flaw with an update to the app, but all other applications (including any OEM shipped browser that utilises the system web view) would still be vulnerable.

I imagine this would be fixable with an Android OS patch, no? I think this is critical enough to warrant that.

Very few people explore other browsers? Alt browsers are often the first app that people download. Chrome is included in gapps.

Alt browsers are often the first app the people download.

Which people? I'll grant that Chrome is an exception, given that it's bundled, but I've never seen usage number of other alternative Android browsers hit any meaningful numbers.

Who, engineers? Certainly not my wife or anyone else I have ever met who isn't technical.

My grandmother managed to switch entirely to Chrome on her PC without the help of anyone in our family. Anecdotal evidence works both ways. It isn't 1998. Most people know what a browser is and which one they are using on their desktop. Making the leap to a second browser on a phone (where they can easily get it from Google Play) isn't that ridiculous.

Who's talking about PC? We're talking about phones here, and it is different. Also, it's not anecdotal; we have data. The only reason that IE still has such a large share of the browser market is because people are unaware of and/or don't care about other (better) options.

Not sure what fantasy land you're living in. But most people are not downloading alternate browsers en masse for their phone. Especially not when there isn't a compelling reason to do so.

Chrome on Desktop has adapted several malware techniques to get installed without the user noticing. Bundled by default in many installers, including Flash, installs with user permissions only.

Example? I worked quite hard to get my grandma to install Chrome.

>Bundled by default in many installers, including Flash, installs with user permissions only

Not saying I agree with the Malware comment, though the bundling is annoying.

Isn't that what you are for, if you're computer-literate?

The first thing I install on my gf's computer or phone is Firefox and configure it to sensible settings (turn off third-party cookies, install ABP and Ghostery and stuff like that).

Haha, I'm sure we've all had tunnel vision moments at one point or another.

I've played tech support to many people in my circle of friends and family who have no idea that alternate browsers even exist. The vast majority of users use what comes on the phone by default.

Most "normal" people assume whatever browser comes with Android is "Google's Browser" (right or wrong), so this could be a very big deal to A LOT of people. How many Android handset manufactures have shipped units with the AOSP browser as the default?

So on 90% of phones when someone opens "the web" using the browser installed on their device, they are using an unsupported browser. How would they know this?

Only 20% of mobile web traffic comes from ASOP browser.

According to these people, Chrome and Safari also have ~20% each.


That's 1 in 5 mobile users! How can you argue that 20% is small?

> How can you argue that 20% is small?

where did they argue that? They were just correcting the 90% claim above.

"90% of phones" and "20% of Web traffic" are two different claims; there is no correction.

This just keeps getting better. "Only 20% of mobile web traffic", wow.

Back in my times browsers would kill for a 20% market share...

both are chrome. just different versions.

google ridicules microsoft with IE6, and the first offline platform they release they made the exact same mistake!

bundle a integrated browser just so the use cant uninstall... and decide to not patch it.

not the exact same mistake, as you can install chrome...and now those can at least be disabled. Un-installable system apps...another place where the microsoft and apple default is a mistake.

I fail to understand your point. you can also install browsers on windows that ship with IE6.

your other arguments, maybe on your fancy phone. 99% of the phones still stuck on 2.3.3 or older, you

- can't disable system apps

- can't uninstall system apps

- usually have 60mb or less for apps.

- can use the SD card for apps.

that leaves ANY browser out of the option. chrome and firefox, both install on around 20 to 40mb... and then consumes an additional (non-configurable) 100+mb of cache on the app data partition. leaving any older phone crippled (you can't fetch background data when the low storage space warning is showing).

That's because most web traffic comes from iOS. AOSP Browser represents about half of the Android traffic.

Well, not everywhere. Here in Brazil, Androids have the (by a huge margin) biggest share of the market and of the mobile traffic.

They are clearly talking about normalized global metrics.

Obviously things aren't the same everywhere...

Pretty much the tone-deaf reaction I was expecting. Thanks!

(Of course, these devices will still be counted by those touting Android's market share. Surprise surprise)

And this is where platform evangelism/favortism morphs from the merely annoying to the (potentially) dangerous.

Even if we accept your dismissal of this issue, and I sure don't, this is indicative of Android's issues as a platform. Massive vulnerability affecting huge proportion of installed base is ignored by vendor.

"So the bug is only for a browser that isn't supported by Google?"

Wait, what ? I'm not an android user, but I am a chrome user on all of my desktops ... can someone enlighten me ? How is chrome not a browser supported by google ?

This is not a bug in Chrome, but a bug in AOSP which was the browser shipped with android before Chrome became the default.

AOSP Browser is the unsupported one. Google deprecated it in favor of Chrome.

But AOSP is still a core part of the android OS because it's used by every app that wishes to render a page.

In 4.4, WebView is backed by Chromium.

"deprecated" while there are still millions of consumers whose products only run 2.3.3 with enough memory for aosp browser (which they cant even uninstall)

google logic. ...or better yet, san francisco dev logic

>. If security is such a big deal to a user they should use a browser that is supported by a strong development team.

Recalls happen in older cars still. Maybe since it is 2014, we think about a similar idea with software involving millions of users.

Is anyone familiar with the code that allows this vulnerability to be present and where I can find it(I believe this project is open source)? I understand the exploit is adding a nullbyte at the beginning of some javascript due to some bad handling in the parsing code. So I'm looking here: https://android.googlesource.com/platform/packages/apps/Brow...

I don't know the exact location, but it is probably somewhere in the webview tree, since it affects apps that embed webviews as well:


Since it's both webview and browser itself, I'd suspect some kind of common denominator object at fault... like...https://android.googlesource.com/platform/frameworks/base/+/...

Especially with a method called "public static class IllegalCharacterValueSanitizer".

The general lack of updates is exactly why I use/install/recommend Firefox. That and the automatic syncing w/ Desktop and the regular performance improvements. (Chrome isn't an option. I can't even turn off third-party cookies. In 2014.)

Too bad it uses quite a few resources and may be too heavy for low-end phones.

This is nuts. On a sidenote, any suggestions for an equivalently fast, secure browser for Android 4.2 on a relatively old phone? Not gonna use AOSP anymore!

I use Firefox on my Android phones, it's come a long way since its first release and is pleasantly stable and comparably quick to chrome.

Firefox mobile works great, give that a look.

Chrome/Firefox. Not AOSP stock browser.

Just tested all browsers installed on Android 4.2.1 tablet:

    Opera Classic  OK
    Opera Mini     OK
    Tint           Vulnerable
    Default        Vulnerable
Opera has usually worked OK, though sometimes rendering is a bit off. Better than the default browser, especially now.


Opera Classic is great. The new Opera works very much like Chrome, since it's based on Chromium.

You can try Opera Mobile Classic, it's important to use classic version since the new Opera Mobile uses the same engine as chrome so it might have the same vulnerabilities.

AOSP != Chrome, right? ...

Correct. Chrome is a separate project from the AOSP.

That said, Android 4.4 and later use Chromium for their WebViews, the source for which is developed along with Chrome as a part of the Chromium project - it does not live in AOSP.

Presumably the stock browser that is in AOSP 4.4+ wraps Chromium, which more or less means the AOSP browser is Chrome...but not the other way around. :)

Right, the AOSP browser is not Chrome. The AOSP browser is deprecated and is not installed by default on recent versions of Android.

This leaves us with little alternatives. Tint is affected. Dolphin is affected. Firefox is just horrible on mobile, come see this page and you'll understand why (they can't get font inflation right). Chrome and Opera are what's left. Anything else?

I'm using Firefox on Android 4.4 as my full-time browser, it is rather good most of the time. TBH HN is the only site I can think of that gives me trouble... and knowing the authors' attitude to HTML I'm prepared to accept the fault is not Firefox's.

There are many font inflation bugs open on Firefox mobile. One of them was opened about HN https://bugzilla.mozilla.org/show_bug.cgi?id=707195 in 2011. Others are about reddit. Others are about other sites. Firefox didn't grok a way to handle font inflation in a reasonable way. All the other browsers did. I quote a Firefox developer:

------ From a UX perspective, we should really try to fix this somehow. Reddit and ycombinator look terrible in our browser right now. Some examples:

ycombinator http://cl.ly/0l2f2v0p3v0e290J0A0W

Reddit http://cl.ly/1M452m2a2D3D04070S1I

These pages look perfectly fine in stock Browser -- they are a little wonky in Chrome but still better than us ------


That was 2012-05-01.

1) reddit renders fine for me now, zoom is consistent (Firefox 32, Android 4.4)

2) HN uses HTML straight out of 90s (tables nested three deep, spacer images to indent threads) so I don't mind them not focusing on trying to salvage it. Also from the comments thread: "to fix this we'd want to know the widths of the containers of all the text, which requires doing layout on the whole subtree (or at least a decent part of it), but we need to know the inflation numbers before we do layout. (It's probably doable by constructing reflow states for the entire subtree as we walk it, but that would be a significant performance hit that I don't think we want to take.)" Don't abuse tables and you won't have a problem.

Use Chrome.

Use Firefox.

Why? Chrome isn't open source, if you care about that kind of thing. And personal preference also.

That's not chrome.

It is very very close: https://code.google.com/p/chromium/wiki/ChromiumBrowserVsGoo...

tl;dr: Chromium is Chrome minus:

1. Crash/usage reporting to Google.

2. Proprietary video format support

3. Embedded Flash implementation (which doesn't exist on mobile anyway).

4. Google API keys.

If what you care about is security auditability, that's pretty good. If you care about running only open source software, that's going to be very hard to do in the Android/Google-Play ecosystem.

> If you care about running only open source software, that's going to be very hard to do in the Android/Google-Play ecosystem.

yet, the main advertisement google trhows for android is "open source" "community driven" yadda yadda

Main advertisement? I just went to android.com and developer.android.com; android.com advertises "Google built in" and lots of platforms, with a very small link to AOSP at the bottom of the page; developer.android.com has an AOSP link buried in its menus.

oh sorry. advertised.

we have already been baited and switched. but marketing takes a long time to dissipate...

here, i just clicked 2010 and clicked a random day for android.com


the 1st block is about the nexus one (market as open, but not on this page) and look! the second item on the page reads "Access to the entire platform source and information on how to contribute."

guess they forgot an asterix there saying that the "entire platform" means some of the platform.

It's been years since Google switched away from that claim.

I believe only Chrome has built-in PDF viewing too, which can be nice. The page you linked has people saying there are Chromium plugins for it, or you can install a dedicated PDF viewer and it will probably embed itself in the browser when downloading PDFs.

No longer true. The PDF viewer's been open-sourced a couple months ago. Source: https://news.ycombinator.com/item?id=7781878

Cool! Thanks.

> 3. Embedded Flash implementation (which doesn't exist on mobile anyway).

Firefox for Android still supports Adobe's Flash plugin for Android.

I've built it using these instructions before and it's not that difficult at all.

Is the Android chrome (in the UI sense) now open source as well? If that is the case, we could finally get the option to disable third-party-cookies...

open source.

has extensions.

allows you to control the web, where chrome allows google to control the web for you (e.g. no way to disable referrer for one thing)

That, and you can actually turn off third-party cookies.

There's absolutely NO reason you should have them on, and I've been surfing the web just fine this way for 15 years.

Won't protect you from apps embedding WebView.

What protects you in that scenario is those apps aren't really vulnerable to leaking anything in the first place. Malicious ads in games can only see what other ads you've viewed, it's not like you're signed in to your bank website in Angry Birds.

And if your banking app with its embedded webview has its site compromised, you're already fucked without even opening the app.

If only Meego took off.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact