posted by martyb on Saturday August 19 2017, @06:04PM
from the slurp-slurp-slurp dept.

Arthur T Knackerbracket has found the following story:

Oxford researchers [...] (Vincent Taylor, Alastair Beresford and Ivan Martinovic) [...] [looked] at how the same library in two different apps could expose information from a higher-privilege app to one with lower privilege.

They write that this “intra-library collusion” (ILC) happens “when individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted”.

As the paper explains, shared libraries can borrow permissions an app doesn't have [...] That's a threat, because library re-use across different apps isn't a bug, it's a feature: it makes app development more efficient and keeps apps small by letting them use code pre-loaded to a device.

While noting that attackers are standardising their own libraries, the researchers focussed their effort on advertising libraries [...] handling location, app usage, device information, communication data like call logs and messages, access to storage (including, for example, a user's files which can indicate their interests), and the microphone.

Starting from more than 15,000 apps with more than a million downloads, the researchers decompiled the apps to identify the libraries they linked to; those that decompiled successfully were then analysed for their intra-library collusion potential.
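As an added illustration of what such an ILC-potential analysis looks like (example code written here, not code from the paper or the article): given a per-app inventory of granted permissions and embedded library packages, compute each library's combined privilege across its hosts, flag the libraries whose combined set strictly exceeds what any single host was granted, and list what a library can reach from inside an app that was never granted it. The app names and permission sets are constructed, hypothetical values; the library prefixes are taken from the table in the story.

```python
from collections import defaultdict

# Constructed, hypothetical inventory: app package -> (granted permissions,
# embedded library packages). In a real audit the permissions come from each
# app's manifest and the libraries from package prefixes in its decompiled
# code. Library names reuse prefixes from the table in the story.
APPS = {
    "com.example.weather": ({"ACCESS_FINE_LOCATION"}, {"com/flurry", "org/apache/commons"}),
    "com.example.dialer": ({"READ_CALL_LOG", "READ_CONTACTS"}, {"com/flurry"}),
    "com.example.notes": ({"READ_EXTERNAL_STORAGE"}, {"com/flurry", "com/mopub"}),
    "com.example.game": ({"RECORD_AUDIO"}, {"com/mopub"}),
    "com.example.calc": (set(), {"org/apache/commons"}),
}

def hosts_by_library(apps):
    """Map each library to the permission set of every app that embeds it."""
    hosts = defaultdict(list)
    for perms, libs in apps.values():
        for lib in libs:
            hosts[lib].append(perms)
    return dict(hosts)

def library_privileges(apps):
    """Combined privilege of each library: the union over all its hosts.
    Android grants permissions per app and does not separate a library from
    its host, so this union is what the library's code can reach on the device."""
    return {lib: set().union(*sets) for lib, sets in hosts_by_library(apps).items()}

def colluding_libraries(apps):
    """Libraries with ILC potential: embedded in more than one app and holding
    a combined set strictly larger than any single host's grants. A library
    whose hosts' grants are all covered by one host gains nothing."""
    combined = library_privileges(apps)
    return {lib for lib, sets in hosts_by_library(apps).items()
            if len(sets) > 1 and all(combined[lib] > perms for perms in sets)}

def borrowed_permissions(apps):
    """Per (app, library): permissions the library can reach via its other
    hosts that this app was never granted, i.e. what the library 'borrows'."""
    combined = library_privileges(apps)
    borrowed = {}
    for app, (perms, libs) in apps.items():
        extra = {lib: combined[lib] - perms for lib in libs}
        borrowed.update({(app, lib): e for lib, e in extra.items() if e})
    return borrowed

if __name__ == "__main__":
    for lib in sorted(colluding_libraries(APPS)):
        print(f"{lib}: combined privilege {sorted(library_privileges(APPS)[lib])}")
    for (app, lib), extra in sorted(borrowed_permissions(APPS).items()):
        print(f"  {lib} inside {app} borrows {sorted(extra)}")
```

Note that org/apache/commons is shared by two apps but is not reported, because one host already holds everything the union contains; only libraries that gain privilege from the combination count as colluding.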

The 18 most popular libraries include familiar names:

Library                              % of apps
com/facebook                              11.9
com/google/android/gms/analytics           9.8
com/flurry                                 6.3
com/chartboost/sdk                         5.9
com/unity3d                                5.2
com/applovin                               3.5
com/mopub                                  3.1
com/inmobi                                 3.0
com/google/ads                             3.0
com/google/android/gcm                     2.7
com/tapjoy                                 2.4
org/cocos2d                                2.4
com/amazon                                 2.0
com/millennialmedia                        1.6
org/apache/commons                         1.4
com/heyzap                                 1.4
com/nostra13/universalimageloader          1.3
com/adobe/air                              1.0

“The main catalyst that allows ILC to happen is the failure of the Android permission system to separate the privileges of libraries and their host apps”, they write, and this at least offers opportunities for an underhanded ad network to improve their data collection without seeking extra permissions from users.

[...] Digging deeper into how advertiser libraries behaved, they found on average those libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day”.

-- submitted from IRC

  • (Score: 2) by BasilBrush on Sunday August 20 2017, @05:08PM (7 children)

    by BasilBrush (3994) on Sunday August 20 2017, @05:08PM (#556723)

    The title says smartphones. It doesn't become clear until nearly the end that this is specifically an Android problem. Not iOS.

    --
    Hurrah! Quoting works now!
  • (Score: 2) by Pino P on Sunday August 20 2017, @09:52PM (6 children)

    by Pino P (4721) on Sunday August 20 2017, @09:52PM (#556793) Journal

    If an iPhone user has installed apps that use a particular library that total 1 GB, and there's a security update for that library, how much data does the App Store have to download on the user's behalf through a metered connection to apply this security update to all such apps?

    • (Score: 2) by BasilBrush on Monday August 21 2017, @12:12AM (5 children)

      by BasilBrush (3994) on Monday August 21 2017, @12:12AM (#556815)

      Really? You're trying to make up a scenario for saving some bandwidth in order to excuse an Android security flaw? LOL.

      The answer is that 1GB is not a realistic size for a library. The only shared libraries are those built in to iOS. Each app is separate and has its own libraries. And app upgrades are deltas, so the bandwidth is not easily predictable. But any updates over 100MB will only happen over WiFi. And if you want you can set it so all updates are done over wifi.

      - There's nothing there that justifies the Android security flaw.

      --
      Hurrah! Quoting works now!
      • (Score: 2) by Pino P on Monday August 21 2017, @06:10PM (4 children)

        by Pino P (4721) on Monday August 21 2017, @06:10PM (#557147) Journal

        how much data does the App Store have to download on the user's behalf through a metered connection to apply this security update to all such apps?

        app upgrades are deltas, so the bandwidth is not easily predictable.

        This at least means 33 different apps averaging 30 MB won't cause 990 MB of downloads. Thank you for clarifying.

        any updates over 100MB will only happen over WiFi.

        A home Wi-Fi network's upstream connection to the Internet is also metered. Satellite and home cellular tended to run $5/GB last I checked.

        • (Score: 2) by BasilBrush on Monday August 21 2017, @10:10PM (3 children)

          by BasilBrush (3994) on Monday August 21 2017, @10:10PM (#557249)

          Metered WiFi? Where do you live? You are getting ripped off.

          --
          Hurrah! Quoting works now!
          • (Score: 2) by Pino P on Tuesday August 22 2017, @03:28PM (2 children)

            by Pino P (4721) on Tuesday August 22 2017, @03:28PM (#557533) Journal

            Metered WiFi? Where do you live?

            I live in the service area of Xfinity Internet by Comcast, which has a 1000 GB/mo cap. But someone in another online community I'm in lives on a mountain and is thus stuck with satellite. Satellite and fixed cellular Internet tend to have a cap on the order of 10 to 20 GB/mo, as does DSL in some rural areas [communitynewspapergroup.com] (via the green site [slashdot.org]).

            You are getting ripped off.

            Agreed. The U.S. ripped off its citizens by handing out subsidies to last mile ISPs without attaching strings of universal coverage. This left rural areas and markets with restrictive utility right-of-way ordinances (such as Seattle) with inferior home Internet connections.

            • (Score: 2) by BasilBrush on Tuesday August 22 2017, @07:58PM (1 child)

              by BasilBrush (3994) on Tuesday August 22 2017, @07:58PM (#557688)

              That sucks.

              I'm in the UK. Broadband is unlimited data.

              Cellular data will be metered for cheaper deals, but pay about £35 a month ($45) and you can get unlimited data, even with no contract.

              --
              Hurrah! Quoting works now!
              • (Score: 2) by Pino P on Monday August 28 2017, @06:32PM

                by Pino P (4721) on Monday August 28 2017, @06:32PM (#560380) Journal

                Some U.S. cellular carriers offer unmetered data, but as I understand it, the plan applies to a single device rather than tethering. So you get unmetered data on your iPhone, but not on the iPod touch, iPad, or Mac that uses it as a hotspot. And unmetered plans give minimum priority to a subscriber's packets or even cut the subscriber back to EDGE starting at 25 GB or so.

                From "LTE Internet Installed" by Verizon Wireless [verizonwireless.com]: 10 GB/mo is $60/mo, 20 GB/mo is $90/mo, 30 GB/mo is $120/mo, and 40 GB/mo is $150/mo, with overages at $10/GB.

                This is one reason why Apple's delta updates are so important.