
SoylentNews is people

posted by janrinok on Monday November 18 2019, @04:15PM
from the no-money-in-fixing-the-problem dept.

Pre-installed apps on low-end Android phones are full of security holes

In what has become an annual reckoning, security research company Kryptowire recently published its 2019 report on the state of manufacturer-installed software and firmware for Android devices and, to no one's surprise, they found more than 140 bugs which could be exploited for malicious purposes.

The DHS-funded report uncovered 146 apps that come pre-installed on inexpensive Android handsets and would pull shenanigans like eavesdropping through the microphone, unilaterally changing their permissions or surreptitiously transmitting data back to the manufacturer without ever notifying the user.

Kryptowire found these bugs on phones from 29 different manufacturers, from relative unknowns like Cubot and Doogee to marquee companies including Sony. And given that the average Android comes with anywhere from 100 to 400 apps pre-installed, often bundled as part of larger app suites, these vulnerabilities pose a growing threat to users.



 
  • (Score: 4, Interesting) by jmichaelhudsondotnet on Monday November 18 2019, @05:08PM (3 children)

    by jmichaelhudsondotnet (8122) on Monday November 18 2019, @05:08PM (#921579) Journal

    A black box device by definition cannot be secured by the user to whom it is nothing but a black box.

    Low end black box, high end black box, you cannot secure it because you not only do not understand it, but are not allowed to understand it.

    Powerful devices that are poorly understood very frequently hurt people.

    These 'phones' are hurting people. Calling a modern 'smart' phone a phone is very misleading, you don't know what the device is capable of, so you not only do not know what the device is named, you couldn't figure it out if you had a year to try.

    This just demonstrates very well the mathematical logic laid out in this essay I wrote on the topic, consider,

    https://jmichaelhudson.net/smart-phones-and-wild-bears-2/

    Equations are at the bottom. To my knowledge I discovered them, if I am mistaken I would like to find out sooner rather than later.

  • (Score: 1, Informative) by Anonymous Coward on Monday November 18 2019, @05:27PM (1 child)

    by Anonymous Coward on Monday November 18 2019, @05:27PM (#921593)

    you couldn't figure it out if you had a year to try.

    Some people, who care enough to try, are figuring them out. It doesn't appear to take a year, either. Given the resources are in place, and ready to be used, it seems to take a couple days to capture data, then a couple weeks to interpret and test the data, then some time to publish and circulate the data.

  • (Score: 2) by krishnoid on Monday November 18 2019, @06:58PM

    by krishnoid (1156) on Monday November 18 2019, @06:58PM (#921629)

    The impossible? Like, mail the corporate headquarters for all these carriers with the list of vulnerabilities and say they're knowingly distributing exploitable software on a freshly delivered phone to their customers, and:

    • copy the Attorney General for all states in which the carriers operate,
    • draw a copy of it in sharpie on the inside of an oversized Reese's peanut butter cups mug at the FCC, and
    • notify the media?