Android exploit. 99% of devices vulnerable.

24

Comments

  • Inspiration (Posts: 62,706, Forum Member)
    Apple does have its own router database, which is used like Google's for wifi location.

    Got a link to info on that? That would be in direct conflict with Steve Jobs's view on privacy and location sharing.
  • [Deleted User] (Posts: 13,367, Forum Member)
    Got a link to info on that? That would be in direct conflict with Steve Jobs's view on privacy and location sharing.

    In Apple's own words:

    If Location Services is on, your device will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple, to augment the crowd-sourced database of Wi-Fi hotspot and cell tower locations. In addition, if you are traveling (for example, in a car) and Location Services is on, a GPS-enabled iOS device will also periodically send GPS locations and travel speed information in an anonymous and encrypted form to Apple, to be used for building up a crowd-sourced road traffic database. The crowd-sourced location data gathered by Apple does not personally identify you.

    It's not about tracking you though, which is what another FM suggests.
  • Chris1973 (Posts: 670, Forum Member)
    I wonder how many of those concerned with privacy are documenting and mapping out their lives voluntarily via social networking.
  • IvanIV (Posts: 30,310, Forum Member)
    Android flaw lets attackers modify apps without breaking signatures

    "The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures."

    That's quite a security hole there :eek: It makes digital signing meaningless.
  • alanwarwic (Posts: 28,396, Forum Member)
    IvanIV wrote: »
    That's quite a security hole there :eek: It makes digital signing meaningless.

    Do side loaded apps use a signature?
    It seems quite a bigger security hole when no one understands it.
  • flagpole (Posts: 44,641, Forum Member)
    To clarify. The exploit would allow an app to be approved for the app store. Maliciously modified but still appear to the app store as the non malicious version.

    It would be pertinent in situations like when Sky had their play account hacked.

    I still think the risk is minimal. Too many things have to come together for it to be a significant threat in the near term.

    Assuming it can be fixed.
  • IvanIV (Posts: 30,310, Forum Member)
    Google version of digital signing can only guarantee that once upon a time an owner of the certificate a file is signed with had signed some version of that file. Nothing else. Maybe chances of the exploit are not big, but the question is where else they used this.

    It can and should be fixed, it's embarrassing and dangerous.
  • paulbrock (Posts: 16,632, Forum Member)
    more scaremongering. Hands up who has ever, or even personally knows anyone who has, had malware on their Android device?

    so for it to actually work, the exploiter would need to take control of the developer account of a reputable app, replace the app with a malicious one, get users to manually update it (as extra permissions would likely be needed to do anything malicious, so auto-update would require a user confirmation), hope that the user didn't spot that Angry Birds now needed full permission to do anything with your phone, all before either Google or the app dev pulled the plug?

    As someone posted elsewhere, it's like saying if there was a hacked malicious version of Adobe Photoshop on Pirate Bay it would indicate a security flaw with Windows.
  • IvanIV (Posts: 30,310, Forum Member)
    paulbrock wrote: »
    more scaremongering. Hands up who has ever, or even personally knows anyone who has, had malware on their Android device?

    Well you can look at it like that, but focus is moving to mobile computing. OS writers could get away with anything, but that does not work anymore. Hackers are very inventive, MS has stories to tell about that. Any known problem should be dealt with and not marginalised. Because sooner or later somebody will find a way to exploit it. People store sensitive information on their phones, because they think it's safe there. I think a future of malware is in mobile phones and tablets.
  • kidspud (Posts: 18,341, Forum Member)
    paulbrock wrote: »
    more scaremongering. Hands up who has ever, or even personally knows anyone who has, had malware on their Android device?

    so for it to actually work, the exploiter would need to take control of the developer account of a reputable app, replace the app with a malicious one, get users to manually update it (as extra permissions would likely be needed to do anything malicious, so auto-update would require a user confirmation), hope that the user didn't spot that Angry Birds now needed full permission to do anything with your phone, all before either Google or the app dev pulled the plug?

    As someone posted elsewhere, it's like saying if there was a hacked malicious version of Adobe Photoshop on Pirate Bay it would indicate a security flaw with Windows.

    So you think this is not a problem and Google should do nothing about it? I wonder why Samsung bothered to fix it on the S4.
  • paulbrock (Posts: 16,632, Forum Member)
    kidspud wrote: »
    So you think this is not a problem and Google should do nothing about it? I wonder why Samsung bothered to fix it on the S4.

    I don't think it's a big enough problem to be covered on the BBC, or to start a thread on, no. Of course it should be fixed, but in the meantime users should carry on as usual.

    Do you think it's particularly newsworthy?
  • paulbrock (Posts: 16,632, Forum Member)
    Update to TechCrunch article:
    Update: According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play.

    panic over. ;)
  • paulbrock (Posts: 16,632, Forum Member)
    IvanIV wrote: »
    People store sensitive information on their phones, because they think it's safe there. I think a future of malware is in mobile phones and tablets.

    TBH, more information is stored in the cloud than on phones, I think phishing attempts will remain the biggest threat to people's data for a good while to come. Thankfully even Facebook gives the option of two-step verification nowadays...
  • Zack06 (Posts: 28,304, Forum Member)
    paulbrock wrote: »
    Update to TechCrunch article:

    panic over. ;)

    That update was actually made known yesterday, but it was conveniently ignored. Every platform is going to have its fair share of bumps and kinks along the road, but Google have shown that they're swift to act on these things, Apple have had one recently with the hotspot password fiasco.
  • kidspud (Posts: 18,341, Forum Member)
    paulbrock wrote: »
    I don't think it's a big enough problem to be covered on the BBC, or to start a thread on, no. Of course it should be fixed, but in the meantime users should carry on as usual.

    Do you think it's particularly newsworthy?

    It being newsworthy is a result of the popularity of Android.

    I would have thought it is very worthy of a discussion on this forum. After all, are we only meant to discuss positive news?

    As I said earlier, my interest is how quickly Google can go about fixing issues like this.
  • [Deleted User] (Posts: 13,367, Forum Member)
    Yeah, that information was actually reported in most of the articles yesterday that covered the issue. The problem wasn't with distribution through Google Play.
  • kidspud (Posts: 18,341, Forum Member)
    paulbrock wrote: »
    Update to TechCrunch article:

    panic over. ;)

    Funny, I remember the thread where everyone was pointing out the massive advantage of all the app stores available. I hope they have all updated their process :)
  • [Deleted User] (Posts: 13,367, Forum Member)
    Zack06 wrote: »
    That update was actually made known yesterday, but it was conveniently ignored. Every platform is going to have its fair share of bumps and kinks along the road, but Google have shown that they're swift to act on these things, Apple have had one recently with the hotspot password fiasco.

    Interesting that this is a non-issue but the Apple wifi hotspot thing was a 'fiasco'.
  • IvanIV (Posts: 30,310, Forum Member)
    kidspud wrote: »
    Funny, I remember the thread where everyone was pointing out the massive advantage of all the app stores available. I hope they have all updated their process :)

    I think tighter app stores are an advantage, but it means more pressure on the central authority as we can see here.
  • paulbrock (Posts: 16,632, Forum Member)
    kidspud wrote: »
    Funny, I remember the thread where everyone was pointing out the massive advantage of all the app stores available. I hope they have all updated their process :)

    As the risk is theoretical I'll continue using the other app stores. Malware tends to target the least informed users, who will, on the whole, only use Google Play. Additionally some stores, like Amazon's, have their own checking processes to prevent malware.

    So I don't see how this perceived risk would prevent me continuing to save money :D
  • cnbcwatcher (Posts: 56,681, Forum Member)
    Mr. Cool wrote: »
    Probably a Google Play update.

    Ah right. I hope they release it soon.
  • Zack06 (Posts: 28,304, Forum Member)
    Interesting that this is a non-issue but the Apple wifi hotspot thing was a 'fiasco'.

    Nowhere in my post did I suggest that it was a non-issue. As I have said, both platforms have had their fair share of issues.

    However, at least Google have acknowledged the issue and have already begun applying fixes. I'm unsure as to whether Apple have even addressed the flaws in their system.
  • alanwarwic (Posts: 28,396, Forum Member)
    kidspud wrote: »
    No, nothing like that.
    LOL No.

    So we seem to be at the point that the only digital signature in question was a Play store one that has been corrected anyway.
  • swordman (Posts: 6,679, Forum Member)
    Was there ever really a panic?
  • IvanIV (Posts: 30,310, Forum Member)
    paulbrock wrote: »
    I don't think it's a big enough problem to be covered on the BBC, or to start a thread on, no. Of course it should be fixed, but in the meantime users should carry on as usual.

    Do you think it's particularly newsworthy?

    It may mean nothing for a casual computer user, but it is a huge thing technically. You can use as long encryption keys as you like when all is compromised by such a cockup.