"This conflict of interest between vulnerability disclosure and the ability for people to fully control their own device poses a great security issue. Once a vulnerability being used to root or jailbreak devices becomes public knowledge it may also be used by malicious attackers, like DroidDream. Until all mobile devices allow users to gain full control without resorting to exploits, this conflict of interest between control and safety is likely to continue."

I really like this part. They identify the conflict of interest then point out that it is ultimately up to the device manufacturers to fix it; stop locking device owners out of their own personal property! An opt-in easter-egg to unlock the device would allow users to choose to remain under wing while enabling users who choose to make more complete use of the hardware.
Which website? Lookout's?
... is not possible programmatically in Android. The ability to do so was removed in Android 1.5. So that comment about being able to "remotely turn on GPS" is BS
I thought the same. I turned it off and then proceeded to move my location several miles. Did not touch my phone. The website had my new location designated.
I would think the ability to turn on/off would have to be disabled within hardware. If it's simply removed from the OS then someone with intent needs only to write their own driver call?
Even if you wrote a driver an app could not install it dynamically without the phone being rooted. However...there are apps in the market that exploit a bug in the power widget that ships on Android phones. My understanding is that it has only been fixed in the most recent versions (2.3 and possibly 2.2). Up until that point, on some phones it was possible to turn on the GPS remotely via an intent to the power widget itself rather than accessing the location service. If you note the phrasing on Lookout's website the claim is they will enable the GPS remotely "if possible". Interesting!
I have an app called GPS Test (It cannot start GPS on its own).

Tried test again.
..Made sure GPS was unchecked.
..Went to the website and started a locate.
..Minute later, the website located my phone correctly.
..GPS Test was green and showing several satellites it was receiving data from.
..Stopped the location process.
..GPS Test then determined GPS was now shut off..

It somehow is turning the GPS receiver on and off remotely.
...except by not instructing it to use them.
Like neon said, if it's wired in correctly, then it can also be called.
The GUI has a way to tell the OS to turn on the GPS (the check box in the GUI), so with enough permissions it's not conceivable that an OS could deny this power from everything else than the GUI.
The GUI is not the OS.
Except that having been around a good many years has taught me to never say no way.
The way an OS protects / restricts access to its hardware has to do with operating in user vs kernel space. To say if it's wired correctly it can also be called is not accurate. A way to think of it that makes it easier is to consider the entire Android OS as it is delivered by Google on a phone as one uber-application. The only parameters that can be added outside of what was delivered on your phone are the APKs, or apps. These don't run native on the OS but rather inside of the environment Google provided and thus can only exercise certain parts of the OS, just like WORD docs can only perform certain actions inside of MS WORD. Yes, people find ways to exploit holes in MS Office, and when they do, they are able to get some unintended behavior, but an app downloaded to a stock phone can no more call a driver directly than you can make a document for WORD call a driver on your Windows PC. In short, while I have no doubt that Lookout is turning on the GPS remotely, I am confident they don't accomplish this by calling the driver or poking the hardware address as APKs don't have a way to access kernel mode operations directly. The software must be exploiting a security flaw in one of the pre-compiled applications that shipped with the phone, such as the power widget I mentioned previously.
Do we agree that a user can use an input device to manipulate the GUI?
If so, then an app with the right permissions can also emulate user input in the GUI, say emulating a double-tap on a specific option in the GUI (GPS : On).
Agreed!
authorwjf 18th Aug
You've hit the nail on the head.
Good news.
seanferd 18th Aug
Even if Lookout turns out not to be the best solution in the long run, at least someone is innovating in this space. Competition will surely follow.
Lookout (free) is my security app of choice. That is because I am paranoid about security. On the other hand, what problems exist besides phishing? I do not do any real work on my phone - it's first and foremost a phone. Please enlighten me as to what threats may endanger a plain user doing some applications that query data bases and navigate.
And maintain a data base, albeit anonymized about you after you remove your membership.

I am working on a new article that will go into details about the permissions aspect.

Just thought I would mention that I use Lookout as well.
Tablets need protection too.
n2iph Updated - 20th Aug
Lookout will not install on tablets (at least not on my XOOM).
Tablets need protection too. I have Lookout on my phone and it's great.
I'd like to have the same protection for my tablet but it's presently not available...why???
Lookout is indeed quite an app.
I have used and tested Lookout and its Antivirus protection has been useless! I would recommend Bluepoint Security over it. Bluepoint serves strictly as antivirus but tested and works well. It can scan realtime and actually will find intrusions. Also recognizes Windows-based viruses, great and important!
Interested in learning what made you think that about Lookout. Did it miss some malware?
Re: why not lookout?
aiellenon Updated - 21st Aug
I have been using lookout since the very early beta, and have never had any issue with it, although it has never found anything either... I was a bit disappointed there was not a discount or year free when they launched the paid service, for beta users.
I was a bit concerned after I decided to root my phone that there was not even a warning for any apps requiring or requesting root access, nor any warning that it detected the phone had been rooted.
I typed up a really nice response, but have no idea what I said... I'll just have to create something else...

I installed the app, it found the vulnerability, was able to turn on my GPS, and lookout never once complained. But I do have to note, I have a 900KB redirecting hosts file and I am looking/hoping for the ability to add a PAC filter to Android. I do not understand why this is not an available option in the Operating System like it is in EVERY desktop and server OS.

From what I understand Opera Mobile (not mini) supports a proxy (thus allowing a PAC filter), but this does not enable or require it for the OS. So all other connections still access the internet unfiltered.

For more information on host files and PAC filters, including constantly updated files you can use on any desktop OS, go to http://www.securemecca.com (not directly affiliated with that site, but I do communicate directly with the "webmaster" on a weekly basis over the last 6-8 months and provide testing services)
Thanks Michael for sharing this info with us.
I recently bought my first smartphone and was concerned about all the talk of malware. I found my way to the Lookout website and decided to give the paid version a try as it seemed to have all the protective features I wanted. Now, based on some of the previous comments, I'm wondering if Lookout really scans for viruses. So far, my phone hasn't done anything funny.
I have continued my research and it seems that there is an advantage to using a product like Lookout, even if it's just "peace of mind". I still have it on my phones.
Wondering if Lookout has expanded to include tablets yet or if it is in the works. Haven't read or seen anything on the web about it.

Mike, did you put the question to them as you mentioned in your post on 8-20-11 and if so did they have an answer for you?