Update your Android phones soon. New vulnerability named "Janus" allows attackers to modify apps without changing signatures

[captain_to_fire]

@iamdarkyoshi I was waiting for someone to complain about fixing for dark theme users. Dang It! 

 

[Drak3]

18 minutes ago, hey_yo_ said:

I was waiting for someone to complain about fixing for dark theme users. Dang It!

I can still bitch about it.

 

 

Damn day theme losers, not formatting like the losers they are.

 

 

Happy?

[captain_to_fire]

2 minutes ago, Drak3 said:

I can still bitch about it.

 

 

Damn day theme losers, not formatting like the losers they are.

 

 

Happy?

#DayThemeUsersMatter ?

[Drak3]

Just now, hey_yo_ said:

#DayThemeUsersMatter

No they don't.

 

 

Kappa.

 

 

Fa fa.

[captain_to_fire]

2 minutes ago, Drak3 said:

No they don't.

 

 

Kappa.

 

 

Fa fa.

Night Theme Supremacist ?

Edited December 10, 2017 by hey_yo_

[Drak3]

5 minutes ago, hey_yo_ said:

Night Theme Supremacist ?

There's a few things Drak3 thinks needs to die off:

Carrier controlled security updates

The day theme

Google's stranglehold on Android

 

[Matu20]

1 hour ago, hey_yo_ said:

Hopefully project treble changes that

Yeah, hate having my options limited to devices that will get support post launch.

[captain_to_fire]

26 minutes ago, Drak3 said:

There's a few things Drak3 thinks needs to die off:

Carrier controlled security updates

The day theme

Google's stranglehold on Android

 

The last two ain’t gonna happen anytime soon bruh 

[Drak3]

3 minutes ago, hey_yo_ said:

The last two ain’t gonna happen anytime soon bruh 

Damn, those are the two that need to happen the most.

[captain_to_fire]

45 minutes ago, Matu20 said:

Yeah, hate having my options limited to devices that will get support post launch.

OnePlus unfortunately just announced that they’re not supporting Project Treble. I hope the likes of Samsung, HTC, LG and others support it to their current and upcoming Android 8.0 devices. Tbh part of the reason why many Android phones are fragmented and don’t receive updates that often is because of Qualcomm. Qualcomm only releases drivers up to two years and this is one of the reasons why Google is becoming a bit like Apple by adding an in-house custom machine learning SoC to the Pixel 2/2XL and was enabled by the 8.1 update. I hope Google decides to ditch Qualcomm in fsvor of their own SoCs. 

20 minutes ago, Drak3 said:

Damn, those are the two that need to happen the most.

The only thing that Google controls is the Google Play Services but AOSP remains open source. That’s why Amazon Fire tablets are actually Android devices but doesn’t have the Google Play Services which is proprietary. 

[Froody129]

10 hours ago, DrMacintosh said:

"update your Android phones" 

 

Ahahahaha

Remember when iOS 11.2 caused people's phones to simply shut down randomly? Apple isn't magic and also have flaws

[DrMacintosh]

Just now, Froody129 said:

Remember when iOS 11.2 caused people's phones to simply shut down randomly? Apple isn't magic and also have flaws

No, I don't actually. 

[captain_to_fire]

1 minute ago, Froody129 said:

Remember when iOS 11.2 caused people's phones to simply shut down randomly? Apple isn't magic and also have flaws

As much as I scathingly criticized Apple especially the iOS 11 and iPhone X design, I didn’t experienced random shutdowns on my iPhone with iOS 11.2. 

[Froody129]

36 minutes ago, hey_yo_ said:

As much as I scathingly criticized Apple especially the iOS 11 and iPhone X design, I didn’t experienced random shutdowns on my iPhone with iOS 11.2. 

It was some date bug, and just like Janus it didn't affect everyone

[Not_Jony_Ive]

[Not_Jony_Ive]

18 hours ago, WereCat said:

Update on Android?

You mean... buy a new phone?

YES.

 

[mrchow19910319]

out of so many news that says: "new vulnerability  found in android" has anyone been attacked on their android device???? I think very little people have. 

[captain_to_fire]

2 minutes ago, mrchow19910319 said:

out of so many news that says: "new vulnerability  found in android" has anyone been attacked on their android device???? I think very little people have. 

I think it’s because Android apps are restricted by a sandbox.

 

Even though there are more mobile devices connected to the internet than PCs, most in-the-wild zero day attacks happen on PCs. Has there been a mobile version of the Wannacry or NotPetya/ExPetr global pandemic on Android? None. Most malware on Android is pretty much only a handful. 

[Trixanity]

1 hour ago, mrchow19910319 said:

out of so many news that says: "new vulnerability  found in android" has anyone been attacked on their android device???? I think very little people have. 

No, because it seems very few people, despite many devices being vulnerable, can be hit by it if you get your apps from safe sources. It seems to be the classic "you're vulnerable if you download app APKs from freepaidapps.com and downloadmoreram.com". I haven't seen any indication you're vulnerable if you stick to the play store or secure third party sites.

6 hours ago, hey_yo_ said:

OnePlus unfortunately just announced that they’re not supporting Project Treble. I hope the likes of Samsung, HTC, LG and others support it to their current and upcoming Android 8.0 devices. Tbh part of the reason why many Android phones are fragmented and don’t receive updates that often is because of Qualcomm. Qualcomm only releases drivers up to two years and this is one of the reasons why Google is becoming a bit like Apple by adding an in-house custom machine learning SoC to the Pixel 2/2XL and was enabled by the 8.1 update. I hope Google decides to ditch Qualcomm in fsvor of their own SoCs. 

The only thing that Google controls is the Google Play Services but AOSP remains open source. That’s why Amazon Fire tablets are actually Android devices but doesn’t have the Google Play Services which is proprietary. 

There are many parties at fault for lack of updates it's both hardware vendors and device makers and then we get carriers and other parties.

 

To get Treble you need a vendor partition. No one wants to risk bricking devices by changing partitions during an update. I'd say the risk is relatively small but big enough to scare off companies. It's small if done right that is.

 

OnePlus didn't partition their software. Why? Because they're morons. Google told OEMs to start partitioning it years ago but since it's a guideline, not a requirement, they ignored it. They don't do things properly if they don't have to. That's the biggest problem with Android. They give you freedom that Apple don't but developers don't appreciate the freedom and tend to ignore the guidelines in favor of sticking to whatever they're doing now even if it's bad practice.

 

If you want to know if your device might get Treble with Oreo update, then find out if it's partitioned already. Even if it is I don't think it's a given that they'll enable support if only to kill support early like OnePlus does.

8 hours ago, Matu20 said:

I know that, but stock androids get most frequent updates due to having low overhead and less changes to be applied with each update.

I also think that's part of the misconception. Each and every device right now needs to be rebuild with every update regardless of your changes to the system. Even heavy-handed system changes like Samsung does should allow a similar update speed.

 

It makes little sense that updating your Broadcom driver will break something on your Samsung device but not on a Motorola or Nokia device unless Samsung's developers are absolute morons (which, granted, might be the case given their track record).

 

There's still a lot of compliance OEMs need to adhere to which should prevent something like I mentioned from breaking anything.

 

I'm a little more uncertain about fixes to Android itself. I'd still think such fixes should be simple to merge and/or adapt to whatever system changes. I think the biggest problem might in fact be the bugs OEMs introduce by changing system files and having to discover and fix them on their own but a company such as Samsung should have the resources to do that.

 

So I think the guideline should be if you don't have the resources to maintain your shit don't change shit. That way you can merge the fixes the big boys make.

[RyanEsau]

I was on KitKat (4.4.4) for the longest while but switched to Nougat (7.1.1) a few months ago.

 

Guess it came with a benefit aside from just being on a more recent android version.

 

Regardless though, just be careful where you get APKs from and you should be fine. I imagine there'll probably be some apps to test apks for this hitting the play store for this vulnerability. Just like the previous stuff. (Stagefright for example. I specifically remember that one.)

[captain_to_fire]

24 minutes ago, Trixanity said:

If you want to know if your device might get Treble with Oreo update, then find out if it's partitioned already. Even if it is I don't think it's a given that they'll enable support if only to kill support early like OnePlus does.

With the exception of the obvious one which is the Pixel, which Android OEMs have partitions enabled? 

[Trixanity]

16 minutes ago, hey_yo_ said:

With the exception of the obvious one which is the Pixel, which Android OEMs have partitions enabled? 

Huawei did it on their Mate 9 (I'm not sure if their other models have it but one would think they stick to the same practices across the board). I'm not sure if Sony has done it. I feel like they would given their contributions to AOSP.

 

Other than that I honestly have no clue. It seems like if you mount your device's storage you can see the partitioning in the system file structure but I can't remember what specifically to look for. XDA had an article about it. I'll see if I can dig it up.

 

One would think it would be smart to partition it in the first place if only to make it easier to maintain the device but I'm guessing the thought process was "this requires us to do some work and change things which would improve our workflow and give us forwards compatibility but it does require actual work so let's not do it". Yes, I'm awfully cynical about OEMs at this point. This might be hindsight but it seems it was a very bad case of procrastination. I think the guideline to partition was made with Marshmallow and the requirement obviously came with Oreo and Treble. That's a two year window to get it up and running. And I don't think Google made the guideline without any forethought of future changes and I don't think Google didn't inform OEMs of their intentions with doing the partitioning. So if we consider that companies have had to build software specifically for each device (although they probably have somewhat generic source code like AOSP with their own code added) then they have had every opportunity even just with Nougat to make the switch during development and they would then be prepared for Oreo or even if Treble came with Android P it would still have been the best practice to get it done.

[AlTech]

9 hours ago, Crunchy Dragon said:

So I'm running some version of Android 4, am I safe?

no. OEMs aren't patching anything older than Lollipop.

[MyName13]

16 hours ago, SpaceGhostC2C said:

There could, but that's overhead for that company already, and I'm supposed that why updates become typically less likely the more you move into cheapo phones. I mean, making it depend on each device manufacturer is the problem in itself (imagine PCs only getting security updates depending on the OEMs pushing those. Microsoft segmenting who gets an update and who doesn't is already a problem, but imagine the scale if you had the additional step of HP, Dell, or whoever sold the parts for your custom build or sold you windows to provide a patch....)

And why is it like that?While PCs need new motherboard drivers for each new OS, they don't need anything from OEM to get security updates, why can't all android devices receive at least security updates?

[Trixanity]

1 hour ago, hey_yo_ said:

With the exception of the obvious one which is the Pixel, which Android OEMs have partitions enabled? 

Here's how it looks on the new Honor V10:

Spoiler

As you can see all the vendor stuff gets its own separate space.

 

7 minutes ago, MyName13 said:

And why is it like that?While PCs need new motherboard drivers for each new OS, they don't need anything from OEM to get security updates, why can't all android devices receive at least security updates?

Because the operating systems are fundamentally different. Until Oreo, each device and each software iteration needed to be build for each other. Also, every OEM make changes to the system files. If Google pushed an update to your device overwriting modified system files you could potentially look at a paperweight. Windows is a closed operating system and the ecosystem relies on drivers tailored for your hardware that you download and install. Android is becoming more like Windows but will take more than the changes to Oreo to make it Windows-like.

Besides, Windows updates fix issues with the operating system primarily. Microsoft have gotten better (and in some ways worse) about pushing updates to hardware which reduces the need to venture onto third-party sites to get updates.