Flaws in Pre-Installed Apps Expose Millions of Android Devices to Hackers

[79wjd]

1 minute ago, DrMacintosh said:

That's what I remembered. It might have changed in iOS 11 and might also change in iOS 12. But the result is the same, the app is disabled. 

That's pulled from the iOS 11 page, and it's highly unlikely anything will be different in iOS 12.

[DrMacintosh]

8 minutes ago, 79wjd said:

That's pulled from the iOS 11 page, and it's highly unlikely anything will be different in iOS 12.

More than likely right. Either way, the second point I made still stands. The effective result is the same. You just don't gain the few MB that each app is worth. 

[Sniperfox47]

Ultimately this is a good thing since it means they'll hopefully be fixed for that if nothing else. Android System APKs can be updated through the Google Play Store (even a number of critical system components as of the newer versions).

 

App updates don't solve against manual attacks against the apps at the firmware /system/ level but at that point you have bigger issues since that means the attacker already has root on your device.

 

For all the people who bitch about updates for bloatware apps that they don't care about, this is why those are important and you should do them even if you don't care about the app.

 

3 hours ago, DrMacintosh said:

Was expecting to see more people saying "Oh well I can just root my device so I don't have to worry about this" or something along those lines. Was disappointed in the lack of that. 

 

No bloatware=good

bloatware=bad

 

I'm glad to seen people aren't that dumb and likewise glad to see that Huawei and Samsung devices don't have affected apps (except on affected carriers). 

 

3 hours ago, DrMacintosh said:

That's what I remembered. It might have changed in iOS 11 and might also change in iOS 12. But the result is the same, the app is disabled. 

The apps on both iOS and Android are both stored in a signed system partition that's normally Read Only. You couldn't actually remove the app without breaking the signing on the system partition, causing an unmodified device to pitch a bitch fit and refuse to boot due to being a compromised system.

 

That doesn't change in iOS 12 unless they roll back a lot of their existing security measures which would be dumb because it doesn't really help anybody. As I said in order to attack a disabled app on Android or hidden app* on iOS you need root access anyways in which case RIP phone, you've already got bigger problems.

 

*Note that the iOS behavior behind removing system apps doesn't really seem consistent. Like the contacts and FaceTime app just seem to hide the icon without actually disabling any feature access so they still might be an attack surface. Books, stocks, Apple watch and a number of others appear to be completely disabled/frozen just like disable on Android. I don't have a rooted iPhone to play around with ATM so I can't determine for sure this behavior though.

[Mihle]

8 hours ago, firelighter487 said:

rooting and stuff void warranty of loads of phones i believe.. and yeah you can't delete preinstalled apps on iOS but at least there isn't loads of them. 

 

so you can't uninstall them without voiding the warranty. only hide them. 

In my country the consumer law can not void warranty as long as the manufacturer can't actually prove the fault is the rooting fault.

 

In reality, most cases rooting removes software warranty, but not hardware warranty.

[LAwLz]

7 hours ago, DrMacintosh said:

More than likely right. Either way, the second point I made still stands. The effective result is the same. You just don't gain the few MB that each app is worth. 

Well no, the result is not the same.

If a vulnerability was found in one of the iOS stock apps then removing the shortcut would not protect the user.

Removing a shortcut and disabling a program are two very, very different things.

 

Disabling/Removing the vulnerable app = Fixing a crack in the wall.

Removing the shortcut to the app = Putting some wallpaper over the crack so that you can't see it anymore.

[AlTech]

10 hours ago, DrMacintosh said:

Was expecting to see more people saying "Oh well I can just root my device so I don't have to worry about this" or something along those lines. Was disappointed in the lack of that. 

 

No bloatware=good

bloatware=bad

 

With my LineageOS 15.1 ROM, I can remove any app I want.

 

Even the bloatware known as the Google Play Store.

[mrchow19910319]

god damn android... 

[Jito463]

9 hours ago, Sniperfox47 said:

For all the people who ***** about updates for bloatware apps that they don't care about, this is why those are important and you should do them even if you don't care about the app.

My Samsung S7 Active recently got updated to Android 8, and now the "Galaxy Apps" such as e-mail, photo gallery and the like want to update, but in order to do so they require access permissions to my contacts and my phone.  They absolutely will not update unless I grant them access.  Why does e-mail or photos need access to my phone?  Contacts I can maybe see (at least for e-mail), but phone?

[Jtalk4456]

Quote

Other major Android handset brands include Vivo, Sony, Nokia, and Oppo, as well as many smaller manufacturers such as Sky, Leagoo, Plum, Orbic, MXQ, Doogee, Coolpad, and Alcatel.

wait are those major brands??  I know nokia WAS big, and not sure about sony with phones. The rest I've never heard of...

[bcredeur97]

On 8/13/2018 at 5:55 PM, TheGlenlivet said:

INB4 Iphone fans arrive laughing...

im really hoping whatever google is doing with Fushcia solves all these stupid android issues that shouldnt exist in the first place

 

On 8/13/2018 at 7:02 PM, RorzNZ said:

The rest are fairly integrated apps that will cause instability of iOS if you remove them - so Apple doesn't let you, but if you jailbreak you can easily. You can see with these screenshots most default apps can be removed. iOS 12. 

-snip-

pre iOS 10 I would jailbreak basically to do this:

login as root
cd /Applications

rm -rf Tips.app

 

lol

[Brick1026]

I dislike macs simply because of their horrible gaming optimization but when it comes to security Apple products have it down to a T. Despite my love hate relationship with Apple, this makes me happy to know I own a iPhone xD.

[PlayStation 2]

20 minutes ago, Brick1026 said:

I dislike macs simply because of their horrible gaming optimization but when it comes to security Apple products have it down to a T. Despite my love hate relationship with Apple, this makes me happy to know I own a iPhone xD.

You can blame bad gaming performance on lack of optimization from devs on macOS rather than on Apple themselves.

Also, not many modern macOS ports are made by the original devs. The Valve games were ported by a team within the company and those tend to be one of the best multiplatform ports on both macOS and Linux.

[rcmaehl]

14 hours ago, DrMacintosh said:

Was expecting to see more people saying "Oh well I can just root my device so I don't have to worry about this" or something along those lines. Was disappointed in the lack of that. 

 

No bloatware=good

bloatware=bad

 

Yep. Rooted, Modded, LineageOS with Custom Kernel and Mods. 

[Sniperfox47]

1 hour ago, Jito463 said:

My Samsung S7 Active recently got updated to Android 8, and now the "Galaxy Apps" such as e-mail, photo gallery and the like want to update, but in order to do so they require access permissions to my contacts and my phone.  They absolutely will not update unless I grant them access.  Why does e-mail or photos need access to my phone?  Contacts I can maybe see (at least for e-mail), but phone?

Because they're Samsung they're probably making a call to "SystemInfo.deviceUniqueIdentifier" which is associated to your IMEI and forces that permission because reading your phones IMEI, Phone Numbers, or other associated data is gated behind the Read Phone State permission, part of that permission group.

 

It may not even be intentional. A lot of older third party libraries make calls to those permissions because in the pre-5.0 days of Android that was an accepted way to get a device unique identifier that would survive a reinstall.

 

Android 8.0 has a lot of strengthened policies with regards to how permissions are handled, particularly for apps that target Android 8.0 which the updated email and photos app likely do.

 

25 minutes ago, Brick1026 said:

I dislike macs simply because of their horrible gaming optimization but when it comes to security Apple products have it down to a T. Despite my love hate relationship with Apple, this makes me happy to know I own a iPhone xD.

Eh. As an OS Apple's platform is not really more or less secure than Android as an OS.

 

Dumb manufacturers making dumb bloatware with no consideration for security? Sure. Manufacturers not keeping up with security patches? Sure. But the OS itself is really solid. 

 

 

2 minutes ago, Dan Castellaneta said:

You can blame bad gaming performance on lack of optimization from devs on macOS rather than on Apple themselves.

Also, not many modern macOS ports are made by the original devs. The Valve games were ported by a team within the company and those tend to be one of the best multiplatform ports on both macOS and Linux.

Nah that you can absolutely blame on Apple. Their OpenGL implimentation interface is abyssmal.

 

Their laptops only support up to OpenGL 2.1 or 3.2 depending on the laptop. Some of them claim to support 4.1 but don't actually expose most of the required features to be 4.1 compliant.

 

Even for the laptops with 3.2 support MacOS doesn't properly upgrade OpenGL 2.1 instances to 3.2 when requested so you need to do workarounds if you want to target both versions.

 

And even if you go to all that hassle to get proper openGL 3.2 instances up the performance is abyssmal compared to the exact same code running on Linux or Windows... On the same machine...

 

And the worst part is that AMD uses the same driver base across Windows/Linux/Mac, so their drivers on MacOS should be absolutely capable of matching Linux Performance and beating out Windows performance.

 

Metal only looks like such a massive upgrade over OpenGL on Apple platforms because OpenGL implimentation on their platform is totally crippled. It makes no sense because in 2012 their OpenGL was on par to Ubuntu and Windows:

 

2012 benchmarks with good MacOS OpenGL:

https://www.phoronix.com/scan.php?page=article&item=intel_sandy_threesome&num=1

 

2017 benchmarks with terrible OpenGL (In some cases less than 1/5th the performance of Ubuntu... Ouch...):

https://www.phoronix.com/scan.php?page=article&item=mbp-1013-gaming&num=1

[EarthWormJM2]

15 hours ago, MrUnknownEMC said:

at least is not like window that reinstall them back after a window updates.

Right?    ....no, I would not like to play candy crush or use Edge browser, now please be gone!

[Peter S]

Thanks for exposing these different vulnerabilities on default apps that are pre-installed and mostly non-removable. These flaws on pre-installed app can create a huge problem to most of the android users.  I hope that manufacturers will take action to resolve this alarming report.

[ScratchCat]

22 hours ago, TheGlenlivet said:

T Minus 5....4....3....2....

Houston the Dr has landed

[D13H4RD]

Quote

and the Essential Phone

So much for that "bloat-free" experience.

[LAwLz]

18 hours ago, bcredeur97 said:

im really hoping whatever google is doing with Fushcia solves all these stupid android issues that shouldnt exist in the first place

It won't, because the issue here is that manufacturers and carriers are pre-loading the devices with unsecure apps. It's the same problem that exists on Windows computers, where companies such as Lenovo installs unsecure software.

The only way to stop that would be to not allow any additional software to be installed on stock devices, but that's throwing the baby out with the bathwater.

[Sniperfox47]

2 hours ago, LAwLz said:

It won't, because the issue here is that manufacturers and carriers are pre-loading the devices with unsecure apps.

It might. If the plan with Fuschia is to keep it more locked down akin to Android Wear, it could work a lot better. From what I understand there are a lot of restrictions on what apps can be bundled with an Android Wear device, and even outside of those restrictions not just anyone can go "I'm loading Android Wear on this device!" like they can with normal Android.

 

The trouble is if they did that they'd have tons of OEMs screaming "Anticompetitive! Fine them! Gouge their eyes out!" So it's a juggling act between doing what's best for the user and not pissing off their OEMs.

[LAwLz]

3 minutes ago, Sniperfox47 said:

It might. If the plan with Fuschia is to keep it more locked down akin to Android Wear, it could work a lot better. From what I understand there are a lot of restrictions on what apps can be bundled with an Android Wear device, and even outside of those restrictions not just anyone can go "I'm loading Android Wear on this device!" like they can with normal Android.

 

The trouble is if they did that they'd have tons of OEMs screaming "Anticompetitive! Fine them! Gouge their eyes out!" So it's a juggling act between doing what's best for the user and not pissing off their OEMs.

Well like I said, that approach would be throwing the baby out with the bathwater.

Third party additions such as skins might have been cancerous at times, but they are what introduced a ton of great features to Android.

[Castdeath97]

On 14/08/2018 at 2:30 AM, MrUnknownEMC said:

edit: All you can do it move them into a folder in iOS while at least in android you can remove it after some googling or in most case you can disable it via apps.

Are you sure about that??? I can remove the weather, reminder, notes and yada yada easily and install alternatives in iOS since 9/10.

[Castdeath97]

It's shocking how some Android device OEMs don't grasp basic concepts such as system confinement and the principle of least privilege when developing some of their silly duplicate applications. Does your application REALLY need these sort of privileges? If not, then restrict it. 

 

Google should force them to send their applications for review ... 

[Firewrath9]

On 8/13/2018 at 7:33 PM, firelighter487 said:

rooting and stuff void warranty of loads of phones i believe.. and yeah you can't delete preinstalled apps on iOS but at least there isn't loads of them. 

 

so you can't uninstall them without voiding the warranty. only hide them. 

for apple you get a 90 day warranty anyways so it doesn't matter unless you pay extra.

If you go into restrictions, you can remove any app except settings.

[Sniperfox47]

3 hours ago, Castdeath97 said:

Are you sure about that??? I can remove the weather, reminder, notes and yada yada easily and install alternatives in iOS since 9/10.

 

1 minute ago, Firewrath9 said:

for apple you get a 90 day warranty anyways so it doesn't matter unless you pay extra.

If you go into restrictions, you can remove any app except settings.

Has been said before and I'll say it again, that does nothing more than "disable app" on Android does. It hides it from you (out of sight, out of mind)cand disables user access to it but the app is still there on your system. 

 

You can't remove any apps from the root partition on iOS without modifications to the kernel to allow mounting the partition and to disable the iBoot Security Verification. You can't remove any apps from the system or vendor partitions on Android without disabling Verified Boot/DM-Verity.