On Thu, Jun 13, 2013 at 11:43 AM, seattleandrew <[email protected]> wrote:
> ...
>
> Fine... tl;dr Samsung's built-in apps (i.e. the non-stock apps Samsung
> bundles in) allow any application installed on the device to leverage their
> permissions, content providers, etc. Thus leaving a huge gap in the Android
> security model. In other words, I can create an app that appears to have no
> permissions, but rather uses the permissions from apps already installed on
> the device.
That's one of two problems. It's either a Confused Deputy or Permission
Re-delegation. The paper should tell you which.

> Okay, so what's up with my sensationalist title-- As security researchers,
> professionals, enthusiasts, what can we do about this? For users I imagine
> flashing a custom ROM or sticking with a Nexus device would suffice, but
> what about government and corporate implications?
Android is a tough sell for the Enterprise. It's hard to bring them
into an organization safely (barring split role phones with
technologies like BlackBerry Balance and Knox).

> One of the biggest issues for me has been the speed at which Android
> updates reach other devices, often referred to as fragmentation. In this case I
> think the groups largely responsible for delaying security patches are the
> carriers. This is because some of them take months/years to deploy patches
> and updates and by then, exploits will have been in the wild for a long
> time. Can carriers be held responsible for willingly delaying security
> patches to their customers' devices? Even if the intentions are good, e.g.
> "we want to retain a high QA standard that's associated with our brand." I
> can't help but feel we need a different update model for these mobile
> connected devices.
Yes, this is a well known problem.

I [personally] believe we - consumers and users - need legislative
relief. Waiting for a corporation to "do the right thing" is futile.
The risk equations need to be unbalanced because the current state is
nearly all carrot, and almost no stick.

> Why aren't Security updates completely separate from Usability updates?
Windows Phone requires OEMs and Carriers to make available updates in
a timely manner. It's a contractual obligation
(http://channel9.msdn.com/Events/TechEd/Europe/2012/WPH304).

How about the illegal tying - you have to have a Gmail account to get
bug fixes and security updates for a defective product. Where's the FTC
when you need them? As soon as you use a Gmail account, data cross
pollination occurs because Google feels like your data is their data.
Confer: see how well your weather widget works on the homescreen when
you refuse to share data with Google.

Jeff
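An added illustration of the confused-deputy case the thread discusses, from the defender's side; this is example code written for this page, not code from Samsung, Google or any poster. It shows the pattern behind the bug class: an exported content provider that runs with its own app's permissions and forwards any caller's request, beside a hardened version that makes the caller prove it holds the relevant permission itself. The package name, permission name and URI authority are hypothetical placeholders.

```java
// Example only: hypothetical package "com.example.deputy", not any real vendor app.
package com.example.deputy;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;

/*
 * Manifest entry that creates the "confused deputy" (the weak setting):
 *
 *   <provider android:name=".ContactsProxyProvider"
 *             android:authorities="com.example.deputy.contacts"
 *             android:exported="true" />
 *
 * Any app on the device can query this provider. Because the provider's own
 * app holds READ_CONTACTS, the query succeeds even when the calling app
 * declares no permissions at all: the deputy's privilege is re-delegated.
 *
 * Hardened manifest entry: the platform refuses callers that do not hold the
 * permission before query() is ever reached.
 *
 *   <provider android:name=".ContactsProxyProvider"
 *             android:authorities="com.example.deputy.contacts"
 *             android:exported="true"
 *             android:readPermission="android.permission.READ_CONTACTS" />
 *
 * The code below adds a second, in-process check so the component stays safe
 * even if a later manifest edit drops the attribute.
 */
public class ContactsProxyProvider extends ContentProvider {

    // Permission the *caller* must hold; checking our own grant is the bug.
    private static final String REQUIRED = "android.permission.READ_CONTACTS";

    @Override
    public boolean onCreate() {
        return true;
    }

    /** Returns true only when the calling process itself holds REQUIRED. */
    boolean callerIsAuthorized() {
        // checkCallingPermission() inspects Binder.getCallingUid(), i.e. the
        // remote caller, and deliberately returns DENIED for in-process calls.
        // Using checkCallingOrSelfPermission() here would reintroduce the
        // confused deputy, since the provider's own app passes that test.
        return getContext().checkCallingPermission(REQUIRED)
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (!callerIsAuthorized()) {
            // Fail closed and record who asked; a SecurityException reaches
            // the caller instead of the deputy's data.
            throw new SecurityException("uid " + Binder.getCallingUid()
                    + " lacks " + REQUIRED);
        }
        // Authorized path: forward to the real contacts provider (constructed
        // stand-in below so the example is self-contained).
        MatrixCursor out = new MatrixCursor(new String[] {"display_name"});
        out.addRow(new Object[] {"example contact"});
        return out;
    }

    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues v) { return null; }
    @Override public int delete(Uri uri, String s, String[] a) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { return 0; }
}
```

Two points worth checking in a review of any bundled app: whether each exported component declares a `permission`, `readPermission` or `writePermission`, and whether any in-code check uses the `OrSelf` variant, which tests the deputy's own grant rather than the caller's.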

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at 
http://groups.google.com/group/android-security-discuss?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

