How to face security Issues on Android 4.2

The main part of that is constantly updating the OS; and that’s exactly what we can’t…

Just like I can’t update Windows XP, yet it’s still the fastest Windows for all recent PCs…


Dear all,

one thing remains still a little unclear to me:

Stefan wrote (post 3):
> Even if the FP team’s ambition is to provide patches at least till the end of 2016, these issues won’t be addressed instantly.

Alright, so patches won’t be provided instantly. But will they ever? How do things look with serious security issues? Will the UXSS issue ever be fixed for my Fairphone?

My bet is that it won’t. Ever. So if you want undisturbed sleep my suggestion is that you
a) stop using the default android browser.
b) avoid apps that make use of android’s WebView function. I have no idea which apps we are dealing with (anyone having a list?). Apparently Facebook is one of them, but you can disable the FB app’s built-in browser and use your chosen third party browser instead.


Dear kgha,

As pointed out earlier, a) is easy to follow but b) isn’t. How would you be sure (or can find out) that an app is / is not using WebView? I suppose that avoiding such apps might be an option for tech-savvy users but not for just-the-average user with limited tech knowledge.

Apparently the UXSS bug is not a threat for the Fairphone:

PS: I checked this in Firefox mobile 36, but not in the default browser.

Indeed, using Firefox is safe. But that doesn’t mean your phone and other apps are. Firefox does not use the WebView component and was never affected. Try to run the test with the default android browser.

I’m blocking the Internet access of the default browser with AFWall+, and I don’t want to unblock it. I believe you that it’s affected. I’m pretty sure, some other apps I use are too… If someone could find a way to disable webview generally…

Has nothing to do with security, does it?

The default browser is vulnerable according to my check with the linked test page. I immediately switched to Firefox, and see the hoped-for longevity of my FP go down the drain…

Once I cannot rely on security issues being fixed, I eventually have to replace my device. It’s like holes in a barrel: if you don’t fix them properly, you eventually run out of hands to seal them, and then you run out of beer, and THEN you are in trouble…

Hello,

If this is the case we will fix it. WebView is a different beast because of the lack of existing patches. At the time of Towelroot we tested the device and found it not vulnerable.


Thanks, that’s good to hear. To be honest I only “tested” my phone using this tool, so it may as well be that their detection method for Towelroot is flawed.
Will you also fix the newer CVE-2014-7911?

Hello, we will look at integrating the changes and will look at Towelroot again.
http://seclists.org/fulldisclosure/2014/Nov/51


There’s an old Swedish saying: ‘It’s easy to say “Tulip Rose”, but hard to make one’.
Let’s face it. What makes the internet a wonderful invention is also what makes life on the web vulnerable.
If you want to be able to do everything, everywhere, at any time, you are vulnerable. If you want to make use of any app ever found in Google Play Store (or maybe downloaded from an obscure website), if you want to be constantly updated through various RSS feeds, if you find it essential to get real time updates from a plethora of communities such as Facebook…
…then you are vulnerable.
You can never get a 100 % guarantee that security patches will reach your phone (and install themselves) in time to block each and every potential threat. (Incidentally, enabling automatic updates for each and every app you installed will probably cause you more trouble and more security risks than if you update manually with afterthought.)
You’ll have to make a choice. Either you put safety first. For one reason or another, you have to handle sensitive information using your phone. Then you’d better get a Blackberry. Create a profile (e-mail address and so forth) that you never, never, never link to Facebook or Instagram or Reddit or whatever. And connect to the internet only when you really need a connection, and only through encrypted networks. Then use a second phone for leisure activities. And if you must do banking stuff on your phone, make sure that your bank offers a reasonable level of security, e.g. using a card reader that generates one-time login and signature codes. Not even these are 100 % safe, though.
Or you acknowledge that the internet is risky. You use your phone with reasonable prudence, but you also realise that sh*t happens. It’s a tedious toil having to create new accounts and passwords replacing the compromised ones, just as it’s tedious having to replace bank cards, driving licence &c when your wallet gets lost. But it’s part of life.
Or you get a tinfoil hat and a few carrier pigeons.
Please note before replying: I’m not saying that security patches and updates are unimportant or superfluous. And I’m grateful to the FP developers doing their best to patch the biggest holes. All I’m trying to say is that even if we live in the best of worlds it is far from perfect. The great thing about being human is that we can develop strategies for handling this lack of perfection, which in my humble opinion is a wiser strategy than hoping to achieve perfection.


Sh#t doesn’t ‘happen’; it needs an as*hole to be produced :smile:

Actually the production of feces initiates more cranially in the gastrointestinal tract than in the canalis analis, but I think we’re getting off topic here…


There is a way to disable the Android Browser and it is quite easy. You only need adb installed on your PC. I followed this guide: Enable and disable system apps via ADB - Android Enthusiasts Stack Exchange. I will see how it works and if I encounter any serious side effects. If not I will update here with a short guide on how to do it and what happens. See you soon.


A week ago I shared this great guide from StackExchange on how to disable system apps via adb (Android Debug Bridge).
With this method you can easily disable the built-in browser. You need a PC with Linux, Mac or Windows and with Android Debug Bridge installed (on Ubuntu simply run sudo apt-get install android-tools-adb) and allow developer remote access on your Fairphone (Settings -> Developer Settings).

Open a Terminal (Hit Super (Ubuntu) or CMD+Space (Mac), then type Terminal on Ubuntu) (or Cmd Prompt on Windows).

  1. Open the ADB shell by typing adb shell (you are now working on the device).
  2. Gain super user rights with su.
  3. Use the built-in package manager to disable the browser: pm disable com.android.browser
  4. Leave the ADB shell with: exit

Use your Fairphone and see that Browser has magically disappeared from your Apps. And the best thing is: if you ever need it again, you can replace “disable” in step 3 with “enable” and the browser is back!

I’ve been using my Fairphone without the Android Browser for a week with no problems at all.


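As an added example (not from the thread or the StackExchange guide): a POSIX shell wrapper around the adb steps above that only builds pm enable/disable commands for a sanity-checked package name, and afterwards reads the output of pm list packages -d to confirm the browser really is listed as disabled. The su -c invocation and the sample pm output are assumptions; the WebView component is untouched by this, as the follow-up posts explain.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the adb/pm procedure so the
# action and package name are validated before anything reaches the phone.

BROWSER_PKG="com.android.browser"

# Build the pm command line for a given action and package name.
# Only "enable" and "disable" are allowed, and the package name must look like
# a Java-style identifier, so nothing else can be smuggled into the shell.
pm_cmd() {
    action="$1"; pkg="$2"
    case "$action" in
        enable|disable) ;;
        *) echo "pm_cmd: action must be enable or disable" >&2; return 1 ;;
    esac
    case "$pkg" in
        ""|*[!A-Za-z0-9._]*) echo "pm_cmd: bad package name: $pkg" >&2; return 1 ;;
    esac
    echo "pm $action $pkg"
}

# Read the output of `pm list packages -d` (one "package:<name>" line per
# disabled package) on stdin and succeed if the given package is among them.
is_disabled_in() {
    pkg="$1"
    grep -qxF "package:$pkg"
}

# Run the whole procedure against a connected phone (needs adb on the PC and a
# su binary on the phone that accepts -c; both are assumptions here).
disable_browser() {
    command -v adb >/dev/null 2>&1 || { echo "adb not installed" >&2; return 2; }
    cmd=$(pm_cmd disable "$BROWSER_PKG") || return 1
    adb shell su -c "$cmd" || return 1
    # Verify instead of trusting the exit code: adb shell strips CR before grep.
    adb shell pm list packages -d | tr -d '\r' | is_disabled_in "$BROWSER_PKG"
}

# Constructed sample of what `pm list packages -d` prints once the browser is
# disabled; used to exercise is_disabled_in without a phone attached.
SAMPLE_DISABLED="package:com.android.browser
package:com.example.unused"
```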

Hi,

I wonder if this affects the WebView component of Android. As far as I understood it is based on the default browser and was replaced with Android 4.4, too.

Have you noticed any changes in apps? For example that they couldn’t display their “changes” texts anymore or something like this?

regards,
Shiny

No, it does not affect the WebView (at least if it did I did not notice it). That is good because apps requiring the WebView component still work and bad because they are still affected by the security issues.
So this is more of a cosmetic fix, which prevents you from using the insecure Browser out of convenience or habit. A use case I would think of is giving the Fairphone to not so tech-savvy people who do not want to think about which browser to use, for example.
