How to face security Issues on Android 4.2

Hi everyone,

I am also very disappointed by the fact that Fairphone will not provide any support for upgrading to Android 4.4 or 5 for the first Fairphone versions.
New security issues are popping up every now and then and it is of highest importance to the users that those bugs are fixed immediately to prevent potential threats.
Maintenance of the existing Android versions or the ability to upgrade to safer versions is the key to preserving users’ security and privacy - unfortunately it needs to be done by the manufacturer.
The latest issue as of today for Android <= 4.3 is described here (German): http://www.heise.de/newsticker/meldung/UXSS-Sicherheitsluecke-in-Android-Jetzt-Geraete-testen-2569003.html

I am worried about using the Fairphone because of the lack of support from the Fairphone team, given the severity of security issues on Android, which will definitely become an even bigger problem in the future.
Bottom line, Fairphone needs to continuously provide security patches, as centralized desktop environments like Linux, OS X or Windows do.
Android might not be the platform of choice considering the fact that the manufacturer is responsible for taking measures, which of course will use a lot of resources that were favored to develop new features or new phones.
Please take this post as food for thought and discussion.

Fabian

Hi, just to address the question if Android itself is hit by the mentioned security issue: It isn’t. It’s only the stock browser.

If you use Firefox or Chrome you’re fine. :smiley:

1 Like

Did you consider reading this thread?

1 Like

That is not entirely true: (see the thread mentioned by @Stefan) Android contains a component called WebView which is used by many apps to display web-content, portions of web-sites and ads. While following the tips from that thread and using Chrome or Firefox for browsing is certainly a good idea, you will still be vulnerable to attacks on the WebView (if you use such apps as described above).

1 Like

Thanks for pointing that out Ben. Wasn’t aware of the WebView issue…

How to face security issues? Just like you should on Windows:

  1. Full-featured Firewall (AFWall+ on Android)
  2. Do not install programs at random.
  3. Use behavior based restrictions for programs (XPrivacy on Android)
  4. Do not use insecure or broken parts of the OS (WebView on Android)

2 Likes

The only thing I as a user can do to “protect” myself from third party software that includes, for example, this code to gain full root access to my device, is to stop installing any third party software, including updates to software that is already installed.
In other words: I can stop using my device.

I don’t think responsibility for dealing with such an issue lies with the user. It’s up to the manufacturer to ship software updates that include publicly available fixes for vulnerabilities like the one mentioned above, or e.g. for CVE-2014-3153 (“Towelroot”, also still exploitable with version 1.8).

1 Like

I didn’t say you’ll be 100% safe if you follow this guide.

The main part of that is constantly updating the OS; and that’s exactly what we can’t…

Just like I can’t update Windows XP, yet it’s still the fastest Windows for all recent PCs…

1 Like

Dear all,

one thing remains still a little unclear to me:

[quote=“Stefan, post:3, topic:4991”]
Even if the FP team’s ambition is to provide patches at least till the end of 2016, these issues won’t be addressed instantly.[/quote]

Alright, so patches won’t be provided instantly. But will they ever? How do things look with serious security issues? Will the UXSS issue ever be fixed for my Fairphone?

My bet is that it won’t. Ever. So if you want undisturbed sleep my suggestion is that you
a) stop using the default Android browser.
b) avoid apps that make use of Android’s WebView function. I have no idea which apps we are dealing with (anyone having a list?). Apparently Facebook is one of them, but you can disable the FB app’s built-in browser and use your chosen third party browser instead.

1 Like

Dear kgha,

As pointed out earlier, a) is easy to follow but b) isn’t. How would you be sure (or find out) that an app is / is not using WebView? I suppose that avoiding such apps might be an option for tech-savvy users but not for just-the-average user with limited tech knowledge.
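
One way to check a single app for WebView use, as an added example that is not part of any post in this thread: an APK is a zip archive, so its `classes*.dex` files can be searched for the `android.webkit.WebView` type descriptor and its compiled layouts for a `WebView` tag. The function names and the in-memory sample archives are constructed for illustration, and the check is a heuristic.

```python
import io
import re
import zipfile

# Type descriptor as stored in a DEX string table; the trailing ';' keeps
# WebViewClient, WebViewDatabase etc. from matching.
WEBVIEW_TYPE = b"Landroid/webkit/WebView;"
DEX_NAME = re.compile(r"classes\d*\.dex")
# Compiled layout XML keeps tag names in a string pool, UTF-8 or UTF-16LE.
LAYOUT_TAGS = (b"WebView", "WebView".encode("utf-16-le"))


def find_webview_references(apk):
    """Return {"dex": [...], "layout": [...]} naming APK entries that mention WebView."""
    found = {"dex": [], "layout": []}
    with zipfile.ZipFile(apk) as zf:
        for name in sorted(zf.namelist()):
            if DEX_NAME.fullmatch(name):
                if WEBVIEW_TYPE in zf.read(name):
                    found["dex"].append(name)
            elif name.startswith("res/layout") and name.endswith(".xml"):
                data = zf.read(name)
                if any(tag in data for tag in LAYOUT_TAGS):
                    found["layout"].append(name)
    return found


def uses_webview(apk):
    """True if any dex or layout entry references the WebView component."""
    found = find_webview_references(apk)
    return bool(found["dex"] or found["layout"])


def build_sample_apk(entries):
    """Constructed stand-in for an APK: a zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed samples, not real apps: fake dex payloads with and without the descriptor.
AD_APP = build_sample_apk({
    "classes.dex": b"dex\n035\x00" + b"\x18Landroid/webkit/WebView;\x00",
    "classes2.dex": b"dex\n035\x00" + b"\x1eLandroid/webkit/WebViewClient;\x00",
})
PLAIN_APP = build_sample_apk({"classes.dex": b"dex\n035\x00\x14Landroid/app/Activity;\x00"})
```

A hit only shows that the app is able to create a WebView, not that it ever loads untrusted content in one. A miss is not proof of absence either, since an app can load additional code at run time.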

Apparently the UXSS bug is not a threat for the Fairphone:

PS: I checked this in Firefox mobile 36, but not in the default browser.

Indeed, using Firefox is safe. But that doesn’t mean your phone and other apps are. Firefox does not use the WebView component and was never affected. Try to run the test with the default Android browser.

I’m blocking the Internet access of the default browser with AFWall+, and I don’t want to unblock it. I believe you that it’s affected. I’m pretty sure some other apps I use are too… If someone could find a way to disable WebView generally…

Has nothing to do with security, does it?

The default browser is vulnerable according to my check with the linked test page. I immediately switched to Firefox, and see the hoped-for longevity of my FP go down the drain…

Once I cannot rely on security issues being fixed, I eventually have to replace my device. It’s like holes in a barrel: If you don’t fix them properly, you are eventually running out of hands to seal them, and then you run out of beer, and THEN you are in trouble…

Hello,

If this is the case we will fix it. WebView is a different beast because of the lack of existing patches. At the time of Towelroot we tested the device and found it not vulnerable.

2 Likes

Thanks, that’s good to hear. To be honest I only “tested” my phone using this tool, so it may as well be that their detection method for Towelroot is flawed.
Will you also fix the newer CVE-2014-7911?