Quadrooter - is the Fairphone 2 vulnerable?

A new severe Android vulnerability on devices with Qualcomm chips was presented at Defcon on Sunday:

Does this affect the Fairphone 2?

If you have Google Play, you can check it with the following app and post the result here:

3 Likes

Well, as so often, the biggest security flaw is the user:

An attacker would have to trick a user into installing a malicious app

So no need to panic! Just don’t install apps from unknown sources …

So no need to panic! Just don’t install apps from unknown sources …

I tend to disagree - users have a hard time knowing what a trusted source is (for me, F-Droid is). As for the Play Store, I doubt that Google checks whether apps exploit this vulnerability, so the only protection is to not install new apps…

In any case, it’d be interesting to know whether the FP is affected in the first place or not.

1 Like

Yes, but in F-Droid you only find open source apps, so you can know what you install (thus I agree with you, I also trust it; and since it is open source, I wouldn’t call it unknown sources).
In any case, FP regularly implements the monthly Android security fixes, so I wouldn’t be too worried. After all, it comes back to the fact that people who randomly install anything they find are more vulnerable than people who don’t install from unknown sources. According to the articles you posted, this is also the case for this bug.

If you want to know if your device is affected, you may test the app you posted.

1 Like

I don’t have Google Play installed and I generally avoid installing non-free software, so I can’t. But I assume others are less strict and would be interested in this as well. I don’t particularly need this information for myself, but it’d be nice if FP users could just look up this information in this forum thread.

1 Like

After all, it comes back to the fact that people who randomly install anything they find are more vulnerable than people who don’t install from unknown sources.

It cannot be stressed enough how important this statement is. I did a test and captured the network traffic of a phone after I installed some of the free (as in free beer, not as in freedom) apps you get on Google Play and I can only say “holy sh*t!”. My advice when choosing apps is always:

  • Use open source apps if available.
  • If you cannot find an open source app that suits your needs, then go for a payware app with a good recommendation and good support.
  • Be extremely careful with apps that are free (as in free beer) but not open source (in particular games). In Germany we have a saying: Nichts ist umsonst bis auf den Tod - und der kostet das Leben! (Nothing’s for free except death and death costs life!). Do not use such apps unless the software has been tested, reviewed and recommended by multiple sources.

You have to do everything yourself …

Remark: My OS is 1.4.2!

1 Like

Same in latest FP Open OS (16.06)

1 Like

With 1.5.1 at least the first entry in the list (CVE-2016-2059) is gone…

2 Likes

Same again here, @swiehr. I’m running 1.5.1.

My friend has a Nexus 5X, which only shows the code CVE-2016-5340.

2 Likes

It’s not a remote exploit. It’s annoying (and it shows how broken the whole Android/SoC model is) but it’s not as critical as it may sound. With this, “normal evil” apps that don’t try to get a lot of rights can do evil stuff if you install them. So don’t install apps you don’t need.

Here are some details (link below). I have not really read it, but it once again points out the standard Android issues pretty well.

Update: I’m not a security expert. Strange scenarios that can still exploit such a bug are possible! Best read the report and judge by yourself. I’m just a forum member.

2 Likes

Thanks for checking!

Well, even assuming that someone read the code to check that it’s clean, you still need to trust the guy who compiled it. Unless you compile on your own.

Apps posted to Google Play need to pass through an automated security check on a virtual machine. As with everything, it should not be taken as 100% safe, but since this vulnerability is well documented, it should now be quite hard for a pirate to keep it unnoticed.

On F-Droid most of the apps are directly compiled on their build server. This reduces the risk of a binary package with a hidden exploit landing there. Google, on the other hand, allows the publication of binary packages, but although they are automatically tested there is still the problem of hidden (intentional or unintentional) and unidentified (so-called zero-day) exploits. On top of that, while Google considers a lot of privacy-violating stuff OK, F-Droid excludes such apps from their repository or gives an explicit warning.
Yes, in theory F-Droid could be hacked and someone could try to modify the build system to inject some malicious code into the packages, but you have the same risk on Google Play.

1 Like

That’s interesting! F-Droid is really great.

The F-Droid build server/process is also open-source, which means that if you set up an F-Droid server and compile the .apk yourself, it should be exactly the same. So you can (theoretically, haven’t done it yet) verify package integrity or just compile yourself instead of relying on their servers.

2 Likes

The long-discussed debate is about the different security models related to the chain of trust created by the APK that gets signed with a key. Do you trust the developer (Play Store) or the builder (F-Droid) more? Which machines are easier to compromise? But if you don’t want to use the Play Store, the decision is pretty straightforward.

I’m not sure if this has changed. I’m somehow getting less and less interested in Google’s Android.

1 Like

I think you have to trust the developer here, too. There was one case (not on F-Droid) where malware was included in a downloadable source code package (for compiling yourself).

For the German speakers:
An interesting article about the limited danger of Quadrooter and how well the organization that discovered the bug marketed it:

My question is: why didn’t Fairphone fix this vulnerability if Qualcomm communicated about this to manufacturers in past months?