Skip to content

Monthly Archives: February 2016

Rooting your Android phone? Google’s rumbled you again

do-evil-google

Quote

Google’s crackdown on rooted Android devices continues. Citing security reasons, Google doesn’t want rooted ‘Droid phones to use mobile payments via the Android Pay infrastructure.

This is a standard not required by Pay’s predecessor, the now-deprecated Google Wallet.

In turn, this has led to a cat-and-mouse game with Android’s substantial global enthusiast community. Now a door that modders opened slightly a few months ago has been slammed shut.

A developer last year found a way of rooting Android without disturbing the /system partition (aka “systemless root”).

A Google engineer acknowledged last year that if it had to scan and verify every file on the partition, the phone would be “bogged down for tens of minutes”.

Respite was temporary. Systemless rooting will now fail to fulfil an Android Pay transaction. Pay now introduces an additional check, performed by Android’s SafetyNet framework.

This post at XDA Developers explains that several further tweaks are required to work around the latest security check.

Ah if it was only that simple. Google fears malware, but the real reason is that is that it looses the ability to hoover up all your private information. One of the comments in the article was spot on:

The trouble with that is if Google Pay refuses to work, then Google Play (with an L) refuses to work *even for free apps*.

And you can’t uninstall Google Play Services without it taking all your downloaded apps with it. It uninstalls them when you turn it off in the settings.

This is the linkage game no different than when Microsoft did it.

Google Play Services is one of the most virulent spyware apps ever. Tracking, surveillance, access to cameras, microphones the lot. It has no purpose doing that, yet it does it for Google’s benefit.

You probably don’t know its tracking your location, and monitoring your app usage and all the other things “Carrier IQ” was doing. Sadly it is.

We need a true open source phone (which is what Anrdoid was supposed to be) away from the spying eyes of Google, the carriers and their ilk. Google is a monopolist. Why root? to get rid of the crapware, and spyware installed on the phones and to get security fixes faster and for longer. But if your entire life is on the phone (and then hoovered up and sold on), rooting is not for you. Just bend over for the likes of Google.

Popular 3G/4G data dongles vulnerable, say hackers

Quote

Cellular modems from four vendors have been popped by security researchers, who have documented cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE) and integrity attacks on the products….Because so many of the vulnerabilities – whether it’s via firmware or XSS/CSRF forgery attacks – allow remote code execution, the paper states, it’s easy to track devices. An attacker can read out the Cell ID or the connected WiFi base station.

The vulnerabilities also enabled a range of traffic interception attacks:

Devices could have their DNS redirected to an attacker-controlled domain.
Attackers can plant their own certificates into the devices’ trusted root list.
Some devices allow command-line access (via AT commands) to SMSs.

Other possibilities the research explored included using devices as PC attack vectors, attacks on SIM cards via binary SMS messages, and even upstream attacks directed at carrier networks.

The researchers conclude that the Huawei kit they tested was the least-worst.