P3Droid Reporting a Possible Patch For Root Exploit - Motorola Droid Bionic

"P3Droid
PSA: THERE IS STRONG EVIDENCE THAT THE BLIS EXPLOIT HAS BEEN PATCHED. NO ETA OF WHEN UPDATES WILL ROLL OUT FROM MOTOROLA, BUT BE WARY OF ALL FUTURE UPDATES."
He has also stated buying a Bionic early may be a big plus if you still want to root.

Related

Froyo for Milestone OFFICIALLY HAS A GO!

We're pleased to announce that Milestone will receive a free upgrade to Android 2.2 (FroYo) in Europe with an initial roll-out beginning at the end of this year. For other software updates please check our software update site:
https://supportforums.motorola.com/community/manager/softwareupgrades
Source: http://www.facebook.com/motorolaeurope
LOL....end of 2010?...silly....
Gingerbread 2.3 phone is everywhere at that time..lol
I can be wrong but beginning of the end of the year means Q4 (quarter 4, the last three months of the year), that would be the beginning of October, wouldn't it? But it doesn't matter now. Motorola doesn't care about the European market and they think they can mock us. Let them think that way. They probably do not give a damn about 100 people not buying their phones now, but if the number of customers steadily goes down they will be like "OMFG WHY THEY ARE NOT BUYING OUR GREAT PRODUCTS??!?!?!". I think Milestone was the only GOOD phone ever released by Motorola, but after that signed bootloader and this delayed 2.2 release I'm saying "No, thanks" and I'm going to get something from HTC or muster up some money and buy Nexus One now.
Please discuss in existing thread:
http://forum.xda-developers.com/showthread.php?t=730882&page=4

Want custom kernels??

Well I believe that we all want to free our Bionics from moto's lockdown. The knowledge and talent to bypass the bootloader is here and now. There are many that have signed petitions, started threads, and took their voice to the top of Verizon and Motorola. Hopefully we can keep all that enthusiasm, and focus that energy to Kholk with Eternityproject. So why no love for the Bionic, the "red headed step child"? Why does the Razr already have a bootloader bypass?
I just talked to Kholk.....The issue is that these talented individuals behind developing the bypass for other moto phones simply don't have a Bionic to develop it on which makes things very difficult. So the question is....what can we do about it? How bad do you want this? If you have a Bionic to spare or some extra $, send me a PM for a direct link. You can also go to EternityProject's website and give there. Just make sure you state that it's for the Bionic. I hope the moderators of this forum can understand the importance of this development and NOT kill this thread. This is a great leap in development.
Here's the donate page for EternityProject:
http://www.eternityproject.eu/donate
As much as I wish this was true look at the past. There are far and few who have been with and only with Motorola for a reason, and ashamed I am one. Other than the device that was no longer supported by Motorola there is only one that got lucky due to an internal source. If any one truly wants to donate money it might as well be in another manufacturer. I'm not hating on any external developers I'm just saying we all should learn the lesson that rings true. Motorola wants us all to blame the service provider but the truth is they just don't have the balls to stand up to them like other manufacturers do (Samsung). We all paid and own this device yet we are still told what we can and cannot do with it. To me this sounds like a lawsuit and yes we have heard arguing view points from both sides for years now need not it be now. Long story short, you have lost one more customer Motorola....
I think we should just look into the future of the moto bypass.
This isn't about moto...it's about us!
[mbm] started the work on the kexec bypass on the Bionic and gave his code base to kholk, who then adapted it for his GSM RAZR with success. He then sent that back to [mbm] to try to make it work on the CDMA/LTE Razr. That has not worked unfortunately and they are both still working on it. It does not work as is on the D4 or Bionic either.
My point is that this exploit originated on the Bionic as an extension of the Milestone kexec project and the principal dev who did it already has the device. I am not against donating to devs for devices but I also don't think throwing money at a problem is always the best route to a solution either.
Just an FYI about some of the history here.
Maybe Motorola will wake up due to their slumping sales. I still prefer Motorola to Samsung though. But I will seriously look into going back to HTC this winter.

Can't wait for Monday (15 April)

http://www.androidcentral.com/droid-bionic-update-android-412-coming-monday
Droid Bionic gets JB on Monday! :good: :highfive: :laugh: :victory:
:victory:
Is it Monday yet? (said nobody, lol)
One thing I've learned about this phone since its first intended launch date is just keep waiting......and waiting. I really hope it does come out but I wouldn't get my hopes up.
It's a done deal. Verizon has already updated their support site and they themselves have released the official announcement. It's gonna happen starting Monday.
ETA: the soak is starting tomorrow. I guess the soak is part of the phased rollout. Stay tuned for the zip, or just wait a day or two for the OTA for everyone.
SCFirefighter said:
It's a done deal. Verizon has already updated their support site and they themselves have released the official announcement. It's gonna happen starting Monday.
ETA: the soak is starting tomorrow. I guess the soak is part of the phased rollout. Stay tuned for the zip, or just wait a day or two for the OTA for everyone.
Guessing the soak is 1-2 days before rollout, but at this point I don't think the soak is even really to test the software; it's more of a formality. Stupid if you ask me. Why not have rolled soak last week? Actually bug test it before giving to masses.
Agreed
Blur_Version.6.7.246.XT875.Verizon.en.US.zip
https://docs.google.com/file/d/0B7Wh-noN9fNRNTYzSnNyblNrYWs/edit?usp=sharing

S5 update coming to AT&T variant?

Anyone know anything about this?
http://www.goandroid.co.in/samsung-galaxy-s5-update-brings-performance-tweaks/37180/
quordandis said:
Anyone know anything about this?
http://www.goandroid.co.in/samsung-galaxy-s5-update-brings-performance-tweaks/37180/
I'm curious about this too. I've been checking the updater and there's no software update available.
The screenshots in that article are for the Canadian variant -- G900W8.
It'll probably take a while for any update to get "certified" by the big @, plus I think I'm going to avoid doing software and security policy updates in case an exploit for this current version is found.
smknutson said:
It'll probably take a while for any update to get "certified" by the big @, plus I think I'm going to avoid doing software and security policy updates in case an exploit for this current version is found.
I have to wonder how many full-time employees AT&T and Samsung have that do nothing but monitor the web (mostly XDA) for whatever goes on here at XDA so they can react to any potential important discoveries, mods, or developments.
scott14719 said:
I have to wonder how many full-time employees AT&T and Samsung have that do nothing but monitor the web (mostly XDA) for whatever goes on here at XDA so they can react to any potential important discoveries, mods, or developments.
For the longest time I have thought this..............
I thought I was the only one...
I too also thought this....it had occurred to me that it would be particularly clever and prudent to have your finger on the pulse of your "power users", but then it occurred to me that because it's such a smart idea, they're guaranteed NOT to do it (keeping in line with their history). So that's my logic....
As nefarious as that sounds, it's almost guaranteed that the engineering portions of Sammy/AT&T that are responsible for security monitor forums and social media such as this. Probably even have moles portraying themselves as ignorant users.
smknutson said:
As nefarious as that sounds, it's almost guaranteed that the engineering portions of Sammy/AT&T that are responsible for security monitor forums and social media such as this. Probably even have moles portraying themselves as ignorant users.
I'm sure that engineers look at XDA and other developer/user forums out of interest or even as part of the job; but unless something directly affects Samsung or AT&T in a manner that is costing them a significant amount of money I doubt any action is made in response. Remember these are corporations, money/time is not spent chasing a relatively few users who choose to modify their phones, even if it is to evade fees and/or modify a locked feature. It just doesn't make a large financial difference.
Apple certainly pursued a cease and desist strategy but I think that was mostly out of a control freak corporate culture. Other than tethering for free, what do rooting and custom ROMs actually cost AT&T or Samsung? We still buy their phones loyally and pay for the service. If it mattered enough they would take greater steps to lock stuff down, or routinely push updates to secure their devices when exploits are found.
Just my take on it - I'm a pretty paranoid dude but not in this regard. We just don't matter much to them.
http://forum.xda-developers.com/showthread.php?t=2721505
I know the qualcomm guys look. Lol
TOA Duck said:
http://forum.xda-developers.com/showthread.php?t=2721505
I know the qualcomm guys look. Lol
The sad thing is all those files and scripts wouldn't have provided us any solution to root or unlocking the boot loader. Those were Qualcomm scripts and files, but only for signing the mbr/mbl, nothing unfortunately to do with unlocking it or rooting the device in any manner. The certs may have been helpful in tricking Odin into believing a custom ROM was official, which is the only thing that I could actually see coming out of that.
And I was a little leery of the member in the first place. He offered no tangible proof that the scripts did anything; all he did was list a directory of files, and when he was asked to provide proof that he actually rooted or unlocked a bootloader he refused to respond.
delawaredrew said:
I'm sure that engineers look at XDA and other developer/user forums out of interest or even as part of the job; but unless something directly affects Samsung or AT&T in a manner that is costing them a significant amount of money I doubt any action is made in response. Remember these are corporations, money/time is not spent chasing a relatively few users who choose to modify their phones, even if it is to evade fees and/or modify a locked feature. It just doesn't make a large financial difference.
Apple certainly pursued a cease and desist strategy but I think that was mostly out of a control freak corporate culture. Other than tethering for free, what do rooting and custom ROMs actually cost AT&T or Samsung? We still buy their phones loyally and pay for the service. If it mattered enough they would take greater steps to lock stuff down, or routinely push updates to secure their devices when exploits are found.
Just my take on it - I'm a pretty paranoid dude but not in this regard. We just don't matter much to them.
One thought. Samsung and Apple are both making big enterprise plays. My company in its BYOD program is pushing Samsung hard over other Android phones because they are more locked down with corporate policies mandating encryption and forbidding rooting/jailbreaking coming soon to my employer, I can see how a locked down phone is more attractive to them and could lead to more sales, not yet.
We're not their only market, and in the grand scheme of things, there may be more money for them going this path.
stoobie-doo said:
One thought. Samsung and Apple are both making big enterprise plays. My company in its BYOD program is pushing Samsung hard over other Android phones because they are more locked down with corporate policies mandating encryption and forbidding rooting/jailbreaking coming soon to my employer, I can see how a locked down phone is more attractive to them and could lead to more sales, not yet.
We're not their only market, and in the grand scheme of things, there may be more money for them going this path.
What they should be doing is making business/gov contracted phone deals locked down, and leaving the consumer phones as is, that's what they should be doing. Honestly TW is pretty good now and wouldn't bother me if I couldn't flash a rom (obviously I want to), however not having root and not being able to actually delete (not just disable) bloatware is f'n annoying lol.
TOA Duck said:
http://forum.xda-developers.com/showthread.php?t=2721505
I know the qualcomm guys look. Lol
Huh that's interesting. I had argued it was worthless since QC hadn't sent a takedown. May have to take another look.

XDA ToS designed to shield Motorola's poor security patch cycle?

Information available on Reddit seems to show that several of Motorola's phones have not had any security patch levels applied since after January. It also seems like as long as the known security issues are just documented as theoretically possible that Lenovo/Motorola seem happy to keep reiterating the same lie that they make security a "top priority" while not actually addressing these problems. It is also frustrating that Motorola seems unwilling to release a version of the Motorola One that is intended to be used in the USA.
It would be nice to have a proof of concept repository similar to Rapid7's Metasploit but for the Motorola G-series. Please keep in mind, I am *NOT* talking about violating responsible disclosure. This would not include any unpatched vulnerabilities. Instead, this would be known issues where AOSP has provided fixes to Motorola for over a month and Motorola has selected to still notify its customers that their device is "up to date" without having addressed the known issues.
I believe only by showing customers what is possible with these exploits can enough pressure be put on Lenovo/Motorola to make "top priority" mean actual action instead of empty posturing.
However, based on my careful reading of the XDA ToS, it seems anything that facilitates the creation of malicious content is not allowed. This seems vaguely worded enough to exclude all proof of concept exploit discussion. But several of the issues left unaddressed by Motorola seem to be fairly easy to exploit. So, is XDA really improving the situation or avoiding transparency in favor of shielding Motorola's poor behavior?
It would be really nice if someone could provide some clarification behind the wording of this ToS and XDA's position on vendors that make security a "top priority" leaving months of patches outside of the scope available to customers if the device is to remain under warranty.
This is what I already said.
Motorola is just a retarded company.
I don't know in which universe this is acceptable.
Someone needs to sh*t in a bag and address it at Motorola, so they see what they sell.
The G6 was my last Motof**k phone.
F**k Motorola. F**k Lenovo and f**k all the retards which work in these companies.
I hope the company dies and never sells a f**kphone again.
I completely understand your level of frustration ThisIsRussia but please don't get the thread locked.
If I were to mail something to Motorola to make a statement, it would probably be a finger-print reader attached to swiss cheese. They keep using user facing features to give the illusion of security while leaving the rest of the product full of security holes.
Yeah, sorry I was a little upset because they are always responding with phrases like "soon it will be updated" etc.
Since February. It's May now.
I just don't use Motorola phones anymore and if someone asked me for opinion I didn't recommend Motorola/Lenovo.
They are a bunch of liars. period.
I picked up the g6 on Fi just to have a cheap phone. I thought it was just the Fi version not getting security updates.. luckily I don't keep financials, etc on. Only good as a glorified phone and music streaming device, but for $99?
Not many budget phones get monthly patches on time. None that are under $150 anyways.
$99 or $150 isn't what I was charged for the Moto G6. It was released for a price of $200.
The Federal Trade Commission has fined D-Link, TP-Link and ASUS for marketing *BUDGET* wireless routers that sold for much less than $200 or $150 or $99 for misrepresenting their products as providing security while "failing to take reasonable steps to secure."
According to David Kleidermacher, Google's head of security for Android, "Android security made a significant leap forward in 2017 and many of our protections now lead the industry" and also "as Android security has matured, it has become more difficult and expensive for attackers to find high severity exploits."
Google owned Motorola, they should have been able to establish policies and procedures for Motorola to make good on David Kleidermacher's statements. Or they should have made establishing those part of terms of the sale to Lenovo.
Lenovo and Motorola also market themselves as providing security even for budget devices with statements as:
* "Prevent unauthorized access with secure biometrics"
* "keeping your devices and systems secure and your digital privacy intact is a top priority"
At no point do they put any exclusionary statement such as "but only if it is not a budget device."
Also, while Motorola One is also a budget device, it does get more frequent updates. However, the Moto One is clearly not intended for purchase in the USA market and is missing support for several LTE bands.
And the Moto G6 is supposed to be a Treble/GSI device where any effort Motorola put into providing updates to flagship GSI devices should also apply to being able to also update the G6 for almost no additional effort.
So, I reject the claim no one should expect Feb 2019 security updates by May 2019 because it is simply a budget device.
Then let's also look at the claim that if financials or similar are not stored directly on the phone then it is not really a big issue.
To respond to that I am going to focus on just one Feb 2019 patch. There have been plenty of other security issues in Jan 2019 to now but for purposes of this discussion, I will just focus on one. The CVE-2019-1988 seems to still apply to any Motorola phone that is "up-to-date" but has a Jan 2019 security level. This vulnerability has a high impact score of 10 out of 10 and an easy exploitability score of 8.6 out of 10. The attack complexity is low and "could lead to remote code execution in system_server with no additional execution privileges needed."
What would need to result from this for it to be considered a violation of Lenovo and Motorola's marketing of making security a top priority?
What if an email or MMS ("text message") or instant message could do any of the following:
* Open and stream the microphone while the phone is locked
* Take and transmit pictures from either the front or rear camera while the phone is locked
* Send and receive text messages while the phone is locked
* Transmit phone location while the phone is locked
* Access and transmit email and files/documents on Google Drive and Google Docs while the phone is locked
Would any of this be disturbing? Is Lenovo/Motorola really delivering on "[preventing] unauthorized access with secure biometrics" if this is possible while the phone is locked?
I get this is all theoretical and I sound like I have been wearing a tin foil hat (maybe I am). Anyone want to find out? Anyone want to give me the phone number to a Moto G6? Anyone want to give me the email address that they use with their Moto G6? How confident are people that not having financials stored directly on the phone means CVE-2019-1988 is not a major issue?
So far, people's reactions have been similar to this forum that there are still things people can do to maintain their privacy while using a device in this state. No one wants to believe that a major company would leave them so exposed. Lenovo/Motorola seems to be banking on no one understanding the full scope of the problem. But what if a Proof of Concept of a Remote Access Trojan launched not via installing an application but simply from viewing a PNG really happened, would anyone be interested in that? Would being able to actually demonstrate a PoC RAT have any positive value in holding Motorola accountable to their marketing claims or simply feed "hackers" with an exploit? If it is already known to be easily exploitable, shouldn't it be safe to assume any criminal that wanted it already has created their own implementation?
What exactly is XDA's stand on a real PoC RAT full disclosure? Is XDA taking on the stance that a RAT disclosure is always only harmful? Or is it that Motorola's actions are harmful?
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
I didn't say you or anyone should accept it. I said it's common on low end devices. Even low to midrange devices.
I don't care what you paid for it. I have the g6 play and paid $99 for it. And it has been updated to pie with March security patch.
Moto is not great at supplying updates the way they were when they were under Google. Not many companies in China that are shopping phones to other countries are good at it.
It sucks, I was agreeing with you.
So rant at someone else. Geez
madbat99 said:
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
chilinux said:
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
madbat99 said:
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
I understand what it is you are trying to say, that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
chilinux said:
I understand what it is you are trying to say, that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
Nope. Nobody is "honest" in marketing. They would sell nothing. Is it right....? No. Is it going to continue? Of course.
There are places to speak out. This isn't IT. Period.
You want a Google device that updates with every patch, you're gonna have to get a Pixel. Flat out. No company truly cares about your security. They start companies to make money. The end. Right or wrong. Sorry bro. It is what it is.
Unless a company specifically spelled it out in the laws of the country they're marketing in they don't have to do it. They can skirt rules and regulations any way they possibly can. And they have lawyers to make sure they get around that crap. Marketing gimmicks do not equal legal regulation obedience.
If you have a medium to carry out the plan you intend to, find it and do it. Just make sure no consumers are harmed in the process, because then the line has been crossed where you're not helping anyone but hurting people.
Companies are going to sell their products at the greatest profit imaginable and that's just the way things are going to be until some company proves that profits lie somewhere else. There isn't much you or I can do about it.
Again, this is not the medium for you to carry out such a vision. The most we hope to do here is to give users the keys to find a way to pick the lock for themselves. Not a way to circumvent the rules, punish the guilty, or vindicate innocence. There are places for that.
I'm going to bed now because I get up for work early. Good luck dude. Hope you feel better in the morning.
How many people in the budget phone range are still using phones that haven't even been updated past KitKat? Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Infinity gems be damned, level-headed decisions with your device make all the difference in the world
madbat99 said:
Just make sure no consumers are harmed in the process, because then the line has been crossed where you're not helping anyone but hurting people.
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to perform scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
The security audit PoC suite would be similar to previously publicly released projects. It would have a method of install via exploit similar to JailbreakMe and it would provide demonstration on what privileged level access provides similar to Back Orifice 2000. Both of those previous projects had the potential to weaponize but also helped customers make better informed decisions about the products they use.
madbat99 said:
how many people in the budget phone range are still using phones that haven't even been updated past kit Kat. Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
It is also a level of mistaken trust that was contributed to by people like Ronald Comstock with the XDA Developers sponsorship team which recommended this phone. It might be possible to make an excuse that at the time the recommendation was made it wasn't known how far behind security updates for the product would go. However, the XDA sponsorship team never posted a retraction and the XDA ToS makes it hard to effectively counter the vendor's misrepresentations of the XDA recommended product.
chilinux said:
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to perform scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
It can be said that security and privacy are separate issues.
But your insights are well stated.
I remember when a "researcher" seemingly died right before demonstrating how security flaws in insulin pumps could kill a man. (We know who did it Jack) so security is a real concern. And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
madbat99 said:
And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
I have hard feelings about this issue but not about what you have said.
I also have much less of an issue with "big money" not spending money where it does not need to. But they need to be transparent about that.
What I have hard feelings about is this:
https://androidenterprisepartners.withgoogle.com/device/#!/5659118702428160
And statements from Google related to that page such as:
"Organizations can then select devices from the curated list with confidence that they meet a common set of criteria, required for inclusion in the Android Enterprise Recommended program ... Mandatory delivery of Android security updates within 90 days of release from Google (30 days recommended), for a minimum of three years"
As appears in this document:
https://static.googleusercontent.co...droid_Enterprise_Security_Whitepaper_2018.pdf
Ninety days from the February 5, 2019 security update bulletin was May 6, 2019. Choosing from that list does not result in mandatory delivery of security updates within 90 days. Google and David Kleidermacher are drowning consumers with willfully misleading information to put trust into devices that aren't held to the criteria they claim they are.
Am I the only one who doesn't give a crap about security patches? I just want my phone to work, which my G6 does, just fine.
Dadud said:
Am I the only one who doesn't give a crap about security patches? I just want my phone to work, which my G6 does, just fine.
You are far from the only one who doesn't care about security patches. I would agree with you that you should not have to care. Addressing problems that are over 90 days old is stated to be the responsibility of Google and Motorola to have taken care of.
In terms of it working just fine, my point is while it appears to normally be fine there are known ways that unapproved behavior can be applied to the product without the owners being aware of them. To me that is not working as advertised and is also not really working fine.
