Stagefright is a very serious issue on Android devices, not known to many Android users.
Currently I am using CM12 Nightlies on my N5.
I read about Stagefright sometime back and found that my phone has been sending and receiving thousands of SMS and MMS. So I blocked all access to the CM12 Messaging app using Privacy Guard. Privacy Guard is one reason why I love CM12, loved slimrom too...
Attached are screenshots of my Messaging app and a report by Stagefright Detector.
1. How android phones are really hacked by simple SMS/MMS
2. More about Stagefright
3. XDA on Stagefright
Did Google really fix this and did CM do anything about this??? I believe the majority of the testing is done on N5 and other Nexus devices.
this is frightening!!!
How many of you have been exposed to this???
Lordificated said:
Did Google really fix this and did CM do anything about this??? I believe the majority of the testing is done on N5 and other Nexus devices.
Yes, it did. With the official release of Marshmallow (build MRA58K), all CVEs that Stagefright Detector is checking are fixed, and the device is not vulnerable. Your issue is on CM side, not Google's.
First of all, blocking MMS access on Messaging will only prevent a small portion of the exploit. Stagefright is a large library, it basically plays *every* media file (based on my knowledge). This includes stuff that browser plays (for example : webm video, like YouTube) all of these are handled by Stagefright and FFmpeg library.
But, the good thing is, the library is not exploited widely. This means there's no wide range attack (based on reports online). No need to worry, the issue is internally fixed on Google side, if you can update to latest CM nightly release the issue might be fixed.
Srandista said:
Yes, it did. With the official release of Marshmallow (build MRA58K), all CVEs that Stagefright Detector is checking are fixed, and the device is not vulnerable. Your issue is on CM side, not Google's.
I guess they did, on Android M...
as you said, Stagefright detector says there are no vulnerable CVEs on my N5...
Moved from CM to Stock 6.0... But I am not sure if I love the App Permissions settings of 6.0 over the Privacy Guard in CM12...
still :good:
F4uzan said:
First of all, blocking MMS access on Messaging will only prevent a small portion of the exploit. Stagefright is a large library, it basically plays *every* media file (based on my knowledge). This includes stuff that browser plays (for example : webm video, like YouTube) all of these are handled by Stagefright and FFmpeg library.
But, the good thing is, the library is not exploited widely. This means there's no wide range attack (based on reports online). No need to worry, the issue is internally fixed on Google side, if you can update to latest CM nightly release the issue might be fixed.
Yes, I read the same about Stagefright... being a large library used for almost all media access, most of the apps we use trigger Stagefright... but as you said, now that nobody knows the extent of vulnerabilities of Stagefright, we can only prepare for what we know!
Related
"cupcake" development branch
A link to this was posted on the G1-Hackers mailing list. I haven't seen it here yet so I figured I would share. You can find the original post at http://source.android.com/roadmap/cupcake.
---------------------------------------------------------------------------------
"cupcake" development branch
From http://source.android.com/roadmap:
During Android's transition to an open-source project, some development has continued to happen in a private branch. We are working to move the rest of these changes into the open as soon as possible, and all future open-source work will happen in the public git repositories. All changes that have already been submitted to the public repositories will be merged into the newer code base, so nothing should be lost.
The Android team has begun pushing these changes to the public git repositories, in the "cupcake" branch.
About this code drop:
The "cupcake" branch is a read-only mirror of the private Android branch.
cupcake is still very much a work in progress. It is a development branch, not a release.
The first drop is a large roll-up commit of all of the changes since release-1.0. We will transition to regular, smaller roll-up drops, ultimately pushing individual commits.
The cupcake branch will be merged into the master branch, so that all of the public patches can be used with the new code base. None of the commits in the public repositories will be lost, unless they no longer make sense or are obsoleted by the new code base. Due to the United States' holiday season, though, this may not be finished until early January.
To check out the cupcake branch:
mkdir cupcake # create a new client directory
cd cupcake
repo init -u git://android.git.kernel.org/platform/manifest.git -b cupcake
repo sync
Notable changes introduced in cupcake:
Applications
MMS
New features
Save attachments from MMS.
Significant bug fixes
Faster conversation list scrolling
Email
Significant bug fixes
Accounts that were marked "never check" are not auto-checked.
Date & time displayed using user preference (e.g. 24 hr vs. AM/PM).
cc: displayed in message view.
Relaxed POP3 parser rules so it works with non-compliant email servers.
Password quoting bugs in IMAP. Makes it work for users with funny chars in their password (e.g. spaces).
Various sources of errors in auto & manual account setup.
Improvements on how we report various connection errors. Makes it much easier for user to diagnose failed account setups.
New-mail notifications for POP3 accounts.
Properly recover from POP3 connection failures, so that the next connection has a chance of working properly.
Remove automatic accounts setup entries that were broken or not testable. Minor fixes to a few of the remaining entries. Improvements to warning dialogs used for a few special cases.
New accounts are now set to check every 15 minutes (instead of defaulting to "never").
Fixed a bug causing approximately 1 in 25 outbound messages to freeze up the IMAP connection (to a Gmail based server) when transferred to the Sent folder. This broke the entire connection so new messages could not be downloaded either.
Unit test framework so Email can be extended & tested more reliably.
Fix IMAP manually-created accounts so message delete works properly.
Alarm Clock
Significant bug fixes
Alert now plays audio/vibe directly, rather than through AlarmManager.
AlarmClock alert starts playing audio/vibe in its IntentReceiver, rather than on activity start. These changes should prevent alarms from being blocked by modal dialogs.
Package Installer
Significant bug fixes
Bugs related to replacing existing applications.
Settings
New features
New menu option to list running processes in Settings->ManageApplications.
Music
New features
Music playback fades in after suspending for phone call.
New media search intent allows for 3rd party apps to launch or respond to media searches based on artist, album, or title.
Affects: MusicPlayer, YouTube, Browser applications.
Browser
New features
Updated WebKit browser core, synced with Nov 2008 WebKit version.
Support for new, optimized JavaScript engine (SquirrelFish).
Copy/paste is enabled in the browser. To copy with touch, press and hold the shift key and select the text. Releasing the shift key or ending the touch drag copies the text. To copy with the trackball, press and hold the shift key, move the cursor to the selection start, click the trackball, and move the trackball to extend the selection. Releasing the shift key, or clicking the trackball a second time, copies the text.
Find is enabled in the browser. To find text, choose it from the menu and type the text to find.
Drawing has been sped up substantially by supporting partial content invalidates and partial screen invalidates. Pages with animations are 5x faster.
VoiceDialer
New features
VoiceDialer supports 'open app' command
Camera/Gallery
New features
Video recorder mode
Share intent for videos
Video thumbnails
Local file playback
Download manager
New features
Support for HTTP codes 301, 302, 303 and 307 (redirects).
HTTP code 503 is now handled, with support for retry-after in delay-seconds.
Downloads that were cleanly interrupted are now resumed instead of failing.
Applications can now pause their downloads.
Retry delays are now randomized.
Connectivity is now checked on all interfaces.
Downloads with invalid characters in file name can now be saved.
"cupcake" development branch continued
Framework
New features
Support of touch events in WebView.
New JavaScript engine (SquirrelFish) in WebView.
Input method framework, for soft keyboards and other on-screen input methods. Includes new APIs for applications to interact with input methods, and the ability for third party developers to write their own input methods.
Access to the raw audio data for playback and recording from application code.
New PendingIntent.FLAG_UPDATE_CURRENT option.
Support for top-level boolean resources.
Tactile feedback to the LockPatternView. Tactile feedback can be enabled/disabled by going to Settings > Security & location and then checking/unchecking "Use tactile feedback". Note that this can be used independently of the visual feedback of the lines ("Use visible pattern"). Thus it gives users a middle ground between showing the lines on the screen and having no feedback at all.
PackageManager changes to support un-installation of partially installed applications. Added new flag PackageManager.GET_UNINSTALLED_PACKAGES to include partially installed apps in all relevant PackageManager APIs. ManageApplications screen now lists such partially installed apps and the user can uninstall these applications completely.
Support third party updates of system applications. New menu options in Settings->ManageApplications to list updated system applications.
Framework support to list current running processes. New API in ActivityManager.
Framework feature to declare required configurations by applications. New manifest attribute uses-configuration in android manifest.
Hardware accelerated video encode (video recorder) in opencore.
Simplified SREC speech recognition API available.
Streaming audio I/O for applications.
Significant bug fixes
Fixed issues with saving state in the view hierarchy, so that you can properly subclass from something like TextView and create your own state that inherits from that provided by TextView.
TextView now implements onKeyMultiple(), so that flinging the trackball will result in accelerated scrolling. This required some changes to movement methods, and included some improvements to the acceleration computed when flinging.
Framework bug fixes in PackageManager to share/un-share permissions for applications with shared uid's.
Significant rework of Settings->ManageApplications Performance and UI enhancements.
A number of settings in android.provider.Settings.System were moved to android.provider.Settings.Secure. Only system software can modify these settings. Additionally, a new permission, WRITE_SECURE_SETTINGS, is required to access these settings. The old constants in Settings.System have been deprecated. It is possible to read settings values via Settings.System using the deprecated constants. However, attempts to modify these settings via Settings.System will result in a log message and the setting value will be left unchanged.
Many bug fixes in the media framework
Bluetooth
New features
Support for A2DP & AVRCP profiles.
Significant bug fixes
First connection after pairing always fails on many carkits.
Mini Cooper and some late model BMW cars fail to use Bluetooth or take 2 minutes for Phone Book transfer.
System software
New features
New kernel based on Linux 2.6.27.
Improvements to the wakelock API.
Work to transition to the USB Gadget Framework underway.
Basic x86 support.
Radio & Telephony
New features
SIM Application Toolkit 1.0.
Green CALL button is no longer a shortcut for "add a new call". This has been a rarely used feature and confusing if triggered accidentally.
Longer in-call screen timeout when using the speakerphone.
"Show dialpad" / "Hide dialpad" item added to the in-call menu, to make it easier to discover the DTMF dialpad.
Significant bug fixes
An obscure case where the Phone UI could cause the device to not go to sleep on its own. This would happen if user bails out of the in-call screen by hitting HOME, followed by the call disconnecting remotely.
Don't allow a single tap to open the in-call dialpad. It is now required to touch and drag it. This makes it much harder to accidentally open the dialpad by touching the screen with your face.
Developer Tools
New features
Enable handset manufacturers to extend the Android SDK with add-ons. SDK add-ons will include:
system libraries to let developers use additional APIs provided by handset manufacturers or from other 3rd party vendors that handset manufacturers chose to include
emulator system images, skins, and hardware configuration to let developers test their applications on their Android implementation
This is work-in-progress. Please note that the latest Android SDK (Android 1.0 SDK, Release 2) is not compatible with the SDK plugin in the new branch, please use ADT 0.8.0. SDK add-on support is planned for future SDK release.
Build System
New features
The functions in build/envsetup.sh should be much more useful
nice, this is some secret undercover stuff that is much needed!! you all rock!
hbguy
I'm wondering, would it be available to install for a non-jailbroken phone?
worry said:
I'm wondering, would it be available to install for a non-jailbroken phone?
We are talking about Android source code here. It would need to be compiled appropriately to even flash to any phone. Your phone would still subject it to the same key test before it will flash it. So, No this won't work... Yet. Hopefully we will find a way to sign these images with the OTA keys instead of just test keys as we do now.
"Chicken Soups for Andy Phones"
Yes, I am aware of you should compile it first.
So you are saying, since it is not officially signed by google, you'll be able to install it only on dev or has-proper-boot-image phones?
wait, how do we get all these updates in the future though? sdk?
also what you mean as finding a way to sign these images with ota keys instead of just test key? meaning with jf's mod rc30 we could get these update?
hbguy
man, well these were a few of the things that i wanted to see changed its good that they are keeping in touch with the ppl runnin the app. this is very compelling information. can i suggest and addendum to the title, something alluding to the "update" nature of this dev team. i dont think theres a date, but ill def be willing to pick a G1 back up for that, esp if they managed to make a few of the processes faster.
hbguy said:
wait, how do we get all these updates in the future though? sdk?
also what you mean as finding a way to sign these images with ota keys instead of just test key? meaning with jf's mod rc30 we could get these update?
hbguy
Cupcake can't be built to run on Dream hardware yet. Not to worry as an OTA RC with the cupcake code drops should be available by year's end or early Jan 09.
Support third party updates of system applications. New menu options in Settings->ManageApplications to list updated system applications.
I haven't had a chance to look into it too much but, depending on the applications and files made accessible, this looks very promising. Things like the autorotating browser, maybe even skinning, could potentially be "legitimized" and no longer require root.
so how would one go about compiling to run on the dream?
korndub said:
so how would one go about compiling to run on the dream?
Right now...... You wait. There isn't 100% of the code here. Nothing specific to the dream hardware etc. I am hopeful we will be seeing things come soon though.
As far as what I meant about the keys... Right now in order to be able to flash an update that is signed with test keys, aka the keys we have right now, you need to use an exploit to gain root access and modify the keys the system looks for when updating. There are two possible ways that I see to get OTA RC30 flashed with an unofficial image. The first way is for some ingenious person to find an exploit that can be used to obtain root again and therefore be able to change the keys the system looks for. The other option would be for someone to come up with a way to sign the image with the OTA keys.
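The key check described in the post above, as an added example (not code from the thread or from Android): a device-side verifier that accepts an update only when its signature verifies under a key in the device's trusted set. Toy textbook RSA with constructed keys stands in for the real signature scheme, and every name here is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both constructed keys


def make_keypair(p, q):
    """Build a toy RSA key pair from two primes (constructed, far too small for real use)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "d": d}


def fingerprint(n):
    """Short identifier for a public key, as a trust store might record it."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]


def digest(payload, n):
    """SHA-256 of the image, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def sign(payload, key):
    """Producer side: sign the image with the private half of the key."""
    n = key["n"]
    return {"payload": payload, "signer_n": n,
            "sig": pow(digest(payload, n), key["d"], n)}


def verify(package, trusted):
    """Device side: return (accepted, reason) for an update package."""
    n = package["signer_n"]
    if fingerprint(n) not in trusted:
        return False, "signer not in trusted key set"
    if pow(package["sig"], E, n) != digest(package["payload"], n):
        return False, "signature does not match payload"
    return True, "ok"


# Constructed stand-ins: the vendor's release ("OTA") key and the public test key.
OTA_KEY = make_keypair(2**127 - 1, 2**89 - 1)
TEST_KEY = make_keypair(2**107 - 1, 2**61 - 1)

# A stock device trusts only the release key.
STOCK_TRUST = {fingerprint(OTA_KEY["n"])}


def demo():
    image = b"constructed system image bytes"
    official = sign(image, OTA_KEY)
    community = sign(image, TEST_KEY)
    tampered = dict(official, payload=image + b"!")
    # Trust store after someone with root has added the test key to it.
    modified_trust = STOCK_TRUST | {fingerprint(TEST_KEY["n"])}
    return {
        "official_on_stock": verify(official, STOCK_TRUST),
        "test_key_on_stock": verify(community, STOCK_TRUST),
        "tampered_on_stock": verify(tampered, STOCK_TRUST),
        "test_key_on_modified": verify(community, modified_trust),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The decision depends entirely on the trusted key set, which is why write access to that set is restricted to root on a stock device.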
kronarq said:
Right now...... You wait. There isn't 100% of the code here. Nothing specific to the dream hardware etc. I am hopeful we will be seeing things come soon though.
As far as what I meant about the keys... Right now in order to be able to flash an update that is signed with test keys, aka the keys we have right now, you need to use an exploit to gain root access and modify the keys the system looks for when updating. There are two possible ways that I see to get OTA RC30 flashed with an unofficial image. The first way is for some ingenious person to find an exploit that can be used to obtain root again and therefore be able to change the keys the system looks for. The other option would be for someone to come up with a way to sign the image with the OTA keys.
kronarq is there a way to merge the existing source with the cupcake to fill in the parts that are missing?
Anyone else having problems pulling the source with repo?
hbguy said:
nice, this is some secret undercover stuff that is much needed!! you all rock!
hbguy
This was not "undercover" work. Google wanted to be able to work on stuff, yet release the G1 with a semi-stable firmware.
kronarq said:
We are talking about Android source code here. It would need to be compiled appropriately to even flash to any phone. Your phone would still subject it to the same key test before it will flash it. So, No this won't work... Yet. Hopefully we will find a way to sign these images with the OTA keys instead of just test keys as we do now.
This won't be the case. This is an official Google release, meaning when they merge them together in January, they will release an OTA update with all of these features.
I'm hoping there will be an OTA update with all these new goodies, but just because google is rolling "cupcake" into the open-source project, that does not mean that it will get rolled out to our G1's. That's up to T-Mobile and HTC. Let's just keep our fingers crossed.
Ok, maybe I'm missing something, but where are people getting the idea that this is not dream specific? From how I read it these are all things that are being built into the main source and as such will be compiled as an ota as other updates have been done in the past. Someone enlighten me here as I'm just not seeing the "specific" requirements people are putting on this? I'm no coder, but it doesn't look like anything more then just enabling what was already there or planned on being there. [/rant?]
MMTest97 said:
Ok, maybe I'm missing something, but where are people getting the idea that this is not dream specific? From how I read it these are all things that are being built into the main source and as such will be compiled as an ota as other updates have been done in the past. Someone enlighten me here as I'm just not seeing the "specific" requirements people are putting on this? I'm no coder, but it doesn't look like anything more then just enabling what was already there or planned on being there. [/rant?]
Agreed... everything that is dream specific is either on the android git repository or can be extracted from stock G1 Firmware
MMTest97 said:
Ok, maybe I'm missing something, but where are people getting the idea that this is not dream specific? From how I read it these are all things that are being built into the main source and as such will be compiled as an ota as other updates have been done in the past. Someone enlighten me here as I'm just not seeing the "specific" requirements people are putting on this? I'm no coder, but it doesn't look like anything more then just enabling what was already there or planned on being there. [/rant?]
Everything in the open source repository should be non-device specific (with the obvious exception of stuff like binary drivers). The repo will build an emulator image. To build for dream, there are some additional instructions. However the cupcake branch cannot be built for Dream at this time, so it is definitely not Dream-specific.
Datruesurfer said:
Agreed... everything that is dream specific is either on the android git repository or can be extracted from stock G1 Firmware
The differences between G1 and the repo extend beyond just Google-proprietary apps. There are subtle differences in the framework too.
Hi guys,
anyone got an idea why it isn't possible AT ALL with Android 4.4 to post a picture on Facebook or other sites that allow uploading content?
The maximum reaction I get out of it is "failure opening file", it just doesn't work with any browser (tried Dolphin, Chrome, Firefox, Stock)
This happens on every 4.4 based ROM somehow, can't thank you enough for any input about this matter
edit: 85 views and not a single "yeah, I face the same problem" or "no problem on my side at all", what's up with that
edit2: I tested every 4.4 ROM now, not only CM11 & CyanFox. Nowhere is the upload working through Browser
Tlailaxu said:
Hi guys,
anyone got an idea why it isn't possible AT ALL with Android 4.4 to post a picture on Facebook or other sites that allow uploading content?
The maximum reaction I get out of it is "failure opening file", it just doesn't work with any browser (tried Dolphin, Chrome, Firefox, Stock)
This happens on every 4.4 based ROM somehow, can't thank you enough for any input about this matter
edit: 85 views and not a single "yeah, I face the same problem" or "no problem on my side at all", what's up with that
edit2: I tested every 4.4 ROM now, not only CM11 & CyanFox. Nowhere is the upload working through Browser
Google made changes in KitKat replacing webkit with chromium webview and broke file upload, text reflow, etc. Basically web browsing is awful in KitKat, Google is aware but won't revert the changes. The only workaround at present is to use Opera Beta, or Firefox nightlies, there are other browsers with file upload but I would not recommend them at all if you don't want spyware. CM just implemented some changes on last night's nightly to fix file upload, but it's done nothing for me so far, still broken. At least the CM team is aware and willing to fix things.
http://review.cyanogenmod.org/#/c/58210/
http://review.cyanogenmod.org/#/c/58211/
Thank you for passing that info, this problem was/is driving me nuts and not reading anything about it other than my ramblings was the icing on the cake.
Maybe they can make it work again on CM
Tlailaxu said:
Thank you for passing that info, this problem was/is driving me nuts and not reading anything about it other than my ramblings was the icing on the cake.
Maybe they can make it work again on CM
I'd blame developers just as much as Google though. I understand it makes sense for them to use a web engine that Android provides for free and save time and money, but this is what happens when Google breaks something, suddenly 90% of browsers are broken. Firefox uses its own gecko engine and thus is unaffected, Opera shows a bit of spirit and patches chromium to fix these things, on the other hand. And then most people use apps instead of a browser to do things, so if some of us protest, it's not relevant.
Anyway, know that there are lots of complaints over at AOSP, but Google's reply is that these changes are intended and won't be reverted, so that's that.
Edit : "From what I understand the following is what is broken in KitKat webview :"
• text wrap no longer works
• cannot upload files
• cannot save passwords
• cannot force enable zoom
• no inverted rendering
• cannot play Flash videos (broken in 4.3 too)
Whoa, the rabbit hole goes deeper & deeper. I thought this was a weird bug that just happens with custom ROMs of not officially supported devices but reading that it comes from Google (and they saying "deal with it") pushes this to a whole new level.
Tlailaxu said:
... reading that it comes from Google (and they saying "deal with it")...
KitKat is such a kick in the ... for anyone developing on Android or just using it. Here's another jewel.
It looks like they're trying to restrict more and more things. The very reason many of us choose android over ios....
Ultramanoid said:
KitKat is such a kick in the ... for anyone developing on Android or just using it. Here's another jewel.
This whole KitKat issue transforms to a scandal of some sort. If Google doesn't change its current course, we will be on full lockdown like iOS in 2 or 3 revisions (Android 6 for example). This roadmap doesn't make me happy at all
I have an lg gpad, and I keep getting the crash of system ui. The tablet is unusable until I do a restart of the device. It happens every time I cast either YouTube or other casting apps and I pull the notification panel down. That starts the crash right away. I've factory restored my Chromecast, factory reset tablet, with fresh install of all apps. I am stumped and getting really annoyed at this issue. Any help in a resolution would be greatly appreciated.
Make sure your apps and Google Play Services are updated. They work hand-in-hand.
bhiga said:
Make sure your apps and Google Play Services are updated. They work hand-in-hand.
Updating them did not help. There is a work around, at least for YouTube. Go find the APK for an app called OG YouTube and use the OLD version (4.x)
There's no cue, but you can Chromecast without crashing the entire planet.
I bought the Note Pro with the intent to Chromecast. I feel so ripped off right now, especially since it worked for a little while when I got it. Then an update came down and broke it all. I've read elsewhere that the devs don't seem to give a crap about it, claiming there is no report of the issue even though many many many users are online complaining about it.
hellomiakoda said:
I bought the Note Pro with the intent to Chromecast. I feel so ripped off right now, especially since it worked for a little while when I got it. Then an update came down and broke it all. I've read elsewhere that the devs don't seem to give a crap about it, claiming there is no report of the issue even though many many many users are online complaining about it.
That's a bit unfair to the devs, IMO. Chromecast is dependent on so many moving parts that things go haywire when major updates roll out. It's much like when Facebook does back-end updates, unfortunately.
The major moving parts are:
Cast SDK
Chromecast firmware (build number)
Google Play Services
App
Not to mention the individual devices running the Chromecast-enabled app(s).
Until they're all synced up with the correct version "set" things tend to be wacky, and because the Chromecast app whitelist is essentially "live" and I don't think Chromecast has a defined way to know the service or device properties...
tl;dr - give it a few days. Likely it will magically all start working - unless there's something else at fault in the configuration.
Being that it seems the prior version of YouTube works, it may simply be a bug introduced in the update.
Say hello to this bug affecting some LG and Samsung devices:
https://code.google.com/p/android/issues/detail?id=70783
bubbleguuum said:
Say hello to this bug affecting some LG and Samsung devices:
https://code.google.com/p/android/issues/detail?id=70783
Thanks Bubble... Argh, I just upgraded to 4.4.2, but this may explain why the recent Netflix update disabled hardware volume control even on 4.3
Since at least back in the 4.4 days of AOSP, the Nexus 5 (and probably others) has had an issue with the camera when in video mode. There's a nasty green line that appears on the side of the video during playback.
It's an easy fix; just replace the file /system/lib/libmmcamera_interface.so with the one from the factory nexus image.
I have pored over the source code for this library, but I can't find out what it is that causes this anomaly nor why it is fixed in Google's image, but not in the AOSP source. How can this have been an issue for so long? Am I the only one who runs self-compiled AOSP on my N5?
Anyway, does anybody have any idea what the cause is, or how to fix it in the source?
Hello!
I started searching to fix that issue this morning and I ran into your post. I've been building a while from AOSP sources with minimal editing only, and I think this hasn't happened with 5.0.2 for me. Now that I've merged 5.1 into the source, I saw it happening again.
I checked a few trusted developers' vendors, blobs, etc. And I managed to make this:
https://github.com/sicknemesis/android_vendor_lge/commit/de6831773e3e083cef8d53f344f0a03f6a604268
As I write, I'm flashing and booting a ROM build with this commit and it seems it's working correctly now.
All credits to original authors as seen in original commit! Hope this was the thing we are looking for and I see not a lot of people check this Developer Discussion forum. I DO!
Gene Poole said:
Since at least back in the 4.4 days of AOSP, the Nexus 5 (and probably others) has had an issue with the camera when in video mode. There's a nasty green line that appears on the side of the video during playback.
It's an easy fix; just replace the file /system/lib/libmmcamera_interface.so with the one from the factory nexus image.
I have pored over the source code for this library, but I can't find out what it is that causes this anomaly nor why it is fixed in Google's image, but not in the AOSP source. How can this have been an issue for so long? Am I the only one who runs self-compiled AOSP on my N5?
Anyway, does anybody have any idea what the cause is, or how to fix it in the source?
Wow, so the N5 was never intended to use the AOSP version of that library. I never checked the qcom binaries nor noticed that it was included there.
Thanks for this!
The Boot2Gecko people have a source fix for it:
https://bugzilla.mozilla.org/show_bug.cgi?id=1117662
https://github.com/mozilla-b2g/device-hammerhead/commit/c37663f828891cf7a49451a04f3f1ce7f7e5c054
Thanks. It appears that the same lack of patch exists in the M source. I'll try it when I get a chance.
A few days ago, I started getting random apparently blank MMS messages from unknown urls in Hangouts. Looks like my phone / number is being targeted by someone trying to leverage one of the recent Stagefright vulnerabilities. I've got auto-downloading of MMS messages disabled in Hangouts and the stock Sony Messaging client, so probably (?) no immediate danger. But I am only on the last Kit Kat rom because I've been bitten before by abysmally bad battery life in Lollipop.
So options...
5.1.1 - sounds like battery life is better now than it was originally in LP. Can anyone verify that all the Stagefright vulnerabilities are even fixed in the latest for the Z3c? I have a Z1C test phone around the office here, and last I checked its latest 5.1.1 rom did not resolve all of those issues.
6.0 Concept - looks promising....but early MM wasn't immune to Stagefright problems either. Can anyone check if whatever anyone not part of the early program can install is free of this vulnerability?
Unfortunately, I need to run a secure app platform / email app for work, which means that I can't root or run xposed - stock roms only.
johdaxx said:
A few days ago, I started getting random apparently blank MMS messages from unknown urls in Hangouts. Looks like my phone / number is being targeted by someone trying to leverage one of the recent Stagefright vulnerabilities. I've got auto-downloading of MMS messages disabled in Hangouts and the stock Sony Messaging client, so probably (?) no immediate danger. But I am only on the last Kit Kat rom because I've been bitten before by abysmally bad battery life in Lollipop.
So options...
5.1.1 - sounds like battery life is better now than it was originally in LP. Can anyone verify that all the Stagefright vulnerabilities are even fixed in the latest for the Z3c? I have a Z1C test phone around the office here, and last I checked its latest 5.1.1 rom did not resolve all of those issues.
6.0 Concept - looks promising....but early MM wasn't immune to Stagefright problems either. Can anyone check if whatever anyone not part of the early program can install is free of this vulnerability?
Unfortunately, I need to run a secure app platform / email app for work, which means that I can't root or run xposed - stock roms only.
The whole stagefright vulnerability affects a huge percentage of devices running LP, while Android has claimed to have "fixed" most of the vulnerabilities some still remain in 5.1 but they are really not that impactful when it comes to using the phone.
With regards to security, you are never really "safe". The very fact you download apps like Facebook or Youtube already makes your internet life an open book, probably right now your phone sends anonymous data to Sony at set intervals.
True enough - no phone anyone really wants to hack into is 100% secure, and the more popular, the more they're going to be targeted. Specifically, I was wondering if anyone had run this tool:
https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector
on either 5.1.1 or 6.0 Concept? I have access to a few different phones that pass all these checks, but several that don't. The standard 4.4.4 on the Z3c fails all but one. A small comfort - but figured it was worth checking.
As for PI leakage, true, but different issue. I'm personally much happier with Google's methods where we have a dashboard that shows what information they're slurping up by the second, than others (like many manufacturers) that bury it in a massive T&C. We at least have some control over that vs. exposure to these security holes.