Would it be that the bad guys have become smarter and there is more money in silently p0wning devices? Or is network management able to stop such events from happening nowadays?
10-15 years ago everything was on the same LAN except for the handful of web servers you might have plugged into the DMZ port of your firewall and every client was implicitly trusted. Today we have VLANs for everything and segmentation is done purely for organization aesthetics. Switches can dynamically provision ports based on the client connected. Wired clients and wireless clients reside in different segments with different restrictions. Open network ports in unsecured areas, like conference rooms, are on highly restricted VLANs. I've even seen segmentation based on client MAC addresses where unknown devices were just routed back to themselves for everything.
Back then email servers accepted connections from anyone and would relay just about anything, no questions asked; today email servers are locked down and very suspicious of one another, with DNS records (SPF, PTR) for verification.
There are security appliances sitting on the edges of the network monitoring all inbound and outbound traffic, as well as appliances in the network watching the to and fro. We have software clients sitting on desktops monitoring traffic and blocking malicious or harmful requests as well. Software firewalls are now standard and turned on by default.
On top of all that, mobile networks are distributed, with each cell tower being its own insular network with a secure WAN connection over an ISP back into the central network, with all manner of port filtering in place.
This is also part of the reason a frequently updated Android distribution (Nexus or CyanogenMod) might in fact be more secure than iOS, where you are forced to be vulnerable to Apple's Webkit engine.
The same reasoning also applies to such updated versions of Android: the vast majority of people use outdated Android versions, so it's less likely that people would bother developing exploits for the latest Android version, as opposed to the latest version of iOS.
Obviously this is a self-defeating prophecy, but hopefully a proper securely isolated mobile OS will become available before things change.
I could use Chrome or Chrome Beta all day long and my phone doesn't get hot and the display is the biggest battery hog, I run up Firefox and the thing turns noticeably hot and Firefox overtakes the display for battery usage.
But that was his point - he was referring to Nexus-only (or CyanogenMod), not "Android", where 87% of the devices are vulnerable to at least one of the 11 vulnerabilities tested below, because of their lack of (fast) updates:
If you're on 4.4 with Firefox+NoScript you're fine. iOS won't let you have a setup like that...
What makes me think so is that they claim to have installed a "BMX Game" (which I guess is on the Play Store), and I don't see any claim of it being automatically launched after the installation (Android >2.3 should block that).
That would be much better for Android than the alternatives. As far as I can tell, applications can only install stuff in the background if they are system applications (live in some /system subfolder, which Chrome does when preinstalled/installed from a GAPPS package) AND declare the "INSTALL_PACKAGES" permission in their manifest (Chrome doesn't).
That should be the only way, apart from getting root (but I guess they would have just said "we got root" then).
EDIT: Obviously all of this is just a guess. I'm just happy that there is no Chrome on my phone :) (but the WebView on Android 5.1 is based on Chromium - so I wonder if that's exploitable as well?)
Edit: I had this in mind https://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-p...
vendor toolbars and bundled applications? check. saved logins on banks and everything else? check. no firewall? check. ads everywhere? check.
get your crap together, everyone.
Being that this is a one-shot exploit that the author believes will work on any Android with the latest Chrome makes it doubly so.
I'd also be more concerned that the exploit is described as targeting V8 specifically, considering how widely it is being used out of the browser these days.
Also Symbian had a relatively good security architecture, with its micro-kernel and the permissions model introduced in S60 v3.
Android security lags behind, because Google doesn't want to force OEMs and providers to provide updates. Additionally the OS architecture makes it pretty easy to extract an APK and reverse engineer it, even if written with the NDK.
But in any case, the best exploits are social and there isn't any help there.
Most of the users get p0wned trying to find stuff for free in dubious sites, and installing it, instead of paying for the real deal.
What do OEM updates have to do with a security hole in Chrome? Despite all the merger chatter, Chrome isn't an OS-level part of Android the way it is with ChromeOS.
The exploit sounds serious, but once the Chrome team understands it and comes up with a fix, all Google needs to do to deploy it is publish a new version of Chrome on the Play Store. I suppose they could add a nudge or two via Play Services (or otherwise) if people aren't installing the new version, but, in any case, that's nowhere near the effort required to get an OS update out (and neither OEMs nor carriers can block the fix).
I think you're assuming a lot about the relationship's power dynamics and what contracts are at play that may have been written quite a while ago. Also forgetting that more often than not it's the telco that's blocking or bottlenecking updates. The reason Apple was able to do what it did is because they provided the software and hardware and were able to leverage the demand for it against the likes of Verizon (probably the most notorious blocker of updates no matter how critical they might be).
My Nexus is still safe :)
However, the desktop Firefox regularly tops my 'Apps using significant energy' list, even when idling.
What does the OS X Activity Monitor’s “Energy Impact” actually measure? | Nicholas Nethercote https://blog.mozilla.org/nnethercote/2015/08/26/what-does-th...
Chrome vs Safari vs Firefox web browser efficiency http://blog.getbatterybox.com/which-browser-is-the-most-ener...
On Android anyone can implement a browser, have users download it, and make it the system default. On Android you don't need to end up with a Google monoculture, like you on iOS do have to accept the Apple monoculture.
The bug report says "all Android devices affected", which is factually incorrect. Mine never was, because mine never ran Chrome in the first place. And this was a Chrome bug.
On Android users have a choice. Whoever wrote this article does not seem to understand that, nor the implications of it.
Thus my post. Does that sound more reasonable?