Android 4.3 has dangerous, but difficult to exploit, security flaw

Whenever there is a security flaw found in any mobile platform, people tend to go a bit overboard, but that is never more apparent than when dealing with Android. Android has the reputation of being a haven for malware (which is only true if you have to rely on untrusted sources for apps), so when IBM reported a security flaw in Android 4.3, the response was unsurprisingly alarmist.

The problem started with IBM itself. IBM security researchers found the flaw back in September, and reported it to the Android Security Team at Google. Somehow, although IBM found the flaw nine months ago, the company mistakenly thought that the flaw affected all Android versions up to 4.3, but that wasn't accurate (although it has been reported that way by various outlets). In fact, the flaw only affects Android 4.3 and doesn't cause problems with any versions before or after. So, the flaw is only a problem for about 10% of the ecosystem.

The security flaw itself is a relatively dangerous one, which could allow malicious hackers to gain access to the Android KeyStore and uncover user banking and virtual private network credentials, PINs, and unlock patterns. That sounds pretty bad, but it turns out that there are fail-safes built into Android, like data execution prevention and address space layout randomization, which make exploiting the flaw very difficult. And, a hacker would also have to get a helper app installed on the target device in order to fully exploit the flaw. Of course, any flaw in the KeyStore is a serious matter; so, if you're stuck on 4.3, you should start bugging your manufacturer to update. And, as usual, be careful about side-loading apps because that's your best defense. 

source: IBM via Ars Technica

28 Comments

1. zennacko unregistered

"And, a hacker would also have to get a helper app installed on the target device in order to fully exploit the flaw" Have you ever seen how many permissions the most used flashlight apps (to say the most basic stuff that the companies don't bundle among their usual bloatware tools) require? Why would the phone use something like caller IDs and call logs to turn on a damn LED? Like they say around here, "the devil lies on the details", luckily, my Z1 Compact is already at 4.4.4 so I shouldn't have to worry about that (and also, I found a flashlight app that requires only camera access and disables device sleep, far more reasonable than the most popular ones, right?)

6. vincelongman

Posts: 5723; Member since: Feb 10, 2013

Just don't install apps with suspicious permissions. Or block the permissions when you install them (unfortunately you need an Xposed module or custom ROM for this on 4.4, because Google removed it, but it's coming back in L)

23. jroc74

Posts: 6023; Member since: Dec 30, 2010

Post 6 has good advice....and your post itself is a good example of why it's important to pay attention to permissions, educate yourself on them.

2. Vexify

Posts: 570; Member since: Jun 16, 2014

"only affects Android 4.3 and doesn't cause problems with any versions before or after. So, the flaw is only a problem for about 10% of the ecosystem." Lol

3. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

Those that do side loading need to have anti-malware detection such as Clean Master or 360 Security. https://play.google.com/store/apps/details?id=com.qihoo.security&hl=en https://play.google.com/store/apps/details?id=com.cleanmaster.mguard&hl=en

4. Mxyzptlk unregistered

Unfortunately it's not just from side loading. The play store has had a few rogue malware apps in the past.

5. vincelongman

Posts: 5723; Member since: Feb 10, 2013

Same as the AppStore. And the rest of the internet. Yet I've still never had a virus or malware, even though I used to pirate on Windows and jailbreak my iPhone. Now, I'm rooting and installing Xposed modules on my Nexus 5, still haven't had any issue.

8. Mxyzptlk unregistered

Cydia app store ≠ App Store

11. PapaSmurf

Posts: 10457; Member since: May 14, 2012

Mxyz give it a rest....

17. Mxyzptlk unregistered

Why? I'm quite surprised in your change of attitude.

14. Vexify

Posts: 570; Member since: Jun 16, 2014

Just got an iPhone 5s a little while back. Loving Cydia and all its power way more than anything I achieved on Android OS. Definitely worth the switch for now.

18. Mxyzptlk unregistered

It's a very versatile platform Cydia is

22. T.Law

Posts: 423; Member since: May 10, 2014

Who are you kidding? You need to jailbreak your iphone to get basic features Android has out of the box. Not to mention that even with Cydia, you will never have half of Android features. Troll harder next time.

16. Whateverman

Posts: 3295; Member since: May 17, 2009

19. Mxyzptlk unregistered

This is a very isolated incident. Apple is able to easily patch up any vulnerabilities.

7. ChandlerBing

Posts: 35; Member since: Feb 17, 2014

Android users boast about how they can root their phones even they don't get official updates. We iPhone and Windows Phone users should start boasting to them the security that our OS has compared to their buggy little pOS.

10. o0Exia0o

Posts: 903; Member since: Feb 01, 2013

Yes and when Apple releases a new phone the only way to get all of the "WONDROUS NEW FEATURES" is to buy the newest hardware. Windows phone does not have most of the apps that Android or ios has which is their biggest issue. Oh yes then there are the little things like being able to change your background that make the difference to Android users, try doing that on ios or windows phone. So yes Android is completely a pOS as you put it. TRY TROLLING HARDER!

13. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

Excuse me, remember desktop Windows and viruses are common and yet you don't hear me complaining. It's the user's responsibility to manage such problems and I am putting little to no effort on Android devices compared to my desktop Windows. Remember it's always the user's fault, not the OS, not the machine. Because only you can think and make active corrections!

24. boosook

Posts: 1442; Member since: Nov 19, 2012

LOL! Live in your dream.

25. jojon

Posts: 435; Member since: Feb 11, 2014

you right, am so glad i went Lumia WP now, my g/friend android is just simply not acceptable, given all the bugs etc she has

9. WinC76 unregistered

Ah great, my Galaxy Note 3 is still stuck on 4.3. :/

12. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

You shouldn't be using Note 3 if all you can do is complain. Stick to WP, that's designed for species with lower mental capacity.

20. NokiaFTW

Posts: 2072; Member since: Oct 24, 2012

Then how come you aren't using WP if it is for species with "lower mental capacity"?

28. WinC76 unregistered

Right, so I should be happy about how long Samsung is taking to update this phone to kitkat when the update is out in just about every country.

15. PapaSmurf

Posts: 10457; Member since: May 14, 2012

How is that even possible? Samsung rolled out 4.4.2 months ago.

27. WinC76 unregistered

I have the Australian model, which is still stuck on 4.3. The only phone with kitkat here is the s5. However, the note 3 is the only one being tested so far. The s4 and etc still has to wait even longer.

21. enthasuium

Posts: 150; Member since: Nov 21, 2013

Galaxy Note 3 is knox enabled, no problem

26. JunitoNH

Posts: 1946; Member since: Feb 15, 2012

Thanks for the warning and great advice. However, hackers breached banks, Target stores, and highly sensitive US sites. If they wanted to hack any OS, they can do it, period.
