LightBlog

lundi 2 mars 2020

How Monthly Android Security Patch Updates Work

Google has been publishing monthly security bulletins since August of 2015. These security bulletins contain a list of disclosed security vulnerabilities that have been fixed which affect the Android framework, Linux kernel, and other closed-source vendor components. Every vulnerability in the bulletins was either discovered by Google or disclosed to the company. Every vulnerability listed has a Common Vulnerabilities and Exposures (CVE) number, along with associated references, the type of vulnerability, a severity assessment, and the AOSP version affected (if applicable). But despite the seemingly simplistic process behind how Android security patches work, there’s actually a somewhat complicated back-and-forth behind the scenes that allows for your phone to get monthly or (hopefully) near-monthly patches.

What actually makes a security patch?

You may have noticed that every month, there are actually two security patch levels. The format of these patches is either YYYY-MM-01 or YYYY-MM-05. While the YYYY and MM obviously represent the year and month respectively, the “01” and “05” confusingly does not actually signify the day of the month in which that security patch level was released. Instead, the 01 and 05 are actually two different security patch levels released on the same day every month – the patch level with 01 at the end contains fixes to the Android framework but not vendor patches or upstream Linux kernel patches. Vendor patches, as we defined above, refer to fixes to closed-source components such as drivers for Wi-Fi and Bluetooth. The security patch level signified by -05 contains these vendor patches as well as patches in the Linux kernel. Take a look at the table below which may help in understanding.

Monthly Security Patch Level 2019-04-01 2019-04-05
Contains April Framework Patches Yes Yes
Contains April Vendor + Kernel Patches No Yes
Contains March Framework Patches Yes Yes
Contains March Vendor + Kernel Patches Yes Yes

Of course, some OEMs may opt to roll their own patches and updates into security updates as well. Most OEMs have their own take on Android, so it only makes sense that you may have, for example, a vulnerability on a Samsung phone that doesn’t exist on a Huawei. A lot of these OEMs also publish their own security bulletins.

The timeline of a security patch from Google to your phone

Security patches have a timeline roughly spanning about 30 days, though not every OEM can avail of the full length of that timeline. Let’s take a look at the May 2019 security patch for example, and we can break down the entire timeline behind the creation of this patch. Companies like Essential manage to get out their security updates on the same day as the Google Pixel, so how do they do it? The short and simple answer is that they’re an Android partner. The May 2019 security bulletin was published on the 6th of May, with both the Google Pixels and the Essential Phone getting near-immediate updates.

What it means to be an Android Partner

Not just any company can be an Android Partner, though admittedly basically every major Android OEM is. Android Partners are the companies that are granted a license to use the Android branding in marketing material. They are also allowed to ship Google Mobile Services (GMS – refers to pretty much all Google services) so long as they meet the requirements outlined in the Compatibility Definition Document (CDD) and pass the Compatibility Test Suite (CTS), Vendor Test Suite (VTS), Google Test Suite (GTS), and a few other tests. There are distinct differences in the security patch process for companies that aren’t an Android Partner.

  • Android framework patches are available to them after being merged into AOSP 1-2 days before the security bulletin is released.
  • Upstream Linux kernel patches can be cherry-picked once available.
  • Fixes from SoC vendors for closed-source components are available depending on agreements with the SoC vendor. Note that if the vendor has given the OEM access to the source code of the closed-source component(s), then the OEM can fix the issue(s) themselves. If the OEM does not have access to the source code, then they must wait for the vendor to issue a fix.

If you are an Android Partner, you immediately have it a whole lot easier. Android partners are notified of all Android framework issues and Linux kernel issues at least 30 days before the bulletin is made public. Google provides patches for all issues for OEMs to merge and test, though vendor component patches are dependent on the vendor. Patches for the Android framework issues disclosed in the May 2019 security bulletin, for example, were provided to Android partners at least as early as March 20th, 2019*. That’s a lot of extra time.

*Note: Google can, and often does, update the patches for the latest security bulletin all the way until the public release. These updates can happen if new vulnerabilities and bugs have been found, if Google decides to remove certain patches from the monthly bulletin due to it breaking critical components, if Google updates a patch to resolve a bug created by the previous version of the patch, and other reasons.

Why do I need to wait so long to receive a security patch on my phone?

While it’s true that Android Partners (read: all major OEMs) received security patches well in advance of their release, many are painfully aware that they possibly won’t receive a security update for months after its release. This is generally down to one of four reasons.

  • OEMs may need to make heavy technical changes in order to accommodate a security patch, as it may conflict with existing code.
  • The vendor is slow at providing update source-code for closed-source components.
  • Carrier certification may take time.
  • Companies may be unwilling to release a security update without also releasing a feature at the same time.

While all of these are valid reasons for a business not to release a security patch, the end-user doesn’t always care about any of those. Admittedly, the end-user doesn’t always care about security patches either, though they should. Initiatives like Project Treble, extended Linux LTS, and Project Mainline are helping to eliminate the technical difficulties of merging these security patches, but it’s not enough to make OEMs consistently strive to put out updates. With a Generic Kernel Image, or GKI, SoC vendors and OEMs will have an easier time merging upstream Linux kernel patches, though we likely won’t see the first devices with GKI until next year.

But an interesting piece of information that most don’t know is that major OEMs must provide “at least four security updates” within a year of a device’s launch, and 2 years of updates overall. Google has not confirmed these specific terms, but the company did confirm that they “worked on building security patching into [their] OEM agreements”. As for Android Enterprise Recommended (AER) devices, devices are required to get security updates within 90 days of release for 3 years. Rugged AER devices are required to get 5 years of security updates. Android One devices are supposed to get security updates every month for 3 years.

What’s in a security patch?

A security patch is just another update, though generally a lot smaller with changes to individual frameworks and system modules rather than system-wide improvements or changes. Each month, Google provides device OEMs with a zip file that contains patches for all major Android versions currently still supported, along with a security test suite. This test suite helps OEMs catch gaps in security patches, to ensure that they don’t miss anything and that the patches were merged appropriately. As the month goes on, Google may make minor revisions such as deciding that one specific patch is optional, specifically if there are troubles implementing it.

What about custom ROMs?

If your smartphone doesn’t get many security updates, that doesn’t necessarily mean you’re better off switching to a custom ROM. While true that you will get security updates that you would not have gotten otherwise, that’s only half of the story. Unlocking your bootloader leaves you susceptible to physical attacks on your device, even if on the software side, security is hardened. That’s not to say you shouldn’t use custom ROMs, it’s just that there are other concerns when it comes to using them that don’t apply if your bootloader is kept locked. If you’re more worried about the software side of things, then you’re still better off with a custom ROM that gets frequent security patches.

But remember we talked about the difference between YYYY-MM-01 and YYYY-MM-05 patches? The -05 patch level contains Linux kernel patches as well as vendor patches – patches applied to closed-source software. This means custom ROM developers are at the mercy of whatever OEM they’re developing for, and if the OEM releases update blobs or not. This is fine for devices that are still updated by the manufacturer, but for devices that aren’t, the patches applied can only be applied to the Android framework and the Linux kernel. This is why LineageOSTrust Interface shows two security patch levels – one being platform, the other being vendor. Even though custom ROMs for unsupported devices can’t fully integrate all of the latest patches, they’re going to be more secure than the older, outdated ROM.

The post How Monthly Android Security Patch Updates Work appeared first on xda-developers.



from xda-developers https://ift.tt/38dexPX
via IFTTT
Publié par à Aucun commentaire:
Libellés : ,

New Pixel Feature Drop adds Dark Mode Scheduling, Cards & Passes to Power Menu, and more

Two months after announcing the Pixel 4, Google announced the first Pixel Feature Drop. Instead of rolling out major new features individually, Google decided to wait to unveil new features and drop them all at hence in the same update. Hence, Pixel “Feature Drop.” The first one only added a few features such as auto-framing in Google Duo, post-snap Portrait Mode in Google Photos, and automatic call screen in the Google Phone app, but the second Feature Drop is adding a dozen new features. Here’s a chart from Google that lists the new features arriving on Pixel devices with the March update:

You might be already familiar with many of these features since we’ve either documented them in the Android 11 Developer Preview or manually enabled them ahead of release. If you aren’t familiar, though, here’s a summary to get you up to speed:

  • Cards & Passes: This feature lets you quickly access your debit or credit cards, event tickets, boarding passes, or any other cards stored in Google Pay, simply by pressing and holding the power button. The feature will be available to users in the following countries: U.S., U.K., Canada, Australia, France, Germany, Spain, Italy, Ireland, Taiwan, and Singapore. On Pixel 4, you can also quickly access your emergency contacts and medical information stored in the “Personal Safety” app. For non-Pixel owners, this feature will arrive in Android 11 as “Quick Access Wallet.”
  • Screenshot a boarding pass to add it to Google Pay: This does exactly what it says it’ll do. Simply take a screenshot of a boarding pass with the barcode showing, and then you can add the boarding pass to Google Pay by tapping on the notification that’s shown. Google Pay will then give you real-time updates on your flight, and on the day of departure, you can quickly pull up your boarding pass by long-pressing the power button to show the Cards & Passes menu. Oddly, this feature isn’t available on the Pixel 2 or Pixel 2 XL even though both devices support Cards & Passes. For the Pixel 3, Pixel 3a, and Pixel 4, the feature will gradually become available in all countries where Google Pay is available, so long as you’re on the March Pixel Feature Drop update.
  • Tap to pause with Motion Sense: You can now pause and resume music playback on Pixel 4 by doing a “tap” gesture above the phone. This feature was first added to Motion Sense in the Android 11 Developer Preview, but it’s good to see it show up in the Pixel Feature Drop since few people are on the Developer Preview.
  • Dark theme scheduling: One of the best new features in the Android 11 Developer Preview is the ability to schedule the dark theme. This feature is now available for all Pixel devices in the March Pixel Feature Drop, though it’s not as robust as the feature in Android 11. While you can schedule dark theme to coincide with the day/night cycle, you can’t customize the time for when you want to toggle dark mode.
  • Rules: This is a new feature that lets you automate when you want your phone to enter Do Not Disturb mode, be silent, vibrate for notifications, or alert you for notifications. You can set triggers based on the Wi-Fi network or physical location. The feature has already started rolling out to most Pixel users.
  • Emojis 12.1 Update: Google has added 169 new emoji to choose from, many of which have variations in gender and skin tones to be more accommodating.
  • Duo AR Effects: During a live video call, you can show augmented reality characters that react to your facial expression and move with you around the screen. To use effects during a call, tap the menu button and then “Effects” to choose an effect. This feature isn’t available for the Pixel 2 or Pixel 3a as it might be too computationally intensive for these devices.
  • Better selfies: On Pixel 4, the front-facing camera can now create images with depth, improving Portrait Mode and color pop. (The Pixel 4 only has a single front-facing camera unlike the Pixel 3 with its secondary wide-angle camera.) You can now create 3D Photos in Facebook using the single camera on Pixel 4, though this feature is broadly rolling out to devices with single cameras. To enable this feature, open the Google Camera app and go to Settings > Advanced > Social Media Depth Features.
  • Car crash detection: Google is rolling out car crash detection, a feature in the Personal Safety app that detects when you’re in a motor vehicle accident and alerts emergency services if you’re unresponsive, to more areas. In addition to the United States, car crash detection is now available for Pixel 4 users in Australia and the United Kingdom with the latest Pixel Feature Drop update. Although the feature is still only officially available for Pixel 4 owners, the Personal Safety APK from the Android 11 Developer Preview can be sideloaded onto other Pixel devices to enable the feature.
  • Live caption: This feature transcribes audio being played back on your phone and displays the transcriptions as floating captions on-screen. This feature debuted on the Pixel 4, came to the Pixel 3 and Pixel 3a in the first Pixel Feature Drop, and landed on the Pixel 2 for many users with an update to the Device Personalization Services app. If you haven’t gotten the feature yet, then it should definitely arrive in the March update. Live caption is still limited to English and also doesn’t work with music, phone calls, or VOIP.
  • Long press improvements: According to Google, the Pixel Launcher will have “improved long press options.” Google says that “you can now firmly press to get more help from your apps more quickly.” We aren’t sure exactly what has changed here, but it sounds like Google is making use of the “Deep Press” API introduced in Android 10. Google trained an ML model to recognize when the user is pressing more forcefully on the screen. If that sounds like Apple’s now-abandoned Force Touch, then that’s exactly what they’re aiming for.
  • Adaptive brightness improvements: One of the flaws of the Pixel 4 is how disappointingly dim the display gets when you’re using the phone outdoors. We found out that Google wasn’t using the Pixel’s High Brightness Mode for outdoor use even though it can massively improve sunlight visibility. In the new Pixel Feature Drop, Google has updated Adaptive Brightness on the Pixel 4 so your screen brightness temporarily increases in extremely bright ambient lighting (like under direct sunlight).
  • Increased touch sensitivity: This feature wasn’t documented by Google in their official blog post, but XDA Senior Member cstark27 informed us that the “increase touch sensitivity” option is no longer exclusive to the Android 11 Developer Preview. This feature improves touch sensitivity, which could be useful if you’re wearing gloves. For Pixel 4 owners on the latest March update, you’ll find the new toggle in Display settings.

That’s all the information that Google shared in their official blog post announcing the second Pixel Feature Drop as well as the announcement thread on the Pixel support forums. Here’s a short video showing off the key features of this big update:

The post New Pixel Feature Drop adds Dark Mode Scheduling, Cards & Passes to Power Menu, and more appeared first on xda-developers.



from xda-developers https://ift.tt/32NogeH
via IFTTT
Publié par à Aucun commentaire:
Libellés : ,

March 2020 security patches rolling out with fixes for Pixel devices

Today is the first Monday in March, a relatively uneventful day in most cases. In the technology world, however, the first Monday of a new month means new Android security updates. The March 2020 Android security patches include the usual bevy of fixes along with some specific fixes for Pixel devices. The update is rolling out now for the Pixel 4, Pixel 4 XL, Pixel 3a, Pixel 3a XL, Pixel 3, Pixel 3 XL, Pixel 2, and Pixel 2 XL.

This month’s Android security update includes quite a few “notable fixes and improvements.” There’s something for every Pixel from the Pixel 2 all the way up the Pixel 4. There are a few fixes specific to Camera, Face Unlock, and Motion Sense on the Pixel 4 series. Google has also announced the second “Feature Drop” with new features for Pixel devices. Check out the chart below to see what fixes are in tow for your Pixel.

Build Numbers
  • Pixel 2 (XL): QQ2A.200305.002
  • Pixel 3 (XL): QQ2A.200305.002
  • Pixel 3a (XL): QQ2A.200305.002
  • Pixel 4 (XL):
    • Global: QQ2A.200305.003
    • AT&T: QQ2A.200305.004.A1

Download Factory Images | Download OTA Images

Android Security Bulletin | Pixel Update Bulletin

The post March 2020 security patches rolling out with fixes for Pixel devices appeared first on xda-developers.



from xda-developers https://ift.tt/39isVb9
via IFTTT
Publié par à Aucun commentaire:
Libellés : ,

Critical MediaTek rootkit affecting millions of Android devices has been out in the open for months

On the first Monday of every month, Google publishes the Android Security Bulletin, a page that discloses all the security vulnerabilities and their patches submitted by Google themselves or other third-parties. Today was no exception: Google just made public the Android Security Bulletin for March 2020. One of the vulnerabilities that are documented in the latest bulletin is CVE-2020-0069, a critical security exploit, specifically a rootkit, that affects millions of devices with chipsets from MediaTek, the large Taiwanese chip design company. Although the March 2020 Android Security Bulletin is seemingly the first time that CVE-2020-0069 has been publicly disclosed, details of the exploit have actually been sitting openly on the Internet—more specifically, on the XDA-Developers forums—since April of 2019. Despite MediaTek making a patch available a month after discovery, the vulnerability is still exploitable on dozens of device models. Even worse, the vulnerability is actively being exploited by hackers. Now MediaTek has turned to Google to close this patch gap and secure millions of devices against this critical security exploit.

The Origin of MediaTek-su

For any readers who aren’t familiar with XDA-Developers, we’re a site that’s home to the largest forums for Android software modifications. Usually, these modifications center around attaining root access on devices in order to delete bloatware, install custom software, or tweak default system parameters. Amazon’s Fire tablets are popular targets for hobbyist hackers on our forums—they’re full of uninstallable bloatware, lack access to basic software applications like the Google Play Store, and, most importantly, are very cheap. The challenge with rooting Amazon Fire tablets is that they’re heavily locked down to prevent users from stepping outside of Amazon’s walled garden; Amazon does not provide an official method to unlock the bootloader of Fire tablets, which is usually the first step in rooting any given Android device. Therefore, the only way to root an Amazon Fire tablet (without hardware modifications) is to find an exploit in the software that allows the user to bypass Android’s security model. In February of 2019, that’s exactly what XDA Senior Member diplomatic did when he published a thread on our Amazon Fire tablet forums. What he didn’t immediately realize is that he stumbled upon an exploit that was far wider in scope than just Amazon’s Fire tablets.

After a bit of testing from XDA Member diplomatic and other community members, it was discovered that this exploit works on a large number of MediaTek chips. The author states that the exploit works on “virtually all of MediaTek’s 64-bit chips,” and they specifically name the following as being vulnerable: MT6735, MT6737, MT6738, MT6739, MT6750, MT6753, MT6755, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6771, MT6779, MT6795, MT6797, MT6799, MT8163, MT8167, MT8173, MT8176, MT8183, MT6580, and MT6595. Because of how many MediaTek chipsets were affected by this exploit, the exploit was given the name “MediaTek-su,” or “MTK-su,” for short. On April 17th, 2019, diplomatic published a second thread titled “Amazing Temp Root for MediaTek ARMv8” on our “Miscellaneous Android Development” forum. In this thread, he shared a script that users can execute to grant them superuser access in shell, as well as set SELinux, the Linux kernel module that provides access control for processes, to the highly insecure “permissive” state. For a user to get root access and set SELinux to permissive on their own device is shockingly easy to do: All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script.

The simple steps to get root access using MediaTek-su. Source: XDA Senior Member Diplomatic

XDA community members confirmed the exploit worked on at least the following devices:

Devices the community confirmed were exploitable by MediaTek-su

  1. Acer Iconia One 10 B3-A30
  2. Acer Iconia One 10 B3-A40
  3. Alba tablet series
  4. Alcatel 1 5033 series
  5. Alcatel 1C
  6. Alcatel 3L (2018) 5034 series
  7. Alcatel 3T 8
  8. Alcatel A5 LED 5085 series
  9. Alcatel A30 5049 series
  10. Alcatel Idol 5
  11. Alcatel/TCL A1 A501DL
  12. Alcatel/TCL LX A502DL
  13. Alcatel Tetra 5041C
  14. Amazon Fire 7 2019 — up to Fire OS 6.3.1.2 build 0002517050244 only
  15. Amazon Fire HD 8 2016 — up to Fire OS 5.3.6.4 build 626533320 only
  16. Amazon Fire HD 8 2017 — up to Fire OS 5.6.4.0 build 636558520 only
  17. Amazon Fire HD 8 2018 — up to Fire OS 6.3.0.1 only
  18. Amazon Fire HD 10 2017 — up to Fire OS 5.6.4.0 build 636558520 only
  19. Amazon Fire HD 10 2019 — up to Fire OS 7.3.1.0 only
  20. Amazon Fire TV 2 — up to Fire OS 5.2.6.9 only
  21. ASUS ZenFone Max Plus X018D
  22. ASUS ZenPad 3s 10 Z500M
  23. ASUS ZenPad Z3xxM(F) MT8163-based series
  24. Barnes & Noble NOOK Tablet 7″ BNTV450 & BNTV460
  25. Barnes & Noble NOOK Tablet 10.1″ BNTV650
  26. Blackview A8 Max
  27. Blackview BV9600 Pro (Helio P60)
  28. BLU Life Max
  29. BLU Life One X
  30. BLU R1 series
  31. BLU R2 LTE
  32. BLU S1
  33. BLU Tank Xtreme Pro
  34. BLU Vivo 8L
  35. BLU Vivo XI
  36. BLU Vivo XL4
  37. Bluboo S8
  38. BQ Aquaris M8
  39. CAT S41
  40. Coolpad Cool Play 8 Lite
  41. Dragon Touch K10
  42. Echo Feeling
  43. Gionee M7
  44. HiSense Infinity H12 Lite
  45. Huawei GR3 TAG-L21
  46. Huawei Y5II
  47. Huawei Y6II MT6735 series
  48. Lava Iris 88S
  49. Lenovo C2 series
  50. Lenovo Tab E8
  51. Lenovo Tab2 A10-70F
  52. LG K8+ (2018) X210ULMA (MTK)
  53. LG K10 (2017)
  54. LG Tribute Dynasty
  55. LG X power 2/M320 series (MTK)
  56. LG Xpression Plus 2/K40 LMX420 series
  57. Lumigon T3
  58. Meizu M5c
  59. Meizu M6
  60. Meizu Pro 7 Plus
  61. Nokia 1
  62. Nokia 1 Plus
  63. Nokia 3
  64. Nokia 3.1
  65. Nokia 3.1 Plus
  66. Nokia 5.1
  67. Nokia 5.1 Plus/X5
  68. Onn 7″ Android tablet
  69. Onn 8″ & 10″ tablet series (MT8163)
  70. OPPO A5s
  71. OPPO F5 series/A73 — Android 8.x only
  72. OPPO F7 series — Android 8.x only
  73. OPPO F9 series — Android 8.x only
  74. Oukitel K12
  75. Protruly D7
  76. Realme 1
  77. Sony Xperia C4
  78. Sony Xperia C5 series
  79. Sony Xperia L1
  80. Sony Xperia L3
  81. Sony Xperia XA series
  82. Sony Xperia XA1 series
  83. Southern Telecom Smartab ST1009X (MT8167)
  84. TECNO Spark 3 series
  85. Umidigi F1 series
  86. Umidigi Power
  87. Wiko Ride
  88. Wiko Sunny
  89. Wiko View3
  90. Xiaomi Redmi 6/6A series
  91. ZTE Blade A530
  92. ZTE Blade D6/V6
  93. ZTE Quest 5 Z3351S

With the exception of MediaTek-based phones from Vivo, Huawei/Honor (after Android 8.0+), OPPO (after Android 8.0+), and Samsung, XDA community members found that MediaTek-su works more often than not when attempted on devices with affected chipsets. According to XDA Member diplomatic, Vivo, Huawei/Honor, OPPO, and Samsung devices “use kernel modifications to deter root access via exploits,” which means the developer would need to dig into the kernel source code of these devices to create “tailored version[s]” of the exploit. That wasn’t worth the added effort, so the developer chose not to add support for these devices even though, “in theory,” the exploit could still work.

By now, it should be clear that this exploit affects a large number of devices on the market. MediaTek chips power hundreds of budget and mid-range smartphone models, cheap tablets, and off-brand set-top boxes, most of which are sold without the expectation of timely updates from the manufacturer. Many devices still affected by MediaTek-su are thus unlikely to get a fix for weeks or months after today’s disclosure, if they get one at all. So what makes MediaTek-su earn its “Critical” severity with a CVSS v3.0 score of 9.3?

Why MTK-su is a Critical Security Vulnerability

To reiterate, the typical way to achieve root access on an Android device is to first unlock the bootloader, which disables verification of the boot partition. Once the bootloader is unlocked, the user can introduce a superuser binary to the system and also a superuser management app to control which processes have access to root. Unlocking the bootloader is intentionally disabling one of the key security features on the device, which is why the user has to explicitly allow it to happen by typically enabling a toggle in Developer Options and then issuing an unlock command to the bootloader. With MediaTek-su, however, the user does not have to unlock the bootloader to get root access. Instead, all they have to do is copy a script to their device and execute it in shell. The user isn’t the only one that can do this, though. Any app on your phone can copy the MediaTek-su script to their private directory and then execute it to gain root access in shell. In fact, XDA Member diplomatic highlights this possibility in their forum thread when they suggest an alternative set of instructions using either the Terminal Emulator for Android app or Termux rather than ADB.

With root access, Android’s security model basically falls apart. For example, permissions become meaningless in the context of root as an app with access to a root shell can grant itself any permission it wants. Furthermore, with a root shell, the entirety of the data partition—including files stored in the typically inaccessible private data directories of applications—is accessible. An app with root can also silently install any other app it wants in the background and then grant them whatever permissions they need to violate your privacy. According to XDA Recognized Developer topjohnwu, a malicious app can even “inject code directly into Zygote by using ptrace,” which means a normal app on your device could be hijacked to do the bidding of the attacker. These examples only touch on a few ways that an app can violate your trust in the background without your knowledge. However, malicious apps can wreak havoc on your device without hiding what they’re doing. Ransomware, for example, is extremely potent with root access; if you don’t pay up, a hypothetical ransomware app could totally and irreversibly make your device inoperable by wiping the entire device clean.

The only “weakness” in MediaTek-su is that it grants an application just “temporary” root access, which means that a process loses superuser access after a device reboot. Furthermore, on devices running Android 6.0 Marshmallow and above, the presence of Verified Boot and dm-verity block modifications to read-only partitions like system and vendor. However, these two factors are mostly only hindrances to modders on our forums rather than malicious actors. To overcome the limitation of temporary root, a malicious app can simply re-run the MediaTek-su script on every boot. On the other hand, there’s little need to overcome dm-verity as permanent modifications to the system or vendor partitions are unlikely to interest most malware authors; after all, there are already tons of things a malicious app can do with a root shell.

If you’re wondering on a technical level what MediaTek-su is exploiting, MediaTek shared the below chart with us that summarizes the entry point. The flaw apparently exists in one of MediaTek’s Linux Kernel drivers called “CMDQ.” The description states that, “by executing IOCTL commands in [the] CMDQ device node,” a local attacker can “arbitrarily read/write physical memory, dump [the] kernel symbol table to the pre-allocated DMA buffer, [and] manipulate the DMA buffer to modify the kernel settings to disable SELinux and escalate to ‘root’ privilege.”

MediaTek-su vulnerability description

MediaTek’s Security Vulnerability Summary of CVE-2020-0069

According to the chart that MediaTek shared with us, this vulnerability affects MediaTek devices with Linux Kernel versions 3.18, 4.4, 4.9, or 4.14 running Android versions 7 Nougat, 8 Oreo, or 9 Pie. The vulnerability is not exploitable on MediaTek devices running Android 10, apparently, since “the access permission of CMDQ device nodes is also enforced by SELinux.” This mitigation likely comes from an update to MediaTek’s BSP rather than from Android itself. Android 10’s only mitigation for this vulnerability is its restriction on apps executing binaries in their home directory; however, as XDA Recognized Developer topjohnwu notes, a malicious app can simply run the MediaTek-su code in a dynamic library.

Even though MediaTek has patched this issue in all the affected chipsets, they can’t force device makers to implement the patches. MediaTek told us they had patches ready all the way back in May of 2019. Amazon, unsurprisingly, immediately patched the issue across its devices once they were made aware. However, 10 months have passed since MediaTek made a fix available to its partners, yet in March of 2020, dozens of OEMs haven’t fixed their devices. Most of the affected devices are on older Android releases with outdated Android Security Patch Levels (SPLs), and the update situation is even worse when you consider the hundreds of lesser-known device models using these MediaTek chips. MediaTek has a serious issue on its hands here, so they’ve turned to Google for help.

Unlike MediaTek, Google can force OEMs to update their devices through license agreements or program terms (such as Android One). For an OEM to declare that a device is in compliance with the 2020-03-05 Security Patch Level (SPL), the device must include all framework, Linux kernel, and applicable vendor driver fixes in the March 2020 Android Security Bulletin, which includes a fix for CVE-2020-0069, or MediaTek-su. (Google doesn’t actually seem to enforce that OEMs actually merge all patches when declaring a certain SPL, though.) Now that the March 2020 bulletin is out, this story should be over, right? Unfortunately, we have to also hold Google’s feet to the fire for dragging their feet on incorporating the patches.

The flaw in the security patch process

In case it isn’t clear already, not every security vulnerability needs to end up in an Android Security Bulletin. Many vulnerabilities are discovered and patched by vendors without them ever showing up in the monthly bulletin. MediaTek-su should have been one of them, but for multiple reasons, several OEMs failed to integrate the patches offered by MediaTek. (There are a lot of potential reasons why, ranging from a lack of resources to business decisions to a failure in communication.) When I previously stated that MediaTek “turned to Google” for help, it implied that MediaTek actively sought help from Google to get OEMs to finally fix their devices. However, that might not actually have been the case. It is my understanding that Google was unaware of MediaTek-su until it was incidentally brought up in a security report from TrendMicro published January 6th, 2020. In the report, TrendMicro was documenting another security vulnerability, dubbed the “use-after-free in binder driver” vulnerability, that was actively being exploited in the wild. TrendMicro noted how three malicious apps attained root access using one of two methods, either the “use-after-free in binder driver” vulnerability or MediaTek-su.

Alleged Play Store apps abusing MediaTek-su. Source: TrendMicro.

In the code that TrendMicro shared, we can clearly see how the malicious apps were targeting specific device models (eg. Nokia 3, OPPO F9, and Redmi 6A) and employing MediaTek-su on them.

I can’t speak for TrendMicro, but it seems that they were unaware that MediaTek-su was a yet-unpatched exploit. Their focus was on the “use-after-free in binder driver” exploit, after all, and the discovery of the use of MediaTek-su seems to have been an afterthought. (I’m sure that if TrendMicro were aware of the situation surrounding MediaTek-su, they would have coordinated their disclosure efforts with Google.) We were only made aware of this exploit ourselves on February 5th, 2020, and after investigating for ourselves how bad it was, we contacted Google about it on February 7th, 2020. Google was so concerned about the repercussions of publicizing MediaTek-su that they asked us to hold off on publishing this story until today. After considering the irreparable harm that can be inflicted on users targeted by malware using MediaTek-su, we agreed to put a hold on this story until the announcement of the March 2020 Android Security Bulletin. Still, considering how long it’ll take many devices to get the latest security update, if they ever get it at all, there is bound to be a ton of devices still vulnerable to MediaTek-su a few months from now. That should be horrifying to anyone with a vulnerable device.

Even though this very serious, “critical” severity vulnerability is actively being exploited in the wild, Google only slotted in the fix for this issue into the March 2020 bulletin, which is about 2 months after they were made aware of the issue. While Google does inform its Android partners about the latest Android Security Bulletin a full 30 days before the bulletin is made public (ie. OEMs were made aware of what’s in the March 2020 bulletin in early February 2020), Google can, and often does, update the bulletin with changes or new fixes. Why Google didn’t choose to expedite the inclusion of a patch for such a serious issue is beyond me, especially when MediaTek had a fix for it 10 months ago. If such a bug were discovered in Apple’s devices, I have little doubt they would have issued a fix much, much faster. Google essentially banked on the risky bet that MediaTek-su would remain as seemingly low-profile as it already was until the March 2020 bulletin. While Google seems to have gotten lucky in that regard, we have no idea how many malware authors already know about the exploit. After all, it’s been sitting in a random XDA forum thread for nearly a whole year.

There’s one more party in this debacle that I haven’t addressed much, and it’s the author of the exploit, XDA Member diplomatic. To their credit, I don’t think they had any malicious intent in publishing MediaTek-su. We can clearly trace the exploit’s origin to diplomatic’s desire to mod the Amazon Fire tablets. Diplomatic tells me that their “main motivation for searching for a method like this was to help the community.” Customizing your device is what XDA is all about, and diplomatic’s efforts in the community are what people enjoy about the forums. Although diplomatic’s refusal to open source the project raises some concerns, they explain that they wanted the community to enjoy this “amazing temp root for MediaTek” project for as long as possible. When I first contacted diplomatic, they did admit that they were involved in some kind of “business transaction with the project’s source and research” that they insisted was “all legit.” While I was unable to get more details about this “business transaction,” I do wonder if diplomatic would have chosen to go this route if MediaTek offered a bug bounty program. I can’t imagine that a vulnerability of this magnitude wouldn’t pay out a hefty sum of money if MediaTek actually had such a program. Diplomatic claims that this exploit “has been possible since the days of MT6580” which was announced near the end of 2015, so one has to wonder if diplomatic is even the first person to find this exploit.

How to check if you’re affected by MediaTek-su?

If you want to check whether your device is vulnerable to MediaTek-su, then manually run the script posted by XDA Member diplomatic in this XDA forum thread. If you enter a root shell (you’ll know when the symbol changes from $ to #), then you’ll know the exploit works. If it works, then you’ll need to wait for the manufacturer of your device to roll out an update that patches MediaTek-su. If your device reports the Security Patch Level of 2020-03-05, which is the latest March 2020 SPL, then it is almost certainly protected against MediaTek-su. Otherwise, you’ll have to just check whether your device is vulnerable.

The post Critical MediaTek rootkit affecting millions of Android devices has been out in the open for months appeared first on xda-developers.



from xda-developers https://ift.tt/38mcfON
via IFTTT
Publié par à Aucun commentaire:
Libellés : ,

[Update: Rolling out widely] Android 10 “Rules” automation feature rolls out to some Pixel devices

Update (3/2/20 @ 11:25 AM ET): The Android 10 “Rules” feature is finally rolling out more widely to Pixel devices.

Back in May, we discovered the first signs of a new feature in Android Q Beta 3, code-named “Routines”. Strings in the SettingsIntelligence APK showed that the feature would be presented to users as “Rules”, but it wasn’t live for any Pixel user. Rules are Google’s take on Bixby Routines, and much of the same functionality can also be found in Google Assistant Routines. In July, Mishaal was able to fully activate the feature on a Google Pixel 2 XL running Android Q Beta 5, but the feature still hadn’t rolled out. At that time, we thought that the feature would be shown off as part of the Google Pixel 4’s launch Android 10 software, as it was a bit too late for Google to add the feature in the first stable Android 10 release. However, the Pixel 4’s launch came and went last week, and we noted that Rules was not present on the launch software, which was strange as the feature had been in development for at least five months already.

Rules is an Android 10 feature that helps “automate changes that you regularly make in Settings,” according to Google. It doesn’t match dedicated automation apps such as Tasker and Automate by a long shot in terms of functionality, but it offers useful basic functionality, nonetheless. Google also isn’t the first to offer this feature in an Android phone as Samsung and LG also have similar phones in their custom user interfaces. Google’s Rules feature is specifically designed to let users change the sound mode to Ring, Vibrate, Silence, or Do Not Disturb when a) they either connect to a Wi-Fi network of their choice or b) they are near a location they have selected on a map. Users can silence the phone when reaching college, for instance, and then set it to the Ring mode as soon as they connect back to their home Wi-Fi network.

Now, Google appears to have started rolling out the “Rules” feature to a select group of Google Pixel users on Android 10. Reddit user /u/NeXt3D3 reported that he saw the new setting under the System tab of the Settings app on his Pixel 2 XL. Four other users in the Reddit thread have also reported getting the feature on their Pixels. For now, it doesn’t seem to be a widespread release as many users still haven’t received the feature yet – Google is, as expected, doing a staged rollout. Regardless, it’s good to see the functionality being separated from Google Assistant and offered as a standalone feature. It seems likely that Rules will be a Pixel-exclusive feature for now.

Via: /u/NeXt3D3

Update: Rolling out widely

After appearing to roll out late last year, Android 10’s “Rules” feature is now more widely available. First reported by Android Police, many people now have the Rules feature on their Pixel device. Several of us here at XDA also have the feature now. You can find Rules by going to the “System” section of the Settings or simply doing a search for “Rules” in the Settings. The feature is still not super powerful, but this shows Google is at least preparing it for more users.

The post [Update: Rolling out widely] Android 10 “Rules” automation feature rolls out to some Pixel devices appeared first on xda-developers.



from xda-developers https://ift.tt/2Bv2P5t
via IFTTT
Publié par à Aucun commentaire:
Libellés : ,

Huawei exploring IndusOS’s AppBazaar app store in India as a Google Play Store alternative

It is no secret that Huawei has been having a rough time dealing with the fallout from being placed on the U.S. Commerce Department’s Entity List. While their operations within China remain unaffected by this, their operations outside of China have been massively affected, especially in the smartphone market. The Entity List prevents U.S. companies from doing business with this Chinese company, which in turn prevents Google from licensing its Google Mobile Services and accompanying suite of apps to Huawei for new devices. Google has applied again for an exemption, but while that takes its own sweet time to get sorted, Huawei is in the market looking for options. And it may have settled on IndusOS’s AppBazaar for its app distribution needs in the Indian region, according to a report.

If the name IndusOS sounds vaguely familiar, you may have heard about them in connection with Indic support in app stores like the Samsung Galaxy App Store. Back in early 2019, Samsung had partnered with IndusOS’s AppBazaar to allow Samsung Galaxy users in India to browse apps in their native languages instead of just English. Currently, IndusOS’s AppBazaar app store has more than 400,000 regional apps in 12 local languages, namely Assamese, Bengali, Gujarati, Hindi, Kannada, Malayalam, Marathi, Odia, Punjabi, Tamil, Telugu, and Urdu.

According to a report from Economic Times, Huawei is looking to sign a deal with IndusOS to offer a curated Android app store on Huawei and Honor smartphones. The report suggests that the deal is within the context of the Indian market, but both the companies are exploring whether the partnership can be expanded globally. This does not mean that we will directly see AppBazaar being included on EMUI devices in India, but we can expect solutions employed within AppBazaar also be employed in other fashions on these devices.

Huawei faces the steep challenge of convincing average users to use its smartphones without Google apps, which also breaks down the entire chain of connected apps and APIs in other non-Google apps. Huawei does have its own AppGallery alternative for the Play Store, but since the company has approached an alternative app store for its business in India, one can presume that the store is not doing too well. Partnering with IndusOS might just be what Huawei needs to stay in the Indian and global market for longer. Though, it is still difficult to find convincing reasons to purchase a non-Google Huawei smartphone when hundreds of other options exist, even with Indic language support.

Source: Economic Times

The post Huawei exploring IndusOS’s AppBazaar app store in India as a Google Play Store alternative appeared first on xda-developers.



from xda-developers https://ift.tt/32Iqc8d
via IFTTT
Publié par à Aucun commentaire:
Libellés : ,

Prep to get your project management certification with this PMP training

From technology to finance, project managers are worshipped. Businesses need leaders, and they are willing to do whatever it takes to attract talent. As a result, top pros can take home up to six figures for their services. If you want to get into this lucrative niche, the Complete 2020 PMP Training Bundle should be your starting point. This learning library contains 150 hours of content, working towards key certifications. You can get it now for just $59.99 at the XDA Developers Depot.

There are many different ways to run a team. In order to keep everyone on the same page, most companies choose a framework. Popular examples include Six Sigma, Lean, and Agile. If you want to build a career as a project manager, you need to know these systems inside out.

As the name suggests, the Complete 2020 PMP Training Bundle helps you master every major framework. The bundle includes 10 different courses, each working towards a particular exam. 

The most important is probably the Project Management Professional (PMP) course. According to the Project Management Institute, people with this certification earn 22% more on average than those without. The bundle also helps prepare you to gain your Six Sigma Yellow and Green Belts, your Scrum Master title, and two ITIL certificates. 

The bundle includes lifetime access, so you can learn at your own pace. You also get access to extensive exam prep, along with real-world knowledge.

Worth $999 in total, the bundle is now just $59.99 for a limited time.

 
The Complete 2020 PMP Training Bundle – $59.99

See Deal

Prices subject to change 

The post Prep to get your project management certification with this PMP training appeared first on xda-developers.



from xda-developers https://ift.tt/2VEGL3I
via IFTTT
Publié par à Aucun commentaire:
Libellés : ,
Inscription à : Articles (Atom)