Android popularity creating Linux problems

kevincott

Android Expert
My understanding is that Android is Linux based, so ...

Wondering how Android popularity will cause hackers/pharmers to create more Linux based malware and viruses?



Linux users have enjoyed the advantages of having an OS that is not widely adopted but it seems that is changing.


Not only Android phones, but tablets, game consoles (Ouya in development), stand-alone PCs ... there seems to be a craze right now. A relatively untapped market for molestation.
 
I believe you bring up an interesting point. But I think there may be more to the issue where it would more so affect android devices than linux PCs, but that is just an uneducated guess.
 
Lots of devices use the Linux kernel. Just having Linux as your OS isn't enough to compromise a machine. Most embedded devices, including Android, have few to no entry points for malware to get in, unlike general purpose computers. My Android phone keeps a popular brand malware scanner always loaded that would stop any exploits from making it onto the phone...if there were any. Keeping the setting to prevent installing software from places other than Google is a big help that requires no extra software.

Probably the biggest defense against Linux exploits is a large and widespread community of Linux users, software developers, pen testers and white hat crackers who find and fix Linux exploits on a daily basis. It's not uncommon for a patch to come out just hours after an exploit is found.

I can't speak for the Google/Android end of things. But it seems that the Android part has been pretty secure so far.

Time will tell how well the current system works. In the meantime, keep sharp, and don't install things that don't look right, like a 3rd party game called "Angry Angry Nerds". ;)
 
Linux not widely adopted? I think you'll find it's very widely adopted. A very high percentage of popular sites use it. Which is just for a start. A big but tough target.
 
I think Linux (PC) wise is much more stable and virus free because of its open nature and tight community. There are very smart, knowledgeable people who take care of problems in the Linux community, fixing gaps in security and other places where the code allows exploits. With Windows and Mac it is much more the illusion of cyber security (what you are really paying for). Problems and security holes are not widely discussed, shared and fixed by many people but only by the company itself.

With Linux based devices I believe it is totally different: since they are widely used, people will want to find exploits and get someone's personal information or other personal data. Motivation really comes from the wide use. Now that Android devices are locked and also not very accessible and fragmented with ROMs it is much easier to develop malware. Anyway hopefully the world would move toward a bit more open source with Android phones as they have done now and take the advantage of what Linux has really created.
 
> I think Linux (PC) wise is much more stable and virus free because of its open nature and tight community. There are very smart, knowledgeable people who take care of problems in the Linux community, fixing gaps in security and other places where the code allows exploits. With Windows and Mac it is much more the illusion of cyber security (what you are really paying for). Problems and security holes are not widely discussed, shared and fixed by many people but only by the company itself.
>
> With Linux based devices I believe it is totally different: since they are widely used, people will want to find exploits and get someone's personal information or other personal data. Motivation really comes from the wide use. Now that Android devices are locked and also not very accessible and fragmented with ROMs it is much easier to develop malware. Anyway hopefully the world would move toward a bit more open source with Android phones as they have done now and take the advantage of what Linux has really created.

you must not read the changelogs in linux updates you get ;)
why do you think there are so many patches to web-end softwares like apache and such, sploits are written faster than the devs can patch em, still more secure than crapdoze though. it all depends on the kernel..
 
> you must not read the changelogs in linux updates you get ;)
> why do you think there are so many patches to web-end softwares like apache and such, sploits are written faster than the devs can patch em, still more secure than crapdoze though. it all depends on the kernel..

Yeah, but apache is huge. It's all over the place, so it makes sense that it'll have more exploits written for it....
---
Now, as far as this bringing new attacks to linux, I'm not sure. It'll depend really. Will the attackers go for applications (buffer overflows for example) or will they go for the OS itself? Time will tell. ;D

But there are linux exploits, tons of them. And you could argue that the open nature of linux isn't always an advantage... instead of having to decompile the software - you can just take a gander through the source.

That being said, a quick look through msf shows over 650 windows exploits to less than 50 on linux ... granted, I am a month out of date.

---

I would still say that you're probably safer on a linux box than a windows box.

Wooo... netsec!
 
Buffer overflows are generally the result of lazy programming. If your buffer is (say) 512 bytes, you read in 512 bytes (count 'em) and stop, maybe returning an 'invalid argument' error message.
Most web SQL exploits could/should be prevented by PROPER validation of input.
E.g. Name field - check for length, can only contain upper/lower case alpha, hyphen and single quote.
(Yes, my son really is called 'Peter; select * from systables;')
Malformed URLs should be parsed and validated in a similar manner. Secure development practice should be standard practice.
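
An added example, not part of any post in this thread: the name-field allowlist described in the post above, written in Python with the standard-library `sqlite3` module. It goes one step beyond the post by pairing the check with a bound parameter, because the allowlist permits the single quote; `MAX_NAME_LEN`, the `people` table and the function names are assumptions.

```python
import re
import sqlite3

# Allowlist from the post: letters, hyphen and single quote, plus a length check.
# MAX_NAME_LEN is an assumed limit; the post gives no number.
MAX_NAME_LEN = 64
NAME_RE = re.compile(r"[A-Za-z'-]+")


def validate_name(name: str) -> bool:
    """Return True only if the whole string matches the allowlist."""
    return 0 < len(name) <= MAX_NAME_LEN and NAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT NOT NULL)")
    return conn


def insert_concat(conn, name):
    """'Before' version: builds the statement by string concatenation."""
    conn.execute("INSERT INTO people (name) VALUES ('" + name + "')")


def insert_bound(conn, name):
    """Hardened version: validate, then pass the value as a bound parameter."""
    if not validate_name(name):
        raise ValueError("invalid name")
    conn.execute("INSERT INTO people (name) VALUES (?)", (name,))


def demo():
    conn = make_db()
    results = {}
    # The post's example string is rejected by the allowlist (space, ';', '*').
    results["rejected"] = not validate_name("Peter; select * from systables;")
    # A legitimate name with the permitted single quote passes validation
    # but still breaks the concatenated statement.
    try:
        insert_concat(conn, "O'Brien")
        results["concat_ok"] = True
    except sqlite3.OperationalError:
        results["concat_ok"] = False
    insert_bound(conn, "O'Brien")
    results["stored"] = [r[0] for r in conn.execute("SELECT name FROM people")]
    return results
```
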
 
> Buffer overflows are generally the result of lazy programming. If your buffer is (say) 512 bytes, you read in 512 bytes (count 'em) and stop, maybe returning an 'invalid argument' error message.
> Most web SQL exploits could/should be prevented by PROPER validation of input.
> E.g. Name field - check for length, can only contain upper/lower case alpha, hyphen and single quote.
> (Yes, my son really is called 'Peter; select * from systables;')
> Malformed URLs should be parsed and validated in a similar manner. Secure development practice should be standard practice.

I actually had a programmer tell me that it's not worth his time to write good code. His excuse was that it's the job of the next guy down the line to clean up his mess. Unfortunately this sentiment is one I hear more often than not. It's sad when people don't strive for excellence, or at least take pride in their work. No wonder most of the software products that I use were coded by German or ex-Soviet programmers.
 
I wonder if Android will ever get to a point where it's mostly 'untouchable' by viruses like full blown computer OS based on unix (mac, ubuntu....)? It seems a bit odd that we don't get root permission out of the box, but still are unsure about installing apps because the permissions descriptions are a bit vague? It's like unhooking the latch of the door to let someone in, but we don't have the actual keys.... :confused: .
 
There's more to this than just viruses. Malware continues to be a concern, more so on a phone. At least your desktop can't be made (at least these days) to make calls to expensive numbers just to pacify the bad guys and keep the change rolling in.

It's a mistake to think that Unix based OS's are invulnerable to malware. The bigger the target the more likely it is for black hat hackers to try and exploit it.

Never think anything is secure - I once had the pleasure many years ago of being tasked to find exploits in the military grade version of HP-UX (9.08BLS). We found several. Granted this was 15 odd years ago (gawd, that makes me feel old) but the point still stands. That was the thing with BLS - I ended up having an account more powerful than the root account was...
 
> I wonder if Android will ever get to a point where it's mostly 'untouchable' by viruses like full blown computer OS based on unix (mac, ubuntu....)? It seems a bit odd that we don't get root permission out of the box, but still are unsure about installing apps because the permissions descriptions are a bit vague? It's like unhooking the latch of the door to let someone in, but we don't have the actual keys.... :confused: .

Android always has been at the point where it has a "full blown computer OS based on unix [sic]". That OS is called Linux. Ubuntu is a Linux distribution.

FYI Mac OSX is not based on the original AT&T UNIX
 
The most common exploit these days occurs within virtual environments (like Java) running inside web browsers and other applications programs.
:D

Java is just easy pickings. Not only does it make almost every web browser vulnerable to tons of sploits, one of their DLL files makes ROPs available in like, 20 some lines of code.... :rolleyes:

... and it's a dll file that is used all over the place.... :eek:
 
> :D
>
> Java is just easy pickings. Not only does it make almost every web browser vulnerable to tons of sploits, one of their DLL files makes ROPs available in like, 20 some lines of code.... :rolleyes:
>
> ... and it's a dll file that is used all over the place.... :eek:

Think the best thing to do with Java, if you're not using it is to remove it.

On my PCs with Chrome, if there's some website with Java, it goes something like "This page has Java, do you wish to run it?" Usually the answer is NO.
 
linux was DOA on arrival for the general public.

no matter how fancy they make a windows like GUI, it still takes a lot of effort to get things set up right.

And it's been too long to make any sort of change in the gen public eye.

It's only for the tech savvy and rightfully so, keep it in the PC rooms running the back end stuff, let the gen public dummies use windows.
 
I can put two non techie people in a room together (same hardware) and give one a Windows disc and the other a Linux disc and let's see who gets up & running first. I would bet it would be the Linux user.
 
> Think the best thing to do with Java, if you're not using it is to remove it.
>
> On my PCs with Chrome, if there's some website with Java, it goes something like "This page has Java, do you wish to run it?" Usually the answer is NO.

Hahha. True. I can't remember the last time I felt the need to use Java on a website... ??? :D

> linux was DOA on arrival for the general public.
>
> no matter how fancy they make a windows like GUI, it still takes a lot of effort to get things set up right.
>
> And it's been too long to make any sort of change in the gen public eye.
>
> It's only for the tech savvy and rightfully so, keep it in the PC rooms running the back end stuff, let the gen public dummies use windows.

I don't know.... maybe a while ago. But linux is getting so user friendly now. My mom was having tons of issues with Vista on her computer, so much so that it would only boot every few times. I looked around online for a while trying to find a solution. Popped in Ubuntu and that was that. Got her set up with software that replaces anything that she'd been using... But it probably does come down to the person.

I think the reason linux won't likely catch on is that it's not installed by default at best buy. ;) You can't buy it at best buy.... It's all about availability and know-about. The general population doesn't know about linux. And it's kind of confusing, there are tons of linux distros to choose from. :eek:

> I can put two non techie people in a room together (same hardware) and give one a Windows disc and the other a Linux disc and let's see who gets up & running first. I would bet it would be the Linux user.

Installation is a Linux win. Especially in the 2008 era. I installed XP on my laptop around that time. So many little things to watch out for. Something I wouldn't trust a non-techie to do. But with the 2008 ubuntu (I wanna say 8.04) it was easy. The only tricky part would be partitioning, and it had that awesome auto-partition feature that'd take care of everything.

Different strokes for different folks I suppose. :)
 
I don't know anything about Java so what are the alternatives to using it if I delete it? I get these requests for Java updates on occasion. Should I install the updates? WTF does Java do anyway?
 
> WTF does Java do anyway?

It gives programmers headaches. That's about it.

It used to be used all the time, as it was the go-to language for coding cool stuff into web pages. Since then, the HTML standard (now on HTML5) as well as other coding languages have superseded it.
 
Where does this idea come from that Java is insecure? Try Googling "is Java secure?" instead of listening to and regurgitating old wives' tales. There are no buffer overruns or similar weaknesses to exploit and the runtime engine checks pretty well everything to maintain its integrity. This slows things down but I'd rather go for reliability than speed; I can always buy a faster computer.

The trouble is, 90% or more of malware relies on user stupidity. Promise nude pictures of Russian tennis players and people will download and install anything without asking questions. The operating system is irrelevant.

As for Linux, there are two main reasons it doesn't get attacked at a system level. First, it has proper file permissions (unlike Windows, which promised it years ago then failed to deliver). Second, users run in user space with no access to the system. Windows is getting better but many people still give themselves permanent administrator permissions because it's not easy to do it temporarily (the Linux way) when you want to install something. It's like leaving your house key under the doormat or your car keys on the sun visor.
 
The "zero day" exploit allows an attacker to deliver a Trojan to Windows, though "there is little indication of a successful exploit of this vulnerability". The advice is to disable Java "in your browser" until a patch is released (October). This means that as an application language there is little to fear, so Android users can sleep easily.

The gripe I do agree with is the time it takes Oracle to get round to issuing patches. And it's unfortunate that there are so many Windows trojans in the first place, without which there'd be nothing for the zero day exploit to deliver. Anyone who is truly concerned about security should ditch Windows.

BTW, the main use for Java - apart from Android - is in servers and big commercial systems, where it enjoys an enviable reputation for reliability. Nothing else comes close.
 
> Where does this idea come from that Java is insecure? Try Googling "is Java secure?" instead of listening to and regurgitating old wives' tales. There are no buffer overruns or similar weaknesses to exploit and the runtime engine checks pretty well everything to maintain its integrity. This slows things down but I'd rather go for reliability than speed; I can always buy a faster computer.

When's the last time you heard an old wife talking about java ;) :D
I think the idea of java being insecure comes from security researchers finding ROP chains in java dlls that allow for universal ASLR & DEP bypasses. :eek: So when an application opens up, and needs this particular dll file for whatever reason, an attacker can just send bad data your way and get into the box.

As far as java is concerned in regards to android, I think time will tell. I was reading this post a while back where someone was claiming to have a 0day on an android device. When they realized that's worth some serious $$$, they stopped talking about it. Didn't mention what they did, what app it was for or anything. If I recall correctly, each android application is sandboxed from another, which would help in terms of security. Though, I'm sure some exploit writer is out there working on a way to abuse our devices. :(

I do have sources for the ROP chain mentioned above, but I'm going to err on the side of caution with posting links on this topic... ;) I don't recall where I was reading that android 0day post from... *shrugs*

> The trouble is, 90% or more of malware relies on user stupidity. Promise nude pictures of Russian tennis players and people will download and install anything without asking questions. The operating system is irrelevant.

nekkid pictures?! where!? ;) Yeah. People are the biggest threat to a security policy.

> As for Linux, there are two main reasons it doesn't get attacked at a system level. First, it has proper file permissions (unlike Windows, which promised it years ago then failed to deliver). Second, users run in user space with no access to the system. Windows is getting better but many people still give themselves permanent administrator permissions because it's not easy to do it temporarily (the Linux way) when you want to install something. It's like leaving your house key under the doormat or your car keys on the sun visor.

Agreed (or maybe like leaving the key in the doorknob :eek: ). ;)
 