
Google has thrown Android users under the bus

Opera Mini is OK, that doesn't use WebView.

Boat browser = vulnerable

Think it's any browser that's using the built-in WebView and is JB 4.3 or older. Just about all the free Chinese browsers like Boat, Dolphin, UC, Baidu, etc. do use it.
 
Neither browser caused a pop-up, so I assume that means not vulnerable
Exactly. Excellent.

A lot of people accelerate mobile browsing by using a central server - Opera and UC Browser are the best known examples.

Can you try with either of those, set for accelerated mobile browsing? UC calls it Cloud Boost.

EDIT - stupid cache, I missed that Mike confirmed Opera is ok.

Still curious about UC though, don't think that Chinese is an issue.
 
UC = no popup with Cloud Boost enabled

Opera = no popup (although I did not enable a 'central server' option... I did not see one)
 
OK, exactly as I expected from UC - despite it being a WebKit browser.

And for many budget users, cloud accelerating browsers - that save mobile data costs - that's an attractive option over stock.

Once again, we begin to see what happens when you strip away the sensationalism - this bus that "everyone" is being thrown under - is getting smaller and slower.

And Google - who's done nothing about the problem, because oh my god a patch is the only solution - has in fact provided an entire browser without the problem.

Along with other devs with immune browsers, I say bravo.

Article says that Safari 5 is vulnerable.

Anyone with an iDevice to run the test on?

I ask because - http://www.netmarketshare.com/browser-market-share.aspx?qprid=1&qpcustomb=1
 
OK, many thanks, also what I expected.

So Google is throwing Android users under the bus.

Except it's not a problem if you browse with -

Chrome

Firefox

Opera

Dolphin

UC Browser (with Cloud Boost on)


You still have to worry about apps using WebView. Carrier bloatware does. Anyway, what did Froyo teach us - you don't need a per-service WebView app for everything like iOS - your browser works.

Now, use a safe one if you're worried about this problem, the top choices are - boom - done - the bus breaks down.
 
Why make excuses for Google?

What a pain in the ass this is to have to search forums to find a web browser that is not vulnerable... or for a fix for some other problem not dealt with by Google.

And getting a safe web browser for your pre-4.3 device is still not enough. That just takes care of your web browsing. If I read that article correctly, any app that uses WebView is vulnerable including the Facebook app. What other apps using WebView are vulnerable and how do you deal with it?

The problem is that the whole Google-Android OS-OEM hardware-service provider-software app developer ecosystem is fragmented. As the article says, "updates are a crapshoot". I like to borrow a phrase from Forrest Gump: Android is like a box of chocolates, you never know what you are going to get.

We all should criticize Google. Hold their feet to the fire to do a better job supporting their Android devices. If not, the 4.4 devices of today will quickly become the 4.3 devices of tomorrow. I can see migration to Apple which supports their products (we use both; we have a 3 year old iPad 3 which is running up to date iOS 8.1.2 no problems and with 15 hours battery life!) OR to Chinese branded Android devices which are way cheaper with very good specs. At least with the latter, if it becomes obsolete with lack of support, I can afford to buy the newest replacement.
 
Do you own a Google device or a variant made by an OEM?

Why single out one of them?

Righteous indignation is a great thing.

It empowers you to say that I shouldn't make excuses for Google.

Who in the hell do you think that you are?

I didn't make any excuses for Google, I attacked the press for not giving you the information that you need and together with a few buds, tracked down a solution.

Really sorry that you had to come to a forum where you could get the answer. The whole answer because you'll actually be able to live without the Facebook app.

Instead of, hey thanks for working on this for me, I have to listen to your bs accusations?


Ever heard the saying, if you're not part of the solution, you're part of the problem?

Well pal, you ain't part of the solution.

Hope you're happy! :)

PS - I noticed in your defense of Apple, you didn't follow that up with the test results I asked for.
 
The Nexus 2012 is also about 3yo and is running the latest Lollipop version of Android. Sure there were glitches on the first release but 5.0.2 has fixed that. So yeah, your iPad argument is invalid.

We're not making excuses. We're saying they're not to blame, because well they fixed it with 4.4 and up. As for support, well my Note 2 has already been announced to get Lollipop, and it's about 2 and a half years old. That iOS argument is a crapshoot. Android flagship devices get 2-3 years of support mostly, and the only devices not getting timely updates are those that are carrier bound, or not flagship devices. Both of which aren't Google's responsibility.

I really can't see how it is that Google is to blame here.
 
Google, the OEMs, Apple and Microsoft are all to blame.

Of course the real blame belongs on a system that allows cyber crime to flourish without punishment - but makers have to take responsibility too.

We're all still vulnerable.

Including the Holy iDevices.

No one can prove that now, all vulnerabilities everywhere are fixed - that would be stupid. Forever stupid.

And the Verizon Galaxy Nexus was abandoned - it can't get 4.4 officially.

The real point here is really simple - if you have an Android with this vulnerability, there are options today that will protect you.

Free, no waiting.

Just as the article from FIVE MONTHS ago said - use Firefox or Chrome.

I remembered it. I care about security, it affects me personally, so I take the time to read up.

But wait almost half of a year, throw some flame bait around and boom, it's Apple vs Android all over again.

Because God forbid you should pay attention, take responsibility, and get an app for this.

Not when there's all this great rage to vent.

Thank God we have the insane bullshit called Apple vs Android.

Now - someone tell me if the latest iOS and Safari has the problem or not, I would appreciate it. I know people who would need to know if they still have this problem or if Apple has fixed it now.
 
Now this is interesting.

HTC Evo 3D, Gingerbread, stock browser - safe.

So is Boat Browser on that old phone.

And I know for a certain fact that the 3vo / Gingerbread is very much the plain WebView / WebKit of its day.

What does this tell us?

OK - simple.

The claim that this vulnerability has existed in all of Android all along is FALSE.

It was introduced after Gingerbread some time.


This just in - the sky, as reported by the sensationalist press, is still not falling for everyone.

Now I'd love to see someone with ICS chime in. Would be interesting to narrow down when the problem started.

And I don't know how they do it, but I've seen the stock Samsung browser render differently than anything else. Let's see a stock Samsung test result from someone.
 
Pale Moon is a clone of FX - Windows users prefer it since it doesn't use Australis like FX and you don't have to put in an extension for tool bars. Mozilla 5.0

I just tried Pale Moon and FX. Very annoying to try and get them to look like Boat with a tool bar. Neither one has a home button, you have to install an extension. I started browsing with Netscape and I prefer the toolbars.

Think I'll look at Dolphin - just tried it. That wanting to sync everything to cloud is a pain. At least you can find the home icon.
 
About plain language - using the site you posted, and seeing all the browser tests would have been helpful from the get-go instead of just explaining how the exploit works. This posting has become a lot more informative and helpful.
 
I have a Samsung Galaxy Tab 7 running 4.1.2 and I use Boat Browser.

I have an LG phone running 2.3.5 but I only use it for talk and text.

Sorry that you are upset by my comments. But as one of millions of affected Android users, it bothers me when these issues arise. And without notice or warning from Google or OEM.

The Android OS/Ecosystem starts at the top with Google. Google should take responsibility and deal with the fragmentation issue. I have been posting and telling friends for years, if you are going to buy an Android device, stick with a Nexus. With any other Android brand, you cannot trust that the device will be supported. Otherwise when problems arise, you have to go on the internet and try to test or fix, device by device, app by app, or in this case, browser by browser.

BTW, I tested the iPad 3 iOS 8.1.2 on the csc.cyberoam site. I pushed "test app", but nothing happens. Does that mean the iPad is not vulnerable or that the test does not work on the iPad?
 
Google should take responsibility and deal with the fragmentation issue.

They have. Some silent system updates to Google services framework, the play store, gmail and G+ have started the ball rolling to pull out a lot of these services where they can be updated through the play store and no longer have to be baked into the ROM. Even the web services now can be updated through play, taking a lot of this out of the hands of the manufacturers and carriers. And it's version neutral for the most part. When the service updates in play, ALL android versions (that are currently supported) get it at the same time.
 
I don't see how Google can "deal with" fragmentation if by fragmentation you mean manufacturers or carriers making their own choices of which devices they will update. If Google allowed nobody else to make an android device (the Apple model) then yes, but then you would have Nexus or nothing.

As for lack of notice, can you name an OS vendor who is more open about vulnerabilities? Linux fans can take a bow now, but MS and especially Apple cling strongly to "security through obscurity", so the user is the last person to find out what vulnerabilities the vendors are aware of. Not being a Google apologist here, just saying that you shouldn't trust any of the big players to warn you of vulnerabilities.
 
The Android OS/Ecosystem starts at the top with Google. Google should take responsibility and deal with the fragmentation issue. I have been posting and telling friends for years, if you are going to buy an Android device, stick with a Nexus. With any other Android brand, you cannot trust that the device will be supported.

LOL WUT.

DON'T TRUST GOOGLE BECAUSE THEY AREN'T UPDATING THEIR PHONES.

and in the same paragraph

BUY ONLY A NEXUS BECAUSE ONLY GOOGLE IS UPDATING THEIR PHONES.

Make up your damn mind and stop with the sensationalism.

Google writes Android OS. It makes the OS open source and tells the OEMs that they are free to take it and do as they will. The onus is on the OEMs who receive free open source software to make sure it is suitable for their product. Be angry at Samsung. Be angry at LG. Whine at HTC or Sony. Because it's the assholes at these companies that decide whether or not your phone gets updates. Google does not own the OEMs. They can't make them provide updates. And you know what would happen if Google tried to force Samsung to update their phones? Tizen. Tizen would happen.
 
Lunatic and Hadron:

Google IS STARTING to deal with the fragmentation problem. IMO, that is a good thing. The irony is that by taking back more control from the manufacturers and service providers, Google is becoming more like Apple over time.

What I like about Apple is their support, even if it is "security through obscurity". They still support the very old iPad 2. When a problem arises (yes, many issues do arise), I have confidence that they will work on a solution and make it available. On these very technical issues, I may not know how it works, but I just want it to work.

In this case, I had to read about this vulnerability in the news and that Google is not going to do anything about it for me. Google has all my info, my email, the type of device and OS. Millions of users not on Android Forums living in ignorance with a security vulnerability.

Why not let us know? If there is a safety issue with your car, the manufacturer should warn or recall. If we are warned, we can stop using the device, find an alternative or buy a new one. But if we are left in the dark and lose valuable personal info or suffer economic loss, who will be responsible? Or from now on, stipulate that non-Nexus devices should stick a warning on the box, like on cigarette packages: "This Android device may not receive full support or updates like a Nexus". That is the truth.

I'm not an Apple fanboy. I use both Android and Apple depending on the situation or how I feel. There are pros and cons to both... I drive a convertible in the summer and an SUV in the winter, etc.
 
In this case, I had to read about this vulnerability in the news and that Google is not going to do anything about it for me. Google has all my info, my email, the type of device and OS. Millions of users not on Android Forums living in ignorance with a security vulnerability.

Google's policy is to notify the developers/manufacturers of any discovered vulnerability 90 days before making it public so they have a chance to patch it. That's what all the Microsoft Brouhaha was about ... Microsoft took 92 days to patch it and they accused Google of throwing their customers under the bus by releasing the information 2 days before the patch was released.

As for not notifying the public, it's to keep that out of sight of the bad guys, too. Many times these vulnerabilities are discovered by legitimate developers and fixed before any harm is done.

And Google DID put out a fix. It's called Android 4.4. If your phone would support it and you don't have it, cry foul to the carriers and manufacturers for keeping the fix in their pockets. If they don't want to do R&D for the updates, they could still write their own patch. Google has even said if someone else does that, they'll gladly distribute it. You'd still need the carriers and mfg's to push it out though.

Short of Google sending out reps to personally root and rom your phone, I'm not sure what you expect them to do?
 