Android’s Leaky Sandbox | Tech Talk Today 35

An Android flaw from 2010 allows any app to break out of the Android sandbox. But is it really a threat in practice? We’ll dig in.

The Podcast patent troll takes it on the nose, and some highlights from the Gnome development conference this week.

Show Notes:

Android crypto blunder exposes users to highly privileged malware | Ars Technica

This is the issue in a nutshell.

The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.

The app simply needs to claim it's Adobe Flash, and it gets to break out of the sandbox.

The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.

Google’s Response to Ars

After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

The Reality of the Situation

First, a patch has been sent to OEMs and AOSP, but with Android’s abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed. This means two things.

First, that there are no applications in Google Play that exploit this issue. If you stick to Google Play, you’re safe from this issue, period. No ifs and buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.

A new Android design error discovered by Bluebox Security allows malicious apps to grab extensive control over a user’s device without asking for any special permissions at installation. The problem affects virtually all Android phones sold since 2010.

The vulnerability in the Android code that allows “Fake ID” was first noticed in the now dormant Adobe Flash integration, which had been present since 2010 and was only patched with the arrival of Android 4.4 KitKat earlier this year. The flaw is so deeply embedded in Android that it can affect all forks of the Android Open Source Project including Amazon’s Fire OS.

Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.
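As an added illustration (not code from the show notes or from any of the quoted articles), the Go program below models the flaw described above: a sandbox exception keyed on a certificate's issuer is handed to anything that merely names the trusted issuer, unless the leaf's signature is actually verified against the issuer's key. The vendor name, keys and certificates are constructed here as stand-ins; the real Android check keyed on Adobe's certificate.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Constructed stand-in for the vendor identity that unlocks a sandbox exception
// (assumption; the real Android check keyed on the Adobe Flash certificate).
const trustedIssuerCN = "Example Plugin Vendor"
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// tmpl builds a template; a CA template carries the BasicConstraints and certSign
// usage that CheckSignatureFrom demands of a parent certificate.
func tmpl(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: ca, BasicConstraintsValid: ca}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}
func mustCert(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}
// Scenario returns the trusted vendor cert, a leaf the vendor really signed, and a
// forged leaf that only names the vendor as issuer but is signed by an unrelated key.
func Scenario() (trusted, genuine, forged *x509.Certificate) {
	vendorKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	appKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	otherKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	vendorTmpl := tmpl(trustedIssuerCN, true)
	trusted = mustCert(vendorTmpl, vendorTmpl, &vendorKey.PublicKey, vendorKey)
	genuine = mustCert(tmpl("genuine-plugin", false), trusted, &appKey.PublicKey, vendorKey)
	// Parent is a bare name template: the vendor's Subject is copied into Issuer
	// while a key the vendor never controlled produces the signature.
	forged = mustCert(tmpl("fake-plugin", false), vendorTmpl, &otherKey.PublicKey, otherKey)
	return
}
// Vulnerable check modelling the described flaw: whoever claims the trusted issuer is privileged.
func PrivilegedByClaimedIssuer(leaf *x509.Certificate) bool { return leaf.Issuer.CommonName == trustedIssuerCN }
// Fixed check: the claim counts only if the leaf's signature verifies under the trusted issuer's key.
func PrivilegedByVerifiedIssuer(leaf, trusted *x509.Certificate) bool {
	return leaf.Issuer.CommonName == trusted.Subject.CommonName && leaf.CheckSignatureFrom(trusted) == nil
}
```

Both leaves pass the claimed-issuer check; only the genuine one survives the verified check, which is the difference the patch had to make.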

Podcasting patent troll: We tried to drop lawsuit against Adam Carolla | Ars Technica

In a statement released today, Personal Audio says that Carolla, who has raised more than $450,000 from fans to fight the case, is wasting their money on an unnecessary lawsuit. The company, which is a “patent troll” with no business other than lawsuits, has said Carolla just doesn’t care since his fans are paying his lawyers’ bills.

“Adam Carolla’s assertions that we would destroy podcasting were ludicrous on their face,” said Personal Audio CEO Brad Liddle. “But it generated sympathy from fans and ratings for his show.”

According to Personal Audio, they’ve lost interest in suing podcasters because the podcasters—even one of Adam Carolla’s size—just don’t make enough money for it to care.

“[Personal Audio] was under the impression that Carolla, the self-proclaimed largest podcaster in the world, as well as certain other podcasters, were making significant money from infringing Personal Audio’s patents,” stated the company. “After the parties completed discovery, however, it became clear this was not the case.”

Personal Audio also says it has a patent covering playlists.

Personal Audio has already dropped its lawsuits against two other podcasting defendants from the case (Togi Net and How Stuff Works) apparently without getting paid anything.

The patent company is charging ahead with its patent case against the big three television networks, CBS, NBC, and ABC. Personal Audio is trying to wring a royalty from those companies for releasing video “episodic content” over the Internet.

In response, Carolla sent Ars a statement saying he’ll continue to pursue counterclaims against Personal Audio, seeking to invalidate the patent “so that Personal Audio cannot sue other podcasters for infringement of US Patent 8,112,504.” Lotzi (Carolla’s company) has already “incurred hundreds of thousands of dollars in fees and expenses to defend itself” against the Personal Audio patents.

GUADEC 2014, Day Four: Hardware, New IDE for GNOME | Fedora Magazine

The fourth day of GUADEC was devoted to hardware and its interaction with desktop. The first talk was “Hardware Integration, The GNOME Way” by Bastien Nocera who has been a contributor to GNOME and Fedora for many years.

Performance Testing on Actual Hardware

Owen Taylor talked on continuous integration performance testing on actual hardware. According to Owen, continuous performance testing is very important. It helps find performance regressions more easily because the delta between the code tested last time and the code tested now is much smaller, thus there are much fewer commits to investigate.

He noted that desktop performance testing in VMs is not very useful which is why he has several physical machines that are connected to a controller which downloads new builds of GNOME Continuous and installs them on the connected machines. The testing can be controlled by GNOME Hardware Testing app Owen has created. And what is tested?

Here are currently used metrics:

  • time from boot to desktop
  • time redraw entire empty desktop
  • time to show overview
  • time to redraw overview with 5 windows
  • time to show application picker
  • time to draw frame from test application
  • time to start gedit.

Tests are scripted right in the shell (JavaScript) and events logged with timestamp. The results are uploaded to In the future, he’d like to have results in the graph linked to particular commits (tests are triggered after every commit), have more metrics (covering also features in apps), assemble more machines and various kinds of them (laptops, ARM devices,…).

Builder: a new IDE for GNOME

The last talk of the day was “Builder, a new IDE for GNOME” by Christian Hergert. Christian started the talk by clearly stating what Builder is not intended to be: a generic IDE (use Eclipse, Anjuta, MonoDevelop,… instead). And it most likely won’t support plugins. Builder should be an IDE specializing on GNOME development.

Here are some characteristics of Builder:

  • components are broken into services and services are contained in sub-processes,
  • uses basic autotools management,
  • source editor uses GtkSourceView,
  • has code highlighting, auto-completion,
  • cross-reference, change tracking,
  • snippets,
  • auto-formatting,
  • distraction free mode.
  • Vim/Emacs integration may be possible.
  • The UI designer will use Glade and integrate GTK+ Inspector.
  • Builder will also contain resource manager, simulator (something similar to Boxes, using OSTree), debugger, profiler, source control.

After naming all Builder’s characteristics Christian demoed a prototype.

For Later Reading Pick:


Hey guys at Jupiter Broadcasting. Just wanted to put a bit more info to you that I saw on Tech Talk Today about the Copyright Act that’s being brought into Australia. Someone mentioned that “Netflix could come in” and make some serious money. Netflix would be awesome if our Internet infrastructure wasn’t at a maximum of 12Mbps speeds (if you are lucky).

On a good day (and I’ve got some of the best net here) I get around 8Mbps down. Netflix wouldn’t be viable because it wouldn’t be available to even 30% of the country. We have Foxtel (like SKY / Cable) which is Premium Paid TV and costs a FORTUNE. It’s still not viable.

In regards to the Copyrighting, the Government also has it all wrong. The number one reason that I am always told by people I know as to why they pirate TV shows, movies and games, is that the pricing of this stuff over here is unbelievable. For instance, the box set of Star Trek: The Next Generation will cost you over US$250 if you convert the costs, depending if it’s on special / discount or not.

Either way, you guys were spot on. Keep up the great work, love the show, and a big shoutout from Australia! CRIKEY! (we don’t actually say that, so don’t get fooled by the stereotype). And no, I don’t have a pet Kangaroo (not anymore).
