Twitter To Open Source Android Security Tech

itwbennett writes "Following last month's acquisition of Whisper Systems, Twitter is open sourcing 'some' of the company's Android security products. First up: TextSecure, a text messaging client that encrypts messages. Souce code is on GitHub now. 'Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent,' writes IDG News Service's Nancy Gohring."

Maybe it was required?

[migla]

Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent.

So, apparently whispersystems has to do with that Moxie Marlinspike character, who strikes me as someone who might have some open souring as a requisite for the acquisition?

Re:Maybe it was required?

[Anonymous Coward]

Q: Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?

A: (Moxie Marlinspike) Same reason most enterprise software vendors' products aren't OSS, harder to sell software that way. =)

So I guess you're saying he wanted it open since he no longer has to worry about selling it? If you are, that's part of what burns me about open source... so many are on the band wagon until it means that they're the ones producing software while not standing a great chance to profit from their work.
 
Not far from the "IP doesn't really exist crowd"... they're all too happy to take what they want and claim that artists can make money elsewhere yet few, if any, produce a quality product themselves and even less of them give it out 100% free.

Re:Maybe it was required?

[Anonymous Coward]

What about those like me? I release my software closed source, but after a short period I open source it under the AGPLv3 (A license that ensures the most end user freedoms, AFAICT).

Yeah, it's artificial scarcity, but I can't seem to get people to fund my development as the program is in progress, IN ADVANCE of the project actually being usable. This leaves me with the only option being to release it as closed source and charge for access after the program is complete. In 4 years I haven't yet drummed up enough donation support to fund development without a paywalled & closed source initial release. Now I use a "help free ProductX" progress bar indicating the amount of funds I require in order to fund the next iteration or program. When the gauge is full I open source the product.

Either by donation or paywall you're still paying only for the work I'm doing only once, not the act making infinitely reproducible copies. This is the hardest part to wrap your mind around I suppose. I only want to get paid when I'm doing work, or offering a service (that requires expenditure of time or money on my part). Traditional closed source software development only pays their devs when they work, but attempt to charge for every single copy.

Copying takes far less work than coding. Copies aren't scare. My work is scarce. I only want funding for my efforts. I need to have funding for my work because I'd like to continue doing it instead of digging ditches or busing tables.

The fallacy people like you fall into is the belief that people like me can actually release our products as 100% FLOSS software and still EAT. Closed and open sources can play in the same sandbox, in the same way that labor unions prove that Socialism and Capitalism can work together. At the end of the day, I want my users to have freedoms, but the truth is that most people don't put their money where their freely eating mouths are.

In the future, I may gain enough of a user base that the donations will be able to completely meet my financial prerequisites for the development... However, realize that I must bring in a bit MORE funding than merely enough to actually develop the product. I must have enough funding to have a bit of financial security. Else, I'm living "paycheck to paycheck" and risk one bad release causing me to end all development.

I call people like you software extremists. As any extremist you're likely immune to reason: Anything that's not white is 100% black. No Gray Allowed!!! Gray is THE DEVIL! (Failing to realize that the entire world is a beautiful place predominantly because it's made of many shades of many colors, including gray.)

You need a reality check: Absolutes are a rarity in nature, in fact, they don't exist naturally. To say FLOSS isn't about pushing an ulterior agenda is denialism; The same can be said of closed software.

Re:

[johny42]

What you described is one of the best methods to monetize open-source software that I have heard about. I'd like to see more, could you post a link?

I'll gladly contribute towards open-sourcing something, if there's anything I need!

Re:

[trawg]

This is a great model and I applaud it. I would much rather pay for software knowing that the end game is open source, rather than continually filling the coffers for the duration of a copyright period.

What software do you make; I would be interested in keeping an eye out?

This is really good news

[Mr_Plattz]

This makes a lot of sense. Twitter is and has always been a facilitator of open communication, particularly from censoring governments. This is just an extension of that.

I have always kept an eye on Whisper Systems and specifically TextSecure (and WhisperCore) but they never became really "usable". I would (and I think many people) love to be able to securely text message (or via iMessage or Facebook) knowing it's safely encrypted but still highly usable (similar to Pidgin + OTR).

Will they try to use this for corporate evil? Maybe. But at the same token WhisperSystems never had enough power/traction to develop what they really wanted and we (the people) needed.

Re:

[hyc]

On that topic, i guess it would be a really good idea to write an OTR plugin for the vanilla Android SMS app. Something for my todo list if it hasn't already been done. (PS, you can find my OTR plugin for Finch/libpurple here https://gitorious.org/purple-otr [gitorious.org] )

N9(xx)

[muckracer]

Here's to hoping for a MeeGo port...

And good job, Twitter. Somehow you're becoming far more sympathetic than that 'other' big social network player...

Re:

[AJH16]

While yes, TextSecure is similar in nature to PGP, it isn't the tech, so much as the interface, that makes it a great app. While I can agree with some of your objections to what Web 2.0 heralds as new and I believe there are legitimate questions about the wisdom of the direction we are going with technology, I think your rant may be misplaced here. TextSecure is a local Android SMS client that smoothly integrates key exchange and secure messaging with SMS so that the user doesn't have to concern themselve

Re:More "Web 2.0" crap that we had years ago?

[Gr8Apes]

The truly funny part is Web 2.0 is back to classic Client/Server programming, utilizing an HTML engine as the client. I believe that existed since the 60s with dumb terminals, but certainly no later than the early 80s with the current modern thick client/server model (think X11 and the like)

Regarding the open sourcing of the encryption code, generally self-written encryption routines are inadequate at best. If you're not leveraging one of the well vetted encryption libraries, odds are that your solution is weak and will only stand up to cursory inspection. Otherwise, you're using PGP, RSA, Blowfish, etc, and your code is merely a light wrapper around those libraries. (No, I did not review the code)

As for chat clients and the like connecting to each other with encryption, this has been around and open sourced a long time, one implementation is Off-the-Record [cypherpunks.ca]. And of course there's the PGP solution that has been around since the early 90s.

Re:

[Gr8Apes]

Apparently you haven't played with X11 at all if you think we're doing more now than in the 80s.

I distinctly recall using SGI machines to run PATRAN modeling software that was backed by a Cray YMP-16. If you think a little Web 2.0 app comes anywhere near the intricacy of visualizing stress results on a 300K 3D element model, you need to revisit what existed back in the late 80s. It might just shock you back into the future. (and no, it wasn't real time either, you submitted commands and went to get a cup of

Don't confuse Web 2.0 and HTML5

[F69631]

The truly funny part is Web 2.0 is back to classic Client/Server programming, utilizing an HTML engine as the client. I believe that existed since the 60s with dumb terminals, but certainly no later than the early 80s with the current modern thick client/server model (think X11 and the like)

It seems like you're talking about HTML5 (Creating websites with application-like user experience with combinations of the latest HTML, CSS and JS features) though you refer to it as Web 2.0.

Web 2.0 has nothing to do with user interface (though certain UI elements, such as types of glossy buttons, are often referred to as "Web 2.0 style" because they got popular in blogs, etc.). Web 2.0 refers to the change in how people view the internet and how the content is produced. Web 2.0 refers to the change from

Re:

[Gr8Apes]

The truly funny part is Web 2.0 is back to classic Client/Server programming, utilizing an HTML engine as the client. I believe that existed since the 60s with dumb terminals, but certainly no later than the early 80s with the current modern thick client/server model (think X11 and the like)

It seems like you're talking about HTML5 (Creating websites with application-like user experience with combinations of the latest HTML, CSS and JS features) though you refer to it as Web 2.0.

No, I'm not talking about HTML5 at all. Web 2.0 has everything to do with the the underlying communication architecture. It went from passive 1-way to interactive 2-way communication. This allows for interesting new functionality to be created and displayed in the UI. It has nothing to do with what you've listed there: blogs, youtube, /., etc. All of those are conceptually Web 1.0 products, although they may have some Web 2.0 niceties added on to enhance the user experience.

Google Docs would be a good examp

Re:

[Gr8Apes]

As I reread this post - I should also note that some refer to Web 2.0 as just the active components that hide/show pieces on the page and filling of controls with data on demand. What I'm calling Web 2.0 includes the interaction between the client and the server, which implies the active page controls but includes live connections and activity. 5 years ago, the company I was at marketed this as Web 3.0, although that never appeared to catch on. :) Essentially, we took the web to rich clients instead of rela

Re:

[burning-toast]

Practically EVERY WEEK, & for YEARS now? Yes - You see a NEW "security bug" turning up on ANDROID, a Linux variant!

[Citation Needed]

Yes, I know... Don't feed the trolls and all of that...

- Toast

Re:

[mSparks43]

CarrierIQ is not an android problem.

Re:

[mSparks43]

But CarrierIQ runs on the iPhone as well, and Nokias, so how is it an "Android problem"?

The old Razr mobiles could be used as remote listening devices.

APK in "computers can run software" shocker.

Re:

[mSparks43]

No
It doesn't run on my android phone.
But it does run on any phone its installed on.

Re:

[mSparks43]

Because my phone is Android, and it didn't come with CarrierIQ, and other peoples phones are not Android, and they do come with CarrierIQ so how can it be a android problem?

CarrierIQ is installed "on purpose" by the people who sell you the phone, its not the operating systems fault some people get their hardware from a dodgy vendor, and that vendor doesn't care what operating system you chose.

Not sure what a hosts file has to do with anything, but as you correctly point out, its less of a problem for androi

Re:

[mSparks43]

Saying
"CarrierIQ is an Android problem"
is a lot like saying
"Cars are a Suzuki problem"

Sorry but
Not all cars are Susuki's
like
Not all CarrierIQs are on Android

and
Not all Susuki's are cars
like
not all Androids have carrierIQ

and cars aren't that much of a problem
like
CarrierIQ is not that much of a problem

And plenty of Windows PC's come with CarrierIQ like stuff installed on them:
http://www.dailymail.co.uk/news/article-1383216/Rental-chain-Aarons-caught-spying-customers-home-taking-webcam-photos.html [dailymail.co.uk]

Re:

[mSparks43]

The point we seem to be labouring, is you seem to think vendors installing malware is a security issue.

security issues are ones in which problems arise after you get the device, outside of its intended use. Most of what you are posting is complaints about software doing what it was intended to do (albeit not what the user expected), That is something very different to say, switching your computer on and instantly getting infected with a virus, which has plagued windows for decades and has never been a probl

Re:

[mSparks43]

The minimum ones are:

DHCP Client
DNS Client
Plug & Play
Remote Procedure Call (RPC)

So you still had to rely on Linux to protect you from the Blaster worm then?

Also
"Nobody USES Linux nearly as much as Windows"

Simply isn't true. users may use windows, because that is what they are sold, but it terms of the computing they use they use linux far more, you, reading this, are probably using 1 windows machine, and rely on maybe upwards of 20 machines using some nix variant, before you get on to any of the other n

Re:

[mSparks43]

What gave you THAT idea?
Blaster worm infected anyone connected directly to the internet(i.e.not going through a router- which ussually runs linux)with RPC active

Sure it is that nearly NOBODY uses Linux (on PC's & Desktops especially vs. Windows)

http://en.wikipedia.org/wiki/Google_platform [wikipedia.org]
http://www.computerworld.com/s/article/9116787/Wikipedia_simplifies_IT_infrastructure_by_moving_to_one_Linux_vendor [computerworld.com]
http://www.linuxtoday.com/developer/2010072300835NWHESV [linuxtoday.com]
etc. etc.

I did even better in posting ones regard

Re:

[mSparks43]

_P.S.=> It's also funny how you "abandoned" your statements here requoted in my last post too:

http://news.slashdot.org/comments.pl?sid=2586024&cid=38502472 [slashdot.org]

About how YOU stated that I didn't post any DIRECT Linux kernel level errors in ANDROID, & how things can install via malwares on ANDROID WITHOUT USER INTERACTION, despite your stating otherwise - I did, & it "silenced you" on that account... lol
_
So google and facebook are "nobody"?
Now that's a real ROFL!!!

You're the one who brought up Wind

Re:

[mSparks43]

Also
London stock Exchange woes were not Linuxs fault!
http://www.zdnet.com/blog/open-source/london-stock-exchange-woes-not-linuxs-fault/8358 [zdnet.com]

yet more "OMG someone using linux has problems - blame linux" FUD.

Re:

[mSparks43]

Its pretty obvious why you want "no questions asked".

LSE served exploits from LSE's London Stock Exchange website

Thanks to 3rd party advertising code embedded in the old LSE website, no linux to blame there, just good old html.

LSE running on Linux going down 1st minutes on job @ LSE, & then again too a 2nd time.

Thanks to 3rd party windows machines not doing what they were supposed to.

Ooops, shoot. foot. self.

I guess next you'll be blaming some flood damage on operating system choice. I'm sure you can m

Re:

[mSparks43]

I did post a kernel level error security issue problem that's ANDROID has here ->

No you didn't, you posted a link to security issues which were:

Coverity said it will hold off releasing the details of the flaws until January to allow Google and handset vendors to issue fixes.

->fixed before they were exploited.

Yawn, must try harder.

Re:

[mSparks43]

Oh, and the CA's and were breached using good old brute force attacks on ftp and sql servers.

Again, not Linux specific issues.

Re:

[mSparks43]

Current information on that note I posted from this year (year end 2011) shows it's as vulnerable as any OS out there..

which "note"?
vulnerable to what?

Linux has never had anything like Blaster, Zeusbot or any of the other myriad of worms that infest Windows machines on a daily basis, despite Linux machines being much higher value targets and connected to the web 24/7.

Heck, I don't see how the internet could of happened if your average server was vulnerable to the infamous ping of death and the like, which i

Re:

[mSparks43]

This was the title of the article I used (says it all):
Serious Security Bugs Found In Android Kernel

You linked
http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel [slashdot.org]

which is a summary of
http://www.techweekeurope.co.uk/news/serious-security-bugs-found-in-android-kernel-11040 [techweekeurope.co.uk]
which says

Coverity said it will hold off releasing the details of the flaws until January to allow Google and handset vendors to issue fixes. The flaws could be patched via an over-the-air update, Co

Re:

[mSparks43]

Don't worry - after what I posted, folks KNOW Linux's security's weak!

You do realise you are posting on slashdot right?

There's only 1 Linux system running for every 95 or so that run Windows...

But every windows machine connects to at least 20 Linux machines a day, which is where your argument falls flat on its face.

I posted 64++ already

It's true you've posted lots of links to security firms fixing Android bugs before they were seen exploited in the wild. I'm still waiting for one that was found in the wild

Re:

[mSparks43]

The place where for YEARS penguins said "Linux = secure" & what I post shows it's ANYTHING but that? Sure, I do! You bet... lol!

Just checking

Linux users connect to many orders of magnitude MORE systems running Windows

Nope, because you can't run services on windows without loosing security. Which is why you wrote that post saying shut them all down. Remember.

http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/ ..proof-of-concept code...We've incorporated a fix

Fixed before exploited

http://

Re:

[mSparks43]

Sure you can: Ever heard of SFTP? Secure FTP in other words & even 3rd party tools can do it

ROFL
And you think Linux has a limited market share!

show me where I ever said ALL about Windows Services & shutting them ALL down...

here:

The only way to DO it, easily enough, and... yes, you can?

Is to go to security policies @ ALL levels (group & local) & block the services logon entities per service right off from logging on as 'service' or other possible entities, lol... Yes - it works, and windows

Re:

[mSparks43]

(just ones you determine you don't need)

I need all of them, else why would they be there?

if the systems I listed here that were breached here (any of the links I've been posting that dealt in ANDROID security issues

That's the point of
"APK in computers can run software shocker"

And on balance, so far they have all appear to be Apple paid up Fear, Uncertainty and Doubt (FUD). Designed to make people think being able to run their own software on computers is in some way a bad thing.

Take a lot more than "Chines

Re:

[mSparks43]

YOU cannot produce a quote of myself saying "turn off EVERY SERVICE", now can you?

Not sure where you're coming from now, you're twisting yourself in knots. Presumably because you recently realised how lame disabling services is as a solution to all the security problems in those services.

Obviously my "turn them all off" was my reference to this, not that you said to literally disable every windows service (although this is the only way to make windows secure, hence my earlier comment about windows being lit

Re:

[mSparks43]

I posted 72 links of problem

And, afaics, not one of them pertains to a critical security flaw in Android.

Which means Android is, to date, more secure than both windows phone and the iPhone (who both have, and have had, critical remote code vulnerabilities exploited in the wild before they were fixed).

Case closed, no questions asked.

Re:

[mSparks43]

ROFL
not 72 links of good or bad things.

72 links of FUD, which is less than DoD certification and your inability to find a single one pertaining to a critical security flaw.

Simples.

_
I'd like to thank you, been an interesting discussion, before this I just considered Android to be the best of a bad bunch, "least worst option" so to speak, But you managed to convince me I was overly critical, and that actually Android has a pretty flawless security history.

Shame the same can't be said for the alternatives.

Re:

[mSparks43]

Certainly don't min double checking Android is the most secure, good of you to collate them for anyone who happens accross this thread..

http://news.slashdot.org/comments.pl?sid=2586024&cid=38463414 [slashdot.org]

http://news.slashdot.org/comments.pl?sid=2586024&cid=38488282 [slashdot.org] [slashdot.org]

http://news.slashdot.org/comments.pl?sid=2586024&cid=38495050 [slashdot.org] [slashdot.org]

http://news.slashdot.org/comments.pl?sid=2586024&cid=38495800 [slashdot.org] [slashdot.org]

http://news.slashdot.org/comments.pl?sid=2586024&cid [slashdot.org]

Re:

[mSparks43]

the 84 links I posted certainly WERE NOT "GOOD THINGS" HAPPENING ON ANDROID

I completely agree.

They were just "things".

tell us MORE about "ping of death" & IIS, won't you?

Windows = Don't care

Re:

[mSparks43]

In what way were they "BAD"?

Seems to me, if anything, being able to install software on your phone is a fairly useful thing, but mostly its just something you would expect in this day an age.

Re:

[mSparks43]

If they chose to install software that does all that, whats the problem?

We've already established there are no known remote code vulnerabilities to let such things get on there by accident.

Unlike any of the alternatives.

Re:

[mSparks43]

You're right.

Windows has never even pretended it offered these permissions, guess that makes it much more secure.

Bless.

If only windows had sandboxing (you know, like linux and Android), at least then it wouldn't matter for windowz.

Re:

[mSparks43]

that's 3rd party & free too

lol.

Clutch at straws much?

Re:

[mSparks43]

And, btw, I know everything about windows I need to know.

My main day to day machine is a fedora installation, been on fedora since 2004, and has never been compromised.

My laptop is a win7 machine, and has had to be reset to factory settings 3 times since I got it a couple of years ago, after it got some nasty infection that I could find no trace of to remove (found via networking logs @ the gateway), despite generally doing nothing on it but reading a few word documents and browsing the net.

Tells me all I n

Re:

[mSparks43]

& the paragraph above tells me you don't know that much about how to "security-harden" Windows...

like I said before,
Windows = Don't care
Its more that I can't be arsed "security-hardening" it
i.e.
I need my USB ports
I need the CPU and HDD cycles antivirus would use
I like flash animations
I like porn
I read lots of full featured PDFs

You should try running your windows machine with no antivirus on it for a bit, admittedly it won't last very long (unlike linux, but then secretly you know linux

Re:

[mSparks43]

don't run javascript/java/plugins etc

but I use multiple plugins, and all the stock trading platforms I use run on javascript and java. Like I said "disable it" isn't a security answer, its a cop out for an insecure operating system.

Now, give me a read only OS, full featured, up to date, no activation, usb bootable installation of windows, like the linux live usb stick I carry round in my wallet for when I use other peoples machines (or just want to do something secure on the laptop), and we can talk.

Until t

Re:

[mSparks43]

" YEARS of safe" less secure than read only @ the hardware level.

sorry. but that "can't secure" will stand as long as you can't install windowz on a read only file system, and no amount of disabling insecure services, tweeking round the edges, installing 3rd party addons or handing resources over to AV software will ever match it.

Re:

[mSparks43]

* HOWEVER: I actually DO use a "read-only" environs to combat rootkits (Recovery Console from the Windows install media & its LIST, & DISABLE commands (along with FIXMBR))...

you do realize I was being serious about that "typewriter" comment don't you.

You have used:
http://fedoraproject.org/wiki/FedoraLiveCD [fedoraproject.org]

Stay as close to a normal desktop install wrt. features

or something similar?

Re:

[mSparks43]

Assuming we've given up on Android for now.

The point you were arguing against is
Linux is as secure as you make it (up to "impenetrable, read only)

you can't make windows secure (since it has no read only full desktop option).

you are talking about "cleans reliably", No need to clean a linux "live" install, because once configured to your liking, its impossible to write malicious software to it in the first place.

Why waste time trying to secure a substandard (not least due to no multiple desktops) OS, when a s

Re:

[mSparks43]

Windows PE can do what you state... http://en.wikipedia.org/wiki/Windows_Preinstallation_Environment [wikipedia.org]

For what you ask & is in my subject-line... however?

Why??

Like I said, I carry it round with me on a usb stick in my wallet, then if I need a "secure environment" on a machine I cannot vouch for just boot from that, truecrypt makes sure any persistent data is secure if I lose the stick. Linux live is not a "lightweight installation", its a full featured desktop environment (My fedora live stick has office

Re:

[mSparks43]

But that's the other big flaw in your comments.
"Android" isn't "Linux"
"Android" is closer to a (clean room) JVM built using GPL linux code for the HAL.

afaik all the malware you have posted have been attacking this JVM, not the nix code it runs on (which you need a "rooted" phone/tablet to access).

That malware authors target the largest audience should be no surprise to anyone, the question is how successful they are, and from looking through all those links you posted there hasn't been one incident relating

Re:

[mSparks43]

I posted a remote shell exploit gained

Absolutely not.

the only "bug" there was it didn't ask for internet permission.

It still ran isolated from all the phones file system (except SD card which is shared between apps, but still isolated from things like email, contacts, - anything personal - and any other apps installed on the phone)

Even the "most severe" problems you have posted still run in "userspace" they are all bugs in googles Dalvik VM, not the Linux basecode it runs in.

Re:

[mSparks43]

You do realise, these "84 bugs" still represent a higher level of application level security than a windows 7, or even (to some degree) a linux desktop installation?

There are no "application guid" permissions (that I am aware of) on either windows or linux desktops. Its all group and user level.

These "84 bugs", at worst, bring your phone to the level of security provided by a standard desktop install, for an app running with user level permissions.

Except windows desktops still have remote code exploits that

Re:

[mSparks43]

they are serious (especially when they involve folks' money, personal info., & even privacy being stolen or compromised).

OK,
So strip out all the "proof of concept" and other "fixed before exploited" audits by the likes of coverity, where users were never affected.
Drop any that involve CarrierIQ, since CarrierIQ is a problem with mobile phone carriers rather than anything to do with Android.

And how many are you actually left with?

Do any of them give permissions more powerful than can be achieved with an

Re:

[mSparks43]

Users that install fake (not needed) Antivirus from a chinese vendor, give it permission to send premium rate sms messages, deserve everything they get.

PICNIC.

Re:

[mSparks43]

http://mobile.slashdot.org/story/10/11/14/0115255/Android-Holes-Allow-Secret-Installation-of-Apps [slashdot.org]

What's special about the two vulnerabilities is that they can be exploited without an attack on Android's underlying Linux kernel and function in the userspace alone.

Yawn.

So still more secure than an IE BHO then.....

Re:

[mSparks43]

ANDROID though? Face it - Linux based or not, it's being exploited... & thus, it's NOT secure, & the other 86++ or so security issues I posted on ANDROID show that much... kernel level or not, the problems in security ARE there and yes, serious ones (money is the biggest)!

I completely disagree, I've not seen one link to a "serious" issue so far. Mildly annoying for complete morons yes, but nothing that would do any substantial damage to an android user. And mostly just behaviour outside of full appl

Re:

[mSparks43]

* If it happened to you I am certain you'd say it was serious.

"What" happens to me?

I install some software on my phone?

How is that serious?

Re:

[mSparks43]

Just stick with
http://f-droid.org/ [f-droid.org]
or some such.
and there is zero risk?

Re:

[mSparks43]

I still can't get my head around how you can think an OS hat exposes an informed sensible user who sticks with FOSS to zero risk can have "serious security flaws".

Re:

[mSparks43]

Yawn, not true.
https://www.vpnreactor.com/android_l2tp_ipsec.html [vpnreactor.com]

Re:

[mSparks43]

Its not "3rd party", its part of the standard install.

So you don't even have an Android phone then.

Re:

[mSparks43]

Folks lost money by it being stolen from them on ANDROID smartphones, & YOU SAID IT WASN'T SERIOUS? Please, that's *almost* as serious as it gets (only lives threatened is more serious)).... apk

No more due to an "Android security problem" than 401 scams are due to an "email security problem".

PICNIC = Problem In Chair Not In Computer

Re:

[mSparks43]

But its just not true, the link just tells you exactly which settings on a stock android installation to connect to a L2TP/IPSEC VPN, the link I gave is just for an encrypted VPN provider that supports Android.
I use it to connect to home, just checked and my router says the connection is:
( msparks ) L2TP
3DES-SHA1 Auth
Data is encrypted.

Which is great, because it lets me visit all the pron and whatnot on my phone (which are otherwise blocked on the 3G network), along with giving me full access to JANET on

Re:

[mSparks43]

If security issues of ANY kind happened on ANDROID? It's an ANDROID (thus, a Linux problem) problem.

Wow, that has to be the most feeble attempt at constructing an argument I have seen in a long time.

Firstly, we've already established none of your 90 odd links relate to hacked linux, all they show is despite significant effort by hackers to target Android users, they have not escaped Linux userspace, and the best they can do is bypass some additional permissions created by the Dalvik VM in applications the u

Re:

[mSparks43]

Take THAT up w/ the source then...

As I said elsewhere, it isn't missing built in IPSEC, its just that Cisco don't have a standards compliant VPN solution, and haven't released a 3rd party app to allow people invested in their hardware to connect to their routers over secure VPN.

Take it up with Cisco.

The reason WHY is most of us are waiting for the time they MATURE MORE on the SECURITY FRONT is why - I won't, because of THAT alone to be blunt about it.

You mean you/they are too poor to pay twice.

I can't imagi

Re:

[mSparks43]

It's like I told you - check that mp3 out about securing smartphones, & when the presenter asked HOW MANY OF THE AUDIENCE (mostly hacker/cracker - or - security types) HAD SMARTPHONES? It was a MINORITY... & I am telling you WHY - the tech isn't "security-mature" yet is why!

But as we've already established, securing an android phone really couldn't get any easier, and is no different than an ordinary phone.

Step 1. Don't install any new software on it (other than stuff you write yourself).

Which is wh

Re:

[mSparks43]

Although, in your case, I suspect it's more like "I won't get a smartphone cos mummy won't buy me one"

Re:

[mSparks43]

Once a Linux gets a "majority market-share" on ANY platform? It will be attacked & its security "vulnerabilities" on said platform exploited

Well, it was "attacked", and by the looks of your "90 links", with quite some furore.

But no one seems to of actually found a serious vulnerability yet, given despite your efforts you still haven't found a single vulnerability that can get past "Step 1:Don't install new software on it (other than ones you write yourself)".

I have to love the irony of the man sat on th

Re:

[mSparks43]

it appears that others agree with my sentiments & how/why/when/where/how

Confirmation bias.

Re:

[mSparks43]

ANDROID IS VULNERABLE TO SERIOUS ATTACKS & HAS BEEN THUS ATTACKED WHERE IT IS WEAK,

Which apparently is the user rather than the OS.

JUST LIKE WINDOWS HAS BEEN... period/fact!

ROFL
You still haven't explained why,

choosing to install software on a mobile phone that can:
Read contacts
Make phone calls
read emails
and send SMS messages
read documents
view webpages
and watch videos

In any way constitutes a "serious security vulnerability"

But to say this is "just like windows" (for all its remote code exploits)........

Re:

[mSparks43]

There WERE bugs found in the ANDROID kernel I posted about -> http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel [slashdot.org] [slashdot.org] as well as remote shell exploits STILL POSSIBLE -> http://tech.slashdot.org/story/11/12/21/0058235/gaining-a-remote-shell-on-android [slashdot.org] [slashdot.org]

But we've been through these two already.
The first is the results of a security audit (rather than 0day vulns) to secure the operating system, the second is not an "exploit" any more tha

Re:

[mSparks43]

another bad possible

Why is the ability to control a completed isolated sandbox on your phone (or someone who you allow) remotely "bad"?

"security harden" a Windows setup

Does a security hardened windows not allow a remote shell?

How do you manage it remotely?

Re:

[mSparks43]

You mean like when you "security harden" a Windows setup, like so -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&qs=ns&form=QBLH [bing.com] [bing.com]

Hang on, did you just say windows 2000 and XP isn't secure?

Re:

[mSparks43]

Because sandboxes get broken!

Why would you use a remote shell to break your own sandbox?

Re:

[mSparks43]

Why do you need to have a remote shell on a smartphone for?

I use one on the tablet so I can control it while its connected to the HDTV using my phone.

You also avoided answering IF there are security guides for security hardening ANDROID phones... well??

I doubt there are many articles about it, there is only really one thing you need do, which is only install software on it you trust to use your phone.

If only windows were that simple.

Re:

[mSparks43]

http://www.bing.com/search?q=%22Securing+ANDROID%22&go=&qs=ns&form=QBLH [bing.com]

ROFL.
Top link
Andriod FAQ.
Q.Is android secure
A. Yes,The security and privacy of our users' data is of primary importance to the Android Open Source Project. We are dedicated to building and maintaining one of the most secure mobile platforms available while still fulfilling our goal of opening the mobile device space to innovation and competition.

Re:

[mSparks43]

NOT ACCORDING TO 90++ links of security issues occurring on it I posted

Entirely subjective.
you see 90 odd links demonstrating insecurities.

Anyone who can afford decent consumer electronics and so owns an Android device sees 90 odd links that don't and won't affect them.

would be exposed as hiding behind security by obscurity for years now (because a 1.19% marketshare @ BEST/MOST on PC desktops where the "easy meat users" are the exploit them, it had none - wasn't worth attacking)

Exploiting a websever is a mu

Re:

[mSparks43]

Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

There are 0day ring0 exploits floating round for both windows desktops and linux installs (many more for windows though).

But you haven't posted one link to an android application escaping ring3, they are all privilege escalations within ring3

ergo Android security > windows and linux security.
ring0=critical
ring1/2=serious
ring3=minor

ergo, you have only pos

Re:

[mSparks43]

MILLIONS OF DOLLARS stolen

And they are still better off than if they bought an iPhone.

Even if it was true.

But my guess is your source is about as reliable as the morons who told you Android has no IPSEC.

Seem like you are getting a bit desperate now.