Rick's b.log - 2012/09/26 |
mailto:
blog -at- heyrick -dot- eu
Major Android fail - directly actioning 'tel:' URIs
If you have an Android phone, you NEED to read this.
First - here's a typical gutter press take on tech subjects:
This issue...
It's a vulnerability which is, on the face of it, fairly innocuous, but thanks to some super cluelessness and ass-backward lack of forethought, can be used to cause serious damage to your phone.
Well, not actual physical harm (as far as I'm aware), but you might feel that resetting your phone to factory default and chucking away all of your personal data held on the phone (irretrievably) might qualify as a sort of damage.
The flaw was first reported with the Samsung Galaxy S III, but I can also confirm that the flaw exists with my phone, the SonyEricsson Xperia Mini Pro.
Before I go into details, here's a simple test.
Click the link above, and you should not see your phone's IMEI number appear on the screen. If it does appear, your phone is vulnerable.
(don't trust me? view the page source!)

What is going on
If you look at the URL of this web page, you will see it starts with http: which means, basically, it's a webpage. There are all manner of other protocols, some that can be supported by your browser (such as ftp:) and some which require other programs to work (such as telnet:). Then there's the final category for links that the browser isn't able to handle directly but knows something that can, the usual candidate here is the mailto: link for emails.
In the era of mobile telecommunications, it became a good idea to add a tel: link so websites could hyperlink telephone numbers for ease of contacting. You know, it's a bit silly if you have an internet link running at megabits/sec in your pocket, but you need to scrabble around looking for a piece of paper just to write down a number to then tap into the phone. Why not... you know...
And so the tel: link had a ready-made purpose.

Why this is a problem
This is a problem because, frankly, Android's stock dialler is stupid. Given a telephone number, it will commence dialling it.
Maybe it is working on the theory of "all users are morons"? Maybe it is working on the theory of "all users are lazy morons"? I don't know. But it would have made a lot more sense if the dialler appeared, and then waited for you to tap on the connect button.
Really, if you get a link to *#06#, you should see this:
You should only see this after permitting the connection:
Because this dial-automatically behaviour carries with it some... shall we say... implications.
Consider if the link above had claimed to be your IMEI but was in fact a premium rate number that'll hit you for €1,50 per connect?

But it gets worse
Or how about this:
There are a number of secret codes hidden within Android. One of the more popular is this:
That spells "INFO" on the phone-pad, so leads to a menu giving extra information/statistics on the phone.
Do NOT alter anything in the "Phone information menu", you could seriously muck up your phone's ability to connect to mobile networks.
If you are using a SonyEricsson Xperia Mini Pro (might work for other models?), then you can also try:
Again, if you see options to alter stuff, best leave 'em be.
But then there are other codes. Codes to do nice stuff like reset the phone to factory defaults. I couldn't find any details on this for the Xperia Mini Pro (as this function is actually somewhere in the normal menus), but other phones do contain such secret codes. Well, not so secret, Google will turn up several. And astonishingly it appears that the phone does not bother asking for confirmation!!! Fail! FAIL!! FAIL!!!
[I'm not normally as abusive as this with exclamation marks, but to go for a reset of that nature without spelling out the consequences and asking at least once if not twice is totally bloody stupid]

Oh come on, you gotta click a link, right?
Yeah. Sure. Whatever you say.
<cough>
<iframe src="tel:nasty-number-here" />
That, stuck into a webpage, will cause the action to happen just by viewing the webpage. It isn't JavaScript, so disabling scripts and plugins and such won't stop it.

Is this serious?
Now it's a highly publicised thing, yes, I think we can consider it to be serious. God knows the less legit people of the world are looking to make a buck or two off you, what better way than to get your phone to auto-dial something that'll make them money?
Imagine burying this in forums that don't correctly sanitise user-added markup. How many people might get suckered before it gets removed?

When your phone will get an update?
Probably never, sadly, for many of us.
I know people are falling over themselves to rush fixes out the door, but the sad fact of Android is that the update cycle is roughly:
So, some phones will receive an update. I suspect the majority won't unless Google themselves pull strings.
To give a current example, ICS (Android 4) is being rolled out to my phone (as well as the rest of the Xperia range from 2011). Many of them have the ability to switch to ICS, but mine (SI 1251-8056) is currently absent from the list. I wonder if Orange will get around to it before next January (phone renewal, so I might put ICS on the Xperia to play with it, once I have a new phone).
It is a sad fact of the Android infrastructure that all this needs to happen just to be able to roll out an update. Given we are using a version of Linux, maybe one day phones will have NAND flash inside them so that firmware files ('in ROM') can be updated with small patch files pushed out quickly. Certainly, one thing to consider is how the built-in browser is not available in the Market/Play and it does not seem to be updateable in any way other than a new firmware release. Given you are using an actual micro-sized computer system (yes, I said Linux) this whole state of affairs seems nuts, don't you think?

So what can be done?
Scream. Shout. Wail. Smash crockery. Write angry letters to the local paper. Punch the stuffing out of your pillow. Taunt your goldfish with a packet of Findus' finest.
None of this will do anything to solve the problem, but it might make you feel better.
When you are feeling saner...
The flaw here is the Dialler. The fix, install another dialler.
My personal recommendation is myDialer lite by Michał Motyczko. I chose this one because it had permissions that made sense.
Don't panic that it can directly call numbers - it is a dialler, it is supposed to. Also, read/write contacts. This makes sense too.
What this app does not ask for is geolocation (GPS or WiFi or cell), internet access, and so on.
This app can read your contacts, but it isn't about to upload 'em all to a server in Thailand.
Best of all, you don't even need to use this app!
When your phone encounters a tel: link, it will recognise that there are two diallers, so it will helpfully ask you which you would like to use...
Do not select "Use by default for this action" as that will defeat what we are trying to do here!
If, on the other hand, you were not expecting anything to be dialled, then you have two choices.

Lessons will be learned...
Yeah, yeah... how many times have we heard that?
Well, I hope at least these lessons might be contemplated for a future release/fix of Android:
If it was up to me, I would ask for confirmation. Then I would spell out what was going to happen, then I would ask again with the wording altered so blindly tapping the same button did not perform the factory reset [in other words, something like "Are you sure you wish to factory reset your phone" (user taps Yes) then "blah blah blah ... do you wish to cancel factory reset of your phone?" (user must tap No)]
#123#" would be rejected, but given the number of times you're likely to see links to that, I wouldn't imagine it would be a hardship.
tel: links and "just dial them". God, how can I spell this out any clearer than that?
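
As an added example (not code from this post): a check a forum could run over user-submitted markup, which also applies the kind of rule the lessons above hint at. It flags tel: URIs in tags that load without a click, such as the iframe shown earlier, and any tel: dial string containing * or #. The function names, the list of auto-loading tags, the strip/allow policy and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags that load their URL on page view, no click needed (assumed, not exhaustive).
AUTOLOAD_TAGS = {"iframe", "frame", "embed", "object", "img", "script"}
URL_ATTRS = {"src", "href", "data"}


def classify_tel(uri):
    """None for non-tel URIs, 'code' if the dial string has * or #, else 'plain'."""
    compact = "".join(uri.split())           # browsers drop tabs/newlines inside URLs
    scheme, _, rest = compact.partition(":")
    if scheme.lower() != "tel":
        return None
    dial = unquote(rest.split(";", 1)[0])    # drop ;params, decode %23 (#) and %2A (*)
    return "code" if "*" in dial or "#" in dial else "plain"


class TelFinder(HTMLParser):
    """Collects (tag, uri, kind, verdict) for every tel: URI in the markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):   # also called for <iframe ... />
        for name, value in attrs:
            kind = classify_tel(value) if name in URL_ATTRS and value else None
            if kind is None:
                continue
            # Strip anything that would dial without a tap, and any * / # code;
            # an ordinary click-to-call link to a plain number is left alone.
            strip = tag in AUTOLOAD_TAGS or kind == "code"
            self.findings.append((tag, value, kind, "strip" if strip else "allow"))


def scan(markup):
    finder = TelFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed sample post; the iframe line and *#06# come from the article.
SAMPLE = """<p>Ring the <a href="tel:+33123456789">office</a></p>
<a href="TEL:*%2306%23">show my IMEI</a> <img src="cat.png">
<iframe src="tel:nasty-number-here" />"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The percent-encoded link is classified after decoding, so writing # as %23 does not get a code past the check.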
iPhan, 29th September 2012, 17:09
If you think Android is so bad, just get yourself an iPhone. You won't regret it.
Rick, 1st October 2012, 20:04
Oh, I dunno. Paying a premium for "average" hardware doesn't seem to be my idea of worthwhile. Not to mention Apple has its fair share of Fail if you look (gee, let's disregard basic antenna theory and stick the thing on the outside as a feature 'cos it looks really cool!!!; not to mention the current state of the map application). I like the ability to source my apps from where I like (there is one, Mango, that Google has twice rather arbitrarily kicked off its Market/Play so the developer is keeping it going on his own; and I can download and install this without jumping through hoops). Apple has been found to be recording user location information, so in this respect it is probably no better or worse than Android. CarrierIQ has been seen to have been placed into handsets in a rather system-agnostic fashion, including both Android and iOS (among others).
I am also enjoying "syncing" my phone with my computer just by plugging it in and having a drive letter assigned to it (it'll do MTP as well if I need), plus easily removable media cards (dismount from the phone's setup, pop open the back, slide it out), plus the ability to charge it from a completely standardised connector (microUSB). There's one in the car and one in the corner of my room. The one that came with the phone itself is around someplace, too.
So in short, I think a move to Apple would provide me with a more polished and nicer looking user interface experience. As for the rest? Not so sure about that.
Android is not perfect, there's a heap of stuff I'd like to see changed. However I like the freedom and flexibility of the system. That my core "favourite apps" just work on either of my phones (and will on my next one). That there is a freedom to do stuff outside of the Googlesphere. Perhaps freedom is something you don't miss until you no longer have any, and if you never had it in the first place you don't know what it is.
28 years ago, Apple asked me to Think Different.
I am.
(^_^)
© 2012 Rick Murray |
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted. RIPA notice: No consent is given for interception of page transmission. |