It's a cool and interesting type of attack, but I really don't care for the breathless clickbait headlines that are sourced to a few security researchers demonstrating an attack in a lab, that has already been patched against and has never been seen in the wild.
> Requires a victim to first install a malicious app on an Android phone or tablet
As Raymond Chen/Old New Thing likes to say, this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.
That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.
The obvious joke, how long has Facebook been using this exploit?
Several preinstalled bloatware stores such as Galaxy Store, Moto apps and so forth will default to opt-in to automatically installing 'recommended apps and games' - essentially spyware garbage they get kickbacks from - in the background, plus several flagship phones now come with Temu preinstalled.
The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.
The app needs to be opened by the user for the exploit to work, as seen in the video the researchers published, so the attack surface is big but not that big.
I have definitely opened the wrong app by accident on a smartphone - super easy to tap the wrong thing in a variety of situations (grasping at an awkward angle to snap a photo, pocket taps, etc).
It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps I guess) masks my 4 digit passcode with asterisks so it is likely safe from this specific attack.
PS: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.
> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.
I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt like a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.
There should be a new, stronger word for these kinds of attacks. Like clevevil, or clevil. Yes, pixnapping is clevil. We should strive for the opposite: livelc.
How are you sure? This isn't abusing some poorly secured screenshot API, this is a timing attack on the GPU rendering process and impacts a wide range of GPUs.
Would you buy a hammer that can't ever hurt your thumb? What implications would that have? Would that be a good hammer?
Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.
There was a time when we would have said something similar for table saws that cannot cut off your finger. Might be a little harder to pull off the trick with a hammer, but it just seems like another engineering problem. And it would make for a very expensive hammer.
It probably wouldn't be classified as a hammer anymore. You're comparing apples and oranges. Now when you show me the manual hand saw that can avoid cutting off your fingers you'll have an accurate comparison.
Because we're not comparing air nailers or electric nail guns or screw guns. It was about a hammer.
Your comparison is so ridiculous because the table saw did not obsolete any other kind of saw. It was only a new type of saw that allowed for some types of sawing to be done much easier.
Everybody knows about saw stop. But in what way does a table saw compare with a hammer? If you were comparing it to an air nailer, or an electric nail gun, or an electric screw gun, which all can have safety features that require certain things to be met before it will fire then you have a comparison.
If you want to compare the hammer to something that saws you would compare it to a handsaw. Show me the hand saw that cannot damage your fingers.
You must think you're very smart but I don't think you've done any manual labor in your life. Because the table saw never obsoleted any other type of existing saw. It was simply a new tool that enhanced the ability to do certain types of sawing. The more you limit a function of something the easier it is to put guardrails around it. That was the original poster's point. You can limit Android to the point that it is nearly useless or useless only for the most basic of tasks but then you remove the power of it but you do not remove the need for all of the other tasks.
Table saws with saw stop still necessitate hand saws in some circumstances. Power nailers that have safety features that prevent their discharge in unsafe ways do not obsolete hammers.
While I appreciate the sentiment of fighting against oversecure features, this is a great security feature. The Windows OS model started development in the 90s, before the internet or even malware was popular. Android started development around 2010 and was able to provide a security design that contemplated risks of malware and internet.
In Windows installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce that the mechanism is completely useless is quite stupid, you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.
They're called rubber mallets and they are useful in a number of situations where you want to
> I would hope a malicious app I willingly installed will be able to behave maliciously.
You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.
You can hurt your thumb with a rubber mallet. Maybe the better metaphor would be kids' safety scissors which I guess represents the iPhone, but I'd still rather go with the Android (regular scissors) because I'm an adult and I'll take responsibility for the risks of using the more powerful tool.
I think one can still build a product that has a level of guard rails without impacting usability.
I also think iOS is more of an opinionated 'set of shears'. E.g. 'Right Hand only Scissors made from proprietary parts, made to only cut objects that 80% of scissor users need to cut' if we were to go down the road of analogies.
Funnily enough Google Android is removing the ability for unsigned non-adb APKs. I would suggest your 'regular' scissors will be slightly blunted in the upcoming Android 16 OS release.
Android supremacy at its finest. I would never recommend a family member buying one. The history of this kind of thing is long and keeps continuing to happen.
First it requires the user take buckets of ammonia and bleach and mix them together.
> 2. Attacker app opens Google Authenticator's main activity
> 3. Attacker app opens a stack of activities to include graphical operations on pixels displayed by Google Authenticator's main activity
Android allows apps to call other apps? While remaining in the foreground? How does that work? I don't think iOS allows this.
Clever and evil.
Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.
I think this is the part people are upset about
Yes.
https://www.youtube.com/watch?v=oQu3ccfl7Ow
Or you would yell at a cloud?