Chainfire, guys, please give a try to the v0.7 version of my app, same place.
Chainfire, it would have been nice to be informed while you were preparing the article (on your early conclusions)
Yes, that's good thinking.
And also why I tried to provide something (even an imperfect workaround) that doesn't alter system.
I have 2 questions tho and I'll verify to get an answer to the first one.
- Is my app really not triggering the "modified" status
- If Chainfire un-do all the modifications applied by his tools, will the device return to its "un-modified" status
Or maybe the "un-modified" status can be faked, restoring the proper function of OTA updates.
The 0.9 update of my app is strong now on boot (or less weak), but this is not very satisfying.
Frustrating as there's no "perfect" fix for regular users I'm thinking about right now.
I'm not really a fan of waiting, are you ?
Nice to have been informed ? I've stated in the threads regarding the exploit and fixes that yours and RyanZA's solutions are
not secure.
The problem is that any solution based on BOOT_COMPLETE
can never be secure. And "sort of", "mostly", etc, have
absolutely no place in security.
To me it appears (I have not checked the code, so I'm just guessing) you now make the receiver blocking during the exploit process in v0.9, again relying on boot order. You cannot rely on boot order even in ideal conditions, and I can think of several scenarios where that just doesn't work (protecting too late) or crashes (leaving you completely unprotected).
Sure, that beats the attached version in the first post, but I have several more tricks up my sleeve. I've rerun my tests against both RyanZA and your v0.9 with a private exploit test version that beats both protections every single time. Before anybody asks me to publish it - sorry but I will not. That may sound like a cop-out (think and say what you will) but if I do release it, you will only try to improve your solution - completely missing the point.
Anyway, I will not discuss the point further, I believe I have made my point, and nothing I can further say or do will convince anyone more than who is already convinced.
As for the modified status, yes that is totally reversable. I'll document this in more detail, maybe add a button in the app to help with it. As for your fix triggering modified, your app can trigger it, but it depends on the firmware version.
Props on the great research Chainfire, I agree with it all 100%
Personally though, malware authors target the easy and low hanging fruit - in this case, 99% of phone users who have not used any kind of fix. (99% is a very low estimate). They have no real reason to try and 'out race' mine or supercurios fix in practice, as (mine in particular) has very few users. Why bother creating a special exploit that only runs on boot, when you can just target 99%+ of all unfixed devices by just running the exploit when the app is started?
I've seen 4 malicious uses of the exploit in the wild so far, and all of them run on app start, which is blocked by all 3 'unsecure'/non-kernel fixes. Users are still VERY heavily encouraged to use any of the fixes as they currently stop all uses of the exploit in the wild. Supercurios is still the best one as it does not require root, and should definitely be advertised by the media as much as possible as it stops a real world and current threat to user security as best as it can.
The thing is, if
I was a blackhat you'd all have some serious problems with that attitude, you would notice by the hard-bricked device in your hand. Maybe we're all lucky I'm not and that all malware authors are too lazy to add 20 trivial lines to their code. (Right ...)
Also who said that exploit would only run at boot ? It's simply what I decided to test against because it's the most obvious flaw. A proper package would try the exploit at several times ... including boot.
Just because you build your house in the middle of nowhere is no guarantee it won't be burgled. And when said burgler comes, if your windows are barred it's not going to help if
there's a big gaping hole where your door should be.
Supercurio's is IMHO still the worst one, as it's the easiest one to beat. And it
does require root, it just
doesn't tell you about it and uses the exploit itself to root. That difference is just meaningless words. It also keeps a rooted background process around that it communicates with through a socket, of which I'm not sure how secure that even is (who knows that might be exploitable, I haven't bothered to try).
As stated though, I'm not going to discuss that point further. If you don't agree I'm not going to be able to convince you.
Furthermore, you're assuming that we know about all the exploits in the wild ... due to the nature of the exploit, it seems unlikely you can reliably detect this type of exploit - there are many ways this hole can be abused, the code going around is just one example of it.
maybe note worthy thing to here, in EU you dont lose your warrantly for applying fixes like this in fact you can install kernels/roms as many times as you want and you still got your warrantly. what comes to my own experience from this, my phone have been repaired 2 times because micro-usb didnt want to co-operate with me first time i had miui installed, second time had cm10 when i sent my phone to get fixed, both times got it fixed free of charge.
source:
https://fsfe.org/freesoftware/legal/flashingdevices.en.html
tl;dr
if flashing original firmware dont fix issues you had on your phone, then you must have the damage covered free of charge(ie. micro-usb port goes crazy)
Being in the right and getting your right are two different things. While what you say is no doubt true, the manufacturer can still claim your rooting/custom firmware is what caused the damaged to the device. And while I believe it's actually their responsibility to prove that, in reality, what are you going to do when they simply refuse to fix your device due to root ?
As an example, HTC claimed HSPL (the bootloader unlock back in WM days) broke my screen, and the (official HTC) repair center simply refused to fix it, because HTC HQ would not cover it (which is not in the EU). Threw some law and some lawyers at them, and in the end my device did get repaired, but I'm pretty sure the repair center footed the bill itself, and with the amount of time and money spent on the process, it would have been cheaper to just buy a new one.
@supercurio I was wondering the exact same thing on how may the "un-modified" status can be faked. Then again, as another user pointed out, though warranty rules and regulations maybe the same across all regions - it is their comprehension and application which is ambiguous.
I for one can attest that at my place they will simply replace the internals of your phone as long as the purchase bill you produce confirms that your device is still covered by the manufacturer warranty.
The unmodified status cannot currently be faked (well technically it can, but nobody done it yet), but the state is certainly restorable (I will document this further with my app).
Thanks Chainfire for this clear explanation.
I would add that, as soon as the exploit has been discovered, it is now risky to install or update apps if you are unsure about the editor.
And this is more risky today than before.
However I think there are several software editors in which we can trust in.
As far as already installed apps are concerned, either they are safe and there is no problem if you do not change anything (add or update).
If one of them is not safe, it is too late, because it lasts before the exploit.
If the author of an app you have installed already would release an update to their app containing the malware and running it at boot, it will generally run before Supercurio's or RyanZA's fix, and you'd be screwed.
really great work chainfire and thanks for your spent time to fix this security hole. i have one last question: can i test if any app/programm use actually this exploit on my device? or if i be infected and run your app, from this time no ohter app can use the exploit?
If you run my patch at boot no other app should be able to use the exploit - I am not aware of any way to beat my method.
