This news is making the rounds: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/

The real problem is automatic processing of unauthenticated, untrusted inbound MMS videos:

"it resides in "Stagefright," an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format."

"Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep."

I don't think using TextSecure can avoid this, in that inbound SMS messages will still go into Messenger or Hangouts... or am I wrong? I am still confused about TextSecure's deprecation of SMS support.

This is also a problem with WebView/Chrome/Chromium and Firefox, though in the latter since ESR38 it is patched... Orfox is based on ESR38, so yay!

"Interestingly, the Stagefright vulnerability also affects Firefox on all platforms except Linux, and that includes the Firefox OS. Firefox developers have patched the vulnerability in versions 38 and up."

This is definitely something to think about with our increasing support for multimedia in ChatSecure... currently you have to accept to receive a message from a contact, and of course, establish OTR with them, so that raises the bar quite a bit for an attack like this. We should really be careful about processing inbound media unless you trust+verify the contact, I think.

+n
