# Android Security Flaw



## Percent45 (Aug 31, 2020)

Have you guys heard about this? 









Check your settings, an old Android security bug may leave your private user data exposed - TechReportArticles

'Oversecured' discovered a flaw in Google's own Play Core library. Play Core is responsible for installing new modules and in-app updates.

www.techreportarticles.com





Idk, seems pretty serious. I've been having random ads show up on my phone. I've uninstalled everything I could and disabled the rest. No fix. I'm trying to avoid a factory reset. Any suggestions?


----------



## britechguy (Dec 6, 2019)

More panic-mongering about something that no longer exists. From the article referenced on TechCrunch, _Android security bug let malicious apps siphon off private user data_:

_Google confirmed the bug, rated 8.8 out of 10.0 for severity, *is now fixed*. “We appreciate the researcher reporting this issue to us, and *as a result it was patched in March*,” said a Google spokesperson._

Click through on the "this bug" part, which leads from the NIST bug back to the Google record for the fix.

Nothing like reporting on a bug, in August, that was patched in March. Google has pushed out multiple updates to its own apps, including Play, since then.


----------



## sectest3 (Aug 31, 2020)

britechguy said:


> More panic-mongering about something that no longer exists. From the article referenced on TechCrunch, _Android security bug let malicious apps siphon off private user data_:
> 
> _Google confirmed the bug, rated 8.8 out of 10.0 for severity, *is now fixed*. “We appreciate the researcher reporting this issue to us, and *as a result it was patched in March*,” said a Google spokesperson._
> 
> ...











Oversecured automatically discovers persistent code execution in the Google Play Core Library

The Google Play Core Library is a popular library for Android that allows updates to various parts of an app to be delivered at runtime without the participation of the user, via the Google API...

blog.oversecured.com

They have posted an explanation.


----------



## britechguy (Dec 6, 2019)

It's not the folks at Oversecured that are the problem here. Their article, at the end, gives a very clear timeline of events, including noting that the issue was confirmed fixed by Google on 4/6/2020.

It's irresponsible for others to be reporting on this issue as though it's a _*current*_ major threat. It was a major threat that was fixed almost 5 months ago, and unless someone is blocking updates on their device, that fix should have long ago been pushed to it.

And if there's something an end-user can do to fix the issue, then give specific steps. The originally referenced article says, as its concluding line, "The good thing about this, though, is that all you have to do to solve the problem on your device is update the Play Core library. You won’t have to wait for Google to release a whole new version of Android of anything." Not telling the end user how to force that update, or confirm it's happened, is ridiculous. The update should happen on its own and should long ago have happened on its own.

Creating a headline, in August, that reads, _*Watch out Android users, a security bug leaves your private user data exposed*_, given what follows that headline, is nothing more than creating clickbait for its own sake. False panic serves no one when it comes to security issues.


----------



## Percent45 (Aug 31, 2020)

Oh. Good to know. Thanks!


----------



## Percent45 (Aug 31, 2020)

https://www.techreportarticles.com/...bug-may-leave-your-private-user-data-exposed/
How about this?


----------



## britechguy (Dec 6, 2019)

An improvement, but no excuse.

Reporting on security flaws presumes that those doing the reporting have done their due diligence *before* publication. That did not happen here, and should never, ever be allowed to happen again.

Since the article is literally not pertinent, as of the day it was written, taking it down is what's appropriate.


----------



## Percent45 (Aug 31, 2020)

Well, you can tell that to TechCrunch. I reworded it to reflect the nature, but it's still good for people to know so ima leave it up.


----------



## Percent45 (Aug 31, 2020)

If anything, leaving it up does a service to those who found it on TechCrunch, like me, thinking it was current.


----------



## tristar (Aug 12, 2008)

Thanks for reporting it @Percent45, even if not current, some user who hasn't read about it might stumble on and make himself/herself aware.

A note though, please refrain from making single liner posts or comments which do not add much value to the Thread but instead increase the Post count. You can use the Edit button in your post to Update your post for any corrections or appends.


----------



## Percent45 (Aug 31, 2020)

Oh, sorry. That's just the way that I type. I will keep that in mind, though.


----------



## Stancestans (Apr 26, 2009)

Percent45 said:


> Oh, sorry. That's just the way that I type. I will keep that in mind, though.


I doubt if tristar is talking about your typing, but rather, making short separate consecutive posts which could easily be consolidated into a single post.


----------



## samanthaevans (Dec 11, 2020)

Percent45 said:


> Have you guys heard about this?
> 
> 
> 
> ...


Which is why I only trust Apple (iOS)


----------



## SpywareDr (Jun 15, 2013)

samanthaevans said:


> Which is why I only trust Apple (iOS)


Google: *apple ios vulnerabilities*


----------



## Stancestans (Apr 26, 2009)

samanthaevans said:


> Which is why I only trust Apple (iOS)


I hope you were being sarcastic.


----------

