This page is dedicated to Android security meltdowns. A security
meltdown in this context is a security threat that would almost
force a large part of the Android phones in use to be abandoned for
security reasons.
I hope that this page will show people why we need regular updates
even for the core system of Android.

Threat: Android Browser Same Origin Policy Bypass < 4.4 -
CVE-2014-6041
Consequences: Malicious sites can steal sensitive data from
other pages, e.g. the session data of your online banking.
Workaround: Since Android 4.4 there is no built-in browser,
so on new devices you can get updates via the Play Store and don't
have to wait for the phone manufacturer. This also won't affect any
data in other apps. It may be that there isn't much data to be stolen.

Threat: Android Fake ID Vulnerability
Consequences: Malicious apps can impersonate trusted apps
and thus escape the Android sandbox without the user noticing, e.g.
to install a trojan.
Workaround: Google fixed their Play Store to stop such apps.
Users of alternative stores, e.g. the Amazon App-Shop or F-Droid
(the place for open source apps), are on their own.

Threat: Heartbleed Bug
Consequences: This bug allows an attacker to get information
that helps him break encrypted connections and read their contents.
Workaround: None, but according to Google only Android 4.1.1
was affected, making it a small group of affected people.

Threat: USSD security flaw
Consequences: Any website could trigger USSD codes and e.g.
enter so many wrong PIN/PUK codes that the SIM card would be broken.
Workaround: Install an app that also reacts to the USSD
intent and so brings up an app selector to the user instead of
executing the USSD code. As of Android 4.0 this is fixed.

Threat: Stagefright
Consequences: An error in Android's media playback engine
(named Stagefright) allows malicious media files to execute code.
These media files can be sent via MMS and are sometimes processed
before the user sees them.
Workaround: None. As of 27.07.2015 the hardware manufacturers
are preparing patches. Nexus 6 and Blackphone are the only confirmed
devices that are not vulnerable to this threat.

Threat: One Class to Rule Them All (CVE-2015-3825)
Consequences: This error allows apps without any privileges
to get access to the memory of higher-privileged apps and then execute
code in their context. This includes apps that run in the highest
security context, which allows taking over the whole phone. Affected
Android versions are 4.3 to 5.1.
Workaround: None. As of 12.08.2015 Google has created a patch
but not distributed it.

Threat: Drammer (Extended Rowhammer)
Consequences: Reading bits many times will flip bits in
neighboring regions.
Workaround: None. This is a hardware problem. As of
25.10.2016 Google has planned a patch to make use of the bug more
difficult.