Wilson’s smart football hits stores next month for $200
Back in February, only a few months after Wilson introduced its smart basketball, the company followed that with a similar product for football players. Up until now, however, Wilson hadn’t shared any pricing or availability details about the X Connected Football. But today it announced that the smart football will arrive on September 8th for $200, the same price as the basketball version. With the Wilson X Connected Football, you can use an iOS app to get a breakdown of your throw, such as the distance, speed, spin rate and spiral efficiency.
Additionally, the NFL-approved ball comes with five game modes designed to help you improve your skills, as well as compare your stats with friends through the app. If you’re interested, Wilson is taking pre-orders already, which include a free copy of Madden 17 for PlayStation 4 or Xbox One.
Via: CNET
Source: Wilson
Starting today, it will be a lot harder to vape if you’re under 18
In May, the Food and Drug Administration (FDA) announced plans to regulate e-cigarettes like it does regular tobacco products. Today, those changes go into effect. First, the new regulations make it illegal to sell e-cigarettes and other vaping supplies to anyone under the age of 18. As we reported when the FDA first revealed its plans, the age limit was already being enforced in some places, but now it’s the rule nationwide. Retailers will be required to ask for identification from any customer who appears to be under the age of 27 and are prohibited from providing free samples to minors.
E-cigarette products will also have to go through an approval process before they can be sold. Before now, this wasn’t a requirement. What’s more, existing items that are already on shelves will also have to be approved if they went on sale after February 2007. Companies are allowed to continue selling products for two years while they prepare an application and an additional 12 months while the FDA reviews the paperwork. This also means that there won’t be any new products available for the foreseeable future. Hand-rolled cigars as well as hookah and pipe tobacco are also included in the new regulations.
“The bad news is that August 8th of this year marks the beginning of a two-year countdown to FDA prohibition of 99.9 percent plus of vapor products on the market,” American Vaping Association president Gregory Conley posted on the organization’s website late last week. “If we do not succeed in changing the FDA’s arbitrary predicate date of February 15, 2007, the vapor industry will shrink to almost nothing beginning August 8, 2018.”
The FDA cites consumer protection as the reason for the new regulations as the debate over health concerns surrounding cigarettes rages on. It’s also a way for the government to keep tabs on vaping products that are popular among teens. “This final rule is a foundational step that enables the FDA to regulate products young people were using at alarming rates, like e-cigarettes, cigars and hookah tobacco, that had gone largely unregulated,” Mitch Zeller, from the FDA’s Center for Tobacco Products, explained back in May.
Source: USA Today
Explore ‘Quadrilateral Cowboy’ even further with its source code
The team behind Quadrilateral Cowboy is giving a little something back to the community. Blendo Games has released the game’s entire source code for players and other studios to explore and examine.
Offering up the source code fits right in with the bizarre existence of Quadrilateral Cowboy itself, in fact, as it’s a cyberpunk puzzler that’s all about overseeing a hacking operation while utilizing a 56.6k modem and 256k of RAM. Impressive specs, right?
The code is written in C++, with solution files for Microsoft Visual C++ 2010, and is available in a package that’s just 12MB large. The game was created on a modified version of the same engine behind Doom 3 and Quake 4, and if you’re interested in putting those tinkering skills to good use, you can grab the source here.
That should satisfy any urges to mess about in the world of tech that arise after a game of Quadrilateral Cowboy.
Via: Develop-Online
Massive ‘No Man’s Sky’ day one patch is live a day early
No Man’s Sky’s substantial first-day patch is available now for the PlayStation 4, a day earlier than the game’s August 9th release date. The patch’s file size is 824MB, which isn’t too large considering the number of fundamental changes it makes to how the game plays, but it is roughly a quarter of the game’s size, which is 3.69GB.
No Man’s Sky’s patch brings three story paths to follow in the game — one of which has been completely rewritten — allowing you to make choices early on that will determine what you see later. The update brings a deeper trading system, new combat mechanics — like the slightly revamped hit systems in space fights — and expansions to your personal and space vessel inventories.
This patch, which includes a few more changes, is the “first of many” free updates to the space exploration title. Future upgrades will let you build bases and own “giant space freighters.” No Man’s Sky is seen (by developer Hello Games) as a constantly evolving project. You’ll most likely play a different game when you hop back in a few months later.
Via: Polygon
Day-one patches are the new normal
No Man’s Sky will receive a massive day-one patch that adds a ton of new content and gameplay elements to an already humongous game. This would be just fine, except a few retailers across the nation started selling the game early — it comes out on Tuesday, but some people (including reviewers) were playing it late last week. The patch, which includes the actual finished game with all of its bells and whistles, requires these early players to delete their saves and start over when No Man’s Sky actually comes out. Developers at Hello Games wiped No Man’s Sky’s servers on Sunday and they’re doing the same thing today.
And there’s nothing wrong with any of this.
Some players feel cheated (“I bought the game, so why can’t I keep my progress?”), and others think that a day-one patch is a sign developers are trying to ship an unfinished game (“Isn’t that just a cop-out so they can start making money without doing their jobs?”). These perspectives are not only entitled, but they misunderstand the modern game development process.
Day-one patches are the new normal — and, hell, they’re not even that new.

When Microsoft attempted to sell the Xbox One as an “always-on” console in 2013, the idea received so much backlash that the company changed its entire next-gen ecosystem. Microsoft abandoned the idea of a console that had to be constantly connected to the internet, while Sony crowed that the PS4 was never designed to be always-on.
However, in practice, both of these consoles rely heavily on online connections. Many major, AAA games — even single-player experiences — won’t function without first connecting to the internet, and all games receive multiple patches throughout their life cycles. Some of these patches are small, but some are large updates to the core of a game’s mechanics or playability. Modern consoles are not always-on, but they are mostly-on.
Within this mostly-on ecosystem, not only are developers able to release day-one patches; they’re encouraged to do so. Getting a game certified on consoles is an arduous, bureaucratic process filled with complex forms, weird benchmarks and a thousand ways to get rejected. Nuclear Throne co-creator Rami Ismail laid out the certification process in a blog post last night, and he noted that especially in the case of disc-based games, like No Man’s Sky, developers often submit their builds months in advance.
“If you’ve got months to improve upon a game that went through cert, do you think you would leave those months?” Ismail asked. “Do you think audiences would appreciate a developer just kind of doing nothing for three months? Can you imagine the Kickstarter outrage if a developer, three months from launch, posted, ‘We’re done, it’s good, we’re not touching it again until you get to play in three months?’ Anybody arguing that a game should be done when it goes ‘gold’ is living in the ’90s.”

Besides, not only are games today more connected than they were in the ’90s, they’re vastly more complicated on a technical level. Patches are more prevalent in general because there’s more that can go wrong or need tweaking for a game to operate as its creators envisioned. This doesn’t just apply to console games, either; PC games are just as huge and many also require an internet connection at some point.
The ability to roll out a day-one patch is a crucial facet of a mostly-on ecosystem, in which developers and console manufacturers assume all players have access to the internet, at least for a little while. Long enough to download an update, if not an entire game.
A day-one patch is not a sign that the developers are trying to pull a fast one on players or that they snuck an unfinished game through certification. Sure, it seems like some games simply aren’t done when they hit consoles — we’re looking at you, Assassin’s Creed Unity — and those are worthy of our ire, especially if we’ve just dropped $60 on a supposedly AAA experience. However, day-one patches on their own are not sinister. They’re simply part of the modern game development process.
Sean Murray and the rest of Hello Games were thrust into the limelight the day they revealed the first trailer for No Man’s Sky in late 2013, and they’ve been working under its harsh glare ever since.

“We’re under a pretty intense spotlight right now, and hopefully it’s easy to imagine how hard it would be to switch off from that, or how deeply we care about people’s first impression of the game,” Murray wrote in a post about the day-one update yesterday. “In fact most of us were back here the day after we went gold, working on this update. We’re already proud of what we put on a disk, but if we had time, why not continue to update it?”
No Man’s Sky in particular is a passion project. You can hear it in the way Murray talks about devouring sci-fi novels as a kid and how he dreamed of one day playing a game that allowed him to explore entire universes from the comfort of his couch. The game gained attention because it’s gorgeous, and it kept us hooked because of its premise: the idea of unencumbered cosmic exploration unlike anything we’ve ever been offered in a video game. It’s a huge project and a new experience in the gaming world. And now, with the day-one patch, it’s even better than we could have imagined.
In this case, a day-one patch is not only normal — it’s ideal.
AI hackers will make the world a safer place — hopefully
The spotlights whirl in circles and transition from blue to purple to red and back to blue again. Basking in the glow is a stage constructed to resemble something out of a prime-time singing competition. But instead of showcasing would-be pop stars, the backdrop is built to push 21kW of power while simultaneously piping 3,500 gallons of water to cool its contestants. Those seven competitors were actually server boxes autonomously scanning and patching vulnerabilities.
The DARPA Cyber Grand Challenge (CGC) at the Def Con hacker conference last week pitted these AI systems — housed in the same enclosures you’d find in an IT department — against one another in a digital version of capture the flag. The government research agency is doing its best to add some pizzazz to the event with all the lights and play-by-play announcers. The reality is, though, that this is more than just an e-sports event: The outcome of this competition and the innovation it spurs could change the way the United States government and companies deal with software vulnerabilities and cyber attacks.

The seven teams, which consisted of universities, researchers and companies, built and programmed their AI “bots” to find, diagnose and fix software flaws in a highly competitive environment. The systems also have to defend themselves against other teams attacking the vulnerable code (or flag) on their own server while trying to launch counterattacks. Yeah, it’s complicated. It’s like being handed a series of puzzles with no directions on how to solve them while trying to keep your friends from figuring out the same brain teasers.
Except these brain teasers have the potential to bring down the internet or leave serious vulnerabilities in code that could be exploited by nefarious hackers and nation states. At this early stage, things are looking promising. One of the flaws handed to the bots was the SQL Slammer denial-of-service bug that brought the net to its knees in 2003 as it propagated to 75,000 servers in 10 minutes. Two of the bots recognized and patched the flaw, with one of them doing so in just five minutes. That’s quicker than a security researcher sitting down at their desk and launching the tools needed to reverse-engineer a bug like that.

The whole thing is being projected on screens to the audience using visualizations that resemble TRON. The arena view is compelling if a bit confusing (the audience was subjected to a 10-minute explainer about each element in the artwork). It’s a bit of a dog-and-pony show to enhance the importance of what’s happening. While we’re being wowed with bright lights and canned commentary, the machines have been hacking away at code for 12 hours at break-neck speeds. They are the rockstars of Def Con, the new Monoliths of 2001 with silkscreened names and flashing LEDs that will change the future of computing.

Behind all the Hollywood-style presentations, the actual story of the boxes is that the AI technology in these bots scans code, finds vulnerabilities and patches them so quickly that it has the potential to reduce cyber attacks and squash software flaws before they have a chance to do any harm. A company could throw a new application or OS into a bot like these and find flaws before it even ships. That reduces not only the number of patches being released, but the holes left in applications by bad code before a customer even installs it.
Just don’t expect to see these systems out in the wild anytime soon, DARPA director Arati Prabhakar told Engadget. “This is not a two-year journey,” he said. “I don’t think it’s a 50-year journey either. In a decade I think you’re going to see a huge change.”
DARPA wants this event to help drive innovation in this area. “A few of the specific steps that are gonna happen will probably happen from these competitors,” Prabhakar said. Indeed, this is how the agency operates. It did the same thing with its Urban Challenge for autonomous cars. Now we have semi-autonomous systems on the road while full autonomy is being researched by every major automaker and Google. But like those early cars that went a few years and veered off course, these systems aren’t ready for prime time. Instead, expect to see iterative progress as the technology matures.
But AI machines like those in the competition could also be used to plow through the code of operating systems, infrastructure and applications to find vulnerabilities for exploitation. It’s a future of AI battling AI to see who can find a flaw the quickest. DARPA insists that its research for the Department of Defense will be to help it thwart attempts by bad actors to infiltrate both government and private systems in the US.

In the meantime, the top robot came from security company and Carnegie Mellon subsidiary ForAllSecure, whose Mayhem AI bot bested the field and went home with a $2 million purse. Unfortunately, later in the weekend it came in last when pitted against some of the world’s best hackers in the professional CTF competition. David Brumley, CEO of ForAllSecure, is still happy about the bot’s performance. At one point, it was even ahead of two human teams.
The computer has speed on its side, but humans still have critical thinking and years of experience in their corner. The company spent two years working on Mayhem and 13 years researching how to automatically find vulnerabilities. Brumley thinks it’ll be 30 years before computers are as good as the best human security researchers.
But it’s more than just trying to be better than people. “I think what computers are doing is really changing the way we’re going to think about security,” Brumley said. “Right now if you want to analyze something for security vulnerabilities, you have to think long and hard about whether it’s worth the expense.”

For now, the technology is being gamified. Competition breeds innovation. The Mayhem team will go home and start applying what they learn to tackling problems in actual software. There won’t be any lights or commentary. Instead, this computer and others like it will work side-by-side with human counterparts to secure everything from the Pentagon to the IoT bulbs in your home.
The robot hackers are coming to make things more secure. At least that’s the hope.
We still don’t know why ‘alien megastructure’ star is dimming
Astronomers’ favorite mysterious stellar object, which may or may not be surrounded by an “alien megastructure”, remains unexplained. A reason for the flickering light emitted by the star known as KIC 8462852 continues to evade the scientific community. But scientists have taken a closer look at the star’s brightness levels, and it’s official: the amount of light coming out of it has decreased by three percent over four years. Further, it’s only happening to this one sun and none of its neighbors. The plot continues to thicken.
At first, scientists posited that the star’s intermittent shining was due to comet swarms, but that seemed far less plausible when evidence emerged that it had been irregularly dimmed for over a century. But, as Gizmodo pointed out, some have claimed the historical evidence is too unreliable to support a clear decreasing trend.
So earlier this year, researchers Ben Montet of Caltech and Joshua Simon of the Carnegie Institute chose to study a few years of data on KIC 8462852, nicknamed Tabby’s Star, gathered by the very precise Kepler space telescope. Ultimately, they explain in an unpublished report, the light decline is significant, not replicated by other nearby stars and is most likely not due to a comet cloud.
Back in October 2015, The Washington Post noted that scientists have mostly dismissed the theory that alien structures are blocking light from Tabby’s Star. Mostly. Aliens should always be the last hypothesis considered, a Penn State University professor told the Post, but it would explain the flickering. Sadly, no new information was revealed in the Louisiana State University researchers’ report, so the dimming remains a mystery. In their own cryptic but measured words from the paper, “No known or proposed stellar phenomena can fully explain all aspects of the observed light curve.”
Source: Gizmodo
FCC Demands AT&T Refund $7 Million in Unauthorized Charges by Scammers
The FCC’s enforcement bureau announced today it has reached a settlement with AT&T that will see the carrier pay $7.75 million for allowing scammers to charge thousands of customers approximately $9 per month for a sham directory assistance service.
AT&T has agreed to issue full refunds to all current and former customers who received unauthorized third-party charges from January 2012 onwards. The refunds are expected to total $6.8 million, while AT&T will also pay a $950,000 fine to the U.S. Treasury.
The scam was uncovered by the U.S. Drug Enforcement Administration while investigating two Cleveland-area companies, Discount Directory, Inc. (DDI) and Enhanced Telecommunications Services (ETS), for drug-related crimes and money laundering. During the investigation, DEA officials discovered financial documents related to the scam, which primarily targeted small businesses.
AT&T received a fee from the companies for each charge AT&T placed on its customers’ bills. Although DDI and ETS submitted charges for thousands of AT&T customers, they never provided any directory assistance service. Neither DDI, ETS, nor AT&T could show that any of AT&T’s customers agreed to be billed for the sham directory assistance service. Phone companies like AT&T have a responsibility to ensure third-party charges are legitimate and were approved by the consumer.
AT&T is required to cease billing for nearly all third-party products and services on its wireless bills, and can only reinstate charges of that kind with express informed consent from customers. The carrier also must revise its billing practices to ensure that third-party charges are clearly identified on bills, and offer a free service for customers to block third-party charges.
In 2014, AT&T similarly agreed to pay $105 million in fines and refunds for unauthorized third-party subscriptions and premium text messaging services. T-Mobile also reached a $90 million settlement with the FTC, which accused the carrier of “cramming” unauthorized SMS subscriptions like horoscopes on bills. The FCC has taken more than 30 enforcement actions against carriers for related cases since 2011.
How to find your lost Android phone

How do I track my Android phone? There are quite a few tools at your disposal.
Worried about misplacing your phone or (worse yet) having it stolen? Ease your fears and set up a tracking system before your worst case scenario strikes. For best locating results, your phone should be connected to a Wi-Fi signal, but GPS and mobile networks will still manage to pinpoint a fairly accurate location. You must also have a Google account for virtually all of the tracking services available, whether they are built in or downloaded.
- How to enable Android Device Manager on your phone
- How to locate your phone using Google
- Family Locator
- Cerberus anti theft
- Prey Anti Theft
- Lost Android
- Where’s My Droid
- The bottom line
How to enable Android Device Manager on your phone
In newer Android phones, the Device Manager is already located conveniently in your Settings app, so there’s no need for any extra downloads. This locating service has essentially amalgamated with Google to make finding your phone easier. There are just a couple of things you’ll need to activate.
1. Launch Settings.
2. Tap Security.
3. Tap Device Administration.
4. Tap Android Device Manager so that a checkmark appears in the checkbox.
5. Tap the back button in the top left corner of your screen.
6. Tap the back button again in the top left corner to return to the main Settings menu.
7. Tap Location in the main Settings menu.
8. Tap the switch beside Location at the top of the screen so that it turns on.
9. Tap Mode.
10. Tap High accuracy so the circle is filled in.
11. Tap the back button in the top left corner.
12. Tap Google Location History.
13. Tap the switch beneath Location History so that it turns on.
14. Tap the switch beside your device so that it turns on.

How to locate your phone using Google
Should you happen to lose your phone, you can locate its whereabouts by logging into your Google account from any computer or even from another phone.
1. Launch a web browser from a phone, tablet, or computer.
2. Navigate to Google if it is not your default search engine or home page.
3. Type find my phone android in the Google search bar.
4. Tap on Android Device Manager (usually the first option in the search).
5. Enter your email address and password just as though you were checking your email.

When your phone is located, you have three options to choose from:
- You can Ring your phone so that it makes noise (even if you had it on silent). This feature is helpful if the map indicates that the phone is within earshot and you simply can’t see it.
- You can Lock your phone so that the finder can’t access your home screen. This feature is most helpful if your phone wasn’t previously secured with a passcode or a fingerprint sensor.
- You can Erase your phone. This is the best option if you know for certain that you aren’t likely to retrieve your phone.

If you are trying to locate your phone with Android Device Manager and it doesn’t seem to be working, the most likely cause is that your phone is not currently connected to Wi-Fi or an available network. In this case, it’s important to keep trying; the moment your phone does make that connection, it will appear on the map.
If you want to download a tracking app for fear of a missing phone crisis, there are a number of options to choose from, and we’re highlighting some choice picks for you.
Family Locator

The Family Locator app by Life360 is essentially a GPS tracker for phones but is especially useful for families with multiple phones in use. Your family members become a “Circle”, the app’s name for a closed group of people who consent to having their phones tracked in real time. Your family members will appear on live maps within the app as little icons so that you can see where everyone is at any given moment.
The app also allows you to chat with people in your Circle or broadcast a meeting time and location. And, of course, if a phone from within your Circle is ever lost or stolen, the app will track it on the map.
Download: Family Locator (Free with in-app purchases)
Cerberus anti theft

This locator app from Cerberus offers an impressive array of remote control features if you find your phone has been lost or stolen. You’ll still be able to lock, ring, or erase your phone, but you’ll also be able to remotely access your camera or sound a loud alarm from your phone, even if it was on silent mode when you lost it.
The advanced features allow you to hide Cerberus in your app drawer so that it can’t be detected if and when your phone is found or stolen. Your missing phone will transmit data to you via the Cerberus website or via SMS text from another phone with the Cerberus app installed.
Download: Cerberus anti theft (Free with in-app purchases)
Prey Anti Theft

The Prey Anti Theft app is impressive in that three different devices can be protected through one download. You’ll have the ability to sound an alarm from your missing phone, take screenshots if it’s in use, and lock down the device the moment you realize it’s missing.
Once you’ve downloaded the app, it will walk you through a series of tutorials to show you how to use your Prey Account to track your phone. The app itself is free and doesn’t require additional purchases in order to access the high-end features.
Download: Prey Anti Theft (Free)
Lost Android

Lost Android will allow you to have remote access to your missing phone via their website. Here, you’ll be able to erase sensitive information if you fear that your phone may never be returned, or send messages to your phone in the hopes of someone finding and returning it.
Additionally, you can choose to remotely forward any calls you may be missing to another number and record a running list of any calls or messages made or photos taken with your phone.
Download: Lost Android (Free with in-app purchases)
Where’s My Droid

The basic features of the Where’s My Droid app allow you to ring your phone if you misplace it, locate it via GPS on Google Maps, and use a passcode to prevent unauthorized changes to apps on your Android phone. Stealth Mode also prevents anyone who finds your phone from seeing your incoming text messages; instead they’ll see a customizable attention word that alerts them of the phone’s lost or stolen status.
The Pro version of the app, which you pay to use, lets you remotely wipe data from your phone, use a landline to access your phone, and remotely lock the device.
Download: Where’s My Droid (Free with in-app purchases)
The bottom line
If your phone is stolen or found and it’s then factory reset, you will not be able to rely on any apps or services to find it; a factory reset will wipe out any of the original data, accounts, or passwords that are needed to remotely find your Android phone.
As always, exercise caution when retrieving a lost or stolen phone. If you have any concerns about it being lost or stolen, it’s best to set up and test your preferred tracking system as soon as you buy it, and contact the police. It can be a bit of extra front-end work to register some apps, but it will be more work trying to locate a missing phone if no safety nets are in place at all.
QuadRooter: 5 things to know about the latest Android security scare

New Qualcomm-targeted Android security bug is reported to put ‘900 million’ devices at risk. Here’s what you need to know.
Once again, it’s Android security scare season. This morning news broke of the latest collection of vulnerabilities, discovered by security firm Check Point and grouped together under the catchy moniker “QuadRooter.” As usual, most of the reporting has focused on worst-case scenarios and a shockingly huge number of potentially vulnerable devices — in this case, an estimated 900 million.
We’re going to break down exactly what’s going on, and just how vulnerable you’re likely to be. Read on.
1. It’s a Qualcomm thing
Check Point specifically targeted Qualcomm due to its dominant position in the Android ecosystem. Because so many Android phones use Qualcomm hardware, the drivers Qualcomm contributes to the software on these phones make for an attractive target — a single set of vulnerabilities affecting a large proportion of the Android user base. (Specifically, the bugs affect networking, graphics and memory allocation code.)
Qualcomm’s drivers are a big, attractive target.
All four of the exploits that make up QuadRooter affect Qualcomm drivers, so if you have a phone that uses no Qualcomm hardware at all — for example, a Galaxy S6 or Note 5 (which use Samsung’s own Exynos processor and Shannon modem) — you’re not affected by this.
2. It’s serious, but there’s no evidence of it being used in the wild
As the name suggests, QuadRooter is a collection of four exploits in Qualcomm’s code which could allow a malicious app to gain root privileges — i.e. access to do basically anything on your phone. From there, you can dream up any number of nightmare scenarios: attackers listening in on phone calls, spying through your camera, pilfering financial details or locking down your data with ransomware.
No one’s talking about these exploits being used in the wild yet, which is a good thing. However, given the challenges involved in updating the software on the billion-plus Android devices out there, the bad guys will have plenty of time to figure out a practical application.
But…
3. Chances are you’re not actually “vulnerable”

QuadRooter is one of the many Android security issues that requires you to manually install an app. That means manually going into Security settings and toggling the “Unknown Sources” checkbox.
Any vuln which requires you to manually install an app runs into two major roadblocks: The Play Store, and Android’s built-in “Verify Apps” feature.
At the time of writing Google has yet to confirm that the Play Store is blocking apps which use these exploits (we’ve got emails out, and will update this post when we hear). But given that Check Point first disclosed the vulnerabilities back in April, it’s almost certainly doing so. That means you’ll be fine if, like most people, you only download apps from the Play Store.
And even if you don’t, Android’s “Verify Apps” feature is designed to act as an additional layer of protection, scanning apps from third-party sources for known malware before you install. This feature is enabled by default in all Android versions since 2012’s 4.2 Jelly Bean, and because it’s part of Google Play Services, it’s always updating. As of the most recent stats available, more than 90 percent of active Android devices are running version 4.2 or later.
Again, we don’t have explicit confirmation from Google that “Verify Apps” is scanning for QuadRooter, but given that Google was informed months ago, chances are it is. And if it is, Android will identify any QuadRooter-harboring app as harmful and show a big scary warning screen before letting you get anywhere near installing it.
In that case, are you still “vulnerable?” Well, technically. You could conceivably go to Security settings, enable Unknown Sources, then ignore the full-screen warning that you’re about to install malware. But at that point, to a large extent, it’s on you.
4. Android security is hard, even with monthly patches
One interesting aspect of the QuadRooter saga is what it shows us about the Android security challenges that still remain, even in a world of monthly security patches. Three of the four vulnerabilities are fixed in the latest August 2016 patches, but one has apparently slipped through the cracks and won’t be fixed until the September patch. That’s cause for legitimate concern given that disclosure happened back in April.
However, a Qualcomm rep told ZDNet that the chipmaker had been issuing patches of its own to manufacturers between April and July, so it’s possible certain models may have been updated outside of the Google patching mechanism. This only underscores the confusion involved with having an explicit patch level from Google, while device manufacturers and component makers are also providing security fixes.
Most Android phone makers suck at issuing security patches. And even up-to-date devices won’t be fully patched for another month.
For now, the only way to know if your phone is theoretically vulnerable is to download Check Point’s QuadRooter scanner app from the Play Store.
Even once patches are issued, they need to go through device manufacturers and carriers before being pushed out to phones. And although some companies like Samsung, BlackBerry and (naturally) Google have been quick about making sure the latest patches are available, most of the folks making Android devices are nowhere near as timely — especially when it comes to older or lower-priced phones.
QuadRooter underscores how the ubiquity of Qualcomm-based Android devices makes them an attractive target, while the variety of hardware as a whole makes updating all of them near impossible.
5. We’ve been here before
- Catchy marketing name? Check.
- Big scary number of “vulnerable” devices? Check.
- Free detection app peddled by security company with a product to sell? Check.
- No evidence of use in the wild? Check.
- Press at large ignoring the Play Store and Verify Apps as a roadblock against app-based malware? Check.
It’s the same dance we do every year around security conference time. In 2014 it was Fake ID. In 2015, it was Stagefright. Unfortunately, understanding of Android security issues in the media at large has remained woeful, and that means figures like the “900 million” affected bounce around the echo chamber without context.
If you’re being smart about the apps you install, there’s not much reason to worry. And even if you’re not, chances are Play Services and Verify Apps will have your back.



