MUST READ!! Hackers urge all EVO 4G owners to root device citing security flaws!

**redd214** · #1 (**permalink**) 06-03-2010, 10:13 PM

i dont know how much weight this holds but ummm, uh oh....dont shoot the messenger

Nice Hardware, Horrible Sprint Software

From Matt Mastracci - one of the guys from the unrEVOked project:

....It turns out that this is a really, really bad thing for users. The Sprint customizations of Android are so bad that an Android application could get access to all of your data with very little work. It’s so bad that I would not recommend purchasing the Sprint EVO or Hero.....

BGR Article

Remember how jubilant we all were the first time the EVO 4G was successfully rooted? We’ll we’re not smiling anymore. According to Matt Mastracci, one of the men responsible for the first successful root, customizations made to the UI at the request of Sprint have made the phone an easy target to a “whole suite of vulnerabilities” which “are so bad that an Android application could get access to [a user's personal] data with very little work.” As a temporary workaround, Mastracci suggests that EVO 4G owners root their device and is planning to release on Friday a “painless root” too dubbed unrevoked. Mastracci also said that if “Sprint gave users root access to their phone, he and the two hackers he is working with would “be sending these vulnerabilities straight to Sprint.” But until Sprint abandons its “anti-user approach”, Mastracci said he and his team would “hold the exploits close to our chest.”

TeamMike · #2 (**permalink**) 06-03-2010, 11:22 PM

huh? i dont understand... laymens terms please...

nate.spangler · #3 (**permalink**) 06-03-2010, 11:35 PM

so will rooting by itself help/fix the security flaws or is there more that we need to do??

Stunna4life888 · #4 (**permalink**) 06-03-2010, 11:37 PM

People are saying that with Sprint software programming an android app could capture all of your data. IE: passwords, bank account info and such. I have read here and there about it.

Stunna4life888 · #5 (**permalink**) 06-03-2010, 11:39 PM

Quote:

Originally Posted by nate.spangler

so will rooting by itself help/fix the security flaws or is there more that we need to do??

Assuming it only needs to be rooted. FYI there is an OTA update coming out to "fix" the SD card issue, if you plan on rooting by all means DO NOT DOWNLOAD THE UPDATE! Devs are saying that it will more than likely cost you root access as well. If and when someone update we will be able to pull files pertaining to that update and find a way for the SD card fix with a push apk more than likely

Mazzakre · #6 (**permalink**) 06-03-2010, 11:47 PM

Quote:

Originally Posted by redd214

... Mastracci also said that if “Sprint gave users root access to their phone, he and the two hackers he is working with would “be sending these vulnerabilities straight to Sprint.” But until Sprint abandons its “anti-user approach”, Mastracci said he and his team would “hold the exploits close to our chest.”[/B]

So, he knows about vulnerabilities but isn't going to tell anyone about it and possibly get a fix for all users because Sprint wont give root access? Sounds kinda selfish no? Most users dont want/need root access but they will remain vulnerable because of this. Also, i didnt think any phone company gave root access to their users, not just Sprint.
Im grateful to the guy for all his hard work getting a root for the phone but come on.

Just read the article on grack and it looks like he's saying that the hole comes from rooting your phone not from just using the phone... or is he saying that the vulnerability is in how easy it is to root? Im so confused.

nate.spangler · #7 (**permalink**) 06-03-2010, 11:48 PM

thanks for the info. long time winmo user. never even touched an android phone as of yet. have to relearn all over again.

honduranthunder · #8 (**permalink**) 06-03-2010, 11:49 PM

Wirelessly posted (Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 8.12; MSIEMobile6.0) Sprint T7380)

what kind of information is making users vulnerable?

Stunna4life888 · #9 (**permalink**) 06-03-2010, 11:51 PM

Quote:

Originally Posted by Mazzakre

So, he knows about vulnerabilities but isn't going to tell anyone about it and possibly get a fix for all users because Sprint wont give root access? Sounds kinda selfish no? Most users dont want/need root access but they will remain vulnerable because of this. Also, i didnt think any phone company gave root access to their users, not just Sprint.
Im grateful to the guy for all his hard work getting a root for the phone but come on.

A magician never reveals his secrets though. You never know whose on the other side of these board lurking and ready to cause some trouble. If he points itout some "Dev" may take in into his or her hands and run with it. Just gotta be careful these days thats all.

Mazzakre · #10 (**permalink**) 06-03-2010, 11:58 PM

Quote:

Originally Posted by Stunna4life888

A magician never reveals his secrets though. You never know whose on the other side of these board lurking and ready to cause some trouble. If he points itout some "Dev" may take in into his or her hands and run with it. Just gotta be careful these days thats all.

I agree that its not a great idea to release all the info but why not send it directly to Sprint? I dont really need to know where the hole is but if there is one Google or Sprint knowing would be a great idea. Google is a multibillion dollar company, they would get to action quickly to patch it.

Reading the article he says that Google and Sprint have both been proactive in addressing it so maybe they do know about it? If so he sure didnt make that very clear in the article.