Am I being paranoid? Or should I take steps to ensure that my phone is safe?

THE PROGRAM DOES NOT REQUIRE ROOT AND IT MAKES USE OF A FLAW IN BOTH ROOTED _AND_ NON-ROOTED PHONES

the article even said this: “The program is a “root” utility that disguises itself as a program to help easily root your phone” . . . “that’s if it even goes through the process of rooting at all”

the example given at the conference was a fake rooting program but it could be _any_program_ because it does _NOT_ require root

i hope that was clear. please forgive the caps

How quickly can we expect to have critical security patches sent to us OTA? With the development pipeline going from Google to the Hardware Manufacturers, to the Carriers… a simple fix could have multiple hands in the pot, all taking their sweet damn time to correct potential issues. We all know how horribly long it takes to get OS updates to our handsets after they are released by Google – how about a critical security patch?

(And for all you “I’m better than you” root users – you’re part of the problem here. I’m not going to void my warranty so that I can apply patches straight from google.)

However, here we have a glaring example of where it FAILED. Peoples lives could potentially be ruined by this security bug. Real impact to real people trying to live their lives, conduct business, all on a phone that they think is going to, at the very least, keep their SMS messages and Email private to themselves and their respective recipients.

Open source touts its “security” manta by claiming that since there are multitudes of sets of eyes looking at the source, potential security holes are caught and corrected by the community. It didn’t happen here. The tool was released to a bunch of people at a Conference that is stacked with Federal agents to arrest *criminals*. Sets of eyes reviewing the vulnerabilities in the system is great – except with those eyes have mal-intents.

Thats not secure. The open source model didn’t work here. While you might agree with the virtues of the ideology, when put to practice, in this case it failed.

If anything, Google needs to own more of the Android experience. Do not leave the new edition upgrades to the carriers anymore & better scrutiny of the apps. We don’t need to go to Apple extremes, but a better system of checks and verification are needed.

We need to have levels of permissions for developers based on upon their experience & earned trust. Frankly, the open season part of open source creates inherit security risk no different than closed source.

Without the ability to get root, the subsequent security flaws don’t exist.

On the other hand, people wouldn’t be so interested in having the ability to get root if the carriers weren’t such complete d*cks about crapware, disabling features, and other highly valid reasons to break out of their mostly-inept lockdowns.

This presentation came in two parts though, the rootkit being the second half. The first half was about apps that ask to use your data on the phone ie: contacts, network, etc. THis is much more of a concern to me than the rootkit, as developers will steal and hide data within apps we all download. One example they gave is a set of wallpapers that gathered IMEI and serial numbers off the phone and sent it back to a site in China (go figure). These wallpapers had millions of downloads. This has been sent to google and the developer is under investigation. The developer claims it uses that data to “save settings when moving to a new phone”

my 2 cents.