On Wed, 17 Jul 2019 19:03:26 +0100, Roland Perry wrote:
In message , at 16:15:25 on
Wed, 17 Jul 2019, David Walters remarked:
Ooh, that's a bit strong..! What's wrong with old phones, anyway..?

For a 'dumbphone', not a lot.

Using a smartphone once it no longer receives security patches isn't
something I would do personally.

What's the main threat you are trying to avoid?

Mostly some malware getting installed via a remote or drive-by
vulnerability. There are undoubtedly other unpatched vulnerabilities in
my smartphone but I'd rather have protection from the known ones. I also
don't run Windows Vista anymore.

In message , at 11:07:01 on
Thu, 18 Jul 2019, David Walters remarked:
On Wed, 17 Jul 2019 19:03:26 +0100, Roland Perry wrote:
In message , at 16:15:25 on
Wed, 17 Jul 2019, David Walters remarked:
Ooh, that's a bit strong..! What's wrong with old phones, anyway..?

For a 'dumbphone', not a lot.

Using a smartphone once it no longer receives security patches isn't
something I would do personally.

What's the main threat you are trying to avoid?

Mostly some malware getting installed via a remote or drive-by
vulnerability.

What kinds of drive-by malware has been known to be delivered via apps
like Facebook and Twitter? What is the malware trying to achieve.

There are undoubtedly other unpatched vulnerabilities in my smartphone
but I'd rather have protection from the known ones. I also don't run
Windows Vista anymore.

A Windows PC is a completely different environment. Even though it's
also more likely to be running anti-malware than a typical phone.
--
Roland Perry

On Thu, 18 Jul 2019 13:32:23 +0100, Roland Perry wrote:
In message , at 11:07:01 on
Thu, 18 Jul 2019, David Walters remarked:
On Wed, 17 Jul 2019 19:03:26 +0100, Roland Perry wrote:
In message , at 16:15:25 on
Wed, 17 Jul 2019, David Walters remarked:
Ooh, that's a bit strong..! What's wrong with old phones, anyway..?

For a 'dumbphone', not a lot.

Using a smartphone once it no longer receives security patches isn't
something I would do personally.

What's the main threat you are trying to avoid?

Mostly some malware getting installed via a remote or drive-by
vulnerability.

What kinds of drive-by malware has been known to be delivered via apps
like Facebook and Twitter?

I'm not aware of any but I use many other apps on my smartphone such
as Chrome which has had bugs exploited in the past. One example is at
https://www.helpnetsecurity.com/2016...droid-malware/.
That still requires an extra step but a similar bug might not.

What is the malware trying to achieve.

Perhaps it will be combined with some kind of permissions exploit that
means it can harvest data from other apps which in my case would include
my banking details/tokens. I could not have banking apps on my smartphone
but I choose to for the convenience and balance some of the risk by
having an up to date OS. Your choice might be different.

In message , at 14:36:40 on
Thu, 18 Jul 2019, David Walters remarked:
On Thu, 18 Jul 2019 13:32:23 +0100, Roland Perry wrote:
In message , at 11:07:01 on
Thu, 18 Jul 2019, David Walters remarked:
On Wed, 17 Jul 2019 19:03:26 +0100, Roland Perry wrote:
In message , at 16:15:25 on
Wed, 17 Jul 2019, David Walters remarked:
Ooh, that's a bit strong..! What's wrong with old phones, anyway..?

For a 'dumbphone', not a lot.

Using a smartphone once it no longer receives security patches isn't
something I would do personally.

What's the main threat you are trying to avoid?

Mostly some malware getting installed via a remote or drive-by
vulnerability.

What kinds of drive-by malware has been known to be delivered via apps
like Facebook and Twitter?

I'm not aware of any but I use many other apps on my smartphone such
as Chrome which has had bugs exploited in the past. One example is at
https://www.helpnetsecurity.com/2016...droid-malware/.
That still requires an extra step but a similar bug might not.

That's fixed by an upgrade to the browser app, which I don't regard as
coming into the category of "software patches [that one might no longer
be getting].

My phone which isn't getting *Android* updates, has still managed to
automatically update itself to Chrome dated 4th June 2019. Which is the
latest release version.

What is the malware trying to achieve.

Perhaps it will be combined with some kind of permissions exploit that
means it can harvest data from other apps which in my case would include
my banking details/tokens. I could not have banking apps on my smartphone
but I choose to for the convenience and balance some of the risk by
having an up to date OS. Your choice might be different.

Indeed. I would never have a banking app on my phone unless it was of
very little importance. Although like Chrome, I'd hope to be getting
updates to the *app* which in turn had countermeasures for know exploits
within *Android*.
--
Roland Perry

On Fri, 19 Jul 2019 21:32:17 +0100, Roland Perry wrote:
In message , at 14:36:40 on
Thu, 18 Jul 2019, David Walters remarked:
On Thu, 18 Jul 2019 13:32:23 +0100, Roland Perry wrote:
In message , at 11:07:01 on
Thu, 18 Jul 2019, David Walters remarked:
On Wed, 17 Jul 2019 19:03:26 +0100, Roland Perry wrote:
In message , at 16:15:25 on
Wed, 17 Jul 2019, David Walters remarked:
Ooh, that's a bit strong..! What's wrong with old phones, anyway..?

For a 'dumbphone', not a lot.

Using a smartphone once it no longer receives security patches isn't
something I would do personally.

What's the main threat you are trying to avoid?

Mostly some malware getting installed via a remote or drive-by
vulnerability.

What kinds of drive-by malware has been known to be delivered via apps
like Facebook and Twitter?

I'm not aware of any but I use many other apps on my smartphone such
as Chrome which has had bugs exploited in the past. One example is at
https://www.helpnetsecurity.com/2016...droid-malware/.
That still requires an extra step but a similar bug might not.

That's fixed by an upgrade to the browser app, which I don't regard as
coming into the category of "software patches [that one might no longer
be getting].

My phone which isn't getting *Android* updates, has still managed to
automatically update itself to Chrome dated 4th June 2019. Which is the
latest release version.

There is a list of 5 remote code execution
bugs in Android that have been patched this month at
https://source.android.com/security/bulletin/2019-07-01. It's a similar
list for June, May, April etc.

What is the malware trying to achieve.

Perhaps it will be combined with some kind of permissions exploit that
means it can harvest data from other apps which in my case would include
my banking details/tokens. I could not have banking apps on my smartphone
but I choose to for the convenience and balance some of the risk by
having an up to date OS. Your choice might be different.

Indeed. I would never have a banking app on my phone unless it was of
very little importance. Although like Chrome, I'd hope to be getting
updates to the *app* which in turn had countermeasures for know exploits
within *Android*.

If someone has root on the device I don't think any individual app can
keep itself secure anymore. Many apps will try and detect a jailbroken
device and disable themselves but it isn't clear to me that that detection
is infallible. Better to take reasonable steps to secure the device
which includes security patches IMHO.

On 20/07/2019 09:25, David Walters wrote:
On Fri, 19 Jul 2019 21:32:17 +0100, Roland Perry wrote:
In message , at 14:36:40 on
Thu, 18 Jul 2019, David Walters remarked:
On Thu, 18 Jul 2019 13:32:23 +0100, Roland Perry wrote:
In message , at 11:07:01 on
Thu, 18 Jul 2019, David Walters remarked:
On Wed, 17 Jul 2019 19:03:26 +0100, Roland Perry wrote:
In message , at 16:15:25 on
Wed, 17 Jul 2019, David Walters remarked:
Ooh, that's a bit strong..! What's wrong with old phones, anyway..?

For a 'dumbphone', not a lot.

Using a smartphone once it no longer receives security patches isn't
something I would do personally.

What's the main threat you are trying to avoid?

Mostly some malware getting installed via a remote or drive-by
vulnerability.

What kinds of drive-by malware has been known to be delivered via apps
like Facebook and Twitter?

I'm not aware of any but I use many other apps on my smartphone such
as Chrome which has had bugs exploited in the past. One example is at
https://www.helpnetsecurity.com/2016...droid-malware/.
That still requires an extra step but a similar bug might not.

That's fixed by an upgrade to the browser app, which I don't regard as
coming into the category of "software patches [that one might no longer
be getting].

My phone which isn't getting *Android* updates, has still managed to
automatically update itself to Chrome dated 4th June 2019. Which is the
latest release version.

There is a list of 5 remote code execution
bugs in Android that have been patched this month at
https://source.android.com/security/bulletin/2019-07-01. It's a similar
list for June, May, April etc.

What is the malware trying to achieve.

Perhaps it will be combined with some kind of permissions exploit that
means it can harvest data from other apps which in my case would include
my banking details/tokens. I could not have banking apps on my smartphone
but I choose to for the convenience and balance some of the risk by
having an up to date OS. Your choice might be different.

Indeed. I would never have a banking app on my phone unless it was of
very little importance. Although like Chrome, I'd hope to be getting
updates to the *app* which in turn had countermeasures for know exploits
within *Android*.

If someone has root on the device I don't think any individual app can
keep itself secure anymore. Many apps will try and detect a jailbroken
device and disable themselves but it isn't clear to me that that detection
is infallible. Better to take reasonable steps to secure the device
which includes security patches IMHO.

I have a device which I know is not jailbroken but the Wetherspoon
ordering app insists otherwise.

In message , at 09:25:16 on
Sat, 20 Jul 2019, David Walters remarked:

If someone has root on the device I don't think any individual app can
keep itself secure anymore. Many apps will try and detect a jailbroken
device and disable themselves but it isn't clear to me that that detection
is infallible. Better to take reasonable steps to secure the device
which includes security patches IMHO.

My difficulty with this is that even when I had a phone which was
receiving Android updates, they were few and far between. And most
people will be in that same boat.

And yet there's not utter chaos that can be traced back to exploits.

I'm not saying that it's possible to ignore the possibility completely,
but there comes a point when a lot of phones don't have much worth
stealing from them.

I's far far more important for people to moderate their *ordinary*
behaviour on phones, to reduce the risks. As I've said in similar
contexts in the pat, patching your Operating System, or running a Virus
Checker, is very unlikely to stop you being conned into buying a fake
Rolex, or having a password written on a post-it note.
--
Roland Perry

On Sat, 20 Jul 2019 14:00:27 +0100, Roland Perry wrote:
In message , at 09:25:16 on
Sat, 20 Jul 2019, David Walters remarked:

If someone has root on the device I don't think any individual app can
keep itself secure anymore. Many apps will try and detect a jailbroken
device and disable themselves but it isn't clear to me that that detection
is infallible. Better to take reasonable steps to secure the device
which includes security patches IMHO.

My difficulty with this is that even when I had a phone which was
receiving Android updates, they were few and far between. And most
people will be in that same boat.

It's a shame that this is the case but just because most people do
something doesn't mean it is something I want to do. It would be better
if more manufacturers of Internet connected things, not just phones,
had a decent software update commitment.

On 18/07/2019 13:32, Roland Perry wrote:

What kinds of drive-by malware has been known to be delivered via apps
like Facebook and Twitter?

Brexit and Trump?



--
Arthur Figgis Surrey, UK

Arthur Figgis wrote:
On 18/07/2019 13:32, Roland Perry wrote:

What kinds of drive-by malware has been known to be delivered via apps
like Facebook and Twitter?

Brexit and Trump?

That’s too true to be funny...

--
Jeremy Double