Tuesday 28 July 2015

Worried about Stagefright Android bug?

If you have a Sailfish OS device, don't worry about MMS, but...

...manipulated media files watched using Android apps might still be a risk. Please use Sailfish OS apps.

But if you have any friends using Android devices, please warn them about this. Stagefright is a serious "remote code excution" bug, and on Android phones a simple MMS message received automatic can cause a problem to about 95% of Android phones out there.

Worried about Stagefright Android bug?

Worth a read? Please share:

We're more than happy to share Jolla's QUICK answer, given in half an hour, about the effect of Stagefright on Sailfish OS devices like Jolla Phone:
Initial analysis is that SFOS is not directly affected by this vulnerability as the MMS'es are not received and handled by the aliendalvik. 
Eventually we will patch the vulnerability in the aliendalvik when there's a patch available.
[Answered by Jolla employee on the community portal TJC ]

Jolla Phone is not affected by MMS messages, as this part of the vulnerability takes place on Android when it handles MMS messages. All MMS messages are handled by Sailfish OS on Jolla Phone.

Still, Alien Dalvik (Android support) on Jolla might be vulnerable regarding other media files, among 950 000 000 other Androids running out there, so you shouldn't open for example videos from risky sources using an Android app on Jolla. Opening those with Sailfish OS players are not reported to include a risk.

When you warn your friends using Android phones, advice them to disable MMS auto-retrieval on their message settings, and also to avoid risky media file sources in the internet.

As this is not an Android blog, I just mention that this bug is for example capable of hijacking a microphone in most of Android phones. Please read more about this serious bug for example on this great article by Forbes

Share and Shout! Your friends might read it.

By: Review Jolla
Sources: Forbes, TJC
Published: 2015-07-27 22:52 UTC
Updated: 2015-08-06 14:00 UTC

1 comment:

  1. And yet giving *me*, the user, root access is somehow "too dangerous"