Google will disclose vulnerabilities in third-party Android devices

Google has introduced the Android Partner Vulnerability initiative, which plans to publish data on vulnerabilities in Android devices from various OEM manufacturers. The initiative will make information about vulnerabilities specific to firmware with modifications from third-party manufacturers more transparent to users.

Until now, the official vulnerability reports (Android Security Bulletins) have covered only issues in the core code provided in the AOSP repository, and did not take into account issues specific to modifications made by OEMs. The issues already disclosed affect manufacturers such as ZTE, Meizu, Vivo, OPPO, Digitime, Transsion and Huawei.

Among the issues identified:

  • In Digitime devices, instead of checking additional permissions for access to the OTA update installation service API, a hard-coded password was used, which allows an attacker to silently install APK packages and change application permissions.
  • In Phoenix, an alternative browser popular with some OEMs, the password manager was implemented as JavaScript code that runs in the context of every page. A site controlled by an attacker could gain full access to the user's password store, which was encrypted using the unreliable DES algorithm and a hard-coded key.
  • The System UI application on Meizu devices loaded additional code from the network without encryption and without connection verification. By intercepting the victim's HTTP traffic, an attacker could run their own code in the context of the application.
  • Vivo devices had a reworked checkUidPermission method of the PackageManagerService class that granted additional permissions to some applications, even if those permissions were not declared in the manifest file. In one version, the method granted any permission to apps with the identifier com.google.uid.shared. In another version, package names were checked against a list to grant permissions.
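
The Vivo item above, as an added example that is not Android or vendor code: a simplified Python model of the two described checkUidPermission variants beside a baseline rule, with an audit that lists every permission a check grants without a manifest declaration. The `Package` class, the baseline rule, the package names and the allowlist contents are constructed assumptions; only the shared-UID string comes from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str             # package name (constructed sample values below)
    shared_uid: str       # shared user id, "" when none
    declared: frozenset   # permissions declared in the manifest

def stock_check(pkg, perm):
    """Simplified baseline: a permission can only be held if the manifest declares it."""
    return perm in pkg.declared

def shared_uid_variant(pkg, perm):
    """First variant described: any permission for apps with the named shared UID."""
    return pkg.shared_uid == "com.google.uid.shared" or stock_check(pkg, perm)

def make_allowlist_variant(allowlist):
    """Second variant described: package names checked against a list."""
    def check(pkg, perm):
        return pkg.name in allowlist or stock_check(pkg, perm)
    return check

def audit(check, packages, permissions):
    """Sorted (package, permission) pairs that `check` grants although the
    manifest does not declare them; an empty list means no over-grant."""
    return sorted((p.name, perm)
                  for p in packages
                  for perm in permissions
                  if check(p, perm) and perm not in p.declared)

# Constructed sample data, not taken from any real firmware image.
PACKAGES = [
    Package("com.example.notes", "", frozenset({"android.permission.INTERNET"})),
    Package("com.example.vendorsvc", "com.google.uid.shared", frozenset()),
    Package("com.example.preload", "", frozenset({"android.permission.CAMERA"})),
]
PERMISSIONS = ["android.permission.INTERNET", "android.permission.READ_SMS"]

if __name__ == "__main__":
    checks = {
        "baseline": stock_check,
        "shared-uid variant": shared_uid_variant,
        "allowlist variant": make_allowlist_variant({"com.example.preload"}),
    }
    for label, check in checks.items():
        print(label, audit(check, PACKAGES, PERMISSIONS))
```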

Source: opennet.ru
