Stagefright: Not So Frightening for Dark Android

There are some days where you just wake up in the morning, look at the various security news going around online, and you practically want to spit out your tea and scream, “Holy Hell!”

Yeah, today–after reading about the potential Stagefright vulnerability on Android–was one of those mornings. And this is really why I started the Dark Android Project in the first place: Bringing you real solutions to real problems that affect your privacy and security through your Android device (and more).


So what we have here is a media playback tool that is a core part of Android–called Stagefright–that can be accessed via a sometimes silent MMS message (as in, bypassing you even seeing it being received). MMS is just an SMS text message that has some kind of rich media content in it. Depending on how interconnected Stagefright is to various parts of your particular Android device, the potential exists for some serious undesired access to the data on your smartphone, and thus for some serious damage to your life. And this vulnerability affects 95% of Android phones; the only ones not affected are those running a rather ancient version of Android: Android 2.2!

Now, let’s be clear, most news sources are going to blow this way out of proportion. On many phones, Stagefright doesn’t have a lot of permissions across the smartphone overall, and so an intrepid bad actor trying to access your phone with this vulnerability by sending an MMS message to your phone number isn’t going to be able to access much, or collect much data (though they may still be able to activate your cameras or microphone). So you can take a bit of a breather here and at least not worry so much about sensitive data getting into someone else’s hands.

Before I get into solutions, the ultimate solution really should have come from Google, who were made aware of this Android exploit in April 2015. A common “grace period” for large tech companies to handle vulnerabilities, even at the largest of scales (and 950,000,000 Android devices is a pretty large scale), is 90 days. Well, it’s been decently past 90 days. The next in line to solve the Stagefright issue would be the hardware manufacturers themselves, and they’re also falling asleep on the security job here (not a surprise, of course).

So has anyone paid any attention to all of this? Actually, yes. The company that created the privacy-conscious Blackphone (and overall thorn in the side of the NSA and others), Silent Circle, has already patched this issue on their consumer Android device. Kudos to them.

The more interesting company that paid attention to this problem was Mozilla, the company that develops Firefox. As of version 38 for Android, Firefox has patched the Stagefright issue within its browser, since Firefox used Stagefright for playing videos within the browser. The reason that this is interesting is that many bugs and security vulnerabilities (e.g., the Verizon “Supercookie”) have been historically bypassed–and thus didn’t affect Firefox for Android users–by the fact that Firefox uses different and independent certificate authorities from the rest of the Android operating system. While with the Dark Android Project I generally recommend using IceCat, Orfox, or the AdBlock Browser in place of Firefox, the point remains the same: Use apps that are independent and take security and privacy seriously. I’m not saying Google doesn’t take at least security seriously, but their style of having security (system-wide sharing of certificates, etc.) has been found wanting.

So a real easy way of cutting this Stagefright vulnerability off at the pass is to use Firefox for Android, or to use Firefox-based browsers, anyway. As we talk about often with Dark Android, the web browser may be the most important piece of software on your mobile device, and keeping it protected from everything else that goes on with your smartphone is key to having actual security and privacy of your data.

Now, what’s the real solution? Well, if you follow all of the steps laid out on the main Dark Android Project page, Stagefright isn’t really an issue because you’re using a SIM-cardless tablet, and you’re not even using Google Hangouts (because you don’t use the Google Play Store). So you can’t really receive MMS messages in the first place. So anyone doing a full Dark Android loadout on their tablet has (in this case) nothing to worry about. And going the Dark Android route (which takes some reading and doing) is really the ultimate solution to this.

In the end, SMS/MMS is an antiquated technology. That doesn’t mean it doesn’t have its place. If you don’t have a data connection, but you still have a phone connection on your smartphone, it could be a life saver, admittedly (which by default makes it very popular in developing geographies). It also works wonders if you mainly use a feature phone (which isn’t a bad idea), but of course a compromised feature phone isn’t as concerning as a compromised Android or iOS device, given all of the data those devices collect. And perhaps SMS’ most useful feature to date is its use in 2-factor authentication. Have the service or website send a text message with a code and you are far more secure than if you were just using a username and password. That use case is now being replaced, however. With the advent of hardware 2-factor authentication like YubiKeys, or the soon-to-be-released SQRL, or even just QR codes alone that use authentication code apps, the need for SMS/MMS is dwindling, and devices no longer having it will become the norm.

Perhaps in the end this has nothing to do with SMS/MMS, though. When considering the recent revelations about the NSA, or even private groups like Hacking Team, the real problem may be that the market signals aren’t getting sent to Google and others that we won’t accept any company sitting on their ass when these vulnerabilities are revealed. And those market signals get sent by using the services and devices of companies that do take these seriously (Silent Circle’s Blackphone, Mozilla’s Firefox or Firefox-based browsers instead of Chrome, etc.). Some cost money, but some don’t, and are immediately actionable.

Again, this probably isn’t as scary as many are laying it out to be, but keeping on top of your privacy and security still ultimately counts on one thing: Your choices.

Carpe lucem!