Agreed. We need monthly evidence of security patches. The Mudita team is handling this in the worst way possible by not even acknowledging this issue.
Copied from another comment I wrote.
Thanks!
So skipping sideloading now, I’m guessing contacts, notes, photos, and text messages can be obtained, correct?
I’d love to see details of all this. Clearly ways for RCE are vastly limited but not entirely gone.
Imagine, two weeks ago I met a guy who is still using a few-years-old (just a few?!) phone running Android 11…
Agreed, yet if Kompakt OS was built somewhere in 2024 (?) then the Dec 2023 CVEs should already be taken care of. Hoping to get confirmation of the March 2025 update being part of the OS build. Still, I’d love to see how often those RCEs are practically used aside from e-mail/webpage phishing-like campaigns. Since the era of viruses and trojans I had a long sleep, and now I wake up and it seems phishing is the no. 1 way of getting what’s desired.
Good choice. I’ve uninstalled sensitive apps I’ve sideloaded like Signal. For now I’m leaving Apple Music and Pocket Casts. Hopefully we can get a clear answer from Mudita about if the OS will be upgraded to 13 or 14.
If not I think I might return the device. Being able to sideload media apps was a big selling point for me.
RCE can still happen via Bluetooth or WiFi. If you need rock solid security I would disable those radios.
Security should be number one for any phone manufacturer… With the current state it is difficult to connect your bank to an unsafe phone.
I know how that sounds, but I don’t need rock solid security. I don’t believe in ultimate security unless it’s multi-layered, and with any smartphone there are entry points where even rooting and playing with iptables might not be enough…?
Even if it wasn’t, you may not want to sideload an app from outside the official Google store; I wish I were lucky enough to get the bank to publish their .apk outside of the stores.
That was my point about making a special note regarding “zero-click” vulnerabilities. These don’t require you to click on anything at all, and they exploit base Android code, so there’s a very slim chance Mudita addressed these in any way.
The strange bit is that Mudita did do a recent kernel build but the Android security version is still from 2022; the following screenshot was taken today:
This is a great example: a zero-click RCE against Samsung smartphones using RCS. When a voice message is sent through RCS (the SMS replacement), the decoder for the APE audio format has a flaw allowing an out-of-band write; the recipient doesn’t need to interact with the phone in any way, but they could still be compromised.
https://cybersecuritynews.com/zero-click-rce-vulnerability-in-samsung-smartphones/
Han, what is the risk of sideloading Signal and Pocket Casts? I ask because I’ve sideloaded those two apps. I’m an ex-iPhone user, so I’m new to Android and the sorts of threats being discussed here.
BTW how does all that apply to Israeli Pegasus spyware? It used to be popular among our state-owned agencies. Sounded like piercing through anything on Android and iOS.
They are not putting users at risk. IF YOU DECIDE to sideload apps, that is your decision; just because they are giving you the option to do so does not mean they are responsible if you decide to put apps on your phone that will cause security concerns. That’s a weak argument.
You couldn’t even figure out how to uninstall apps with ADB and are grossly uninformed about Android’s security model, yet are calling my arguments weak?
I’m trying to encourage Mudita to do the right thing and make a secure product, blind loyalty isn’t helping anyone.
Unless the vulnerability is found within those specific apps, they change very little. If there’s a vulnerability outside of those apps, maybe they could enable a delivery method: think of a vulnerability found within the base Android WebView, where it doesn’t matter if a link is sent through SMS, email, or Signal. Now, if a vulnerability was found within Pocket Casts that is similar to the Samsung RCS vulnerability I previously mentioned, where an audio decoder doesn’t handle input properly and a malicious file is introduced through one of the podcasts you’re subscribed to, then the sideloaded app would be the problem.
Let me know if some terms or explanation isn’t clear and I can reword it.
Please refrain from personal attacks on this forum. Many others and I come here to engage in healthy discussion about the Kompakt, and flame wars do not foster that atmosphere. In the end… it’s just a phone.
I understand your frustration, but please refrain from personal attacks. It is clear that you have extensive knowledge of Android security and know more about this topic than 99 percent of this forum, but at some point your point is made: Mudita OS is, as of right now, insecure regardless of whether apps are sideloaded or not, and Mudita has no clear roadmap to make its OS adhere to the newest Android security standards, which puts any Kompakt at risk of an attack.
Now, I believe a Mudita team member has elsewhere given you an update on this matter. However, it would not surprise me if this does not satisfy you, so to be helpful to all of us I wish to ask you to a: keep asking critical questions to the Mudita team about security and b: tell us (and Mudita) how to use our device knowing it is unsafe. For instance, it is clear to me that banking is an absolute no-go on this device.
Some say it is unsafe to sideload banking apps at all, since you usually obtain them from 3rd party apk resources where it is virtually possible that someone could have played with the source code (?). I do hope, though, that it’s possible to rip an .apk off of a working smartphone.
I would never, ever sideload a banking app. Never. I also saw a livestream on YouTube by Mudita in which one of the employees recommended NOT to use a banking app on the device. I have a second device that has the latest Android patch without a sim card and that is the only device that has a banking app.
So for those reading this: DON’T USE A BANKING APP ON THE KOMPAKT.