Hackers urge all EVO 4G owners to root device citing security flaws

By on Jun 3, 2010 at 9:57 PM
Security June 3, 2010

revoked-evo-root

Remember how jubilant we all were the first time the EVO 4G was successfully rooted? Well we’re not smiling anymore. According to Matt Mastracci, one of the men responsible for the first successful root, customizations made to the UI at the request of Sprint have made the phone an easy target to a “whole suite of vulnerabilities” which “are so bad that an Android application could get access to [a user's personal] data with very little work.” As a temporary workaround, Mastracci suggests that EVO 4G owners root their device and is planning to release on Friday a “painless root” too dubbed unrevoked. Mastracci also said that if “Sprint gave users root access to their phone, he and the two hackers he is working with would “be sending these vulnerabilities straight to Sprint.” But until Sprint abandons its “anti-user approach”, Mastracci said he and his team would “hold the exploits close to our chest.”

[Via Electronista]

Read

Tags:
, , , , , , , , , , , , ,
35 Comments

Related Articles

  • patrick

    Who didn’t see this coming.

  • bob

    typical sprint … clueless

  • MikeD

    Not good.

  • eYe

    I ***HATE*** when manufacturers and/or carriers take matters in their own hands. Vanilla builds are actually pretty secure and well-behaved in general. Let’s take a look at custom builds:

    Motorola Cliq – Motoblur caused screen and battery leak.
    Samsung Behold2 – Not upgradable past 1.6 because of their TouchWiz.
    HD2 – not Android but WinMo but still, T-mobile’s pre-loaded apps caused system to freeze and/or crash.
    HTC MyTouch Slide – T-mobile tweaked Sense UI and it came out butt-ugly.
    HTC EVO 4G – RTFA, enough said.

    In my opinion, every phone with Android should come with SD card to install vanilla build if user desires so because just about every custom UI is a more or less fail. Original HTC Sense is nice but it’s a memory hog. Another way would be to run custom UI as an alternative home, not a launcher replacement.
    Further more…. any custom apps should be uninstallable. My wife’s Cliq has at least 6 apps that she never even opened yet, since they’re in /system/app/, she can’t delete them.

    Google needs to step in and mandate some rules there instead of blindly letting manufacturers/carriers do what they want with phones. AT&T’s backflip is a prime example of why Google should do it. Who in the world could come up with putting Yahoo search in Google phone? Only crApT&T.

    /rant

    • joeblow

      I have a Moto Z6W on Fido (Rogers Canada).

      The phone is MOTOMAGX, which is a linux distribution made by motorola. They use GPL applications on the phone.

      I cannot get the source or the developer tools required to make changes to my phone. This is in direct violation of the GPL. But nobody seems to care.

    • Jane Seymour

      @ eYe
      Your post tells the whole story about the problems with any “open” OS, not just Android, and the manufacturers that want to be “different” by adding fancy UIs, widgets, and other crap, that just makes their phone’s screen “look prettier” than the competitor’s, and hopefully sell more phones.

      The opposition may rant all they want about Apple and Steve Jobs, but the fact is that all that shit would never happen with an iPhone.

      Eventually Google is gonna have to take notes from Steve, and take control over Android and enforce their rules, so developers and phone manufacturers have to follow them, if they want fancy UIs and other stuff in their Android hordes. Otherwise Android will become such an intricate mess that it will suffocate itself, and end up as another “open” wannabe OS.

      The more I read about Android and all its shit, the more I love my iPhone.

    • luis

      thats why is alwayz better to buy an unlocked phone no carrier restrictions no carrier bullsh!t

    • jeff

      you know att owns yahoo, right ?

  • bayportbob

    “We’ll we’re……”? Come on, where did you go to school?

    • StevenHamburg

      could’ve been an auto-correction. still does not excuse them for not proof reading.

  • SKINNI

    B

  • Matt Thompson

    Scary. But I don’t expect Sprint to care.

  • Matthew Bray

    Will rooting your device cure the aforementioned vulnerabilities?

    It sounds like they are holding the security of thousands of handsets hostage…

  • Colin

    How is it that the Evo is rooted, but no one has yet to root the incredible?

    • http://www.twitter.com/jimmiekain Jimmiekain

      im waiting on a reply to your post Matthew

  • emil

    Curious that this part of the original post isn’t mentioned: “For the record, both Google and Sprint have been very proactive in plugging this hole.” Nor the anti-apple diatribe. Jussayin.

  • Kendall Spann

    woah

  • MacMan

    Sounds like apple trying to scare away buyers. Haha you fail.

  • Gomer

    And why should we trust the fagalumps who rooted the EVO? Why are they anymore believable than Sprint? Why are these people the best friends I never knew I had? Sure, let me go ahead and put an unsanctioned, untested, incomplete ROM on my new toy that costs me an extra $10 a month. Yes, I will trust complete strangers on the health and usability of my shiny happy. What was I thinking? Of course BGR knows best — the same blog that kowtows with blatant bias to all things Apple and suddenly advises any Sprint users to wipe their phones and go rogue.

    Thank you, Boy Genius. Thank you for doing the thinking for me. iThinknot.

  • NGK

    thank you gomer for rational thought….

  • hateraide

    this site must be paid off….the EVO is straight badass, I find it funny info like this is always posted about Sprint

  • Blackberry192

    BGR’s just reporting the news in this case. They don’t say you should go out and root your phone…but given its audience, it’s obviously necessary to report. The reader can make up their own mind.

    …..and I’m sure a lot of us on this site would trust “complete strangers” over sprint anyday…

  • Scorpeo

    Another sad attempt to undermine the EVO’s launch. I also want to point out, only a few sites ran with, “At&t has the fastest network.” Which was BULL-SHIT! Not even Apple friendly Engadget carried that crap.

  • RCStyle

    i think there is a consensus here, and i not rooting my phone tomorrow. BTW i got an email of this article from a friend of mine. One guess on what phone he sent if from.

  • http://grack.com Matt Mastracci

    This is the author of the aforementioned post. As much as I’d love to be paid off by Apple, I have yet to receive my cheque.

    I’m in the process of transitioning from iPhone to a Nexus One thanks to my overwhelmingly positive experiences with 2.1 and 2.2 and my general distate for Apple’s dev policies. I might have considered keeping this EVO, but Sprint doesn’t offer service in Canada, leaving me with a large (nice screen!) Wifi couch-surfing device.

    As I mentioned in the post, Sprint and Google were fast to move on the issue we reported to them. Sprint should be releasing an OTA update at some point to fix the major bug we found.

    I recommend installing the unrevoked root application we’re launching tonight to protect against one of the problems we’ve found. Not only does it give you control over your device, but it also makes your device slightly more secure in the process. It’s also a very minimal root: it installs the superuser application and the safe su binary that give you control over the device.

    We’ll be releasing details of the exploit later on.

    • six2one

      thanks for the work, ill be watching for the exploit release.

      does this have anything to do with how that screenshot app can work on the evo without being rooted (normally requires root)?

    • Scorpeo

      Why should we believe you, what proof do you have?? I’ve seen the UI referred to as “Sprints UI”, it is not. HTC designed the UI, which is also on the Droid Incredible. Are you saying Sprint specific apps potentially cause a security concern? I do not believe it, one bit!

    • six2one

      “you are a cool kid for reading this… sorry my CSS-fu is not very good.”

      lol, nice

    • http://twitter.com/sprint Sean Doherty

      We want to reassure everybody about some questions that have been raised about HTC EVO 4G.

      We have a software update being deployed that corrects an issue with some MicroSD cards and also deploys a patch that will fix a potential security vulnerability.

      Sprint moved swiftly to make sure this was addressed.

      Sean Doherty
      Sprint Corporate Communications

  • turtle3

    I’m not believing this crap. He’s feeding on the Evo frenzy right now and probably trying to convince thousands of people to either brick their phone or LOAD AN EXPLOIT rather than fix one.

    Timing is all too convenient. I’m calling BS.

    PEOPLE READING THIS – YOU ARE SILLY TO BELIEVE THIS AND IMMEDIATELY ROOT YOUR PHONE. THERE IS NO PROOF, SO BE VERY CAREFUL WHAT YOU DO WITH YOUR NEW DEVICE.

  • trogg

    Firstly, rooting your phone is good practice I hate not having control of a computer I’ve paid a lot of money for.
    Second, if you don’t trust the source head over to xda and find a Rom there, if anyone added an exploit some dev will have found and removed it.

  • Matt

    You don’t see these issues with BlackBerry devices

  • rob

    The android sucks bad.

    It is everything that Window XP was. Slow, buggy, solves software problem by encouraging you to increase cpu speed and full of virus.

  • clamknuckle

    Android is “full of virus”?

  • Jeremy

    OK android rocks and so does the evo.i rooted my phone and have so many more options. if you like the junk the carriers give you then keep it. bottom line is if you want to improve performance, battery life, and capabilities then you should root your evo.

blog comments powered by Disqus