“This could allow hackers to change the GPS data on your phone and lead victims to a different location”
A new report that claims OnePlus has been overriding the standard policies of AOSP (Android Open Source Project). The Chinese manufacturer is reportedly shipping its phones with gps.conf, a text based configuration file. Now, this file should only be used for debugging, but comes as standard in OxygenOS. This is a problem and one that can cause problems for OnePlus smartphone users.
The OnePlus phones are forcibly enabling insecure XTRA data servers, which have been not been in use on Android from a long time. Yes, you can still use them, but this leads to the phone downloading required almanac data via insecure HTTP channels. Now, imagine that you are using your OnePlus device to navigate to a location and a network attacker has managed to get a hold of this data. The attacker can easily lead you to a location of his choice, which can turn out to be dangerous.
The report states that a LineageOS contributor has verified this issue and even filed a bug report on the OnePlus Forum last month. However, OnePlus replied saying that it is aware of this, but stated that the gps.conf isn’t being used for AGPS data. The response came earlier this week, but it turned out that the claims from OnePlus weren’t true. Further testing revealed that the overriding is still happening. The company did also state that a fix is underway and will be available in future software updates.
OnePlus said, “For the downloading under XTRA, the device is reading the address in Modem NV config, which is going through HTTPS instead of HTTP, and GPS.conf has been already ignored, so the XTRA config won’t be working. Thanks for the feedback anyways, and we will Synchronize the GPS.conf to HTTPS in the upcoming updates to fix the issue.”
Using HTTP instead of HTTPS is already a big deal and is considered malpractice as it can lead to network attacks. This overriding is also seen in OPPO phones, which is a part of BBK Electronics that owns OnePlus.
from 91mobiles.com http://bit.ly/2U27ZS5
via gqrds
No comments:
Post a Comment