[security] Stagefright detector released, SFOS apparently affected [duplicate]
The discussion in https://together.jolla.com/question/102740/security-is-alien-dalvik-affected-by-stagefright-vulnerability/ was closed with the conclusion that Alien Dalvik should not be affected.
However, after the presentation at BlackHat USA, a tool was released to check if a device is affected by this issue or not (https://play.google.com/store/apps/details?id=com.lookout.stagefrightdetector). I downloaded the apk and run it on my Jolla and the result is that it seems to be vulnerable:
It could of course be that the tool doesn't work properly in an 'emulated' environment like Alien Dalvik, but now it's up to Jolla team to do a proper check.
BTW: my device is running current latest SFOS 1.1.7.25
You have already an offcial response "Initial analysis is that SFOS is not directly affected by this vulnerability as the MMS'es are not received and handled by the aliendalvik. "
tvicol ( 2015-08-06 10:32:07 +0200 )edit@tvicol If I understand you correctly it's just not affected cause of a missing feature (automatic sms/mms handling) ? Hopefully devs will keep that in mind when adding the feature.
V10lator ( 2015-08-06 11:18:29 +0200 )editThis tool is unreliable in virtual/emulated environments. Tool sending a real MMS and trying to use that message in "vulnerable" way would be better for testing Alien Dalvik (and that tool would most likely result as "not vulnerable")
However, good that you brought the result with this tool here, it might prevent later missunderstandings. I suggest copying the screenshot also to the original question, explaining why the tool isn't reliable on Jolla
simo ( 2015-08-06 12:50:25 +0200 )edit@V10lator, looks like they are aready working on a patch: Comment by tigeli, "Sure.. and we are preparing a fix already for the aliendalvik." https://together.jolla.com/question/102740/security-is-alien-dalvik-affected-by-stagefright-vulnerability/?answer=102744#post-id-102744
mosen ( 2015-08-06 15:47:44 +0200 )edit