How secure is Android?

You are currently reading a thread in /g/ - Technology

Thread replies: 31
Thread images: 1
I heard that on Windows a malicious .exe file can affect the system and other programs once installed.

Assuming a user installed a malicious .apk file on their non-rooted Android device, would the malicious application be able to affect other apps or the system?

Can it happen on a rooted device?
>>
if you don't have a Nexus device, it's not secure:
http://androidvulnerabilities.org/
>>
>>53274168
>Assuming a user installed a malicious .apk file on their non-rooted Android device, would the malicious application be able to affect other apps or the system?

>Starting up a Java executable can require loading a lot of class modules, which takes time; replicating that loaded code across each process can also consume a lot of memory. Zygote addresses these problems by having a single process that loads all of the class libraries. When it is time to launch a new app, the Zygote process forks, then begins running the app code directly (without an exec() call).
>This model is certainly efficient, in that new apps can launch quickly and they will have all the needed classes already loaded and ready to go; those classes also need only be stored in memory once. The problem with taking away the exec() stage, though, is that it defeats ASLR; every app running on a given system will have the same randomization offsets. An attacker who is able to run an app on a targeted system, or who can extract the layout information from a running app, will know the layouts used for all running apps, present and future.
>>
>>53274168
Security Engineer here, like everything, it is only secure as the users utilize it and how policies and security controls are implemented.

That being said, there is also the popularity factor, you could have x device and since it is not that popular among many then it is secure (for now). The more popular a device gets, the more it will become a target for criminals.

I tend to lean on the Android side because you can modify it easier (depending on the company and phone model). However, be aware that nothing is secure.
>>
>>53274300
Please translate it in human language so that a human like me can understand.
>>53274306
But is Android more secure than Windows?

There is a hacker constantly haunting me right now. I'm wondering if I switch my laptop with an Android tablet I will be able to put him out of my life.
>>
>>53274306
I mean can an app modify the system partition on a non-rooted device? I think this is the case because of sandbox. Is it?
>>
>>53274743
just install linux on your laptop

>>53274755
no it can't because android is based off linux which was designed with security in mind
>>
>>53274743
>Please translate it in human language so that a human like me can understand.
Attacks that rely on some other part of system being broken are made easier by this.
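
The fork-without-exec behaviour described in the Zygote quote above, shown on ordinary Linux as an added example (not part of the original thread and not Android's own code): a child created with fork() keeps its parent's code, libc and stack addresses, and even a fresh mmap() lands at the same address in both. The names `snapshot` and `fork_child_shares_layout` are made up for this illustration.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

struct layout { uintptr_t code, libc, stack, fresh_map; };

/* Record where code, libc, the stack and a brand-new mapping live. */
static void snapshot(struct layout *l, void *stack_marker)
{
    l->code = (uintptr_t)&snapshot;   /* address inside this binary */
    l->libc = (uintptr_t)&getpid;     /* address inside libc */
    l->stack = (uintptr_t)stack_marker;
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    l->fresh_map = (p == MAP_FAILED) ? 0 : (uintptr_t)p;
}

/* 1 if a forked child sees the parent's layout, 0 if not, -1 on error. */
int fork_child_shares_layout(struct layout *parent_out)
{
    int fds[2], marker = 0;
    struct layout parent, child = {0};
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();               /* no exec(): layout is inherited */
    if (pid < 0) return -1;
    if (pid == 0) {                   /* child plays the freshly forked "app" */
        snapshot(&child, &marker);
        ssize_t w = write(fds[1], &child, sizeof child);
        _exit(w == (ssize_t)sizeof child ? 0 : 1);
    }
    snapshot(&parent, &marker);       /* parent plays the zygote-like process */
    close(fds[1]);
    ssize_t n = read(fds[0], &child, sizeof child);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child) return -1;
    if (parent_out) *parent_out = parent;
    return parent.code == child.code && parent.libc == child.libc &&
           parent.stack == child.stack && parent.fresh_map == child.fresh_map;
}

int main(void)
{
    struct layout l;
    int same = fork_child_shares_layout(&l);
    printf("code=%#lx libc=%#lx stack=%#lx shared=%d\n", (unsigned long)l.code,
           (unsigned long)l.libc, (unsigned long)l.stack, same);
    return same == 1 ? 0 : 1;
}
```

Running the binary twice prints different addresses each time (ASLR applies per exec), while parent and child within one run always match.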
>>
>>53274860
>just install linux on your laptop
What kind of Linux do you recommend?
I just want to install the most secure one.

Will the hacker no longer be able to access my laptop is I install Linux?
>>
>>53275077
*if I install Linux?
>>
>>53274743
Make sure you secure your router with a strong password, access control lists (ACLs), and disable unused services. Usually in a NAT environment, if the cracker gains access to the router he can misconfigure it to leak information.

In regards to software security, I recommend Android and Linux, just make sure to stay up to date with current patches, implement policies, and do not fall for social engineering attacks (i.e. fake email sending you to a rogue site, phone calls or whatever that leads you to actually run a piece of code).

Lastly, implement a layered security approach, for example: Antivirus (definitions updated daily), Firewall, and browser addons such as HTTPS Everywhere, uMatrix. The goal here is that you are limiting traffic via a firewall, using antivirus to detect known viruses, and blocking scripts in case you do fall for a social engineering attack, their client side exploit will not work unless you allow it via uMatrix.

There is really no magic pill against crackers, all you can do is just implement security controls that can only buy you time and deter script kiddies.
>>
>>53275077
Debian GNU/Linux is a good distribution. While Ubuntu is more user friendly, they have steered away from security a bit (however it is still greater than Windows).

Make sure you take the time to read up information about supported hardware and familiarize yourself with the different commands on the terminal (in Linux you will be spending a decent amount of time in the terminal).

I wish you the best of luck, I'll be monitoring the thread for a bit in case of any questions.
>>
>>53275294
well basically this is my situation
http://pastebin.com/7AqkQA0F

am willing to install Linux or anything to be rid of this fucker
>>
>I heard that on Windows a malicious .exe file can affect the system and other programs once installed.

Much as we would like to bash on Windows for being insecure, it has a permissions model just like all of the *nix systems. You run an .exe, it doesn't automatically get access to all your fucking files. You give it administrative privileges, it can install drivers and do whatever it wants. But even without administrative privileges, it can still fuck around with your user-land files, including deleting and encrypting them (i.e. what cryptolocker does). But this isn't a security vulnerability. This is the computer doing what you told it to do. It's just you told it to do something stupid, and it made no attempt to correct you.

>Assuming a user installed a malicious .apk file on their non-rooted Android device

You know, I've seen a couple of people go make these assumptions all the time. "Non-rooted Android device". It honestly doesn't matter if the device is rooted or not. Just because you have root on your device doesn't mean every application now has root access. You still have to tell it explicitly, "yes, I would like you to give this application root." But I digress...

>would the malicious application be able to affect other apps or the system?

What permissions did you give it? Did you let it fuck with the filesystem? It has a limited functionality. It won't touch other applications' shit though.

>Can it happen on a rooted device?

IF and ONLY IF you give it root privileges.

God damn, you guys have been using desktop operating systems for fucking years. All of a sudden, you switch to phones and assume it's a WHOLE NEW FUCKING WORLD OF SECURITY.

Android is a custom graphical shell sitting on top of Linux. Every application is its own user, and their directories don't get to be touched by other applications. The exception is if the application gets root, because root is allowed to do anything it fucking wants.
>>
>>53275406
if my phone's bios is infected, is my only option is throwing it away?

if I install Ubuntu, will the hacker lose access to my laptop? do I have to reset my computer first before installing it?

can i install ubuntu and remove windows 10 on my laptop?
>>
>>53275522

>if my phone's bios is infected, is my only option is throwing it away?
It is possible to flash new firmware. The question here is how the hell did the hacker get access to your firmware in the first place?

>if I install Ubuntu, will the hacker lose access to my laptop?
If a hacker had any sort of backdoor to your laptop, then any install of a new OS, whether it be Ubuntu or just reinstalling Windows will make you lose access. This will not, however, remove the stupidity that caused you to get backdoored in the first place. The problem is not the software you are using. The problem exists between the keyboard and the chair.
>>
>>53275551
i didn't know how to root so i asked some shady person to root it for me.
i regret much much do i
>>53275551
>The problem exists between the keyboard and the chair.
sorry for being tech-dumb
i summarized my situation here >>53275404
but to sum it
i think the hacker has compromised our Wi-Fi router, so he could trick my mother to download a trojan through the internet it is almost certain
after that i have no idea, maybe he could hack my Windows 10 laptop through the compromised Wi-Fi?
>>
>save all your important shit to an external storage.
>turn off everything.
>go to a friend's house; one that has common sense.
>borrow computer & interwebs
>change all passwords
>go home and fresh install everything; OS & firmware.

stop downloading shit you know you're not supposed to
>>
>>53275615
>fresh install everything; OS & firmware.
what should i do to
i get it that i should install ubuntu on my usb but how do i empty my laptop first?
also when it is empty (containing no os) can i just turn it on and plug in the usb containing ubuntu?
>>
>>53275615
Going to a friend's house to change passwords is risky... What if his friend's PC is infected or if the guy runs a keylogger?

What if OP accidentally leaves the account logged in?
>>
>>53274168
>Assuming a user installed a malicious .apk file on their non-rooted Android device, would the malicious application be able to affect other apps or the system?
Only if it contains an exploit to get root access, which does exist.
That's why you don't install apks from unknown sources unless you're absolutely sure about them.
>>
>>53274306
Does anybody think or know if cm security works?
>>
>>53275759
>an exploit to get root access, which does exist.
how
where
>>
>>53275759
How do you know if an apk is bad or has a virus?
>>
>>53275790
you can't
>>
>>53275790
By decompiling it, which is easy and takes about 5 minutes in Google to get the tools and 10 seconds once you have them.

>>53275785
I don't believe the method is public but it was found in some Chinese apks that would gain root access to install malware. They weren't distributed through Google Play but some other app stores.
>>
>>53275573
>i didn't know how to root so i asked some shady person to root it for me.
why do people like you even exist
if you can not do something as simple as following one of the thousands of how-to-root tutorials you do not NEED nor WANT to root
does no one read the fucking warning that says "for experienced users only"?
>>
>>53275884
i said i regret much
>>
>>53274755
>I mean can an app modify the system partition on a non-rooted device? I think this is the case because of sandbox. Is it?
In general no, because every app runs under its own user and group.
They can see many parts of the system partition, some parts do require higher permissions to even read.
App data directories (/data) cannot even be viewed/read by an app without root access, so a general app cannot see another app's storage without higher privileges. This does not apply to the general storage (/sdcard or /storage), anything there is fair game.
>>
>>53275776
CM is horribly broken security-wise:
Android uses signatures at its core for security and CM uses some publicly known private keys (test-keys)
>Since the test-keys are publicly known, anybody can sign their own .apk files with the same keys, which may allow them to replace or hijack system apps built into your OS image. For this reason it is critical to sign any publicly released or deployed Android OS image with a special set of release-keys that only you have access to.
https://source.android.com/devices/tech/ota/sign_builds.html
>>
>>53275884
if you can't just unlock the bootloader and have to use some exploits from who knows where, you aren't much better.
This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.