How to Protect Yourself from "Stagefright"
Well, this is just horrifying. The Hangouts app is most vulnerable to this bug; you don't have to do anything but receive an MMS message to be exploited. The Messaging app is almost as bad: you have to view the message, but you'll be exploited even if you don't tap the attachment. Since you must generally view the message to determine whether it has an attachment, that level of resistance has limited value.
Google has already made security patches available to vendors and carriers, but the phone ecosystem being what it is, they won't arrive on your phone for a long time, if ever. (I'm not sure why this can't be worked around with an update to the Hangouts and Messaging apps themselves, but I'm sure if it were that easy, they'd have done it already.) Meanwhile, protecting yourself from the bug -- code-named "Stagefright," after libstagefright, the Android media library it exploits -- is up to you.
Now, I'm not pretending to be a phone security expert. And I'm not speaking for Google here. (I don't get paid anywhere near enough to do that job, thank you.) But I learned that the app TextSecure isn't vulnerable to this bug: it downloads the attacker's file only if you actually tap the attachment to open it, which is as it should be. As a bonus, you can later set up to exchange cryptographically secure messages with other TextSecure users (and with Signal users on iOS), further thwarting the NSA.
So here's what I believe you can do to avoid this bug. The instructions below might vary somewhat by Android version; they work for my phones, but might need some modification for yours. Updates in the comments would be welcome!
First, install TextSecure. You can get it from the Google Play App Store as usual, or from Google's Play Store Web site, which will let you install it on your phone: https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en
Second, make TextSecure your default SMS/MMS app: Settings -> "More ..." -> Default SMS app. Select TextSecure from the popup list.
You are now done. Phew! But read on for how to get bonus points.

For Bonus Points
Before I switched to TextSecure, I figured it was probably also a good idea to disable auto-download of MMS messages in both Hangouts and Messaging, just in case. (You can also do these steps after you've installed TextSecure as above, if you've already done that.)
In Hangouts:
1. Menu (three horizontal bars at upper left) -> Settings.
2. If Hangouts isn't already your SMS app, you need to tap "SMS disabled" and say "Yes"; otherwise, the menu item should already say "SMS enabled" and you can skip this step.
3. Uncheck "Auto retrieve MMS."

In Messaging:
1. Menu (three dots at bottom right) -> Settings.
2. If Messaging isn't already your SMS app, you need to tap "SMS Disabled" and say "Yes"; otherwise, the menu item should already say "SMS Enabled" and you can skip this step.
3. Uncheck "Auto-retrieve."
Crucially, as the last step, switch back to TextSecure as your default SMS app, as described above.
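If you want to confirm from a computer that the switch actually took, the script below is an added example (not part of the original post, and not TextSecure's or Google's code). It assumes you have adb installed and USB debugging enabled on the phone; on Android 4.4 and later the current default SMS/MMS app is stored in the "sms_default_application" secure setting, which adb can read without root. The TextSecure package id is the one from the Play Store URL above; the Hangouts (com.google.android.talk) and stock Messaging (com.android.mms) package ids are assumed for the warning messages. When no device is attached, the script falls back to a constructed sample value so it still runs offline.

```shell
#!/bin/sh
# Added example: check which app currently owns SMS/MMS on an Android phone
# via adb, so you can verify that the "Default SMS app" switch took effect.

TEXTSECURE_PKG="org.thoughtcrime.securesms"   # from the Play Store URL above

# Read the default SMS app package from the device. On Android 4.4+ this is
# the "sms_default_application" secure setting. If adb or a device is not
# available, return a constructed sample value (Hangouts still default) so
# the rest of the script can be exercised offline.
get_default_sms_app() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell settings get secure sms_default_application | tr -d '\r'
    else
        echo "com.google.android.talk"   # constructed sample, not a live reading
    fi
}

# Print a verdict for a package name. Returns 0 only when TextSecure is the
# default; any other value returns 1 so the result can drive a shell test.
classify_sms_app() {
    case "$1" in
        "$TEXTSECURE_PKG")
            echo "OK: TextSecure ($1) is the default SMS/MMS app"
            return 0 ;;
        com.google.android.talk)   # assumed package id for Hangouts
            echo "WARNING: Hangouts ($1) is default; with MMS auto-retrieve on, no tap is needed to be exploited"
            return 1 ;;
        com.android.mms)           # assumed package id for stock Messaging
            echo "WARNING: stock Messaging ($1) is default; the MMS is fetched as soon as you open the thread"
            return 1 ;;
        null|"")
            echo "WARNING: no default SMS app set (pre-4.4 device, or setting missing)"
            return 1 ;;
        *)
            echo "WARNING: unrecognised default SMS app: $1"
            return 1 ;;
    esac
}

# Stand-alone run: report on the attached phone (or the sample value).
classify_sms_app "$(get_default_sms_app)" || :
```

Run it with the phone plugged in; a non-zero exit status means something other than TextSecure still owns messaging, so redo the "Default SMS app" step. Note the limit of this whole workaround: changing the default app closes the no-tap path, but the media library itself stays unpatched until the vendor update arrives, so a video attachment you deliberately open is still parsed by the same code.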
Boy, does this situation suck. It reminds me of the bad old days of Windows viruses ("don't click on that link you got in email!"). The engineering failure behind it isn't as stupid as those were -- it's a somewhat more sophisticated kind of error -- but the end result for users is basically the same.
Oy vey. :-(