this post was submitted on 01 Oct 2025
30 points (100.0% liked)

Android


A OnePlus spokesperson gave 9to5Google the following statement:

We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.

As for how this happened, essentially, OnePlus seemingly modified the stock Telephony app back in the Android 12 days — this bug doesn’t exist in OxygenOS 11 — to add additional content providers into the service, including the following three listings:

  • com.android.providers.telephony.PushMessageProvider

  • com.android.providers.telephony.PushShopProvider

  • com.android.providers.telephony.ServiceNumberProvider

Modifying this package isn't inherently bad, obviously, but when you're dealing with something that can provide read and write access to messages stored on device, you need to take additional steps to ensure you aren't leaving vulnerabilities — and that's exactly what happened here. While OnePlus assigned read permissions for SMS messages to these providers, it failed to add write permissions, which, as Rapid7's blog post states, "may allow client apps to perform write operations, if the relevant write […] operation is implemented within the provider."
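An added audit check for the misconfiguration just described (not code from 9to5Google, Rapid7 or OnePlus): it parses a decoded AndroidManifest.xml and flags exported providers whose readPermission or writePermission is missing. The manifest is constructed; only the three provider names come from the post, and their authorities and permission values are assumptions.

```python
"""Audit an AndroidManifest.xml for exported content providers that carry a
readPermission but no writePermission, the misconfiguration the post
describes.  Added example; the manifest is constructed (see lead-in)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the first provider mirrors the flaw in the post
# (readPermission set, no writePermission), the second is the hardened form,
# the third is not exported and so is not reachable from other packages.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.android.providers.telephony">
  <application>
    <provider android:name=".PushMessageProvider"
              android:authorities="pushmessage"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS" />
    <provider android:name=".PushShopProvider"
              android:authorities="pushshop"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS" />
    <provider android:name=".ServiceNumberProvider"
              android:authorities="servicenumber"
              android:exported="false" />
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def find_unprotected_providers(manifest_xml):
    """Return (provider, problem) pairs for providers any app can reach:
    exported, no blanket 'permission', and readPermission or
    writePermission missing."""
    findings = []
    for p in ET.fromstring(manifest_xml).iter("provider"):
        # Since API 17 providers default to exported="false"; an explicit
        # "true" exposes them, and a blanket permission gates both directions.
        if attr(p, "exported") != "true" or attr(p, "permission"):
            continue
        for op in ("read", "write"):
            if not attr(p, f"{op}Permission"):
                findings.append((attr(p, "name"), f"missing {op}Permission"))
    return findings

if __name__ == "__main__":
    for provider, problem in find_unprotected_providers(SAMPLE_MANIFEST):
        print(f"{provider}: {problem}")
```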

For now, OnePlus users should tread cautiously until that patch rolls out in mid-October. Rapid7 suggests only installing apps from known sources and removing all non-essential apps. If you receive OTP texts for 2FA logins, you’ll also want to switch to an authenticator app as soon as possible to prevent your code from being sent over SMS. Switching to a third-party chat application can also help in this regard.

top 3 comments
FutileRecipe@lemmy.world, 4 points, 2 months ago

I'm not downplaying it or saying it shouldn't be fixed, but...

Effectively, modifications made to the standard Telephony package left the app open to abuse, allowing any installed application on an affected OnePlus device to access SMS and MMS data, along with metadata, "without permission, user interaction, or consent."

Just another vector. SMS is already plaintext/unencrypted, so shouldn't be used unless you're saying something you're comfortable with the world knowing. Switch to E2EE apps

limerod@reddthat.com, 1 point, 2 months ago

SMS is mostly used for 2-factor authentication, transaction status. Most people use Whatsapp, telegram or whatever messaging app is popular.

What E2EE app do you use?

FutileRecipe@lemmy.world, 3 points, 2 months ago

SMS is mostly used for 2-factor authentication, transaction status.

Which they really shouldn't as it's still in the clear. But banks are slow to change, especially if it costs them money. As for mostly, I think it depends on the region. I think I've read that the US, Canada, and a few (not all) European countries still use SMS.

I use Signal, which is widely considered the gold standard for E2EE apps, with the client app of Molly specifically (a hardened version of Signal).