The Stagefright Bug, and Your App

By now, it is fairly likely that you have heard about
the Stagefright security vulnerability
existing in most current versions of Android.

There is not much that developers can do to help prevent their apps
from being the means for malware to exploit this bug. The only absolute
way to prevent an app from causing this problem is to not play any
multimedia obtained from arbitrary sources through Stagefright,
and that restriction is
impractical for many apps.

In theory, one could attempt to devise some sort of scanner that
looks for the sorts of media content that would signal an attempt to
exploit Stagefright. However, creating such a scanner is likely to be
rather difficult, and it implies that you are in a position to scan
all media ahead of time. For apps reliant upon streams, that alone
may be a show-stopper.

Until we understand more about the types of media and forms of playback
that could trigger this vulnerability, it is unclear if switching to
a different playback engine (e.g., ExoPlayer)
will help mitigate the risk or not. Hopefully, we will learn more after
the presentations on this vulnerability
scheduled for Black Hat USA and DEF CON 23 in August.

If your app automatically plays media obtained from outside sources,
consider disabling that, so users at least have to specifically request
the media playback. In effect, this is what the "prevent MMS messages from
automatically loading" guidance is suggesting to users. Fortunately,
many SMS clients have the ability for users to toggle off MMS auto-playback.
If your app has a similar auto-play capability, if nothing else, provide
an equivalent setting where the user can disable the auto-play feature.

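
One way to implement such a setting, as an added example that is not from the original post: media from outside sources is handed to `MediaPlayer` only if the user opted in to auto-play or explicitly tapped to play. The class name, the preference key, and the choice to defer even `setDataSource()` until then are assumptions made for this example.

```java
import android.content.Context;
import android.media.MediaPlayer;
import android.net.Uri;
import android.preference.PreferenceManager;
import java.io.IOException;

public class GatedMediaPlayback {
  // Hypothetical preference key, backed by a checkbox in the app's settings screen
  public static final String PREF_AUTO_PLAY = "autoPlayExternalMedia";

  private final Context app;

  public GatedMediaPlayback(Context ctxt) {
    this.app = ctxt.getApplicationContext();
  }

  // Auto-play is opt-in: a missing preference means "off"
  public boolean isAutoPlayEnabled() {
    return PreferenceManager.getDefaultSharedPreferences(app)
      .getBoolean(PREF_AUTO_PLAY, false);
  }

  // Returns the player if playback began, or null if the caller should show a
  // "tap to play" placeholder and call again with userRequested=true on the tap.
  public MediaPlayer play(Uri media, boolean userRequested) throws IOException {
    if (!userRequested && !isAutoPlayEnabled()) {
      return null; // the media is never handed to the framework
    }

    MediaPlayer player = new MediaPlayer();

    try {
      player.setDataSource(app, media);
    }
    catch (IOException | RuntimeException e) {
      player.release(); // do not leak the native player on bad input
      throw e;
    }

    player.setOnPreparedListener(new MediaPlayer.OnPreparedListener() {
      @Override
      public void onPrepared(MediaPlayer mp) {
        mp.start();
      }
    });
    player.prepareAsync(); // prepare off the main application thread

    return player;
  }
}
```
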
Where this is really going to be a problem is with ads.
If your ad network might be sending down something other than plain images
or simple HTML, such as audio or video, see if you can disable that
type of ad. If that is not possible, contact your ad network and ask them
when they will integrate this sort of control, or what else the ad network
is doing to ensure that the ad network is not taking on ads that might
trigger the Stagefright vulnerability.

In the meantime, we need to wait patiently for somebody to provide us a
bit more to go on with respect to the scope of the vulnerability, so that
we can perhaps come up with more specific guidance for developers.


