Linked by Thom Holwerda on Tue 14th Nov 2017 13:13 UTC
Android

This is horrifying:

But even with the data we have, we can take a guess at how many outdated devices are in use. In May 2017, Google announced that there are over two billion active Android devices. If we look at the latest stats (the far right edge), we can see that nearly half of these devices are two years out of date. At this point, we should expect that there are more than one billion devices that are two years out of date! Given Android's update model, we should expect approximately 0% of those devices to ever get updated to a modern version of Android.

Whenever I bring up just how humongous of an issue this is, and just how dangerously irresponsible it is to let average consumers use this platform, apologists come out of the woodwork with two arguments as to why I'm an Apple shill or anti-Google: Google Play Services and Project Treble.

Google Play Services indeed ensures that a number of parts of your entire Android operating system and stack are updated through Google Play. This is a good move, and in fact, Android is ahead of iOS in this respect, where things like Safari and the browser engine are updated through operating system updates instead of through the App Store - and operating systems updates present a far bigger barrier to updating than mere app updates do. However, vast parts of Android are not updated through the Play Store at all, and pose a serious security threat to users of the platform. Google Play Services are anything but a silver bullet for Android's appalling update situation.

Project Treble is the second term people throw around whenever we talk about Android's lack of updates, but I don't think people really understand what Project Treble is, and what problems it does and does not solve. As Ron Amadeo explains in his excellent Android 8.0 review:

Project Treble introduces a "Vendor Interface" - a standardized interface that sits between the OS and the hardware. As long as the SoC vendor plugs into the Vendor Interface and the OS plugs into the Vendor Interface, an upgrade to a new version of Android should "just work." OEMs and carriers will still need to be involved in customizing the OS and rolling it out to users, but now the parties involved in an update can "parallelize" the work needed to get an update running. SoC code is no longer the "first" step that everyone else needs to wait on.

Treble addresses an important technical aspect of the Android update process by ensuring OEMs have to spend less time tailoring each Android update to every specific SoC and every specific smartphone. However, it doesn't mean OEMs can now just push a button and have the next Google Android code drop ready to go for all of their phones; they still have to port their modifications and other parts of Android, test everything, have it approved by carriers, and push them out to devices worldwide.

Project Treble addresses part of the technical aspect of Android updates, but not nearly all of it. While Treble is a huge improvement and clearly repays a huge technical debt of the Android platform, it doesn't actually address the real reason why OEMs are so lax at updating their phones: the political reason. Even in the entirely unrealistic, unlikely, and honestly impossible event Treble solves all technical barriers to updating Android phones, OEMs still have to, you know, actually choose to do so.

Even the most expensive and brand-defining Android flagships - the Note, Galaxy S, LG V, and so on - are updated at best only six months after the release of a new version of Android, and even then, the rollout usually takes months, with some countries, regions, carriers, or phones not getting the update until much, much later.

This isn't because it really is that hard to update Android phones - it's because OEMs don't care. Samsung doesn't care. LG doesn't care. HTC doesn't care. They'd much rather spend time and resources on selling you the next flagship than updating the one you already paid for.

Treble will do nothing to address that.

But let's assume that not only will Treble address all technical barriers, but also all political barriers. Entirely unlikely and impossible, I know, but for the sake of argument, let's assume that it does. Even then, it will be at best four to five years before we experience these benefits from Treble, because while Treble is a requirement for new devices shipping with Android 8.0 out of the box, it's entirely optional for existing devices being updated to 8.0. With the current pace of Android updates, that means it will be no earlier than four to five years from now before we truly start enjoying the fruits of the Treble team's labour.

At that point, it will have been twelve to thirteen years of accumulating unupdateable, insecure Android devices.

The cold and harsh truth is that as a platform, Android is a mess. It was quickly cobbled together in a rushed response to the original iPhone, and ever since, Google has been trying to repay the technical debt resulting from that rushed response, sucking time and resources away from advancing the state of the art in mobile operating systems.

As an aside, I have the suspicion Google has already set an internal timeline to move away from Android as we know it today, and move towards a new operating system altogether. I have the suspicion that Treble isn't so much about Android updates as it is about further containerising the Android runtime to make it as easy as possible to run Android applications as-is on a new platform that avoids and learns from the mistakes made by Android.

Each and every one of you knows I'm an Android user. I prefer Android over the competition because it allows me to use my phone the way I want to better than the competition. Up until recently, I would choose Android on Apple hardware over iOS on Android hardware - to use that macOS-vs-Windows meme - any day of the week.

These days - I'm not so sure I would. Your options as an Android user today? A Pixel phone you probably can't buy anyway because it's only available in three countries, and even if you can buy it, it falls apart at the seams. You can buy a Samsung or HTC or whatever and perpetually run outdated, insecure software. Or you can buy something from a smaller OEM, and suffer through shady nonsense.

You have to be deeply enveloped in the Android bubble to not see the dire situation this platform is in.

Or you could...
by Dryhte on Tue 14th Nov 2017 13:36 UTC
Dryhte
Member since:
2008-02-05

... buy a phone from a company that makes good software support its USP.

In fact I'm nearly totally happy with my Wileyfox Swift 2+.
- good software updates (I got it with Marshmallow, but by now it runs Nougat 7.1.2 with September 2017 patches, November 2017 patches and an Oreo update are on the way)
- good enough hardware (SD 430, 32GB, 3GB RAM, fingerprint reader, NFC - ticks a lot of boxes and the SOC is 'okay')

In fact, in my eyes, it has only one drawback, and that is that it comes with Truecaller dialer which I don't want (but there are sufficient decent alternatives available).

Okay I'd be happy with a SD 625 or 630 but really that's just my numbers fetish, the 430 is quite capable.

Did I mention the software updates? I did, didn't I ;)

Edited 2017-11-14 13:49 UTC

Reply Score: 2

RE: Or you could...
by Carrot007 on Wed 15th Nov 2017 00:53 UTC in reply to "Or you could..."
Carrot007 Member since:
2008-02-04

Got it in one!

I am happy with my WileyFox Swift 2 X for all the same reasons. The 2+ would have probably done me but I thought the extras worthwhile and still at a cheap (mid?) price.

In fact the lower spec CPU seems to have advantages. It's fast enough for what I do that I do not notice. And the battery can last 2 or 3 days instead of half a day!

I was even so impressed I got one for the OH. But unfortunately she has already smashed it. Unfortunately nothing cures that! At least it did not cost much more! She can have one of the Chinese ones now that seem similar spec for £80. Just might have to send it back to Amazon a few times before you get a good one. They have no quality control. Or updates. But as long as it runs 7 I am ok, and there are ones running 7 now. None with 8 as far as I can see. Well unless WileyFox have a good Black Friday offer!

Reply Score: 0

RE[2]: Or you could...
by Dryhte on Wed 15th Nov 2017 08:01 UTC in reply to "RE: Or you could..."
Dryhte Member since:
2008-02-05

Sure, I just didn't want a bigger phone, and I figured the extra resolution might impact battery life.

Reply Score: 2

RE: Or you could...
by grat on Wed 15th Nov 2017 12:51 UTC in reply to "Or you could..."
grat Member since:
2006-02-02

Personally, I'm happy with my Pixel XL. It's a rock solid phone, and it gets reliable updates. The back is a bit hideous, but I don't look at that side unless I have to. ;)

Reply Score: 2

RE: Or you could...
by gan17 on Wed 15th Nov 2017 15:42 UTC in reply to "Or you could..."
gan17 Member since:
2008-06-03

In fact I'm nearly totally happy with my Wileyfox...


Not heard of this company. Looks interesting. Any word on how long they promise security/OS updates?

Main device is an iPhone, but I also carry an old Nexus 5 as my "dirty" phone - by dirty, I mean something that I need for the revolting but necessary stuff (because society has no standards) like WhatsApp, Line, Waze, etc - and am hoping to replace that soon. These Wileyfox phones seem to strike a good performance/price/updates balance.

Thanks for sharing.

Reply Score: 2

Android is a mess
by martini on Tue 14th Nov 2017 14:04 UTC
martini
Member since:
2006-01-23

"Android is a mess" and that is why it had been so successful.

Remember that when Android was released we already had Blackberry and iOS on the market. I thought it was too late and that the market had already been taken.

What happened from there is what people called "the mess". Since Android was open source, anybody building cheap phones in China could bundle it on phones and cheap tablets. Losing control of Android was what helped worldwide adoption.

When we talk about fragmentation (different Android devices with older OS versions without the possibility to update), who do we have to blame for that?

The first to blame is the manufacturer. The manufacturers just want to sell hardware and don't want to spend money on supporting the hardware with periodic software updates forever. It is as simple as their business case. On the other hand Microsoft owns Windows on PCs, so when manufacturers sell hardware, MS makes money with the OS and has the business to maintain it, and it also used to make money with the updates.

But I think we also need to blame Linux. I think that part of the fragmentation problem is also in Linux's monolithic kernel design. The Linux kernel is so customizable (which should be good) that it can be compiled for every processor architecture, but it also means that each update needs to be recompiled with all the required drivers for each phone. That means you cannot generate a standard binary to update the kernel of all phones. We are used to thinking of an OS like Windows, where you get the standard CD of the new version and you install it over the old one. But that is not the way a monolithic kernel works with different processor architectures, and for sure, you don't get an Android CD each year to update to the new release.

So, Android is different. If you want an update model like Windows, maybe the phone processor architecture needs to be standardized and the kernel should be a microkernel.

Reply Score: 8

RE: Android is a mess
by martini on Tue 14th Nov 2017 14:06 UTC in reply to "Android is a mess"
martini Member since:
2006-01-23

...and the kernel should be Microkernel

Project Zircon (magenta): https://fuchsia.googlesource.com/

Reply Score: 3

RE[2]: Android is a mess
by grat on Wed 15th Nov 2017 12:53 UTC in reply to "RE: Android is a mess"
grat Member since:
2006-02-02

And what problem would that solve?

Would it magically make Samsung, HTC, etc., commit to security updates for the next 3 to 5 years?

Because that's what's needed.

Reply Score: 4

RE: Android is a mess
by The123king on Tue 14th Nov 2017 15:21 UTC in reply to "Android is a mess"
The123king Member since:
2009-05-28

The NT kernel is hybrid monolithic. NT never has been a microkernel. Same goes for the MacOS and iOS kernels. And anyway, like the poster below me, moving to a microkernel is not going to help

Reply Score: 3

RE: Android is a mess
by zima on Wed 15th Nov 2017 23:15 UTC in reply to "Android is a mess"
zima Member since:
2005-07-06

Remember that when Android was released we already have Blackberry and iOS on the market. I thought it was too late and that the market had been already taken.

Blackberry and iOS - perhaps from US & Canada perspective. The rest of the world was mostly on Symbian WRT smartphones and on "feature phone" platforms such as Nokia Series40, Sony Ericsson A200 ...hell, even some touchscreens like LG Cookie; and it moved from them to Android.

Edited 2017-11-15 23:16 UTC

Reply Score: 5

Microkernels will not solve this
by jonsmirl on Tue 14th Nov 2017 14:25 UTC
jonsmirl
Member since:
2005-07-06

Microkernels will simply move the problem from one place in the code to another. Down in the hardware these SOCs are all different unlike the monolithic x86 world. I suspect a microkernel will even make things worse by introducing a new kernel and ruining the skill set of the people the HW manufacturers currently employ.

The correct answer is money. It is in the hardware manufacturer's own interest to do this. It is a way of forcing you to buy a new phone every 2-3 years whether you want to or not. Forcing consumers on this endless treadmill results in billions in profits for the HW manufacturers.

This is only marginally Google's fault. Google could certainly make life easier for the HW OEM but it is not clear if that would make any difference. HW OEMs purposely practice "port and forget". Of course they don't issue any updates, the software team has been moved to the new phone design and there is no one left working on the old phones.

How to solve it? We could force everyone to use Qualcomm processors and create a monoculture like Apple. But do we want that?

I think it may be self-correcting in the future due to a change in how phone plans are priced. Previously your phone payments were bundled into the phone bill and now they aren't. I used to hate it when after two years my phone bill would not decrease at all. Instead they told me to come and get a new phone for "free" and if I didn't get that new phone they'd still charge me for it.

We have not been on this new system long enough to see the full effect. I suspect that it will result in a significant slowing of the upgrade treadmill. If the treadmill slows it will increase pressure on the OEMs to keep things updated.

Reply Score: 4

bassbeast Member since:
2007-11-11

I think you are right as phone OEMs are about to see replacing phones every other year die as hard as the PC makers saw the endless treadmill die when we went from the MHz war to the core wars.

At the shop I have to deal with Android phones all day because everybody seems to need to be shown how to connect their phones to their PCs, be it to get off pictures or transfer music or whatever... know what the most common Android version I'm encountering is? Android 5, because by the time of Android 5's release phones were over 5 inches and had quad cores, which was frankly overkill for most users. Add to this the fact that most carriers here offer phones running Android 5 that are powerful enough to play 3D games for sub $70? I'm seeing more and more end up on these phones as people realize that $70 phone does everything they would do with an $800 phone for $730 less.

At the end of the day they can add a dozen cores and 48Gb of RAM and if all the users are doing with it are watching YouTube and playing the latest Angry Birds style time waster? Then they are not gonna be able to tell the difference between that $100 phone and the $800 one. Again, it's the same thing that happened to the PC market: you can buy 32 thread systems with 64Gb of RAM and 12Tb of storage but if all they are doing is going to FB and working on docs and editing their home photos that power is pointless.

But sadly, short of government intervention I seriously doubt the OEMs will ever give a crap. As I said, I'm seeing carriers selling tons of new Android 5 phones and some places are still selling Android 4 phones; as long as they can get away with selling phones with zero support that is what they are gonna do.

Reply Score: 5

dsmogor Member since:
2005-09-01

If the security problem rises to pandemic scale (think 100m devices botnets or something) the government (or EC) intervention will be inevitable.
It's as simple as adding some additional requirements to device certification or forcing carriers to throw out known vulnerable devices off the network.

Reply Score: 4

bassbeast Member since:
2007-11-11

or forcing carriers to throw out known vulnerable devices off the network.
...you DO realize if the government mandated this the OEMs would put out phones with zero support and when the next vulnerability came out simply demand everyone buy a new phone?

I have a feeling if the government were to try to order OEMs to support these devices they would just make all phones $600+ and claim that is the cost of having dedicated dev teams to support such a myriad of devices, and frankly they would probably not be lying. The problem is that mobile is where PCs were in the 80s, with everything being black boxes of proprietary everything and what we need is for governments to force the hardware makers to come up with standards and a driver ABI so that it would be trivial for others to make ROMs for the phones.

If this were to happen frankly I would not care if the OEM released a new version of android for my device as there would be competition, and we could choose which ROM had the features and software that does what we want, just as we can now with PC OSes.

Reply Score: 2

kwan_e Member since:
2007-02-18

Microkernels will simply move the problem from one place in the code to another.


That's a non-argument, because all fixes are about moving the problem from one place to another.

What matters is how much damage can be done from one place vs the other place.

Down in the hardware these SOCs are all different unlike the monolithic x86 world. I suspect a microkernel will even make things worse by introducing a new kernel and ruining the skill set of the people the HW manufacturers currently employ.


It would actually be easier. In microkernels, as many drivers as possible are put into user-space, leaving the kernel ABI surface area and the kernel itself small. For SOCs with all their hardware differences, it's actually easier to maintain a small kernel and just deal with compatibility issues as a user-space module/driver/service problem.

In fact, if the microkernel is designed with the original goal of being able to restart services transparently, then people may be more willing to upgrade because it doesn't interrupt them.

The correct answer is money. It is in the hardware manufacturer's own interest to do this. It is a way of forcing you to buy a new phone every 2-3 years whether you want to or not. Forcing consumers on this endless treadmill results in billions in profits for the HW manufacturers.


I agree with this. Putting it this way, it's even more reason to put a company tax on electronic waste. If they get taxed for the waste, they'll need to avoid the tax. Meaning they have to do better supporting it.

Reply Score: 4

dsmogor Member since:
2005-09-01

The problem is that vendors:
* don't want to live with the restrictions that stable kernel -> userspace interface imposes on their HW innovations
* don't care if their implementation of the API is 100% correct unless it actually breaks their particular skins

I can imagine the OEMs will drag implementation of Treble out as long as possible, trying to pressure Google to make it de facto optional (by watering down requirements) even post 8.0, as going for 100% compliance is additional $$ spent on the manufacturer's side for no apparent benefit.

Reply Score: 3

a little over-dramatic...
by rhetoric.sendmemoney on Tue 14th Nov 2017 14:29 UTC
RE: a little over-dramatic...
by lucke on Tue 14th Nov 2017 15:02 UTC in reply to "a little over-dramatic..."
lucke Member since:
2007-01-07

It seems that if you're on a patch level older than 2017-09-01, you're susceptible to Blueborne. If you're not running 2017-11-06, you're susceptible to KRACK.

I recently got my first Android phone, LG K10, from a bank. The model was released less than two years ago. It's nice, has everything I would want from a phone. The patch level is at 2017-08-01. If I don't want to share my data, I had better not use WiFi nor Bluetooth.

Edited 2017-11-14 15:02 UTC

Reply Score: 1
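The patch-level check lucke describes, as an added example that is not part of the thread or of any OSNews poster's code: it parses `getprop` style output, reads the real Android property `ro.build.version.security_patch`, and reports which of the two issues named in the comment the device still lacks a fix for. The cut-off dates (2017-09-01 for Blueborne, 2017-11-06 for KRACK) are taken from the comment above and treated as "anything earlier is unpatched", which slightly generalises the comment's wording; the `getprop` output lines are constructed, and the LG K10 patch level of 2017-08-01 is the one quoted in the comment.

```python
import re
from datetime import date

# Cut-off table quoted from the comment above (constructed, not an
# authoritative bulletin list): a patch level before the date means the
# device has not received the fix the comment associates with it.
KNOWN_ISSUES = [
    (date(2017, 9, 1), "Blueborne (Bluetooth stack)"),
    (date(2017, 11, 6), "KRACK (WPA2 handshake)"),
]

# `getprop` prints one property per line as "[key]: [value]".
_PROP_RE = re.compile(r"\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]")


def parse_getprop(output):
    """Parse `getprop` output into a dict of property name -> value."""
    props = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_level(props):
    """Return the security patch level as a date, or None when the property
    is missing or malformed (devices older than Android 6.0 never set it)."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def assess(output, today):
    """Return (patch_level, months_behind, unpatched_labels) for one device.

    A device with no patch level at all is reported as missing every fix in
    the table, since nothing on it can be shown to be patched."""
    level = patch_level(parse_getprop(output))
    if level is None:
        return None, None, [label for _, label in KNOWN_ISSUES]
    months = (today.year - level.year) * 12 + (today.month - level.month)
    missing = [label for cutoff, label in KNOWN_ISSUES if level < cutoff]
    return level, months, missing


# Constructed sample output, not captured from real devices.
SAMPLE_K10 = """\
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2017-08-01]
[ro.product.model]: [LG-K10-placeholder]
"""

SAMPLE_CURRENT = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2017-11-06]
"""

SAMPLE_LEGACY = """\
[ro.build.version.release]: [5.1]
"""

if __name__ == "__main__":
    today = date(2017, 11, 14)  # date of the thread, constructed reference point
    for name, sample in [("K10", SAMPLE_K10), ("current", SAMPLE_CURRENT),
                         ("legacy", SAMPLE_LEGACY)]:
        level, months, missing = assess(sample, today)
        print(f"{name}: patch level {level}, {months} months behind, "
              f"unpatched: {missing or 'none in table'}")
```

Run over a fleet inventory, the interesting edge case is the third sample: a device that predates the patch-level property cannot claim any fix, so the check reports it as lacking everything rather than silently treating "no data" as "up to date".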

Bill Shooter of Bul Member since:
2006-07-14

That is the important update problem with Android: the security updates aren't being delivered to all platforms. There is no good reason why this is the case. This is why it's a mess, not the actual OS upgrade issue.

Reply Score: 3

RE: a little over-dramatic...
by cranfordio on Tue 14th Nov 2017 15:21 UTC in reply to "a little over-dramatic..."
cranfordio Member since:
2005-11-10

Now, let's look at the iPhone tragedies:
- numerous reports of swollen batteries breaking the phone casing. (LITERALLY falling apart at the seams!)
- most breakable iPhone ever!
- FaceID owned in its first week by a Halloween mask.
- Screen tinting - even if not as noticeable, its there.
- Autocorrect bug
- "The iPhones are susceptible to screen burn in." - Tim Cook
- **touch screen unusable in cold temperatures**


- Haven't heard about the swollen batteries problem, so no comment on this.
- All smartphones have had problems with breaking if mishandled. I have had an iPhone since they first came out in 2007 and I haven't even had as much as a scratch on the screen. I have seen roughly the same percentage of Samsung and HTC phones with cracked screens as I see iPhones
- Horrible demonstration of hacking FaceID and they only answer questions about how their process went with, "We are experts in the field." Which makes their process very questionable.
- All OLED screens have this issue, Apple never denied this, they just found way to get Samsung to make it less obvious.
- Already fixed
- Again, all OLED screens have this issue. But I wonder, who keeps their phone screen on with any one part of their screen never changing for a long enough period to cause burn-in? Personally, I jump from app to app, which changes the whole screen except maybe the very top, frequently, and then the screen is off when I am not using it.
- Unusable for a short period of time. It has to do more with sudden temperature changes as opposed to just being cold. Apple says they are going to address this, we will just have to wait and see.

Reply Score: 3

rhetoric.sendmemoney Member since:
2006-01-22

- Edit: Double post.

Edited 2017-11-14 19:49 UTC

Reply Score: 1

rhetoric.sendmemoney Member since:
2006-01-22

"Horrible demonstration of hacking FaceID and they only answer questions about how their process went with, "We are experts in the field." Which makes their process very questionable. "

Whoops!
https://www.phonearena.com/news/Another-swollen-Apple-iPhone-8-Plus-...
https://www.theverge.com/2017/11/14/16650394/10-year-old-unlock-mom-...

Reply Score: 2

Options
by jonsmirl on Tue 14th Nov 2017 14:47 UTC
Comment by Sidux
by Sidux on Tue 14th Nov 2017 14:53 UTC
Sidux
Member since:
2015-03-10

I don't usually go through graphs because data is not that easy to analyse from a global perspective.
For example there are people that never log in to Android and obtain apps from other sources (when it's needed).
Others simply won't update because they fear compatibility problems (eg: usually admins that just want the corporate apps to work as they received them from the company without having to explain to anyone that they couldn't connect because X update came and broke something).
From graphs this will show as outdated apps, even if the OEM may very well provide regular security updates.
It's pretty much the same thing with Windows before Microsoft came and forced the update process for the home user.
Apple does this too..
Is this the only way though to keep the ecosystem safe enough? Hard to say but it's good for everybody to have choice.

Reply Score: 3

RE: Comment by Sidux
by CaptainN- on Tue 14th Nov 2017 16:26 UTC in reply to "Comment by Sidux"
CaptainN- Member since:
2005-07-07

My ancient Moto X (running "outdated" Android 5.1, and still runs every app I try on it) received a security update a couple of months ago.

If Thom wants to complain about lack of updates, he needs to make a better case than contextless (and dataless) claims of insecurity. Being "outdated" in some central authority driven way (it doesn't run the latest and greatest from master Google!) doesn't mean a damn thing, and as I've pointed out numerous times, can often lead to better user experience. Android phones don't get slower over time like iOS devices do. No gripes with that from the Apple fan boi...

Edited 2017-11-14 16:26 UTC

Reply Score: 3

RE[2]: Comment by Sidux
by Troels on Tue 14th Nov 2017 19:52 UTC in reply to "RE: Comment by Sidux"
Troels Member since:
2005-07-11

Exactly!!

And probably I could not find a single thing I would miss if I could downgrade my phone from whatever it is running now (it's 7 or 7.1 I think, not sure, don't think it is 8). The Amazon Web Services weekly(!!!) newsletter with changes is much more exciting than the latest many Android releases.

There might be a little tech stuff that developers care about, but for the end user, it is really same same. Last update to matter was 5.0, just for the new looks, before that it was 4.0.

Yeah yeah, it got the multi screen feature that probably a few people use, probably a bit more on tablets, but some OEMs have had this for years anyway so that didn't really require an Android upgrade, just buying the right product.

Maybe if they started releasing new versions when there was something to release, we could stop this silly discussion. (Just like it would be great if Microsoft would stop making useless but slow to install "major" updates to Windows 10)

Edited 2017-11-14 19:53 UTC

Reply Score: 1

RE[2]: Comment by Sidux
by Peter9 on Wed 15th Nov 2017 08:59 UTC in reply to "RE: Comment by Sidux"
Peter9 Member since:
2017-08-02

My Xperia Z3C was released in September 2014, I bought it in February 2016. I received an update to Android 6.0.1 right after purchase. That was it. My security patch level is still Feb 2016 !!! This is an insult to customers. You can guess what my next device is going to be...

Reply Score: 1

RE[3]: Comment by Sidux
by oiaohm on Wed 15th Nov 2017 09:50 UTC in reply to "RE[2]: Comment by Sidux"
oiaohm Member since:
2009-05-30

My Xperia Z3C was released in September 2014, I bought it in February 2016. Have received update to Android 6.0.1 right after purchase. That was it. My security patch level is still Feb 2016 !!! This is an insult to customers. You can guess what my next device is going to be...

That is normal, be it an iPhone or an Android device. Between 2-3 years from the release date of the device has been all you have been promised.

So your next device is something with Android Oreo that hopefully has 5-6 years support?

By February 2016 you should have got your phone quite discounted because it was running out of support.

This is the normal head in sand problem.

Reply Score: 2

RE[4]: Comment by Sidux
by fedyac on Wed 15th Nov 2017 15:18 UTC in reply to "RE[3]: Comment by Sidux"
RE[5]: Comment by Sidux
by zima on Wed 15th Nov 2017 23:20 UTC in reply to "RE[4]: Comment by Sidux"
zima Member since:
2005-07-06

My iPhone 6 from 2014 is still receiving updates 3 years later and will be for at least a year.

Then that's also quite short support, since many people bought this phone quite recently (Apple sells / pushes on consumers old models much longer than Android device makers do)

Edited 2017-11-15 23:23 UTC

Reply Score: 3

RE[4]: Comment by Sidux
by Peter9 on Thu 16th Nov 2017 10:24 UTC in reply to "RE[3]: Comment by Sidux"
Peter9 Member since:
2017-08-02

[QUOTE]That is normal be it a iphone or an android device. Between 2-3 years from release date of the device has been all you have been promised.

So your next device something Android Oreo that hopefully has 5-6 years support?

By February 2016 you should have got your phone quite discounted because it was running out of support.

This is the normal head in sand problem.[/QUOTE]

Yeah it's a head in the sand problem - Manufacturers head in the sand...

We're talking about security updates here. They should not be negotiable. Period.

Edited 2017-11-16 10:28 UTC

Reply Score: 1

RE[5]: Comment by Sidux
by oiaohm on Thu 16th Nov 2017 11:12 UTC in reply to "RE[4]: Comment by Sidux"
oiaohm Member since:
2009-05-30

Yeah it's a head in the sand problem - Manufacturers head in the sand...

We're talking about security updates here. They should not be negotiable. Period.


No, it's users, carriers, sales people and manufacturers with their heads in the sand.

Please note that lack of security updates to drivers and BIOS firmware after the warranty runs out on laptops/desktops happens as well.

People buying hardware don't ask how long updates will be provided for. Sales people normally don't know because they are not being asked the question enough. Carriers are not cutting off devices out of support as they could and not demanding long support time from companies they get handsets from.

Some manufacturers gave users unlockable bootloaders on the idea that when support ran out they would go across to third parties. Then failed to make sure that third parties had the source to pick up the support.

You cannot expect manufacturers to provide support that users and carriers have not paid for or demanded.

Reply Score: 2

RE[6]: Comment by Sidux
by Alfman on Thu 16th Nov 2017 19:28 UTC in reply to "RE[5]: Comment by Sidux"
Alfman Member since:
2011-01-28

oiaohm,

No it users, carriers, sales people, Manufacturers head in sand.

Please note lack of security update to drivers and bios firmware after warranty runs out on laptops/desktops happen as well.


True, PC system builders can be guilty of not distributing updates too. However there is a significant difference: unlike with Android, PC users can often get updates from elsewhere, be it Windows Update or directly from the component manufacturers.

My Acer laptop had issues with USB3 and WiFi even though I had the latest drivers supplied by Acer.
However it turned out the respective chip makers (Intel and Atheros if I recall) had fixed my issues in the latest drivers off their websites. Likewise I can get Windows updates from Microsoft even though my Acer warranty is long gone.

So even assuming an Acer Android tablet and Acer Windows PC (for example) had similar update schedules, there's still a world of difference between what I can do as a user to update the Android tablet versus a Windows/Linux PC. And because of this, the lack of vendor updates on Android is much more problematic.

Edited 2017-11-16 19:31 UTC

Reply Score: 3

RE[7]: Comment by Sidux
by oiaohm on Thu 16th Nov 2017 23:33 UTC in reply to "RE[6]: Comment by Sidux"
oiaohm Member since:
2009-05-30


True, PC system builders can be guilty of not distributing updates too. However there is a significant difference: unlike with Android, PC users can often get updates from elsewhere, be it Windows Update or directly from the component manufacturers.

My Acer laptop had issues with USB3 and WiFi even though I had the latest drivers supplied by Acer.
However it turned out the respective chip makers (Intel and Atheros if I recall) had fixed my issues in the latest drivers off their websites. Likewise I can get Windows updates from Microsoft even though my Acer warranty is long gone.


There are a few differences.
1. Microsoft gives you 10 years support. Google has only been giving about 5.

2. The Android equivalent of going to the vendor for drivers is installing a third-party ROM. Just like installing a third-party ROM on an Android device, using generic drivers straight from the device maker does not always work under Windows either. Same problem: the hardware maker customised something and never told anyone.

The reality is that lack of vendor updates in laptops for firmware defects and other items is highly problematic to some users as well. So like it or not, it's mostly the same problem.

Early Microsoft Windows did not push out driver updates by Windows Update either. Google with Android 8.0 is starting to work on pushing out driver updates where they can. People running Windows were upset by Windows 10 forced updates because a lot of people, even in Windows 8.1, were blocking particular Windows updates from installing so that their drivers would work.

Vendors not providing updates to drivers you cannot get elsewhere is truly everywhere and is creating quite a large exploit surface area.

Reply Score: 2

RE[2]: Comment by Sidux
by Bill Shooter of Bul on Wed 15th Nov 2017 15:15 UTC in reply to "RE: Comment by Sidux"
Bill Shooter of Bul Member since:
2006-07-14

Agreed, but you do know Google pushes monthly security updates, right? Which means if you aren't getting them each month, your device is vulnerable to the issues that have been patched since the last security update.

Reply Score: 3

Alarm! The bad guys haz youR lives!!
by CaptainN- on Tue 14th Nov 2017 16:18 UTC
CaptainN-
Member since:
2005-07-07

Show me stats on exploitable android versions, and active exploits when we talk about security problems, or I'm not interested.

Second - this talks about API versions - that's fine as a way to collect stats, but it says nothing about whether all those hopelessly outdated Android installs can run the latest software, built with the latest APIs for the latest API versions. Hint: old Android versions can still run new software. The SDK doesn't work like it does on other platforms.

So if we don't have any real data on security (which would be a concern) and the problem of not being able to run current software isn't a problem - well what is the problem?

Reply Score: 3

pmac Member since:
2009-07-08

Show me stats on exploitable android versions, and active exploits when we talk about security problems, or I'm not interested.


The absence of a large volume of reported exploits should worry you even more. We know there are vulnerabilities, and we therefore know that people are exploiting them, but if the exploiters aren't being found then they're being very successful.

Edited 2017-11-14 17:09 UTC

Reply Score: 0

Adurbe Member since:
2005-07-06

There are more than just a few active and documented exploits.

https://www.cvedetails.com/vulnerability-list.php?vendor_id=1224&pro...



Another interesting read is the Nokia vulnerability report, which explains quite how prevalent infected devices are;

https://www.nokia.com/en_int/news/releases/2017/03/27/nokia-malware-...

Edited 2017-11-14 17:28 UTC

Reply Score: 3

Alfman Member since:
2011-01-28

CaptainN-,

Show me stats on exploitable android versions, and active exploits when we talk about security problems, or I'm not interested.
...
So if we don't have any real data on security (which would be a concern) and the problem of not being able to run current software isn't a problem - well what is the problem?


Isn't this the ostrich approach to security? It's fine as long as our heads are in the sand ;)

Seriously though, it's not a good practice to keep known vulnerabilities active. It's not ok for manufacturers to do a lousy job here. A weakened security device only increases the attack vectors for other devices and networks at home and at work. Even if our personal devices aren't directly hit, we still have to pay a high price to cover security breaches and fraud conducted through the exploitation of insecure devices.

KRACK, mentioned earlier, is pretty significant because an attacker can break the security of wireless networks that are otherwise behind firewalls.
https://www.krackattacks.com/

Edited 2017-11-14 18:03 UTC

Reply Score: 5

CaptainN- Member since:
2005-07-07

It's a data approach. I'm interested in knowing whether all these proclamations of insecure android versions are valid or not.

What is the active exploit rate? I'd settle for an estimate of the opportunity rate - but there's no data here. Without knowing that, how can we know for sure this update thing is even a real problem (it's not a problem as far as getting access to new APIs).

Without data, this is all just Chicken Little stuff.

Reply Score: 4

Alfman Member since:
2011-01-28

CaptainN-,

It's a data approach. I'm interested in knowing whether all these proclamations of insecure android versions are valid or not.

What is the active exploit rate? I'd settle for an estimate of the opportunity rate - but there's no data here. Without knowing that, how can we know for sure this update thing is even a real problem (it's not a problem as far as getting access to new APIs).

Without data, this is all just Chicken Little stuff.



But why do you keep ignoring the data when others link to it? The KRACK vulnerability that I linked to in the very post you responded to affects virtually all android devices that haven't been updated.

Suggesting this is "Chicken Little stuff" due to lack of data is inaccurate, you just haven't done your homework on this one. The CVE database, already mentioned by others, is high quality data about real device vulnerabilities in the wild. Another database is here: https://www.exploit-db.com/ You can find remote exploits such as this one: https://github.com/offensive-security/exploit-database/blob/master/p...

Maybe ordinary users can be forgiven for being ignorant about their phone's vulnerabilities, but manufacturers and the tech industry don't have this excuse. Sometimes consumers can end up with a phone that's still under original warranty, yet running the manufacturer's own firmware that's unsupported and unpatched. This was the situation with my phone, unfortunately.

Edited 2017-11-15 18:06 UTC

Reply Score: 3

CaptainN- Member since:
2005-07-07

This article says nothing about the data. As I've said, my first gen Moto X has recently received security updates. That's enough. It doesn't have to run the latest point release to be a secure phone which can run all the apps. That's the point others ignore.

If security releases aren't going out for a majority of users, I concede that's a problem. This article (and Thom) are making a different point.

Reply Score: 2

Alfman Member since:
2011-01-28

CaptainN-,

This article says nothing about the data. As I've said, my first gen Moto X has recently received security updates. That's enough. It doesn't have to run the latest point release to be a secure phone which can run all the apps. That's the point others ignore.


The data shows that phones that aren't being updated are vulnerable. If you want to know how long phones are being supported for, Google officially announced 2 years of major updates and 3 years of security updates.

http://www.androidpolice.com/2015/08/05/google-announces-new-update...

How much you consider this a problem may depend on when you buy your phone within the support window. If you buy it towards the end, then you won't be getting support for very long. In any case, Google's commitment to long term updates is well behind Apple's.

http://www.androidpolice.com/2015/09/17/software-updates-a-visual-c...

You made a good choice with the Moto X, it basically runs stock Android and their updates should mostly follow Google's. Not all Android users are so lucky though.

Reply Score: 2

Treble
by Alfman on Tue 14th Nov 2017 18:25 UTC
Alfman
Member since:
2011-01-28

Thom Holwerda,

While Treble is a huge improvement and clearly repays a huge technical debt of the Android platform, it doesn't actually address the real reason why OEMs are so lax at updating their phones: the political reason. Even in the entirely unrealistic, unlikely, and honestly impossible event Treble solves all technical barriers to updating Android phones, OEMs still have to, you know, actually choose to do so.


It won't do much for manufacturers who never gave a crap about providing updated firmware anyway, but in theory the Treble device abstraction ABIs along with working drivers can provide a good & strong foundation for the 3rd party community to build and release updated kernels themselves. We'd be far less dependent upon the manufacturer for updates, and IMHO that's a good thing.

I don't have experience with Treble as it's not present on my phone, but I'm optimistically hopeful.

Edited 2017-11-14 18:25 UTC

Reply Score: 3

RE: Treble
by jbauer on Tue 14th Nov 2017 18:33 UTC in reply to "Treble"
jbauer Member since:
2005-07-06

Thom Holwerda,

"While Treble is a huge improvement and clearly repays a huge technical debt of the Android platform, it doesn't actually address the real reason why OEMs are so lax at updating their phones: the political reason. Even in the entirely unrealistic, unlikely, and honestly impossible event Treble solves all technical barriers to updating Android phones, OEMs still have to, you know, actually choose to do so.


It won't do much for manufacturers who never gave a crap about providing updated firmware anyway, but in theory the Treble device abstraction ABIs along with working drivers can provide a good & strong foundation for the 3rd party community to build and release updated kernels themselves. We'd be far less dependent upon the manufacturer for updates, and IMHO that's a good thing.

I don't have experience with Treble as it's not present on my phone, but I'm optimistically hopeful.
"

Agreed. I'm not holding my hopes up but basically Treble is the reason why I'm not even thinking of buying an Android device this year (well, there's the Pixel but I've got other reasons for not considering it).

Reply Score: 2

Absolutely right
by PJBonoVox on Tue 14th Nov 2017 18:39 UTC
PJBonoVox
Member since:
2006-08-14

"This isn't because it really is that hard to update Android phones - it's because OEMs don't care. Samsung doesn't care. LG doesn't care. HTC doesn't care. They'd much rather spend time and resources on selling you the next flagship than updating the one you already paid for."


Absolutely spot on about this. Why would they spend their bottom line on new features and security fixes for end users?

However, I'm sure Sony, Adobe, Equifax and the rest of them felt the same about where their money should be spent. Pretty sure they don't feel the same about it now.

So perhaps what the world needs is for a particular model of smartphone from a specific brand to be totally pwned en masse. That *might* make them wake up because their brand name being affected DOES impact the bottom line.

Just a thought.

Edited 2017-11-14 18:40 UTC

Reply Score: 6

Comment by model500
by model500 on Tue 14th Nov 2017 19:36 UTC
model500
Member since:
2016-12-22

Our options as an Android user today?

I just don't care that much, as apparently a lot of people don't - if we cared we wouldn't be buying the phones.
I have a Galaxy S5 (I think, not quite sure, don't really care) - it plays media (on and offline), makes decent photos, browsing the interwebs, mails, chats... shit like that works without hiccups.
For me it's just a phone, I don't have any sensitive data on it (still encrypted though), never buy shit online from my phone, have no social media (except the Google account for Gmail and YT).
I'm a really basic user as I believe most of the people are.
I don't know (or care) what version of Android I have, because this one works just fine.
After one month of Windows 8 I felt like "this crap needs to go and be replaced on my laptop" - this kind of feeling never came to be on my phone.
Not an Android fanboy at all (was actually considering an iPhone when buying this one, but the iPhone at that time didn't have water and dust resistance).

TL;DR: It's just a phone, I don't really care about the Android version on it.

Reply Score: 4

RE: Comment by model500
by Troels on Tue 14th Nov 2017 19:58 UTC in reply to "Comment by model500"
Troels Member since:
2005-07-11

And after a few more days probably you would stop caring about Windows 8 too, because you realize you can simply ignore most of the useless new parts, and it booted up a bit faster and the start screen search was faster than Windows 7, so in total, it was a very slight upgrade ;)

Reply Score: 4

RE[2]: Comment by model500
by Carrot007 on Wed 15th Nov 2017 00:57 UTC in reply to "RE: Comment by model500"
Carrot007 Member since:
2008-02-04

Win 8 was fine come 8.1

Much like Win Vista was fine come SP1.

Reply Score: 3

RE[3]: Comment by model500
by Bill Shooter of Bul on Wed 15th Nov 2017 15:17 UTC in reply to "RE[2]: Comment by model500"
Bill Shooter of Bul Member since:
2006-07-14

It was less bad, but not good. More of a Win ME service pack kind of improvement. Less of a Vista SP or a Win XP SP.

Reply Score: 0

Out of the woodworks
by avgalen on Tue 14th Nov 2017 22:06 UTC
avgalen
Member since:
2010-09-23

apologists come out of the woodwork with two arguments as to why I'm an Apple shill or anti-Google: Google Play Services and Project Treble.

Well, I am not an apologist, I am not calling you an Apple shill, I am not calling you anti-Google, but I would like to point you to the arguments of
* Point releases are updates as well and they keep many a phone secure. You always focus on phones not receiving the major updates, but those updates are about features, not security!
* App stores with vetted apps and retroactive removal of harmful apps.
* A general lack of attack vectors. It is much harder to attack a phone that accesses most content from isolated apps than it is to attack an internet-connected computer with programs running as admin and interfacing with other programs.

I wish it would be required for every OEM to support the software on their devices much better, but the horrible security on mobile devices just isn't a real problem like it used to be on PCs, where most consumers still didn't bother to secure them properly.

And most attacks nowadays don't result from an insecure OS, they come from users getting phished or from stolen online passwords.

Reply Score: 5

RE: Out of the woodworks
by Alfman on Wed 15th Nov 2017 03:55 UTC in reply to "Out of the woodworks"
Alfman Member since:
2011-01-28

avgalen,

* Point releases are updates as well and they keep many a phone secure. You always focus on phones not receiving the major updates, but those updates are about features, not security!
* App stores with vetted apps and retroactive removal of harmful apps.
* A general lack of attack vectors. It is much harder to attack a phone that accesses most content from isolated apps than it is to attack an internet-connected computer with programs running as admin and interfacing with other programs.


I wish it would be required for every OEM to support the software on their devices much better, but the horrible security on mobile devices just isn't a real problem like it used to be on PCs, where most consumers still didn't bother to secure them properly.

And most attacks nowadays don't result from an insecure OS, they come from users getting phished or from stolen online passwords.


On the one hand I agree with you that the general code sandboxing model on mobiles provides better security than traditional PC software. But on the other hand we shouldn't dismiss how the number of publicly available attack vectors grows quickly when manufacturers don't provide mobile updates. You are more likely to get pwned by a script kiddie running Metasploit against an unpatched mobile device than a patched Windows one.

I suspect more mobile users may be pwned than owners realize because they are operating blind and don't have nearly the same wealth of tools at their disposal. Typical PCs are regularly updated and scanned by AV software.

Reply Score: 2

RE[2]: Out of the woodworks
by avgalen on Wed 15th Nov 2017 17:19 UTC in reply to "RE: Out of the woodworks"
avgalen Member since:
2010-09-23

Please tell me how a script kiddie (from for example Belgium) would attack my mobile device (from for example The Netherlands).

It seems that the only realistic way to hack another mobile device is via
1) phishing, and not much can protect a user from himself
2) proximity attack (Bluetooth/NFC)
3) fake WiFi hotspot (once you are on the same network, especially an untrusted network, most bets are off)

Both 2 and 3 are very limited attack vectors because 1 source can only attack a few targets and those infected targets don't spread. The risk is also very high.

I haven't heard much about a device getting pwned from just browsing a website, for example. The only such situations were the very old "move this slider to root your iOS device" and "receive this Skype/iMessage to crash your phone".

Reply Score: 3

RE[3]: Out of the woodworks
by Alfman on Wed 15th Nov 2017 18:50 UTC in reply to "RE[2]: Out of the woodworks"
Alfman Member since:
2011-01-28

avgalen,

Please tell me how a script kiddie (from for example Belgium) would attack my mobile device (from for example The Netherlands).

It seems that the only realistic way to hack another mobile device is via
1) phishing, and not much can protect a user from himself
2) proximity attack (Bluetooth/NFC)
3) fake WiFi hotspot (once you are on the same network, especially an untrusted network, most bets are off)

Both 2 and 3 are very limited attack vectors because 1 source can only attack a few targets and those infected targets don't spread. The risk is also very high.

I haven't heard much about a device getting pwned from just browsing a website, for example. The only such situations were the very old "move this slider to root your iOS device" and "receive this Skype/iMessage to crash your phone".


In practice, you don't really get to decide who hacks you or how they do it. The thing that everyone needs to have pounded into their heads is that no code is 100% safe, including web browsers and websites:

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-goog...

https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/

https://technet.microsoft.com/en-us/library/security/MS16-MAR

http://exploit.kitploit.com/2017/05/apple-safari-cve-2017-2491-use-...



As long as software is updated, then that mitigates a good portion of the attack vectors a "script kiddie" would have access to. But for software that hasn't been updated in a while, then there's a good chance that not only is it vulnerable, but the vulnerability is publicly known.

What's good is that software downloaded from the app stores can be updated even on phones that the manufacturer has dropped support for. What's bad is that many users will be using factory bundled applications that only get updates through the manufacturer. My phone is rooted and I uninstalled most factory bundled apps and installed managed alternatives, but many users will be using the original apps that came with the phone.

The more we can take device manufacturers out of the software loop, the better. IMHO they don't take security seriously enough to hold that responsibility.

Reply Score: 4

RE[4]: Out of the woodworks
by avgalen on Thu 16th Nov 2017 22:09 UTC in reply to "RE[3]: Out of the woodworks"
avgalen Member since:
2010-09-23

In practice, you don't really get to decide who hacks you or how they do it.
My point was that on mobile devices I haven't heard of 1 single "blaster" or "I love you" or "cryptolocker" infection that entered many devices through the outside world and started spreading from device to device. "Apps" are inherently more secure than "programs". Almost all infections came from fake programs in the store (and mostly from outside stores) that performed their actions from inside the app without bothering the OS or other apps or spreading.

What's good is that software downloaded from the app stores can be updated even on phones that the manufacturer has dropped support for.
Yes, almost everyone is always running the same, latest, version of an app on their device. Completely different from PCs and servers where the OS is at most patched but not updated and programs don't get updated much at all.


The more we can take device manufacturers out of the software loop, the better. IMHO they don't take security seriously enough to hold that responsibility.

Amen!

Reply Score: 2

RE[5]: Out of the woodworks
by oiaohm on Thu 16th Nov 2017 23:35 UTC in reply to "RE[4]: Out of the woodworks"
oiaohm Member since:
2009-05-30

"In practice, you don't really get to decide who hacks you or how they do it.
My point was that on mobile devices I haven't heard of 1 single "blaster" or "I love you" or "cryptolocker" infection that entered many devices through the outside world and started spreading from device to device. "

I will give you that device-to-device spreading malware has not been common on Android. It is pretty much only found in malware that traces back to groups like the CIA and other intelligence groups at this stage.

https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infec...

The claim that they stay restricted to the application is very false. A lot of the infections are like CopyCat, which use kernel exploits to raise privilege and hide.

Then the question comes: why do they use exploits to root but not exploits to install?

The answer is simple: the majority of malware authors are greedy and lazy so-and-sos. There is a lot of device-to-device spreading malware code for Windows published. So malware writers recycle it. Now even in most of the exploit kits you will find network spreading example code for Windows and other platforms. For Android, at this stage, that example code does not exist.

There are tons of people who have wanted applications to root their phone so they can have more control. So there is tons of example code for that and it's in exploit kits. Right up the lazy coder's path of recycling someone else's work.

Is it safe to presume that malware on Android will remain commonly unable to spread device to device? The answer is no, we cannot. If it gets too hard to get into the stores, Android malware makers will be forced to work on device-to-device spreading. While they are not doing this it is a great time to fix the development and device maintenance processes up.

Reply Score: 3

RE[3]: Out of the woodworks
by Alfman on Wed 15th Nov 2017 19:34 UTC in reply to "RE[2]: Out of the woodworks"
Alfman Member since:
2011-01-28

avgalen,

I was browsing exploits, and I thought this was an interesting one:

https://www.exploit-db.com/exploits/43127/

// Proof of concept exploit for waitid bug introduced in Linux Kernel 4.13
// By Chris Salls (twitter.com/chris_salls)
// This exploit can be used to break out out of sandboxes such as that in google chrome
// In this proof of concept we install the seccomp filter from chrome as well as a chroot,
// then break out of those and get root
// Bypasses smep and smap, but is somewhat unreliable and may crash the kernel instead
// offsets written and tested on ubuntu 17.10-beta2
/****** overview of exploit ********
waitid uses unsafe_put_user without checking access_ok,
allowing the user to give a kernel address for infop and write over kernel memory.
when given invalid parameters this just writes the following 32 bit integers
0, 0, 0, _, 0, 0, 0
(the 4th element is unchanged)
inside the chrome sandbox we cannot fork (can only make threads)
so we can only give invalid parameters to waitid and only write 0's to kernel memory,

To exploit this in the presence of smap:

I start out by iteratively calling waitid until we find the kernel's base address
When it's found it will not return efault error from the syscall

Now, I can only write 0's at this point, so I spray 10000 threads and attempt
to write 0's over the beginning of the task struct to unset the seccomp flag
This part is kind of unreliable and depends on the size of the task struct which
changes based on cpu.

If it succceeds, I now know where the task struct is and no longer have seccomp
By shifting the location of the write and using the pid of the child process, I
can now write 5 consecutive arbitrary non-zero bytes. So I can create an address
with this bitmask 0xffffffffff000000

Now to create data at such an address I use the physmap, a mirror of all userland
pages that exists in kernel memory. Mmap a large amount of memory, try writing at
various places in the physmap until we see userland memory change. Then mlock that
page.

With controlled data in the kernel, I use the 5 byte write described above to change
our task->files to point at the controlled page. This give me control of the file
operations and arbitrary read/write.

From here, I remove the chroot and edit my creds to make that thread root.
*/



Note that this vulnerability would be exposed by an application even though the bug technically resides in the kernel.

Reply Score: 3
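The bug class the quoted header describes (a kernel write helper used without the access_ok() range check) is easier to see in a small userland model. The code below is an added example, not part of the page and not the exploit author's code; TASK_SIZE, the simulated address space, the three-word infop layout and both function names are constructed for illustration.

```c
/* Added example (not from the page or from the exploit's author): a userland
 * model of a kernel store that skips access_ok(), next to the corrected form.
 * Addresses, sizes and the "kernel" region are all simulated; nothing here
 * touches a real kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TASK_SIZE 0x1000u  /* constructed: simulated user/kernel boundary */

/* A simulated address space: [0, TASK_SIZE) is "user", beyond it is "kernel". */
static unsigned char address_space[0x2000];

/* Model of the kernel's access_ok(): the whole [addr, addr+size) range must
 * lie below TASK_SIZE, and the end-of-range computation must not wrap. */
static int access_ok(uintptr_t addr, size_t size) {
    if (size > TASK_SIZE) return 0;
    if (addr > TASK_SIZE - size) return 0;
    return 1;
}

/* Model of unsafe_put_user(): stores without any range check. Callers are
 * expected to have validated the destination with access_ok() first. */
static void unsafe_put_user32(uint32_t val, uintptr_t addr) {
    memcpy(&address_space[addr], &val, sizeof val);
}

/* The pattern the quoted header describes: a system call that stores its
 * result through a caller-supplied pointer with unsafe_put_user() and never
 * validates that pointer, so a "kernel" address is accepted and zeroed. */
int waitid_vulnerable(uintptr_t infop) {
    unsafe_put_user32(0, infop);      /* si_signo */
    unsafe_put_user32(0, infop + 4);  /* si_errno */
    unsafe_put_user32(0, infop + 8);  /* si_code  */
    return 0;
}

/* Corrected form: reject any pointer whose range is not wholly in user space
 * before performing the unchecked stores, returning -EFAULT as the real
 * syscall does for a bad user pointer. */
int waitid_fixed(uintptr_t infop) {
    if (!access_ok(infop, 12)) return -EFAULT;
    unsafe_put_user32(0, infop);
    unsafe_put_user32(0, infop + 4);
    unsafe_put_user32(0, infop + 8);
    return 0;
}

/* Demonstration helper: plant a marker word at a "kernel" address, run the
 * given syscall model against it, and report whether the marker was lost. */
int kernel_word_clobbered(int (*syscall)(uintptr_t), uintptr_t kaddr) {
    uint32_t marker = 0xdeadbeef, after;
    memcpy(&address_space[kaddr], &marker, sizeof marker);
    (void)syscall(kaddr);
    memcpy(&after, &address_space[kaddr], sizeof after);
    return after != marker;
}
```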

Hard even with custom ROMs
by gld59 on Tue 14th Nov 2017 23:20 UTC
gld59
Member since:
2012-11-09

There are many phone models with stable custom ROMs available (for those willing and able to do that), but there are probably even more where that option isn't there. My Galaxy Nexus is running LineageOS, but my mum's J1 looks like it's stuck with stock 4.4 - how many community hackers would bother with *any* of the "uninteresting" handsets like that?

Reply Score: 0

oiaohm
Member since:
2009-05-30

Reality here is most mobile phones are only supported for a max of 3 years.

https://www.businessinsider.com.au/apple-ios-10-iphone-software-upda...

This has been android, ios, blackberry..... The pattern of 3 years or less support goes back to the early 90s with the first feature phones.

Only this year has google with Android and Apple with ios put forward the idea of taking this to 5-6 years.

Studies in the USA found that about 47% of iPhone users keep on using their iPhone until it no longer works, and the same goes for about 58% of Android phone users.

This leads to the 1 billion plus devices running out of date software. Let alone the people who don't allow their devices to software update ever.

I would say that phones most likely should be supported for at least 10 years for how long people are going to keep phones. So 5 to 6 years support is still going to be on the short side.

Humans are not as big consumers as the people making phones would like.

Reply Score: 4

Debian
by bram on Wed 15th Nov 2017 03:40 UTC
bram
Member since:
2009-04-03

Solution: phones should run Debian and never Android.
All it then needs is an occasional
$ apt-get upgrade

Reply Score: 2

Phew
by Poseidon on Wed 15th Nov 2017 04:00 UTC
Poseidon
Member since:
2009-10-31

People don’t treat phones like the serious devices they are. One guy said he just used gmail on his phone, no biggie.
Considering sms and email are the two most prevalent 2FA out there, Thom is on point.


As a cyber security worker, there's only Pixel or iPhones. Anything else would be irresponsible, unless you can develop drivers for it as an organization and have a dedicated staff for security implementations.

That’s like... insane and probably not realistic considering the regulations and non-open nature of firmware/drivers on Android.

Reply Score: 2

not enough people care
by jimmystewpot on Wed 15th Nov 2017 06:47 UTC
jimmystewpot
Member since:
2006-01-19

The sad reality is that most end users simply don't care or know any better. On OSNews you are talking to an echo chamber of technical users. Until 'average Joe or Jane' cares, the vendors don't care.

I previously worked for a telco provider; we surveyed all of our customers, and of those motivated enough to respond, update frequency wasn't even in their top 10. It was always about either iOS or Android and then 'the best apps' and related responses.

Based on this data, with a sample size in the low hundreds of thousands, it seems at a high level that having Google services update from the app store has actually done them a disservice... I have no data to prove that but it's one way to read the results.

Also note that these surveys were completed over 4 years ago so the landscape may have changed. I have moved on from the industry since then.

Reply Score: 2

Buy a phone from Google
by hackmykack on Wed 15th Nov 2017 06:48 UTC
hackmykack
Member since:
2006-10-01

I think if people only bought Google Phones (ie. Nexus or Pixel) it would be a much better comparison.

Those phones are comparable to anything Apple makes and you would get OS updates etc.

If more people voted with their wallets then you would probably see a consolidation in the Android market towards vendors that are more Google-like in terms of updates.

As it stands, people buy phones for various reasons ie. price, looks etc. mostly knowing full well that they won't get any updates.

So bottom line ... limit your choice and get security or don't.

Either way, I don't think it's fair to put the blame squarely on Google for this one, as sensational as the headline sounds.

Reply Score: 1

Used and supported by LineageOS
by benoitb on Wed 15th Nov 2017 07:36 UTC
benoitb
Member since:
2010-06-29

My solution is to buy used devices after checking that they are well supported by LineageOS.

This works well for me except for one important fact: camera quality is always degraded on all devices I've had when running an AOSP ROM instead of the stock ROM.

Also this is not a viable option for most normal people and probably represents less than 1% of all the Android users.

The infuriating thing is that if a few unpaid people can support phones for a long time, it means the vendors could as well. We should force them by law to provide software support for 5 years (or more). If they don't they are not allowed to sell in the EU market for example.

Reply Score: 4

RE: Used and supported by LineageOS
by dsmogor on Wed 15th Nov 2017 12:44 UTC in reply to "Used and supported by LineageOS"
dsmogor Member since:
2005-09-01

How do you do that? XDA mailing lists are at best chaotic.

Reply Score: 2

Not sure they miss anything
by ThomasFuhringer on Wed 15th Nov 2017 07:49 UTC
ThomasFuhringer
Member since:
2007-01-25

My Nexus phone always gets the latest update. And with every update it gets slower. Other than that, there is no noticeable difference to me, not for a few years. I feel I just get more and more bloat with no tangible benefit in terms of functionality.
And no, a security fix should not come at that performance cost.

Reply Score: 3

RE: Not sure they miss anything
by oiaohm on Wed 15th Nov 2017 09:05 UTC in reply to "Not sure they miss anything"
oiaohm Member since:
2009-05-30

And no, a security fix should not come at that performance cost.

This is wishful thinking. Fixing a security fault normally results in needing to run more code than you did before to prevent the security fault. It's a rare security fault fix that is less code.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/c...

This is a CVE security fault fix. That is a few hundred extra bytes of executable code every time it is passed.

This is one of the big nasty facts: insecure code normally runs faster than secure code because it lacks safeguards, and that is why it's insecure in the first place.

So saying that security fixes should not slow things down is asking for the impossible. Of course security fixes should attempt to minimise performance losses due to the fix.

Reply Score: 3

jimmystewpot Member since:
2006-01-19

I think the problem is not that it gets slower it's how much slower it gets. 7.1.1 on the Nexus 6 with no extra apps is significantly more laggy than the 7.0 release train.

Reply Score: 2

So what outdated?
by nicubunu on Wed 15th Nov 2017 07:55 UTC
nicubunu
Member since:
2014-01-08

My 2-year-old midrange phone, which I bought 2 years ago for some 150€, can run all the apps I need and will continue to for at least one more year. Battery capacity still holds. So why would I lose sleep about it being outdated?

Reply Score: 4

iOS < Android
by crocodile on Wed 15th Nov 2017 08:29 UTC
crocodile
Member since:
2010-01-18

Thom, again you promote a loser like iOS and iPhone. 5 years ago iOS and iPhones had over 22% of the worldwide market and now it has 14% and is going down. iOS and iPhones lost the war and Android won.

iPhone and iOS are luxurious products for a niche market of rich people. Promoting iOS and iPhone is like promoting Ferrari cars to normal people.

The fact is Android's security is good enough for most normal people in most countries. Your standard of security is crazy high and can be met only by rich people from rich countries.

Reply Score: 1

hysteria
by unclefester on Wed 15th Nov 2017 08:37 UTC
unclefester
Member since:
2007-01-13

I'm calling complete BS on the story. A billion Android devices are alleged to be insecure. Yet there are no large scale malicious software attacks.

I'm currently running Android devices with 4.4, 5.1 and 6.0.1. To be honest I can barely tell the difference between versions. They all run the latest app versions. It's pretty much like a rolling Linux release except there is no kernel update.

Edited 2017-11-15 08:38 UTC

Reply Score: 5

RE: hysteria
by oiaohm on Wed 15th Nov 2017 09:46 UTC in reply to "hysteria"
oiaohm Member since:
2009-05-30

I'm calling complete BS on the story. A billion Android devices are alleged to be insecure. Yet there are no large scale malicious software attacks.

The story is not BS. It's like router-based attacks: they were forecast in 2001, but large-scale attacks did not start happening until about 2015. There is a delay between forecast and event.

We are seeing attempts to build large-scale Android botnets, with carriers, Google and security researchers working with each other to shut them down. At this stage they are fairly much holding their own, but it is a question how long this will last.

I'm currently running Android devices with 4.4, 5.1 and 6.0.1. To be honest I can barely tell the difference between versions. They all run the latest app versions. It's pretty much like a rolling Linux release except there is no kernel update.

Google has been supporting the userspace, where they can, back 5 years because of people who, like you, are using older Android. So all 3 should be fairly OK for userspace code. The problem is the kernel updates: both the 4.4 and 5.1 devices you have would have fallen out of vendor support.

https://en.wikipedia.org/wiki/File:Android_Version_Usage.png
We can get usage data on phones from the Google Play store. To cover 98 percent of users for how long they keep their phones, at this stage we need to support back to what was released in 2012, and those devices most likely have kernels from 2011. That is if people don't keep Android phones any longer than they currently do.

So we are needing at least 6 years of vendor support. Currently we have been getting 3 years of vendor support. To be on the safe side I would say target 10 years of vendor support.

These numbers also say that from the time Google and vendors fix their method to give the needed time of 6 years, it will take about 6 years to be deployed.

So the data tells us what is required to fix the current problem. Of course we have two options: attempt to push for the processes that will have device vendors support their hardware while it's still in active usage, or wait until we have some attack that is failing to be contained and then attempt to get vendors to extend their support.

Do remember we are talking a 6-year delay at least from when support processes are fixed to when it's fully deployed. It might be 10+ years; it all depends on how long people hold on to their phones.

Reply Score: 2

RE[2]: hysteria
by unclefester on Thu 16th Nov 2017 04:43 UTC in reply to "RE: hysteria"
unclefester Member since:
2007-01-13

Android phones have an effective life of 2-3 years. You can pretty much guarantee the phone will be in landfill long before major exploits are discovered.

Reply Score: 2

RE[3]: hysteria
by oiaohm on Thu 16th Nov 2017 07:04 UTC in reply to "RE[2]: hysteria"
oiaohm Member since:
2009-05-30

Android phones have an effective life of 2-3 years. You can pretty much guarantee the phone will be in landfill long before major exploits are discovered.

Google Play data tells us that people hold on to their Android phones for 5-6 years.

So your effective lifetime guess is way out.

Reply Score: 2

Pixel
by Soulbender on Wed 15th Nov 2017 10:21 UTC
Soulbender
Member since:
2005-08-18

and even if you can buy it, it falls apart at the seams


Everyone I know who has a Pixel is very happy with it but I'm sure you know better as someone who doesn't own one...

Reply Score: 3

Not impressed
by kwan_e on Wed 15th Nov 2017 10:49 UTC
kwan_e
Member since:
2007-02-18

Only 1 billion? Intel says "hold my beer".

Reply Score: 2

RE: Not impressed
by JLF65 on Wed 15th Nov 2017 17:07 UTC in reply to "Not impressed"
JLF65 Member since:
2005-07-06

Yeah, Intel and Microsoft. I'd bet the number of computers running outdated Windows is well over 2 billion. The problem comes down to money - the people running these outdated computers and phones CAN'T update because their system is too old and they can't afford a newer one.

My phone is about four years old, but the "latest" Android it could run was from almost three years ago. I couldn't afford a new phone capable of running an updated Android until recently. It's a little easier to get the latest Linux to work on old hardware, but most people think you won't be able to run the apps/games you want unless you're using Windows, so most people will stick with Windows.

Reply Score: 0

RE[2]: Not impressed
by zima on Wed 15th Nov 2017 23:21 UTC in reply to "RE: Not impressed"
zima Member since:
2005-07-06

Last time I stumbled onto stats about this, there were less than 2 billion PCs total; IIRC around 1.6 billion.
Mobile phones are vastly more popular than PCs ever were.

Reply Score: 3

RE[3]: Not impressed
by JLF65 on Thu 16th Nov 2017 00:35 UTC in reply to "RE[2]: Not impressed"
JLF65 Member since:
2005-07-06

That's old data. We passed 2 billion a couple years ago, and while PC shipments have declined in the last few years, the global total continues to rise.

Reply Score: 1

RE[4]: Not impressed
by zima on Fri 17th Nov 2017 00:01 UTC in reply to "RE[3]: Not impressed"
zima Member since:
2005-07-06

Still, even with revised numbers it's extremely unlikely that "the number of computers running outdated Windows is well over 2 billion" ;)

Reply Score: 3

RE[5]: Not impressed
by oiaohm on Fri 17th Nov 2017 00:58 UTC in reply to "RE[4]: Not impressed"
oiaohm Member since:
2009-05-30

Still, even with revised numbers it's extremely unlikely that "the number of computers running outdated Windows is well over 2 billion" ;)

Unlikely due to the number of PCs. But it would not be impossible, depending on how you measure outdated. If outdated covers drivers, software and OS updates, it is truly possible.

Remember if someone installs all their software from Android store all updates come from the store.

Reply Score: 1

Comment by kurkosdr
by kurkosdr on Wed 15th Nov 2017 16:38 UTC
kurkosdr
Member since:
2011-04-11

Yeah, Google learned from their mistake, that's why they repeated it verbatim with Android TV.

Expect Fuchsia to be much of the same.

Without regulation mandating security patches for an X number of years, the problem will not be solved.

Reply Score: 3

Comment by jido
by jido on Wed 15th Nov 2017 18:18 UTC
jido
Member since:
2006-03-06

Since Android is an "Open" platform, the OS should be user-updatable.

Also I know that BlackBerry releases frequent updates for its Android phones. I am sure there are others. But you need to buy the phone carrier-free to benefit.

Reply Score: 1

Buy an Android device that has custom ROMs
by rklrkl on Wed 15th Nov 2017 21:39 UTC
rklrkl
Member since:
2005-07-06

OK, it's only for tech people (but that's OSnews' target audience isn't it?), but if you don't get a Pixel phone (which I think are too expensive anyway) then research XDA Developers, LineageOS etc. and make sure you get a phone that has a reasonably well supported custom ROM or two.

Use your Android device with the stock ROM during its warranty and when the warranty ends, you can then decide if you want to root/custom ROM your device or not. If the device is still getting stock updates then great, otherwise it's off to custom ROM-land we go.

This is an option that Apple don't provide and can give some Android devices many extra years beyond stock support (heck, my ailing Nexus 10 tablet has actually got an early Oreo build for it!) and often with an Android release that's way better than stock too.

Reply Score: 5

New licensing terms...?????
by mistersoft on Wed 15th Nov 2017 21:48 UTC
mistersoft
Member since:
2011-01-05

While it might be "breaking some implied promise"..


Does Google/Alphabet have to continually license "Android mk222" or whatever future title they wish to moniker their mobile OS in perpetuity??

If indeed that is roughly the terms laid down in the OS AOSP project.....then by all means they should simply come up with a "new" mobile OS. Be it magenta or whatever they end up calling it..

And make the future commercial use terms stricter -- Simply mandate version updates for minimum 3 years or 3 version cycles, whichever is longer.

And non-compliance takes the offending company out of the game. 1 strike and you're out..


Really can't see why it's any harder than this.

AOSP could still live on as an OS project... but would be de facto deprecated.

Reply Score: 2

RE: New licensing terms...?????
by oiaohm on Wed 15th Nov 2017 22:36 UTC in reply to "New licensing terms...?????"
oiaohm Member since:
2009-05-30


And make the future commercial use terms stricter -- Simply mandate version updates for minimum 3 years or 3 version cycles, whichever is longer.

2 to 3 years is the current. What is needed is 5-6 years at least, because this is how long users are holding on to devices at this stage. Google is working on moving the terms to that, but it's not going to help the people who already have devices.

The data collected by Google Play tells us that we need that at a minimum.

Reply Score: 2

Don't Care v. Care
by wocowboy on Wed 15th Nov 2017 22:58 UTC
wocowboy
Member since:
2006-06-01

The argument that 99% of Android users "just don't care" if their phone is running the latest version of Android, which may very well be true based on the fact there is very little hue & cry from users about this situation, stands in stark contrast to the statistics that 50-60 and even 70% of iOS users upgrade their devices in very short order, just a few weeks and months, following a new iOS version release. Are iOS users that much more concerned and dedicated to keeping their devices updated and by definition, secure? It seems that would be so, and is amazing.

Reply Score: 1

RE: Don't Care v. Care
by zima on Wed 15th Nov 2017 23:26 UTC in reply to "Don't Care v. Care"
zima Member since:
2005-07-06

That's possibly because new versions of iOS apps typically run only on current iOS, while on Android new apps run happily on "old" versions of the OS (thanks to the Google Play Services updates mentioned in the article).

Reply Score: 3

What's the alternative?
by zima on Wed 15th Nov 2017 23:28 UTC
zima
Member since:
2005-07-06

Thom, you write

how dangerously irresponsible it is to let average consumers use this platform

...but what other choices are there? Should people move back to "dumbphones"? Apple doesn't want to target "non-premium" users, which form the majority of 2+ billion Android-using population.

Recently you wrote fondly of "race to the bottom" PCs of the 90s in http://www.osnews.com/story/30071/Restoring_a_1998_Packard_Bell_mul... and how "they did make computing accessible to an incredibly wide audience, and they served an important role in the history of computing" ...that's what Android is today, an even greater enabler.

Yes, Android has its issues (like those old PCs had them). However at least they don't seem to hurt it much... (Apple would be all over such news in their keynotes...)

Edited 2017-11-15 23:35 UTC

Reply Score: 4

amazing coincidence
by unclefester on Thu 16th Nov 2017 10:36 UTC
unclefester
Member since:
2007-01-13

I booted up my Samsung Galaxy Tab A 4G this afternoon and an update to 7.1 was available. It was updated from 5 to 6 last year. Since it has no carrier mods, it is obviously the carriers that are holding back updates.

Reply Score: 2