Linked by Thom Holwerda on Thu 12th Apr 2018 22:42 UTC, submitted by emmzee
Android

Google has long struggled with how best to get dozens of Android smartphone manufacturers - and hundreds of carriers - to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.

On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period - leaving phones vulnerable to a broad collection of known hacking techniques.

Android is a mess.

Spiron
Member since:
2011-03-08

This is why Google should have controlled the software distribution alongside making it open source. Particularly in regards to the driver level, even if they didn't quite go as far as trying to get everyone to follow the Linux kernel's guidelines.

Reply Score: 3

Android is a mess.
by Alfman on Fri 13th Apr 2018 03:15 UTC
Alfman
Member since:
2011-01-28

The problem is twofold:
1 - many manufacturers not providing after-sale support
2 - users being way too dependent upon the manufacturer for updates and getting stuck with old & unsupported firmware.

I wish there were better platform standards where neglected users could simply install whatever they wanted from another source.

Reply Score: 4

RE: Android is a mess.
by ilovebeer on Fri 13th Apr 2018 05:36 UTC in reply to "Android is a mess."
ilovebeer Member since:
2011-08-08

The problem is twofold:
1 - many manufacturers not providing after-sale support

The bottom line is there's more money to be made that way. If they could get away with selling phones as-is, they would do it in a heartbeat.

2 - users being way too dependent upon the manufacturer for updates and getting stuck with old & unsupported firmware.
It's not unreasonable to expect your device's manufacturer to provide at least security updates. I don't think it would be unreasonable to legally require manufacturers to provide security updates for at least a 3-5 year term, preferably the latter.

I wish there were better platform standards where neglected users could simply install whatever they wanted from another source.

In addition to that, I wish there were laws that actually protected consumers. Considering how integrated phones have become in people's daily lives, there should be the expectation that companies take their customers' privacy and security seriously, and are legally obligated to do what they can to protect it for X years after purchase.

Reply Score: 5

RE[2]: Android is a mess.
by Alfman on Fri 13th Apr 2018 13:43 UTC in reply to "RE: Android is a mess."
Alfman Member since:
2011-01-28

ilovebeer,

The bottom line is there's more money to be made that way. If they could get away with selling phones as-is, they would do it in a heartbeat.

Time after time we see how consumers are hurt by companies that say these things are important, but then fail to change. It's like Zuckerberg apologizing but not actually doing anything about it. You are right about money being a large factor: between protecting user privacy and security and maximizing profits, profits almost always win out.

In addition to that, I wish there were laws that actually protected consumers. Considering how integrated phones have become in people's daily lives, there should be the expectation that companies take their customers' privacy and security seriously, and are legally obligated to do what they can to protect it for X years after purchase.
Yeah, but you know what, for all the fuss they make over consumer injustices, congress has a terrible track record of actually getting things fixed. A solid block in congress constantly pushes for eliminating rules for corporations because corporations are the ones funding the campaigns that get them elected. Under this quite corrupt system, it's very difficult for normal uncorrupted people to get elected (and to remain uncorrupted).

Edited 2018-04-13 13:44 UTC

Reply Score: 4

RE[3]: Android is a mess.
by darknexus on Fri 13th Apr 2018 13:51 UTC in reply to "RE[2]: Android is a mess."
darknexus Member since:
2008-07-15

I agree with you on the last bit, save remove the word "congress" and replace it with the words "national governments" and you've got it. I can't think of one governmental body that actually cares about individuals' rights, in any nation.

Reply Score: 1

RE[4]: Android is a mess.
by zima on Sun 15th Apr 2018 17:27 UTC in reply to "RE[3]: Android is a mess."
zima Member since:
2005-07-06

It's easy and fashionable to be cynical. But places with functional governments are generally nicest to live in, and you wouldn't want to live in places with barely functioning or nonexistent gov...

Reply Score: 3

RE[3]: Android is a mess.
by ilovebeer on Fri 13th Apr 2018 15:09 UTC in reply to "RE[2]: Android is a mess."
ilovebeer Member since:
2011-08-08

Even if congress wasn't under the thumb of corporate purses, they'd be crippled by how divided the country is, in that agreeing to help consumers means agreeing to bipartisanship, which seems borderline criminal these days. Unfortunately I don't see any way out of this corrupted and corrosive state. I don't see how anyone could be optimistic when you have 70%, 80%, 90% of the country wanting something and virtually 0% of it actually happening. If the Gettysburg Address were written today it would read, "government of the people, by the people, for the people.... lol j/k GTFO!"

Reply Score: 2

Google response
by Milan Kerslager on Fri 13th Apr 2018 03:18 UTC
Milan Kerslager
Member since:
2009-11-20

Google responded and the article was updated. I recommend reading it yourself.

"They noted that modern Android phones have security features that make them difficult to hack even when they do have unpatched security vulnerabilities. And they argued that in some cases, patches might have been missing from devices because the phone vendors responded by simply removing a vulnerable feature from the phone rather than patch it, or the phone didn't have that feature in the first place. The company says it's working with SRL Labs to further investigate its findings. "Security updates are one of many layers used to protect Android devices and users,"

Reply Score: 6

RE: Google response
by Kroc on Fri 13th Apr 2018 07:20 UTC in reply to "Google response "
Kroc Member since:
2005-11-10

Is this the Intel school of security fixes? "We don't need to fix it because everybody is aware of it now."

Reply Score: 2

RE[2]: Google response
by darknexus on Fri 13th Apr 2018 16:44 UTC in reply to "RE: Google response "
darknexus Member since:
2008-07-15

Sounds more like they have their SEP field turned up to full power.

Reply Score: 1

RE[2]: Google response
by grat on Fri 13th Apr 2018 21:45 UTC in reply to "RE: Google response "
grat Member since:
2006-02-02

Is this the Intel school of security fixes? "We don't need to fix it because everybody is aware of it now."
That's not even the Intel policy, so why would it be the Android policy?

Reply Score: 3

RE: Google response
by Carewolf on Fri 13th Apr 2018 15:43 UTC in reply to "Google response "
Carewolf Member since:
2005-09-08

This makes sense. As part of my job I backport Chrome security patches to our Chromium-based product. I can skip up to half of the security patches because we simply don't have the feature, or, much much more common: it is a fix of a bug introduced after our last branch point.

Edited 2018-04-13 15:45 UTC

Reply Score: 7

There is an answer to this...
by leech on Fri 13th Apr 2018 17:24 UTC
leech
Member since:
2006-01-10

If Android had just stuck with how Linux distributions do things, with a nice auto update of all components (including underlying ones), then allow a 'dist-upgrade' for when new releases are made.

Manufacturers could have then added third party repositories for their own add-ons.

Even Windows 10 is more versatile in its update process than Android is.

Reply Score: 0

RE: There is an answer to this...
by darknexus on Fri 13th Apr 2018 20:16 UTC in reply to "There is an answer to this..."
darknexus Member since:
2008-07-15

Oh sure, and when the end-user was faced with:
Sub-process returned status code:3
Errors encountered while processing package

Yeah, great idea. Not!

Reply Score: 0

leech Member since:
2006-01-10

Oh sure, and when the end-user was faced with:
Sub-process returned status code:3
Errors encountered while processing package

Yeah, great idea. Not!
Ha, I've only ever seen that when running something that is bleeding edge. You'd run something like RHEL or Debian phones. Something that gets 5+ years of security support.

Reply Score: 1

RE: There is an answer to this...
by grat on Fri 13th Apr 2018 21:47 UTC in reply to "There is an answer to this..."
grat Member since:
2006-02-02

... and who exactly maintains these repositories?

Who updates the device drivers?

Who makes sure that update "X" doesn't interfere with update "Y"?

Who handles the error reports?

Reply Score: 5

Really its not just Android.
by oiaohm on Fri 13th Apr 2018 22:23 UTC
oiaohm
Member since:
2009-05-30

Start reading the number of quirk workarounds Linux wifi drivers have for defective wifi card firmware or EFI implementations .....

The reality here is once a product is out the door, the maker of the product in many cases wants to cease support. Worse, the problem starts at the individual parts suppliers and every step along the line.

So Google making a new OS will not fix this, particularly with a highly permissive license. I have not seen how they are going to address this problem.

When you understand the problem, demanding that as much as possible is open source and third-party maintainable is really the only way. Of course this puts you head to head with the FCC and others.

Reply Score: 5

Will probably never buy Android again
by IndigoJo on Sat 14th Apr 2018 16:01 UTC
IndigoJo
Member since:
2005-07-06

After spending more than £500 for an LG phone (the G6) last year and still waiting for the upgrade to Android Oreo, I don't think I'll ever buy another Android again. I'll keep using this until the time is right to buy another iPhone, which has the advantages of being upgraded whenever the new OS comes out and being made by a tech company, not a data company which is always bugging you for free contributions to its database (e.g. asking you to review shops, restaurants etc). I used to use CyanogenMod on my older phones, but Android Pay won't work with an unlocked bootloader.

Reply Score: 0

Vistaus Member since:
2018-03-21

While I agree with you that a lot of manufacturers don't always deliver promised upgrades, in this case you can't really blame LG as Oreo is seriously bugged. Would you want them to upgrade you to an OS version full of bugs? You've seen what happened to some iPhones when Apple released a few buggy software updates throughout the years...

Reply Score: 2

A big task, but not complete
by jido on Sat 14th Apr 2018 19:47 UTC
jido
Member since:
2006-03-06

The work they did is impressive, but I am sad Blackberry phones were not included since Blackberry pride themselves on releasing timely Android updates... I guess they really aren't mainstream nowadays.

Edited 2018-04-14 19:47 UTC

Reply Score: 3