Linked by Thom Holwerda on Fri 11th May 2018 22:47 UTC
Android

Updates are easily the biggest problem facing the Android ecosystem, and Google is working hard to fix that. Project Treble has proven that it's capable of making updates easier, and now Google is stepping up requirements for OEMs when it comes to security patches.

Every little step in this department is a welcome one. It's not yet clear what, exactly, the requirements entail, but hopefully, it's a strict and hard requirement to publish every monthly security update.

Order by: Score:
Finally!
by moondevil on Fri 11th May 2018 22:56 UTC
moondevil
Member since:
2005-07-08

Apparently the largely ignored Oreo's adoption is finally making Google move.

Currently 5.7% adoption after one year, which by this rate would mean Android P would probably never be adopted if they continue to ignore the elephant in the room.

https://developer.android.com/about/dashboards/

Reply Score: 2

RE: Finally!
by gld59 on Sat 12th May 2018 00:09 UTC in reply to "Finally!"
gld59 Member since:
2012-11-09

I wonder how much of that is a result of vendors putting all their resources into putting Oreo on new devices, and having none left to roll out updates to older devices? *If* that is the case, then hopefully once vendors are more familiar with creating the vendor partitions/blobs required for (new) Oreo devices, they can swing resources back to trickling out updates for older devices.

Reply Score: 1

RE[2]: Finally!
by moondevil on Sat 12th May 2018 06:45 UTC in reply to "RE: Finally!"
moondevil Member since:
2005-07-08

If a new device comes out with Android Nougat and gets updated to Oreo, it is not required to go through the Oreo Treble's certification process.

Most new devices on 2018 are still being released with Nougat or Marshmallow on them.

Even if an handset is released with Oreo, thus Treble certified, it is up to the OEM to push the updates, which isn't really happening outside Google, 8.1 is only on 0.8% from those 5.7%.

Reply Score: 2

RE[3]: Finally!
by sj87 on Sat 12th May 2018 17:31 UTC in reply to "RE[2]: Finally!"
sj87 Member since:
2007-12-16

If a new device comes out with Android Nougat and gets updated to Oreo, it is not required to go through the Oreo Treble's certification process.

Most new devices on 2018 are still being released with Nougat or Marshmallow on them.

Most "new devices", i.e. most of the bottom price range, has always been released with an out-of-date Android version. This is because manufacturers just re-package their old hardware from older models and that also means the software. It's not the fault of Oreo nor Google's Treble requirements.

(In Oreo's case, perhaps, the slower-than-usual adoption rate is somewhat explained by the fact that Google released the OS earlier into the year, and the first NEW devices running it followed months later.)

Edited 2018-05-12 17:37 UTC

Reply Score: 3

RE[4]: Finally!
by unclefester on Sun 13th May 2018 02:20 UTC in reply to "RE[3]: Finally!"
unclefester Member since:
2007-01-13

Most "new devices", i.e. most of the bottom price range, has always been released with an out-of-date Android version. This is because manufacturers just re-package their old hardware from older models and that also means the software. It's not the fault of Oreo nor Google's Treble requirements.


No Android version since KitKat is 'out of date'. Android is simply getting more bloated and resource heavy.

Android really needs to go into LTS mode and stop adding BS features and making constant useless. changes.

Reply Score: 1

RE[5]: Finally!
by Alfman on Sun 13th May 2018 07:10 UTC in reply to "RE[4]: Finally!"
Alfman Member since:
2011-01-28

unclefester,

No Android version since KitKat is 'out of date'...


I honestly don't know what you mean by this? I think getting minor updates is a reasonable expectation. The way I see it, if google puts out a minor update and consumer phones never receive it, those phones are out of date.

Android is simply getting more bloated and resource heavy.

Android really needs to go into LTS mode and stop adding BS features and making constant useless. changes.


I don't object to this, but IMHO the lack of bug & security updates has been the bigger problem for my android devices.

Reply Score: 2

v RE[6]: Finally!
by Yoko_T on Sun 13th May 2018 16:15 UTC in reply to "RE[5]: Finally!"
RE[7]: Finally!
by Alfman on Sun 13th May 2018 19:56 UTC in reply to "RE[6]: Finally!"
Alfman Member since:
2011-01-28

Yoko_T,

For those people who live in the *REAL* world, retailers like Target and online sites like Facebook who have access to their personal information and don't really protect it and/or give or sell it to others without their knowledge or permission are the *REAL* problem,not the nonsense you are babbling about.


Mobile users are affected by the same kinds of vulnerabilities that can compromise computers. Buffer overruns are extremely problematic, for example:

https://www.pcworld.com/article/2972168/security/fourth-serious-vuln...

With most computer operating systems we have security updates to protect users from known exploits. The trouble with android devices is that many devices aren't getting updates from the manufacturers. It is pretty foolish to pretend that not having updates for known exploits isn't a problem!

Reply Score: 4

RE[3]: Finally!
by bassbeast on Sun 13th May 2018 09:05 UTC in reply to "RE[2]: Finally!"
bassbeast Member since:
2007-11-11

The problem that Google and the OEMs are gonna be looking at is the rotting elephant in the room that nobody is talking about which is phones have passed the "good enough" stage so that more and more people, just like they have been doing with their PCs for awhile now, simply aren't bothering to replace until the old one dies.

Hell there are still plenty of places selling 5.x devices and why not? They all have quad cores, 1.5-2Gb of RAM, 16-32Gb of storage, nice 5-6 inch screens, good cameras, they are "good enough" for the majority which according to the Google dev list provided above 63% are using 6.0 or older Android phones.

The OEMs haven't cared about updates because they were betting on infinite growth and rollover of old handsets for new, similar to the great PC boom of the late 90s/early 00s but I would argue that is coming to an end and Google knows this, that is why they are pushing for this. But I bet the OEMs sure as hell ain't gonna be happy, heck their entire business model is based on turn over and as more and more simply treat their phone as another appliance its gonna seriously bite them in the bottom line.

Reply Score: 3

RE[2]: Finally!
by Brendan on Sat 12th May 2018 09:55 UTC in reply to "RE: Finally!"
Brendan Member since:
2005-11-16

Hi,

I wonder how much of that is a result of vendors putting all their resources into putting Oreo on new devices, and having none left to roll out updates to older devices? *If* that is the case, then hopefully once vendors are more familiar with creating the vendor partitions/blobs required for (new) Oreo devices, they can swing resources back to trickling out updates for older devices.


The world doesn't work like that.

Imagine you are a mobile phone manufacturer; and you know that by hiring more staff (to roll out updates to older devices) it will cost you $X for the staff and cost you $Y in lost sales due to people not replacing old phones with new phones; but you will also get an additional $Z in publicity (to help sell new phones).

If $X + $Y is less than $Z, then you hire more staff because you'll end up making more profit; and if $X + $Y is greater than $Z you just ignore all the people that want updates because you don't want to lose money.

Note: the words "hire more staff" can be replaced by "not make existing staff redundant" if/where necessary. Either way it's mostly the same $X.

- Brendan

Reply Score: 5

RE[3]: Finally!
by Alfman on Sat 12th May 2018 17:11 UTC in reply to "RE[2]: Finally!"
Alfman Member since:
2011-01-28

Brendan,

The world doesn't work like that.

Imagine you are a mobile phone manufacturer; and you know that by hiring more staff (to roll out updates to older devices) it will cost you $X for the staff and cost you $Y in lost sales due to people not replacing old phones with new phones; but you will also get an additional $Z in publicity (to help sell new phones).

If $X + $Y is less than $Z, then you hire more staff because you'll end up making more profit; and if $X + $Y is greater than $Z you just ignore all the people that want updates because you don't want to lose money.

Note: the words "hire more staff" can be replaced by "not make existing staff redundant" if/where necessary. Either way it's mostly the same $X.


The algebra is sound. Unfortunately if we were to put numbers to those I strongly suspect the costs of supporting older devices along with lower sales caused by longer device lifetimes make it hard to justify better aftersale support.

The thing is that while many people say that they are frustrated with the lack of support, it usually doesn't change their buying behavior. As a business owner I see the same phenomenon with my prospective clients too, where they spend the least possible for services even if nine times out of ten it turns out to be disastrous.

Reply Score: 4

RE[4]: Finally!
by Troels on Sat 12th May 2018 21:58 UTC in reply to "RE[3]: Finally!"
Troels Member since:
2005-07-11

The real thing is that the number of people who care about updates is highly overestimated by the geek community.

I have said it many times before, but the OS updates are too frequent, there is hardly anything in them that anyone care about. Same with many other pieces of software, update notifications and list of what (nothing) is new is the new cookie warning annoyance.

Reply Score: 3

RE[5]: Finally!
by oiaohm on Sat 12th May 2018 23:06 UTC in reply to "RE[4]: Finally!"
oiaohm Member since:
2009-05-30

The real thing is that the number of people who care about updates is highly overestimated by the geek community.

I have said it many times before, but the OS updates are too frequent, there is hardly anything in them that anyone care about. Same with many other pieces of software, update notifications and list of what (nothing) is new is the new cookie warning annoyance.


You have the wrong point of view. People don't care about security until they have the device breached and their bank account emptied.

Updates are important. Now if you want to drop frequency of need updates you have to drop bug count. Drop bug count means improve quality control procedures.

Of course just like general users don't show that much interest in updates until after they are burnt. General users don't demand software makers use the best quality control processes possible either. I guess why is they don't want the pay 4 to 5 the current price for computer stuff.

Reply Score: 2

RE[6]: Finally!
by Alfman on Sun 13th May 2018 06:56 UTC in reply to "RE[5]: Finally!"
Alfman Member since:
2011-01-28

oiaohm,

You have the wrong point of view. People don't care about security until they have the device breached and their bank account emptied.

Updates are important. Now if you want to drop frequency of need updates you have to drop bug count. Drop bug count means improve quality control procedures.


Those are excellent points. Users do care about after sale support and breaches once problems arise, but they often overlook lousy support options at the time of sale. I would think that if they could know ahead of time the specific problems they would face, then it would obviously become factored into their buying decisions, but alas the future can come as a surprise.

Reply Score: 3

RE[6]: Finally!
by Troels on Sun 13th May 2018 07:54 UTC in reply to "RE[5]: Finally!"
Troels Member since:
2005-07-11

Yes, security updates should be released when needed. I am talking about feature updates. It would be much easier for everyone to handle if Google only released every 3rd android version and instead only released security and bug fixes and app updates in between.

Reply Score: 2

RE[6]: Finally!
by Yoko_T on Sun 13th May 2018 15:37 UTC in reply to "RE[5]: Finally!"
Yoko_T Member since:
2011-08-18

"The real thing is that the number of people who care about updates is highly overestimated by the geek community.

I have said it many times before, but the OS updates are too frequent, there is hardly anything in them that anyone care about. Same with many other pieces of software, update notifications and list of what (nothing) is new is the new cookie warning annoyance.


You have the wrong point of view. People don't care about security until they have the device breached and their bank account emptied.

Updates are important. Now if you want to drop frequency of need updates you have to drop bug count. Drop bug count means improve quality control procedures.

Of course just like general users don't show that much interest in updates until after they are burnt. General users don't demand software makers use the best quality control processes possible either. I guess why is they don't want the pay 4 to 5 the current price for computer stuff.
"

You are totally clueless. The threats aren't from lack of "security" or "updates" for the phones or other devices, but the online sites that handle credit card information and other places like Facebook.

Edited 2018-05-13 15:48 UTC

Reply Score: 0

RE[5]: Finally!
by ahferroin7 on Mon 14th May 2018 11:34 UTC in reply to "RE[4]: Finally!"
ahferroin7 Member since:
2015-10-30

I think a better statement is that people don't care about security proactively, only reactively. Anybody who's worked for any extended period of time in the IT industry can tell you that about 90% of users don't care about security until after they've been hacked, and a significant percentage still don't care once that's happened and they've patched that specific hole.

Reply Score: 3

RE[6]: Finally!
by Alfman on Mon 14th May 2018 14:57 UTC in reply to "RE[5]: Finally!"
Alfman Member since:
2011-01-28

aherroin7,

I think a better statement is that people don't care about security proactively, only reactively. Anybody who's worked for any extended period of time in the IT industry can tell you that about 90% of users don't care about security until after they've been hacked, and a significant percentage still don't care once that's happened and they've patched that specific hole.



Totally agree! However, I'm really ashamed to say it's not just "users". While customers would probably prefer for businesses to pay routine costs for security reviews, the reality is many businesses neglect security until after an attack. I've encountered project managers who simply don't want to allocate resources to address security issues or train employees to spot vulnerabilities.

Good security requires a long term commitment with ongoing costs to pay experts to break your product/service. It sounds funny, but if a company hasn't paid a professional to do this, then it's likely they have hidden vulnerabilities that nobody (except for outside hackers) have an incentive to find. Some clients are upset when we identify vulnerabilities that cost them money to fix, nevermind that in the event of an attack it could cost them a lot more!

Edited 2018-05-14 14:59 UTC

Reply Score: 3

RE[2]: Finally!
by unclefester on Sun 13th May 2018 02:24 UTC in reply to "RE: Finally!"
unclefester Member since:
2007-01-13

The low cost models are MTK reference platforms with vanilla Android. This low margin business model makes software updates and ongoing support totally uneconomic.

Reply Score: 3

Re:
by kurkosdr on Sat 12th May 2018 11:09 UTC
kurkosdr
Member since:
2011-04-11

If Google could start by making sure my Nexus 5X won't stop receiving security patches six months from now, that would be great. Then they can turn their attention to OEMs...

Someday, some kid will come up with the Android equivalent of Blaster and the hit to Google's reputation will be huge and the worldwide cost will be in the billions of dollars. This is what you get when you don't regulate the market and let short-term greed dominate decision-making. If the market was completely unregulated we'd be still driving cars without seatbelts spewing lead out of their exhaust and solder in electronics would also contain lead.

Edited 2018-05-12 11:15 UTC

Reply Score: 5