Google has long struggled with how best to get dozens of Android smartphone manufacturers – and hundreds of carriers – to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone’s firmware is fully up to date, even while they’ve secretly skipped patches.
On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones’ operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a “patch gap”: In many cases, certain vendors’ phones would tell users that they had all of Android’s security patches up to a certain date, while in reality missing as many as a dozen patches from that period – leaving phones vulnerable to a broad collection of known hacking techniques.
Android is a mess.
This is why Google should have controlled the software distribution alongside making it open source. Particularly in regards to the driver level, even if they didn’t quite go as far as trying to get everyone to follow the Linux kernel’s guidelines.
The problem is twofold:
1 – many manufacturers not providing after-sale support
2 – users being way too dependent upon the manufacturer for updates and getting stuck with old & unsupported firmware.
I wish there were better platform standards where neglected users could simply install whatever they wanted from another source.
In addition to that, I wish there were laws that actually protected consumers. Considering how integrated phones have become in people’s daily lives, there should be the expectation that companies take their customers’ privacy and security seriously, and are legally obligated to do what they can to protect it for X years after purchase.
ilovebeer,
Yeah, but you know what, for all the fuss they make over consumer injustices, congress has a terrible track record of actually getting things fixed. A solid block in congress constantly pushes for eliminating rules for corporations because corporations are the ones funding the campaigns that get them elected. Under this quite corrupt system, it’s very difficult for normal uncorrupted people to get elected (and to remain uncorrupted).
Edited 2018-04-13 13:44 UTC
I agree with you on the last bit, save remove the word “congress” and replace it with the words “national governments” and you’ve got it. I can’t think of one governmental body that actually cares about individuals’ rights, in any nation.
It’s easy and fashionable to be cynical. But places with functional governments are generally nicest to live in, and you wouldn’t want to live in places with barely functioning or nonexistent gov…
Even if congress wasn’t under the thumb of corporate purses, they’d be crippled by how divided the country is, in that agreeing to help consumers means agreeing to bipartisanship, which seems borderline criminal these days. Unfortunately I don’t see any way out of this corrupted and corrosive state. I don’t see how anyone could be optimistic when you have 70%, 80%, 90% of the country wanting something and virtually 0% of it actually happening. If the Gettysburg Address were written today it would read, “government of the people, by the people, for the people…. lol j/k GTFO!”
Google responded and the article was updated. I recommend you read it for yourself.
“They noted that modern Android phones have security features that make them difficult to hack even when they do have unpatched security vulnerabilities. And they argued that in some cases, patches might have been missing from devices because the phone vendors responded by simply removing a vulnerable feature from the phone rather than patch it, or the phone didn’t have that feature in the first place. The company says it’s working with SRL Labs to further investigate its findings. “Security updates are one of many layers used to protect Android devices and users,”
Is this the Intel school of security fixes? “We don’t need to fix it because everybody is aware of it now.”
Sounds more like they have their SEP field turned up to full power.
That’s not even the Intel policy, so why would it be the Android policy?
This makes sense. As part of my job I backport Chrome security patches to our Chromium-based product. I can skip up to half of the security patches because we simply don’t have the feature, or, much, much more common: it is a fix of a bug introduced after our last branch point.
Edited 2018-04-13 15:45 UTC
If Android had just stuck with how Linux distributions do things, with a nice auto update of all components (including underlying ones), then allowed a ‘dist-upgrade’ for when new releases are made.
Manufacturers could have then added third party repositories for their own add-ons.
Even Windows 10 is more versatile in its update process than Android is.
Oh sure, and when the end-user was faced with:
Sub-process returned status code:3
Errors encountered while processing package
Yeah, great idea. Not!
Ha, I’ve only ever seen that when running something that is bleeding edge. You’d run something like RHEL or Debian on phones. Something that gets 5+ years of security support.
… and who exactly maintains these repositories?
Who updates the device drivers?
Who makes sure that update “X” doesn’t interfere with update “Y”?
Who handles the error reports?
Start reading the number of quirk workarounds Linux wifi drivers have for defective wifi card firmware or EFI implementations…
The reality here is that once a product is out the door, the maker of the product in many cases wants to cease support. Worse, the problem starts at the individual parts suppliers and every step along the line.
So Google making a new OS will not fix this, particularly with a highly permissive license. I have not seen how they are going to address this problem.
When you understand the problem, demanding that as much as possible is open source and third-party maintainable is really the only way. Of course this puts you head to head with the FCC and others.
After spending more than £500 for an LG phone (the G6) last year and still waiting for the upgrade to Android Oreo, I don’t think I’ll ever buy another Android again. I’ll keep using this until the time is right to buy another iPhone, which has the advantages of being upgraded whenever the new OS comes out and being made by a tech company, not a data company which is always bugging you for free contributions to its database (e.g. asking you to review shops, restaurants etc). I used to use CyanogenMod on my older phones, but Android Pay won’t work with an unlocked bootloader.
While I agree with you that a lot of manufacturers don’t always deliver promised upgrades, in this case you can’t really blame LG as Oreo is seriously bugged. Would you want them to upgrade you to an OS version full of bugs? You’ve seen what happened to some iPhones when Apple released a few buggy software updates throughout the years…
The work they did is impressive, but I am sad Blackberry phones were not included since Blackberry pride themselves on releasing timely Android updates… I guess they really aren’t mainstream nowadays.
Edited 2018-04-14 19:47 UTC