Android vulnerabilities

Forums › Android › Android vulnerabilities

1 | 2 | 3 | 4

3848 posts

Uber Geek

Trusted

Lifetime subscriber

#1603090 2-Aug-2016 16:39

NikT:

BlackBerry, Sony, and Xiaomi have been pretty good at keeping up with the patches. Still boggles my mind that phone manufacturers make this much harder for themselves than it needs to be, with endless regional SKUs and unnecessary - unasked for - local-market customisation. What Apple do is not revolutionary or difficult.

tripp:

What i have found is that the telco's seem to be holding things up.

Can't speak for Spark, but when I was there, Voda's testing and approval process took a week at max. The delays were all on the manufacturers' ends*.

Went a little like this:

"When are we getting a new build? Enterprise customers are concerned about recently-publicised vulnerabilities." "Dunno."

"Okay, it's approved, when will you roll it out OTA?" "Dunno."

From the big vendors' perspectives, NZ is a tiny market and its region-specific SKUs are low on the priority chain for updates. Several have said this to me directly. I don't like that at all, but that's how it is. Right now, the truth is that you have to choose between suitability for/reliability on local networks, and frequency of security patches.

*Except that one time HTC decided they'd ship a single flagship SKU with a unified software build to AU and NZ, then found they couldn't roll updates to any of them until every telco in both markets had approved said updates...and naming no names, but some telcos are great at dragging their feet in the name of user experience.

Well the telco's need to start screaming at the suppliers or something, if it is the OEM's holding it up yet they have said they will be doing monthly updates then it should be up to the telco to keep on to them about it. It may be an issue if people start requesting refunds for handsets due to OEM's not doing what they say they will. Guess it could also hit retailers.

1eStar

1604 posts

Uber Geek

#1603142 2-Aug-2016 18:14

With all these android vulnerabilities in the wild, has anyone actually been affected? Or are we just a storm in a teacup here?

rmt38

320 posts

Ultimate Geek
Inactive user

#1603367 3-Aug-2016 09:53

1eStar: With all these android vulnerabilities in the wild, has anyone actually been affected? Or are we just a storm in a teacup here?

That's not how it works.

nakedmolerat

4629 posts

Uber Geek

Trusted

Lifetime subscriber

#1603378 3-Aug-2016 10:14

1eStar: With all these android vulnerabilities in the wild, has anyone actually been affected? Or are we just a storm in a teacup here?

+1, we have heard this since the beginning of Android.

NzBeagle

961 posts

Ultimate Geek

Trusted

#1603385 3-Aug-2016 10:22

How many Windows vulnerabilities have existed and users themselves have failed to run windows update? Sensible use of both mobiles and PCs might help avoid some of the vulnerabilities also.

In saying that, I don't think this makes it ok. If fixes are available, users should be able to access them. As others have said, perhaps there needs to be more separation between the updates. Google already has some of this with the way it updates certain things through the Play Store, even some of the manufacturers have moved aspects to the Store for easier updating. Some aspects shouldn't be held up by carriers and/or manufacturers surely.

Blackberry Priv is tempting, something different, plus it is getting 'Nexus like' updates and timeframes.

rmt38

320 posts

Ultimate Geek
Inactive user

#1603386 3-Aug-2016 10:22

nakedmolerat:

1eStar: With all these android vulnerabilities in the wild, has anyone actually been affected? Or are we just a storm in a teacup here?

+1, we have heard this since the beginning of Android.

To me, the difference is that you know of the problem and have accepted the cost/benefit trade-off. But my parents who both have androids and read emails and roam on the devices overseas, do not know of the cost and have not accepted the cost/benefit trade-off.

What if all these idiots who scam pensioners by phone who you see on trade-me realise they can get the personal information/access by sending emails? What if the ransomware people who are out there and are active expand their market from pc/mac/desktop?

You can accept the cost, and I can reluctantly do so as well, but my outlook is that it is a matter of time.

tripp

3848 posts

Uber Geek

Trusted

Lifetime subscriber

#1603389 3-Aug-2016 10:28

nakedmolerat:

1eStar: With all these android vulnerabilities in the wild, has anyone actually been affected? Or are we just a storm in a teacup here?

+1, we have heard this since the beginning of Android.

That's the issue however, people don't really view that their phones could get hacked etc, most people are in the frame of mind as PC users back in the mid/late 90's. All it would take is some encryption virus to hit and know how to jump to devices via bluetooth/wifi and all hell would break loose.

Sure google and apple check apps on the market place however there have been a couple of times that google has missed things in the apps, I am sure apple has slipped up once or twice as well.

Android lets you run any 3rd party apk from the web (if you OK the install). There is a reason why google is doing a monthly security update now, should we all just accept that there is no issue? Or should we now expect OEM's etc to supply updates.

Would you be happy if your windows / MacOS / Linux did not get security patches or your antivirus supplier did not release patches for months?

People need to think about what they have on their phones, they have banking apps, payment systems, personal details, password apps etc, if anything, hitting a phone has a bigger payoff than hitting a PC/Mac these days.

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

rmt38

320 posts

Ultimate Geek
Inactive user

#1603406 3-Aug-2016 10:48

tripp:

People need to think about what they have on their phones, they have banking apps, payment systems, personal details, password apps etc, if anything, hitting a phone has a bigger payoff than hitting a PC/Mac these days.

I was reading about, what is it, IFTTT on this forum. Do people grant access to it, to all their services? Email, twitter, instagram, .. Well, the main one would be email. I saw 6000 people had an IFTTT rule that did something with their email. How many of these services have precise apis that can be locked down to just limited access?

richms

28172 posts

Uber Geek

Trusted

Lifetime subscriber

#1603485 3-Aug-2016 12:23

The gives access to everything model is something I hate about google. I dont want to be logged into my email just to be able to favorite youtube videos etc. I used to have seperate google accounts for things to sort that out, but with the youtube red free with google play music deals and things like that it is harder to do so.

Richard rich.ms

1eStar

1604 posts

Uber Geek

#1603918 3-Aug-2016 22:20

Google considers that having root access is a vulnerability.

If I want to have updated security patches on my 4year old Samsung, I need to root and rom it.

Oh the irony...

rmt38

320 posts

Ultimate Geek
Inactive user

#1603999 4-Aug-2016 07:32

I looked at my redmi note 2 last night, up to date with 2016-08-01 security patch level. Miui do seem to be doing a pretty good job.

1101

3122 posts

Uber Geek

#1607433 10-Aug-2016 09:57

Lets not blame the telco's

Its an industry wide issue for Android (with some exceptions)
God knows , the telcos arnt to blame for no updates on Andriod tablets. So saying its the telcos is a red herring.
When famous brand tablets are sold, new, with old versions of Android, and then your Tablet is somehow obselete within a year (no more updates) :Samsung.....

Lets put the blame where it belongs, at the one company who could force some action on rolling out updates & patches. The one company that has some
say over what happens with its brand when installed on other companies hardware .

olivernz

497 posts

Ultimate Geek

ID Verified

Trusted

Lifetime subscriber

#1607438 10-Aug-2016 10:11

You can blame the telcos though. They should be pressuring the Mobile suppliers. Take LG G4 for example. Still sitting on Android 6.0 in NZ although the 6.0.1 release has been OTA in the rest of the world for months! So what's the problem???

tripp

3848 posts

Uber Geek

Trusted

Lifetime subscriber

#1607516 10-Aug-2016 11:45

Just an FYI

I have flashed the non branded AU firmware on my samsung edge 7 a couple of weeks ago and on Saturday I got the OTA with security fixes and July's security patch.

Just checking the firmware for all 3 of our telcos here (spark, voda, 2degrees) and they still only have firmware dated back in April.

NikT

1710 posts

Uber Geek

Trusted

#1608510 10-Aug-2016 12:16

olivernz:

You can blame the telcos though. They should be pressuring the Mobile suppliers. Take LG G4 for example. Still sitting on Android 6.0 in NZ although the 6.0.1 release has been OTA in the rest of the world for months! So what's the problem???

LG has basically no mobile presence in NZ (Because they don't want to invest in marketing, so the big telcos aren't interested), and I doubt a significant number of units were brought in from AU and actually sold through 2degrees/Harvey Norman. Consider it's a tiny subsection of an already limited SKU for APAC, and you can see why it's not LG's #1 priority. I can also imagining pressuring LG - who, again, provide no marketing support, and chose not to bring the G5 to NZ because there was no interest - won't get 2d anywhere. What are they gonna hold over LG, not ranging their next phone either? When a product drops in price, it isn't because it sold well.

The problems with updates are, fundamentally:

Updates, especially platform updates, cost a LOT of money to build, test, certify, and roll out
The average customer does not care about updates, or actively hates them (For which I largely blame legacy versions of Windows)
The only three companies which are financially incentivised to provide ongoing updates are Google, Apple, and Microsoft, because they own the ecosystems and get revenue from app/content sales
There's only so much profit to be made in a given handset once the costs of R&D/manufacturing/logistics/marketing/training/GST/Et cetera are taken off the top
That revenue gets spread very thin over an installation base through the course of a device's commercial lifecycle (Time it's sold through official channels for), even more so over its consumer lifecycle (Time it's in use for), so the high costs to the companies vs. limited benefits aren't worth it
There are too many different hardware SKUs globally, and too many individual telco/market software builds to maintain in a reasonable timeframe

This needs to be fixed. Incentivising Android OEMs to update has to come from Google. They could share revenue from purchases made from a given vendor's handsets provided they're running the latest Android version or security patch. They could provide support, kickbacks, rebates per SKU, et cetera. The issue with too many SKUs may solve itself in time as telcos globally migrate to LTE and common frequencies, or it may get worse as every spare scrap of spectrum is deployed and devices need to accommodate 4-5 obscure bands per network per country for maximum network performance.

Look, as an enthusiast who got to see the inner workings of the industry, I feel you. I'm passionate about updates and security, and it bothers me that there's a trade-off between the best network experience and timely feature/bugfix/security patches. But the reality is that an update to the G4 isn't going to come any faster if 2degrees' devices team calls up LG Australia and complains. NZ is too small, the volumes sold here are too low to make a difference, and the solutions have to come from a different place.

I also note that BlackBerry has differentiated itself in Android-land by providing timely security patches, but enthusiasts who do want those updates aren't exactly rushing out to buy a Priv.

Product Manager @ PB Tech

Smartphones @ PB Tech | Headphones @ PB Tech

1 | 2 | 3 | 4