Android Won't Catch A Break Until Google Fixes The Update System

[Guest]

Security researchers from Exodus Intelligence discovered that the patch Google released to fix the Stagefright media library vulnerabilities is also vulnerable to attacks.

Android Won't Catch A Break Until Google Fixes The Update System : Read more

 

[kawininjazx]

The big companies like LG and Samsung should be "Android Certified" which means they must meet certain updates, patches, etc. by a certain date. They must also push the phone carriers to catch up. My LG took months and months to get Lollipop. then it took a few months to get a patch where I could actually get email through WIFI.

 

[surphninja]

If Google (Alphabet?) doesn't show some leadership and demand it, this will never happen. The economics won't allow for it. Vendors are only interested in supporting their devices currently on sale, and are quite willing to let users on older models suffer the hackers.

Really, I think what we really need is a law against planned obsolescence.

 

[ZolaIII]

Only secure system is open sourced one not because it won't have vulnerabilities to exploit but because they can be easily & quickly patched. It's much more because of OEM's then nature of Android it self that we have this problem. On the other hand Google's & not so capable fat bottom girls working there take their share in this situation. Google's shooting at only healthy feet because of their gread AOSP & being far from Linux kernel main line represents the biggest problem in whole story about share, fast distribution (based on market share) & security problems.
Hopefully organization like Linaro will be able to help in catching to the Linux kernel mainline but that doesn't help with distribution.

 

[gangrel]

If Google can't get the security concerns under control, then IMO Android is at risk...in its entirety. I don't consider this an exaggeration. It won't happen *soon* but I think it will happen without dramatic action.

I'm not sufficiently well versed to understand exactly how Android is organized. The model that should work for it, tho, is something along the lines of Linux...that there is a core, controlled by a relatively small group, and which can be updated and patched by that group, and NOT by the manufacturers/service providers.

If they can't get to something like this, they'll just drive everyone to Apple. It's not that Apple is virus-free...but they can respond to exposed vulnerabilities much better. Businesses will do this fastest. And I'm by NO means an Apple fanboi...I do have 2 iPod Touches, but those also shw me that I don't want to go any deeper with them. And, of course, Apple ONLY wants to build expensive, perceived-as-ultra-premium devices, and there is NO reason to think that will ever change...it's been their motif from day one. And lack of competition would be very bad.

 

[op8]

Really, I think what we really need is a law against planned obsolescence.

...I don't think we have any chance of turning that around, but we can dream.

 

[gangrel]

What do you want? Do you want ARM to stop developing new cores? Or Qualcomm, Samsung, and MediaTek (?) to stop innovating on them? Let's never update screen resolutions, let's never improve mobile modems.

Get a clue. This isn't planned obsolescence. It's the fundamental consequence of rapidly developing and evolving technology, in a wildly competitive market environment.

And right or wrong...EVERY handset maker of midlevel and above units, MUST revamp their lineup at least once every 2 years, or they're going to effectively disappear. With better specs than their last gen. Would Android 2 be capable of driving everything on an S6 Edge adequately? I doubt it.

 

[Christopher1]

IReally, I think what we really need is a law against planned obsolescence.

There is no planned obsolescence here. The technology is just evolving at such a fast rate that devices are outdated in 3-5 years, tops.
That said, the vendors should be required to support their devices, including releasing firmware and OS updates for them, for at least 10 years.

 

[Alathorne]

My own personal answer is to buy phones that are carrier-independent such as Nexus and now Motorola's sales model. I see it as a 3-fold problem. Google must write the security patch, which goes to the device manufacturer, which then goes to the carrier and finally to the end user. By buying carrier-independent, you can at least cut out that third (and often lengthiest) step.

 

[alidan]

how hard is this.
android is the base for everything
3rd parties send their drivers to google to make sure crap works

now android of any flavor can be installed and drivers are sure to work on any os version from now to X (major os revision that requires brand new driver certs)

 

[gangrel]

Alathorne: better still, refuse to buy the excessively skinned variants of Android. And don't *touch* a phone being offered, new, with an older Android version. I can't remember who, but I know I've seen some BRAND NEW phone models...maybe even NOT out yet, but to be released very soon...using Android 4.4. I made the comment a few days ago after Google announced their rapid-update policy: go pure Android, for update speed. So Nexus phones, or (at least for now) Motorola. I also expect Samsung will step up to bat, but I wonder on how many models. Samsung's got such a massive portfolio.

alidan: that makes Google the bottleneck, but I think you're not far off. It should be possible to divorce the GUIs and app-level functionality, which is where the various skins should live, from the hardware-level stuff that might be subject to this kind of certification, and to all the control functionality that should be Google's purview. The issue probably is keeping Android totally open. It's also likely true that getting this kind of code separation is easier said than done.

 

[capt_taco]

What would be better is at least some degree of standardization so that every device does not need its own unique flavor of the same Android version that works only on that model. Then you could do a general update that fixes problems. I know it'll never be perfect, but if they can make one version of Windows and Linux work across all manner of hardware configurations that the OS maker has no control over, surely they could at least get the core functions of Android standardized enough to deal with. Because right now, the main method of updating seems to be that your carrier or manufacturer pushes on out to you if you bought a 10-million selling model like the Samsung Galaxy or HTC One; otherwise, you're on your own.

 

[Karadjgne]

The last really good version of Windows was '95C. In that particular version, most of the' back doors' were deliberately closed / locked / deleted by Microsoft. More than a few of those doors were actually found by others outside of Microsoft, and we're taken note of. I doubt Google isn't doing something similar with the android OS. Just waiting for some enterprising young over achieving Hacker to find the back door before shutting it down, but they will have to account for all the other stuff that actually has a legitimate use for that back door and get those work around in line before making any patch public.

 

[kenjitamura]

even the fragmented "Linux" ecosystem all have a much better security update model

"Even"? Really? The most secure of the three systems listed gets the negative connotation? I've used linux without a antivirus and minimally configured firewall for over 7 years and never had any kind of malware/infection where as without an antivirus you'd be guaranteed to catch a virus on WIndows in under 7 minutes and also very likely to get one on Mac in under 7 hours.

 

[zanny]

even the fragmented "Linux" ecosystem all have a much better security update model

"Even"? Really? The most secure of the three systems listed gets the negative connotation? I've used linux without a antivirus and minimally configured firewall for over 7 years and never had any kind of malware/infection where as without an antivirus you'd be guaranteed to catch a virus on WIndows in under 7 minutes and also very likely to get one on Mac in under 7 hours.

At that, there isn't even a common Linux distro taking security to the extreme. At the high end of (usable) desktops you oculd be running every app containerized, on a grsec kernel with PAX MAC. Add in toolkit level sandboxing (which Gnome and Qt are both implementing) and you have so many more layers of security than anyone else, on top of having the traditional security autoinstall push updates distros like Fedora / Ubuntu / Debian have.

 

[jasonelmore]

They need to cut carriers out of the update cycle.. Carriers should not have to approve and decide who and when people can upgrade..

Google should implement a system that looks something like this.

Google Finalizes code and pushes out to staging site.
Samsung, Motorola, HTC, OnePlus, etc.. all grab build from staging site
Device makers mentioned above, add their skins, apps, and drivers
Device makers upload customized builds to google final secondary staging site
Google pushes the updates to users devices after reviewing device makers changes.

The carrier info that is needed to run the phone is like 2 kb in size.. APN, IMEI, ICCID etc.. that can be pushed after the fact.

 

[Blueberries]

Needs more two-way encryption and authentication of actual cell-towers. Phone A -> Message -> Encryption -> Cell Tower -> Filter unsafe characteristics reassemble completely new manually mapped message header -> Safe message sent to phone B with time stamp -> verification of hash and geological location of cell tower / ping response time -> decrypt safe message

It would at least be harder then. There will always be a way.

 

[jasonelmore]

The last really good version of Windows was '95C. In that particular version, most of the' back doors' were deliberately closed / locked / deleted by Microsoft. More than a few of those doors were actually found by others outside of Microsoft, and we're taken note of. I doubt Google isn't doing something similar with the android OS. Just waiting for some enterprising young over achieving Hacker to find the back door before shutting it down, but they will have to account for all the other stuff that actually has a legitimate use for that back door and get those work around in line before making any patch public.

tell that to the people who used sub7 and Trojan on all those 95 and 98 and ME machines.. any common teenager could become a hacker in those days.

 

[gangrel]

The last really good version of Windows was '95C. In that particular version, most of the' back doors' were deliberately closed / locked / deleted by Microsoft. More than a few of those doors were actually found by others outside of Microsoft, and we're taken note of. I doubt Google isn't doing something similar with the android OS. Just waiting for some enterprising young over achieving Hacker to find the back door before shutting it down, but they will have to account for all the other stuff that actually has a legitimate use for that back door and get those work around in line before making any patch public.

There is almost NEVER a legit use for a back door, and NO legit software should EVER use one.

 

[Christopher1]

There is almost NEVER a legit use for a back door, and NO legit software should EVER use one.

Except that most of those 'backdoors' are things that are documented and put in the OS for a very good reason/you are told what they are used for in the real world.
I.E. with the whole Windows 10 'keylogger' thing that is actually a mechanism to improve the Touch Keyboard functionality.

 

[Blueberries]

The last really good version of Windows was '95C. In that particular version, most of the' back doors' were deliberately closed / locked / deleted by Microsoft. More than a few of those doors were actually found by others outside of Microsoft, and we're taken note of. I doubt Google isn't doing something similar with the android OS. Just waiting for some enterprising young over achieving Hacker to find the back door before shutting it down, but they will have to account for all the other stuff that actually has a legitimate use for that back door and get those work around in line before making any patch public.

There is almost NEVER a legit use for a back door, and NO legit software should EVER use one.

You would probably take $10 billion a year as a "legit use." Most companies do.

 

[gangrel]

Then it's not a back door, by my lights.

 

[back_by_demand]

For all the complaining about Microsoft, they have a single centralised system for updates. All despite having hundreds of OEMs or even PCs custom built from parts and has been doing so for 17 years.

This is for Google to fix, not fob off to the OEMs.

 

[surphninja]

IReally, I think what we really need is a law against planned obsolescence.

There is no planned obsolescence here. The technology is just evolving at such a fast rate that devices are outdated in 3-5 years, tops.
That said, the vendors should be required to support their devices, including releasing firmware and OS updates for them, for at least 10 years.

When you've planned to drop support for a device as soon as the new lineup is released, that's planned obsolescence.

I'm not saying they shouldn't continue to innovate on new designs, but support for the old ones should continue for a certain period of time, especially in regards to security updates.

 

[gangrel]

Most devices continue to be supported for a few years, but true, some makers don't.

I know that, for me at least, the ability and willingness to support for at least a 2-3 year window has become a significant factor. I'm not sure you can expect support for too much longer...the hardware environment with phones evolves so fast. If you ask for 5 years...that would be Froyo. Android 2.2. (Wiki says 2.3 was released in December 2010.) Obviously, the changes between then and now have been enormous, and it's quite likely that a security patch for 5.1 would have to be completely redeveloped to patch 2.2. If it even could be.

I wonder how much the handset makers really foresaw the need for mid- to long-term...call it 2 years for mid-term, 4 for long term...support. When did the security issues really start to surface...a year, maybe 18 months ago? What I think is, we're in the paradigm shift now...from lifestyle adjunct/semi-toy device, to an essential tool and a core part of more peoples' lives, and with a need for security that is equal to the need of a full-blown PC. Or maybe it's just easier to say...they might be small, but modern phones ARE full-blown computers.

Also: we, the users, have encouraged this. A big chunk of the user market buys the big, long-term, EXPENSIVE plans that say, yeah, UPGRADE. We're overcharging you for the plan by SUCH a large amount that we can afford it. This market segment never kept a phone for more than 2 years...so how can you blame the handset makers for planning on longer-term support? As long as the users continue to chase the rainbow of the IDEAL PHONE, obsolescence is inherent.