'Over half' of Android devices have unpatched holes

Duo Security is claiming that “over half” of Android devices have unpatched vulnerabilities. The company’s Jon Oberheide says in this blog post that the results come from the first slew of users of the company’s X-Ray Android vulnerability scanner. Promising to announce detailed results on Friday (September 14) at the Rapid7 …

COMMENTS

This topic is closed for new posts.

Mushroom

Only half?

ALL operating systems have unpatched holes. Always.

9
0
Anonymous Coward

All?

Including Linux? Oh wait...

0
0
Bronze badge
Mushroom

Re: All?

Most Linux OSs are about as secure as a paper bag with zillions of vulnerabilities. It's not exactly news.

3
5
Anonymous Coward

Re: All?

>>Most Linux OSs are about as secure as a paper bag with zillions of vulnerabilities. It's not exactly news.

You must be new here.

That's not a popular sentiment in these here forums. The Register operates under the rather shaky premise that Linux is God, and any criticism, even if it's warranted, is dealt with harshly.

1
0
Bronze badge
Mushroom

Re: All?

Well this is a news forum - don't people read about the endless succession of Linux based websites being hacked? Enterprise Linux distributions are much less secure than Windows in terms of number of vulnerabilities, and have been every year since 2003.

This is why you are so much more likely to be hacked if you run a Linux based server than a Windows one. Windows was designed from the bottom up to be secure - whereas with Linux it is only via bolt-on afterthoughts like SEL, full ACLs being an addon, etc, etc.

http://www.zone-h.org/news/id/4737

0
2
Bronze badge
Facepalm

This article...

...was clearly written once home from the pub.

6
2
Bronze badge

Re: This article...

Looks like the "write once, read never" approach. Makes me wonder why I bothered.

And yes, I did use the "send corrections" link.

1
0
FAIL

Re: This article...

.... By a butthurt Apple fanboy who is feeling angry that the iphone5 is a massive fail that's 8+ months behind other key players

0
1
Bronze badge
Thumb Down

Shut up and pay

Apple managed to take a lot of power from the telcos with the first iPhone but most customers still don't control the very phone they pay so much for. The mix of Google, Samsung, and Sprint screwing with the software has made my Galaxy S2 unreliable at best. Now I'm one of the many getting stuck in roaming mode without service. Me repeatedly sending it in for warranty repairs is more of a protest than a way to make any actual progress.

3
1
Silver badge
Linux

Re: Shut up and pay

There is an easy, quick answer:

http://www.cyanogenmod.com/devices/samsung-galaxy-s2

GJC

10
2
Anonymous Coward

Re: Shut up and pay

*sigh* just because you can tinker with your Android smartphone and put the latest custom firmware on there doesn't mean the average punter on the street can or wants the hassle of doing it. I've got an Android tablet and smartphone and the update situation is an absolute mess. I've had to put custom firmware on my phone due to Ice Cream Sandwich being promised then failing to materialise, and as for the tablet, that was abandoned with Gingerbread even though Honeycomb had been out for some time.

Google need to take the Apple approach and try and get more power off the networks for the updating of their devices.

5
6
Anonymous Coward

Re: Shut up and pay

It's nothing to do with Google. The whole Android "take over the world" strategy is to give the software away and just licence a few things like Google applications and their application store.

It's the OEMs who feel the need to customise the OS and extend it. If they used stock Android it could be upgraded easily.

7
0
Silver badge
Linux

Re: Upgrades

"*sigh* just because you can tinker with your PC and put the latest version of Windows on there doesn't mean the average punter on the street can or wants the hassle of doing it."

It's a computer that can make and receive phone calls, not a phone. You want a phone, get a 6310i, it does the job *much* better. As it's a computer, the OS is upgradeable.

Yes, not everyone will want to do this. But the option is there if you want to take control and step out of what you see as a problematic situation.

GJC

6
4
Bronze badge

Re: Upgrades

Geoff Campbell - except the OS ISN'T upgradeable UNLESS the carriers approve of the update. It's nothing like Windows or Linux or Mac OS X - the updates in most of these Android devices have to be approved by the manufacturer. Can you imagine if Dell, HP, etc. had to approve every single Windows update? It'd be a total mess, but Android phones work in this way, unfortunately.

What we need is a mobile OS where the OS is completely separate from the manufacturer's stuff, so it'll be upgradeable by Google when they release it.

4
1
Anonymous Coward

Re: Shut up and pay

Oh hells yes, stock Android is so much nicer than HTC, Samsung or Sony's crufty "enhancement".

1
1
Silver badge
Boffin

Re: @Test Man

I just provided the link to the solution to that problem. Most phones can get stock Android with no manufacturer or operator cruft on.

Yes, I agree, the first-time installation is not as simple as, say, Windows 7, but there are step by step guides provided. Once you've done the first one, upgrading is generally just a matter of copying a zip file onto the phone, rebooting, and selecting the "upgrade me!" option from the menu.

GJC

3
4
Anonymous Coward

Re: Shut up and pay

And Oxygen-ROM is very good if you have say an older HTC and need to get to the Land of Gingerbread ASAP.

According to my fuzzy memory I used Clockworkmod/UnRevoked to root it first.

http://forum.xda-developers.com/wiki/Oxygen_ROM

http://download.oxygen.im/roms/

And apparently some crazies are trying ICS on HTC Desire.....

http://pinappu.hubpages.com/hub/HTC-Desire-Update-with-Android-Ice-Cream-Sandwich-ICS-or-Android-40

I'd be interested to know how well that works.

2
2
Silver badge

Re: Upgrades

> You want a phone, get a 6310i, it does the job *much* better. As it's a computer, the OS is upgradeable.

I both agree and disagree with Mr Campbell.

Many people don't WANT a pocket computer (though I do) but they do want a pocket device that goes on the internet and plays Angry Birds. Something I have heard many times from the less IT savvy is that they don't like the way "things keep bloody changing as soon as I've just got used to them!" (Apple seems to know this; iOS and OSX look roughly like they always have done.)

Technically, I'm sure Mr Campbell is correct - it's self-evident that securing a smartphone is a far bigger challenge than securing a fine old 6210i - though it is itself a connected computer.

That said, my advice to old boys in the pub inquiring recently about getting a smart phone is: stick with your clamshell phone with big buttons and buy an [Android- 'cos of the price] 3G tablet (no long term contract) for checking the cricket scores and emailing grandchildren, and as a general email option for when your laptop starts playing silly buggers again. (This isn't a generalisation of the abilities of my senior fellow drinkers, but based on specific individuals talking about their eyesight, fingers and what they might want such a device for). Any input from Reg readers- or even a Reg article- on this subject would be appreciated.

Cheers

2
0
Bronze badge
Mushroom

Re: Upgrades

With Windows, patching to the latest version is automatic though.

0
1
Anonymous Coward

Re: Shut up and pay

My HTC desire has never been better since I went with cyanogen mod. It wasn’t bad in the first place, but the lack of usable RAM was a problem once you installed a few apps. I expect HTC thought they had all bases covered and you wouldn’t need more than a couple of toys to add...

Looking forward to my Samsung Galaxy Note 2.

1
0

This is one of the reasons I now use an iPhone. I am no longer held hostage by inept or indifferent carriers. My previous Nokia smartphones not receiving timely updates still irritates me.

10
9
Anonymous Coward

Hostage?

"This is one of the reasons I now use an iPhone. I am no longer held hostage by inept or indifferent carriers."

Correct! You're now being held hostage by the manufacturer of your iDevice.

16
6

Re: Hostage?

There is some truth in that because of app store lock-in, though I am extremely happy with my iPad, so my app purchases can be used there if I decide to buy something else.

I was interested in the LG Optimus Vu as much as an eReader as a phone but it is not being released in Australia. I have certainly not been irritated by little things like I was on my previous Nokias.

I have a phone that works and does what I want, it will be tough to make me switch from that now.

7
0
Anonymous Coward

Re: Hostage?

Who provides two years of updates, twice as long as Android devices.

3
2
Thumb Up

That's exactly why I bought my iPhone. I was fed up with not being able to update the firmware to fix the bug because 3 hadn't bothered to authorise it!!

3
1
Silver badge

Didn't Apple drop support on older phones?

Phones that people were still locked into using as they got them new with a 2 year contract. No patches for existing customers there either.

0
3
PJI
Bronze badge
Thumb Down

Re: Didn't Apple drop support on older phones?

No. Not unless the 3G is less than two years old.

0
0

Re: Didn't Apple drop support on older phones?

No, you're wrong. The only ones not supported had contracts that expired years ago. Get your facts straight, if you can.

0
0
Anonymous Coward

Re: Hostage?

You're now being held hostage by the manufacturer of your iDevice.

Not only are they holding you hostage, but they have you by the balls, and if you think about upgrading to a non-i device they start to squeeze!!! Just look at how much of a pain it is to transfer your contacts, apps and media... your fruity friends will just find it less of a hassle to add an "s".

At least with an Android device you can switch manufacturer as and when without too much difficulty....

1
1

Re: Hostage?

There will not be much pain at all if I decided to switch from the iPhone.

My music, ebooks and audiobooks are all in formats that can be read by other software. The files are organised and easy to search. Finally, for media, Apple allows anybody to use the iTunes library with their phone syncing app; they are not allowed to make their phone use iTunes directly like Palm was doing. Nokia have been doing that for years. I used to sync iTunes playlists to my N95 and N8 all the time.

Contacts: I had no problem syncing my address book contacts with my earlier Nokias in the past and do not think it will be a problem in the future. I gave away my N8 because it is a piece of rubbish and kept my N95, which is my emergency backup phone. I have not synced contact changes for a couple of months but will do so soon.

My contacts are duplicated in my Address book and in my Outlook address book, any new phone will be able to work with one of those applications.

There is only as much lock in as you want there to be, in my case bugger all.

2
0
Silver badge

This is why you want to separate hardware from software and both from operators

I mean if there was a decent stable hardware platform for mobile phones, you could simply take a boot medium of your favourite operating system, in the version _you_ want, and install it. Alternatively the phone could boot from SD-card.

It's just not feasible having to port your operating system to every hardware platform, and outsourcing that work to the hardware manufacturers has been proven to be a bad idea. They have no interest in maintaining support for their older devices.

So at least do it like CP/M did it, have a common "BIOS", a layer of software, in ROM, which handles input and output for basic features like setting the correct mode on the LCD or accessing flash and SD or the GSM subsystem or USB. Then have something to enumerate the rest of the hardware.

1
3
Silver badge

Re: This is why you want to separate hardware from software and both from operators

Well, if not the OS maker, and not the device makers (who would have the most knowledge of the device), and not the community (which can't be trusted), then who codes the modules? In the meantime, device makers intentionally use different hardware to differentiate themselves from the competition. As Android relies on an open hardware model (in contrast to Apple which runs a closed integration model), it becomes a tradeoff, and it's one that's rather difficult to solve to everyone's satisfaction. Yes, even to the average consumer since even what "just works" varies from person to person.

0
1
Silver badge
WTF?

I see your fault

"and not the community (which can't be trusted)"

Why shouldn't I trust the community? So far communities like Debian have done an amazing job.

2
0
Devil

What is the real badge of an utter fool?

0
1
Silver badge

I dunno.... 'NATAS' self-tattooed across their forehead?

I give up, why don't you tell us?

1
0
Anonymous Coward

But you need the vulnerabilities

Without the holes, you'd have trouble rooting the phone to remove the crapware.

11
0
Bronze badge
Childcatcher

Re: But you need the vulnerabilities

Right! Being vulnerable to Gingerbreak is a feature, not a problem.

I think vendors are missing a trick not selling multiple versions of their phones. They could target those customers who "just want a phone" (whatever that means) by giving them a closed system that does whatever updates and security it does completely outside the customers' view. The same phone could be sold as an open version of the same; complete control is given to the owner. Or is there such a marketing plan - of which I am unaware - already out there?

0
0
Bronze badge
Mushroom

Re: But you need the vulnerabilities

Crapware on a phone? Yuck. Glad I use WP.

1
4

Over half is a polite way of saying all of them.

Android and malware go together like fat people and donuts.

4
9

Unbranded...

My Droids have always been unbranded, non carrier specific jobbies; I get firmware updates fairly quickly.... but then I am still tied to the device manufacturer, so before the fanbois jump in and point that out, it makes you no better than me...

1
2

I'm glad

I'm glad such exploits existed because without them people would have had a harder time gaining root on their Android phones. No root would mean no custom ROMs, which would mean you would be stuck depending on your carrier to push out an update and hoping their own junk they throw in doesn't slow you down too much or break much.

For all those iSheep who might prattle on about how the iPhone doesn't have such things: how do you think iPhones are jailbroken? Oh right, people exploit a vulnerability in iOS. Every operating system has weak points no matter who makes it, and without them at the moment we wouldn't have the freedom we currently have with our own devices.

3
3

Re: I'm glad

Of course there are holes in everything; there is a big difference, though, between holes that only work when you have physical access to the device and those that do not. And the lack of patching is not just regarding security holes; for most functionality, patches or timely upgrades for additional functionality would be fine as well.

It is a shame that many of the carriers and also the phone manufacturers shoot themselves in the foot with unnecessary personalisation to differentiate themselves. It makes it hard, and systems become unsupported way too quickly.

2
0
Gold badge

Some positive spin on the problem: The freedom to have your device rooted. The hole in the wall of the garden etc.

0
0
Anonymous Coward

Carriers don't care, Nothing new, I'm a Nexus user.

I guess the only way to fix this issue is to get the EU to make it unlawful to abandon products still in their intended life-cycle.

Sometimes the EU can be helpful.

0
0

Re: Carriers don't care, Nothing new, I'm a Nexus user.

In theory I tend to agree... but whose life-cycle?

The manufacturers? (Very short - so they can sell you the next latest and greatest 5 minutes after you've bought it)

The operators? (Very long - so you keep paying them through the nose for all eternity if at all possible)

0
0
Pint

This is why we went Good

Apple has done some good things with OTA iOS updates but you're still (as posted earlier) confined to running an OS with weaknesses baked into them.

In a way, at least you can guarantee that an iOS device has the same flaws as all of the other ones. Apart from, that is, the ones no longer getting updates.

Your personal data is mostly your problem, we're protecting corporate data in a way we're happy with. And I guess now we'll have to strike off the chance for someone to use an iPhone 3GS as it's orphaned from this week on....

Relax, have a beer. It isn't going to get any better. You're always relying on someone else.

And I'm surprised that this article hasn't managed to get the trolls out, it seems that might have been part of the motivation in writing it....

0
1
Silver badge

Re: This is why we went Good

>And I'm surprised that this article hasn't managed to get the trolls out,

I too have been pleasantly surprised by the maturity of this thread... except for Drefsab who is seeing 'iSheep' (whatever they are) where there aren't any...

2
0
Meh

Better get the iPhone 5 then.

I suppose, thanks for saving me theReg!

1
0
FAIL

Too many middlemen

My phone came with Froyo (2.2) and we were promised an upgrade to Gingerbread (2.3) by LG. It took them 9 months to deliver, plus another 7 months for my carrier to add its bloatware and make an OTA update. I'm glad I only waited about 2 months before getting Gingerbread with CyanogenMod.

The weird thing is, LG had a minor update ready at the time, but it wouldn't install. LG was at a loss as to why it wouldn't work.

0
0
Bronze badge

To anyone saying Apple is the answer..

...It isn't!

Nexus is the answer: proper, fully patched Android.

The only way to get updates is to cut out the toss pots who can't be arsed. This is not a Google problem, it's a vendor and carrier problem.

The more layers you add, the worse the support gets. Google are good at fixing the OS; the vendors are worse than Google but better than carriers. The lower you go down the pyramid, the worse the problem gets.

3
2