Fragmented Android development creating greater security risks

The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned. The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in …

  1. Syntax Error

    Who cares

    Most users couldn't care less and the OEMs are not much better.

    1. Indolent Wretch

      Re: Who cares

      To answer your question the security researchers/companies/fear-mongerers care. That's why they constantly bombard these sites with press releases which say nothing of interest.

      1. I ain't Spartacus

        Re: Who cares

        To answer your question the security researchers/companies/fear-mongerers care. That's why they constantly bombard these sites with press releases which say nothing of interest.

        I saw a stat the other day that something like 20-30% of UK online banking activity is now done through mobile devices.

        Google appear not to give a flying fuck about the security of their users, just so long as they keep getting the advertising revenue. At least when Microsoft released XP, mass use of the internet and mass virus outbreaks were relatively new to the world. And they started to respond reasonably quickly, with SP1, automatic updates, checks to make sure you were running anti-virus and the like. Then gave up on the whizzy updates to XP they were working on to re-write the whole shebang in a more secure manner. Vista was that disappointing for a reason...

        This Android updates problem has been around for a very long time now. And I'm not talking about not getting latest shinies, but missing out on security patches for brand new handsets. And Google would appear to have done the square root of bugger-all about it!

        1. P. Lee

          Re: Who cares

          It isn't about Google, it's about OEMs/third-parties who write custom rubbish software, including drivers for their custom hardware.

          I think the subtext is supposed to be "buy an iphone" but I'm not sure I'm getting many security fixes for my 3G either - for the OS or for the apps.

    2. Ugotta B. Kiddingme

      Re: Who cares

      THIS user does. That's who.

      I can't/don't speak for any others, but I care rather a lot about this. My android devices are used for casual gaming and casual web browsing only. Nothing involving credit cards or banking is EVER done on an Android device or, for that matter, my WinPhone. Yes, I give up some cool and convenient functionality. I can live with that - and the ever-so-slightly better security of my personal data that goes along with it.

  2. TeeCee

    Translation

    What they said: "helped the manufacturers fix those problems."

    What this actually means: "Made sure that the manufacturers won't make these particular mistakes again in their new products. Much as we'd have liked them to issue fixes for their existing user base, they all told us to get knotted."

    The problem with allowing a wide variety of hardware and letting manufacturers customise the O/S[1] is that this customisation is being done by cheapskate fucks who regard any design more than a year old as obsolete and any effort spent supporting such as money down the crapper.

    [1] MS found exactly the same with WinMo. The clever thing Google have done with Android is managed to get people to actually blame the device's maker when the thing's an unreliable bag of shite rather than the O/S itself. MS never managed this very important bit of sleight-of-hand marketing.

    1. dotdavid

      Re: Translation

      Yes, when you look at the list of phones they analysed you can see they're only reasonably high-profile ones that the manufacturers might consider providing a patch for. I'll bet the issues are in no way limited to those phones;

      "The researchers analysed five different distributions: Google Nexus 4, Google Nexus 5, Sony Z1, Samsung Galaxy S4 and Samsung Galaxy S5, all running OS versions 4.4.X (except for Samsung S4 running version 4.3)"

      Perhaps the researchers want to keep the manufacturers on-side - if they'd announced that the Samsung Galaxy Ace (or whatever cheap popular-yet-obsolete Android handset they picked) had these problems I doubt a patch would have ever seen the light of day, and they wouldn't have gotten much appreciation from the manufacturer either for highlighting the fact that they can't be bothered to security patch anything but their latest high-profile handsets.

  3. heyrick

    Isn't the real problem here...

    ...that it is damned hard / impossible to update important parts of the core without issuing a completely new firmware upgrade?

    Just imagine if Patch Tuesday was "here you go, now just reinstall Windows". Every time.

    1. Paul Crawford

      Re: Isn't the real problem here...

      Funny how Linux desktop & server have updates easily applied to any part of them, often while the thing keeps running. Why can't phone makers, who use the same OS as a starting point, achieve this known application technology as well?

      1. Richard Taylor 2

        Re: Isn't the real problem here...

        Many phone manufacturers either can not afford to do so or don't have the technical competence (not worth paying for :-)

  4. Richard Taylor 2

    The problem is that 'probably' these manufacturers are under the cosh in terms of costs. And as we all know, security and testing is one of the first things to be chopped by the beancounters. For all their many faults, there are some advantages in paying an Apple premium - they can afford to patch, and will have a godawful problem once the first major vulnerability releases email accounts/passwords/bank accounts etc...

    So for Apple there is the carrot and a hell of a big stick.

  5. Dan Paul

    How about some enterprising software developer create.........

    an Android App that takes away the unnecessary permissions from OTHER Android apps?

    Why the hell does a weather app need permissions for my contacts, photos, etc??????

    Of course Google could have done that when they made Android but they are too busy plowing through your contacts, photos, etc!!!!!!!!!!!!!!!!!!!

    1. Loud Speaker

      Re: How about some enterprising software developer create.........

      Why the hell does a weather app need permissions for my contacts, photos, etc??????

      To email them to the highest bidder! (You must be new to computers).
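The complaint in comment 5 (a weather app asking for contacts, photos and more) can at least be checked before installing. The following is an added example, not code from the thread or from Android itself: it takes an AndroidManifest.xml as decoded by a tool such as apktool (real APKs carry a binary manifest), lists the permissions requested, and flags any "dangerous" permission that falls outside what an app of that kind plausibly needs. The sample manifest, the package name `com.example.weather` and the `WEATHER_BASELINE` set are constructed for illustration; the permission names are real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's "dangerous" runtime permissions, mapped to the group the
# platform puts them in. Real permission names; the list is not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
}

# Constructed manifest for a hypothetical weather app (not taken from any real APK).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""

# What a weather app plausibly needs (an assumption for this example). Any
# dangerous permission outside this set deserves a question before installing.
WEATHER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def requested_permissions(manifest_xml):
    """Return every android:name from <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS   # attribute is in the android: namespace
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit(manifest_xml, baseline):
    """Map each dangerous permission not covered by the baseline to its group."""
    return {perm: DANGEROUS[perm]
            for perm in requested_permissions(manifest_xml)
            if perm in DANGEROUS and perm not in baseline}


if __name__ == "__main__":
    for perm, group in sorted(audit(SAMPLE_MANIFEST, WEATHER_BASELINE).items()):
        print("%-48s unexpected for a weather app (%s)" % (perm, group))
```

`ACCESS_COARSE_LOCATION` is dangerous but expected for weather, so it is not reported; contacts, storage and phone state are. Run the same audit against a decoded manifest of a real app by reading the file instead of `SAMPLE_MANIFEST`; on older Android releases these grants were all-or-nothing at install time, which is exactly why the question in the comment matters.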

  6. Mark 85

    After reading the comments...

    we really need a cynic icon, El Reg

    I'm just as cynical as everyone else but they've pretty much covered what I think.

  7. chasil

    AOSP bugs

    "AOSP [Android Open Source Project] code has had the most eyes on it, from Google, the SOC partners, the OEMs, the community. It is quite reviewed."

    No, it is most certainly not. Let's review the AOSP bugfest:

    - Towelroot

    - Stock browser same origin policy failure

    - OpenSSL

    It goes without saying that the use of OpenSSL *requires* the ability to patch.

    How does 4.1 Jellybean do on the ssllabs.com browser scanner? I would think the score is an F - and if not, it's certainly not for lack of trying.

    1. bitmapbrother

      Re: AOSP bugs

      "No, it is most certainly not. Let's review the AOSP bugfest:"

      Only 3, dookie? BTW, Towelroot was a Linux bug.

      Let's have a look at the hundreds of iOS security exploits:

      http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

      Or what about that Windows 0 Day OS?

      http://www.cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26

      That's only for Windows 7. In total Windows has more than a thousand security exploits.

    2. bitmapbrother

      Re: AOSP bugs

      Oh, look, Microsoft just patched another 0 day. What a bug ridden POS this OS is.

      1. chasil

        Re: AOSP bugs

        Oh, look, Microsoft CAN patch a zero day. Android cannot for fundamental components of /system. The Architects of Android express both arrogance and incompetence, and they deserve the lawsuits that WILL come.

  8. Christian Berger

    The problem with Android was listening too much to hardware manufacturers

    They should have had a "single OS-image" policy from the start. Where you have one Android image which can run on any device, just like you have with most PCs. This would also have made alternative images a lot easier.

    Hardware manufacturers would have had to agree to well defined interfaces, eliminating the need for binary only drivers and making hardware discoverable.

    Unlike previous attempts like Microsoft's MSX, we now can have rather flexible hardware with features added in compatible ways. Your SoCs would, for example, all have the same framebuffer mode, acceleration features however, could be different on each one of those.

  9. chasil

    4.3 jellybean

    The scanner at ssllabs.com reports the stock browser on cm10.2:

    - doesn't support TLS 1.2

    - is vulnerable to logjam

    - is vulnerable to freak

    - is vulnerable to poodle

    How on earth could TLS 1.2 be disabled? And why weren't the MOST STRINGENT security settings used, since there was absolutely no update capability?

    This is truly pathetic. Operating systems simply should not be designed this way.
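Comment 9 asks how a client with no update path could ship without TLS 1.2 and without the most stringent settings. As an added example, not code from the thread or from any Android component, the Python below expresses the four findings the SSL Labs client test reported (no TLS 1.2, Logjam, FREAK, POODLE) as checks on a client's protocol range and OpenSSL-style cipher names, then applies them to a constructed legacy profile and to a hardened `ssl.SSLContext` built with the standard library. The legacy profile is illustrative and was not measured from any device; the hardened context is what "most stringent settings" looks like for a client that cannot be patched later.

```python
import ssl

TLS = ssl.TLSVersion


def _norm(version):
    """Map the MINIMUM/MAXIMUM_SUPPORTED sentinels onto concrete versions so they compare."""
    if version == TLS.MAXIMUM_SUPPORTED:
        return TLS.TLSv1_3
    if version == TLS.MINIMUM_SUPPORTED:
        return TLS.SSLv3
    return version


def assess(min_version, max_version, cipher_names):
    """Return the set of weaknesses a client with this profile exposes.

    min_version/max_version are ssl.TLSVersion values; cipher_names are the
    OpenSSL names of the suites the client offers.
    """
    findings = set()
    lo, hi = _norm(min_version), _norm(max_version)
    if hi < TLS.TLSv1_2:
        findings.add("no TLS 1.2")
    if lo <= TLS.SSLv3:
        findings.add("POODLE")      # SSLv3 CBC padding oracle
    for name in cipher_names:
        if not name.startswith("EXP"):
            continue                # only export-grade suites matter below
        if "EDH" in name or "DHE" in name:
            findings.add("Logjam")  # accepts 512-bit export Diffie-Hellman
        else:
            findings.add("FREAK")   # accepts 512-bit export RSA key exchange
    return findings


# Constructed profile resembling an un-updatable 2013-era stock browser.
# Illustrative only; not measured from cm10.2 or any other device.
LEGACY_MIN = TLS.SSLv3
LEGACY_MAX = TLS.TLSv1
LEGACY_CIPHERS = [
    "ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA",   # DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    "EXP-RC4-MD5",               # RSA_EXPORT_WITH_RC4_40_MD5
]


def hardened_client_context():
    """Client context that refuses everything the findings above depend on."""
    ctx = ssl.create_default_context()          # certificate verification on
    ctx.minimum_version = TLS.TLSv1_2           # no SSLv3/TLS 1.0/1.1 at all
    # Forward-secret AEAD suites only; export, anonymous, RC4 and MD5 excluded.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!RC4:!MD5")
    return ctx


def context_profile(ctx):
    """Extract (min_version, max_version, cipher names) from an SSLContext."""
    return ctx.minimum_version, ctx.maximum_version, [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("legacy  :", sorted(assess(LEGACY_MIN, LEGACY_MAX, LEGACY_CIPHERS)))
    print("hardened:", sorted(assess(*context_profile(hardened_client_context()))))
```

The first print lists all four findings; the second is empty. Modern OpenSSL builds no longer compile export suites in, so `get_ciphers()` on the hardened context cannot even report them, which is the point: a client that cannot be patched has to be built without the weak options rather than relying on a later fix to remove them.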

  10. chasil

    And now, we have Stagefright

    There is now a critical MMS bug on all Android versions from 2.3 up. It allows the exploit of the system account (uid 1000) on many phones.

    http://www.extremetech.com/mobile/210906-950m-phones-at-risk-for-stagefright-text-hack-thanks-to-android-fragmentation

    http://www.pcworld.com/article/2953052/most-android-phones-can-be-hacked-with-a-simple-mms-message-or-multimedia-file.html

  11. gioeleslfierro

    Security is not a priority for OEMs, this is the problem, not Android itself
