back to article Patching a fragmented, Stagefrightened Android isn't easy

Android users face a triple patching headache with the recent discovery of a collection of serious vulnerabilities affecting smartphones and tablets running Google's mobile operating system. Security experts warn that the fragmented nature of Android devices will make patching more difficult than it would be in updating PCs. …

  1. Anonymous Coward
    Happy

    Ha ha ha ha haah hah haaa

    "For now it's up to users, who are advised to keep a close eye on the patch availability for their particular device and operating system, and apply these critical fixes at their earliest opportunity, according to Rapid7"

    I guess they don't own a Android device more than about a year old then. There's only a couple of makers out there that bother (Google and Sony spring to mind).

    The rest of us? No need to bother we know the answers

    1. heyrick Silver badge

      Re: Ha ha ha ha haah hah haaa

      Sony? My last year device is stuck with Android 2.3.something. Don't know if Samsung will be any better but at least my current phone is running an android from this decade!

    2. The Bam

      Re: Ha ha ha ha haah hah haaa

      My 2014 Nexus 5 was updated OTA yesterday. My 2013 Nexus 7 was updated OTA this morning.

      1. Big-nosed Pengie

        Re: Ha ha ha ha haah hah haaa

        My Nexus 4 got the update yesterday.

    3. mathew42
      Devil

      App to collect update status

      > I guess they don't own a Android device more than about a year old then. There's only a couple of makers out there that bother (Google and Sony spring to mind).

      How hard would it be to write an app that checked the current firmware, compares it with the latest release from Andriod and lists unpatched critical security bugs?

      Apple or Microsoft might even be interested in 'helping'. Alternatively Cyanogen might be interested with a link to installation.

  2. Zog_but_not_the_first
    Gimp

    REM had the answer in 1992?

    Losing my Religion? I thought that was aimed at fanbois looking to switch to Android.

    1. Michael B.

      Re: REM had the answer in 1992?

      Nah, it's obviously Everybody Hurts that they are referring to. Though "Bang and Blame" from a few years later is most companys' approach to security.

      1. Dan 55 Silver badge

        Re: REM had the answer in 1992?

        Automatic for the People... Do I win a prize?

        1. Simon Harris

          Re: REM had the answer in 1992?

          Anyone with an older phone will probably be left in Ignoreland.

    2. Buzzword

      Re: REM had the answer in 1992?

      The difficulty in getting Android updates is on a par with landing a "Man on the Moon".

    3. choleric

      Re: REM had the answer in 1992?

      No no no no no! It's the end of the world as we know it (and I'll flash mine).

    4. tirk

      Re: REM had the answer in 1992?

      Nightswimming? Take your device with you and the vulnerability is gone!

  3. sabroni Silver badge

    Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

    Sounds so much better than "Google made an OS without thinking about security patches and they've just realised that that might be a problem."

    1. dotdavid

      Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

      Technically they have yet to realise it's their problem.

      Frankly I doubt the carriers and manufacturers will ever change, as an Android user Google is our best hope to introduce a sane (read: eliminates the carriers and manufacturers from the process) Android update system.

      1. Adam 1

        Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

        The problem with the carriers is that they have a vested interest in obsolescence. If you have to get a new phone then they get another 2 years contract out of you.

    2. Steve Crook

      Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

      I'm not sure that Google are entirely the problem. Manufacturers and their Android skins mean that there's always going to be inertia in getting ports to earlier versions. Then there's OnePlus, Cyanogen and others who have their own versions of Android.

      Finally, there's the replacement cycle. With phones on 2 year contracts there's little incentive to fix problems when manufacturers know that the phone is going to be replaced with something else relatively soon. If there's little incentive to fix a relatively new phone, there's none to fix something that's second hand.

      It's a mess.

      1. dotdavid

        Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

        Sorry I should have said it's Google's problem to solve, as they're really the only people in the Android ecosystem able to enforce a unified update system on all of the other people.

        What I would give for an Aptitude-style update system for Android; manufacturers, carriers and yes even ROM modders could then just run their own repos.

      2. Naselus

        Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

        "I'm not sure that Google are entirely the problem"

        To be honest, Google have been trying to get a grip on 'Droid fragmentation for at least the last couple of years. Getting handset manufacturers to recognize the problem helps a lot - since as little as six months ago most of them thought OS upgrades meant 'we can sell new handsets' rather than 'we should probably sort out setting these up for our current line-up' - but carriers are even worse; they see it as a massive use of their bandwidth with no rewards whatsoever.

        I know, who'd have thought the people who run mobile phone networks are money-grubbing dicks, right?

  4. Steve Evans

    "it needs to push carriers to push over-the-air updates promptly after fixes become available."

    Carriers?

    I don't think they get a say in it any more... Sure, back in Nokia Symbian days they did (because they were always customising the interface - and generally screwing it up), but on iPhone and Android, the phone polls via the intarwebs for OS updates.

    Whilst it's possible carriers have redirected this, most of them don't bother fiddling with the system partition, they just stick on a few crappy carrier apps, which a system update will happily go underneath.

    The delay is the OEMs like Samsung, HTC and LG, who heavily modify, and change the source of updates from the Google servers to their own.

    1. Khaptain Silver badge

      Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

      "The delay is the OEMs like Samsung, HTC and LG, who heavily modify, and change the source of updates from the Google servers to their own."

      This is definately where the major problems lie, Google have no problem pumping out the base version...

      1. Dan 55 Silver badge

        Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

        Well, the problem is also somewhat Google's in that Android isn't very modularised. What changes do phone manufacturers make apart from changing the theme and adding a few applications? It shouldn't be enough to make updating costly and slow.

        1. Charles 9

          Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

          There can be A LOT of under-the-bonnet changes to the baseline Android core to make a manufacturer's unique features run. Take Samsung's TouchWiz. They added quite a bit to the standard Android. In particular, the WiFi Calling that keeps me on T-Mobile is inseparable with TouchWiz on a Samsung phone. AIUI it's the same across the board; the only phones that do T-Mobile WiFi Calling all have custom UIs where the feature is baked in. It must be baked in pretty deep as in over two years since the likes of the S4 have been released, no one's been able to disentangle the feature and add it to an AOSP-based UI.

          1. Dan 55 Silver badge

            Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

            WiFi calling is SIP and Android's got a built-in SIP client. The same could be achieved on standard Android by T-Mobile making their SIP settings public.

            1. Charles 9

              Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

              It's more than that because of the automatic negotiation and the fact they can tie it to your existing number: something IIRC SIP can't do.

              1. Vic

                Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

                It's more than that because of the automatic negotiation and the fact they can tie it to your existing number: something IIRC SIP can't do.

                SIP can do that trivially - you just need the operator running the number to route the call to their SIP server. It's techincally very easy - although you might find it politically impossible with various operators...

                Vic.

    2. Neil 8

      Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

      I disagree, my old Note 2 on Three was landed with a pile of random lock-up bugs which I could ultimately only fix by replacing the Three image with a pure Samsung one I found online.

      The operators still can and control the image update process and they certainly don't push updates monthly. For phones more than a couple of years old it's more likely never.

    3. Naselus

      Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

      "Whilst it's possible carriers have redirected this, most of them don't bother fiddling with the system partition,"

      Actually, most of them do. I know at least half of the UK networks run the OTA servers for their phones in-house, and it's there that the updates push from; it's probably more than that. The device manufacturers are, after all, using the network provider's bandwidth to push the updates - and a 2gig download to 30 million mobiles is a LOT of bandwidth to allow someone else to randomly use whenever they feel like it.

  5. Neil Alexander

    Google did attempt to repair this mess before with the "Update Alliance", and look how quickly that fell apart. I hate to use the F word, but fragmentation is a problem with Android will never go away.

  6. Warm Braw

    Hm.

    >The Android ecosystem works by the OEMs & vendors being responsible

    I think that's what's called a false premise.

  7. Peter Gathercole Silver badge

    Sony

    Sony aren't much better, unless it is for their permium phones.

    I have an Xperia SP, which I have owned for about 2 years, and still works fine, and does pretty much everything I need it to. The only exception that the internal flash storage is getting full, mainly because the thumbnail cache for the Album app. currently sits at about 1GB of the internal flash used.

    Although 4.4 was originally promised, it never happened, and Sony are saying that they are not intending to issue further patches for 4.3 on any device. And that's ignoring the ISP.

    The problem is, as I see it, that consumers who do not want to update their phone every year are being left stranded with nowhere to go apart from something like Cyanogen.

    I tend to pass my phones down to my kids. Until recently, I had a Samsung Galaxy Apollo running 2.3 and an Sony Xperia Neo running 2.4.3 in use by my kids (the Samsung finally give up the ghost a few weeks back) and I tend to keep phones for 2 years before moving on.

    But I look at the phones that I may move on to, and very little in the midrange that I'm looking at is much better than my SP, and those that are are generally still running 4.3 or 4.4, so may already or could soon enter the unpatched category. I don't value a phone enough to either pay £200+, or enter into a £25+ per month contract that would get me a higher end phone that is likely to remain patched for any length of time.

    I think that there should be regulation that forces updates for a minimum time, at least as long as the longest contract, from the point of initial sale or supply rather than introduction on all devices that could be vulnerable (something like at least four years from introduction or two years from sale, whichever is latest)

    1. dotdavid

      Re: Sony

      Sometimes manufacturer updates aren't what they're cracked up to be. I bought my wife an Xperia Ray (awesome form factor and build quality) after hearing it would get the then-newish Android 4.0 ICS installed. There was indeed an update but it was never rolled out over the air, at least not to my wife's handset. I understand there were performance issues that Sony couldn't be bothered to resolve (the XDA community seemed to manage well enough).

      1. Adam 1

        Re: Sony

        > Sometimes manufacturer updates aren't what they're cracked up to be

        True, but I don't think that updates need to be whatever new flavour of confectionary is out. We just want security patches to be delivered promptly for a period of around the expected lifespan of the computer that happens to sometimes make phone calls.. In fact, automatically changing the messaging app and moving the menus around when moving from ginger bean to ice kit pop is going to cause my folks all manner of confusion so I would prefer nothing visible.

  8. SecretSonOfHG

    Android is the new Windows

    ... and the story somewhat repeats itself. Only this time it is not one company (was MS now is Google) to blame but multiple.

    Google has to accept that their view of the world simply does not match the real world. It is not acceptable to redeem as unsupported anything that is older than two years just because you think that people keeps changing its phone as you release new ones. Carriers, however, are much, much worse. Because for them keeping the phone OS up to date is simply a costly activity which not only costs them money, it also actually discourages its customers to get a new phone.

    To its credit, Android had security designed in. The only flaw was the assumption that it was not going to be exploited. Anything in these days will be compromised and exploited.

    Now grab some popcorn and watch the high profile leaks and lawsuits fly...

    1. Anonymous Coward
      WTF?

      Re: Android is the new Windows

      How is it the new Windows?

      Patches for windows are rolled out for 10+ years and don't rely on on 3rd parties to push them out.

      1. Richard Plinston

        Re: Android is the new Windows

        > Patches for windows are rolled out for 10+ years

        Windows Phone 7 was supported for less than 4 years.

        Windows Mobile 6.5 was supported for little more than 2 years.

    2. James 100

      Re: Android is the new Windows

      In fact I'd say the problem here is that (in one important respect) it *isn't* like Windows. With Windows, Dell can shove in their own buggy drivers and shovel a load of junk adware on top - but it's still Windows, it still gets the updates from Microsoft, and you can buy/download newer versions directly from MS without getting Dell's permission first.

      I do like the flexibility of open source - I'll probably be running CyanogenMod myself soon - but if Google had limited the manufacturer and carrier roles to "you provide Linux kernel drivers and any apps you want" and "you can provide network-specific apps" respectively, keeping control of the core OS and updates for themselves, I think the whole Android platform would be better for everyone. (Including the manufacturers, I suspect, since they'd have less work to do!)

      1. Metrognome

        Re: Android is the new Windows

        I disagree with part of your premise.

        If Google went down the road you describe then Android couldn't/wouldn't be able to boast Andy Rubin (in)famous tweet about what being open meant: https://twitter.com/Arubin/status/27808662429

        Then, as you know, there are two flavours of Android. The Google vetted and approved Android with the various forks that exist. Why should Google be responsible for patching the forks?

  9. Paul Smith

    Bright side

    If Google loses to Oracles copyright claim's, does that mean they could sue Oracle for publishing insecure API's?

    1. Named coward

      Re: Bright side

      If you could sue someone for publishing insecure APIs you could sue pretty much any software vendor which publishes APIs (that includes all OSes and all Open Source) since security vulnerabilities always exist.

      1. JakeMS

        Re: Bright side

        Well.. no.

        You cannot sue any open source projects as 99.999% have a clause in them much like the GPL which states the following:

        "15. Disclaimer of Warranty.

        THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

        16. Limitation of Liability.

        IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

        (Copy and paste, I didn't CAPS it)

        Thus, if the shit hits the fan, it's your problem not the projects. Thus you cannot sue them :-).

        1. Charles 9

          Re: Bright side

          "Fit for Purpose" laws can trump contracts, even ones with "No Liability" clauses.

  10. Nigel 11

    A general problem

    Vendors of devices containing software are allowed far too much latitude to escape any product liability with respect to latent bugs. Contrast the auto industry, where if a serious latent problem is discovered with a car, they have to recall and fix all the cars (or face paying out billion-dollar damages, witness the Ford Pinto). They can't get away with just saying "it's out of warranty" or "it's an old model" or "read the license disclaimers". Similarly, phone manufacturers should be obliged to fix bugs that were present in the device at the time it was sold, or in subsequent versions of its software, use of which is required to provide a fix for day-zero bugs. This for at least five years after sale, preferably ten.

    Of course, the result of stricter product liability would either be more expensive phones, or fly-by-night manufacturers of cheap phones whose business plan includes going into liquidation within a year.

    If Samsung don't patch my S4, the next phone I buy will be a Google one (the only company that pretty much can't evade its moral responsibilities). That, or there will be a breakthrough for a properly open source phone with Linux-style community support.

    1. Charles 9

      Re: A general problem

      That'll never happen. With the car example, people were KILLED as a DIRECT result of the flaws. You'll never be able to pin the same thing on a phone and therefore can never make the risk great enough to require overriding oversight (which in turn gets pushed back by privacy concerns).

      1. Paul Crawford Silver badge

        Re: A general problem

        You could make the phone suppliers responsible for any reasonable loses due to known but unpatched bugs for, say, 5 years after the product was last sold.

        Hell, why not the same thing for ALL products with built-in firmware/software? At least then manufacturers have to factor in the support costs for the shit product development cycle and that might lead to better software by design, and certainly a patching system. You know, like the ones that Linux has been using for 10+ years that for some reason Android phones did not have.

        1. silent_count

          Re: A general problem

          "You could make the phone suppliers responsible for [...] "

          I like the idea but who has the clout to make it more than just wistful dreams?

          - Google won't. They want to suck as much data as possible so they won't do anything to limit the number of manufacturers who make android devices.

          - The US won't. Regulating anything seems anathema to them. Double that for anything which comes between corporations and profit margins.

          - The Chinese might have the clout but don't I can't see them caring enough to bother.

          That leaves the EU. They might just get a sufficient bee in their collective bonnet about protecting European citizens, and it's a large enough market that the phone manufacturers can't just ignore them.

        2. Charles 9

          Re: A general problem

          "You could make the phone suppliers responsible for any reasonable loses due to known but unpatched bugs for, say, 5 years after the product was last sold."

          And how do you do that when the manufacturers are located in countries that simply don't care?

          1. Paul Crawford Silver badge

            Re: A general problem

            "And how do you do that when the manufacturers are located in countries that simply don't care?"

            Then it is the importer. If they can't get an agreement from the manufacturer to cover such requirements & costs then they won't import. If a few go under due to legal problems then no one will import the product and they lose £Ms in sales. Simple really.

            1. Charles 9

              Re: A general problem

              And if they sell direct to international customers over the Internet?

          2. Nigel 11

            Re: A general problem

            And how do you do that when the manufacturers are located in countries that simply don't care?

            Put the manufacturers on a banned list should they fail to honour their legal responsibilities. That threat would certainly keep the big guys like Apple and Samsung and Sony in line. There would doubtless still be "grey" (or outright black) imports of dodgy mobiles from companies you'd never heard of, but at least you'd have the option of buying a trusted brand and getting better.

            The strange thing is how little the big brands seem to care about this issue. When the general public decide that there's really no advantage at all in buying a big brand over buying "cheap and cheerful", because the hardware is no longer sufficiently distinguishable and the software is all equally crap, then the cheapest will be the best. For similar reasons the "free" phone on an expensive 24-month contrick is another doomed business model.

  11. Anonymous Coward
    Anonymous Coward

    The latest (unnamed) privilege escalation hole....

    Unnamed threats are not allowed. Were all names based on something like *gate, *lypse used already?

    Please sponsor a contest for this!

  12. James 51

    In general, how vulnerable are platforms like BB10 and Sailfish that have app compatibility with Android to exploits aimed at Android?

    1. Charles 9

      Hard to say. BB10 is supposed to have QNX under the hood which is normally hardened against exploits, but it's still manmade. About the only reason it and Sailfish don't make headlines are their abysmally-low takeup rates. Much like how MacOS and Linux usually didn't get as much attention by the hackers until recently.

      1. Adam 1

        Jeep runs* QNX. Never underestimate the ability of the universe to create idiots that can break anything.

        *Autocarrot wanted to write ruins. Well played Google.

  13. WonkoTheSane
    Thumb Up

    Android 5.1.1 arrived today

    This version closes the "Stagefright" vulnerability, and arrived on both my Nexus 5 & 7 last night.

    1. wiggers

      Re: Android 5.1.1 arrived today

      5.1.1 came out in April this year, before Stagefright was discovered. Are you sure it fixes this vuln?

      1. WonkoTheSane

        Re: Android 5.1.1 arrived today

        Definitely got a patch, but it actually WASN'T a version bump (my error).

        It WAS a Stagefright fix though, being the first of the new monthly security updates:-

        http://officialandroid.blogspot.ca/2015/08/an-update-to-nexus-devices.html

  14. Anonymous Coward
    Anonymous Coward

    Pushing out updates is not always feasible

    Much of "third-world" telecomms infrastructure is creaky at best. Pushing out multi-MiB updates is guaranteed to bring it to its knees (not to mention drain mobile accounts). Changing only the rotten bits (pun intended) is very tricky. I have no quick fix in mind.

  15. Mikel

    So buy your Nexus from Google

    Build LMY48I. My Nexus 5 is already patched OTA. Problem solved.

  16. Wolfclaw
    Facepalm

    Googles own fault for giving the manufacturers and mobile network free range to bastardise the o/s with any crap they feel like !

    1. Charles 9
      Meh

      And yet it was the only way to make inroads against the iPhone, since only a company like Apple (with its uniquely sirenesque appeal) could actually usurp the control from the carriers. Everyone else (Google included), the carriers could impose "take it or leave it" conditions. And if Google left it, they'd be conceding the phone market to Apple, which to them was unacceptable. So what do you do?

      Besides, the core of Android (where the fault lies) is open-source, meaning anyone can make forks of it (like Amazon has done). Once someone rolls their own, it's basically out of your hands.

  17. andriesfc

    This is 100% the carrier's fault. They insist on either bleeding of profit from OEM per each OTA, or refuse to do it. Apple was the smart one by basically refusing to bend the knee to the carriers. Google, for many historical reasons opted to deal with the carries via proxy with the likes of Samsung, and the various OEM's.

  18. dgurney

    What a shoddily designed OS.

    This is what happens when you release a hacked-together, poorly conceived platform and allow it to be subverted.

    Android was supposed to be the open-source OS that freed us from the tyranny of Apple and telcos. IT ISN'T. Why? Because it has become dozens of hacked, proprietary flavors that are controlled and doled out by those very telcos. And they do it one version at a time for every device from every telco, so users wait months or years or forever.

    Meanwhile, Windows runs on millions if not billions of disparate configurations, and users can pretty much upgrade the day the new OS is released.

    Google's failure to design a proper abstraction layer and hardware reference model make Android a sorry, amateurish excuse for a platform. They blew it. And now where is our great open-source savior?

    1. Charles 9

      Re: What a shoddily designed OS.

      "Meanwhile, Windows runs on millions if not billions of disparate configurations, and users can pretty much upgrade the day the new OS is released."

      Those millions of PCs happen to run on standardized hardware pushed due to need to have a common clone design back in the 80's which grew from there. The phone market matured differently, with multiple highly-competitive firms delivering proprietary, often Trade-Secret- and Patent-protected all-in-one designs that ticked the major box of power efficiency. Such an ecosystem prevents a one-size-fits-all design and because Trade Secrets and Patents are involved (many of them being linchpins), not even Google could force the manufacturers to toe the line.

    2. anonymous boring coward Silver badge

      Re: What a shoddily designed OS.

      It's nothing to do with Android being poorly designed, and everything to do with the carriers being control freaks of the highest order.

  19. anonymous boring coward Silver badge

    "Android users are still expected to seek out these patches and apply them themselves"

    What?

    That's not something your average phone user can do. The carriers actively stop you form doing it!

    Don't pretend as if's just users being a bit lazy that's the problem here.

    This is a mess of the Android Phone industry's own doing, and they should be obliged to sort it out, or else... (Fine them for failing to provide security updates.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like