Got a Nexus? Google has five critical Android security fixes for you Google has fixed 12 security bugs in its Android source code – including five that would allow miscreants to achieve remote code execution or root access. The Mountain View giant said its January Android security update includes patches for five CVE-listed security vulnerabilities it rates as "critical" risks, two considered " …
This post has been deleted by its author
I don't know if I'd say bonkers, just ignorant. I agree in theory as a tech geek but after all these years I am really just unaware of any users of at least "first world" android based phones that have suffered at all. If for no other reasons than people seem to keep their phones for < 2 years and their more multilayered security vs Windows PCs for example, have a way larger attack surface, and legacy usage issues, such as admin by default and no vetted "app store". I think most of the vulnerabilities in phones just aren't practically exploitable in a significant way. The real security issue these days is these servers that are getting hacked.
Just another example of why anyone who chooses to use an Android phone is bonkers
Actually, it's just an example of product liability legislation not being properly applied. Companies like Samsung would certainly up the game if they had a few legal cases to deal with. Of course, you're out of luck with your Note II (long out of warranty) but you should be able to stick CM on it without too many problems: a friend of mine keeps his Galaxy II alive with it. Still, if you've got the cash to splurge on an IPhone 6s, then good for you.
Apple does have a justly good reputation for providing updates for all its handsets at once. But this isn't to say that it doesn't leave them exposed to flaws for long periods of time (the IOS 9 release notes indicated some glaring holes) and anecdotal evidence suggests that IOS updates are also used to encourage hardware updates.
I have the Nexus 5; will NEVER buy another Google phone.
After the latest over the air updates my phone will not come out of sleep mode without a reboot.
I can make calls but cannot receive calls till I get a new phone.
Will NOT be a Google phone unless there are major changes.
LG phones are never reliable, why on Earth did Google chose LG for a Nexus phone?
I have a t-mobile galaxy s6 and that has had 6 updates since it came out, with no publicly known vulnerabilities (as of a few days ago anyway). I also have a Note 3 with cyanogenmod that I update monthly with the latest nightly build, which always contains the AOSP patches. So, its hard to say that only Nexus phones are updated promptly. Apple even sits on a bunch of bugs/vulns for a while and then does a release here and there.
After Android shit the bed by the baddies being able to root your phone with an MMS its not even worth comparing the two security wise. Root with an MMS lmfao. With holes that big why bother writing malware? I bet a majority of android devices are still vulnerable even to this day.
EDIT:
@ASDF "I bet a majority of android devices are still vulnerable even to this day."
Since my provider isn't pushing updates to my Android phones, you would be right. I'll have to root or upgrade soon just to update my phone. I won't be getting another Android based phone, not because they aren't fit for purpose, but because providers won't push updates to phones they sold.
Spot on.
Even if the manufacturer is on the ball & creates updates to their devices, the carrier (I'm looking at you Verizon) may never push it out OTA to our handsets. If the carrier can't be bothered to provide security updates in a timely manner, then either we void the warranty by rooting it & upgrading manually, or we buy a brand new device with the latest OS that's available at the time.
I've decided that I will no longer be a Verizon Victim & will be switching just as soon as I'm no longer in peril of being raped to death by early termination fees. Hell, even *APPLE* updates more often than Verizon!
I'm so glad we don't seem to have carrier crippling here in the UK... Did about 10 years back with Nokia Symbian phones. Most of those *never* received an update unless you knew how to change their model number to generic Euro.
I jumped to an Android HTC, quickly leant how bad OEMs are at support and updates and have been Nexus ever since.
The one thing that can be said for Android is the ability to be able to go completely open source with F-Droid is its one big advantage over iOS. But that generally requires voiding the warranty and does require frequent rom flashing (to get latest patches, etc) and is not really an option for a non nerd. Still its perfect for a non-work spare older mobile. Android under warranty is a sucker's bet. Better to ebay an unlocked Android or get an iPhone under warranty.
Android under warranty is a double sucker's bet because you are almost always stuck without recourse to all of Google's lovely spyware Trojan horse software. Best part of cyanogenmod is telling Google Hangouts to fuck off proper and not even having a frigging google account on the phone leaking out your privacy.
Who offers AOSP under warranty? Perhaps Amazon offers Android without GApps forced on you under warranty but it will just be replaced with their privacy busting apps. Samsung apps are just as bad except according to the eStar app put out by those Purdue researchers its apps drain the batteries far worse than Google's.
CVE counts tend to relate more to what platform security researchers are paying attention too as opposed to the security of said platform. Was Android included? That would be my guess of number one OS wise considering the raw number of devices running it world wide.
A CVE ranking by vendor wouldn't include "Android". I suppose Google's would include it but Apple's include OS X, TV OS (the iOS for the Apple TV) and so forth so vulnerabilities in common code may be counted multiple times. Microsoft may suffer from that as well for i.e. vulnerabilities that affect Windows 7, 8, and 10 since those are considered separate products.
Hang on! I read the comments under the article yesterday that said MS didn't have the most CVEs last year and we were all agreed that counting CVEs was a pointless exercise that showed nothing about a platform's security....
Where were you? Running your nightly cyanogen update?
I have a nice shiney Moto X Style. Unfortunately it doesn't have Marshmellow because Vodafone (only seller in Australia) have seen fit to block the update until they've validated it, regardless of the fact that the phone isn't connected to Vodafone. Previously Telstra blocked updates to the Nexus 6.
My only option is to flash the firmware from another country and copy the correct modem files.
The worst part is that I tend to use phones and tablets for more risky activities (e.g. connecting to public wifi) so security updates are even more important.
You guys are behind the times. People no longer care. It's a phone. It works. If you get hacked then you get a new phone and or take it back to the shop and if they get your card details the banks refund you.
That's how most people think. Privacy? Its just a phone!
It's shocking isn't it? But hey here in 1984 people love it...
Ordinary end users simply don't care and in the real world the chances of them getting hacked are vanishingly small. The only thing that would make them sit up and take notice would be something akin to a mass effect Android worm that bricks tens of millions of devices.
The only people flashing ROMs are us techies and even then I'd wager it's a small percentage of the technically savvy folks. Third party ROMs are not the answer. There needs to be a commercially viable incentive for Android vendors to update - ideally one that bypasses the Telcos entirely - and I can't see that happening.
If you're non-techie and concerned about security (which you should always be!), then the Nexus range is pretty well the only sensible Android choice. If you are techie, then it's either Nexus or a device that has CyanogenMod support (Nexus can run CM of course, which is what I do on my Nexus devices).
At least Google is actually releasing monthly security updates now, which puts a little pressure on OEMs/carriers to up their game with similarly scheduled updates. The fact that you can see the security patch level month in "Settings -> About device" helps as well.
I suppose 'good' insofar that Motorola *are* patching stuff (compared to other manufacturers abandoning phones), but it's being done very slowly compared to pre-Lenovo ownership.
My X took months to receive a Stagefright patch, despite announcement of said fix waaay back.
Of course, you're not using your phone for financial transactions, are you?
Or for conducting an extramarital affair? Or for internet dating before you tell your soon-to-be-ex? Or for looking at naughty videos that your employer would not approve of? Because there are criminals called blackmailers and some of them will be tech-savvy.
I don't use my phone for financial stuff, extra- (or intra-) marital affairs, internet dating, or watching naughty videos. I do use it for calling and texting people, email and occasionally reading websites, weather reports, making shopping lists and reminders, and as an alarm clock. Occasionally I use the GPS and mapping. Am I odd?
If Google aren't working on a way of being able to patch handsets irrespective of OEMs and carriers in Android O then they're being incredibly dumb IMHO.
It is encouraging to see that other Android variants (Android TV, Android Auto, Android Wear) get their updates straight from Google - perhaps that is the long term plan but it can't come soon enough.
With Marshmallow, Google has made rooting the device a lot harder, as system integrity is checked at boot time. Luckily the clever Mr. Chainfire has managed to come up with a systemless root to get around this.
Unfortunately these new checks mean you have to return your rooted device to stock recovery before attempting to apply or manually flash any Android updates. There have also been reports of devices boot-looping after applying updates, if the user has previously disabled any of the built-in Google bloatware.
So, on the one hand, Google releases timely security patches, but on the other, they make it increasingly harder for the end user to apply these patches to a rooted device [or to root the device in the first place], or to a device where the Google bloatware/spyware crap has been disabled.
And, to pre-empt the inevitable "people who root only do it so they can run dodgy software" remark, I root my Android devices for one reason only: so I can use the excellent Ad-Away to customise my hosts file and block advertising and spyware [which is potentially a far bigger security threat than many of the ones these patches address].
So, there's the Catch-22: Do you wait [possibly in vain] for your device manufacturer or carrier to get around to rolling out these patches, or do you root the device so you can do the job yourself today —knowing that increasingly the "vulnerabilities" these patches are addressing are the very ones which allow you to root your device and apply timely security patches in the first place?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
