Researcher outs Android exploit code

A security researcher has released proof-of-concept code that exploits a vulnerability in most versions of Google's Android operating system for smartphones. M.J. Keith of Alert Logic said he released the attack code to expose what he characterized as inadequate patching practices for the open-source mobile platform. Rather …

COMMENTS

This topic is closed for new posts.
  1. phisherofmen

    Network's fault?

    Many of the networks are slow to allow their contract customers to get the latest versions of the OS and when finally they do release it, it's crippled with branding toss.

    I think the networks either do not realise how important updating the OS can be or just don't give a damn.

    1. .thalamus

      Not just the networks

      The Android platform source code isn't being patched for current releases. That is the main issue.

      Also, then you get an additional delay due to manufacturers and networks hacking about with the updates.

      I would argue that you are more secure on Android if you are rooted and have a well maintained custom ROM installed, like CyanogenMod.

      1. Anonymous Coward
        FAIL

        I work in IT

        So when I leave the office I don't want any more headaches, I want something that works and is secure out of the box. BIG HUGE FAIL for Android. Call me a fanboy if that's the only argument you have...

        1. HollyHopDrive
          Coat

          Muppet

          Before you get all smug about your iphone http://www.techeye.net/mobile/iphone-too-insecure-for-a-life-of-crime

          I'll get my coat, it's the one with HTC Desire in the pocket....

    2. Anonymous Coward

      Branding toss...

      Branding toss is something you're going to have to put up with, if you want five hundred quid's worth of phone for nothing but a small monthly subscription and call charges. It'd be nice not to have it, but personally I go for the "free" phone option...

      1. Bill Cumming
        Thumb Up

        It's funny that...

        My contract Desire HD from "three" came with no upfront cost, unbranded and unlocked,

        Looks like a stock HTC phone.

        So not ALL networks are as bad as Vodafail (Sorry! I mean Vodafone)

      2. Anonymous Coward
        Flame

        what floats your boat I guess

        I'd rather take the paid for version of the phone on an installment plan. Not only is it branding-free, I'm also free to pop in any SIM I want into the phone, useful for going on holidays and not having to put up with roaming charges (protip: Prepaid cards are typically cheap to own in Asian countries and you can dispose of them once you've depleted your call time and are leaving the country).

      3. Geoff Campbell Silver badge
        Boffin

        @Fraser

        Do the sums, Dude! The so-called "free" phones generally cost a couple of hundred quid more than buying SIM-free and getting a SIM-only deal from the network operator of your choice. And so you are paying for the privilege of getting all the network branding and operator lock-in.

        Makes no sense to me at all. If you can't afford the phone, take out a bank loan to pay for it, it'll still work out cheaper.

        GJC

    3. matt 83
      Boffin

      title

      I think his point is that Android needs a system for patching that doesn't involve upgrading the whole OS in the same way Windows Update or apt-get upgrade works.

      This would allow phone manufacturers or Google themselves to release security updates without having to wait for the networks' marketing departments deciding what default wallpaper and crummy apps they want to push on users.

      In theory there shouldn't be anything stopping the latest WebKit code going into Android 1.5 etc.

      I'm a bit surprised Google didn't plan for this from day 1 as selling phone manufacturers subscriptions to a security update service is an obvious way for them to make money from hardware sales.

  2. jco
    Boffin

    Whose patching?

    I own an HTC Desire and my wife a Samsung Galaxy S. I see the quality of the software maintenance differs incredibly between those two vendors.

    Since both of them use proprietary software or heavy customizations on top of (or inside) Android, I can't see what Google could do to release patches quickly.

    Personally, considering Android's fragmentation, I think the only thing Google can do to improve software patching by the various vendors is putting pressure on them on a political (or maybe economical) level...

    JMTC, jco

    1. Anonymous Coward

      I just

      I just wrote a post without reading yours but I did answer your question.

      "I can't see what Google could do to release patches quickly."

      With Gingerbread, they're moving an unknown amount of the "default" applications into the Market. Much like how Google Maps now comes pre-installed but can still be updated through the Android Market.

      When this happens, application vulnerabilities will be able to be patched as quickly as the vendor can write the code and press 'Publish' in the Android Market.

      Core OS vulnerabilities will still need an OTA firmware update and thus the operators to pull their fingers out.

      1. Ian Yates

        Re:

        "Core OS vulnerabilities will still need an OTA firmware update and thus the operators to pull their fingers out."

        Another part of Gingerbread/3.0 is the dislocation (not the technical term, but I like it) of the UI from the OS, allowing OEMs to rebrand but not then requiring months of tech work every time Google release updates.

        Strangely, I don't think Google initially expected OEMs to make changes to the UI (HTC's first Sense was like a parasite on to the OS - in a good way), so these changes should benefit everyone.

    2. pan2008

      Android is the Windows Mobile of 2007

      There is nothing you can do. Only way is to do something like Windows Phone 7. Networks don't have the technical expertise and the fragmentation is perpetuated. Unfortunately a mobile is not a PC and locking down certain features helps the customer.

  3. JaitcH
    Happy

    Let's hope Google gets the message and makes Android watertight

    These security outings are good - it will either prioritize these shortcomings or shame others into fixing the problems.

    Coders shouldn't complain, it's free QC.

  4. Tom 7

    Reinvent the wheel

    and you reinvent potholes, detours, traffic jams and all the other problems most operating systems worked out years ago. It happens to Windows every time they need a cash boost.

  5. Mike Cardwell
    Thumb Down

    Opera Mini

    I don't like Opera Mini, but I've just set it to be my G1's default browser. Bah.

    1. Anonymous Coward

      #Opera Mini

      >I don't like Opera Mini, but I've just set it to be my G1's default browser. Bah.

      Why not just update your G1 to Froyo? CyanogenMod supports it for instance.

  6. M Gale

    Stupidity, thy name is Samsung. Amongst others.

    More reason to pester phone manufacturers to update the free operating system that they don't even have to develop themselves.

  7. SilverWave
    Go

    Orange update to 2.2 pretty fast.

    And it has a good security model.

  8. Anonymous Coward

    A Comment

    This guy's point seems to be based around the patching method used to upgrade the firmware more than anything to do with the vulnerabilities themselves.

    “They do a good job of repairing future releases, but I think a better patching system needs to be set up for Android.”

    During Google IO 2010, Google stated that with Gingerbread they will be splitting many applications from the OS so that they will be updated through the Android Market separate to the OTA firmware updates. This is intended to help with fragmentation. There was no mention of the browser specifically, but it would be a prime candidate.

    My guess is this guy has seen this and thought "here's my chance". He hasn't said anything new and if the browser is separated in Gingerbread, then his point becomes invalid for Android at least. Does Safari on the iPhone update separate to iOS? (genuine non-iPhone-user question, not flame bait.)

    "The bigger point, Keith said, is that most users have no idea their devices are vulnerable to bugs that were patched long ago on other platforms."

    Like most Windows users then? (Had to get the boot in somewhere.)

    1. Anonymous Coward
      Badgers

      #A comment

      >Does Safari on the iPhone update separate to iOS? (genuine non-iPhone-user question, not flame bait.)

      Certainly needs to right about now.....

      http://blogs.sans.org/appsecstreetfighter/2010/11/08/insecure-handling-url-schemes-apples-ios/

  9. dotdavid
    FAIL

    Class action lawsuit?

    When this was brought up on Slashdot, someone suggested that in the US people might get together and force the operators/handset manufacturers to provide Android upgrades for longer, by claiming they have suffered harm as a result of the lack of security patches. I find this possibility quite exciting.

    These phones aren't anything like the dumbphones the operators are used to selling (where they can just sell you a box with a contract, and two years later sell you another box with a contract) - they are full handheld computers and thus should be supported with security patches at least for an average contract length of time.

  10. Anonymous Coward
    Thumb Up

    I LOL'd

    Nokia 6510 with a third party battery upgrade for the win.

  11. Anonymous Coward
    Flame

    Time to replace the Android icon with a colander

    C'mon you know you like 'em flames...

    1. Sam Liddicott

      or

      Or a calendar

  12. Fred 24

    There's an opportunity here..

    For a developer to write a browser pre-processor to filter out segments of code that are published as known exploits...

  13. David Simpson 1
    FAIL

    Already not news.

    As said by others the patching problem has already been addressed by Google using the same methodology that will cure fragmentation, over the next couple of releases Android will become a collection of smaller apps that will all update through the market.

    And for anyone saying Android is the new WinMo, you obviously never used WinMo as even the old 1.5 Android actually works out of the box, unlike many of my old WinMo phones.

  14. Zobbo
    Stop

    Good point

    Actually this bloke makes a good point. With desktop Windows, you have free* patch maintenance and you know you'll have it for years after you purchase the product.

    With Android it's a guessing game. I'm still on 1.6, the only way I can upgrade is to do it manually with an unofficial ROM. Vodafone tell me Google control the updates and I occasionally hear rumours that 2.2 is on the way, but then nothing happens. This is the problem with Google branded phones, maybe the situation is better for Android phones that use the manufacturer's ROM.

    Basically, Google need to be clearer about the update process, how long a certain phone will be supported for etc. The updated OS is a strong selling point, but if those updates don't appear then people are going to be put off. It's just too amateur at the moment.

    *As in you don't usually need to pay anything on top of the initial price.

    1. Giles Jones Gold badge

      OEMs

      Isn't that the point of Android? To shift the burden of maintenance and support onto the OEM.

      It's the OEM that builds your Android ROM, licences the Google apps and market place. Google don't have anything to do with your phone (unless you have a Nexus).

      Putting the OEMs in charge is good for Google but bad for the phone user. The OEMs spend time building the ROMs, designing the hardware and so on. They get their profit when you buy the phone, after that they get nothing else. So it is not in their interest to prolong your use of the device for any longer than they need to (and certainly not any more than their direct competition).

      The difference with the competition is they build the ROMs. Apple build the ROMs for iPhone and Microsoft build the ROMs for Windows Phone 7. So with WP7 your updates are not at the mercy of the OEM. With Apple you get around 2 years of updates based upon the lifespan of the iPhone 2G.

      Therefore the two platforms that seem to have a pretty clear update policy are WP7 and iOS. It is only Android which needs to get its act together.

  15. Zap

    Google should thank Apple

    Google really should thank Apple. If all of the bugs in Android have formerly appeared in Apple it should be much easier to develop a programme to get rid of all the bugs Apple has had. Does anyone know if Windows 7 Mobile is based on the same code!!???

  16. JDX Gold badge
    Joke

    So...

    Is this Apple's Fault, or MS'? Or as an outside shout, Adobe... we all know everything is their fault somehow :)
