back to article Android users left at risk... and it's not even THEIR FAULT this time!

Tardiness in providing security updates is leaving the vast majority of Android devices hopelessly insecure, according to researchers at the University of Cambridge. Over the last four years, an average of 87 per cent of Android devices were vulnerable to attack by malicious apps, according to the research, which blames a …

Page:

  1. Destroy All Monsters Silver badge
    Gimp

    Oh, so you are locked into a contract?

    Crickets chirping...

    1. Michael Wojcik Silver badge

      Re: Oh, so you are locked into a contract?

      I'm not; I have a phone I bought outright from one of those Amazon-hosted resellers, and I use an AT&T-hosted MVNO with a monthly payment plan. (It's about 1/3 the cost of the AT&T plan I used to have.)

      My phone is a Samsung, originally AT&T-branded. Bought new and unlocked.

      No updates in sight. Samsung isn't publishing any for this phone, and AT&T won't supply updates if you're not on contract. Samsung's "commitment" to supplying updates clearly doesn't apply to devices they don't consider current.

      Phone's rooted, so I can just disable Stagefright (using build.props) if I want - at the moment I just have MMS auto-downloading disabled. But the updating process isn't any better if you're not under contract.

  2. Anonymous Coward
    Anonymous Coward

    Cambridge boffins

    or paid-for-hire clickbaiters, you decide..

    " leaving the vast majority of Android devices hopelessly insecure"

    I have yet to EVER see ANY Android device with Malware, so these "boffins" just made themselves look like total chumps.

    1. Anonymous Coward
      Anonymous Coward

      I have yet to EVER see ANY Android device with Malware

      How would you know if the phone had been infected? It may be stealthy malware.

      1. Khaptain Silver badge
        Coat

        Re: I have yet to EVER see ANY Android device with Malware

        "It may be stealthy malware."

        If it was so stealthy the boffins wouldn't know either.

        1. Anonymous Coward
          Anonymous Coward

          Re: I have yet to EVER see ANY Android device with Malware

          Quite true, but the OP is not one of the boffins.

          1. Khaptain Silver badge
            Coat

            Re: I have yet to EVER see ANY Android device with Malware

            The OP might be a stealthy boffin :-)

            1. Anonymous Coward
              Anonymous Coward

              Re: I have yet to EVER see ANY Android device with Malware

              Or a stealthy chump

    2. sisk Silver badge

      Re: Cambridge boffins

      I have yet to EVER see ANY Android device with Malware

      I've personally seen two infected devices, one of which was mine and I always double check the permissions on my apps before I let them install. The other wasn't even rooted and didn't have the "allow unknown sources" checked so the infection either had to have come in through stagefright or something similar or from the Play Store itself.

      Not to slam Android, because it is still my mobile OS of choice and most likely will be at least until a new player comes into the market, but the malware for it is out there and works. That's why I run a security app.

      1. Lee D Silver badge

        Re: Cambridge boffins

        Just because "allow unknown sources" was off, doesn't mean it's ALWAYS been off.

        I've seen people do nothing more than read that an app needs to turn that option on to work, then press to go to the menu directly, switch that option, let the app install, then go back in and turn it off again.

        In fact, even things like Amazon App Store require this as they are "not Google". So you can be sure that MILLIONS of Android users have turned that option on, and some brainy ones may even have turned it off again, which may well be like closing the stable door after the horse has bolted.

        P.S. The Android App Store, then, is free to install what it likes.

        1. sisk Silver badge

          Re: Cambridge boffins

          Just because "allow unknown sources" was off, doesn't mean it's ALWAYS been off.

          True enough, but I know the owner of that particular phone very well. I can say with absolute confidence that it's always been off on that phone.

          1. Yet Another Anonymous coward Silver badge

            Re: Cambridge boffins

            And what makes you think the "known sources" aren't malware?

            Google does a line-line security analysis of all Apps on the play store in the 7hours before approving them ?

        2. tiggity Silver badge

          Re: Cambridge boffins

          On the subject of Amazon - I did not install their Amazon underground app - inspected what rights it wanted - an absolutely ludicrous (in a bad way security / privacy wise) set of permissions, way in excess of what was required with the functionality it nominally offered.

    3. Kevin McMurtrie Silver badge

      Re: Cambridge boffins

      There's more to malware than botnets and lost files. Much of what's in Google Play Store is garbage of some kind trying to get easy ad revenue. You might think you're clean, but you might have a few impostor apps that do exactly what you expect but send ad revenue to a different developer. Or maybe they collect a bit of extra information of extra value. Lots of apps even have Google Play Store reviews with proof that they're malware.

    4. Trevor_Pott Gold badge

      Re: Cambridge boffins

      I have yet to EVER see ANY Android device with Malware, so these "boffins" just made themselves look like total chumps.

      I clean an average of 6 devices a week each with various forms of malware. Maybe you're not as representative of the industry as you think?

    5. Anonymous Coward
      Anonymous Coward

      Re: Cambridge boffins

      Well still never seen or heard of a single Android malware issues. I do know a couple of people stung by the age old Windows problems..

      http://www.bbc.co.uk/news/technology-34527439

      Funny this seems to have slipped by without getting a mention, perhaps nobody is paying the security researchers to promote this... That would instantly suggest who was behind all this Android scare stories.

    6. Michael Wojcik Silver badge

      Re: Cambridge boffins

      I have yet to EVER see ANY Android device with Malware

      Neither your Anecdote nor your CREATIVE use of CAPITAL letters are COMPELLING arguments.

  3. Anonymous Coward
    Anonymous Coward

    Updates

    Funny, not a problem with the iPhone.

    1. Blank-Reg
      Gimp

      Re: Updates

      iOS has its own problems.

      Android as naff as ever though

      1. Anonymous Coward
        Anonymous Coward

        Re: Updates

        Of course it does, not disputing that, but thanks for the DV

    2. Anonymous Coward
      Anonymous Coward

      Re: Updates

      Indeed, but there is a huge difference between the iPhone/iOS and Android.

      iDevices are designed hardware and software by a single OEM. This OEM then ensure that the various networks toe the line in terms of updates and keeping crapware to a minimum. i.e. the OEM cares and ensures quality. This even goes as far down to the connector - rather than use USB which was never designed for such a job, iDevices have a purpose-made connector so that DAC can happen *on the device itself* meaning that add-ons are much cheaper and easier for other vendors to make. Heck the iDevice dock being the most common to see.

      Android, on the other hand, is thrown over the wall by the writer who then provides zero support, standards or guidance. Thus networks add crapware and ignore updates as well as OEMs adding crapware and ignoring updates. What the end-user winds up with is a dog's dinner that barely functions (hardly surprising, it is Linux after all) in a cheaply made unit and with a woeful connector.

      This is, and many other reasons, are why Android and its ilk are simply best avoided.

      1. CAPS LOCK Silver badge
        Joke

        " a dog's dinner that barely functions (hardly surprising, it is Linux after all) "

        LOL, you can't argue with that...

        1. James O'Shea Silver badge

          Re: " a dog's dinner that barely functions (hardly surprising, it is Linux after all) "

          Well, if all you're after is making down-vote-baiting troll attempts, no, you can't. If you're after having even a modicum of accuracy, yes, you can argue with that. Quite well, actually.

          1. Destroy All Monsters Silver badge

            Re: " a dog's dinner that barely functions (hardly surprising, it is Linux after all) "

            Don't feed the ANTI-RICHTO!

          2. sabroni Silver badge
            Happy

            Re: down-vote-baiting troll attempts

            Judging by the icon it was a joke. Made me laugh anyway.....

      2. Mad Chaz

        Re: Updates

        "dog's dinner that barely functions (hardly surprising, it is Linux after all) "

        So how's OSX treating you? You realize it's freebsd, right?

        1. Anonymous Coward
          Anonymous Coward

          Re: Updates

          > So how's OSX treating you? You realize it's freebsd, right?

          You realise FreeBSD != Linux and that OS X != iOS?

        2. James O'Shea Silver badge

          Re: Updates

          OS X is based on NeXTStep, which in turn used the Mach kernel. Some things from BSD (_not_ strictly FreeBSD) were added. And things have changed sufficiently over last decade and a half that it would be extremely inaccurate to call OS X either Mach or BSD. It most definitely is NOT FreeBSD.

          1. asdf Silver badge

            Re: Updates

            > It most definitely is NOT FreeBSD.

            Nope but FreeBSD most definitely will support your Apple hardware long after Apple stops (will keep those iTunes updates coming to the end of time though) and a strong argument could be made better even while Apple supports it.

      3. Teiwaz Silver badge
        Meh

        Re: Updates

        No point to a UV/DV for a coward. Ignorance and cowardice are best not rewarded.

      4. DougS Silver badge

        Re: Updates

        This OEM then ensure that the various networks toe the line in terms of updates and keeping crapware to a minimum

        No, the networks are not involved AT ALL with iOS. They don't have the ability to install crapware or anything else on iOS, and all updates are delivered directly from Apple so the carrier has zero ability to control or interfere with you choosing if and when to update iOS.

        The only thing the carrier controls on an iPhone is 'carrier settings', which you might see referred to in a popup once a year or so, or when you change carriers. Basically it is a small file that allows the carrier to specify stuff like LTE bands, roaming partners, carrier hotspots and so on. But since Apple controls the format and allowed content of the file, and it is not executable code, the carriers can only use it for the designated purposes and can't use it to mess with your iPhone. The only difference you might see if a few menu items in the Cellular settings go away for certain carriers or if your phone is SIM locked due to a contract. The carrier settings go away when you switch carriers via a new SIM and is replaced by your new carrier's settings.

      5. This post has been deleted by its author

    3. sisk Silver badge

      Re: Updates

      There's malware in the wild for iOS too. And no, you don't have to jailbreak your iWhatsit to get it. The difference is that you can get decent anti-malware for Android while iOS anti-malware is somewhat crippled by restrictions Apple places on it.

      I've said for years that no matter what platform you're running only a fool runs a system with access to the internet and no anti-malware and I stand by that. Unfortunately Apple encourages people to be fools in that regard.

      1. sabroni Silver badge

        Re: no matter what platform you're running

        Well maybe, but the risk decreases with market share. I bet anyone running a Palm Pre on Web OS is fairly safe....

      2. DougS Silver badge

        @sisk

        Which malware is that then? I assume you are probably referring to the recent issue where some Chinese developers grabbed Xcode off a bulletin board instead of from Apple, which added malware (in the form of a popup to ask for your iCloud credentials) to the compiled code when these developers then uploaded to the app store? Apple remotely disabled all the affected apps, as they always do if any malware is found. What's the point of running anti-malware when it would basically do the same thing in relying on signatures from the outside to tell it what's malware and what isn't?

      3. Anonymous Coward
        Anonymous Coward

        Re: Updates

        There's malware in the wild for iOS too

        Please, please, please, name it so I can have a look at it - by that I mean in a Western app store, though, I would never install an app where I could not even read the screen. It will be totally worth rebuilding the phone from scratch because I have as yet not seen a single such app. Pretty please?

        I've said for years that no matter what platform you're running only a fool runs a system with access to the internet and no anti-malware and I stand by that.

        You can do rather well if you start with decent fundamentals. Anti-virus is more like forgetting to add the brakes when you design a sports car and then fix it by selling chains and boat anchors. I must admit, though, that Google is the only company I know that has been able to start from a Unix platform and then make it look more like Windows from the perspective of vulnerabilities :)

        1. sisk Silver badge

          Re: Updates

          Toires, LBTM, and FindCall. There are three trojans that can infect un-jailbroken iOS devices. And that considering that iOS is undoubtedly one of the hardest to infect platforms currently available. Granted one is proof of concept and the other two have been removed from the appstore, but if three can do it then more can as well. I personally view anti-virus on hardened OSes the same way I view the carbon monoxide detector in my house: the odds of needing it are astronomically against it, but if I ever DO need it I'd much rather have it than not.

          There's no doubt iOS is more secure than Android. How much of that is due to good design and how much is due to the walled garden and relative obscurity of the underlying system is up for debate, but it's a purely academic debate. I realize that the odds of ever actually encountering iOS malware are pretty insignificant, but just as I would probably tell my landlord where to shove it if he tried to make me get rid of my CO detector I would be uncomfortable not having access to decent anti-virus software. There is simply no such thing as a perfectly hardened system.

          1. Anonymous Coward
            Anonymous Coward

            Re: Updates

            Toires, LBTM, and FindCall. There are three trojans that can infect un-jailbroken iOS devices.

            The first two were proof of concepts that were patched before anyone could put them into production, and one (1) that made it to the app store. The latter got pulled quickly, also because it didn't work that hidden because iOS does not allow SMS sending or making calls without user interaction (stops premium rate abuse).

            I reckon iOS fares rather well in any "how vulnerable is my device out of the box" comparisons, ditto for "how easy is it to keep up to date" comparisons, simply because it is known hardware.

            How much of that is due to good design and how much is due to the walled garden and relative obscurity of the underlying system is up for debate

            Obscure? iOS? LOL :).

            1. sisk Silver badge

              Re: Updates

              Obscure? iOS? LOL :).

              Yes, iOS is relatively obscure compared to Android. Any neophyte script kiddie with a basic understanding of java can get the source code, spend a few months studying it and know the ends and outs of how the system works. With iOS unless you work for Apple you don't actually know exactly what's going on under the hood. That's what I mean by relative obscurity.

    4. Anonymous Coward
      Anonymous Coward

      Re: Updates

      OK, I will spell it out for you.

      This Android scareware FUD that is going around at the moment, this is Apple money. Apple have their own problems. Apple device security if you look at it without bias, is actually inferior to Android. It doesn't have several of the layers of protection that Android has.

      http://lifehacker.com/how-secure-is-android-really-1446328680

      iPhone is secure because it's locked down. Android is secure because it's also locked down, but it does allow you to unlock it (with a warning). Users are idiots.

      1. asdf Silver badge

        Re: Updates

        >This Android scareware FUD that is going around at the moment, this is Apple money. Apple have their own problems. Apple device security if you look at it without bias, is actually inferior to Android

        Ok let me know when iOS allows an attacker to root your boot locked (non jailbroken) phone without user intervention with an MMS. That is an entirely different class of shit security more of the Windows XP worm kind. Last I heard its still not completely fixed and in all forms is still certainly a vulnerability on the majority of Android phones out there.

        1. asdf Silver badge

          Re: Updates

          Also (bah missed edit period) yes iOS has some vulnerabilities (plus Apple's security record and practices are a mixed bag) as well but the fact that they have a very successful patching system (most handsets supported are kept up to date at a remarkably high level) plus a much better full disk encryption solution means Android (as shipped in vast majority of handsets) has some work to do.

    5. MrDamage

      Re: Updates

      Noooooo.

      iPhones just leave you feeling seasick just looking at the screen, or refuse to let you use it as intended because you're right handed, or send your car barreling down an airport runway, or charge you a premium price on a "new" phone for features that have been in competitors devices for 4 years.f

      Yep, not a problem with iPhones, because who has the time to write malware for IOS when the device in question doesnt work well enough for you to test it?

      1. asdf Silver badge

        Re: Updates

        Funny I thought the conversation was about security of the various handsets and not your personal opinion about phones. There is much not to like about Apple but the fact remains they are the only handset maker making any kind of profit on phones today so they are obviously doing something right (and its not all marketing even if the majority, their competitors spend plenty on marketing as well).

  4. kdh0009

    Name and Shame

    Sony's the worst aren't they?, aren't they?

    1. Anonymous Coward
      Anonymous Coward

      Re: Name and Shame

      No far from it....

      And even if they stop supporting it, they help you get Cygenmod and rooting your phone.

      1. Mark Allen

        Re: Name and Shame

        This is the feature I want. If a manufacturer decide to stop supporting the device then at least give us the ability to support it ourselves with Cygenmod. I have an annoying Asus tablet here that had updates abandoned barely three months after purchase! I expected support to at least get to the end of the one year warranty....

  5. Simon Harris Silver badge

    AndroidVulnerabilities

    The score has three components:

    f - the proportion of devices free from known critical vulnerabilities.

    u - the proportion of devices updated to the most recent version.

    m - the number of vulnerabilities the manufacturer has not yet fixed on any device.

    But how realistic is this considering

    d - the time delay between an update being available from the manufacturer and the carrier being arsed to push it out?

    1. Steve Davies 3 Silver badge

      Re: AndroidVulnerabilities

      Then there is :-

      x : the probability that the release of the OS you are running on your phone actually has a patch generated for it.

      IMHO for the majority of devices x --->>>> Infinity.

      After all you can still buy devices running Gingerbread which is madness

      1. Tom 35 Silver badge

        Re: AndroidVulnerabilities

        If you buy a "free" with contract phone you will be lucky to get kitkat, lots have jellybean, and don't expect to ever see an update even if one was available from the maker of the phone. No change since the days of the flip phone.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019