Android users left at risk... and it's not even THEIR FAULT this time!

Tardiness in providing security updates is leaving the vast majority of Android devices hopelessly insecure, according to researchers at the University of Cambridge. Over the last four years, an average of 87 per cent of Android devices were vulnerable to attack by malicious apps, according to the research, which blames a …

Silver badge
Gimp

Oh, so you are locked into a contract?

Crickets chirping...

8
1

Re: Oh, so you are locked into a contract?

I'm not; I have a phone I bought outright from one of those Amazon-hosted resellers, and I use an AT&T-hosted MVNO with a monthly payment plan. (It's about 1/3 the cost of the AT&T plan I used to have.)

My phone is a Samsung, originally AT&T-branded. Bought new and unlocked.

No updates in sight. Samsung isn't publishing any for this phone, and AT&T won't supply updates if you're not on contract. Samsung's "commitment" to supplying updates clearly doesn't apply to devices they don't consider current.

Phone's rooted, so I can just disable Stagefright (using build.props) if I want - at the moment I just have MMS auto-downloading disabled. But the updating process isn't any better if you're not under contract.

0
0
Anonymous Coward

Cambridge boffins

or paid-for-hire clickbaiters, you decide..

" leaving the vast majority of Android devices hopelessly insecure"

I have yet to EVER see ANY Android device with Malware, so these "boffins" just made themselves look like total chumps.

6
29
Anonymous Coward

I have yet to EVER see ANY Android device with Malware

How would you know if the phone had been infected? It may be stealthy malware.

16
1
Silver badge
Coat

Re: I have yet to EVER see ANY Android device with Malware

"It may be stealthy malware."

If it was so stealthy the boffins wouldn't know either.

6
3
Anonymous Coward

Re: I have yet to EVER see ANY Android device with Malware

Quite true, but the OP is not one of the boffins.

4
1
Silver badge
Coat

Re: I have yet to EVER see ANY Android device with Malware

The OP might be a stealthy boffin :-)

7
0
Silver badge

Re: Cambridge boffins

> I have yet to EVER see ANY Android device with Malware

I've personally seen two infected devices, one of which was mine and I always double check the permissions on my apps before I let them install. The other wasn't even rooted and didn't have the "allow unknown sources" checked so the infection either had to have come in through Stagefright or something similar or from the Play Store itself.

Not to slam Android, because it is still my mobile OS of choice and most likely will be at least until a new player comes into the market, but the malware for it is out there and works. That's why I run a security app.

10
1
Silver badge

Re: Cambridge boffins

Just because "allow unknown sources" was off, doesn't mean it's ALWAYS been off.

I've seen people do nothing more than read that an app needs to turn that option on to work, then press to go to the menu directly, switch that option, let the app install, then go back in and turn it off again.

In fact, even things like Amazon App Store require this as they are "not Google". So you can be sure that MILLIONS of Android users have turned that option on, and some brainy ones may even have turned it off again, which may well be like closing the stable door after the horse has bolted.

P.S. The Android App Store, then, is free to install what it likes.

3
0
Anonymous Coward

Re: I have yet to EVER see ANY Android device with Malware

Or a stealthy chump

0
0
Silver badge

Re: Cambridge boffins

There's more to malware than botnets and lost files. Much of what's in Google Play Store is garbage of some kind trying to get easy ad revenue. You might think you're clean, but you might have a few impostor apps that do exactly what you expect but send ad revenue to a different developer. Or maybe they collect a bit of extra information of extra value. Lots of apps even have Google Play Store reviews with proof that they're malware.

2
0
Silver badge

Re: Cambridge boffins

> Just because "allow unknown sources" was off, doesn't mean it's ALWAYS been off.

True enough, but I know the owner of that particular phone very well. I can say with absolute confidence that it's always been off on that phone.

0
0
Silver badge

Re: Cambridge boffins

And what makes you think the "known sources" aren't malware?

Google does a line-by-line security analysis of all Apps on the play store in the 7 hours before approving them?

1
0
Gold badge

Re: Cambridge boffins

> I have yet to EVER see ANY Android device with Malware, so these "boffins" just made themselves look like total chumps.

I clean an average of 6 devices a week each with various forms of malware. Maybe you're not as representative of the industry as you think?

0
0
Anonymous Coward

Re: Cambridge boffins

Well still never seen or heard of a single Android malware issue. I do know a couple of people stung by the age old Windows problems..

http://www.bbc.co.uk/news/technology-34527439

Funny this seems to have slipped by without getting a mention, perhaps nobody is paying the security researchers to promote this... That would instantly suggest who was behind all these Android scare stories.

0
1
Silver badge

Re: Cambridge boffins

On the subject of Amazon - I did not install their Amazon underground app - inspected what rights it wanted - an absolutely ludicrous (in a bad way security / privacy wise) set of permissions, way in excess of what was required with the functionality it nominally offered.

1
0

Re: Cambridge boffins

> I have yet to EVER see ANY Android device with Malware

Neither your Anecdote nor your CREATIVE use of CAPITAL letters are COMPELLING arguments.

1
0
Anonymous Coward

Updates

Funny, not a problem with the iPhone.

4
37
Gimp

Re: Updates

iOS has its own problems.

Android as naff as ever though

2
0
Anonymous Coward

Re: Updates

Of course it does, not disputing that, but thanks for the DV

0
10
Anonymous Coward

Re: Updates

Indeed, but there is a huge difference between the iPhone/iOS and Android.

iDevices are designed hardware and software by a single OEM. This OEM then ensures that the various networks toe the line in terms of updates and keeping crapware to a minimum. i.e. the OEM cares and ensures quality. This even goes as far down to the connector - rather than use USB which was never designed for such a job, iDevices have a purpose-made connector so that DAC can happen *on the device itself* meaning that add-ons are much cheaper and easier for other vendors to make. Heck the iDevice dock being the most common to see.

Android, on the other hand, is thrown over the wall by the writer who then provides zero support, standards or guidance. Thus networks add crapware and ignore updates as well as OEMs adding crapware and ignoring updates. What the end-user winds up with is a dog's dinner that barely functions (hardly surprising, it is Linux after all) in a cheaply made unit and with a woeful connector.

This, and many other reasons, are why Android and its ilk are simply best avoided.

9
36
Silver badge
Joke

" a dog's dinner that barely functions (hardly surprising, it is Linux after all) "

LOL, you can't argue with that...

2
17

Re: Updates

"dog's dinner that barely functions (hardly surprising, it is Linux after all) "

So how's OSX treating you? You realize it's FreeBSD, right?

13
3
Anonymous Coward

Re: Updates

> So how's OSX treating you? You realize it's freebsd, right?

You realise FreeBSD != Linux and that OS X != iOS?

7
6
Silver badge

Re: Updates

OS X is based on NeXTStep, which in turn used the Mach kernel. Some things from BSD (_not_ strictly FreeBSD) were added. And things have changed sufficiently over last decade and a half that it would be extremely inaccurate to call OS X either Mach or BSD. It most definitely is NOT FreeBSD.

6
2
Silver badge

Re: " a dog's dinner that barely functions (hardly surprising, it is Linux after all) "

Well, if all you're after is making down-vote-baiting troll attempts, no, you can't. If you're after having even a modicum of accuracy, yes, you can argue with that. Quite well, actually.

3
0
Silver badge

Re: " a dog's dinner that barely functions (hardly surprising, it is Linux after all) "

Don't feed the ANTI-RICHTO!

2
0
Silver badge
Meh

Re: Updates

No point to a UV/DV for a coward. Ignorance and cowardice are best not rewarded.

1
1
Silver badge

Re: Updates

There's malware in the wild for iOS too. And no, you don't have to jailbreak your iWhatsit to get it. The difference is that you can get decent anti-malware for Android while iOS anti-malware is somewhat crippled by restrictions Apple places on it.

I've said for years that no matter what platform you're running only a fool runs a system with access to the internet and no anti-malware and I stand by that. Unfortunately Apple encourages people to be fools in that regard.

8
5
Silver badge
Happy

Re: down-vote-baiting troll attempts

Judging by the icon it was a joke. Made me laugh anyway.....

1
3
Silver badge

Re: no matter what platform you're running

Well maybe, but the risk decreases with market share. I bet anyone running a Palm Pre on Web OS is fairly safe....

2
0
Silver badge

Re: Updates

> This OEM then ensures that the various networks toe the line in terms of updates and keeping crapware to a minimum

No, the networks are not involved AT ALL with iOS. They don't have the ability to install crapware or anything else on iOS, and all updates are delivered directly from Apple so the carrier has zero ability to control or interfere with you choosing if and when to update iOS.

The only thing the carrier controls on an iPhone is 'carrier settings', which you might see referred to in a popup once a year or so, or when you change carriers. Basically it is a small file that allows the carrier to specify stuff like LTE bands, roaming partners, carrier hotspots and so on. But since Apple controls the format and allowed content of the file, and it is not executable code, the carriers can only use it for the designated purposes and can't use it to mess with your iPhone. The only difference you might see is if a few menu items in the Cellular settings go away for certain carriers or if your phone is SIM locked due to a contract. The carrier settings go away when you switch carriers via a new SIM and are replaced by your new carrier's settings.

3
2
Silver badge

@sisk

Which malware is that then? I assume you are probably referring to the recent issue where some Chinese developers grabbed Xcode off a bulletin board instead of from Apple, which added malware (in the form of a popup to ask for your iCloud credentials) to the compiled code when these developers then uploaded to the app store? Apple remotely disabled all the affected apps, as they always do if any malware is found. What's the point of running anti-malware when it would basically do the same thing in relying on signatures from the outside to tell it what's malware and what isn't?

3
5
Anonymous Coward

Re: Updates

> There's malware in the wild for iOS too

Please, please, please, name it so I can have a look at it - by that I mean in a Western app store, though, I would never install an app where I could not even read the screen. It will be totally worth rebuilding the phone from scratch because I have as yet not seen a single such app. Pretty please?

> I've said for years that no matter what platform you're running only a fool runs a system with access to the internet and no anti-malware and I stand by that.

You can do rather well if you start with decent fundamentals. Anti-virus is more like forgetting to add the brakes when you design a sports car and then fix it by selling chains and boat anchors. I must admit, though, that Google is the only company I know that has been able to start from a Unix platform and then make it look more like Windows from the perspective of vulnerabilities :)

3
3
Silver badge

Re: Updates

Toires, LBTM, and FindCall. There are three trojans that can infect un-jailbroken iOS devices. And that considering that iOS is undoubtedly one of the hardest to infect platforms currently available. Granted one is proof of concept and the other two have been removed from the appstore, but if three can do it then more can as well. I personally view anti-virus on hardened OSes the same way I view the carbon monoxide detector in my house: the odds of needing it are astronomically against it, but if I ever DO need it I'd much rather have it than not.

There's no doubt iOS is more secure than Android. How much of that is due to good design and how much is due to the walled garden and relative obscurity of the underlying system is up for debate, but it's a purely academic debate. I realize that the odds of ever actually encountering iOS malware are pretty insignificant, but just as I would probably tell my landlord where to shove it if he tried to make me get rid of my CO detector I would be uncomfortable not having access to decent anti-virus software. There is simply no such thing as a perfectly hardened system.

5
0

This post has been deleted by its author

Anonymous Coward

Re: Updates

OK, I will spell it out for you.

This Android scareware FUD that is going around at the moment, this is Apple money. Apple have their own problems. Apple device security if you look at it without bias, is actually inferior to Android. It doesn't have several of the layers of protection that Android has.

http://lifehacker.com/how-secure-is-android-really-1446328680

iPhone is secure because it's locked down. Android is secure because it's also locked down, but it does allow you to unlock it (with a warning). Users are idiots.

2
5
Anonymous Coward

Re: Updates

> Toires, LBTM, and FindCall. There are three trojans that can infect un-jailbroken iOS devices.

The first two were proof of concepts that were patched before anyone could put them into production, and one (1) that made it to the app store. The latter got pulled quickly, also because it didn't work that hidden because iOS does not allow SMS sending or making calls without user interaction (stops premium rate abuse).

I reckon iOS fares rather well in any "how vulnerable is my device out of the box" comparisons, ditto for "how easy is it to keep up to date" comparisons, simply because it is known hardware.

> How much of that is due to good design and how much is due to the walled garden and relative obscurity of the underlying system is up for debate

Obscure? iOS? LOL :).

4
5
Silver badge

Re: Updates

> It most definitely is NOT FreeBSD.

Nope but FreeBSD most definitely will support your Apple hardware long after Apple stops (will keep those iTunes updates coming to the end of time though) and a strong argument could be made better even while Apple supports it.

1
0
Silver badge

Re: Updates

>This Android scareware FUD that is going around at the moment, this is Apple money. Apple have their own problems. Apple device security if you look at it without bias, is actually inferior to Android

Ok let me know when iOS allows an attacker to root your boot locked (non jailbroken) phone without user intervention with an MMS. That is an entirely different class of shit security more of the Windows XP worm kind. Last I heard it's still not completely fixed and in all forms is still certainly a vulnerability on the majority of Android phones out there.

4
0
Silver badge

Re: Updates

Also (bah missed edit period) yes iOS has some vulnerabilities (plus Apple's security record and practices are a mixed bag) as well but the fact that they have a very successful patching system (most handsets supported are kept up to date at a remarkably high level) plus a much better full disk encryption solution means Android (as shipped in vast majority of handsets) has some work to do.

4
1
Silver badge

Re: Updates

Noooooo.

iPhones just leave you feeling seasick just looking at the screen, or refuse to let you use it as intended because you're right handed, or send your car barreling down an airport runway, or charge you a premium price on a "new" phone for features that have been in competitors' devices for 4 years.

Yep, not a problem with iPhones, because who has the time to write malware for iOS when the device in question doesn't work well enough for you to test it?

2
6
Silver badge

Re: Updates

Funny I thought the conversation was about security of the various handsets and not your personal opinion about phones. There is much not to like about Apple but the fact remains they are the only handset maker making any kind of profit on phones today so they are obviously doing something right (and it's not all marketing even if the majority, their competitors spend plenty on marketing as well).

0
0
Silver badge

Re: Updates

> Obscure? iOS? LOL :).

Yes, iOS is relatively obscure compared to Android. Any neophyte script kiddie with a basic understanding of Java can get the source code, spend a few months studying it and know the ins and outs of how the system works. With iOS unless you work for Apple you don't actually know exactly what's going on under the hood. That's what I mean by relative obscurity.

1
1

Name and Shame

Sony's the worst aren't they?, aren't they?

0
0
Silver badge

Re: Name and Shame

No, far from it....

And even if they stop supporting it, they help you get CyanogenMod and root your phone.

1
0

Re: Name and Shame

This is the feature I want. If a manufacturer decides to stop supporting the device then at least give us the ability to support it ourselves with CyanogenMod. I have an annoying Asus tablet here that had updates abandoned barely three months after purchase! I expected support to at least get to the end of the one year warranty....

2
0
Silver badge

AndroidVulnerabilities

The score has three components:

f - the proportion of devices free from known critical vulnerabilities.

u - the proportion of devices updated to the most recent version.

m - the number of vulnerabilities the manufacturer has not yet fixed on any device.

But how realistic is this considering

d - the time delay between an update being available from the manufacturer and the carrier being arsed to push it out?

0
0
Silver badge

Re: AndroidVulnerabilities

Then there is :-

x : the probability that the release of the OS you are running on your phone actually has a patch generated for it.

IMHO for the majority of devices x --->>>> Infinity.

After all you can still buy devices running Gingerbread which is madness

2
0
Silver badge

Re: AndroidVulnerabilities

> u - the proportion of devices updated to the most recent version

If the carrier hasn't pushed it yet the device isn't counted in u.

0
0
