back to article Exposed: Lazy Android mobe makers couldn't care less about security

Let's nail this once and for all: Too many Android smartphone makers simply aren't rolling out Google's security bug fixes for the mobile operating system. Germany-based Security Research Labs (SRL) today said that even top vendors – such as HTC, Huawei, and Motorola – leave punters vulnerable by not patching devices for known …

Silver badge

Not just Google

My 3year old Moto G hasn't received any updates for 3days - damn lazy lineageos developers

26
5
Anonymous Coward

The issue if Google. No one else.

Google dumps on each handset manufacturer the responsibility of patching the OS for their handset. This is the equivalent of Microsoft creating a system were each PC maker is able to "customize" the Windows on the PC's they make to such an extent that all patching is on the PC vendor.

Bull shit.

Google should do what Microsoft did and standardize the OS, leaving hardware makers responsible for the phone equivalent of the BIOS. If the manufacturers want to load their customized crapware on top of Android, fine. But it should be ON TOP.

The Android ecosystem architecture as Google created and promotes it is fundamentally flawed and no amount of finger pointing nor lipstick will change that.

16
4
Gold badge
Big Brother

Google should do what Microsoft did and standardize the OS

Very neat.

See how willingly people can be persuaded to lock the manacles on their wrists.

I'm not surprised this is posted AC.

In truth you now have a PC in your pocket.

Treat it like one. That suggests you need a subscription model for the updates.

Now if one of the phone mfg were to do a tie up with one of the major Linux distros......

1
6
Anonymous Coward

Re: Google should do what Microsoft did and standardize the OS

John, did the whole point go whooshing over your head?

MS design (for it's faults) is completely vendor agnostic. It make no difference if you run a HP, Dell or Dave WhiteBox PC's. They all get update.

This was exactly the same with WinPhone (RIP).

Android design was flawed from day 1. It relied on the vendor to roll out patches, which, when they are making almost no profit of the handsets (especially low end) it is hardly a winning formula.

They have started to correct this, but how well it goes is another matter.

"Now if one of the phone mfg were to do a tie up with one of the major Linux distros......"

You mean something like Unbuntu phone? I guess you blinked and missed that disaster.

9
1

Re: The issue if Google. No one else.

You do realise that it is supposed to be opensource and customisable? So, the manufacturer becomes responsible, and Google can only do so much before they could land up compromising a custom installation, even compromise security.

So, yes, a better way would be optimal. Such as isolating security. Manufacturers use either Google's or others, security code, and the provider of the code provide updates to it. Outside security, the manufacturers customise. It allows common open security initiatives to exist besides android initiatives.

0
0
Silver badge

Re: Not just Google

Moto G3 user here, Motorola stated it would stop providing updates for the G3 (Damn I can't find the bleeding link but I havent had any updates since last year). My phone well over 2 years old and I got it on the cheap just before it stopped being sold (Also not locked to any provider as meh to that).

1
0
IT Angle

Mobiles, Automobiles, Killer Robots

This is and always will be a the norm. The commercial reality of Technology.

We can always expect updates that trash 45,000 PC's and 4500 servers [Merrick] in one company or lack there of that allows anyone with enough incentive to trash you at will or spread mayhem. [Wifi, Bluetooth & Mobiles]

Little national or world wide mayhem has ensued thus-far,

My system and devices are more betrayed and trashed by the O/S and it's manufacturers that other actors

4
9
Silver badge

Re: Mobiles, Automobiles, Killer Robots

The market needs a credible alternative to iOS and Android. Google will use its strength to strangle any newcomer at birth condemning the world to mediocrity. One of the many reasons I won't touch their shitty mobile OS.

24
6
Silver badge

Re: Mobiles, Automobiles, Killer Robots

"The market needs a credible alternative to iOS and Android"

But the market as a whole doesn't want an alternative. Ignoring Lineages and AOSP forks, there's been multiple flavours of Nokia OS, Tizen, Sailfish, Ubuntu, Firefox, Blackberry, Windows, and others offered, and nobody has yet managed to make sufficient sales to economically drive their chosen business model.

There's plenty of people like you, like me that don't want to pay the Apple tax, but don't like Google's slurping. But too few have put their hand in their pocket and been willing to support an early stage, half baked OS. Looking back, both iOS and early Android were very crude by today's expectations, but people bought them anyway. That no longer seems to apply. And later versions of Windows phone OS were fully featured and mature, but still nobody wanted to step out of line and buy it.

Who will do it and how this duopoly will be broken I can't say. But I can say the market has been offered a whole lot of choice, but turned its nose up at those choices.

14
0
Anonymous Coward

Re: Mobiles, Automobiles, Killer Robots

"The market needs a credible alternative to iOS and Android"

There was one, Windows, but people ignored it and derided it due to "lack of apps"

How about Ubuntu phone remember that? No?

What about Firefox Phone?

People need to have 10,000 "torch" apps and 50,000 "HD sexy wallpaper" apps AKA data harvesting, ad pushing malware, otherwise there is no point having it, after all quantity, not quality counts.

6
0

Re: Mobiles, Automobiles, Killer Robots

'People need to have 10,000 "torch" apps and 50,000 "HD sexy wallpaper" apps AKA data harvesting, ad pushing malware, otherwise there is no point having it, after all quantity, not quality counts.'

I'm sure you could rig up a travesty generator to create thousands of torch apps, sexy wallpaper apps, and fart apps, to kick start the app ecosystem of a new phone OS.

0
0

Re: Mobiles, Automobiles, Killer Robots

this silly thing is is Finding a app that does not need 10 unrelated permissions (should only need camera permission to use the flash) some of them are so high the clean ones cannot be found unless you search for "Torch no ads"

google needs to really re work on how it approves apps , its all well and good having 200k apps when 199,000 of them are full of crap or just a app that is just a bowser placeholder with ads to whatever your accessing) google should just remove and force them into review status all apps

apart from key apps that are well known and trusted ones (and the ones that are well vastery installed should go for code review to make sure they are not abusing permissions like needing a and adverts or screen overlay ads

1
0
Silver badge

Re: Mobiles, Automobiles, Killer Robots

both iOS and early Android were very crude by today's expectations, but people bought them anyway. That no longer seems to apply.

In the case of Android it most certainly does apply!

0
1
Silver badge

No money in it

the user has paid for the 'phone ... the ROI on security updates is zero. Far better to encourage the user to buy a new model that has got lots of shiny new (useless) features.

No manufacturer brags long term patch availability, so punters do not think about it as a purchasing criterion.

The only way to get them to do it would be to make the manufacturer liable in some way - as with motor cars. That will be a long time coming.

The same applies to all IoT stuff.

49
3
Silver badge

Re: No money in it

"the user has paid for the 'phone ... the ROI on security updates is zero."

The ROI isn't zero. There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it.

16
8
Silver badge
Trollface

Re: iPhoneX

Is it Security Theatre? Please tell me the answer is Security Theatre?

15
1
Silver badge

Re: No money in it

It's called the Midas Touch. That has little to do with RoI.

7
3
Gold badge

Re: No money in it

"...the ROI on security updates is zero. Far better to encourage the user to buy a new model..."

Well if your service is shit, my next phone is from someone else.

19
0
Silver badge

Re: No money in it

The ROI isn't zero. There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it.

I don't think that has much bearing on it. Apple have a "relationship" business model. Every other phone vendor is a hardware maker (excepting Google devices), and if they charged £250 more, they wouldn't put that into a shoebox for several years to release for future software support, they'd bank the lot of it as profit and pay out as a cash dividend. Manufacturing is a completely different business to service, and doing either well is hard enough, doing both well is truly exceptional.

Regarding the Google devices, as others have already noted in this thread, Google are not really a software house - that's just a means to an end, and the end is slurping huge amounts of user data. Even when the phone moves out of support, it is still spewing the user's data back to Google's servers. So they approach software not as a service, but as a manufacturer: "Fling it out of the door, move on to the next one".

20
0
Silver badge

Re: No money in it

still spewing the user's data back to Google's servers

They can't stay that blaise, if the owners wake up to both the insecurity of their device and the importance of such.

Can't spew much new info when it's sitting at the back of the sock drawer with the other dead pieces of electronics...

Thankfully, I think the larger public don't know and don't really care still.

6
1

Re: No money in it

the user has paid for the 'phone ... the ROI on security updates is zero.

Not really ... I bought a Moto phone in part because the word on the street was that Moto were good at releasing timely patches. Unfortunately the joke seems to be on me, because in 18 months it hasn't been updated to Nougat or Oreo, and hasn't seen a security patch since January last year. There is allegedly a release of Nougat for at least some versions of this handset, but I haven't seen an OTA update for mine.

My point is: I would definitely pay more for a phone that was guaranteed to receive OS updates a reasonable time -- say version upgrades for three years and security updates for a couple more beyond that.

For me, it would have to have an SD card slot and a user-replaceable battery ... so the Pixel and the iPhone are both ruled out.

11
0
Silver badge

Re: No money in it

My point is: I would definitely pay more for a phone that was guaranteed to receive OS updates a reasonable time -- say version upgrades for three years and security updates for a couple more beyond that.

So get <anything that supports Lineage> and use that. My Oneplus2 gets OTA builds every week and updated to Oreo a while back.

5
0

iPhone X

"There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it."

One of them anyway. And Apple has been providing not 18 months or two years of updates, but generally at least four years from launch date. Without anyone having to bitch or whine or throw a fit to get them to do it.

How many times now has Google announced a security initiative with great fanfare (device encryption, etc.) only to step way back later because "it's too difficult?"

I would agree with other commenters that the mobile device ecosystem needs another OS competitor or three. I use Apple because they're the best overall tradeoff for me (strongest security and fast devices are what I care about, other people have other priorities) in a field of the problematic options. That being said, I think we've past "peak Apple" in terms of their software quality and more options would be welcome. Unfortunately, the only players with the resources and possible interest in delivering them would be Samsung and Microsoft and neither seem capable of executing.

9
0
Bronze badge
Devil

Whose money in it?

IT people who earn their money with the assumed security of their customers will advise them to patch their software. Overwhelming eveidence shows that software that security patches fix one error at beat, leading to more fixes and patches and never to software that is actually secure, impenetrable and bug-free.

Therefore, applying security fixes ownly shows you pretend to care about security.

2
3

Re: No money in it

I have an Apple phone mostly because it gets security patches.

I'm not aware of any Android phone manufacturer with a reputation for providing patches. If I'm wrong, please enlighten me!

And I don't want to futz around with open source projects. For something as important as my phone it needs to "just work". So I want a firmware build that's tested and supported by my phone manufacturer.

7
0
Silver badge

Re: No money in it

My point is: I would definitely pay more for a phone that was guaranteed to receive OS updates a reasonable time

Guaranteed? By whom? And you'd believe anybody making such promises?

Only Apple users have good reason to believe their god will protect them here. Except that the proliferation in SKUs for Apple suggest that they're moving to a world of fragmented user base and smaller user numbers per older SKU. And when you get to that, the economics of supporting older handsets simply don't work out as well.

Cook may well have served Apple's death warrant, simply by launching too many variants.

1
1
Silver badge

Re: No money in it

There’s basically three product lines, plus different size and colour options, and the possibility of buying an older model. That’s perfectly manageable.

1
0
Silver badge

Re: No money in it

There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it.

Is it the same reason Rolex can charge $10k for a watch it cost $2k to make?

3
0
Anonymous Coward

Re: No money in it

"Well if your service is shit, my next phone is from someone else."

And eventually that company goes bust.....

In 5 years there will only be 1/2 a dozen manufacturers. You either pick one of those disasters or do your best to lock what little you can down.

0
1
Silver badge

Re: No money in it

"Is it the same reason Rolex can charge $10k for a watch it cost $2k to make?"

Not really the same point, but you can certainly consider ROI a factor in haute horologie. General rule of thumb is that if a watch costs less than $5k it will depreciate over time, whereas those costing more than $5k will appreciate. Hence ROI.

0
0
Silver badge

Re: No money in it

Not really the same point, but you can certainly consider ROI a factor in haute horologie. General rule of thumb is that if a watch costs less than $5k it will depreciate over time, whereas those costing more than $5k will appreciate. Hence ROI.

Rolex doesn't dabble in haute horlogerie, presumably because they sell strongly enough already. That "rule of thumb" is not something I've come across before. Only very few watches (and in the case of Rolex, only a handful of models) have historically appreciated in real value, regardless of list price.

ROI... As with cars, I can only say good luck to anyone who wants to invest in luxury watches!

0
0

Re: No money in it

"The ROI isn't zero. There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it."

people pay more for the iphone because its an iphone and admitty its consistent layout, Not security updates (unless you got the X phone then, with the blackberry playbook gesture system it uses most don't like it and end up selling it or returning it, most non english people seem to be doing this)

until something like MSblaster happens again but on android people won't care (a lot harder as most people's phones are behind a NAT on mobile providers) but not impossible if it used MMS to send to binary or SMS to link to a binary to then spread to other phones via some sort of bug

0
0

Re: No money in it

"I'm not aware of any Android phone manufacturer with a reputation for providing patches. If I'm wrong, please enlighten me!"

google devices for 3 years of point of manufactured (tends to be october every year when they release a device, so 3 years from that date, Not sold) pixel is first google owned device (well technically its HTC) if the pixel 2 did not have stereo speakers i probably would not not bought it

they might extend it to 4-5 this year pixel 3 as android kernel now has a Longer LTS cycle of 6 years (was 2 years before so by the time the phone came out google was having to backport fixes manually, with it been 6 years they don't need to do that now) personally security patches should be longer then 3 years as it currently is with most mobile makers (who bother to do it)

some people keep there phones for longer than 3 years or worse sometimes there new contract phone is 2-3 years old with 1-0 years of security updates if any

1
0
Silver badge

Re: No money in it

”people pay more for the iphone because its an iphone and admitty its consistent layout, Not security updates...“

My company pays more for iPhones precisely because of the security updates. Couldn’t give a toss about layout.

Your motivation != my motivation != everybody else’s motivation.

1
0
Silver badge

Re: No money in it

”Rolex doesn’t dabble in haute horlogerie“

hautehorlogerie.org begs to differ.

https://www.hautehorlogerie.org/en/amphtml/brands/history/h/rolex/

0
0
Silver badge

Re: No money in it

While well made, Rolex's stock in trade is basic steel tool watches (which, before their prices began dramatically inflating ~30 years ago, were even considered affordable!) They don't decorate their movements, indeed they are hidden, they don't combine major complications and the most complicated watch they offer is a chronograph. Unlike the true high-end watchmakers, to address more wealthy customers they are content to take these basic watches and throw precious metals and/or gemstones at them (then charge several times the marginal cost of doing so.)

Almost every brand listed on FHH's website is more innovative than Rolex. When you can't physically manufacture enough of your product to keep up with demand and operate at margins that Apple would likely be jealous of, you don't have to innovate. For (IMO) true "haute horlogerie", some examples would be A. Lange & Söhne, MB&F or Urwerk.

1
0

I don't know why google did it this way. Surely standard security updates are common code across all devices?

2
2
Silver badge

thank ARM, chipset (SoC) OEMs and lazy developers

every phone essentially runs a custom version of Android, not a generic version that will run on any platform that has sufficiently powerful hardware (like it is on PCs)

14
4
Silver badge

"Surely standard security updates are common code across all devices?"

Nope, not really, due to the fact that the boundaries between 'what Google looks after', 'what manufacturers look after', and 'what third parties like driver vendors look after' have always been terribly fuzzy in Androidland; there just isn't a reliable shared core bit of Android in all Android phones which Google can update directly and which no one else touches. Phone manufacturers cook up their own system images from the Android sources and all sorts of other bits, and then it's up to them to re-build the things with updated Android components when Google sends updates out to the Android trees. If the manufacturers don't, you're just not getting those updates (unless you run a third-party ROM).

Android One is (in part) an attempt to address this, but there aren't many Android One devices available outside the developing world, and they aren't that desirable.

20
0
Gold badge

Why Google did it this way...

Well, first off, on the application side, most updates *are* generic. However, the close you get to the hardware, the less likely that a patch will not need to be device-specific, and consequently unavailable to most consumers. I can think of two reasons why Google did it this way, both of which they (G) now regret.

Firstly, the original Android was a quick and dirty bodge. Yes, there was Linux in there somewhere, but there is little evidence of big G defining a standard platform or insisting that vendors make drivers available. Consequently, every phone is a new platform. (This is very evident if you go to www.lineageos.org, where you will find separate builds for every phone they support (well over a hundred, as far as I can tell) and if there isn't a keen developer with your exact model then there probably isn't a build for it. In the realm of 64-bit ARM-based servers, I believe there is now some moves afoot to standardise a platform. There's nothing similar at the other "phoney" end of the market, and until accelerometers, cameras, GPS and such like become standard kit in server racks (!) I don't think a server platform standard helps us at the other end of the market.)

Secondly, the phone companies were delighted to be "in the loop" with a power of veto over delivering updates because they were also "in the loop" with bundling an actual phone with your contract for network service. They ended up with the ability to bully you into upgrading your contract every couple of years. Giving them this power was probably the key to getting them interested in Android in the first place, but big G would like the power back now.

So we have project Treble, as big G says "Thanks for the leg-up into the phone market. I can take it from here myself.".

12
0

I'm hoping to take delivery of an Android One device some time this week. I'll get back to you in a couple of years as to its on-going support.

1
0

Android update statistics

I wonder what the statistics are on these measurements of android update problems:

1. How many phones were originally released running some android version V and are still on version V despite the new version, or in some cases several new versions, having been out for a long time (at least six months)?

2. How many phones are being actively manufactured and sold running android versions that aren't the latest or second-to-latest.

It seems many manufacturers do one or both of those. Sure, new security patches need to come out for phones on a regular basis, but the article is sort of right in that the security problems dealt with in last month's patches probably aren't well-known exploits in use by a lot of malware writers. Instead, they'll focus on the bugs that can affect lots of older versions of the OS, knowing that a lot of phones on those versions are in use. I am not a primary android user, but none of the android devices I or my family members have purchased got a single OS update. I'm sure the flagship $800 devices at least get one, but it doesn't seem good practice that standard or cheap phones would get no attention at all. By the way, we're not talking $30 budget nobody's-heard-of-them manufacturers here. In addition, I took a quick look at a list of standard affordable price ($100-$400) phones. Some of them are running 7.0, but I see many on lollipop or marshmallow. Not a single one runs oreo, even though the main release was seven months ago. I'm prepared to guess that those devices have security holes that are much larger and better known, and that, as they won't be updated to any new OS, they're probably not getting security patches either. If I was writing malware, that's what I would target.

8
1
Anonymous Coward

Re: Android update statistics

In my experience...

If you buy last year's Landfill Android for under $100, about a year later you'll wake up one morning to discover your phone's been auto-updated, and that's the only update you'll ever receive.

If you buy this year's flagship for $500+, about a year later you'll wake up one morning to discover your phone's been auto-updated, and that's the only update you'll ever receive.

27
1
Silver badge

Re: Android update statistics

It may well work like that now, I wouldn't know. That said, My Galaxy S2 started shipping with Gingerbread, got upgraded to Ice Cream Sandwich, and currently keeps marching on Jelly Bean. Not a bad run altogether I'd say.

1
0
Anonymous Coward

The article seems to imply Google good, others bad yet even Google will only give you updates for 2 years. I'm typing this on a perfectly serviceable Nexus 10 that is stuck on Android 5 and the final security patch was over 2 years ago!

28
0

Suddenly Windows on laptops and desktops isn't looking so bad when it comes to patching...

8
6

Locked boot loaders

And this is one of the main reasons why locked boot loaders should be illegal IMHO.

At the very least, if locked boot loaders are allowed, manufacturers should be required by law to unlock any phones that they're not providing security updates for. If a phone goes more than a certain period - say 2 months without an up to date security patch, then it should be mandatory that the phone boot loader be unlocked so that it's then possible for others to take on the job that they obviously no longer want.

Locked boot loaders are one of the reasons why I haven't upgraded from my nearly 4 year old (but very capable) phone that is now getting weekly updates for LineageOS.

37
0
Silver badge

Re: Locked boot loaders

I've got a phone (Xiaomi) that has an unlocked boot loader. Makers even happily allow promotion of Lineages OS on their user community web site.

But that doesn't really solve the problem because it's still far too much faffing around to load a new phone OS, and until you've tried it you've no idea what works and what doesn't. And because there often are a few capabilities that don't work properly on a Lineages port, it is not a good proposition for mainstream users.

9
0
Silver badge

Re: Locked boot loaders

Plus what about the increasing number of apps that won't run except in a pristine environment?

4
1
Gold badge

Re: Locked boot loaders

"a pristine environment"

Given that we're talking about a network-connected device that hasn't received a patch in living memory, I'd say that "pristine" is probably not the word you were looking for. For a related example, consider that XP went out of support a few years ago. Only a complete fool would connect an XP box to the internet today. Are the rules different for phones? Do they get special protection from hackers? Is their software significantly more hardened against attack? Umm ... not as far as I can see.

A phone where the vendor has no intention (and no track record with past models) of supporting it beyond 2 years is a phone with built-in obsolescence. It would be interesting to see a test case or two that pitted a phone vendor against consumer protection laws.

7
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018