Google tells Android's Linux kernel to toughen up and fight off those horrible hacker bullies

The security folks at Google have been detailing how they intend to harden up Android against attack. In a blog post, Jeff Vander Stoep of the mobile operating system's security team said that in the next build of the OS, named Nougat, Google is going to be addressing two key areas of the Linux kernel that reside at the heart …

  1. Paul Crawford Silver badge

    Patching speed is probably the issue

    While it is great that Google are improving the security architecture in general, if 90% of smartphones using Android still fail to patch, things are a growing clusterfuck as ever.

    Really, why can't the core OS and libraries be auto-patched for security as most Linux distros do?

    1. Charlie Clark Silver badge

      Re: Patching speed is probably the issue

      The risks of Android are routinely overblown – not to say that they don't exist – but the attack vectors are usually outside normal use patterns. This doesn't, however, excuse manufacturers from improving their woeful update practices.

      What you suggest simply isn't possible at the moment because the kernel on each phone is owned by the manufacturer and any kind of OTA is going to rely on their keys, or you open the door to drive-by hacks of the kernel.

      The only way things will change is if cases, such as the one currently winding its way through the Dutch courts, decide that manufacturers are at fault and impose sanctions / requirements. I'm not holding my breath on that one as the software industry has a dreadful record of providing security updates.

      1. TheVogon Silver badge

        Re: Patching speed is probably the issue

        "The risks of Android are routinely overblown – not to say that they don't exist – but the attack vectors are usually outside normal use patterns. "

        You mean like say - playing a media file - visiting a website - or receiving an SMS message?

      2. John70

        Re: Patching speed is probably the issue

        I thought manufacturers' update practice was to release a new phone/tablet with the latest Android, not update current equipment.

    2. Planty Bronze badge

      Re: Patching speed is probably the issue

      You seem to have pulled that 90% figure out of your arse.

      These changes are for Android N. The reality is, you are only likely to see this stuff in a new phone, or a Nexus. Your old phone will get security patches for its existing version of Android.

      Security is an evolutionary thing, just because there are new techniques to beef up security, doesn't mean your current device is insecure (Android is very secure in reality), it's Google keeping ahead of the curve, securing FUTURE products, when you buy your next phone.

      1. alain williams Silver badge

        Re: Patching speed is probably the issue

        >Your old phone will get security patches for its existing version of Android.

        Oh really? Try telling that to Samsung - I got one update for my phone. They lose interest as soon as they have something new that they want to sell you. Long term support - ha! a customer pipe dream :-(

        1. Argh

          Re: Patching speed is probably the issue

          I'm not sure about the cheaper models, but the flagships (Galaxy S and Galaxy Note) tend to be updated regularly, at least for security patches.

          My 2+ year old S5 is still updated almost every month.

          If you are using a network branded phone, this may not be the case, particularly if you are on EE/Orange, who seem to be the worst for regular updates, from looking at firmware releases. Flash an unbranded firmware, if you can, to get the updates.

        2. Anonymous Coward

          Re: Patching speed is probably the issue

          That's because you bought a Samsung. My Sony Android phones are serviced well with security updates (and even major OS updates - My Sony tablet shipped with 4.4, got 5.0, 5.1 and recently 6.01).

          It's not Google's fault you bought a shit phone.

      2. Snowy Silver badge

        Re: Patching speed is probably the issue @Planty

        Nexus phones only get updated for two years, or is that considered the life of a phone now?

        1. timrichardson

          Re: Patching speed is probably the issue @Planty

          My Nexus 2013 tablet still gets updates.

    3. Dave 126 Silver badge

      Re: Patching speed is probably the issue

      >Really, why can't the core OS and libraries be auto-patched for security as most Linux distros do?

      Because [technical reasons].

      1. Uffish

        Re: Because [technical reasons].

        I can understand that quick and easy update solutions were not included when the phones were designed, but can the manufacturers understand that one way or another we pay good money for their products and would probably prefer something that doesn't go rancid after a couple of years?

        Throw-away is just so last year dontcha know.

    4. timrichardson

      Re: Patching speed is probably the issue

      I got four Android phones in the family, oldest is HTC m7. Other three are Samsungs. They all have stagefright patches (even though the m7 is stuck on Android 5, it still gets security patches). All were bought from Telstra, an Australian telco, which is supporting them. So mainstream users who buy phones from a good network provider should be OK for patches.

    5. David 164

      Re: Patching speed is probably the issue

      >Really, why can't the core OS and libraries be auto-patched for security as most Linux distros do?

      I'm going to take a guess and presume the mobile phone operators, being the control freaks they are, want to test each and every patch first. Also they probably worry about being blamed for customers going over their data limits unknowingly, though this could be solved by making it a wifi-only feature, auto patched over wifi. Another issue is Motorola and others laying their own software on top of Android; there's some potential for new security patches to break this software.

  2. Anonymous Coward

    About bloody time!

    Pity it's taken Google till Android version 7 to implement best security practices known, at least conceptually, since the 1970s.

    1. Sil

      Re: About bloody time!

      Instead of spending so much time looking for security bugs in third party products, Google could begin by looking for vulnerabilities in its own products. It could also fix security bugs in older versions of Android, since it is well aware of the fragmentation of the ecosystem.

      1. joeldillon

        Re: About bloody time!

        It's not so much 'Google the corporation' doing that as 'one guy working at Google', you know.

      2. Anonymous Coward

        Re: About bloody time!

        The fragmentation that Apple told you about????

    2. Daniel Palmer

      Re: About bloody time!

      >implement best security practices known, at least conceptually, since the 1970s.

      Known since the 70s but not implemented in probably the most widely used proper (i.e. not RTOS) kernel in the world? I wonder if there is some level of "easier said than done" to this?

      1. David 164

        Re: About bloody time!

        Probably hardware requirements, a lot of things thought of in the 60s/70s/80s only became possible when memory became so cheap.

  3. Nano nano

    Android would be more secure if they allowed phones to update components.

    There is no way I am bricking my phone with one of their "Big Bang" updates.

  4. Anonymous Coward

    Taking a leaf from Grsecurity

    Maybe this means Grsecurity features will finally make it one by one to the mainline kernel!

Biting the hand that feeds IT © 1998–2019