Beware of Geeks
Google has teased 47 Android patches for Nexus and Pixel devices. Among the critical bugs in the Android Security Bulletin, five concern the media framework, one is system-level, four hit Qualcomm components. The worst, Google said, is one of the media framework bugs, not yet fully disclosed, but it “could enable a remote …
"Source code patches will land within 48 hours, Pixel and Nexus firmware images are due December 5, US time, and the rest of the world can, as usual, wait for patches to wend their tired way down through vendors and carriers to never ever appear as an update, over-the-air or otherwise".
I don't get why people on a site for IT professionals complain about this as much as they do. If you buy a new laptop, do you keep the installed Windows Home Edition with McAfee, Norton, various rootkits from the vendor, and other unwanted bs? Or do you simply nuke it and install a clean OS yourself? Would you expect Dell or Toshiba or whomever to react to security holes in their crapware faster than Samsung does with Android updates?
Installing a custom ROM on an Android device is not hard - with the caveat that some vendors make it impossible by locking the bootloader, but this can easily be researched prior to the purchase. But if you have a non-locked (or unlockable) handset, the process is roughly as time-consuming as a Windows 7 installation, and I'd say it's even less complicated. The specific details might vary by manufacturer, but in general, you flash a custom recovery with some manufacturer tool, download your preferred ROM onto your device or its SD card, then boot into the recovery and flash the downloaded image. Getting the recovery installed is the hardest step; once you've done that, a completely fresh install takes literally 10 minutes and five clicks, including downloading the new ROM.
Given the obvious benefits such as removing vendor crap, better battery life (I get two days plus out of my Motorola X Play with Lineage 14.1 and also got two days out of my old S3), way higher frequency of updates, extended device life after the manufacturer abandons the handset (the aforementioned S3 has various Android 7.1 ROMs and probably even Android 8 ROMs now), there are very few reasons why anybody with the technical capability to flash their device shouldn't do so. Losing the warranty might be an issue to some, although that can sometimes be averted by re-flashing the original ROM prior to sending it in to be repaired. Most other problems, e.g. flaky camera apps on some ROMs with some devices, often boil down to device and ROM choice.
I'm not sure when I will receive an update containing these patches, but as Lineage is usually pretty fast, I wouldn't be surprised to see it this week. So no, the "rest of the world" will definitely see these patches, as long as they invest the initial work of flashing their device.
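The procedure above ends with "flash the downloaded image". The following is an added example, not code from the thread or from LineageOS, of the check a practitioner would put in front of that step: verify the downloaded zip against the published SHA-256 before handing it to `adb sideload`. It assumes the ROM ships with a sha256sum-style sidecar file (`<hex>  <filename>`); the file names and contents are constructed, and with the default `dry_run=True` it only returns the command it would run.

```python
"""Verify a downloaded ROM zip against its published SHA-256 before flashing.

Added example, not code from the original thread or from any ROM project.
It assumes the ROM is distributed with a sha256sum-style sidecar file
("<64 hex chars>  <filename>"); file names below are constructed.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile


def parse_sha256_sidecar(text):
    """Parse `sha256sum` output into {filename: lowercase hex digest}.

    Lines that do not look like a sha256sum record are ignored, not trusted.
    """
    digests = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) != 64:
            continue
        try:
            bytes.fromhex(digest)
        except ValueError:
            continue
        digests[name] = digest.lower()
    return digests


def sha256_file(path):
    """Stream the file through SHA-256; ROM zips are hundreds of MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_rom(zip_path, sidecar_path):
    """True only if the sidecar lists this file name and the digest matches."""
    with open(sidecar_path, encoding="utf-8") as f:
        expected = parse_sha256_sidecar(f.read())
    want = expected.get(os.path.basename(zip_path))
    if want is None:
        return False
    return hmac.compare_digest(want, sha256_file(zip_path))


def sideload(zip_path, sidecar_path, dry_run=True):
    """Run `adb sideload` only after verification passes.

    Returns the command; with dry_run=True (the default) nothing is executed,
    so the function is safe to call without a device in recovery.
    """
    if not verify_rom(zip_path, sidecar_path):
        raise ValueError("digest mismatch or file not listed; refusing to flash")
    cmd = ["adb", "sideload", zip_path]
    if not dry_run:
        # The device must already be in recovery with "Apply update from ADB".
        subprocess.run(cmd, check=True)
    return cmd


def make_constructed_fixture():
    """Write a fake ROM, a matching sidecar and a tampered copy to a temp dir.

    Purely constructed test data so the example runs offline; returns paths.
    """
    base = tempfile.mkdtemp(prefix="rom-verify-")
    good_dir = os.path.join(base, "good")
    bad_dir = os.path.join(base, "bad")
    os.makedirs(good_dir)
    os.makedirs(bad_dir)
    name = "lineage-14.1-example-signed.zip"  # constructed name
    rom = os.path.join(good_dir, name)
    tampered = os.path.join(bad_dir, name)
    with open(rom, "wb") as f:
        f.write(b"PK\x03\x04 constructed stand-in for a ROM zip\n")
    with open(tampered, "wb") as f:
        f.write(b"PK\x03\x04 constructed stand-in with altered bytes\n")
    sidecar = os.path.join(good_dir, name + ".sha256sum")
    with open(sidecar, "w", encoding="utf-8") as f:
        f.write(f"{sha256_file(rom)}  {name}\n")
    return {"rom": rom, "tampered": tampered, "sidecar": sidecar,
            "unlisted": os.path.join(good_dir, "something-else.zip")}


if __name__ == "__main__":
    fx = make_constructed_fixture()
    print("good copy verifies:", verify_rom(fx["rom"], fx["sidecar"]))
    print("tampered copy verifies:", verify_rom(fx["tampered"], fx["sidecar"]))
    print("would run:", sideload(fx["rom"], fx["sidecar"]))
```

The sidecar is fetched from the same server as the zip, so this only protects against a corrupt or swapped download, not a compromised mirror; for that you still rely on the recovery's own signature check on the zip.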
Installing a custom ROM on an Android device is not hard
Two things: A lot of the manufacturers make it as difficult as possible to unlock bootloaders. No unlocked bootloader, no custom ROM (as is the case for my 10" ASUS tablet).
Secondly - for a lot of people it's going to be near damn impossible. My wife (for example) - despite being a former mainframe assembler systems programmer and now making her living as a web-monkey - is about as non-technical as you can get. She can (eventually) use the Android phone I got for her but, for updates and the like, it gets handed back to me. Intelligence (she is, very) and working with computers doesn't automatically translate to the, quite frankly, techie task of rooting, recovery partition and system replacement.
So thou and I can do it but I suspect that we are in the 1% of Android users who can and do.
Idiots who care about updates but for unfathomable reasons bought a non-Google phone from a network carrier will have to wait.
This is not a failing on Android or Google, Android gets updated every month.
This is purely human fail, plebs that had unrealistic expectations of their £100 phone... We sadly live in a society full of braindead cretins.
I would love to hear a sane credible reason why it's not Samsung's problem that you don't get your updates like other Android devices.
14 Samsung cretins did not like this comment. Doesn't change anything however. You didn't care about updates when you splashed your cash, and now is not the time for regret. You should have engaged your brain earlier.
Complaining that Android doesn't get updated on your Samsung (or whatever) is not a failing of Android, it's a failing of Samsung. If iOS were available on non-Apple devices, it would be exactly the same boat (worse actually, given there is no way to service system apps outside of full firmware updates).
Think about that for a moment and let it sink in.
To our anonymous friend,
You'll probably have more than 14 downvotes when a few more people have read your rather childish posts.
Windows PCs get updates, however cheap and shit your vendor is.
The reason Android doesn't have a good upgrade model is because Google allowed it to be the case. And more importantly because Google have continued to allow it to be the case, given they've had all the power in that relationship for at least 4 years now.
It's because Google give barely a shit about their customers, just so long as they can mine their data.
Obviously it's a shame that non-techy customers don't care about updates.
But it is important to remember that Google used to make it relatively hard to get hold of their relatively cheap Nexus devices - again in order to appease their vendors and help make Android a monopoly that they could abuse. And now their Pixel devices are over-priced - so if you buy those you're just getting ripped-off in a different way. And even at their Apple prices, they only give you 18 months - 2 years of software support. And by the looks of it, bugger-all customer service.
My current phone is a Windows Phone. If I replace with a droid, it will be a relatively cheap and disposable one, like it is. I paid £130 for it, 3 years ago - and it's been perfectly adequate. If I'm forced to spend serious money, the only conclusion I can draw is that it has to be with Apple, if I want reasonably acceptable service.
I think you fundamentally misunderstand Android if you're comparing how Windows does updates to how they are done for Android phones.
The base of Android (AOSP) is an open source project (yes, open-sourced by Google, but still exists independently). Anyone can take AOSP of whatever version they like and produce whatever they like with it - Google have no control over this. Google have built proprietary value-added services on top of AOSP (play services, maps etc). These services are optional, and Google alone is responsible for updating them in a timely manner (which it does, frequently).
What we're talking about here is updates to the AOSP base. Google collates the updates and releases them to vendors/partners every month, 1 month before the public release. Hence any company with sufficient interest in updating their customers can get access to these patches a month before the public release. I'd be a little surprised if the Google internal teams don't have access to the patches earlier, so perhaps they get a head-start, but if a company was sufficiently determined, they should be able to get the patches integrated, QA tested and released within that month.
However, operators sit as another layer between the vendor and customer - they typically do some "value add" tweaking and then they have to QA and release. And it may be that phone manufacturers wait for kernel updates to come from the chip vendors such as Qualcomm, who have to do their own testing. Getting all that done within 1 month probably isn't realistic.
I'm not saying Google are entirely blameless here, but the main responsibility has to lie with the handset manufacturers, since that is who has released the product. They cannot wash their hands of it after release - they should be pushing all the chain to QA test and release security patches in a timely manner. It is a question of priorities - and the simple truth (as the OP was trying to indicate) is that whilst Google prioritises getting these patches out every month for the phones they have direct control over, other manufacturers don't seem to show the same level of enthusiasm.
I fully understand the model. And I agree with you, that it's the vendors to blame for being shit and not even providing security updates and bug fixes. And sometimes it's because they've encumbered their kit (or the networks have) with additional software that they're unable/unwilling to support and test with patches. Obviously this is to their advantage financially, as they want people buying new handsets to get new features.
However Google have known about this problem for many years now. And at some point, there could well be some horrible security incident. Remember how few people had experienced viruses before the "I Love You" email thing, or whichever one was first to hit it big around 2000.
That did terrible damage to Microsoft's reputation, which they still haven't recovered from. Even though they've made serious (if imperfect) and expensive efforts to beef up security in the years since.
I'd argue this is a risk to Google's reputation, although it's harder for this stuff to spread on phones, obviously. But it might happen on a huge scale. And if it does, what will Google do then?
But anyway, even Samsung gave up on Tizen as a viable Android alternative. Windows Phone and Blackberry have fallen by the wayside, and we're just left with Apple or Android. So Google have the power to kick the crap out of the vendors, if they choose to. The fact that they don't choose to, and have made pretty minimal efforts to sort this problem out, tells you they don't care. Not that I wish a mass virus outbreak on the innocent users, but it would be nice to see life bite Google on the arse for their arrogance, greed and incompetence.
I believe Google is doing all it can to make the devices secure. Through the Play services which they completely own they fix (circumvent) bugs, they prevent apps being installed, they scan apps and they monitor (and control) all Play devices. And from what I can see they do a rather good job. I've never heard about mass phone infections or virus break-outs on either iDevices or Android (Play) devices. So they must do something right. Patching the core Android system should be far better than it is right now, but it has improved a lot over the last three years or so. And I think it will get better over time.
It was only last month that there were a million downloads from Google's official Play store of a fake Whatsapp app - which had only been up for a short while. This slipped through automated checking in a way that it would probably have never got through ten seconds of human scrutiny from Apple's appstore.
But Google are obsessed with automation - if not also being greedy.
There's obviously a much bigger problem with the unofficial app stores, which I think mostly affects Chinese users. You could argue that isn't Google's fault, though the shit app permissions model that they created, most definitely is.
Shoving more and more functionality into their own Play Services (which they can update) is one way of fixing some of these problems. Though it's also a way of allowing them to claim Android is Open Source, but it not actually really being so - because you need Google's Play Services for the full experience. So that looks as much like a response to people like Amazon forking Android than it does a way of solving the vendors breaking the update model.
@ I ain't Spartacus - AC's posts may well be childish, but there is a valid point lurking under there. As long as people don't consider the availability of regular updates as a significant factor influencing their buying choice when purchasing a phone, there is little incentive for manufacturers to change their attitude to providing said updates. And the fact is that the majority of people seem to vote with their wallets to say that regular updates are not a big deal; in fact not a few of them explicitly say they'd like fewer updates. You can hardly blame manufacturers for focusing on things that their customers actually care about.
I completely agree with you that a lot of users actively don't want UI changes - which only confuse them, after they've got used to how a device works. The surprise from friends I've told to reboot phones before I'll fix them leads me to suspect that most people don't think of them as having software at all - but as a hardware device that happens to allow them to install apps.
I'm sure if you sat them down and made them think about it, they'd happily recognise that there's an OS on there, as well as apps - and that it's basically a mini PC. At which point they might vaguely consider wanting security updates.
But until a massive Android outbreak makes global news, like "I love you", "melissa" etc., I doubt they're going to think much more about it.
Maybe that'll never happen? Or perhaps Google's seeming lack of care over the marketplace will be the thing, where they do all their checking by automatic processes and hoping for the best?
So it would be nice for users to think about this. But seeing as they're not going to, and the manufacturers are shit at software, and it's Google's reputation on the line, I'd hope for them to do better by the customers. And I judge them harshly because they not only don't, but don't even make the effort to, when it would cost them very little at this point.
Also, what about customers who don't have £500 to blow on a handset? They can't go either Pixel or iPhone? Previously they had Windows Phone, which had worse apps, but better updates. Now they have no good choices.
Maybe whatever company it is that's hired Nokia's brand name for this month will prove reliable and deserve to prosper?
I will play my part by not funding the Android brands that take the piss so blatantly. But I'll also fulfill that role by calling out Google for being greedy, short-sighted (unusual for them), arrogant (business as usual) and lazy - in the hopes that this will also help.
No, the reason why is because mobile phones are not PCs: all PCs adhere to the ancient IBM PC specification, and a PC also requires the end user to apply their own device drivers for graphics cards and whatnot. You are trying to compare two very dissimilar things. The fact you don't understand the difference is a major fail.
What's interesting is that Project Treble attempts to do something very similar to what a PC BIOS / IBM PC spec does, hiding the hardware behind an abstracted interface (sorry for the long words, ask a grown up).
As mentioned, if Apple had to support thousands of devices all with different specifications, chip-sets, sensors and such, they would be in a far worse state.
All Android devices from Google get 2 years of feature and security updates and 1 further year of security updates.
Samsung seem to follow this model, as the other 2 S5+ I have had updates in September (it's an EE-branded ROM so they are normally delayed by about 2-6 months, but as this phone is more than 3 years old now it might not get security updates any more).
Most phones only seem to get updates for a short time. Phones running 8.x will likely be a lot rarer due to the requirement for seamless updates being required if sold with 8.0 as standard (unless the phone came with 7.x first and was upgraded to it). Seamless update is very good on my Pixel.
14 Samsung cretins did not like this comment. Doesn't change anything however.[.... more supercilious* drivel].
One day you'll fail at something. It doesn't really matter what, and you'll find far too much laughter and little help for your liking (and probably some words that you're sure sound German).
Once that day has come you may find the plebs are no longer quite so plebeian and the cretins not as cretinous, but it's okay, the extra humility you take from it will improve your life no end.
Think about that for a moment and let it sink in.
* Yes, the irony isn't lost.... it's been a long day.
So when I looked at that brand new Lenovo tablet, costing £450 last week, still on Android 6 (i.e. 2 versions out of date), did that make me a cheapskate pleb?
I didn't buy it, because I'm not a moron, as well as a cheapskate pleb, but hey. The really cheapskate pleb £120 Lenovo tablet was still on 5, if memory serves.
The Samsung tablets I looked at didn't seem to fare any better, so I guess I'm forced to get an iPad. As with a phone, I'm not giving a vendor north of £400 in order to get abandoned almost immediately. I can live without feature updates, but I demand bug fixes and security updates. With a phone I want 3 years of life, a tablet at least 4.
..and this is why nobody buys Android Tablets. I want to buy a new one, but there is nothing out there that is decent enough, supported enough, and the right price (note I didn't say cheap enough)...
Manufacturers seem to believe the tablet market is dead. It's not, it's in hibernation, waiting for something that's half decent, and not a Kindle, iPad or Samsung.
If I needed a new tablet to replace my perfectly good but hardly used Surface RT, I would buy a reasonably priced W10 tablet.
I would imagine that it would get updated regularly, my 4 yr-old RT tablet still gets updates and it has been obsolete for some time.
But then, I still get WP10 OS updates fairly often too, just "No new System features", just security and bug fixes I guess.
Thankfully, the apps get updates very regularly.
"This is not a failing on Android or Google"
Yes it is. The chosen model makes it a dependency on manufacturers to test and push out patches, which is long proven to be a poor solution.
Both Windows Mobile and IOS manage to deploy patches / updates directly when needed - usually without carrier involvement - so we know this model is not required.
"Both Windows Mobile and IOS manage to deploy patches / updates directly when needed "
Errm, Google do too, buy a Pixel rather than a Samsung.... Spot the common factor here. Updates are easy for all mobile manufacturers, be it Google, Apple, Microsoft (or even the new Nokia) when you only have a handful of devices to update. When you are Samsung and throwing 50 devices a year onto the market (and it is that many when you take into account the full range of devices multiplied by regional and market differences), it is suddenly a LOT harder. How is ANY of this Google's fault? Anyone can download Android and start making Android based devices, some are better at it than others.
Essentially some manufacturers care about marketshare and money, but sod all about delivering updates. Some are far more realistic in their abilities to service their products, and offer proper support.
#fail at understanding a simple concept.
Damn Google... they could have anticipated planned obsolescence for profit by phone manufacturers and created an architecture which could easily be patched without having to upgrade the entire OS which older phones don't have the capacity or have the capability to run.
Have you seen how badly a 2 Year old IOS device runs on the latest iOS version? Did you really expect whoever you bought your device from to want to support it for 5 years?
How much did you pay for this device? let me guess, less than £200. Sorry, but it was bin material over 3 years ago.
Oh, the tedious AC "rubbishing the opposition" part of the sales pitch. Piss off Googledroid, it's clear that you have nothing to add to this. What could you add? MS do a fantastic job compared to Google, still putting out patches for fucking XP if you're prepared to pay for them. My front room PC runs 7 and that still gets updates. That's a generic, built-to-spec PC from 5 or 6 years ago that cost about £200.
Google are cunts.
@AC:"Have you seen how badly a 2 Year old IOS device runs on the latest iOS version? Did you really expect whoever you bought your device from to want to support it for 5 years?"
The iPhone 5S is still a perfectly serviceable phone that runs iOS11 without problems.
Can't say the same for a Galaxy S4 - released around the same time as the 5S, and stuck on Android 5.0
My Lumia 950 has been updated maybe 20 times in the last 3 years and it runs just as fast as it did when I bought it.
Why does adding features have to slow down a device significantly?
Any new feature may take performance away but only when it is used.
The core kernel should get more efficient if anything as improvements are sought out and deployed.
Since the battery life improved on my phone somewhat over several iterations, I assume that was the case.
What makes you think they didn't? And if they didn't, why should they care?
As MS taught them Android is "good enough" to get most of the market they want.
Because Android's core goal is not to provide OS services.
It's to slurp your data. And that functionality works just fine in all versions.
All else is merely a side effect.
That is not Android's goal. This might be what Google want, but Google is not the same as Android. You just don't accept Google Services (which are built on top of Android, but entirely optional - you just opt out).
How hard is this for iOS fanboys to understand? Just because Apple force you to accept Apple's terms, it's not the same in Google land, you can have an Android device without the Googly bits. Just opt out. Press cancel during sign up. Just don't expect to run Maps, Play Store, Photos, etc.
About as hard as it is for Anonymous Google Saletards to understand that people on here use android and are fully aware of how integrated the snooping is.
Google services? Like the fucking keyboard app, that sends every fucking keystroke to Google? How come I wasn't opted out of that when I didn't accept the Google Ts&Cs?
The OS is full of sneaky, phone home bollocks. FFS they were scraping mast locations for years "accidentally".
Opt out my arse.
"people on here use android and are fully aware of how integrated the snooping is."
No, you clearly aren't...
Android comes with a keyboard, and GBoard (previously known as Google Keyboard) is a different product, and is downloadable from the Google Play store, after accepting the terms and conditions.
Neither of them send every keystroke back to Google.
You have failed on every point you tried to make.
As any consumer rights fule noes: a low price is not an excuse for not meeting statutory requirements which in this case means providing relevant software updates.
However, what we are seeing is a failure of the regulatory authorities to enforce the relevant consumer protection laws. This is, unfortunately, typical for software.
" The comparison was between buggy software that keeps giving exploits month after month."
Nope, the clickbait writers at El_Reg have a free story every month. Apple never disclose what they fix behind closed doors. Given they use many of the same chips in their products, it's HIGHLY likely they are also integrating updated vendor drivers every month that fix the SAME bugs, they just don't tell you about it, and don't give away a free clickbait story as a press bonus...
Apple files a CVE for every security bug they fix in iOS. Just because Apple doesn't have a constant flow of bugs that allow an attacker to p0wn your device via MMS doesn't mean they're hiding such bugs. But if it makes you feel better about Android's failings to play whataboutism with iOS, be my guest.
Everyone has their weak point, Google's seems to be their media framework (though maybe Qualcomm takes a lot of blame there) Apparently Apple's is dates (still trying to figure out how you have a bug that hits at such a random time as 12:15am on Dec. 2...)
"Apple has posted an update to address a host of bugs in its iOS mobile software."
"Google prepares 47 Android bug fixes, ten of them rated Critical"?
"Google has teased 47 Android patches for Nexus and Pixel devices."
The Android security model is fucked. Is there any reason you couldn't do the equivalent of apt-get update and pull down whatever updates are relevant to either your crappy £100 no-name mobe or your £700 Google flagship phone?
@AC:"You do, you go to the Google Play store, and press Update All."
That updates your phone to Android 8.0 with the latest hotfixes, does it?
The Play Store updates your apps, you friggin halfwit.
I'm talking about the software that runs your phone. Back to idiot class for you I'm afraid...
That updates your phone to Android 8.0 with the latest hotfixes, does it?
No of course not. But neither does Apt-Get Update..... #Fail
You also seem to think that you need to be running the latest Android to be running the latest hotfixes; this is another fail. That is totally untrue. Patches go out every month all the way back to KitKat (and possibly beyond). It's hilarious how much fail is in what iOS fan-boys have been told about Android by Apple.
The Android security model is fucked.
It's not without its problems but the evidence suggests that it's doing quite well: still waiting for something like Wanna Cry for phones.
All the modern phone OS do a fairly good job of something that is not that easy. They've had lots of examples of how not to do things and have indeed learnt from them.
"It's not without its problems but the evidence suggests that it's doing quite well: still waiting for something like Wanna Cry for phones."
The largest share of Android phones today (31%) are running Android 6.0.
Depending on whether you're running 6.0 or 6.0.1, you're looking at between 493 and 640 vulnerabilities which haven't been, or might never be patched. I won't even get into that bunch of CIA hacks for Android that showed up on Wikileaks earlier this year.
Still waiting for something like Wannacry? How about DoubleLocker? The Reg reported on it back in October.
The main reason you haven't seen it yet is because attackers haven't figured out a way to monetize a mass attack on phones. The days of hacks "for the lulz" are mostly gone, because it is now considered a serious crime.
PC malware is almost totally monetized now - either it sends spam, fake clicks ads, or more recently asks for ransom. Anything you do to a phone that causes battery life to take a shit will probably result in the phone being trashed and replaced - which would also be the fate of phones that got ransomware. It wasn't individuals ponying up the ransom for Wannacry, it was businesses and public institutions that incur real costs from it and figured paying the ransom was the cheaper alternative. That doesn't apply for phones.
@DougS:"It wasn't individuals ponying up the ransom for Wannacry, it was businesses and public institutions that incur real costs from it and figured paying the ransom was the cheaper alternative. That doesn't apply for phones."
Watch the Eset video of DoubleLocker in action. The ransom was something like 40 or 50 quid.
How many people would happily pay that to get back all those photos of their kids that they've never backed up? Could be a good business model...
I don't care about who gets what patch when. I don't care about the advantages or disadvantages of Android or iOS.
I care that any software was ever allowed to go into production when it permitted integer or stack overflows.
All software processes should Always test the validity of All data Before processing it.
Please feel free to print that out and epoxy it to your screen. We (by which I mean users and accomplished programmers, of which I am both) have had enough. And deadlines are not an excuse to propagate system-breaking code.
Google say they have bugfixes for the OS on my Nexus phone. The OS version gets repeatedly listed.
But nobody is saying anything about whether there will be an update distributed.
Every OS manufacturer stops support for older versions. I can live with that. But I wish there was a bit more clarity about which OS version will get updates on which Nexus phones. Just a clear link to a "supported versions" page would be enough. It looks like the info is on Wikipedia, but I'd rather trust a page provided by Google.
Frankly, this story on The Register has too much of the feel of a press release by somebody who has no stake in the game.
If there is an update your phone will have a patch level of the 5th or 6th of that respective month.
Mine is currently November 5th on a Pixel 2, but they did not push out the update for the 6th Nov patch level that fixes the Wi-Fi 0000 key bug that basically makes your secure WPA2 traffic unencrypted and injectable (I get that update plus all these security fixes very soon when I get 8.1 in the next day or two; for 99% of everyone else that will be in the next 6+ months, or never, unless they get a new phone).
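The comment above turns on the difference between two patch levels from the same month: a device reporting the 5th does not carry the fixes shipped under the 6th. The following is an added example, not code from the thread, Google or any ROM project, of how to read that value off a device and compare it with a required bulletin date. It reads `ro.build.version.security_patch` (the YYYY-MM-DD string shown under Settings > About phone) from `adb shell getprop`; the getprop dump embedded below is constructed, not captured from a real handset, and the 90-day staleness threshold is an arbitrary choice.

```python
"""Check an Android device's security patch level against a required date.

Added example, not code from the thread, Google or any ROM project. It reads
ro.build.version.security_patch either from a live device via
`adb shell getprop` or from a getprop dump, and compares it with a required
bulletin date. SAMPLE_GETPROP is constructed, not captured from a device.
"""
import datetime
import re
import subprocess

# getprop prints one "[key]: [value]" pair per line
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2017-11-05]
[ro.product.model]: [Constructed Example]
"""


def parse_getprop(dump):
    """Turn getprop output into a dict; malformed lines are skipped."""
    props = {}
    for line in dump.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_level(props):
    """Return the patch level as a date, or raise if absent or malformed."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return datetime.date.fromisoformat(raw)
    except ValueError:
        raise ValueError(f"bad or missing security_patch: {raw!r}")


def patch_level_age_days(props, today_iso):
    """Days between the device's patch level and today_iso (YYYY-MM-DD)."""
    return (datetime.date.fromisoformat(today_iso) - patch_level(props)).days


def meets_patch_level(props, required_iso):
    """True if the device's level is at or after the required bulletin date.

    A month's bulletin can carry more than one level (the thread contrasts
    the 5th and the 6th of November 2017); a device on the earlier level
    lacks the fixes published under the later one.
    """
    return patch_level(props) >= datetime.date.fromisoformat(required_iso)


def assess(props, today_iso, max_age_days=90):
    """Coarse verdict for fleet reporting: current, stale or future-dated.

    max_age_days is an arbitrary policy threshold, not an Android constant.
    """
    age = patch_level_age_days(props, today_iso)
    if age < 0:
        return "future-dated"
    return "current" if age <= max_age_days else "stale"


def read_device_props():
    """Pull props from the first attached device; needs adb on PATH."""
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                         text=True, check=True).stdout
    return parse_getprop(out)


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print("release:", props["ro.build.version.release"])
    print("patch level:", props["ro.build.version.security_patch"])
    print("has 2017-11-06 fixes:", meets_patch_level(props, "2017-11-06"))
    print("verdict on 2017-12-05:", assess(props, "2017-12-05"))
```

Replace `parse_getprop(SAMPLE_GETPROP)` with `read_device_props()` to run it against a real handset over USB debugging. The property only states which bulletin the vendor claims to have integrated; it says nothing about whether the vendor's kernel or chipset blobs actually carry the fixes, so treat it as a floor, not proof.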
Biting the hand that feeds IT © 1998–2019