Security takes a backseat on Android in update shambles

The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack. The latest figures from Google's Android developer web site show that 44.4 per cent of users have the latest version of Android (Android 2.3 or later …

COMMENTS

This topic is closed for new posts.
  1. LPF

    Hmmmmm....

    Say what you want about Apple devices, but at least when they update, everyone updates!!!

    1. Jedit Silver badge
      FAIL

      iPhone 3G owners might disagree

      You know, given that iOS 5 won't install on their devices.

      Say what you want about Apple, but when they say "upgrade", everyone has to upgrade!

    2. Anonymous Coward

      Only if you have the very latest and shiniest versions of their mobile hardware!

      "Say what you like about Apple but when they say it's time to upgrade, everybody HAS to upgrade or die the death of a thousand hacks!"

      1. Anonymous Coward

        Fandroids...

        "Only if you have the very latest and shinest versions of their mobile hardware!" Demonstrably false; the 3Gs has been available for 2.5 years and supports iOS 5. The iPhone has been available for 4.5 years and has seen 4 revisions. Of the 5 handsets released, only 2 are no longer supported. Google aren't even supporting their own devices for more than 1.75 years! People in glass houses...

  2. Anonymous Coward

    There is actually a simple answer, Google has mobile makers by their dangling bits over access to the market, maps, mail, talk, etc - the closed and licensed Google apps.

    Just make that access conditional on makers providing a decent set of regular upgrades.

    No upgrade? No free maps and Gmail for you. See how quickly those upgrades would come out..

    Now if only Google would care enough...

    1. Lallabalalla
      Stop

      won't happen

      it's not in their business model.

    2. Dan 55 Silver badge

      Or...

      Just make them break with an error message if the version they're running is behind after a reasonable period of time with a polite message referring the user to their operator or mobile manufacturer for more information. Then you'll see how quickly they manage to pull their finger out.

      Even so, things like browser updates are app updates, not firmware updates, and should be able to be pushed out by Google to everyone without operator or mobile manufacturer getting in the way.

    3. gav_taylor

      they said at IO they would be implementing an 18 month upgrade policy for manufacturers to follow, not heard anything since tho

  3. Charlie Clark Silver badge

    That word

    Don't trust anyone who says "incentivised".

    The legal situation is fairly clear - the "supplier" is liable for any damages incurred as a result of failing to repair a known fault. It may take a couple of court cases to change attitudes. However, there is no onus on manufacturers to supply users with the latest and greatest version of their firmware.

  4. Anonymous Coward

    "The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack."

    Google and the handset makers do not care - exactly this has happened to me - now I use iOS - at least they bother to support older handsets like my 3-4 year old 3GS as well as the newer ones.

    This is the hidden cost of Android - handset obsolescence.

  5. AndrueC Silver badge
    Thumb Down

    Not much I can do about it. I have an HTC Desire.

    Yeah, I know there's some manual hack that can supposedly shoe-horn it in but it seemed to have 'Here be dragons' stamped all over it by HTC.

    Sadly this is just typical of modern consumer electronics. There's no money to be made in the software so not much interest in updating it. They'd rather we just threw our old perfectly functional unit away and spend our hard earned money on a new one.

    1. Anonymous Coward

      Not sure...

      I'm not sure I agree, I've got a HTC Trophy (yes, I know it's WP7) and this has had several updates which come from MS admittedly, although firmware updates required for WP7.5 by necessity had to be produced by HTC, but were then distributed by MS.

      I think it's probably more along the lines of the handset manufacturers not wanting to be the companies supplying the updates channel for software that they don't really have that much of a say over. I really think that Google need to face up to the fact that they need to be the distribution channel for updates to their OS. This is how everyone else has updated their OSes for years. The only times that phone companies have updated their handsets has been when they run their own OS.

    2. Anonymous Coward

      There is ... and it's surprisingly easy

      http://www.cyanogenmod.com/

      I assume, as you read The Register, you're a geek who has the necessary skills to implement this exceptionally easy process. Backup your data, install.

      Of course, it means you'll lose the HTC interface - can't remember what it's called offhand. I haven't missed it, as my Desire now flies like shit off a shovel - and it's *vanilla* Android.

  6. Anonymous Coward

    pressure

    "Secondly security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritising security updates."

    By buying a Windows Phone

    1. AndrueC Silver badge
      Thumb Up

      Well...it made me laugh :)

      1. Jim Coleman
        Mushroom

        In that case, the fact that the mobile phone of the year 2011 (What Mobile) is a Windows Phone should make you fall off your chair with mirth.

        1. Anonymous Coward

          Oh really?

          I was under the impression that Samsung Galaxy S2 had secured mobile phone of the year 2011, an Android device as it happens.

          Google: "samsung galaxy s2 phone of the year"

          1. Jim Coleman
            FAIL

            Re-read my post and you'll see where you just went wrong.

    2. Jedit Silver badge
      Happy

      Deja vu ... again

      This post reminds me of a comment made back in Apple's doldrum years pre-iStuff. Apple had put out an advert bragging that there were tens of thousands of Windows viruses but none for their OS. A virus author responded by pointing out that it wasn't worth a coder's time to write viruses for Macs - there were so few in use at the time that a virus written for them wouldn't be able to propagate.

      1. Snapper
        Thumb Down

        Well......

        Apparently it still isn't worth their while, as there are no known viruses for OS X (Malware and Trojans are not self-propagating viruses).

        Poor old virus writers eh? They'd LIKE to write a virus for the OS that intelligent, well-off people with no anti-virus software use, but they simply don't have the time!

  7. Jim Coleman
    FAIL

    Yuck

    That's appalling - all Android phones should get updates to the latest version of the OS without delay - if iOS and Windows Phone can do it, so should the market leader. Shambles!

    It's a fragmentation altercation across the nation and an indication of mass frustration.

  8. measmyself

    Why don't they split out security updates and handle those from Google servers to all phones, and software upgrades can remain manufacturers' responsibility. Maybe it will work for both parties then.

  9. Anonymous Coward

    Latest <> most secure

    The article seems to make the blind leap of faith that older versions are insecure. There are new features, but these are generally not security related (other than enterprise specific things)

    What a load of tosh

    1. AndrueC Silver badge
      Joke

      Good point. Anyone still running CP/M is pretty secure against anything the outside world cares to throw at them :)

  10. Captain Hogwash

    "...the only recourse a consumer has, if they want the latest and most secure software..."

    "..., is to purchase a new phone..."

    Isn't that the point, if you're a hardware manufacturer?

  11. This post has been deleted by its author

  12. mmm mmm

    So..

    Am I better off with the latest Cyanogen on my Desire?

    1. Matt Siddall

      I'd say so - it's so much more customisable than the Sense interface, and runs really well.

  13. Anonymous Coward

    How did it get so bad, so quickly?

    Google had a clean slate only a handful of years ago. How has it turned into this unholy fragmented mess so quickly? That said, Linux itself is a fragmented mess of vendors and versions so I guess it's just followed suit.

    1. Anonymous Coward

      That's the downside to free and open standards isn't it, every bugger has their own!

      There has to be a middle ground somewhere between the Apple lock-down and Android semi-openness, surely?

  14. Anonymous Coward

    Way to go!

    Pressure on manufacturers and operators is the way to go. It should be in their interest to provide the shortest turnaround possible for bugfixes and other upgrades. The article should also have mentioned that there are community builds available for most Android phones, and such software is usually updated within hours when critical bugs are found. This solution is unfortunately only available to those with the right knowledge and who are willing to accept the loss of warranty. Community-provided services could easily be extended to fully automated services if manufacturers and operators had been more cooperative. It is time to stop the lockdown of handsets. Consumers should demand hardware designs which are "safe" so that there's no reason warranty should be affected by the use of unauthorised software. Finally manufacturers should be required to at least provide an open bootloader as a final upgrade before they abandon further upgrades to a model.

  15. Anonymous Coward

    Where is the list of android vulnerabilities and in which version they are fixed?

  16. Seanie Ryan
    Linux

    confusion...

    "smartphone manufacturers could relinquish control of the operating system software updates. This process has already been implemented with the Apple iPhone"

    Apple have relinquished control of their updates? Really? Really??

    Am I reading that part wrong?

    1. Pete Spicer

      In the case of Android, the manufacturer is not the same entity (in most cases) as the OS developer. Consequently *they* are the ones who have control over the updates - we're talking people like Samsung, HTC etc. who are the main (but certainly not the only) gatekeeper of users getting updates for devices.

      Whereas in Apple's case, Apple is the manufacturer and developer, and you don't even get network operator crapware attached that also blocks or delays updates. So when Apple pushes out an update, the only delay is down to the user (or network failures, a la iOS 5)

  17. Stuart Castle Silver badge

    Why have Google not learned?

    The problem with many mobile phone OSes over the years has been the same.

    Back when I had my old HTC Tytn II a few years back, Microsoft was releasing regular updates to WinMo 5, but these were blocked by HTC. Effectively rendering the "Windows Update" program on the phone useless. Then, HTC released a free upgrade to WinMo 6, which, again, saw very few updates, but this didn't bother me, as I only had the phone for a few more months.

    Then I got an N95. I read, regularly, about the features in new builds of Symbian. None of which were ever available to my phone, despite being for N95s. The problem? O2 were blocking them.

    Put simply, Google need to do something about it. They need to ensure that all their manufacturers and operators release the updates. Personally, I think the Network Operators should lose the right to customise the software on the phone, but I doubt that's gonna happen. Apple and Google are the only two players in the market big enough to enforce that restriction on the operators. Apple have already done it, but, frankly, Google don't appear to give a flying toss about anything other than selling advertising.

    1. Dan 55 Silver badge

      Too late now, but...

      In the older Nokias you can easily change the product code to the equivalent unlocked, non-customised version and run the usual updater and the updates miraculously flood in. The key words you need to look for are NSS or JAF.

      The newer ones (Symbian 3) are more protected against tinkering, but it seems that they are working with operators to get updates out fairly quickly. I've just got a service pack for Anna by running Nokia Suite and there's an iPlayer update available OTA.

  18. PaulR79
    Megaphone

    I put an idea to HTC (I've got an HTC Desire HD, a Motorola Milestone and a G1) about updates but unsurprisingly I heard nothing back from them. They like to throw their Sense UI on any new version of Android that appears which adds extra time to the already long update process. The idea? A simple one that I think would generate massive positive feedback.

    Google release a new Android version

    HTC build the new version WITHOUT Sense and offer it as an optional download

    HTC build the new version WITH Sense and offer it as an OTA download when it's ready.

    I don't know how difficult it is to build from source but I imagine it will be far easier for HTC than a bunch of coders doing it in their spare time. Imagine the joy as people get the latest version sooner and then, should it be made available for their device, a Sense version at a slightly later date. The obvious benefit is happy customers who come back to your brand. It would also extend the life of handsets that can't handle more bloated... sorry, more 'feature packed' versions of Sense.

    You don't get many new customers by shafting your existing customer base, you get them by treating the existing customers well. They, in turn, recommend your brand and you get positive publicity for going against the grain. I only have to look at my Motorola Milestone to know that I will never touch another phone they make. A great handset that was ignored in favour of pushing new models onto the same people they ignored.

    1. Keep Refrigerated
      Pint

      LTS?

      I don't understand why manufacturers and telcos continue to pour money into development of crapware. This is not even bundled crap that they get paid for à la Windows - this is their own crapware they've spent time and money on!

      Surely the cheapest option is to just release plain vanilla, perhaps with some tasteful widgets or themepack already installed (note: theme pack, not reskin).

      Of course one of the main problems with updates is that manufacturers or Google refuse to pass them on to older devices because of the supposed limitations of older hardware (even though Gingerbread works better than Froyo on my crippled Milestone).

      This is where I think Google should release separate updates that deal with security (the kernel bit) and shell (the condiment bit). Manufacturers should then be required to push out security updates but have a choice over condiments.

      Of course what would be even better is if manufacturers simply offered 2 update streams - LTS (switched on by default) or Latest! And! Greatest! - a simple checkbox in the settings would suffice with a "here be dragons" warning for those that have the technical gonads and know what they're doing, the ordinary consumer would be none the wiser.

      They need to realise that those of us who root are less likely to actually put a burden on technical support than the ordinary user. Instead we are more likely to accept the consequences of our choice or find a solution.

  19. Kristian Walsh Silver badge

    It's worse than this article suggests

    "stats were gathered by analysing visitors to the Android Marketplace"

    Non-Google-approved versions of Android cannot access this service. There's a lot of "Android" in China that isn't a Google-approved fork. Even Amazon's Kindle Fire falls into this category. Some are on older branches than 2.2.

    On the other hand, Google are quick to count these half-kin as "Android-powered" when they need a big number to shout about...

  20. dssf

    AHAAAA!

    THIS is probably why so many android phones are behind the update curve:

    http://www.theregister.co.uk/2011/11/22/trojan_exploits_itunes_flaw/

    The faster Google and the ISPs/telcos update the security patches, the faster and more cleverer they have to be to obscure more national directive back doors...

  21. dssf

    DAMMIT GOOGLE!!!!

    DAMMIT GOOGLE! GIVE US FIREWALLS, INTRUSION DETECTION, AND PROSECUTORIAL FORENSICS CAPABILITY!

    "Do no harm" my frackin' ASS! My HTC Android tends to crash at times. I become deeply suspicious. I don't have available to me (last time I checked) a Google-provided IDS, and no tools like etherape or firestarter or guarddog.

    This is not the same as someone demanding a home builder provide the alarm system or the private security patrol. While google may have reluctantly or diagnostically included the plumbing/wiring for auditors and developers to do forensics to protect devices, google is woefully, almost criminally culpable if slews of phones are intruded. Banks probably should demand that remote account access customers surrender their mobes to a bank-chosen forensics team when the client claims account fraud. It would be interesting if it turns out that google could have been proactive in preventing such attacks and account fraud by equipping the phones with a warning feature.

    But, nohhhh, that'll give us more power to block ads. Imagine adblockplus and betterprivacy at the phone level, not just at the firefox level. We could just replace adverts with boxes, or silently drop them.

    But then fb and others would lobby against it, because their sucky business models rely on adverts, and maybe 99% of their adverts mean NOTHING personal or attractant to me. I don't have enough money to stay on top of all my bills as it is. They don't advert anything that will help me MAKE more money. I find those upgrades and first-purchases ON MY OWN, because I don't want footprints of *all* of my interests causing me to be besieged by 25 vendors, most of whom are woeful underperformers or way over my budget. Even the stuff I use daily and enjoy using and has upgrade offers every major holiday are often just a destabilizing hair above my pain threshold.

    Ultimately, Google are being asses and defiant ones at that. We are under no obligations to use their OS, but nor are we under any obligation to blindly take their word for it that their OS is secure enough and that if we don't trust their word then we SHOULD pay for 3rd party tools.

    The thing that sucks about most if not all those 3rd-party tools is that they invariably demand that we resort to Cyanogen (apparently a quite good implementation), or something else to "root" our phones. Since rooting can leave us orphaned from our service providers, and a bad update could in some cases brick our phones, it goes back to Google to offer a well-implemented means of knowing when miscreants/assholes are screwing with our phones. We have the RIGHT to know if we're being monitored, and without discrimination, that means that anyone on our phone without our explicit invite is a wanton intruder/trespasser -- whether country, corporation, or crook. And, in numerous cases all three of those can be one and the same, interchangeable, and worthy of the virtual at-door trapdoor or guillotine if caught.

    Certainly, one day on a whim, I may take my mobe to someone, pay to have it searched for a root kit, and then expose that rootkit without discrimination. Intruder beware. Hell, it may be that Google won't GIVE us IDS because they could be under a national directive/national letter to obstruct or delay rollout of personal security tools in the first place.

    Paranoia? No, rage!

  22. heyrick Silver badge

    Motorola Defy - Android 2.1

    It's a bit shameful that only v2.2 is available for the Defy. It's even more shameful that the Orange France makeover is stuck at v2.1.

    I think Google enticed epic fail with their system not being able to update the kernel, system files, built-in apps (browser, youtube...) *separately* to the manufacturer/carrier fluff.
