Android, heal thyself

Google's Android mobile operating system is now on a par with others when it comes to security, says Accuvant security researcher Joshua Drake, aka jduck. But there are still problems in the operating system, not least a staggered update process. Then there's webkit, which permeates the operating system but is developed …

COMMENTS

  1. WonkoTheSane
    FAIL

    Latest Android may be secure

    But UK carriers will wait 6-9 months before passing it along, if they ever do at all.

    1. Anonymous Coward

      Re: Latest Android may be secure

      Exactly - if ever - I have an Android handset that is basically junk as no updates are available and it was literally 12 months old. Not wishing to harp on about iPhones, but a mate's 3GS is now 4 years old and still going strong and runs the latest iOS 6. I have another (newer) handset that cannot be upgraded further so is now ageing - bottom line is you are lucky to get 12-28 months out of most Android handsets, so a bit wasteful and expensive.

      I know many people upgrade every 18 months but many do not or do not NEED to but with Android they NEED to. Personally I prefer a SIM only contract and upgrade when I want - that may be after 12 months or after 3+ years if I choose.

      1. Anonymous Coward

        Re: Latest Android may be secure

        "Exactly - if ever - I have an Android handset that is basically junk as no updates available and it was literally 12 months old. Now wishing to harp on about iPhones but a mates 3GS is now 4 years old and still going strong and runs the latest iOS 6."

        Moot!

        I had a droid for years now and never EVER had any issues!

      2. squilookle

        Re: Latest Android may be secure

        Don't get me wrong, the situation with updates in Android isn't good enough and there are too many phones that are not getting them.

        However, not getting the updates does not make them junk. The OS does not have an expiry date built into it and continues to function long after newer releases come out. I'm using a phone with 2.3 on it and, while I eagerly await my upgrade in February (because I have a tablet running ICS and it's just better), the phone still does everything the box it came in said it would do.

        So there are actually several options: you can accept you aren't going to get the latest release and use the phone until it dies or you are due an upgrade from your operator (I would argue that most users are fine with this), you can install a newer version yourself via Cyanogenmod or something similar, or you can research the phone you buy and buy one from a manufacturer/operator with a good track record of updates (or a Nexus).

        So, the situation isn't ideal, but you have more options than you do with other OSes.

        1. sabroni
          Facepalm

          Re: Latest Android may be secure

          The podcast is about how security was bodged in initial releases and is better in newer versions. The fact phones running old versions don't stop running is irrelevant, they are insecure compared to phones running later versions.

          It's difficult to seriously argue that phones that don't get updates are better than ones that do...

          1. This post has been deleted by its author

          2. squilookle
            WTF?

            Re: Latest Android may be secure

            "It's difficult to seriously argue that phones that don't get updates are better than ones that do..."

            @sabroni:

            Who is trying to argue that phones that don't get updates are better than ones that do?

            I am challenging the A/C's statement that phones that do not get the updates are "junk", on the grounds that, while they may be less secure, they still work and can often be upgraded using other, admittedly flawed, methods but it's quite clear from my post that I feel getting updates is preferable to not getting updates.

  2. Robert E A Harvey
    Thumb Down

    will be improved by users upgrading to newer versions

    Users upgrading? Users?

    That's loads of phones to throw away, then.

    Was it too much to hope that an OS with a unix heritage and written entirely in the 21st century would have been secure by design?

    1. Anonymous Coward

      Re: will be improved by users upgrading to newer versions

      UNIX is NOT secure by design. It is impossible to make an operating system secure by design. And besides, the major security flaw in any system is always the user.

      Believe me, I've crushed too many "secure-by-design" systems during routine pentests to do anything but laugh when $corporation promises "MOST SECURE OPERATING SYSTEM EVER".

      Looking at you, Kaspersky.

      1. Dave 126

        Re: will be improved by users upgrading to newer versions

        > It is impossible to make an operating system secure by design.

        Maybe. But it seems entirely possible to make an OS less secure by poor design.

      2. Hardcastle the ancient
        Thumb Down

        @AC 9:42 "impossible to make an operating system secure by design"

        >impossible to make an operating system secure by design

        Oh really? What other technique would you suggest? Magic? Bribery? Barbed wire? Wishful thinking?

    2. Peter Gathercole

      Re: will be improved by users upgrading to newer versions

      The whole application deployment model of Android and iOS is different from UNIX, and seriously alters the security model.

      With UNIX, you have the concept of a superuser, which is responsible for the installation of applications which are then used by non-privileged users.

      Android does away with the requirement to use superuser to install applications. Instead, Google have invented an application deployment framework that sits above the OS and runs as a single non-privileged user, which handles all application installation and execution, as well as making it the guardian of user data. As a result, the traditional UNIX security model is not involved.

      In many cases, it is not the Android OS per se that is compromised by the security vulnerabilities. It is the application and/or the user's data. This is a fault in the execution environment (Dalvik?), not in the underlying OS.

      Please don't confuse the two.

  3. Anonymous Coward

    Users barely bother to upgrade their handsets leaving a big security issue - at least the iPhone makes it easy and all handsets still in use (i.e. 3GS+) are still being supported. That is a big deal.

  4. Anonymous Coward

    One can always dream.

  5. Alan Denman

    " is now on a par with other.................

    ...........Then there's webkit, which permeates the operating system but is developed independently of Android."

    It is a near bog standard computer system designed to compete with OS/X and Windows.

    No one owns us there which is as much its own problem.

    And there is nothing wrong with a dated OS.

    Why get your smartphone multi crippled by the latest updates?

    Half the time it is as if the update is designed to kill your phone.

  6. Anonymous Coward

    Fragmented updates

    Manufacturers and carriers are hardly falling over themselves to push out updates in a timely manner.

    Still waiting for ICS and UI hardware acceleration on my G300 (on vodafone) which has been 'coming soon' for several months now!

  7. Nick Ryan

    Users upgrading???

    Not likely, this is the 21st century and phone users treat them very differently to computers - even if you are to tell them that the phone in their pocket has as much computing power as a desktop computer of only a few years ago.

    A smartphone is a commodity device - they need to effectively manage themselves. This means automatic over-the-air updates, preferably over wireless so as to not blow mobile data limits, but if the carriers got involved properly these could even be excluded from mobile data limits. Various carriers have implemented custom features for specific manufacturers of phones, so this isn't out of the question by a long shot. The upside for a carrier is that, despite the additional bandwidth, which frankly doesn't cost them a lot, they will benefit from likely having less malware and fewer problems on their network, keeping it cleaner generally, and better-performing phones are more likely to retain the carrier's loyalty because the majority of users are likely to associate carrier and phone performance together.

    However, these updates must be diff-based, not enormous downloads of the entire OS for every update... as soon as the updates get big and require frequent restarts, users will try to find ways around having them happen as they'll see them as a meaningless bind.

  8. Wize

    Trouble with upgrades...

    First the Android operating system gets updated.

    Then the phone manufacturer adds their bits.

    Then the phone operator adds their bits.

    So if a vulnerability is found today and the patch developed the same day, it could be months before the update hits your phone.

    And sometimes it will die at one of those steps and you'll never get patched. Like HTC saying they would not produce an update for the Desire phone (which they changed their mind about after pressure from the public).

    Yea, you could stick on a different ROM and update it that way, but we are talking the public here, not us geeks. Most won't know how. Many won't even know what an update is.

    To those who know more about the inner workings of Android:

    Is there a way to produce a generic patch for some problems? Not a full build, but replacement of one or two common files that are not dependent on device or carrier?

  9. mike acker

    AppArmor

    The thing Android needs is AppArmor for every App.

    put an end to apps messing around where they should not be messing.

  10. clp
    Happy

    A sense of perspective

    I am not overly concerned with Android security, because it is still at the level of not working and not being fit for purpose.

    I want my HTC Desire Z (Android 2.3 - no more updates forthcoming, except if I had time and inclination to hack one in) mail client and Exchange (2010) ActiveSync to work reliably, not just occasionally, to sync contacts straight away, instead of after a few days or maybe not at all. I want it to send just a single copy of each email I send, rather than timing out, giving me an error while meanwhile the message has gone to my Sent folder as it gets ready to send the next copy. In short, it is fatally broken.

    For a while I used a third-party email client, which solved the time-out and multiple email send issues (aha, at least it's not a hardware issue) when sending over SMTP, but it did not support Exchange 2010. I tried another apparently highly regarded mail client for ActiveSync, but that spent half the time crashing, after which I decided I really didn't have time for this stuff.

    All that might be due to bugs in Android, HTC software or whatever Vodafone put on top, but that effectively leaves me nowhere to go to look for a resolution. It has seriously blighted my experience of Android and I would be very reluctant to spend out on another Android phone.

    My solution to the email issues has been to buy a Blackberry, which at least works reliably and fast, except for lacking native Exchange ActiveSync at this present time.

    So, my only experience of an Android device is it's great as an internet toy, media player and telephone, but worse than useless as a serious piece of business kit. Security? Don't make me laugh.

    Thanks for listening :-)
