Android users left at risk... and it's not even THEIR FAULT this time! Tardiness in providing security updates is leaving the vast majority of Android devices hopelessly insecure, according to researchers at the University of Cambridge. Over the last four years, an average of 87 per cent of Android devices were vulnerable to attack by malicious apps, according to the research, which blames a …
I'm not; I have a phone I bought outright from one of those Amazon-hosted resellers, and I use an AT&T-hosted MVNO with a monthly payment plan. (It's about 1/3 the cost of the AT&T plan I used to have.)
My phone is a Samsung, originally AT&T-branded. Bought new and unlocked.
No updates in sight. Samsung isn't publishing any for this phone, and AT&T won't supply updates if you're not on contract. Samsung's "commitment" to supplying updates clearly doesn't apply to devices they don't consider current.
Phone's rooted, so I can just disable Stagefright (using build.props) if I want - at the moment I just have MMS auto-downloading disabled. But the updating process isn't any better if you're not under contract.
I have yet to EVER see ANY Android device with Malware
I've personally seen two infected devices, one of which was mine and I always double check the permissions on my apps before I let them install. The other wasn't even rooted and didn't have the "allow unknown sources" checked so the infection either had to have come in through stagefright or something similar or from the Play Store itself.
Not to slam Android, because it is still my mobile OS of choice and most likely will be at least until a new player comes into the market, but the malware for it is out there and works. That's why I run a security app.
Just because "allow unknown sources" was off, doesn't mean it's ALWAYS been off.
I've seen people do nothing more than read that an app needs to turn that option on to work, then press to go to the menu directly, switch that option, let the app install, then go back in and turn it off again.
In fact, even things like Amazon App Store require this as they are "not Google". So you can be sure that MILLIONS of Android users have turned that option on, and some brainy ones may even have turned it off again, which may well be like closing the stable door after the horse has bolted.
P.S. The Android App Store, then, is free to install what it likes.
On the subject of Amazon - I did not install their Amazon underground app - inspected what rights it wanted - an absolutely ludicrous (in a bad way security / privacy wise) set of permissions, way in excess of what was required with the functionality it nominally offered.
There's more to malware than botnets and lost files. Much of what's in Google Play Store is garbage of some kind trying to get easy ad revenue. You might think you're clean, but you might have a few impostor apps that do exactly what you expect but send ad revenue to a different developer. Or maybe they collect a bit of extra information of extra value. Lots of apps even have Google Play Store reviews with proof that they're malware.
Well still never seen or heard of a single Android malware issues. I do know a couple of people stung by the age old Windows problems..
http://www.bbc.co.uk/news/technology-34527439
Funny this seems to have slipped by without getting a mention, perhaps nobody is paying the security researchers to promote this... That would instantly suggest who was behind all this Android scare stories.
Indeed, but there is a huge difference between the iPhone/iOS and Android.
iDevices are designed hardware and software by a single OEM. This OEM then ensure that the various networks toe the line in terms of updates and keeping crapware to a minimum. i.e. the OEM cares and ensures quality. This even goes as far down to the connector - rather than use USB which was never designed for such a job, iDevices have a purpose-made connector so that DAC can happen *on the device itself* meaning that add-ons are much cheaper and easier for other vendors to make. Heck the iDevice dock being the most common to see.
Android, on the other hand, is thrown over the wall by the writer who then provides zero support, standards or guidance. Thus networks add crapware and ignore updates as well as OEMs adding crapware and ignoring updates. What the end-user winds up with is a dog's dinner that barely functions (hardly surprising, it is Linux after all) in a cheaply made unit and with a woeful connector.
This is, and many other reasons, are why Android and its ilk are simply best avoided.
OS X is based on NeXTStep, which in turn used the Mach kernel. Some things from BSD (_not_ strictly FreeBSD) were added. And things have changed sufficiently over last decade and a half that it would be extremely inaccurate to call OS X either Mach or BSD. It most definitely is NOT FreeBSD.
This OEM then ensure that the various networks toe the line in terms of updates and keeping crapware to a minimum
No, the networks are not involved AT ALL with iOS. They don't have the ability to install crapware or anything else on iOS, and all updates are delivered directly from Apple so the carrier has zero ability to control or interfere with you choosing if and when to update iOS.
The only thing the carrier controls on an iPhone is 'carrier settings', which you might see referred to in a popup once a year or so, or when you change carriers. Basically it is a small file that allows the carrier to specify stuff like LTE bands, roaming partners, carrier hotspots and so on. But since Apple controls the format and allowed content of the file, and it is not executable code, the carriers can only use it for the designated purposes and can't use it to mess with your iPhone. The only difference you might see if a few menu items in the Cellular settings go away for certain carriers or if your phone is SIM locked due to a contract. The carrier settings go away when you switch carriers via a new SIM and is replaced by your new carrier's settings.
This post has been deleted by its author
There's malware in the wild for iOS too. And no, you don't have to jailbreak your iWhatsit to get it. The difference is that you can get decent anti-malware for Android while iOS anti-malware is somewhat crippled by restrictions Apple places on it.
I've said for years that no matter what platform you're running only a fool runs a system with access to the internet and no anti-malware and I stand by that. Unfortunately Apple encourages people to be fools in that regard.
Which malware is that then? I assume you are probably referring to the recent issue where some Chinese developers grabbed Xcode off a bulletin board instead of from Apple, which added malware (in the form of a popup to ask for your iCloud credentials) to the compiled code when these developers then uploaded to the app store? Apple remotely disabled all the affected apps, as they always do if any malware is found. What's the point of running anti-malware when it would basically do the same thing in relying on signatures from the outside to tell it what's malware and what isn't?
There's malware in the wild for iOS too
Please, please, please, name it so I can have a look at it - by that I mean in a Western app store, though, I would never install an app where I could not even read the screen. It will be totally worth rebuilding the phone from scratch because I have as yet not seen a single such app. Pretty please?
I've said for years that no matter what platform you're running only a fool runs a system with access to the internet and no anti-malware and I stand by that.
You can do rather well if you start with decent fundamentals. Anti-virus is more like forgetting to add the brakes when you design a sports car and then fix it by selling chains and boat anchors. I must admit, though, that Google is the only company I know that has been able to start from a Unix platform and then make it look more like Windows from the perspective of vulnerabilities :)
Toires, LBTM, and FindCall. There are three trojans that can infect un-jailbroken iOS devices. And that considering that iOS is undoubtedly one of the hardest to infect platforms currently available. Granted one is proof of concept and the other two have been removed from the appstore, but if three can do it then more can as well. I personally view anti-virus on hardened OSes the same way I view the carbon monoxide detector in my house: the odds of needing it are astronomically against it, but if I ever DO need it I'd much rather have it than not.
There's no doubt iOS is more secure than Android. How much of that is due to good design and how much is due to the walled garden and relative obscurity of the underlying system is up for debate, but it's a purely academic debate. I realize that the odds of ever actually encountering iOS malware are pretty insignificant, but just as I would probably tell my landlord where to shove it if he tried to make me get rid of my CO detector I would be uncomfortable not having access to decent anti-virus software. There is simply no such thing as a perfectly hardened system.
Toires, LBTM, and FindCall. There are three trojans that can infect un-jailbroken iOS devices.
The first two were proof of concepts that were patched before anyone could put them into production, and one (1) that made it to the app store. The latter got pulled quickly, also because it didn't work that hidden because iOS does not allow SMS sending or making calls without user interaction (stops premium rate abuse).
I reckon iOS fares rather well in any "how vulnerable is my device out of the box" comparisons, ditto for "how easy is it to keep up to date" comparisons, simply because it is known hardware.
How much of that is due to good design and how much is due to the walled garden and relative obscurity of the underlying system is up for debate
Obscure? iOS? LOL :).
Obscure? iOS? LOL :).
Yes, iOS is relatively obscure compared to Android. Any neophyte script kiddie with a basic understanding of java can get the source code, spend a few months studying it and know the ends and outs of how the system works. With iOS unless you work for Apple you don't actually know exactly what's going on under the hood. That's what I mean by relative obscurity.
OK, I will spell it out for you.
This Android scareware FUD that is going around at the moment, this is Apple money. Apple have their own problems. Apple device security if you look at it without bias, is actually inferior to Android. It doesn't have several of the layers of protection that Android has.
http://lifehacker.com/how-secure-is-android-really-1446328680
iPhone is secure because it's locked down. Android is secure because it's also locked down, but it does allow you to unlock it (with a warning). Users are idiots.
>This Android scareware FUD that is going around at the moment, this is Apple money. Apple have their own problems. Apple device security if you look at it without bias, is actually inferior to Android
Ok let me know when iOS allows an attacker to root your boot locked (non jailbroken) phone without user intervention with an MMS. That is an entirely different class of shit security more of the Windows XP worm kind. Last I heard its still not completely fixed and in all forms is still certainly a vulnerability on the majority of Android phones out there.
Also (bah missed edit period) yes iOS has some vulnerabilities (plus Apple's security record and practices are a mixed bag) as well but the fact that they have a very successful patching system (most handsets supported are kept up to date at a remarkably high level) plus a much better full disk encryption solution means Android (as shipped in vast majority of handsets) has some work to do.
Noooooo.
iPhones just leave you feeling seasick just looking at the screen, or refuse to let you use it as intended because you're right handed, or send your car barreling down an airport runway, or charge you a premium price on a "new" phone for features that have been in competitors devices for 4 years.f
Yep, not a problem with iPhones, because who has the time to write malware for IOS when the device in question doesnt work well enough for you to test it?
Funny I thought the conversation was about security of the various handsets and not your personal opinion about phones. There is much not to like about Apple but the fact remains they are the only handset maker making any kind of profit on phones today so they are obviously doing something right (and its not all marketing even if the majority, their competitors spend plenty on marketing as well).
This is the feature I want. If a manufacturer decide to stop supporting the device then at least give us the ability to support it ourselves with Cygenmod. I have an annoying Asus tablet here that had updates abandoned barely three months after purchase! I expected support to at least get to the end of the one year warranty....
The score has three components:f - the proportion of devices free from known critical vulnerabilities.
u - the proportion of devices updated to the most recent version.
m - the number of vulnerabilities the manufacturer has not yet fixed on any device.
But how realistic is this considering
d - the time delay between an update being available from the manufacturer and the carrier being arsed to push it out?
'd' extends towards infinity by an exponential rate based on 'a' (where 'a' is the device age in months [unlocked handsets] or days [locked handsets]), inversely reducing 'm' so pretty much all anyone ends up with is 'f' and 'u', a big ¯\_(ツ)_/¯ and a link to buy the latest yet-to-be-abandoned handset.
I was rather distressed to learn that LG cuts you off if you root your device. Every other manufacturer I've ever had an Android from will at most unroot your phone during an update but LG blocks you from their updates completely, even after unrooting. If you root an LG phone you'd best be running a custom ROM if you want updates.
because I've never paid much attention to mobile phones and how they work, but here goes anyway:
is there any reason other than attempting to enforce user lock-in that one can't simply install any OS one likes on modern 'smartphones'?
One of the main resons I'm not terribly interested in them is because of their price being similar to that of a full-blown desktop. That being so, I expect similar levels of control over the thing, so that I can ensure its security to the best of my (admittedly not uber) ability. Android doesn't interest me for obvious reasons, and iPhones don't interest me because of the excessive procing (well, they're beyond my reach anyway). My ideal would be a pocket computer running a normal linux distro with a clip-in bit that gives it phone capability - and such that I could turn the phone part off without turning the whole thing off. Does such a beast exist? Could it (as in could it, realistically, given the situation as it is now where phone operators expect to own your phone body and soul yet still get you to pay for the privelege)?
(all comments posted here based on theoretical knowledge only - I have not personally rooted my current device or deployed recent versions of any OS or other software mentioned here. Caveat Lactor applies...)
Not really stupid...
Lots of ways round the lock-in problem; simplest is probably to get an Android device and then root it and install whatever alternative Android-derivative you favour. Cyanogenmod is good, apparently.
For a full-linux experience, something like this may be interesting: http://www.ubuntu.com/phone
And then there are others out there, like Mozilla with FireFox Phone, who will say they're doing something similar.
"why can't I just install whatever I like" will fall down, I suspect, due to driver issues - no smartphone (I assume) runs a desktop chipset, so you can't just deploy your current-favourite wintel build as that simply won't boot.
Options are more limited, I understand, if your hardware is an iThing; you can unlock it but there won't be the choice of alternative OS that there seems to be if your starting point is a 'droid.
See my own post below - this sort of idiocy has persuaded me to pre-order a v0.1 device from an unknown supplier; here DEFINITELY be Dragons!
is there any reason other than attempting to enforce user lock-in that one can't simply install any OS one likes on modern 'smartphones'?
The biggest barrier is, for lack of an easier way of putting it, driver issues. If you tried to install iOS on an Android device it would never work because iOS support for non-Apple hardware doesn't exist. Ditto for installing Android on an iThing. There is an app in the works that lets you install Windows Mobile on Android devices, but I've not read anything about it other than that it's in the works. No bets on how wide the support for it is. With some Android phones you don't even have the option of custom ROMs because there aren't any with hardware support for that model.
Really the only way to get a similar level of control in your mobile device as what you have on a desktop is to buy an Android device, root it, and install a custom recovery on it (which, of course, voids the warranty but gives you access to custom ROMs, which is about as close to an alternative OS as you can really get). Jailbreaking an iOS device can get you close to the level of freedom you enjoy on the Mac, but you're still stuck with iOS. Unlike Android you don't even have any custom ROMs you can install on them.
@sisk (and others that have responded to my question) - thank you, much appreciated! That rephone kickstarter looks interesting! And funnily enough, I have been slowly gathering bits to make a mobile PC based on an RPi (which, let's face it, can be done just by plugging bought bits together, which is about my level. I'm only at baby steps level of both software and hardware hacking).
This type of problem has convinced me to pre-order the WileyFox Storm.
My existing HTC handset has no updates available (still on 4.1 Android) and any that were ever offered came with EE's cruftware.
Hopefully the WF will allow me to update Cyanogen OS whenever I like, plus delivering the security features that we should be asking for as standard...
All of that assumes that it will show-up as scheduled at the end of the month, of course...
Sorry to disappoint Tim but running Cyanogen is still no guarantee of receiving updates. Mainly because there is no hardware standard for phones, there is no one size fits all OS distribution. Each different phone model requires a custom ROM build, so support only lasts for as long someone is prepared to do the development work to update the ROM build for your phone. Though with Cyanogen support duration is often better than the original manufactures.
Yeah CyanogenMod support kinda goes on a scale.
- Manufacturer's ROM. You'll be lucky to get one or two updates unless you're running a Nexus or certain Moto phones.
- CyanogenMod with their built-in OTA updater
- Unofficial CyanogenMod on XDA developers, which tend to be a bit more fiddly to keep up to date as they tend not to have an OTA update mechanism
The latter category though can have support for years, depending on the install base for your phone. My Asus Transformer TF101 is running the latest Android despite official support ending at Android 4.0 and the latest official CyanogenMod being CM10 (Android 4.3), thanks to the efforts of a particularly dedicated device maintainer.
which blames a failure of some manufacturers to provide regular security updates for the problem.
That would imply that there's at least one which actually does provide updates for all its devices out in the field[1]. Care to name them as I'd like to buy one of their products?
Ah.....right.......typo was it......?
[1] I.E. Not only the ones still covered by the warranty.
My father asked me for recommendations for an unlocked smartphone. I would have recommended an iPhone, except he doesn't want to spend more than $200. I held up my nose and recommended a Windows device to him precisely because of Android phone makers' unacceptable policies.
It's not surprising, really, the OEMs would rather sell you a new phone than help you make your old last. Software updates should be firmly in the hand of the ones making the software, i.e. Google, not the Android OEMs.
At the margins these firms (using that term rather loosely) operate at, there's zero chance of being able to support the devices at all. People would have to pay some sort of premium which they demonstrably are unwilling to do. Samsung does charge a premium but doesn't seem to do updates for very long and look where it's gotten. Little to no respect on this issue.
And that completely ignores carriers who likely have a major role in Sammy's issues. Change consumer behaviors. 'Til then? Live with it.
at pushing its users under the bus that is concerning updates.
The Samsung phone I got (Samsung Galaxy Centura ) I don't recall getting a single update since I got it. It currently has android 4.0.4 in it...
Sad thing is I do like their hardware I have a LG that I was going to switch to that I found no where near as robust.
When they can just sell you a new phone? I mean, if you're *really* that worried, you'll spring for one, right?
I can see how people who prefer flagships might be hesitant with this approach, perhaps, but maybe if people stop buying flagships and switch to cheap land-fill models instead, manufacturers might get the message.
A little off topic but it's interesting to note HTC's latest quarterly loss (early Oct 2015) was reported by the Beeb but not on El Reg (at least not that I noticed). Perhaps El Reg could just have a cut and paste template story ready for the inevitable in Jan 2016?
http://www.bbc.co.uk/news/business-34451104
Straying back towards topic a little, it's something other Android handset manufacturers should take note of. HTC's problems are down to reaping what they've sown for years though their egregious neglect of customers, especially WRT security updates and bug fixes.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
