Stagefright flaw still a nightmare: '850 million' Androids face hijack risk

Mobile security biz Zimperium reckons 600 to 850 million Android devices are still vulnerable to a Stagefright flaw that lets webpages and videos inject malware into phones and tablets. Stagefright is a software library buried deep within Android that processes multimedia files. It is used by a key Android component called …

  1. Andy Non Silver badge
    Meh

    Too risky to use Android browsing the web.

    I restrict all my web browsing to my desktop computer; not only is the screen much larger and the mouse and keyboard more convenient, it is much more secure, fully patched and with extra safeguards such as NoScript and Adblock.

    In view of all the half-assed Android patching, or no-patching, I certainly wouldn't use my smart phone for accessing online banking or anything else of a sensitive nature. I gather Google are pushing something called Android Pay too? No thanks. Android just doesn't seem like a safe/secure environment to me. I'll just continue using my smart phone for making calls, playing chess, listening to MP3s stored on the SD card, or reading (free) Kindle books. Web browsing on Android? No chance.

    1. Anonymous Coward

      Re: Too risky to use Android browsing the web.

      and along comes Google Pay to spice things up a bit.

      Come on Alphabet get your frigging act in order. Refuse to let the google pay app be installed on any version of android that is vulnerable to these sorts of threats.

      Perhaps this will make the device manufacturers get their act together with updates.

      Until then, the only game in town for secure operation is Apple. At least they do issue patches/updates.

    2. Adam 1

      Re: Too risky to use Android browsing the web.

      > with extra safeguards such as NoScript and Adblock.

      All of which are available on android too.

      1. Andy Non Silver badge

        Re: Too risky to use Android browsing the web.

        @Adam 1, That as may be, but if the OS isn't properly patched, using the Android equivalents of NoScript and Adblock would be rather like having window locks on your property and security bolts on your front door but leaving the back door wide open. Extra security in one area doesn't compensate for a lack of security elsewhere.

        1. Charles 9

          Re: Too risky to use Android browsing the web.

          NoScript IIRC ALSO safeguards media tags, making them click-to-play.

          1. Blitterbug
            Coat

            click-to-play won't protect against trojan smut!

            But I'm guessing the unspoken elephant in the room is that some of us might be using our phones / tablets to surf for free tuggables. And there is a veritable Aladdin's cave of dodgy MP4s out there, and anyone who wants to get their thang on is not going to be shielded by a click-to-play protection. Because no play == no funsies.

            Icon because, ahem.

            1. Charles 9

              Re: click-to-play won't protect against trojan smut!

              Then as the comedian once said, "You can't fix Stupid." At some point, you just have to give up the hopeless idiot as a lost cause.

  2. Sebastian A

    The update channel on Android is fatally flawed

    There are too many parties involved, and too little incentive for the manufacturers that are dragging their feet to move faster. Older handsets (by which I mean anything not current gen) are neglected as a way of encouraging end users to upgrade to the latest and greatest.

    I'll still never buy an Apple device though. Wonder if my Nokia 3310 still works. Actually, why do I even ask, of course it does.

    1. Tom 35

      Re: The update channel on Android is fatally flawed

      I would put the carriers as the number one problem. If you go for a brand new phone you might get one update if you are lucky. Get a "free" phone and forget it. Even if there is a newer version of the software available from the manufacturer than what is on the phone when you take it out of the box, don't expect to ever get the update.

      It's been like that forever, they treat phones the same as toasters. When I bought a moto Razor it came with ver 1.0 software that almost worked. There have been at least 3 upgrades released by moto, but zip from the phone company so I had to Debrand the phone so I could install factory software that was usable.

      Why would a manufacturer upgrade the software for a 2 year old phone if they know that no one will ever see it? I have a nexus 4 and might be looking at the next smallish nexus to come out after the 5x.

  3. SirWired 1

    If you want Android get a Nexus

    The god-awful state of Android security patching to me signals that you really should not consider any Android device but a Nexus. Or, I suppose, any manufacturer that sells unlocked devices (and therefore not dependent on carriers) and vows to roll out security patches quickly, and keep them coming for at least a couple of years.

    This led me to just replace my 1st-gen Moto G with a Nexus (okay, this and the Google Fi fire-sale on the device.)

    However, I don't know where this leaves the vast Android entry-level market. I don't know of a single entry-level phone at the moment where I would expect prompt and long-lasting patching.

    Google really needs to fix this problem, or somebody else will come along who will.

    1. Adam 52 Silver badge

      Re: If you want Android get a Nexus

      "Google really needs to fix this problem, or somebody else will come along who will."

      Who? Not Mozilla. Not Canonical. Not Blackberry. Not Nokia. Not even Microsoft, although strange as it may seem they may be the only hope.

      Would you buy a new phone with no app support?

      The industry's crying out for a proper open source phone but sadly I think the moment has passed. Maybe we need someone to emerge as the new RMS for the mobile first era.

      1. Mark 85

        Re: If you want Android get a Nexus

        "Google really needs to fix this problem, or somebody else will come along who will."

        Who? Not Mozilla. Not Canonical. Not Blackberry. Not Nokia. Not even Microsoft, although strange as it may seem they may be the only hope.

        The miscreants will in a way. Once enough of them have been compromised and probably binned, the word will spread and Android will either need to be supported by the manufacturers or die.

  4. Jason Bloomberg Silver badge

    850 million at risk

    And 850 million people who haven't had a problem.

    It may be "...yet" but it is likely one of the reasons people are resigned to whatever risk there actually is. And I doubt many of those 850 million could upgrade their Android version if they wanted to.

    1. Charles 9

      Re: 850 million at risk

      Because they're all UNOFFICIAL upgrades, and Android apps are increasingly becoming root-aware and custom-aware, meaning upgrading now entails a serious tradeoff.

  5. mdava

    Hooray for Cyanogen mod

    On the one hand, 97% of users will never consider using it, but on the other hand last week I updated my phone from stuck-on-4.4.2 to 6.0.1.

    Which shows that it can be done, just that the manufacturer / network operators can't be bothered.

    1. MacroRodent

      Re: Hooray for Cyanogen mod

      I'm actually in the process of getting a suitable second-hand Android device just for running CyanogenMod. After considering various alternatives, it now looks like the least bad smartphone successor for my WP7 device (which otherwise works OK, but is getting more and more trouble with incompatible web pages).

  6. Anonymous Coward

    Screw you Samsung

    My Samsung Galaxy Note Pro 12.2" (supposedly a "Pro" model) is still stuck on Android 4.4.x. Samsung haven't released updates in ages. So, Fuck You Samsung.

    Time to buy an iPad Pro. At least that will receive updates for a few years.

    1. DryBones

      Re: Screw you Samsung

      Or a Nexus 9.

      Just saying.

      1. Anonymous Coward

        Re: Screw you Samsung

        Not a chance. This was my first and only experience with Android. Compared to iOS - even iOS 5 on my iPad 1 - Android is a steaming pile. Personally, it should be taken out the back and shot. Naturally, YMMV. ;)

    2. John Brown (no body) Silver badge
      Unhappy

      Re: Screw you Samsung

      My Galaxy S2 is still on 4.1.2. And that was an upgrade a few years back. It's unlikely to see an upgrade of Android ever again and I suspect the company won't upgrade the phone itself to a newer model unless it dies.

      I predict some clumsiness on my part in the near future. Knowing my luck they have a drawer full of these antiques.

  7. Anonymous Coward
    Linux

    The fragmented Android marketplace :o

    Why all the verbiage, just get straight to injecting the Android fragmentation fud .. instead of the more mundane .. Android vulnerability found and patched.

    1. Anonymous Coward

      Re: The fragmented Android marketplace :o

      The Android fragmentation is the real issue that's why. So Google patched it. Good for them. Not a lot of use to the users of the devices if the patch can't be applied.

  8. Gene Cash Silver badge

    Play installs firmware?

    "Nexus devices are the exception: they can install Google's firmware updates via the Play services"

    Er, no. Not for my new Nexus 6P at least. It installs OS updates through the same OTA mechanism as any other Android phone. The difference between my 6P and anything else is that this comes from Google and not my carrier or device manufacturer.

    You might be confusing it with the fact that Play now updates essential libraries and other large chunks of the OS as well as applications.

    Device manufacturers are just as shit as carriers. My old Moto G got ONE OTA update (to a buggy version of Lollipop) the entire 2 years I had it.

    I bought it because I thought Motorola was working with Google to provide updates and security. I was wrong. (EDIT: I also bought it because it was made in Ft Worth, Texas, and then Motorola closed that and moved the jobs overseas)

    This is why I passed up the Moto X Pure Edition for the twice-as-expensive 6P.

    1. DryBones
      Pint

      Re: Play installs firmware?

      Seems like they need to break Android into 3 pieces: Device Drivers, OS, and Overlays. The device drivers are provided by the manufacturer for their specific hardware, and seldom if ever change. If they need to they can be updated OTA. The OS comes from Google, and is updated OTA. The Overlays come from the carrier, and are routed to dev/null.

      And there was rejoicing all around.

      1. Charles 9

        Re: Play installs firmware?

        Overlays have been around since Lollipop, but they're only now getting carrier and manufacturer attention.

        As for separating the drivers and the rest of the OS, Android N should be a start to this if Google's word is accurate. Drivers can get tricky since they're usually tied to the kernel (due to the architecture; hardware on ARM is usually static rather than dynamic like it is on x86), and if the kernel itself has a problem, this can create a cascade effect.

        And then there's the matter of the manufacturers working in cartel to keep a captive market. Especially now with Android apps increasingly root- and custom-aware.

        And as for choosing Nexus, the main reasons I don't like them are lack of a removable battery (probably the least graceful part of the device to age) and lack of an SD slot.

  9. Frank Leonhardt

    Exploiting this vulnerability is not trivial, as suggested

    Taking advantage of this flaw was supposed to be difficult, with ASLR making it very difficult to deliver a viable payload. However, ASLR was added with 5.0, so is NBG with older devices (and "old" isn't referring to ancient). And anyway, this is no longer the case since North-bit demonstrated a proof of concept:

    http://blog.frankleonhardt.com/2016/android-stagefright-bug-gets-serious/

  10. BinkyTheMagicPaperclip Silver badge

    What is the point of this article, other than as advertising?

    It's stating the obvious. It hasn't changed. It's not going to change without legislation.

    Let's do something useful on mobile phone review scoring out of 10. Take the overall score.

    No commitment for at least three years of patching and Android upgrades (if the phone hardware can handle it) : cost in £100s/divided by £100 multiplied by minus two (£100=-2, £400=-8)

    No unlockable bootloader and rooting capability : -11

    No commitment to provide drivers/developer documentation so third party ROMs can be created for the latest released Android version (after a reasonable timescale) : -11

    Manufacturer has form of lying about upgrades that are perfectly possible, technically : -4

    No removable battery : -3

    Note that doesn't mean they're obliged to enable upgrades to later versions for third parties - provided the latest supported version of Android for that phone can be patched, they get a pass.

    If the score is below zero, the entire review is 'This phone got a score below zero. Only idiots buy phones with a score below zero. Are you an idiot?'

    Of course the current situation, and the 'your non removable battery no longer holds a charge, better buy a new phone' attitude, keeps people on a two year phone upgrade treadmill.

    Google (Nexus) do not get a pass on this one - they only patch phones up to about three years old.

    Note that the Blackberry Priv, which Blackberry said would have news about a Marshmallow update 'in 1Q 2016' have seven days left to tell its users when an upgrade will be arriving.

    Don't trust any mobile phone companies, don't buy an Android phone that can't be unlocked and rooted, and have CyanogenMod applied to it. Going to update my 2012 phone to Marshmallow tonight, as it now has an SELinux enabled build, with official CyanogenMod nightlies not far off. Without that I'd be stuck on insecure ICS.

    1. Charles 9

      Re: What is the point of this article, other than as advertising?

      "Don't trust any mobile phone companies, don't buy an Android phone that can't be unlocked and rooted, and have CyanogenMod applied to it. Going to update my 2012 phone to Marshmallow tonight, as it now has an SELinux enabled build, with official CyanogenMod nightlies not far off. Without that I'd be stuck on insecure ICS."

      And what about the increasing number of apps that don't like running in a rooted or custom ROM environment?

      1. e^iπ+1=0

        Re: What is the point of this

        "And what about the increasing number of apps that don't like running in a rooted or custom ROM environment?"

        Personally I haven't encountered any problems like this with apps; then again I'm not a great app aficionado - I particularly hate websites that nag you to install their app (TripAdvisor is a personal peeve).

  11. Anonymous Coward

    850 million reasons to buy a fruity phone

    1. Anonymous Coward

      ORLY? Let's face it. BOTH iOS and Android have big fat targets on their back. So does Windows, and not even MacOS and Linux are safe. All you can do at this point is live with it. After all, you may just get shot through your bedroom window by a ballistic bullet fired by a drunk shooter several miles away. Pick your poison.

  12. Jeffrey Nonken

    Custom ROMs

    Not for everybody, but some might consider running AOSP or Cyanogenmod. Of course Google Pay and some other apps may not run, as has been mentioned.

    It looks like it's the only way I'm going to get Marshmallow on my S4. Still running 5.0.1. Feh.
