It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can Google has emitted security fixes for Android that should be installed, should you get the chance, as they can be potentially exploited to hijack devices. The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, …
I wonder what proportion of phones out there are in this position (mine is on 5.0.1 as well), and are being used for purposes such as mobile banking and two-factor authentication? Stating the obvious, I suppose, but I bet there is a significant number of people who are wide-open to abuse and don't realise it.
Coincidentally, I note that Signal are rolling out an update that allows previewing of URLs in a message. I think I'll make sure that's turned off and carry on copying the URLs to view elsewhere.
> My bank is obsoleting OTP tokens and forcing all customers
> to use or the banking app or SMS.
Can't you visit the local branch?
;-)
My bank is phasing out SMS in favour of their app (you need to point the mobile at the banking-screen, which shows some kind of flicker-code, IIRC, and then the mobile shows a code that you have to enter into the form on the website).
SMS still works - but I've got no idea for how long.
They have the older, original mobile app that works without SMS but seems to use some sort of private key on my phone for authentication.
Apparently, because of the wide spread misuse of SIM-swaps, SMS is no longer considered secure.
Can't you visit the local branch?
Obviously use cases and bank affordances vary widely, but I've never done any banking on my phone. I do a fair bit online using a regular browser (locked down, non-privileged account, etc) from my personal laptop, and I do some via branches. My bank is a credit union, so it still invests pretty heavily in retail banking, including branches, unlike the for-profit banks.
Lots. This is one reason why I will not install banking apps on my mobile.
Same here. No store apps either. Mine is a phone, address book, and notepad (and Frozen Bubble for those times I'm stuck waiting someplace). And some music to play through VLC (screen is too small to use for video, or reading). Consdering my 5yr old Moto Droid is still on 4.4, probably a wise idea.
Consdering my 5yr old Moto Droid is still on 4.4, probably a wise idea.
LineageOS for Moto Droid Maserati
M.
Which isn't what I am seeing
Oh, well, clearly your experience is definitive.
If we're going to trade dueling anecdotes: I've had several Android devices, from well-known manufacturers, and only one has ever received OTA OS updates. And it's been a while since that one has.
Google's reliance on carriers to distribute updates is a bullshit mechanism that has failed most users.
Perhaps you should avoid £50 phones?
Android supports over 10,000 different device models and form factors. Apple support a handful. There is no way this is Google's issue, it's 100% manufacturer and carrier, compounded by idiot consumers like yourself that don't vote with their wallet, and continue to buy tat, and cry about the tat not being well supported.
Certainly anything from Samsung anyway. They have corporate amnesia about most of their devices from around six months from first release for many of them... But then I've yet to figure out quite they need so many models.
Case in point: Samsung phone bought last November. Security patch level: 1 November 2018.
And, unfortunately, devices running on old security updates are very common. Again with the anecdotes, but a friend of mine has two tablets that she uses very frequently, both of which are still on version 4.3*. My only hope is that they are too old to run the newest malware. She is, at least, a sharp person who will probably spot most scams, but it is still unpleasant to think of those things online in 2019.
*Neither received a single update of any kind.
Regrettably my S5 has had one security patch since I bought it. I'm not holding my breath.
I know Samsung et al like customised ROMs so they can throw bloatware in it, but FFS, after x years of never using their "added-value apps" surely they can let go and allow Google to push out vanilla ROMs c/w patches.
Gotta give credit where's it's due. I have a Sony Xperia (XZ Premium from June 2017) and a week or so ago got the firmware update to the January 2019 security patch level. I started on Nougat/7.1, then upgraded to Oreo/8.0 and now on Pie/9. It never lagged security patches by more than about two months. My previous Sony handsets also got regular updates, up to and sometimes past two years from launch period.
Sony also publishes publishes build instructions and newer kernels for devices long past their two year support cycle for third parties who want/need to make custom builds
* https://developer.sony.com/develop/open-devices/get-started/supported-devices-and-functionality/
* https://developer.sony.com/develop/open-devices/downloads/software-binaries
Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing.
1st party phone is a Google pixel
2nd party phone is a network SIM free phone
3rd party is a network provider phone.
You are at the mercy of 3 tiers of companies. There is clearly nothing wrong with Android if some models get these patches every month, and many do. Not just Google phones. Do your beef is with the lower tiers in your support pyramid.
I would also get you are blissfully unaware of Google Enterprise program that mandates updates for 3 years and withing 90 days of Google's release. Only an idiot would shop for phones that aren't on that list when they cared about updates..
All the indicators are that the YOU are the problem.. you are an uneducated plebs that didn't bother doing any research about how your phone is supported before buying it.
"Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing."
Thanks for the compliment.
"1st party phone is a Google pixel"
That involves paying google a bunch of money, buying a hideously overpriced device, getting the wonderful extra google spyware unless I flash it, in which case there is no support... No thanks.
"2nd party phone is a network SIM free phone"
Sure, that is always nice to have. Some networks will make it a terrible pain to get one of those onto their network in the first place. Or maybe the person concerned got the phone from someone else, either an employer, as a gift, or from a previous owner.
"There is clearly nothing wrong with Android if some models get these patches every month, and many do."
Your logic says that there is nothing wrong with [x] if some examples of items in category [x] get good condition [y], with the clear indication that the remaining members don't get good condition [y]? So, in that case, you'd wholeheartedly agree with these statements, then:
1. There is nothing wrong with your car because some of those cars work perfectly well. The fact that it crashed yesterday, injuring the driver because the airbag didn't function properly and putting that pedestrian in the hospital because the brake pedal did not, if you want to be inordinately technical, activate the brakes, was clearly not anyone's fault, or if it was it was your fault.
2. There is nothing wrong with the lunch you had today because some people ate it and survived. The fact that yours, personally, was a little bit contaminated with antibiotic resistant bacteria and so were those of a number of others was clearly a fluke.
3. There is nothing wrong with floors because you can see many people walking on them and being supported just fine. Therefore, you are happy that you are falling through a hole in the floor because there is no problem with the floor over there where you are not right now.
4. There is no problem with Samsung Galaxy note 7s because there were one or two that never exploded. Many others did, resulting in a bit of flames and some injuries, but some didn't, so clearly it was fine.
A little tip, for there to be absolutely no problems with something means that all things in that category must work. That's why nothing is free of problems. Android is not even mostly free of problems.
Nice word dump. Hope you feel better now, I always do after a sit down.
People keep buying Samsung et al, companies with a horrible record of prompt updates, because ooh shiny shiny. It is a computer, they need to put patching higher on their list of priorities. OnePlus, Nokia, refurbed Google devices, all are both affordable and frequently updated.
Companies shift their resources, if longevity is important you must actually make it a priority in your buying decision and keep in mind nothing lasts forever.
This is what happened to me whilst in Redhill town centre. I had my bluetooth on hooked to the car, and then my phone said i was receiving a file called "nursery schedule.png" but my phone's antivirus probably blocked the transfer and the transfer failed and disappeared. I have a 2018 huawei p smart on emui 8.0.... I thought it was a bit shady...
So can we use this exploit ourselves to jailbreak otherwise nailed-shut devices? Like maybe to install a bootloader so you can install a current and supported version of LineageOS on it?
I would like that, as I have a 'landfill tablet', abandoned by its retailer, that I would like to bring up to date. It is currently running Android 5.1 (Lollipop) with Linux kernel version 3.10.62
Sadly, it is probably using all sorts of nasty binary firmware blobs in the hardware drivers, which will be incompatible with any reasonable update. One of the benefits of Project Treble Bettershark,Ars Technica is meant to be reducing such problems in future.
Maybe it's time to retire my 1st. gen Moto G even though it is still working fine. I wouldn't do banking on any phone but I don't want it dialling premium rate numbers.
Any recommendations for a phone that's less than about £150 would be welcome. When I get a new one I'll try loading Lineage on the old one.
My Nokia 5 has just updated itself to Android 9, with January 2019 security updates. I expect the February update will be along soon.
It came with Android 7 installed and updated to 8.1 previously. There's a slightly improved model now, but I think it's still around £150, SIM-free.
“The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it.”
Why is this kind of thing still happening in the year of Ano Domini 2019, Anno Hegirae 1440, Common Era 2019.
SMS still works - however, I have no idea for the length of time. Apparently, as a result of the broad spread manipulation of SIM-swaps, SMS is now not considered stable. My bank is currently phasing-out SMS in preference of these program (you want to tip that the phone at the banking-screen, which shows some type of flicker-code, IIRC, and the phone shows a code you must input in the shape on your web site ). They've the old, original cell program which works without SMS however generally appears to make use of some type of private key in my mobile for authentication.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
