www. O S N E W S .com
How Android phones hide missed security updates
By Thom Holwerda, submitted by emmzee on 2018-04-12 22:42:51

Google has long struggled with how best to get dozens of Android smartphone manufacturers - and hundreds of carriers - to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.

On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period - leaving phones vulnerable to a broad collection of known hacking techniques.

Android is a mess.

There is an answer to this...
By leech on 2018-04-13 17:24:29
If Android had just stuck with how Linux distributions do things, with a nice auto update of all components (including underlying ones), then allow a 'dist-upgrade' for when new releases are made.

Manufacturers could have then added third party repositories for their own add-ons.

Even Windows 10 is more versatile in its update process than Android is.
Permalink - Score: 0
.
RE: There is an answer to this...
By darknexus on 2018-04-13 20:16:53
Oh sure, and when the end-user was faced with:
Sub-process returned status code:3
Errors encountered while processing package

Yeah, great idea. Not!
Permalink - Score: 0
.
RE[2]: There is an answer to this...
By leech on 2018-04-13 20:24:07
> Oh sure, and when the end-user was faced with:
> Sub-process returned status code:3
> Errors encountered while processing package
>
> Yeah, great idea. Not!


Ha, I've only ever seen that when running something that is bleeding edge. You'd run something like RHEL or Debian phones. Something that gets 5+ years of security support.
Permalink - Score: 1
.
RE[2]: Google response
By grat on 2018-04-13 21:45:15
> Is this the Intel school of security fixes? "We don't need to fix it because everybody is aware of it now."

That's not even the Intel policy, so why would it be the Android policy?
Permalink - Score: 3
.
RE: There is an answer to this...
By grat on 2018-04-13 21:47:50
... and who exactly maintains these repositories?

Who updates the device drivers?

Who makes sure that update "X" doesn't interfere with update "Y"?

Who handles the error reports?
Permalink - Score: 5
.
Really it's not just Android.
By oiaohm on 2018-04-13 22:23:52
Start reading the number of quirk workarounds Linux wifi drivers have for defective wifi card firmware or EFI implementations...

The reality here is once a product is out the door, the maker of the product in many cases wants to cease support. Worse, the problem starts at the individual parts suppliers and at every step along the line.

So Google making a new OS will not fix this, particularly with a highly permissive license. I have not seen how they are going to address this problem.

When you understand the problem, demanding that as much as possible is open source and third-party maintainable is really the only way. Of course this puts you head to head with FCC and others.
Permalink - Score: 5
.
Will probably never buy Android again
By IndigoJo on 2018-04-14 16:01:56
After spending more than £500 for an LG phone (the G6) last year and still waiting for the upgrade to Android Oreo, I don't think I'll ever buy another Android again. I'll keep using this until the time is right to buy another iPhone, which has the advantages of being upgraded whenever the new OS comes out and being made by a tech company, not a data company which is always bugging you for free contributions to its database (e.g. asking you to review shops, restaurants etc). I used to use CyanogenMod on my older phones, but Android Pay won't work with an unlocked bootloader.
Permalink - Score: 0
.
A big task, but not complete
By jido on 2018-04-14 19:47:02
The work they did is impressive, but I am sad Blackberry phones were not included since Blackberry pride themselves with releasing timely Android updates... I guess they really aren't mainstream nowadays.

Edited 2018-04-14 19:47 UTC
Permalink - Score: 3
.
RE: Will probably never buy Android again
By Vistaus on 2018-04-15 09:32:36
While I agree with you that a lot of manufacturers don't always deliver promised upgrades, in this case you can't really blame LG as Oreo is seriously bugged. Would you want them to upgrade you to an OS version full of bugs? You've seen what happened to some iPhones when Apple released a few buggy software updates throughout the years...
Permalink - Score: 2
.
RE[4]: Android is a mess.
By zima on 2018-04-15 17:27:56
It's easy and fashionable to be cynical. But places with functional governments are generally nicest to live in, and you wouldn't want to live in places with barely functioning or nonexistent gov...
Permalink - Score: 3

© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.