'Over half' of Android devices have unpatched holes

Duo Security is claiming that “over half” of Android devices have unpatched vulnerabilities. The company’s Jon Oberheide says in this blog post that the results come from the first slew of users of the company’s X-Ray Android vulnerability scanner. Promising to announce detailed results on Friday (September 14) at the Rapid7 …

COMMENTS

This topic is closed for new posts.
  1. Smokey Joe
    Mushroom

    Only half?

    ALL operating systems have unpatched holes. Always.

    1. Anonymous Coward
      Anonymous Coward

      All?

      Including Linux? Oh wait...

      1. RICHTO
        Mushroom

        Re: All?

        Most Linux OSs are about as secure as a paper bag with zillions of vulnerabilities. It's not exactly news.

        1. Anonymous Coward
          Anonymous Coward

          Re: All?

          >>Most Linux OSs are about as secure as a paper bag with zillions of vulnerabilities. It's not exactly news.

          You must be new here.

          That's not a popular sentiment in these here forums. The Register operates under the rather shaky premise that Linux is God, and any criticism, even if it's warranted, is dealt with harshly.

          1. RICHTO
            Mushroom

            Re: All?

            Well this is a news forum - don't people read about the endless succession of Linux based websites being hacked? Enterprise Linux distributions are much less secure than Windows in terms of number of vulnerabilities, and have been every year since 2003.

            This is why you are so much more likely to be hacked if you run a Linux based server than a Windows one. Windows was designed from the bottom up to be secure - whereas with Linux it is only via bolt-on afterthoughts like SEL, full ACLs being an add-on, etc, etc.

            http://www.zone-h.org/news/id/4737

  2. nuked
    Facepalm

    This article...

    ...was clearly written once home from the pub.

    1. Frumious Bandersnatch Silver badge

      Re: This article...

      Looks like the "write once, read never" approach. Makes me wonder why I bothered.

      And yes, I did use the "send corrections" link.

    2. Mike Judge
      FAIL

      Re: This article...

      .... By a butthurt Apple fanboy who is feeling angry that the iphone5 is a massive fail that's 8+ months behind other key players

  3. Kevin McMurtrie Silver badge
    Thumb Down

    Shut up and pay

    Apple managed to take a lot of power from the telcos with the first iPhone but most customers still don't control the very phone they pay so much for. The mix of Google, Samsung, and Sprint screwing with the software has made my Galaxy S2 unreliable at best. Now I'm one of the many getting stuck in roaming mode without service. Me repeatedly sending it in for warranty repairs is more of a protest than a way to make any actual progress.

    1. Geoff Campbell
      Linux

      Re: Shut up and pay

      There is an easy, quick answer:

      http://www.cyanogenmod.com/devices/samsung-galaxy-s2

      GJC

      1. Anonymous Coward
        Anonymous Coward

        Re: Shut up and pay

        *sigh* just because you can tinker with your Android smartphone and put the latest custom firmware on there doesn't mean the average punter on the street can or wants the hassle of doing it. I've got an Android tablet and smartphone and the update situation is an absolute mess. I've had to put custom firmware on my phone due to Ice cream sandwich being promised then failing to materialise and as for the tablet that was abandoned with Gingerbread even though Honeycomb had been out for some time.

        Google need to take the Apple approach and try and get more power off the networks for the updating of their devices

        1. Anonymous Coward
          Anonymous Coward

          Re: Shut up and pay

          It's nothing to do with Google. The whole Android "takeover the world" strategy is to give the software away and just licence a few things like Google applications and their application store.

          It's the OEMs who feel the need to customise the OS and extend it. If they used stock Android it could be upgraded easily.

          1. Anonymous Coward
            Anonymous Coward

            Re: Shut up and pay

            Oh hells yes, stock Android is so much nicer than HTC, Samsung or Sony's crufty "enhancement".

        2. Geoff Campbell
          Linux

          Re: Upgrades

          "*sigh* just because you can tinker with your PC and put the latest version of Windows on there doesn't mean the average punter on the street can or wants the hassle of doing it."

          It's a computer that can make and receive phone calls, not a phone. You want a phone, get a 6310i, it does the job *much* better. As it's a computer, the OS is upgradeable.

          Yes, not everyone will want to do this. But the option is there if you want to take control and step out of what you see as a problematic situation.

          GJC

          1. Test Man

            Re: Upgrades

            Geoff Campbell - except the OS ISN'T upgradeable UNLESS the carriers approve of the update. It's nothing like Windows or Linux or Mac OS X - the updates in most of these Android devices have to be approved by the manufacturer. Can you imagine if Dell, HP, etc. had to approve every single Windows update? It'd be a total mess, but Android phones work in this way, unfortunately.

            What we need is a mobile OS where the OS is completely separate from the manufacturer's stuff, so it'll be upgradeable by Google when they release it.

            1. Geoff Campbell
              Boffin

              Re: @Test Man

              I just provided the link to the solution to that problem. Most phones can get stock Android with no manufacturer or operator cruft on.

              Yes, I agree, the first-time installation is not as simple as, say, Windows 7, but there are step by step guides provided. Once you've done the first one, upgrading is generally just a matter of copying a zip file onto the phone, rebooting, and selecting the "upgrade me!" option from the menu.

              GJC

          2. Dave 126 Silver badge

            Re: Upgrades

            > You want a phone, get a 6310i, it does the job *much* better. As it's a computer, the OS is upgradeable.

            I both agree and disagree with Mr Campbell.

            Many people don't WANT a pocket computer (though I do) but they do want a pocket device that goes on the internet and plays Angry Birds. Something I have heard many times from the less IT savvy is that they don't like the way "things keep bloody changing as soon as I've just got used to them!" (Apple seems to know this, iOS and OSX look roughly like they always have done)

            Technically, I'm sure Mr Campbell is correct - it's self-evident that securing a smartphone is a far bigger challenge than securing a fine old 6210i - though it is itself a connected computer.

            That said, my advice to old boys in the pub inquiring recently about getting a smart phone is: stick with your clamshell phone with big buttons and buy an [Android- 'cos of the price] 3G tablet (no long term contract) for checking the cricket scores and emailing grandchildren, and as a general email option for when your laptop starts playing silly buggers again. (This isn't a generalisation of the abilities of my senior fellow drinkers, but based on specific individuals talking about their eyesight, fingers and what they might want such a device for). Any input from Reg readers- or even a Reg article- on this subject would be appreciated.

            Cheers

          3. RICHTO
            Mushroom

            Re: Upgrades

            With Windows, patching to the latest version is automatic though.

      2. Anonymous Coward
        Anonymous Coward

        Re: Shut up and pay

        And Oxygen-ROM is very good if you have say an older HTC and need to get to the Land of Gingerbread ASAP.

        According to my fuzzy memory I used Clockworkmod/UnRevoked to root it first.

        http://forum.xda-developers.com/wiki/Oxygen_ROM

        http://download.oxygen.im/roms/

        And apparently some crazies are trying ICS on HTC Desire.....

        http://pinappu.hubpages.com/hub/HTC-Desire-Update-with-Android-Ice-Cream-Sandwich-ICS-or-Android-40

        be interested to know how well that works.

      3. Anonymous Coward
        Anonymous Coward

        Re: Shut up and pay

        My HTC desire has never been better since I went with cyanogen mod. It wasn’t bad in the first place, but the lack of usable RAM was a problem once you installed a few apps. I expect HTC thought they had all bases covered and you wouldn’t need more than a couple of toys to add...

        looking forward to my Samsung Galaxy note 2

  4. Eric Hood

    This is one of the reasons I now use an iPhone. I am no longer held hostage by inept or indifferent carriers. My previous Nokia smartphones not receiving timely updates still irritates me.

    1. Anonymous Coward
      Anonymous Coward

      Hostage?

      "This is one of the reasons I now use an iPhone. I am no longer held hostage by inept or indifferent carriers."

      Correct! You're now being held hostage by the manufacturer of your iDevice.

      1. Eric Hood

        Re: Hostage?

        There is some truth in that because of app store lock in though I am extremely happy with my iPad so my App purchases can be used there. If I decide to buy something else.

        I was interested in the LG Optimus Vu as much as an eReader as a phone but it is not being released in Australia. I have certainly not been irritated by little things like I was on my previous Nokias.

        I have a phone that works and does what I want, it will be tough to make me switch from that now.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hostage?

        Who provide two years of updates, twice as long as Android devices.

      3. Anonymous Coward
        Anonymous Coward

        Re: Hostage?

        You're now being held hostage by the manufacturer of your iDevice.

        not only are they holding you hostage, but they have you by the balls and if you think about upgrading to a non i device they start to squeeze !!! just look at how much of a pain it is to transfer your contacts, apps and media.. your fruity friends will just find it less of a hassle to add a "s"

        at least with an android device you can switch manufacturer as and when without too much difficulty....

        1. Eric Hood

          Re: Hostage?

          There will not be much pain at all if I decided to switch from the iPhone.

          My music, ebooks, audiobooks are all in formats that can be read by other software. The files are organised and easy to search. Finally for media Apple allows anybody to use the iTunes library with their phone syncing app they are not allowed to make their phone use iTunes directly like Palm was doing. Nokia have been doing that for years. I used to sync iTunes playlists to my N95 and N8 all the time.

          Contacts. I have no problem syncing my address book contacts with my earlier Nokias in the past and do not think it will be a problem in the future. I gave away my N8 because it is a piece of rubbish and kept my N95 which is my emergency backup phone. I have not synced contact changes for a couple of months but will do so soon.

          My contacts are duplicated in my Address book and in my Outlook address book, any new phone will be able to work with one of those applications.

          There is only as much lock in as you want there to be, in my case bugger all.

    2. chris 17 Silver badge
      Thumb Up

      That's exactly why I bought my iPhone. I was fed up with not being able to update the firmware to fix the bug because 3 hadn't bothered to authorise it!!

      1. Wize

        Didn't Apple drop support on older phones?

        Phones that people were still locked into using as they got them new with a 2 year contract. No patches for existing customers there either.

        1. PJI
          Thumb Down

          Re: Didn't Apple drop support on older phones?

          No. Not unless the 3G is less than two years old.

        2. My backside

          Re: Didn't Apple drop support on older phones?

          No, you're wrong. The only ones not supported had contracts that expired years ago. Get your facts straight, if you can.

  5. Christian Berger

    This is why you want to separate hardware from software and both from operators

    I mean if there was a decent stable hardware platform for mobile phones, you could simply take a boot medium of your favourite operating system, in the version _you_ want, and install it. Alternatively the phone could boot from SD-card.

    It's just not feasible having to port your operating system to every hardware platform, and outsourcing that work to the hardware manufacturers has been proven to be a bad idea. They have no interest in maintaining support for their older devices.

    So at least do it like CP/M did it, have a common "BIOS", a layer of software, in ROM, which handles input and output for basic features like setting the correct mode on the LCD or accessing flash and SD or the GSM subsystem or USB. Then have something to enumerate the rest of the hardware.

    1. Charles 9 Silver badge

      Re: This is why you want to separate hardware from software and both from operators

      Well, if not the OS maker, and not the device makers (who would have the most knowledge of the device), and not the community (which can't be trusted), then who codes the modules? In the meantime, device makers intentionally use different hardware to differentiate themselves from the competition. As Android relies on an open hardware model (in contrast to Apple which runs a closed integration model), it becomes a tradeoff, and it's one that's rather difficult to solve to everyone's satisfaction. Yes, even to the average consumer since even what "just works" varies from person to person.

      1. Christian Berger
        WTF?

        I see your fault

        "and not the community (which can't be trusted)"

        Why shouldn't I trust the community? So far communities like Debian have done an amazing job.

  6. Anonymous Coward
    Devil

    What is the real badge of an utter fool?

    1. Dave 126 Silver badge

      I dunno.... 'NATAS' self-tattooed across their forehead?

      I give up, why don't you tell us?

  7. Anonymous Coward
    Anonymous Coward

    But you need the vulnerabilities

    Without the holes, you'd have trouble rooting the phone to remove the crapware.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: But you need the vulnerabilities

      Right! Being vulnerable to Gingerbreak is a feature, not a problem.

      I think vendors are missing a trick not selling multiple versions of their phones. They could target those customers who "just want a phone" (whatever that means) by giving them a closed system that does whatever updates and security it does completely outside the customers' view. The same phone could be sold as an open version of the same; complete control is given to the owner. Or is there such a marketing plan - of which I am unaware - already out there?
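Gingerbreak is a good illustration of how a scanner such as X-Ray has to reason about "unpatched": the hole lived in a system daemon (vold) and was closed upstream in a specific release, so the first question is whether the device's build is before or after that release. The following is an added example, not Duo's code and not anything posted in this thread: it parses a `getprop` dump (the sample dumps below are constructed) and compares `ro.build.version.release` against the release ranges in which the stock code was affected (2.x before 2.3.4, and 3.0, per the public advisory for the vold bug). The `FIX_TABLE`, the sample dumps and every function name are this example's own. The caveat a practitioner wants is in `build_notes`: OEMs backport fixes without bumping the release string, and custom ROMs are signed with the AOSP `test-keys`, so a version check is triage only and a definite answer needs the affected binary inspected on the device.

```python
"""Version-range triage for a version-fixed Android root hole (added example).

Parses `getprop` output and asks whether the build's release string falls in
a range in which the stock code was vulnerable. This is deliberately only a
first pass: OEM builds may have backported the fix without changing the
release string, and custom ROMs may report any string they like.
"""
import re

# getprop prints one '[key]: [value]' pair per line.
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Holes keyed by name, with [affected, fixed) release ranges for the stock
# code. Gingerbreak abused vold's netlink message handling; public advisory
# data puts the affected releases at 2.x before 2.3.4, plus 3.0.
# Add further entries only once you have verified the fix release yourself.
FIX_TABLE = {
    "Gingerbreak (vold netlink)": [("2.0", "2.3.4"), ("3.0", "3.1")],
}

# Constructed sample dumps (not captured from real devices).
SAMPLE_VULNERABLE = """\
[ro.build.version.release]: [2.3.3]
[ro.build.version.sdk]: [10]
[ro.build.fingerprint]: [oem/device/device:2.3.3/BUILD1/1001:user/release-keys]
[ro.build.tags]: [release-keys]
"""
SAMPLE_PATCHED = """\
[ro.build.version.release]: [2.3.4]
[ro.build.version.sdk]: [10]
[ro.build.tags]: [release-keys]
"""
SAMPLE_CUSTOM_ROM = """\
[ro.build.version.release]: [2.3.7]
[ro.build.version.sdk]: [10]
[ro.build.tags]: [test-keys]
"""


def parse_getprop(dump: str) -> dict:
    """Turn getprop output into a {key: value} dict; malformed lines are skipped."""
    props = {}
    for line in dump.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def version_tuple(release: str) -> tuple:
    """'2.3.3' -> (2, 3, 3). Tuples compare element-wise, so (2, 3) < (2, 3, 4)
    < (2, 3, 10); a plain string compare would get '2.3.10' < '2.3.4' wrong.
    Trailing letters (e.g. '4.4W') are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", release.strip())
    if not m:
        raise ValueError(f"unparseable release string: {release!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def in_affected_range(release: str, ranges) -> bool:
    """True if lo <= release < hi for any (lo, hi) pair in ranges."""
    v = version_tuple(release)
    return any(version_tuple(lo) <= v < version_tuple(hi) for lo, hi in ranges)


def assess(props: dict) -> dict:
    """{hole name: True if the release string is in an affected range}."""
    release = props.get("ro.build.version.release", "")
    if not release:
        return {hole: None for hole in FIX_TABLE}  # unknown: nothing to compare
    return {hole: in_affected_range(release, ranges) for hole, ranges in FIX_TABLE.items()}


def build_notes(props: dict) -> list:
    """Why the verdict above must not be taken as final on this build."""
    notes = []
    if "test-keys" in props.get("ro.build.tags", ""):
        notes.append("signed with test-keys: custom/engineering build, "
                     "release string is not tied to a vendor release")
    if "release-keys" in props.get("ro.build.tags", ""):
        notes.append("vendor build: fix may be backported without a version bump, "
                     "confirm by inspecting the affected binary")
    return notes


if __name__ == "__main__":
    for name, dump in [("vulnerable", SAMPLE_VULNERABLE),
                       ("patched", SAMPLE_PATCHED),
                       ("custom ROM", SAMPLE_CUSTOM_ROM)]:
        props = parse_getprop(dump)
        print(name, assess(props), build_notes(props))
```

Two design points: the verdict and the caveats are returned separately so a caller can treat "in affected range" as a reason to look closer rather than as a finding, and the comparison works on integer tuples because release strings are not safely comparable as text once a component reaches two digits.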

    2. RICHTO
      Mushroom

      Re: But you need the vulnerabilities

      Crapware on a phone? Yuck. Glad I use WP.

  8. toadwarrior

    Over half is a polite way of saying all of them.

    Android and malware go together like fat people and donuts.

  9. geekclick

    Unbranded...

    My Droids have always been unbranded non carrier specific jobbies, I get firmware updates fairly quickly.... but then I am still tied to the device manufacturer so before the fanbois jump in and point that out, it makes you no better than me...

  10. Drefsab

    I'm glad

    I'm glad such exploits existed because without them people would have had a harder time gaining root on their android phones, no root would mean no custom roms which would mean you would be stuck depending on your carrier to push out an update and hoping their own junk they throw in doesn't slow you down too much or break much.

    For all those iSheep who might prattle on about how the iPhone doesn't have such things, how do you think iPhones are jailbroken? Oh right, people exploit a vulnerability in iOS. Every operating system has weak points no matter who makes it and without them at the moment we wouldn't have the freedom we currently have with our own devices.

    1. Jean-Paul

      Re: I'm glad

      Of course there are holes in everything, there is a big difference though with holes that only work when you have physical access to the device compared to those that do not. And the lack of patching is not just regarding security holes, for most functionality patches, or timely upgrades for additional functionality would be fine as well.

      It is a shame that many of the carriers and also the phone manufacturers shoot themselves in the foot with unnecessary personalisation to differentiate themselves. It makes it hard and systems become unsupported way too quickly.

  11. Giles Jones Gold badge

    Some positive spin on the problem: The freedom to have your device rooted. The hole in the wall of the garden etc.

  12. Anonymous Coward
    Anonymous Coward

    Carriers don't care, Nothing new, I'm a Nexus user.

    I guess the only way to fix this issue is to get the EU to make it unlawful to abandon products still in their intended life-cycle.

    Sometimes the EU can be helpful.

    1. Gio Ciampa

      Re: Carriers don't care, Nothing new, I'm a Nexus user.

      In theory I tend to agree... but whose life-cycle?

      The manufacturers? (Very short - so they can sell you the next latest and greatest 5 minutes after you've bought it)

      The operators? (Very long - so you keep paying them through the nose for all eternity if at all possible)

  13. Fuh Quit
    Pint

    This is why we went Good

    Apple has done some good things with OTA iOS updates but you're still (as posted earlier) confined to running an OS with weaknesses baked into them.

    In a way, at least you can guarantee that an iOS device has the same flaws as all of the other ones. Apart from, that is, the ones no longer getting updates.

    Your personal data is mostly your problem, we're protecting corporate data in a way we're happy with. And I guess now we'll have to strike off the chance for someone to use an iPhone 3GS as it's orphaned from this week on....

    Relax, have a beer. It isn't going to get any better. You're always relying on someone else.

    And I'm surprised that this article hasn't managed to get the trolls out, it seems that might have been part of the motivation in writing it....

    1. Dave 126 Silver badge

      Re: This is why we went Good

      >And I'm surprised that this article hasn't managed to get the trolls out,

      I too have been pleasantly surprised by the maturity of this thread... except for Drefsab who is seeing 'iSheep' (what ever they are) where there aren't any...

  14. PoiuyTerry
    Meh

    Better get the iPhone 5 then.

    I suppose, thanks for saving me theReg!

  15. Chris Clawson
    FAIL

    Too many middlemen

    My phone came with Froyo (2.2) and we were promised an upgrade to Gingerbread (2.3) by LG. It took them 9 months to deliver, plus another 7 months for my carrier to add its bloatware and make an OTA update. I'm glad I only waited about 2 months before getting Gingerbread with CyanogenMod.

    The weird thing is, LG had a minor update ready at the time, but it wouldn't install. LG was at a loss as to why it wouldn't work.

  16. Parax

    To anyone saying Apple is the answer..

    ...It isn't!

    Nexus is the answer, proper fully patched Android.

    The only way to get updates is to cut out the toss pots who can't be arsed. This is not a Google problem, it's a vendor and carrier problem.

    The more layers you add the worse the support gets. Google are good at fixing the OS, the Vendors are worse than Google but better than Carriers.. the lower you go down the pyramid the worse the problem gets.

    1. Anonymous Coward
      Anonymous Coward

      Re: To anyone saying Apple is the answer..

      the sooner Google Layerise Android the better. So that you can Update The Droid Core without changing the Vendor Drivers Layer or the Carriers Spam Layer. then the vendors/carriers can independently update their layers as they see fit.

      1. Anonymous Coward
        Anonymous Coward

        Re: To anyone saying Apple is the answer..

        Are You A Man From Mars?

      2. RICHTO
        Mushroom

        Re: To anyone saying Apple is the answer..

        You mean ditch that legacy monolithic kernel and move to a hybrid microkernel architecture with layered everything and fully modular? (Like Windows)

    2. pewpie
      Trollface

      Re: To anyone saying Apple is the answer..

      You're forgetting the one big security hole in iPhones/iFads/iPlods.

      iOS.

  17. Anonymous Coward
    Anonymous Coward

    World-class!

    "'Over half' of Android devices have unpatched holes".

    Compared to 100% of Windows devices. Not so bad, after all; if you buy an Android device you have a fighting 50% chance that it's secure.

    1. RICHTO
      Mushroom

      Re: World-class!

      Actually, zero exploitable vulnerabilities so far in Windows Phone. Versus at least 300 in iOS and god knows how many in Android.

      As per all of Microsoft's other current OSs - they have far fewer vulnerabilities than the competition.

      1. Anonymous Coward
        Anonymous Coward

        Re: World-class!

        "Actually, Zero exploitable vulnerabilities so far in Windows Phone..."

        I didn't say anything about Windows Phone. (Does anyone buy that anyway?) I was talking about Windows. In the news this morning:

        http://www.independent.co.uk/life-style/gadgets-and-tech/news/microsoft-admits-millions-of-computers-could-be-infected-with-malware-before-theyre-even-out-of-the-box-8139437.html

        1. RICHTO
          Mushroom

          Re: World-class!

          Current Windows versions also have far fewer vulnerabilities than say OS X or enterprise Linux distributions.

          Pirate copies of software being also trojaned is hardly a Windows only issue. Just look at the Android market.

  18. Hagglefoot
    Meh

    And thats why Apple wins

    Like many a phone user I dipped my toes in the Android world only to find on three separate occasions that the gap between Google, carrier and vendor is very wide.

    In each case the fault was down to patching updates not being released by the carrier because they had not yet redeveloped and tested their version on the base level OS or patch.

    At which point it's now time for a phone upgrade. So the issue never gets fixed and the phone goes to recycling.

    And this is why iPhone wins, it's one OS and one lot of patch notes and only one interface for which if there is a frustrating bug you're not on your own or pending a separate vendor patch or fix.

    The vast majority of customers like simple one stop shopping and user experience to do their job, so until Android says no to vendor/carrier fiddles with the OS and makes them add-on apps instead, meaning that the base OS can always be patched directly without having to do some sort of jailbreak to load the latest OS; then I'm afraid as people tire of the experience they eventually, even through iPhone hand-me-downs, move to the Apple experience.

    And once you have had a bite of the apple there is no going back. I'm afraid to say that this is the hook which costs the extra bucks that eventually people end up willing to pay.

    1. Charles 9 Silver badge
      Unhappy

      Re: And thats why Apple wins

      "The vast majority of customers like simple one stop shopping and user experience to do their job, so until Android says no to vendor/carrier fiddles with the OS and makes them add-on apps instead, meaning that the base OS can always be patched directly without having to do some sort of jailbreak to load the latest OS; then I'm afraid as people tire of the experience they eventually, even through iPhone hand-me-downs, move to the Apple experience."

      And that will never happen. Android, unlike Apple, has no glamour. The carriers know that the iPhone series is the most sought-after mobile phone, full stop (sure, Android has more overall penetration, but it's spread out among several manufacturers, none of which approach Apple's single-vendor penetration). They have the allure that makes people buy them way over cost, imperfections and all. In a fantasy world, that would be considered glamour: the ability to alter the perception of the people around you. None of the other carriers have that kind of draw, which means the carriers can always walk away and pick company B instead. Indeed, until the iPhone, North America wasn't really that interested in smartphones, so that should give you another idea as to the singular power of Apple in the phone market. No other company can dictate terms to the carriers because no one wants to be without the iPhone.

  19. h3

    You don't need root for a custom rom. (I would rather the holes be closed).

    Unlocked Bootloaders are the important thing at least then you get the option to fix it if you want. (Regardless of anyone else).

    (If you want to leave it unrooted you can fastboot boot clockworkmod and then apply the patched files to /system). (You are not likely to get a system with an unlocked bootloader that won't let you mod files in /system because you can replace the lot if you need to).

    I agree with getting a 6310i; problem is it is difficult to buy one these days that is not eBay seller refurbished (i.e. using lots of junk 3rd party parts).

    (I use a 6230i and a few Android Devices. The Nokia is streets ahead when it comes to bluetooth and being a good phone with good battery life).

  20. Anonymous Coward
    Anonymous Coward

    6310i

    Nah, you want a 3310.. those beasties are indestructible.

    I have three here, the problem is the batteries are made of 24 carat unobtanium flangium oxide and you can't even get broken ones to recell.

    I did look into retrofitting them with a little casing 3D printed with a MAX1555 to take a Nokia BL5C or 5B as those are slightly easier to find.

    The phone works stably up to 4.8V so it is quite happy to run on a fully charged lithium but charging could be a problem.

    Not so sure about the GSM though, that is due to be shut down due to the switch to 4G as it overlaps with the frequencies.

    I did also work out how to add Bluetooth to such a dinosaur using the extra space in the battery compartment, and use the display as a wifi signal meter.

    1. Anonymous Coward
      Anonymous Coward

      "24 carat unobtanium flangium oxide"

      Upvoted for knowledge of materials science, have to try to remember that one...

  21. David 155

    re: 6310i

    Sounds like you have too much time on your hands.

  22. Anonymous Coward
    Anonymous Coward

    So the choices are

    1) be assimilated into the collective and feel a false sense of smugness because you think Apple are secure, or

    2) live with a "version" of android that no one controls. Hmmm.

    Or of course Windows phone!


Biting the hand that feeds IT © 1998–2020