
Only half?
ALL operating systems have unpatched holes. Always.
Duo Security is claiming that “over half” of Android devices have unpatched vulnerabilities. The company’s Jon Oberheide says in this blog post that the results come from the first slew of users of the company’s X-Ray Android vulnerability scanner. Promising to announce detailed results on Friday (September 14) at the Rapid7 …
>>Most Linux OSs are about as secure as a paper bag with zillions of vulnerabilities. It's not exactly news.
You must be new here.
That's not a popular sentiment in these here forums. The Register operates under the rather shaky premise that Linux is God, and any criticism, even if it's warranted, is dealt with harshly.
Well this is a news forum - don't people read about the endless succession of Linux based websites being hacked? Enterprise Linux distributions are much less secure than Windows in terms of number of vulnerabilities, and have been every year since 2003.
This is why you are so much more likely to be hacked if you run a Linux based server than a Windows one. Windows was designed from the bottom up to be secure - whereas with Linux it is only via bolt on afterthoughts like SEL, full ACLs being an addon, etc, etc.
http://www.zone-h.org/news/id/4737
Apple managed to take a lot of power from the telcos with the first iPhone but most customers still don't control the very phone they pay so much for. The mix of Google, Samsung, and Sprint screwing with the software has made my Galaxy S2 unreliable at best. Now I'm one of the many getting stuck in roaming mode without service. Me repeatedly sending it in for warranty repairs is more of a protest than a way to make any actual progress.
*sigh* just because you can tinker with your Android smartphone and put the latest custom firmware on there doesn't mean the average punter on the street can or wants the hassle of doing it. I've got an Android tablet and smartphone and the update situation is an absolute mess. I've had to put custom firmware on my phone due to Ice cream sandwich being promised then failing to materialise and as for the tablet that was abandoned with Gingerbread even though Honeycomb had been out for some time.
Google need to take the Apple approach and try and get more power off the networks for the updating of their devices
It's nothing to do with Google. The whole Android "takeover the world" strategy is to give the software away and just licence a few things like Google applications and their application store.
It's the OEMs who feel the need to customise the OS and extend it. If they used stock Android it could be upgraded easily.
"*sigh* just because you can tinker with your PC and put the latest version of Windows on there doesn't mean the average punter on the street can or wants the hassle of doing it."
It's a computer that can make and receive phone calls, not a phone. You want a phone, get a 6310i, it does the job *much* better. As it's a computer, the OS is upgradeable.
Yes, not everyone will want to do this. But the option is there if you want to take control and step out of what you see as a problematic situation.
GJC
Geoff Campbell - except the OS ISN'T upgradeable UNLESS the carriers approve of the update. It's nothing like Windows or Linux or Mac OS X - the updates in most of these Android devices have to be approved by the manufacturer. Can you imagine if Dell, HP, etc. had to approve every single Windows update? It'd be a total mess, but Android phones work in this way, unfortunately.
What we need is a mobile OS where the OS is completely separate from the manufacturer's stuff, so it'll be upgradeable by Google when they release it.
I just provided the link to the solution to that problem. Most phones can get stock Android with no manufacturer or operator cruft on.
Yes, I agree, the first-time installation is not as simple as, say, Windows 7, but there are step by step guides provided. Once you've done the first one, upgrading is generally just a matter of copying a zip file onto the phone, rebooting, and selecting the "upgrade me!" option from the menu.
GJC
> You want a phone, get a 6310i, it does the job *much* better. As it's a computer, the OS is upgradeable.
I both agree and disagree with Mr Campbell.
Many people don't WANT a pocket computer (though I do) but they do want a pocket device that goes on the internet and plays Angry Birds. Something I have heard many times from the less IT savvy is that they don't like the way "things keep bloody changing as soon as I've just got used to them!" (Apple seems to know this, iOS and OSX look roughly like they always have done)
Technically, I'm sure Mr Campbell is correct - it's self-evident that securing a smartphone is a far bigger challenge than securing a fine old 6210i - though it is itself a connected computer.
That said, my advice to old boys in the pub inquiring recently about getting a smart phone is: stick with your clamshell phone with big buttons and buy an [Android- 'cos of the price] 3G tablet (no long term contract) for checking the cricket scores and emailing grandchildren, and as a general email option for when your laptop starts playing silly buggers again. (This isn't a generalisation of the abilities of my senior fellow drinkers, but based on specific individuals talking about their eyesight, fingers and what they might want such a device for). Any input from Reg readers- or even a Reg article- on this subject would be appreciated.
Cheers
And Oxygen-ROM is very good if you have say an older HTC and need to get to the Land of Gingerbread ASAP.
According to my fuzzy memory I used Clockworkmod/UnRevoked to root it first.
http://forum.xda-developers.com/wiki/Oxygen_ROM
http://download.oxygen.im/roms/
And apparently some crazies are trying ICS on HTC Desire.....
http://pinappu.hubpages.com/hub/HTC-Desire-Update-with-Android-Ice-Cream-Sandwich-ICS-or-Android-40
Be interested to know how well that works.
My HTC Desire has never been better since I went with CyanogenMod. It wasn’t bad in the first place, but the lack of usable RAM was a problem once you installed a few apps. I expect HTC thought they had all bases covered and you wouldn’t need more than a couple of toys to add...
Looking forward to my Samsung Galaxy Note 2
There is some truth in that because of app store lock in though I am extremely happy with my iPad so my App purchases can be used there. If I decide to buy something else.
I was interested in the LG Optimus Vu as much as an eReader as a phone but it is not being released in Australia. I have certainly not been irritated by little things like I was on my previous Nokias.
I have a phone that works and does what I want, it will be tough to make me switch from that now.
You're now being held hostage by the manufacturer of your iDevice.
Not only are they holding you hostage, but they have you by the balls, and if you think about upgrading to a non-i device they start to squeeze!!! Just look at how much of a pain it is to transfer your contacts, apps and media... your fruity friends will just find it less of a hassle to add an "s".
At least with an Android device you can switch manufacturer as and when without too much difficulty...
There will not be much pain at all if I decided to switch from the iPhone.
My music, ebooks, audiobooks are all in formats that can be read by other software. The files are organised and easy to search. Finally, for media, Apple allows anybody to use the iTunes library with their phone syncing app; they are not allowed to make their phone use iTunes directly like Palm was doing. Nokia have been doing that for years. I used to sync iTunes playlists to my N95 and N8 all the time.
Contacts. I have no problem syncing my address book contacts with my earlier Nokias in the past and do not think it will be a problem in the future. I gave away my N8 because it is a piece of rubbish and kept my N95 which is my emergency backup phone. I have not synced contact changes for a couple of months but will do so soon.
My contacts are duplicated in my Address book and in my Outlook address book, any new phone will be able to work with one of those applications.
There is only as much lock in as you want there to be, in my case bugger all.
I mean if there was a decent stable hardware platform for mobile phones, you could simply take a boot medium of your favourite operating system, in the version _you_ want, and install it. Alternatively the phone could boot from SD-card.
It's just not feasible having to port your operating system to every hardware platform, and outsourcing that work to the hardware manufacturers has been proven to be a bad idea. They have no interest in maintaining support for their older devices.
So at least do it like CP/M did it, have a common "BIOS", a layer of software, in ROM, which handles input and output for basic features like setting the correct mode on the LCD or accessing flash and SD or the GSM subsystem or USB. Then have something to enumerate the rest of the hardware.
Well, if not the OS maker, and not the device makers (who would have the most knowledge of the device), and not the community (which can't be trusted), then who codes the modules? In the meantime, device makers intentionally use different hardware to differentiate themselves from the competition. As Android relies on an open hardware model (in contrast to Apple which runs a closed integration model), it becomes a tradeoff, and it's one that's rather difficult to solve to everyone's satisfaction. Yes, even to the average consumer since even what "just works" varies from person to person.
Right! Being vulnerable to Gingerbreak is a feature, not a problem.
I think vendors are missing a trick not selling multiple versions of their phones. They could target those customers who "just want a phone" (whatever that means) by giving them a closed system that does whatever updates and security it does completely outside the customers' view. The same phone could be sold as an open version of the same; complete control is given to the owner. Or is there such a marketing plan - of which I am unaware - already out there?
I'm glad such exploits existed, because without them people would have had a harder time gaining root on their Android phones. No root would mean no custom ROMs, which would mean you would be stuck depending on your carrier to push out an update and hoping their own junk they throw in doesn't slow you down too much or break much.
For all those ISheep who might prattle on about how the iPhone doesn't have such things: how do you think iPhones are jailbroken? Oh right, people exploit a vulnerability in the iOS. Every operating system has weak points no matter who makes it, and without them at the moment we wouldn't have the freedom we currently have with our own devices.
Of course there are holes in everything; there is a big difference, though, between holes that only work when you have physical access to the device and those that do not. And the lack of patching is not just regarding security holes, for most functionality patches, or timely upgrades for additional functionality would be fine as well.
It is a shame that many of the carriers and also the phone manufacturers shoot themselves in the foot with unnecessary personalisation to differentiate themselves. It makes it hard and systems become unsupported way too quickly.
In theory I tend to agree... but whose life-cycle?
The manufacturers? (Very short - so they can sell you the next latest and greatest 5 minutes after you've bought it)
The operators? (Very long - so you keep paying them through the nose for all eternity if at all possible)
Apple has done some good things with OTA iOS updates but you're still (as posted earlier) confined to running an OS with weaknesses baked into it.
In a way, at least you can guarantee that an iOS device has the same flaws as all of the other ones. Apart from, that is, the ones no longer getting updates.
Your personal data is mostly your problem, we're protecting corporate data in a way we're happy with. And I guess now we'll have to strike off the chance for someone to use an iPhone 3GS as it's orphaned from this week on....
Relax, have a beer. It isn't going to get any better. You're always relying on someone else.
And I'm surprised that this article hasn't managed to get the trolls out, it seems that might have been part of the motivation in writing it....
My phone came with Froyo (2.2) and we were promised an upgrade to Gingerbread (2.3) by LG. It took them 9 months to deliver, plus another 7 months for my carrier to add its bloatware and make an OTA update. I'm glad I only waited about 2 months before getting Gingerbread with CyanogenMod.
The weird thing is, LG had a minor update ready at the time, but it wouldn't install. LG was at a loss as to why it wouldn't work.
...It isn't!
Nexus is the Answer, proper fully patched Android.
The only way to get updates is to cut out the toss pots who can't be arsed. This is not a Google problem, it's a vendor and carrier problem.
The more layers you add the worse the support gets. Google are good at fixing the OS, the Vendors are worse than Google but better than Carriers... the lower you go down the pyramid the worse the problem gets.
"Actually, Zero exploitable vulnerabilities so far in Windows Phone..."
I didn't say anything about Windows Phone. (Does anyone buy that anyway?) I was talking about Windows. In the news this morning:
http://www.independent.co.uk/life-style/gadgets-and-tech/news/microsoft-admits-millions-of-computers-could-be-infected-with-malware-before-theyre-even-out-of-the-box-8139437.html
Like many a phone user I dipped my toes in the Android world only to find on three separate occasions that the gap between Google, carrier and vendor is very wide.
In each case the fault was down to patching updates not being released by the carrier because they had not yet redeveloped and tested their version on the base level OS or patch.
At which point it's now time for phone upgrade. So the issue never gets fixed and the phone goes to recycling.
And this is why iPhone wins: it's one OS and one lot of patch notes and only one interface, for which if there is a frustrating bug you're not on your own or pending a separate vendor patch or fix.
The vast majority of customers like simple one stop shopping and user experience to do their job, so until Android says no to vendor/carrier fiddles with the OS and makes them add-on apps instead, meaning that the base OS can always be patched directly without having to do some sort of jailbreak to load the latest OS, then I'm afraid as people tire of the experience they eventually, even through iPhone hand me downs, move to the Apple experience.
And once you have had a bite of the apple there is no going back. I'm afraid to say that this is the hook which costs the extra bucks that eventually people end up willing to pay.
"The vast majority of customers like simple one stop shopping and user experience to do their job, so until Android says no to vendor/carrier fiddles with the OS and makes them add-on apps instead, meaning that the base OS can always be patched directly without having to do some sort of jailbreak to load the latest OS, then I'm afraid as people tire of the experience they eventually, even through iPhone hand me downs, move to the Apple experience."
And that will never happen. Android, unlike Apple, has no glamour. The carriers know that the iPhone series is the most sought-after mobile phone, full stop (sure, Android has more overall penetration, but it's spread out among several manufacturers, none of which approach Apple's single-vendor penetration). They have the allure that makes people buy them way over cost, imperfections and all. In a fantasy world, that would be considered glamour: the ability to alter the perception of the people around you. None of the other carriers have that kind of draw, which means the carriers can always walk away and pick company B instead. Indeed, until the iPhone, North America wasn't really that interested in smartphones, so that should give you another idea as to the singular power of Apple in the phone market. No other company can dictate terms to the carriers because no one wants to be without the iPhone.
You don't need root for a custom ROM. (I would rather the holes be closed).
Unlocked Bootloaders are the important thing at least then you get the option to fix it if you want. (Regardless of anyone else).
(If you want to leave it unrooted you can fastboot boot clockworkmod and then apply the patched files to /system). (You are not likely to get a system with an unlocked bootloader that won't let you mod files in /system because you can replace the lot if you need to).
I agree with getting a 6310i; the problem is it is difficult to buy one these days that is not eBay seller refurbished (i.e. using lots of junk 3rd party parts).
(I use a 6230i and a few Android Devices. The Nokia is streets ahead when it comes to Bluetooth and being a good phone with good battery life).
Nah, you want a 3310... those beasties are indestructible.
I have three here, the problem is the batteries are made of 24 carat unobtanium flangium oxide and you can't even get broken ones to recell.
I did look into retrofitting them with a little casing 3D printed with a MAX1555 to take a Nokia BL5C or 5B as those are slightly easier to find.
The phone works stably up to 4.8V so it is quite happy to run on a fully charged lithium but charging could be a problem.
Not so sure about the GSM though, that is due to be shut down due to the switch to 4G as it overlaps with the frequencies.
I did also work out how to add Bluetooth to such a dinosaur using the extra space in the battery compartment, and use the display as a wifi signal meter.