Microsoft phones
This is where apple and evrn Microsoft actually win over android. Even my elderly windows 520 is supported but a 2012 edition nexus tablet isn't.
More than a billion Android phones, tablets and other gadgets can be hijacked by merely previewing MP3 music or MP4 video files. Booby-trapped songs and vids downloaded from the web or emails can potentially compromise vulnerable devices, and install spyware, password-stealing malware, and so on. This is all thanks to two …
Yes Android = good idea, rubbish implementation. The licence should have forbidden any tailoring of the operating system by manufacturers and distributors to add their own features. Then everyone would have the same vanilla version and a patch to the codebase would actually make a jot of difference to the majority of users.
Except at the time the carriers pushed back and basically gave an ultimatum, "You let us lock our stuff in or your phones don't go in our stores. Deal or No Deal?" That meant Google couldn't pull an Apple (who could only do what they did due to their unique sirenesque appeal) as the carriers were willing to walk away and leave Android dead in the water. Know any other way to break into phone market in the late oughties?
As you say, Apple did exactly this - no carrier modifications. I cannot know whether Google even talked about this or considered it in their negotiations.
What other options were there for the carriers in 2008? My guess is that without Android we would all have Windows phones which would probably be a better place than we are in now.
I do not know if they have locked-in carrier modifications despite their lack of consumer appeal?
My guess is that without Android we would all have Windows phones which would probably be a better place than we are in now.
Have you not seen the cluster that is Windows phone? The only reason it's not rampant with viruses is because no one uses it. No sir, the handful of malware that can infect droids is better than what we'd have if Microsoft had Android's market share by far.
"the handful of malware that can infect droids is better than what we'd have if Microsoft had Android's market share"
Not sure if that's true. Not that I'm any fan of WinPhone but Microsoft certainly improved their security stance in Windows after going through the wringer time and again. Is it perfect? No. But it's far more responsive than it once was.
This is a lesson Google should have learned and after the first Stagefright debacle, the first and primary feature of Marshmallow should have been a cohesive update system, even if that meant delaying its release. Simply put, this is that important! My phone (LG G3) still hasn't seen a patch for SFv1. That's not critical since I can turn off MMS and ignore anything from unknown senders (which I tend to do anyway, now I just have a better excuse). This new exploit is critical since everyone wants to throw videos on their webpages.
Much as I've been a fan of Android, this could be a market killer for it.
This post has been deleted by its author
The licence should have forbidden any tailoring of the operating system by manufacturers and distributors to add their own features
Not necessary.
All that is actually required is for all the vendor-supplied mods to go into a separate partition - perhaps mounted on /opt. The core stuff would be pretty much common between all machines of a given architecture, so easily updated without needing the vendor to do much of anything.
Vic.
Carriers certainly have a history of putting conditions for selling Android phones. E.g Verizon Galaxy Nexus phones were the only ones not to have the Google Wallet feature, because Verizon was trying to push its own payment solution.
It's hard to believe now, but at some point in the past Android was an underdog, and Google had to convince carriers to sell Android phones.
Care tp back that up? I would be keen to know how/why Google is or would maintain various versions of the same version of the OS. II can see there being build variations within Google, but that is not the same as two versions of 5.1.1, or 4.4.2, or any other number you care to pull out of the air. OEMs who maintain their own unique flavour of Android don't count, because we're talking about a nexus device and the Google version would be the default.
Sony Xperia Z3, running Android 5.1.1 with both stagefright patches to date. Same patch level as a Google Nexus. How is that unsupported???
Pretty sure this one will also be patched in a timely manner.
Not that stagefright is anywhere near as bad as everyone with a vested interest is making out. Not a single real world occurance of any stagefright issue to date (after 8 weeks), which to me means 1 of 2 things
1. Overplayed by the press
2. ASLR is doing its job
Windows is the toxic hellstew, even apple are having problems. To date I have NEVER seen a single android device with malware, yet in the Windows world its rare to find a machine not infestated.
This is where apple and evrn Microsoft actually win over android.
Windows Phone, maybe, but this kind of attack (relying on an app's preview function to execute code) has been exploited in Outlook. Best practice there is to turn preview off. I would think a similar approach for Stagefright would help to mitigate the flaw.
Following the most recent set of vulns, Samsung pushed out a large update to my Galaxy S5 Mini. There was no information about the update and contacting customer support said they were unable to tell me the contents of the update.
Useful. Until evidence to the contrary, I can be assume that my phone is unpatched.
There are apps to check to see if you're vulnerable.
Samsung have pushed out fixes for the original Stagefright issue to stock (non-carrier branded) devices, but I haven't had an update for a long time on my EE S5 and it's definitely vulnerable.
I'm not sure about the stock S5 Mini.
As the article rightly says, Jelly Beans or older phones in general (3 years or so?) will probably see no updates whatsoever. In case of Samsung, their response to my inquiry as to whether updates/patches will be provided for my S3 in light of the original Stagefright was: nope sorry, got to buy a more recent phone. So I did... but it sure wasn't a Samsung this time around.
It's just another carrier scam to force you into 2 year rip-off contracts as opposed to purchasing an unlocked phone and do whatever the hell you want with it.
If I ever find the time and inclination to do so, I'll give CyanogenMod a spin on the S3.
My advice for Cyanogen on the S3 - don't. I've tried various different ROMs and the most stable one I've found is Archidroid, and even that has severe lag and FC issues at random.
Edit: Just five minutes after posting this comment, the gods of Cyanogen smite me with a random reboot, the third this week...
My advice for Cyanogen on the S3 - don't. I've tried various different ROMs and the most stable one I've found is Archidroid, and even that has severe lag and FC issues at random.
Edit: Just five minutes after posting this comment, the gods of Cyanogen smite me with a random reboot, the third this week...
I'll second that. On my S3 Cyanogen silently reboots so often that the space being taken up by reboot logs has become a serious issue. I have to go in and purge them every couple weeks or I start having lack-of-free-space related issues from the gigabytes they occupy. Cyanogen used to be a good custom ROM. Not so much these days.
Don't blame Cyanogen, blame Samsung. The former i9300 device maintainer wrote a series of Google+ posts explaining why; TLDR Samsung don't release the code and have rubbish dev relations with the open source community. It's why I'll never buy another Samsung phone.
That's a description either copied from a channel that isn't broadcasting any more or that 'i' should be a 'y'.
Possibly or so I've heard, not that I would know about such things, apparently, from what I have been told. By a friend. Who knew someone who had read about it.
Or I am deafened by the whoosh, in addition to already having gone blind...
Let's face it, Android is not a proper open system. All the actors including hardware chip, SoC, sensor and radio part vendors, phone/tablet manufacturers to Google itself along with software vendors and carriers have direct interests vested keeping their parts of the platform protected from everyone else in the industry. By extension, that means that users are basically in thrall to various companies and cabals. With everyone fighting to protect their own "intellectual property" and business models, it's no wonder that the whole ecosystem produces a product that is basically insecure by design.
By way of contrast, I've been a Debian user for a long time. One of the things I like most about it is that I can be running older versions of it and any major security updates still get back-ported. There's a clear understanding that users rely on the platform for stability and security. Keeping up to date with security is usually a trivial matter. Barring a few non-free components, I'm not beholden to hardware manufacturers or the people who sold me the system to fix defects or being stuck with Hobson's choice of either living with can't fix/won't fix problems or going through a painful migration to the next iteration of the platform. (Or worse: having to replace my hardware because there is no software upgrade path).
I like Android for the semblance of openness it has, but really the whole thing is rotten to the core.
Yup, I've been a Debian user for ages too, but now I'm taking it in the butt from systemd telling me I can't automount my camera, breaking support for my ancient Epson scanner and other things, so I'm moving on.
Heck, recently I wanted a cell-enabled Android tablet that was not carrier-locked, to use as a big-screen GPS among other tasks.
Apparently there is no such beast that isn't some one-off Chinese fly-by-night job, so I bought my first Apple product after being an Android user since Eclair.
It was almost impossible to discover particulars about various Android devices.
I'm repeating myself, but it will require some very large lawsuits to force Google, manufacturers, and carriers to fix this mess.
Each of those should be terrified to think that their customers are doing banking, stock trades, business email, and other sensitive business using devices that likely will never see security updates.
It's just a matter of time before something large and expensive uses an unpatched exploit to hammer hundreds of thousands of users on a scale that cant be ignored.
Have you checked out all the EULAs you agreed to on your Android phone? I know every time I get a new iOS version on my iPhone it is a ridiculously long - I just click Agree without even bothering to read it. I'm sure if they added something draconian El Reg the Apple haters will be on top of it in no time :)
I'll bet Google and Samsung et al have indemnified themselves against any consequences, and you've given up the right to sue. You'd have to agree to binding arbitration....good luck getting more than a $5 credit at the Play Store or a $50 discount on your next Android phone from the OEM!
@ Barry Rueger
> it will require some very large lawsuits to force Google, manufacturers, and carriers to fix this mess
Not necessarily ...
@ DougS
> Have you checked out all the EULAs you agreed to on your Android phone? ...
> I'll bet Google and Samsung et al have indemnified themselves against any consequences, and you've given up the right to sue.
Well this is where those of us in teh UK have an advantage - we have the Unfair Terms in Consumer Contract Regulations which basically blow many of the restrictions in an EULA out of the water. ANY contract term that seeks to remove a consumer's legal rights is automatically void - and so can be ignored.
Then we have the Sales of Goods and Services Act (which IIRC is superseded by something with a harder to remember name - but which gives the same protections) which lays down other requirements - specifically an implied contract term that the good will be "as described" and "fit for purpose" and "reasonably durable".
If you have a phone with this bug then it's very clear that it was a "manufacturing defect" - should be no problem showing that it was present when bought. And if the phone is not capable of receiving messages without getting "damaged" then it's clearly not fit for purpose.
Thus what we need to is for a large number of people to go back to whoever sold them the phone and demand it be "repaired" (or replaced, or refunded). The retailer is legally liable, this isn't something they can wriggle out of with disclaimers - they are responsible for fixing the problem, or replacing the faulty goods, or refunding the purchase price (less, if as is likely it's not nearly new, an allowance for the use that's been had from it).
If enough people push this, then the big sellers will push back at the manufacturers. The carriers and the Carphone Warehouse type operations have enough clout to make the manufacturers think again.
And the only time limit is the general statute of limitations for civil cases which is 6 years in England and Wales, 5 years in Scotland IIRC.
So no "big legal fights", just a "death of a thousand complaints". And this applies (by EU directive) to every country in Europe in some form or other.
Just think if (say) 10% of European users with unpatched phones did this :-)
The fix is easy. Stop believing everything you read on the Internet.
Buy RIGHT android device at its patched promptly, just like apple devices, just like nexus devices.
I have a Sony Xperia and its patches are bang upto date.
Security companies are snakeoil vendors, uplaying the significance of problems in the hope you will buy their product (we don't buy from companies that opt for this marketing strategy, as it shows deep dishonesty within their company).
How many Android devices have you seen affected by stagefright or any other malware?? It's an easy question to ask, and east to answer. However it seems many here aren't smart enough to see it.
Include a stagefright exploit in the daily Google Doodle. Patched phones would be unaffected but other phones will be pwned and accessed at root level, without the need for carrier intervention or jailbreaking/rooting the phone. The exploit will check all potentially vulnerable files. When any such file is found, the exploit will download and install a patched replacement, then reboot the phone.
Everyone goes to Google's home page once in a while, so there would be universal implementation of the patches.
:-)
Brilliant idea, but I could see this causing some issues with custom (and vendor modified) ROMs if it replaces a customized file with a stock one. Still it's probably the most workable solution to patching vulnerabilities in an ecosystem as fractured as Android as I've seen.
> Include a stagefright exploit in the daily Google Doodle
One teensy little problem there - it would be criminal (not just "not lawful", but explicitly prohibited) in quite a few countries (Computer Misuse Act in the UK). I know this is Google who seem to have a different idea of what should be legal, but I think even they'd find this hard to defend.
> Everyone goes to Google's home page once in a while
Err, I don't !
OK, I tell a lie - I've been there a couple of times this year when I've been told there's an interesting doodle.
Put the exploit on every page and that's a different matter.
I see the big problem here being the delay between Google making a patch and Manufacturers/Operators incorporating that into their patch. If the Google could just patch straight away and al devices were updated at the same speed as Nexus devices then this would go a long way to helping mitigate the problem. As it is, manufacturer patches are MONTHS behind urgent Google patches.
Now, I don't know how hard this is to do (even though I am currently learning Android and have written a couple of basic apps - doh!) but it simply has to be done. The firmware has to be compartmentalised such that a pure Google path can be done on every phone (and is done in cases like this).
This kind of security flaw really erodes faith and trust in the platform and we cannot go on like this.
You're not. What *every* article about this fails to mention is that the checker isn't checking for these vuls yet...
https://blog.zimperium.com/zimperium-zlabs-is-raising-the-volume-new-vulnerability-processing-mp3mp4-media/
"At this point, we do not plan to share a proof-of-concept exploit for this new vulnerability with the general public. Once a patch is available, we will update our Stagefright Detector app to detect this vulnerability."
"People owning the 20 per cent of devices running Lollipop or later are probably wealthier than others, and therefore more attractive targets."
Not entirely sure how any of the miscreants would deduce I'm wealthy, just because I have a $120 MotoG, that got upgraded to 5.1 a week or so ago.
Leaving this aside, CVE-2015-3876, and CVE-2015-6602 are not checked for in the stagefright detector app (thanks for the link). Are different bug reports assigned to the new threat?
As complexity increases, we're going to see more and more of this on all platforms. The only reason Windows phone users are mostly unaffected is because there are so few out there that malware writers are targeting more popular platforms. (Ironic if you think of all the malware that affects Windows)
I'm not sure what the solution is, but you can only add so much security to a device and platform before the usability is affected beyond any gain in security. I think the efforts to not be pwned have to come from the OS devs, the service providers, the app store overseers, and also the public has to be smart enough not to click on everything that comes their way. (of course there are idiots that will sleep with anyone and not use condoms either)
With millions of lines of code even in fairly simple games these days, much less an operating system, it's currently impossible to anticipate every crack that someone will find a way to stick their foot in.
@ratfox, agree that Google at one point had to make concessions in order to get Android adopted. That time has passed. I would think if it chose to, Google could fix this in the next MAJOR release: Encapsulate the code that hardware vendors and mobile carriers have access to. Then Google can patch the core OS via the Play store, and vendors can continue doing OTA patches for just their subsystems as they need to. This would be a huge effort, and a headache for vendors initially.
OTOH, not having a proper way to promptly patch security flaws is evil.
True, but it's also the norm for the phone makers. Why patch something when you just declare it obsolete and tell everyone, "Time for a new phone!" But Android as it's built now can't separate the two, and it's too late to fix Marshmallow, so it'll have to wait for Android N (Nougat? Nut Bar? Necco?), and given this would be almost a top-down teardown, it'll take a while.