back to article Android tops 2016 vuln list, with 523 bugs

Of any single product, CVE Details reckons, Android had the most reported vulnerabilities in 2016 – but as a vendor, Adobe still tops the list. The analysis is limited by the fact that only vulnerabilities passing through Mitre's Common Vulnerabilities and Exposures (CVE) database are counted. That's a statistically worthwhile …

  1. This post has been deleted by its author

    1. Anonymous Coward
      Happy

      Re: Owww.

      It keeps looking like the only truely smart option is not to buy a smartphone in the first place

      Well if you exclude good old poisoned SMS messages, you'll be fine

    2. Anonymous Coward
      Anonymous Coward

      Re: Owww.

      The only exploit on a phone I've personally seen was the the Nokia bluetooth trojan on their feature-phones which would completely take down the phone making it unusable.

    3. Evil Auditor Silver badge

      Re: Owww.

      ...the only truely smart option...

      Great for the "feature phone". But what really interests me is how you've connected your typewriter to the interwebs?! Or do you simply shout your comments towards your assistants and they type them?

  2. Brian Miller

    Cyanogenmod: not tested, or no vulnerabilities?

    Possibly Cyanogenmod (now Lineage OS) hasn't been tested in some time, but one vulnerability for 2012 is not bad.

    Yeah, I would feel better if my phone ran OpenBSD.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cyanogenmod: not tested, or no vulnerabilities?

      Its based on Android, so it would have almost all the same bugs. Your contention fails the 'duh' test - there's no way in hell they found and fixed all but one of those hundreds of Android bugs before Google or security researchers found them!

      The only way to make a secure mobile OS these days is to have it do almost nothing. Look at all the Android bugs around receiving MMS messages - the fix for that is to disallow MMS. The only fix for the various bugs everyone has where a web page with the right code can exploit the browser is to not support web surfing. Basically if you make your smartphone a feature phone that can't browse the web, can't run apps, can't do anything besides calls and SMS, you can probably make it bulletproof. You do everything a modern Android or iPhone can do, you are going to have to accept security issues as a consequence of that convenience.

      OpenBSD won't help you here, BTW. Perhaps it has a more secure userland, but that doesn't help if you are running Chrome or Firefox and getting all their bugs.

    2. chasil

      Re: Cyanogenmod: not tested, or no vulnerabilities?

      OpenBSD won't help you. These cellular modem chipsets have an iommu that can do DMA to any RAM on the device.

      "There are no secure smartphones."

      https://www.devever.net/~hl/nosecuresmartphone

      That appeared on Hacker News nearly a year ago.

  3. Daniel B.

    Interesting overlooked detail

    Java isn't in the Top 50 this time around. Maybe Oracle has finally fixed it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting overlooked detail

      It just has a single flaw, it just happens to cover everything.

  4. Anonymous Coward
    Anonymous Coward

    The lack of update to phones is a bigger problem

    Software has bugs. I get that. What pisses me off is that mobile phone vendors rarely update the handsets to fix these issues.

    Microsoft are shit but at least patch tuesday comes around every month.

    1. Planty Bronze badge

      Re: The lack of update to phones is a bigger problem

      Not true, wife's phone got November 2016 security update on 4.4 a few weeks ago. Don't fall into the same flawed assumption that many plebs make, Google release monthly patches for 4.4, 5.x, 6.x and 7.x

      You do that need android 7 to be secure, you don't even need android 7 to run the latest stuff from the app store either, Google play services and Google compatibility libraries take care of that. If you have an older phone, essentially as long as you get security updates, you are better off with the OS the phone shipped with, rather than a bogged down, less tested full version OS update.

      1. chasil

        Re: The lack of update to phones is a bigger problem

        ...and I am still waiting for Samsung to ship a 4.4.2 security update. Slackers.

        1. Anonymous Coward
          Anonymous Coward

          The problem is not Google providing security fixes

          It is and always has been getting them to the phones. If your wife got really lucky with a purchase I guess she got one that is still getting updates for 4.4, but I'll bet that's true for less than 1% of all the phones that were sold with 4.4.

          Timeliness is also an issue. If Google issues a 4.4 fix tomorrow and a phone doesn't get it until July, that's a lot of time for hackers to reverse engineer the exploit that was fixed and use it against you.

    2. LDS Silver badge

      Re: The lack of update to phones is a bigger problem

      As a mobile phone vendor, MS AFAIK is no longer updating Windows Phone 8 as well...

  5. Anonymous Coward
    Anonymous Coward

    Come on let's crawl

    Gotta crawl, gotta crawl,

    To the ugly bug ball

    To the ball, to the ball

    And a happy time we'll have there

    One and all!

    At the ugly bug ball!

  6. Ian Joyner Bronze badge

    Linux trades security for performance

    Because of the Linux monolithic kernel architecture that provides speed instead of the inherent security of a microkernel, Linux is more susceptible to security flaws.

    Security is best built in intrinsically at lowest levels. Adding security as an after though still leaves the original problems there.

    While Linux has proven good for well-managed server systems where performance is required, it is bad for end users who don't maintain their machines or want the freedom to download apps and use their devices for 'fun'. These users want automatic security built in, rather than managed security.

    This does seem like a paradox that security is more important on end user devices than servers. However, it is how that security is provided - built in to the OS, or managed by IT professionals. When a user's machine is compromised, it does not just affect that user - hackers can mount DDoS attacks against servers. This also applies to unmanaged security on IoT devices.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021