back to article As the world descends into madness, it's good to see some things never change: Monthly Android patches

Google has emitted the August edition of its Android software security updates. This month's fixes include one remote-code-execution bug (CVE-2020-0240), present in the Android Framework. Google warns that the bug "could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an …

  1. chuckufarley Silver badge

    I hate to say it...

    ...But I won't be installing any of these updates. Why not? Because the Android phone I bought 3 years ago no longer gets updates. My next phone will either be a Jesus Phone (once I sell my liver and can afford one) or an Android LTS phone, which will be on the market shortly after I find and tame a unicorn.

    For the last year my phone has had wifi and bluetooth turned off for good. I have uninstalled every app that isn't baked into the firmware or made my Google. It never leaves my house, I never open text messages or email on it, and it most likely is a security breach waiting to happen.

    1. Anonymous Coward
      Anonymous Coward

      Re: I hate to say it...

      I have learned this the hard way - the total TCO of an iPhone is lower even if the initial cost is higher.

      If you want new shiny quick and cheap and are landfill-friendy, buy Android. Otherwise smartphones are just seeing incremental changes and reasons to upgrade are external.

      For a phone to use till it breaks, it's iPhone. The 6s from 5 years ago is still being updated and plenty snappy.

      My Android flagship from the same time has had no updates for three years, sluggish with the last os upgrade, and buggy with other free ROMs.

      1. Anonymous Coward
        Anonymous Coward

        Re: I hate to say it...

        The 6s from 5 years ago is still being updated and plenty snappy.

        I have a second-hand Samsung Galaxy S6, also 5 years old, running on an MVNO. I just pulled a system update for it.

        It works fine for my purposes and cost me around $100.

        Personally, I wouldn't touch an iPhone for any price; but in any case it's not true that there are no Android devices which are supported for 5 years.

    2. Sampler

      Re: I hate to say it...

      I got my monthly android update from my Note 8 yesterday, that's a three year old phone on the 23rd of this month.

      It's still listed under monthly support though one could imagine it moving to quarterly support after this month:

      https://security.samsungmobile.com/workScope.smsb

      Average lifespan of the non-removable batteries is three years so can't see them wasting much more time on it after that and four years support is an average for Samsung's higher end models, guessing you got a cheap model and got what you paid for.

      Note20's announced today/tomorrow (depending on your timezone) so probably time for an upgrade myself (even though there's literally nothing the Note8 can't do and no need to upgrade, I really don't see the point in 5g right now as 4g is fast enough for a mobile device, there's always the shiny shiny impulse..).

      1. stiine Silver badge
        Unhappy

        Re: I hate to say it...

        Damn. How old is my Galaxy S7? Of course, I only use it to make calls and press decline for incoming spam calls. Seriously, I must get 10 a day.

      2. Anonymous Coward
        Anonymous Coward

        Re: I hate to say it...

        With an iPhone you get an official battery replacement. And you get security updates, which aren't really optional.

        Also do not confuse the monthly 'security' updates (which would cover the android os issues here), with the driver and firmware issues in this article (likely kernel but below android in any case). Google won't deal with this. The monthly updates do not have this. Samsung only supports low level updates, including new os images, for two years.

        You're justifying your upgrade because the battery life is less (it is a different matter if it were dead in three years). What if I still find the reduced life acceptable? What if 5.1G++ is not wortwhile? What if I just want to service the battery and avoid ewaste? the answer remains the same - with an Android, my options are to either trust a random third party buggy os or accept walking around known and public security holes.

        I'm a captive in the Android system with a ticking timebomb from the day of purchase, I have to bin my phone or be happy to have banking apps, contactless and what not to be possibly compromised.

        Android's have a use-by date, while iphones have a best-before date.

        1. EnviableOne Silver badge

          Re: I hate to say it...

          your options are greater than that, there are Android phones available with removable batteries, and even some by samsung, and far more Android clones that are stable, as is always the case with OSS that matures.

          Also there are security tools available for android, that dont have a comparable for iOS as Apple wont make the access needed possible.

          Thats the big difference with Android over iOS, Android will run on any hardware that wants it to, feature availlability is goverend by market forces, and the numerous mods actually drive improvement in the base OS.

          Your iPhone 6 running iOS 8 was behind Android 5.1.1 there weremultiple options launched that year from Samsung,HTC, OnePlus, Sony, Huawei and others. the Galaxy S6 on 7.1.1 (its latest update) is probably more feature rich than your iPhone on iOS 12.4.8

          Unfortunatley, your phone also has the Checkm8 hardware vulnerability which is unpatchable, and if it was in an android phone would have been found sooner.

      3. Screwed

        Re: I hate to say it...

        Three years?

        My iPhone 6s from late 2015 still has 83% battery capacity. (Mind, I really wish it had higher capacity and were easily replaceable.) Eligible for IOS 14 though that will be the end of the line, I fear.

        Why, only a very few months ago, I sold a Samsung Galaxy S2 from 2011 with its original battery (plus a replacement with slightly higher nominal capacity). Despite having been left in a drawer for the best part of five years it charged and worked OK albeit with less life. And a Nexus 7 from, IIRC, 2013 which still had decent battery life - also left in the same drawer but for a slightly shorter time, three or four years.

        My biggest gripe about the S2 was lack of updates.

        I do have Samsung tablets which have been getting updates but keep expecting them to stop. I only got them for specific purposes for which they made more sense, especially given the relatively high prices of iPads. The SM-T850 is over four years old. (Just checked - last update 2 May 2020 - perhaps I have now hit the buffers?)

        What do you do with your batteries?

    3. seven of five Silver badge

      Re: I hate to say it...

      should have bought a fairphone...

    4. Anonymous Coward
      Anonymous Coward

      Re: I hate to say it...

      This week my partner has managed to break her phone this week...

      So I found my old Nexus 5X, and after a bit of scouting around installed LineageOS 17 + Google Apps onto it - so it is now running Android 10 patched up to July 2020. (OTA patches from Google stopped in 2018...)

      Its just coming up to its 5th birthday - and seems to be working well. OK, the battery doesn't last as long as it used to, but it'll do until she gets a new one...

  2. Lorribot Bronze badge

    Remember your money is important to us, but you information security is worthless.

    Android the OS that keeps updating now/next week/next month/quartely/maybe if you are lucky/never again*.

    *Delete as appropriate

    Imagine if Windows (the last ubiquitous OS) allowed hardware suppliers to customise the OS so that patches would have to be released by them?

    I know Google are redesigning the OS so it done properly rather the quick and dirty destroy MS and rule the world effort they did first time but that new OS will not be on 95% of existing hardware as non of teh manufactures will support it or distribute it. Google need to step up here and do something like offer an vanilla version that will work on older hardware, its not like there is a vast range of drivers like Windows supports natively (probably more windows printer drivers than there is Android drivers in total).

    1. tcmonkey

      Re: Remember your money is important to us, but you information security is worthless.

      The problem is that due to the way ARM works, what you want is essentially impossible. There are no standard hardware interfaces, no standard boot chains, no standard security model etc. Hell, on some devices the thing that you would call "the CPU" isn't even the one that's in charge of device operations.

      On a PC you can fall back to BIOS/UEFI to get some things done (drawing to the screen, reading mass storage etc) but that just doesn't exist on ARM devices for the most part. Until this is resolved, "universal" images for ARM are a pipedream.

  3. big_D Silver badge

    Samsung...

    I'm glad I'm using a Samsung Galaxy S20+. The Exynos chip means that the Qualcomm problems are not my problems. With the Kyrin chip in my company phone, I'm spared there as well. Although that might be because people are looking for problems in Qualcomm kit and Exynos and Kyrin are (currently) being ignored.

    On the good news front, Samsung have already issued the August patches for the S20 line, mine restarted over night after having installed the patches.

  4. Spanners Silver badge
    Flame

    Read this and started downloading update

    After it forced me to connect to a WiFi. I have unlimited data and the Wifis here are not great. No, 4G is not perfect either but it doesn't disconnect me if it feels I haven't been paying attention for too long.

    I have a couple of other apps with this annoying habit. Please give me an option to do everything on my SIM. Warn me, if you like, that phone companies can charge me for that (they don't).

    After this has downloaded its 106MB and rebooted, I will have to remember to turn off the WiFi so that things still work when I actually want them to! I averaged over a GB a day last month. I don't think that I need them to save me 0.1 of one in this way.

  5. Anonymous Coward
    Anonymous Coward

    Wish I could update

    I'm using a Galaxy J3V (2016 version). It reports "Android security patch level" as Jan 1, 2018, and last system update Nov 13, 2019. "Check for system updates" says it's up to date. Grrr...

    1. Neil 44

      Re: Wish I could update

      https://www.getdroidtips.com/lineage-os-17-1-galaxy-j3-2016/

      PS Don't try to install the "Stock" Gapps, go for "Full" if you get a choice (or less if you don't need/want some of the Google apps...) - you don't need the Pixel launcher and it probably won't work!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020