Wireless Carriers Put On Notice About Providing Regular Android Security Updates
msm1267 writes "Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices. The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. 'With Android, the situation is worse than a joke, it’s a crisis,' said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union. 'With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.'"
Does Dalvik have the same security problems Oracle Java does? If so this is a serious problem
Some drink at the fountain of knowledge. Others just gargle.
Handset manufacturers should stop screwing with it so much; if they used pure Android it wouldn't be so much work to get updates out.
And haven't had an update since the first year.
They (Verizon) should at least push updates while it's still under contract.
Every new revision of Android is this large, monolithic package that seems to take years to get right. If Android were more modular, you could have teams working in parallel on various modules, and releasing them as needed. This is what regular Linux does, so I don't see why Android doesn't do more of it. Other than the Google Apps package, everything else seems to be lumped together. (and yes, I know it's more modular behind the scenes, but if it isn't that way for the user, it's a moot point.)
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
How about instead of spending money on modifying those new versions of Android to work on old models, offer ways to unlock the bootloaders so that people can get the security updates they desperately need through third party ROMs such as Cyanogenmod?
"said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union."
Finally, an article about the dangers of Android that quotes someone I'm prepared to listen to. I'm not entirely sure why the ACLU would be involved in this stuff, but I do have some respect for them and believe them to be objective in this matter.
I'm tired of the barrage of articles about the security problems with Android, and the need for anti-virus to resolve them - quoting people paid by the anti-virus companies.
Is this the reason why Google are having such a hard time selling Nexus devices? Are the hardware manufacturer + carriers reluctant to allow the Nexus 4 on the market at "Google prices"?
If the carriers were what most of us want, i.e. dumb pipes, then we could possibly own our phones and upgrade them in a much easier fashion (so long as the hardware manufacturer is still providing updates).
Verizon's treatment of the Samsung Galaxy Nexus has been an eye opening experience and I'm still trying to figure out an alternative solution.
Android really needs a system where security updates can be delivered outside of entire OS updates. Carriers could enjoy their OS lock-in while users still manage to get security.
A novel idea! Maybe the carriers could stop f**king with the OS and make it easier to upgrade?
Really all the other advantages are a mystery to you?
Not everyone wants to live in a walled garden and pay a tithe to be allowed to program for their own device. Not to mention the lack of custom ROMS, and a whole host of other things.
> Engineers are usually focused on the current version, and devices that are coming out in the next year.
So what you're saying is that it's absolutely PERFECT for the wireless industry, eh? Keep people wanting the future product that you have to buy before the end of your contract!
I wish I were joking.
Superior right up until the point when an update breaks an application you consider critical to using the gadget and the owner of the program (in this case, Stanza) refuses to allow it to be updated because it's a hundred times better than his precious Kindle.
I'm now two revs behind iOS and don't give a damn.
You have to keep an eye on both the manufacturer *and* the companies that provide applications to make sure they're not letting nose-in-the-air corporate rah-rah get in the way of taking care of their customers.
Really?
Because my iPhone 3G didn't get the last few updates. And courtesy of Apple, it no longer streams Netflix. Because crApple is so incompetent, they can't even manage app versions.
Case in point. I have iPhone 4 and 3G. iPhone 4s are running iOS5 & 6. Which the new Netflix app requires. However, the 3G model is not able to update to iOS5. But iTunes only allows for one instance of an app. So you'll find that your old phones are now updated to versions of applications they cannot run.
Get off your high crApple horse. The platform has major suckage. Want to bet $250?
Move a photo you take with your phone into another folder. (No, don't just create a reference. Actually MOVE IT!!!)
You're not forced to take the update, but at least it's available to you if you want it.
Depending on the specific manufacturer/phone, an Android device may get a few updates, possibly very late, or none at all.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
> Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources
How come the cyanogenmod people do a better job than everyone else in the industry?
I just upgraded a LS670 last weekend to cyanogenmod. CM9 if I recall. It's faster, looks better, more features, MUCH newer which would imply fewer holes, overall quite a massive improvement over stock. It no longer has cell service, I'm using this phone as a wifi microtablet, quite happily.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I have ClockworkMod Recovery and it's a royal pain to update the OS. AT&T pushed an update to my Skyrocket a few months ago and I haven't updated yet because of it. And the whole re-rooting afterwards...
Karma: Bad
You can program for your own device without paying Apple for it. You're just spreading FUD.
I'm shocked that an easily rootable platform such as Android has security holes...
How is this unexpected? Unlike Apple phones and Microsoft phones, Android are a mishmash of some open source stuff, and some carrier specific stuff. This is part of the reason that I, at least, went with a MS Phone, instead of an Android phone. It reminds me of Linux: the core of it may all be the same, but by the time you slap all kinds of custom stuff on top of it, every single version is essentially different from every other version, and compatibility goes down the drain. So of course the carriers are going to be very delayed in updating everything: they have to juggle multiple versions of "Android" phones, and each update has to be tested and customized for each version. There IS a downside to the wide amount of customization that Android allows. Apple and MS phones, on the other hand, are true walled gardens, so they're much easier to update.
I don't respond to AC's.
The problem is Android phone manufacturers, rooted in traditionally consumer electronics oriented companies, are pumping out far more models than they could ever hope to provide adequate support for, as they aren't used to actually having to provide long term support for anything. This is one area they could really learn something from Apple, whose home computer roots have taught them what's involved with proper support. As consumer electronics get smarter, you're gonna see the same types of problems from everything these guys produce... next up, smart televisions. Those companies would have us just throw these perfectly good older devices away, and upgrade to new ones, but I don't think consumers much like that idea - or at least, I know I don't.
Sadly, Baquack won't be sucking on anything today. Because you're the one sucking.
Google, Samsung, and Verizon have scarce resources? Are earning little from this? Bitch, please x2
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Really? I can write an iPhone app without buying a mac and a copy of xcode? I don't have to buy anything special to write for Android or BlackBerry or even Windows. It's a fact, not FUD.
In previous comments related to carriers and phones, I stated that I am done with carrier games.
I am done with carriers selling me "discounted" phones which are actually far over-priced when required and unwanted data plans are added to the mix. I am done with carriers and their spyware and bloatware. I am done with carriers controlling the obsolescence of my device by providing late updates or failing to update them at all.
Long ago I recognized the potential for security issues which predictably would not be managed by the carriers well or at all.
Apple has it easier and it was by design. There are fewer models of iPhone so everyone is happier. Users know what they've got. The accessory makers are better guaranteed sales of mass produced products. Apple's carriers don't get to corrupt the iPhone and therefore there is more sanity when it comes to user concerns like bugs and security.
I have a Google Nexus. Not quite my ideal phone, but less expensive than unlocked/unbranded Samsung Galaxy S3. It is more likely to get updates and fixes and within my power to install and use custom ROMs.
Carriers care more about themselves than their customers. It is clear and evident. Why keep hoping and demanding that they care? Know them for what they are and respond.
crApple? Jeez... I thought calling it Micro$oft was bad. Yes, the troll was a fanboi. But you bit and went the wrong way.
Apple is much better at having a consistent platform than Android is. You have phones coming out 4 months ago stranded with no updates. Your iPhone 3G goes back (possibly) 4 years, and a minimum 2 years. It's a much different situation.
I have an iPod touch, gen 2, which has been stranded. I wish I could get an update on it, but the CPU on it is too old, so they don't support CPU hog IOS5 on it.
> Really?
> Because my iPhone 3G didn't get the last few updates.
You missed the part that because that device is over two years old, you can get a newer device for free when you renew your contract.
Of course, it sounds like you're using it as a secondary device. In which case I'm going to counter with a rant about how my spare G4 Cube can't run the latest version of Mac OS, can't run Netflix, and blah blah blah...
Yeah it's not a perfect platform. But I prefer it because at least I know what I'm getting. I know the level of support Apple will give me, which is pretty good, even if they do sometimes drop support on old models. But what can I expect if I buy Android? It's really hard to research, figure out and predict. This is why Apple is killing the competition.
Not everyone with a Windows PC has had their identities stolen and bank accounts emptied. Oh and by the way, "security" is just a convenient excuse for censoring apps. Look at the big stories of Apple censorship - they have nothing to do with security and everything to do with Apple enforcing their own morals.
Security my ass.
You are complaining that a five year old computing device isn't getting the latest OS updates? My five year old laptop won't run Win 8. There comes a time when technology advances require leaving older technology behind. To include your device would mean having to code for non-retina display resolutions, and for much slower and less capable processor capabilities.
You do have a point about iTunes should be able to recognize that you have a variety of devices and allow for older versions of apps to exist in your library as well as the latest and greatest.
> You missed the part that because that device is over two years old, you can get a newer device for free when you renew your contract.
You assume the person is *on* a contract.
> Not everyone wants to live in a walled garden and pay a tithe to be allowed to program for their own device. Not to mention the lack of custom ROMS, and a whole host of other things.
Most people don't do those things with their Android devices anyway.
For Android, updates only come with phone contracts.
So, if you buy a wifi Android device (similar to an iPod Touch), how do you get updates?
Answer: You don't. There is no business model for updating that kind of device.
Discuss.
> I can write an iPhone app without buying a mac and a copy of xcode?
Xcode is free and no, you don't need to buy a mac, especially if you already have one or you could install OSX on your PC or even in a virtual machine.
> I don't have to buy anything special to write for Android or BlackBerry or even Windows.
Macs aren't special, they aren't any different to PCs, in fact you can even run OSX on PCs and in VMs and XCode is free.
> Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.
That's pretty funny, because there's a small group out there that manages to provide nightly updates for almost EVERY PHONE ON THE MARKET for free... http://get.cm/?type=nightly
It seems to me like a carrier could simply let you switch to CM10 and get your updates from them as long as you agree that their updates are your problem and not the carriers... oooh... wait... the problem isn't updating Android... the problem is updating all their adware revenue bullshit to work with android, not the OS. I forgot. Sorry!
> Not everyone with a Windows PC has had their identities stolen and bank accounts emptied.
And not every person that has played russian roulette has been killed either.
But they still deserve to be.
Wow, that's ignorant.
I can create a free developer account, download Xcode and install any app I develop on my phone. No 'tithe' anywhere.
Custom iPhone roms:
http://whited00r.com/
But then, you probably knew that and just felt like trolling at the end of the day.
You have to buy a computer regardless.
Xcode is free.
You're an ignorant idiot.
no, you don't need to buy a mac, especially if you already have one.
no, you don't need to buy a mac, especially if you already have one.
no, you don't need to buy a mac, especially if you already have one.
That was so funny I had to repeat it three times.
Mactards, they're so cute when they're young...
The parent was patently wrong, however I'd like to point out the iPhone 3G is nearly five years old and only stopped receiving updates a couple years ago while most android phones stop receiving updates within a year or two.
> you can get a newer device for free when you renew your contract
Oh you poor misguided consumer.
Are you in?
First, stating the obvious - Google acquired Android.
This means even Google cannot get it right.
The CyanogenMod community puts a lot of hard work into trying to support old models, but Google/Motorola will not release the information on how to unlock the bootloader.
Most modders view this as a serious hit to Google's "no evil philosophy".
Seeing your idiotic past posts and now seeing that you are unabashedly an Apple fanboi, things make a lot of sense. I mean, you made a post just to troll, which if you know anything about Android you know is factually incorrect. How old are you, 12?
If you ignore ACs because they are anonymous - you're an idiot.
> So you'll find that your old phones are now updated to versions of applications they cannot run.
This is wholly untrue. I was using an iPhone 3G up until last week and when I tried to update any app, I was told "Requires iOS 4.3 or higher" and the update failed. I was left with all of my apps able to run on my old phone as they were before iOS 4.3 was released.
It is more than just Google Android OS -> Phone Manufacturer but also then on to the Cell Carrier. Yes a new Android OS rolls out, and yes the Phone Manufacturer has to tweak drivers and what not. But after that the Cell Carrier then tries to splice on their apps and other misc. clutter. This 3-phase pipeline is just murder for delivery. At each transition there is pushback. There had been, for example, discussion on the Droid BIONIC forums on how Verizon rejected a build from Motorola (for ICS) due to "poor quality."
> You have phones coming out 4 months ago stranded with no updates
Yeah, no kidding, I bought a phone and was told I was lucky to have seen 6 months of updates. I never did get off of 2.3.x...
Right when there's new DMCA rules that don't allow you to jailbreak your phone. Yet, if a carrier refuses to patch their phones, one can't legally load a new firmware on it, right?
> This is why Apple is killing the competition
"Android captured almost 70% global smartphone market share in 2012, Apple just under 20%"
http://venturebeat.com/2013/01/28/android-captured-almost-70-global-smartphone-market-share-in-2012-apple-just-under-20/#AOkdwU4cgQebLIbR.99
"I've got more toys than Teruhisa Kitahara."
> Not everyone with a Windows PC has had their identities stolen and bank accounts emptied.
Oh well, if there are still some that haven't been hit, that's OK then. Equally Afghanistan isn't dangerous, as not everyone who goes there dies.
But it's not factually incorrect. It's absolutely correct. That's why people who don't want it to be true get so upset about it.
And asking how old someone is is in itself a childish argument.
The current version of Stanza is compatible with the current version of iOS.
Even if it wasn't it's still true that it's better to get the option to upgrade the OS than not get the option, or to get it late, both of which are par for the course for Android users.
If you want people to believe you are an Apple customer, it's pretty silly to call them crApple.
It's even more silly when you say something that isn't true:
> Case in point. I have iPhone 4 and 3G. iPhone 4s are running iOS5 & 6. Which the new Netflix app requires. However, the 3G model is not able to update to iOS5. But iTunes only allows for one instance of an app. So you'll find that your old phones are now updated to versions of applications they cannot run.
iTunes does not install any application updates which are incompatible with the phone. If the phone is on iOS4, and the app requires iOS5, then iTunes does not transfer it to the phone. If you already had an iOS4 version of the app on the phone, then it will remain with that one.
Your claim that iTunes only stores one version of an app isn't even true. Go to ~/Music/iTunes/iTunes Music/Mobile Applications, and you can see multiple versions of apps, stored with the version number in the filename. Not all versions are stored here, only the ones that are needed to satisfy the fact that you have multiple devices, with different OS versions.
Wow - "deserve"?
Good thing you're not a god.
If an update bricked a phone and the owner died because even 911 wouldn't work, the carrier would be saddled with a slam-dunk loser case that would cost them at least $50 million dollars in settlements, fines, and legal fees.
This is very interesting in the context of the recent US ban on unlocking. As I understand it, the argument for banning unlocking has to do with the carriers wishing to retain at least partial ownership over your handset. As such, surely they're responsible for security implications? However, they're never keen on the effort involved in keeping older devices secure (which is more of a new threat in the age of android smartphone than it was on older proprietary non-app, non-data handsets).
So what happens when the handset is still in use but old enough that the carrier can't be bothered to support any more? Will they be forced to take responsibility for security issues? I don't know the average expected life of phones these days but I expect that a couple of years ties in with max contract length so is likely to be the support period.
In the UK, the Sale of Goods Act covers the quality of goods sold and they must be "sufficiently durable" - if you can prove the manufacturer's goods aren't up to snuff they have to fix them for you. Certainly in a phone I'd expect that leaving a known security hole with no patch should fall into this remit. And how long do the goods need to be "sufficiently durable"? Six years. That could prove a major headache here at least. I'm not sure what equivalent consumer protection laws there are in the US that could cover the same eventualities?
And the power users - the people who actually care about what they're buying are on iOS mostly, judging by web browser statistics. Yes, people who'll buy any old shit because it's cheap, bugger whether it gets upgraded, are buying Android. Nobody makes money out of them. Apple makes money, Android often doesn't. Yes, Apple is killing the competition.
> I have an iPod touch, gen 2, which has been stranded. I wish I could get an update on it, but the CPU on it is too old, so they don't support CPU hog IOS5 on it.
I hear people complaining about this, and I don't get it. Maybe they don't remember the 80s and 90s when your computer was out of date within a few months, and it wasn't long before you couldn't run the newest and greatest software. Today, computers have a much longer lifetime than they did back then. I point this out because that's where we are with these portable computers (iPhones, Android phones, tablets, etc.) - we're still in that early and fast update phase. Early on, each new iteration was leaps and bounds ahead of the prior one, and the pace is only starting to slow down now. The pace will speed up again if and when better battery technology shows up.
And, frankly, they pushed out updates for the Touch 2nd Gen for quite some time. Don't act like it was abandoned 3 weeks after they released it, because it wasn't. Updates were available for a long time for it.
This separation is what Firefox OS does actually.
There is the lower level linux kernel/Gonk layer and then Gecko running on top of that. So Gecko can be patched with small over-the-air updates (these may come straight from Mozilla). Either way the burden on a carrier would be notably less.
As a bonus Gonk is based on the same code Android uses, so if a carrier wants to port Firefox OS onto Android compatible hardware it should be relatively easy.
RDF mode ON...
If someone is stupid enough to take a chance at killing themselves for no reason at all, they do deserve to die because their brain doesn't work.
I tested the upgrade to 6 on an iTouch. Stanza blew out after the upgrade when I tried to change my settings, and locked up so hard I had to power down and up again to get the device back.
I'm in Stanza 90% of the time I'm using my phone and 100% when I'm using the pad. I will NOT upgrade to 6.anything until there's an official release of Stanza that is guaranteed compatible.
And options that blow out key components are WORSE than useless.
> they have scarce resources
If he said that he can't have any idea what's actually going on. I mean, the US wireless carriers are practically printing money. The fact that they don't update phones has a lot more to do with the fact that they're completely incompetent and most decidedly evil.
They should only be selling phones as stock Android if the carriers are unwilling to manage changes whenever a security update or new version of the Android OS is available.
Xcode used to be free. It isn't any more. More significant, it has an onerous developer agreement that I will never agree to.
But ... it's OPEN!
Apple made 70% of the mobile handset profit last year, on 20% of the sales. And they became the largest handset manufacturer in the USA, capturing the majority of the sales in the country. It's quick to find if you do a google search.
So I think they're doing fine.
And this is exactly why I threw in the towel on Android. Two reference phones, bought unlocked, were abandoned. After the second one, and seeing my daughter's ancient iPhone 3GS continue to receive updates, I bought an iPhone 5. Perfect world? No. But I do get regular updates and it works with my iTunes/Apple TV. None of the phones worked perfectly in my Ford with SYNC, but sending text messages is limited to feature phones (reading on the iPhone was added in the latest Ford software update). Smartest thing Apple did was maintain control of updates.