

Wireless Carriers Put On Notice About Providing Regular Android Security Updates

msm1267 writes "Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices. The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. 'With Android, the situation is worse than a joke, it’s a crisis,' said Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union. 'With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.'"


  1. Java by goombah99 · · Score: 3, Interesting

    Does Dalvik have the same security problems Oracle Java does? If so this is a serious problem

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Java by Qwavel · · Score: 2

      No, it doesn't.

    2. Re:Java by supersat · · Score: 4, Informative

      No. Even if it did, it doesn't matter because Android does NOT rely on Java for isolation or security. Each application runs as a separate Linux user, and the kernel enforces isolation between apps this way.

      Because apps are isolated in this way, they can include native code.
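
The per-app Linux UID isolation supersat describes has one well-known exception: packages that declare the same sharedUserId in their manifests run as one Linux user, so the kernel treats them as a single principal and they can read each other's data. The script below is an added example for this thread (not code from supersat or from Android itself) that audits a process listing for app UIDs used by more than one package. It assumes a two-column "USER NAME" listing such as `adb shell ps -A -o USER,NAME` prints on current toybox-based devices; the listing embedded here is constructed, not captured from a real phone.

```shell
# Added example, not from the original thread: audit a `ps` listing for
# Android packages that share one Linux uid. Each app normally gets its own
# uid (u0_aNN); two packages on the same uid are not isolated from each other.
# Input format assumed: "USER NAME" per line, as printed by
# `adb shell ps -A -o USER,NAME` (older toolbox `ps` prints more columns;
# adjust the column list there). The sample below is constructed.

SAMPLE_PS='USER NAME
root init
system system_server
u0_a12 com.example.mail
u0_a12 com.example.mail
u0_a13 com.example.browser
u0_a13 com.example.browser.plugin
u0_a14 com.example.bank
radio com.android.phone
u0_a15 com.example.sdkhost
u0_a15 com.example.sdkhost.helper'

# shared_uids: read "USER NAME" lines on stdin and print "uid pkg1,pkg2,..."
# for every app uid (u<user>_a<n>) that is used by more than one package
# name. A package with several processes (com.example.mail above) is
# counted once and is not reported.
shared_uids() {
    awk '
        NR == 1 && $1 == "USER" { next }          # skip the header line
        $1 !~ /^u[0-9]+_a[0-9]+$/ { next }        # app uids only; skip root, system, radio
        !seen[$1, $2]++ {                         # first sighting of this uid+package pair
            pkgs[$1] = (pkgs[$1] == "" ? $2 : pkgs[$1] "," $2)
        }
        END {
            for (u in pkgs) if (index(pkgs[u], ",")) print u, pkgs[u]
        }
    ' | sort
}

# count_shared: number of shared app uids in the constructed sample.
count_shared() {
    printf '%s\n' "$SAMPLE_PS" | shared_uids | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PS" | shared_uids
```

On the constructed sample this reports u0_a13 (the browser and its plugin) and u0_a15 (an SDK host and its helper); on a real device the same pipeline fed from `adb shell ps -A -o USER,NAME` lists which packages you should treat as one trust boundary rather than several.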

    3. Re:Java by Miamicanes · · Score: 2

As of this moment, there is no known "Java" VM that runs under Android. Dalvik begins its life as Java source code, but it's actually "double-compiled" by the time it runs on Android: Java source to Java bytecode, then Java bytecode is compiled to Dalvik bytecode. Lots of Android developers eventually get bitten hard before grasping the true meaning of "Dalvik Isn't Java" (i.e., there ARE things that work in Java, but don't work in Dalvik. Runtime dynamic compilation to achieve dependency injection is one example that comes to mind).

      Getting Java to run in any kind of compliant manner, with or without Swing, would be a HUGE undertaking that's also prohibited by Oracle and Java's open-source license. Remember, Java is encumbered by patents now owned by Oracle, and a license to use those patents is granted ONLY to users running compliant implementations of Java on x86/AMD64-architecture hardware. You can have a license to use software, without necessarily having a license to make use of patents embodied within it.

      If you spent months of your life getting OpenJDK to work under Android (with or without Swing) and published it, you'd be instantly sued by Oracle for patent infringement. Even pre-Oracle, Sun charged shitloads of money to license Java for embedded applications (remember, that's what it was invented for in the first place).

      Either way, Java applets under Android aren't happening. Period. Even if you solved the software problems & fought off the lawyers, there's still the tiny problem that Android browsers have no concept of an "Applet".

  2. Stop screwing with it so much by redback · · Score: 4, Insightful

    Handset manufacturers should stop screwing with it so much, if they used pure android it wouldn't be so much work to get updates out.

    1. Re:Stop screwing with it so much by ColdWetDog · · Score: 5, Insightful

      Like AT&T Maps; it's $10/month, the one time I used it was by accident because I confused it for Google Maps.

      No, it's not by accident. It's by design. A significant number of people won't be able to parse the difference between AT&T maps and Google Maps. So they'll just pay the dollars until they wise up. If indeed you do wise up, then you have to change their contract to opt out. Then the contract timer starts again.

      They get you coming or going.

      Brilliant strategy.

      --
      Faster! Faster! Faster would be better!
    2. Re:Stop screwing with it so much by jtownatpunk.net · · Score: 2

      Tell that to my Galaxy Nexus that's still running 4.1.1. So much for the idea that Nexus devices are on the cutting edge. They're abandoned as fast as any other phone.

    3. Re:Stop screwing with it so much by Frojack123 · · Score: 5, Insightful

      I agree, to a certain extent.

      But I also maintain that this is strictly Google's fault (The Open Handset Alliance).

      They took an operating system, Linux, which has long had the ability to put hardware drivers in dynamically loadable modules, and built Android, where they compiled everything into the kernel in one huge binary blob. This is a huge retrograde step in OS design. The kernel should be replaceable without having to replace the driver for every radio, screen, sound chip.

      After all, the radio didn't gain any new functionality between Android releases. The same carrier specific radio "rom" the phone was shipped with should suffice. Just call it dynamically rather than compile it into the kernel. Let us get our kernel updates directly from Google, or the handset manufacturer, and any carrier specific updates from the carrier.

      This is a packaging error.

      --
      F. Robert Jack
    4. Re:Stop screwing with it so much by tlhIngan · · Score: 4, Informative

      Tell that to my Galaxy Nexus that's still running 4.1.1. So much for the idea that Nexus devices are on the cutting edge. They're abandoned as fast as any other phone.

      Only the Verizon Nexuses are "abandoned". If you got the HSPA ones, you should be at 4.2.x already.

      If you're not, perhaps it's because you bought it from a carrier and have the default carrier firmware stuck to them with carrier firmware updates. In which case you need to go to Google, download the latest factory images and install them on your GNex. This will get updates as fast as Google pushes them out (the carrier ones actually have an update URL pointing somewhere else, while the Google ones point to Google).

      An interesting note - when I did this, battery life shot up dramatically. The carrier GNex firmware isn't all that great.
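
tlhIngan's route of downloading Google's factory image and flashing it yourself carries one check a practitioner will want before running anything from the archive: confirm the download matches the checksum Google publishes beside each image, so a truncated or tampered file is never flashed. The script below is an added example for this thread, not code from tlhIngan or from Google's tools. It assumes a `.tgz` factory image containing the `flash-all.sh` script the Galaxy Nexus images of that era shipped with (newer images are zip archives, so the extraction step would change), a device already in fastboot mode with an unlocked bootloader, and a local `sha256sum`, `shasum` or `openssl` for hashing.

```shell
# Added example, not from the original thread: verify a downloaded factory
# image against its published SHA-256 before running the flash script it
# contains. Assumes a .tgz image that carries flash-all.sh (as the 2013-era
# Galaxy Nexus images did; current images are zip files) and that the device
# is in fastboot mode with the bootloader unlocked. No file names or hashes
# below are real; they are placeholders for the values on the download page.

# sha256_of FILE: print the hex SHA-256 of FILE using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d ' ' -f 1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_image FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals EXPECTED_SHA256 (case-insensitive),
# 1 when the file is missing or the digest differs. Mismatch details go to
# stderr so a scripted caller can still act on the return code alone.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# flash_if_verified FILE EXPECTED_SHA256
# Unpacks the image and runs its flash-all.sh only after verify_image
# succeeds; anything else is refused. flash-all.sh itself drives fastboot.
flash_if_verified() {
    verify_image "$1" "$2" || return 1
    tmp=$(mktemp -d)
    tar -xzf "$1" -C "$tmp" || return 1
    dir=$(find "$tmp" -name flash-all.sh -exec dirname {} \; | head -n 1)
    [ -n "$dir" ] || { echo "no flash-all.sh in archive" >&2; return 1; }
    (cd "$dir" && sh ./flash-all.sh)
}

# Usage (placeholder names; take the real file and hash from the download page):
#   flash_if_verified factory-image.tgz <sha256 from the download page>
```

The hash comparison is the whole point: `flash-all.sh` unlocks nothing by itself, but it will happily write whatever partitions the archive contains, so the integrity of the archive is the only thing standing between you and a bad or hostile image. Compare against the value on Google's page, not one bundled inside the download.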

    5. Re:Stop screwing with it so much by JonBoy47 · · Score: 2

      These Android-makers customize/skin the Android experience for the simple reason that it's just about the only thing preventing their product from becoming completely commoditized just like Windows PCs have been in the past few years. They also lack the clout to tell the carriers to pound sand. Thus we get Android handsets with carrier-dictated bloatware because the carriers get incremental revenue off that stuff. Be it someone using AT&T Maps and paying $10/month because they can't tell the difference from the Google Maps icon, or because someone is paying $0.50 a unit to have their app pre-loaded on the phone. All this bloatware, plus the additional QA the carrier does on each new build, is why Android releases are so delayed. Note that iPhones are devoid of these specific issues (though they have their own different issues). Apple wisely told carriers to shove it where the sun don't shine, and Google was wise to follow The Late Steve's lead with their Nexus devices.

    6. Re:Stop screwing with it so much by canadiannomad · · Score: 2

      The moment you connect your car up to the internet, it too will need software updates.
      In a car no-one is constantly trying to run you off the road or blow you up.
      Not true online, you are almost always being probed to find out if you are susceptible to the latest car disabling technology.
      Online it is an arms race, not a status quo.

      --
      Hmm, the humour and sarcasm seem to have been lost on you.
    7. Re:Stop screwing with it so much by icebike · · Score: 2

      Try writing software for a car. ... We ship modules that are never updated (ROM parts anyone?)

      Hmmm, that's not my experience.
      Both my prior car and my current car had software updates over their life, the new car within 5 months of delivery as required by a recall. It's still riddled with bugs that are obvious, and grousing to the dealer is of no use, because the software is out of their hands. If I install after-market software, my warranty is void on the entire vehicle.

      --
      Sig Battery depleted. Reverting to safe mode.
    8. Re:Stop screwing with it so much by aztracker1 · · Score: 2

      If you aren't pushing bug fixes upstream, you are part of the problem...

      --
      Michael J. Ryan - tracker1.info
    9. Re:Stop screwing with it so much by trparky · · Score: 3, Informative

      Actually, minor changes (like that) to your plan do not reset your wireless contract clock.

  3. American Civil Liberties Union by Qwavel · · Score: 3, Interesting

    "said Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union."

    Finally, an article about the dangers of Android that quotes someone I'm prepared to listen to. I'm not entirely sure why the ACLU would be involved in this stuff, but I do have some respect for them and believe them to be objective in this matter.

    I'm tired of the barrage of articles about the security problems with Android, and the need for anti-virus to resolve them - quoting people paid by the anti-virus companies.

  4. The carriers don't care. by getto+man+d · · Score: 2

    If the carriers were what most of us want, i.e. dumb pipes, then we could possibly own our phones and upgrade them in a much easier fashion (so long as the hardware manufacturer is still providing updates).

    Verizon's treatment of the Samsung Galaxy Nexus has been an eye opening experience and I'm still trying to figure out an alternative solution.

    1. Re:The carriers don't care. by Andy+Dodd · · Score: 2

      Solution: Buy from an MVNO that is a dumb pipe. Straight Talk's BYOD SIM plans are proving quite popular.

      Nexus 4 from the Play Store + Straight Talk = device you control hooked up to a dumb pipe.

      --
      retrorocket.o not found, launch anyway?
  5. Re:Stalling? by h4rr4r · · Score: 2

    What lack of flash support?

    Adobe killed flash for all devices post 4.0.

  6. Re:Keep it Android! by idontgno · · Score: 2

    Nonsense. Why would carriers interfere with the current Android upgrade model: Buy a new phone with the current release of Android. And extend your contract at the same time.

    The ACLU is complaining that the carriers are allowing the shackles to get all rusty and dangerous and uncomfortable, but they're not arguing for an Emancipation Proclamation: they just want the handcuffs to be adjusted and replaced regularly.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  7. Re:Still using my Droid 1 going on three years by poofmeisterp · · Score: 2

    You are running stock on that device?
    WHY?

    Because they're trying to run the device from the perspective of the average end user. And that perspective has been clad in suckiness since the beginning.

  8. Re:Not a problem for iOS. by PortHaven · · Score: 2, Insightful

    Really?

    Because my iPhone 3G didn't get the last few updates. And courtesy of Apple, it no longer streams Netflix. Because crApple is so incompetent, they can't even manage app versions.

    Case in point. I have an iPhone 4 and a 3G. iPhone 4s are running iOS 5 & 6, which the new Netflix app requires. However, the 3G model is not able to update to iOS 5. But iTunes only allows for one instance of an app. So you'll find that your old phones are now updated to versions of applications they cannot run.

    Get off your high crApple horse. The platform has major suckage. Want to bet $250?

    Move a photo you take with your phone into another folder. (No, don't just create a reference. Actually MOVE IT!!!)

  9. Re:Keep it Android! by MBCook · · Score: 3, Insightful

    If they don't tinker with the OS, how are they supposed to add value?

    Why, with what you're suggesting, they would just be commodity dumb pipes. When has a phone company ever admitted that?

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  10. Cyanogenmod by vlm · · Score: 3, Interesting

    Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources

    How come the cyanogenmod people do a better job than everyone else in the industry?

    I just upgraded a LS670 last weekend to cyanogenmod. CM9 if I recall. It's faster, looks better, more features, MUCH newer which would imply fewer holes, overall quite a massive improvement over stock. It no longer has cell service, I'm using this phone as a wifi microtablet, quite happily.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  11. Re:Doesn't matter on rooted phones by h4rr4r · · Score: 2

    Why not just flash a new ROM instead of using the OTA update?

    If you wanted to use OTAs, why flash Clockwork at all?

  12. Re:Why isn't Android more modular by AwesomeMcgee · · Score: 2

    Go re-read why worse is better http://www.dreamsongs.com/RiseOfWorseIsBetter.html and realize any form of micro-architecture has long since been destroyed by the formidable drive of the monolithic design and its ability to be simultaneously horrible and intractably irremovable from the minds of the vast majority of engineers, along with being faster to get out the door and therefore meeting all requirements of the business people who actually shove all this garbage down our throats.

  13. Re:Why isn't Android more modular by AuMatar · · Score: 3, Funny

    Wouldn't matter. The problem is more political than technical. Carriers are the ones who push updates, and they don't care especially in the US. Check EU versions of US phones and you'll see many more updates that never make it out here.

    Some of that is for a good reason. Carriers put phones through very rigorous acceptance testing that takes weeks to finish. It tests the phone as a whole, not individual modules. Trying to push out partial updates would screw with their process and cost tens of millions. It would also lead to people having versions of modules that were never tested together, an increased possibility of bricking your phone. When your device is seen as a consumer utility that just really isn't an option.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  14. Re:Unexpected? by Microlith · · Score: 3, Informative

    Nonsense.

    The core problem with Android is a core problem with ARM, namely that all of the nice plug-and-play stuff that lets a single kernel, and thus an Ubuntu live CD, boot on many systems doesn't exist in ARM. So each handset has to have the kernel adapted to it. And since this adaptation has to be done for every kernel Google releases, the handset vendors get lazy particularly as the kernel moves on and leaves their older, out of tree drivers behind.

    This has little to nothing to do with regular Linux distros because compatibility across them is actually quite good and as of Jellybean there is nothing other than the kernel in Android that is used by other open source projects.

    That they fail to push security fixes, let alone new Android versions, is because they just don't give a fuck.

  15. This is one of many reasons why by erroneus · · Score: 3, Insightful

    In previous comments related to carriers and phones, I stated that I am done with carrier games.

    I am done with carriers selling me "discounted" phones which are actually far over-priced when required and unwanted data plans are added to the mix. I am done with carriers and their spyware and bloatware. I am done with carriers controlling the obsolescence of my device by providing late updates or failing to update them at all.

    Long ago I recognized the potential for security issues which predictably would not be managed by the carriers well or at all.

    Apple has it easier and it was by design. There are fewer models of iPhone so everyone is happier. Users know what they've got. The accessory makers are better guaranteed sales of mass produced products. Apple's carriers don't get to corrupt the iPhone and therefore there is more sanity when it comes to user concerns like bugs and security.

    I have a Google Nexus. Not quite my ideal phone, but less expensive than unlocked/unbranded Samsung Galaxy S3. It is more likely to get updates and fixes and within my power to install and use custom ROMs.

    Carriers care more about themselves than their customers. It is clear and evident. Why keep hoping and demanding that they care? Know them for what they are and respond.

  16. Re:Keep it Android! by AmiMoJo · · Score: 4, Informative

    The real problem is that customers in the US get completely and utterly screwed by the carriers. Really, you guys take it hard in the arse and pay through the nose for the privilege.

    In the UK you can get a phone on contract from a third party. You get the same contract deal as you would going directly to the carrier, although often for £5/month less. The phone is unlocked and unbranded, you get updates directly from the manufacturer and no pre-installed carrier crapware. There are some good deals on offer too, for example 3 do a really unlimited data plan. A friend of mine runs Android uTorrent on it.

    Regulation has delivered this for us. It is really easy to switch provider and take your number with you. Contract terms are heavily regulated to make sure they are fair and reasonable. It isn't perfect by a long way but it saves us from the rip-off hell that the US mobile market suffers from.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. Re:Not a problem for iOS. by bhagwad · · Score: 3, Informative

    Not everyone with a Windows PC has had their identities stolen and bank accounts emptied. Oh, and by the way, "security" is just a convenient excuse for censoring apps. Look at the big stories of Apple censorship - they have nothing to do with security and everything to do with Apple enforcing their own morals.

    Security my ass.

  18. But wait - now how much would you pay? by cyanman · · Score: 2

    The phone maker gets their profit from selling new phones. Updating your phone's OS to a new version costs them money and delays your purchase of a new phone. How much effort would you put into raising your cost while costing yourself future revenue? The carrier makes money by locking you into a longer contract term. Often those new terms are at more $$ per month which happens when you buy a new phone. Updating your phone to a new version delays your commitment to a new contract term. I'm perfectly happy with my 3 year old android, especially since I updated it myself via an xda-developer ROM. But what if the manufacturer/carrier said "You want Gingerbread? Give us $20. You want Jelly Bean? Give us another $20. You want Key Lime? Give us another $20." They get cash in hand, you get renewed life on your phone.

    Are you in?

  19. Re:Not a problem for iOS. by Skater · · Score: 3, Insightful

    I have an iPod touch, gen 2, which has been stranded. I wish I could get an update on it, but the CPU on it is too old, so they don't support CPU hog iOS 5 on it.

    I hear people complaining about this, and I don't get it. Maybe they don't remember the 80s and 90s when your computer was out of date within a few months, and it wasn't long before you couldn't run the newest and greatest software. Today, computers have a much longer lifetime than they did back then. I point this out because that's where we are with these portable computers (iPhones, Android phones, tablets, etc.) - we're still in that early and fast update phase. Early on, each new iteration was leaps and bounds ahead of the prior one, and the pace is only starting to slow down now. The pace will speed up again if and when better battery technology shows up.

    And, frankly, they pushed out updates for the Touch 2nd Gen for quite some time. Don't act like it was abandoned 3 weeks after they released it, because it wasn't. Updates were available for a long time for it.