Fragmentation Leads To Android Insecurities
Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software' unlike Apple's iOS which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"
iOS is a single target: get one sploit that works, you know it'll work on all of them. The recent Exynos sploit only worked on some Samsung chips. So.. hackers have more devices to attempt to hack! Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?
Waiting for an amusing sig.
Should have used a car analogy.
Not so long ago niche platforms and disparate architectures were slated to be good BECAUSE they were so diverse it wasn't worth the time to hack them individually...
I also remember a time not so long ago that Microsofties used to complain that the frequency and ease of attacks on public sites was due to their dominance and being a big target. I wonder what Linux admins say now, since they now dominate the data centre?
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
As long as any platform offers potentially free apps and upgrades there will always be this high risk for exploitation. Perhaps we should take the matter into our own hands and start a group to offer a safety certification?
The problem isn't vendor fragmentation. The problem is vendor laziness. If you produce an Android device there is no legitimate reason why you can't provide regular updates.
If there was a common hardware platform, like on the PC, where every PC is essentially compatible with every other PC, you could easily update your operating system without the manufacturer of the hardware.
However SoC vendors don't want that, since it would mean that a device maker could easily switch from one SoC to another one. Plus they still use undocumented proprietary hardware in those SoCs, that's why you have binary device driver blobs which are hard to port.
The other problem lies within Google. They should have mandated some sort of "BIOS" which would have allowed any operating system to see what kind of hardware there is. This wouldn't have been more than a few hundred bytes in the flash containing the bootloader. That way you could have a generic operating system image, which would read out that ROM and execute routines found in it to use the hardware and then, perhaps at a later stage, use specialized drivers... just like it's done on the PC.
The sort of fragmentation we currently have in the Android market is simply bad, but a logical consequence from bundling hardware with the operating system. I just hope that one day the Chinese will wake up, and design a common hardware platform allowing the user to boot its own operating system from the SD-card, and even move it from device to device.
TFA author is an iPhone user, according to his twit feed https://twitter.com/craigtimberg
Trying to argue about fragmentation with people attacking Android is a losing battle. "Fragmentation" means there's too many different hardware form-factors. No, it means too many vendor-specific UIs. No, it means that we need to support multiple OS versions. No, it means that we can't guarantee what security patches have been applied.
Bah, from where I'm sitting, "fragmentation" means nothing more than "I don't like it" - a way of disparaging choice from those who don't want it.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
You get one exploit that works against Android Gingerbread, and you've got one that works for 2+ years against the still most popular version, by a large margin.
"Washington post parrots Microsoft talking points."
Linux has huge diversity among its many distributions, and yet it doesn't suffer from the security problems described in the article. So-called "fragmentation" isn't really a valid technical reason for lack of security at all. If a system is designed for security then it will be secure, regardless of the number of its variations.
The real reason why Android is lacking in security is because Google hasn't focused on security. They decided not to include iptables/netfilter (the Linux firewall) as a standard facility in Android, which would have been very easy to do. And they haven't allowed users to block privileges demanded by apps after install. Instead you're offered only a package deal, either let the app do whatever it wants or don't install it, period. Android users are hence pressured into a corner, and the end result is often worse security than they would wish.
Don't blame fragmentation. Instead point a finger at Google designers who seem remarkably disinterested in supporting the Android user's security and privacy requirements.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Having everything all being exactly one way is one giant target for easy attacks. The more different, the better. They have this completely backwards.
That whole article reads like it could have been written by the Microsoft FUD division. It's either nobody uses Open Source or, if it is popular, then it has to be fragmenting ...
"Android also gives you tools for creating apps that look great and take advantage of the hardware capabilities available on each device. It automatically adapts your UI to look its best on each device, while giving you as much control as you want over your UI on different device types."
"you can create a single app binary that's optimized for both phone and tablet form factors. You declare your UI in lightweight sets of XML resources, one set for parts of the UI that are common to all form factors and other sets for optimizations specific to phones or tablets".
"At runtime, Android applies the correct resource sets based on its screen size, density, locale, and so on."
AccountKiller
ba-dum-tish
But seriously folks, it's not that Apple releases updates several times a year that's the important bit. It's that those updates are available instantly, worldwide, to everyone, on every carrier, to every device younger than about four years old, and the update process is so easy and convenient that everyone (close enough) installs the updates.
The biggest install base for iOS is always "the latest version". The biggest install base for Android is what, Honeycomb? Shit.
What? Android bad for corporate security? BYOD bad for corporate security?
Excuse me sir... {smile}
Three Squirrels
Some of them aren't dumb, just poor.
I'm wondering if the solution would not be for OS updates to be on sale, at a low-ish price, ie 5 or 10 bucks. That way, OEMs can recoup part of their investment, and users can put their money where their mouth is. I personally don't care that much about OS updates, my Xoom has gone from 3.x to 4.0 to 4.1 and I really didn't notice any difference.
The Cloud - because you don't care if your apps and data are up in the air.
First fix the two most known design flaws:
1. Security model. Most apps have the "internet" capability already but don't actually need it. Many have more than one capability not needed by the application. Some might need it for very small operations but the trust is already rendered useless.
2. Play Store. Quite similar to point 1 mentioned above. The end user should judge the "trust" level of an app by reading the comments. I once installed an app reading 6 pages of "this is wonderful app 5/5 stars!" and every 7th page had "don't install it, it's a trap!". Despite being a malicious app it had 4/5 stars as the people giving the reviews were not enough to bring the average down (the 5/5 review spams).
3. Fix Java.
This is quite sad as the Android platform has some potential. And Google doesn't really care.
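The all-or-nothing permission model complained about in the post above and in the earlier post about not being able to block app privileges after install can at least be checked before install. The following is an added example written for this thread (not code from any poster): it parses the uses-permission entries of a constructed AndroidManifest.xml and flags requested permissions that the app's stated purpose does not justify, with INTERNET and other data-leaving permissions treated as decisive. The purpose-to-permission table is a hypothetical policy for illustration, not Android's own classification.

```python
"""Pre-install permission audit for an Android APK manifest (constructed example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# The XML namespace Android manifests bind to the "android:" prefix.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# Hypothetical policy: what a user would reasonably expect each kind of app to need.
EXPECTED_BY_PURPOSE = {
    "flashlight": {"android.permission.CAMERA"},          # flash LED sits behind CAMERA
    "offline-notes": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "messaging": {
        "android.permission.INTERNET",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
    },
}

# Permissions that let an app read private data or move it off the device.
# These are the ones that make the "package deal" dangerous when unneeded.
HIGH_RISK = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NAME)
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NAME)
    }


def audit(manifest_xml: str, purpose: str) -> dict:
    """Compare requested permissions against the policy for the app's purpose.

    Because the platform offers no way to drop a single permission, the verdict
    is install-or-reject: any unneeded high-risk permission rejects the app.
    Unknown purposes are treated as needing no permissions at all.
    """
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED_BY_PURPOSE.get(purpose, set())
    unexpected = requested - expected
    exfil_capable = unexpected & HIGH_RISK
    return {
        "requested": sorted(requested),
        "unexpected": sorted(unexpected),
        "exfil_capable": sorted(exfil_capable),
        "verdict": "reject" if exfil_capable else "install",
    }


# Constructed manifest for a "flashlight" app that also asks for network and contacts.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>
"""


if __name__ == "__main__":
    for purpose in ("flashlight", "messaging"):
        report = audit(SAMPLE_MANIFEST, purpose)
        print(f"as {purpose!r}: {report['verdict']}  unexpected={report['unexpected']}")
```

The same manifest passes when vetted as a messaging app, which is the point: the risk is in the mismatch between purpose and permissions, not in any single permission.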
I always thought it's the responsibility of the manufacturer of the device to make a product which sticks to certain definitions. I don't see many Android products listed with security as a feature, therefore I also don't assume that the design of the preinstalled SW goes into that direction.
Wait- who?
Google abandons stuff way early? Or you mean the vendors, who make the vast majority of abandoned devices and have every incentive to obsolete old hardware so they can sell new devices?
This "fragmentation" angle is a bullcrap attack on Android or Google. It *IS* a valid criticism of a bullshit FCC that prohibits unlocking phones and won't even give their explicit blessing via DMCA exemption to unlocking bootloaders so that people can update their tablet (and other devices)'s old operating systems. As if we should need anyone's approval.
The fucked up business models of the mobile cartels is the massive issue, not something inherent in Android or Google. And you can add the FCC's total ignorance regarding mobile devices that they are regulating, as they're supporting the anti-competitive status quo.
Some of us look forward to the inevitable shitstorm and think this kind of excitement is just... great!
Obligatory Animal House
from the Google Play store. It's free and quite powerful. Works on older versions of Android too. It's like the Swiss Army Knife of mobile security - Scans apps and SD card for malware; has an excellent privacy dashboard; and has real-time shielding of apps, web links, and messages to protect from malware. It has a firewall that can be set up on rooted devices; can block calls and SMS messages based on filtering rules; has a network meter; and has several anti-theft functions. Really a brilliant app, from a trusted security company. They also have an iPhone app, although that one seems to have some slightly different functions. I think anyone with a modern smartphone should have some malware protection on board, and this is an outstanding suite with the right price - free.
It's actually worse than mere security theater. Because the Android user has no visibility nor control over the sites with which the installed apps communicate, nor visibility of the data that is sent, nor visibility of the app code in most cases, Android provides a wide open vector for security and privacy leakage.
Google makes not even the slightest attempt to control this and gives users no such ability either (you can't turn permissions off for an app). Only those who root their devices and install extras have any measure of protection or control. The ordinary Android user (in other words the *vast* majority of users) have no protection nor control at all.
It's only by pointing out these issues that Google might perhaps be pressured into taking user security against apps more seriously. But if they continue to ignore this matter then security-oriented forks are coming, you can guarantee it.
Trying to argue about fragmentation with people attacking Android is a losing battle. "Fragmentation" means there's too many different hardware form-factors. No, it means too many vendor-specific UIs. No, it means that we need to support multiple OS versions. No, it means that we can't guarantee what security patches have been applied.
Boy, it sounds like the kinds of attacks on Android feasibility are splitting into a lot of different forms. If only we had a word for that.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I just love the idea that since you are protected every other Android user can just go to hell - it doesn't matter, your phone works!
Stupid ignorant LUsers, right? Ha Ha, watch them burn.
I love the idea of bringing all the foibles of the PC era forward into the realm of mobile to screw over a new generation of innocent tech users.
You said it's not unusual so please link us to the this supposed endemic problem in Google's Play Store.
The incredible speed and ease with which any developer can push an app into Play comes at a cost you know, even if you'll not admit it.
Google does scan binaries for viruses. But all the technical users know how effective virus scans really are.
TFA author is an iPhone user
Well actions speak louder than words, so it guess it bears out what they are saying. If you found a platform to be incredibly insecure why on earth would you continue to run it?
Far more of a story would be if they were running Android devices day to day despite the concerns raised.
I just love the idea that since you are protected every other Android user can just go to hell - it doesn't matter, your phone works!
GP never insinuated anything like that.
Stupid ignorant LUsers, right? Ha Ha, watch them burn.
TROLOLOLOL.
I love the idea of bringing all the foibles of the PC era forward into the realm of mobile to screw over a new generation of innocent tech users.
And how, pray tell, do you feel about the lack of app-level firewall, app permission control, and inability to load a custom ROM on your precious iOS devices? Say what you will about Android, but at least solutions to these considerations exist on Android, technical though they may be.
A multitude of manufacturers, a myriad of differing hardware configurations, only a single operating system, and lots of vulnerabilities.
Could be used to describe both the Android smartphone market, or the Windows home-computer market.
/ The Arrow
"How lovely you are. So lovely in my straightjacket..." - Nny
In the WaPo? They don't do hard news since Kaplan ( just another online education for profit ) they say news is NOT their primary role anymore at the Washington Post ... they say it on their own homepage and have for over a year now.
So they take Microsoft's PR piece about how bad bad Linux ( = Android ) is. Soften 'em up for tomorrow's WaPo PR piece about how GOOD GOOD Windows 8 phonz are. Or whatever monstrosity awaits us from the former Dell+MS.
According to Microsoft: Fragmented = bad. Monoculture = good.
Nature abhors a mono-culture. That's why Android (and Linux) fragmentation is good ( = survival ) and Microsoft monopoly ( = all the same stuff ) is bad because its so easily hacked if you can do one MS junk box you can do 'em all.
Personally, I hope a Linux Mobile (perhaps on a Microsoft/DELL ARM device) will soon be enough all on its own as Google isn't contributing much back to the open end of the pool and for MS/DELL/ARM the box stripped of Windows may make it a fine platform for mobile standardization like the IBM PC in 1981.
Malware?
You're holding your phone wrong.
Yeah, and? Wake me up when this is actually a commonplace problem, and even all that noticeable amongst the storm of problems with iOS devices. I don't really follow handheld security like I should, but even I have heard of and experienced the fallout of multiple different iOS exploits and vulnerabilities in the past week - email spamming, sms spamming, and appointment deletions on Exchange amongst them.
I've heard of nothing like this happening on Android, even though most of the people I know use Android devices. Anecdotal? Sure. But it isn't half as anecdotal as 'fragmentation'. I'm sorry, when apps -mostly- work cross device as well as cross device generation, there's a unified app market, and efforts are being undertaken to scale the OS to handle device feature differences (eg. screen resolution) arbitrarily, I'm not sure exactly what kind of 'fragmentation' we're talking about. Especially when we've got efforts like Cyanogenmod which are starting to serve as a shared base for vendors while maintaining a high quantity of cross-commits with AOSP.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
A multitude of manufacturers, a myriad of differing hardware configurations, only a single operating system, and lots of vulnerabilities.
Could be used to describe both the Android smartphone market, or the Windows home-computer market.
Except Android does not have loads of vulnerabilities. Apple on the other hand have Developers attacking 75% of its users, and Apple themselves calling its customers criminals.
http://en.wikipedia.org/wiki/Android_version_history#Android_2.3.E2.80.932.3.2_Gingerbread_.28API_level_9.29
Gingerbread is only 2 years old, and still supported by Google with its first party applications. To put that in some kind of perspective, XP was released 12 years ago.
For what it's worth....
I have been a big fan of Avast for many years, and heartily recommend them to anyone running a MS OS.
It plays well with Windows Defender[1], and in 'Game mode', does not interfere with anything that I know of.(YMMV)
I , as a fan, am glad to see that they have applied their mojo to Mac/Apple and Android...hopefully they can jump into the *nix world fully.
[1] or whatever it is called currently.
I currently dual-boot Kubuntu 11.04 and Win7, both 64 bit.
Win 7 for Fallout 3 and NV, and Oblivion and Skyrim, otherwise, I spend the balance of my PC time in Kubuntu.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
It is just the customization and vendor disinterest that prevents updates. It is as if Dell, Lenovo, HP, etc added their crapware so deeply into the Windows infrastructure that Microsoft's security updates could not be applied and the vendors were not interested in creating or distributing adapted versions.
On the contrary, it is vendor interest that prevents updates.
The first thing to know is that Google does not create Android releases. Google does continuous Android development, and any time after release N.M, but before N.(M+1), or (N+1).0, for new major releases, the code base is called after the current tree version number. When a vendor wants to release a new Android cell phone, there may be parts of the code base they've contributed back for specific chip and peripheral support, but what they do is take a cut of the code base and freeze it. Then they apply patches and finishing touches which don't get integrated back to the main Android code base as part of taking it from the raw, unproductized Android code base to a productized version which can be shipped to customers.
The dirty little secret here is that all productization is done by the device vendors, and not by Google, and that Google itself is basically incapable of productizing an operating system like Android. Instead, they rely on the device vendor to do this, and the device vendor, wanting product differentiation, willingly cooperates, or even insists, on this happening outside of Google.
What that means is that "Android version 4.1" is a meaningless way to compare Android devices with one another, since Samsung's version of 4.1 may not have identical bits with Sony's version of 4.1, since they were most likely cut from different development versions of the source tree, even if they were cut only hours apart.
The bottom line here is that even a working security fix back-ported to "Android 4.1" is most likely going to result in a product reintegration, since the patch(es) will have to be rolled forward from the Google release branch of 4.1 (which has no additional changes past the Google release date) to the vendor's version of 4.1, which is a set of patches and productization on top of some code branch somewhere between Google's 4.1 and their 4.2. This is nearly as much effort as developing a new "model 720" phone with COGS-reduced parts, and based on the original "model 710" phone from that same vendor. The team which works on this "improved Android 4.1 for the 710" is a set of people who isn't working on the "model 730". As far as a vendor is concerned, that's spending good money to update a product for previous customers who aren't paying them money for the new improved version of the product, because "the old version is good enough".
The second thing to know is that the carrier marketing model in the U.S. effectively discourages the carrier from updating the OS, even if the handset/tablet manufacturer were willing to integrate the bug fix and provide an update.
In the U.S., a carrier locks you into a 2 year contract, and then offers you a 6 month "early update" to lock you into that carrier again for another two years after 18 months. The upshot of this is that they get to keep the captive user as a subscriber, in trade for a new handset, which is subsidized by the carrier, and the old handset has been fully paid for (and then some) by the monthly bill portion which pays for the "free" handsets in the first place.
The net effect of this is that, if they update an old phone, unless they have a new phone with some compelling new feature(s), the customer is more likely to "ride out" the remaining six months on their contract, and then just switch carriers. The only real compelling features that differentiate one Android phone from another these days are the version of Android they are running. Sometimes there are minor changes in hardware, but frankly, there's usually no hardware change that's compelling enough to get someone to NOT
Fragmentation is a problem as it undeniably results in a subpar experience
No, quite the reverse. Choice for consumers [through competition] has driven manufacturers to produce such compelling hardware. It outsells Apple 4X worldwide, causing its share price to plummet.
We know iOS is insecure because it's jailbroken every other week. Ironically, done to have similar functionality to Android.
Nope, unlocking your phone is - which is different to jailbreaking.
You're right, Apple tried to make jailbreaking illegal and the EFF got a short *exemption*. It's still illegal for the iPad, and Apple still thinks its customers are criminals.
One big problem: WP8 and iOS are too locked in and come from two companies I do not trust.
I think Windows Phone 8 has bigger problems...starting with it's not very good, and ending with nobody wants it. iOS on the other hand is failing because it has failed to fragment :).
I'm sorry, in the context of this article iTunes is simply an extra security vector on my computer, and at best is bloat. It offers a poor service, and poor value [where are the free upgrades to FLAC]. On its own without the i*** it's simply a poor product; my favorite music player at the moment is Clementine http://www.clementine-player.org/ I'll probably replace it with something else soon.
As for iOS...its simply looking tired.
Without providing specific examples of malware that's led to security breaches, the article could be describing any mobile platform. In my opinion, the greatest threat isn't which operating system is running on a device, it's all of the morons carrying their devices on them and leaving them lying around without using any lockscreen security. Slide-to-unlock is the biggest problem.
data's problem was.
I believe they actually CHOOSE the things they buy.
People will rather naturally choose freedom over tyranny.
it doesn't look tacky like android. I might be upset over flac if most of my music was flac but it's not and I can convert it to the open apple lossless format but in most cases
Sorry, unlike Apple's *police state* products, almost every part of Android is replaceable; you clearly have never used it. The fact that Apple does not support FLAC, the industry standard, and again has gone off on its own standard says it all really...do you have to pay again to update your DRM MP3s to this format?
Fragmentation is just another way for Android opponents to satisfy their OCD tendencies by saying "Look, it's not all the same". There isn't any platform under the sun which HAS NOT gone through revision changes, functionality changes, dictatorial UI changes, braindead patches and community "hacks" - jailbreaking/rooting included. Let's call a spade a spade; look at the versions of iOS which have come and gone and the problems that has caused for both applications AND development. Plenty of room to point a finger there and say "Umm.. you've broken your platform by changing something and therefore fragmented your application base". It's pointless to play the "fragmentation" card because in reality, every platform/OS has it to some degree.
Join the Slashcott! Feb 10 thru Feb 17!
Monoculture is always the weakest link.
I guess some retard with a lot of money doesn't like having to make a choice and risk it being wrong, therefore blaming the lack of choice on their hesitancy.
So how much did Apple pay the WaPo for this story?
Apple has really gotten into everyone's heads. "You still have the older version of the OS? You must have vulnerabilities, then! You must upgrade to iOS5! Er, Android iOS5..." security patches are made through my Android even though I'm still on Gingerbread.
When it comes to Windows, everyone mods up using XP ten years later, but it's different with smartphones somehow? If there is a problem, it's not the lack of getting a new OS like many here have suggested (while that is frustrating it's not an option), it's the lack of pushing out security updates.
I value security over freedom. But for most people with computers that is not possible to pull off without harm.
That's what you miss, is that iOS offers a choice. You can have security OR freedom depending on preference. It just ships with "security" as the primary focus by default.
Android offers no such choice. It's the same old BROKEN security model we have been using with traditional computers for years, which has spawned a sea of malware, viruses and pain for non-technical users.
Why should those poor people not have a REAL choice, to be able to use computational devices without concern?
WTF? how do you get unapproved apps on an idevice?
Any iOS enterprise development account.
Or get a development account yourself and build for your device.
Or jailbreak and load any apps you like without any kind of development environment.
There are many paths.
We could reach for the stars! Get some giant solar panels and use them as a space sail combined with energy gathering for EmPropulsion.
MP3's are so 90s.
You hipsters can move back to vinyl if you want, but the rest of us will live with the [almost] patent-free format.
To take your analogy and run with it, your copies of Notepad and Paint have been updated, but not your OS or any 3rd party applications.
Not really unlike Windows...Android comes with some serious first party applications [we won't talk about Internet Explorer], and unlike Windows *automagically* updates third party applications too...oh and Android has been releasing security patches too :)
run a random version of an operating system that might have several old exploits (but may also prove incompatible with payload code)
:)
or... Run the same version of the OS as everyone else and when an internet white list or similar "security" feature is implemented have no choice but to take it?
I think I'll take my chances with directed attacks thanks.
Since the government is monitoring all of our communications you'd think they'd have the ability to protect us from these exploits? I mean that's a pretty simple thing to add in... right?
Not that your ISP is an acceptable security provider... but it certainly seems like a plausible attack vector for more terrifying government/military style attacks.
I have this horrible sensation that my older computing and telecommunications hardware is more secure/unlikely to be targeted by big government than the newer stuff. In fact ideally it will have so little SPACE available that new poorly written exploits won't be able to run on it.
96MB isn't enough for big brother
When I joined Reuters London back in 2002, I bought an Archos Jukebox to listen to MP3s. At work I would sometimes download stuff and copy them over the USB to the 10G drive in the Archos. Then I realised that I could copy anything that I wanted, and for several years I did just that. After all, you never know when it might be useful to have project planning documents to refer to when you need to write something similar at your new job.
I noticed that my coworkers were not nearly so subtle. They just emailed their mates at another company for a copy of a document, loaded it up in Word and used find/replace to localize it. A careful reader like me noticed where the find/replace didn't quite catch everything. One blatant example was the headers/footers which contained the name of the original company who wrote the document, and some misspelled company names from the second company to use it, which our lad did not manage to catch with his find/replace. So we were actually the third company to use this wisdom.
You do not have to be rooted to carry out realtime web scanning shields, real time messaging shields, scanning of downloaded apps and files for malware, etc. Rooted does give you some additional ability to install protective measures, but you should still be scanning for malware whether rooted or not. I chose not to root my phone. As far as this being an ad for Avast - the software is free, and I certainly don't work for the company, so the only people who may benefit from me posting some information about it is other users. And, there are several other security suites available - I would advise anyone to check around and use what's best for them.
...the reality is that the vast majority of people only use Android devices for texting or calling. Just like they did with their feature phones. They were simply upgraded to an Android handset because the salesperson got a bonus for doing so and it was probably a free p.o.s. that fit the budget of the buyer perfectly.
So, while it is "possible", it is very unlikely that the mass user base even know what can be done much less how to do it. Nor do they care.
And your opinion about the malware problem "seem"ing to be overblown is meaningless. The facts are that Android devices are being compromised all over the world and real damage is being done to millions of owners.
Using the Kindle Fire as your example of an Android device doesn't work. Amazon forked Android and the Fire's OS is nearly unrecognizable as an Android device. However, I do understand your point and appreciate it.
And thank you for taking the parent to task on the BS of what is legal on iOS.