Slashdot Mirror


Fragmentation Leads To Android Insecurities

Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software,' unlike Apple's iOS, which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives, 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"

10 of 318 comments

  1. missing disclaimer by Anonymous Coward · · Score: 3, Informative

    TFA author is an iPhone user, according to his twit feed https://twitter.com/craigtimberg

  2. Re:Or... by ahabswhale · · Score: 4, Informative

    Android phones rarely get updated. About half of all Android users are still running 2.3 or earlier and the uptake for new versions is glacially slow. This makes Android extremely vulnerable. If someone discovers an attack for 2.x, it's game over for millions of phones. Android also has a leaky walled garden that allows users to easily bypass the Google Play store and go to any marketplace they may choose. Hell, it's not even unusual to find infected apps in the official Google Play store.

    --
    Are agnostics skeptical of unicorns too?

  3. Re:It's not the frequency, it's the penetration by Swampash · · Score: 4, Informative

    The biggest install base for iOS is always "the latest version". The biggest install base for Android is what, Honeycomb? Shit.

    Even worse, it's still Gingerbread.

    http://bgr.com/2012/12/04/android-version-distribution-december-2012/

  4. Re:Not vendor fragmentation by Anonymous Coward · · Score: 2, Informative

    Two reasons:

    1) Hardware component manufacturers don't provide updated drivers. Many of them are binary blobs that aren't compatible with newer kernel/Android versions. Especially Qualcomm and Nvidia chipsets.

    2) Carrier certification is *expensive*. Going through the effort of getting updates carrier-approved costs tens of thousands of dollars, per update.

  5. Re:Not vendor fragmentation by thegarbz · · Score: 3, Informative

    I call bullshit to your bullshit.

    Go have a look at the list of supported devices by CyanogenMod and look up how many of those devices actually offer vendor upgrades to Jellybean. Hint: very few. My device stopped being supported at Gingerbread because the vendor says "it was too slow". I am now running Jellybean and thanks to Google's tweaks it runs faster and smoother than it ever did.

    But hey, let's not dwell on old hardware, shall we? Jellybean was released in early July 2012. Just under 4 months later Samsung were still saying US customers will get their SIII update in "the coming months". You know when CyanogenMod 10.1 supported the Galaxy S III? Within 3 weeks of release.

    The problem IS vendor laziness.

  6. Just download Avast mobile security by Andy+Prough · · Score: 4, Informative

    from the Google Play store. It's free and quite powerful. Works on older versions of Android too. It's like the Swiss Army Knife of mobile security - Scans apps and SD card for malware; has an excellent privacy dashboard; and has real-time shielding of apps, web links, and messages to protect from malware. It has a firewall that can be set up on rooted devices; can block calls and SMS messages based on filtering rules; has a network meter; and has several anti-theft functions. Really a brilliant app, from a trusted security company. They also have an iPhone app, although that one seems to have some slightly different functions. I think anyone with a modern smartphone should have some malware protection on board, and this is an outstanding suite with the right price - free.

  7. Re:Or... by semi-extrinsic · · Score: 5, Informative

    You should be aware of a new feature of Android that hasn't really gotten a lot of press, but is the solution to this problem: the latest upgrade of the "Play store" (market) includes something called "Google Play Services". This new app takes care of upgrading and patching all Google-produced apps (system apps, YouTube, browser, camera, etc.). It is back-ported both to Gingerbread and Froyo. It applies security patches and upgrades without needing user intervention, as I understand it.

    TL;DR: You may not be able to upgrade your Gingerbread phone to ICS, but Google still patches known vulns on your system.

    --
    for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done

  8. Re:Or... by Count+Dante · · Score: 4, Informative

    jailbreaking your iphone in usa is against the law

    Nope, unlocking your phone is - which is different to jailbreaking.

  9. Re:Or... by bartron · · Score: 5, Informative

    If someone is using an iPhone, at some point it was connected to iTunes to activate it (or it wouldn't be working).

    That used to be the case, but you can activate an iPhone or iPad without iTunes these days and never ever hook it up to a host computer.