Slashdot Mirror


Fragmentation Leads To Android Insecurities

Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software' unlike Apple's iOS which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"

68 of 318 comments

  1. Or... by MrDoh! · · Score: 5, Insightful

    iOS is a single target, get one sploit that works, you know it'll work on all of them. The recent Exynos sploit only worked on some Samsung chips. So... hackers have more devices to attempt to hack! Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

    --
    Waiting for an amusing sig.
    1. Re:Or... by ahabswhale · · Score: 4, Informative

      Android phones rarely get updated. About half of all Android users are still running 2.3 or earlier and the uptake for new versions is glacially slow. This makes Android extremely vulnerable. If someone discovers an attack for 2.x, it's game over for millions of phones. Android also has a leaky walled garden that allows users to easily bypass the Google Play store and go to any marketplace they may choose. Hell, it's not even unusual to find infected apps in the official Google Play store.

      --
      Are agnostics skeptical of unicorns too?
    2. Re:Or... by DerekLyons · · Score: 5, Insightful

      Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

      It's funny.... when Apple or Microsoft comes up, all the highly rated comments are about how Android lets you escape the walled garden and get your apps wherever you want from whomever you want. But let the story be about malware and security problems with Android - and all of a sudden it's the user's fault for going outside the walled garden.

    3. Re:Or... by TheGratefulNet · · Score: 5, Insightful

      nexus one user, here. cm7.2 is 2.3.7

      likely, that will be all it ever runs.

      shame and pity that google designed this. they farked it up. would you tolerate a linux distro that ended just a few years after it started?

      that's how I feel. abandoned.

      I run linux hardware (x86) that is recent and I also have 10 yr old systems that are just fine (thanks) and I continue to get linux updates for them.

      but not android.

      stupid google. seriously. why do people give google a pass on shit like this? we would not put up with this on regular desk/server linux.

      --
      "It is now safe to switch off your computer."
    4. Re:Or... by mjwx · · Score: 4, Insightful

      Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

      It's funny.... when Apple or Microsoft comes up, all the highly rated comments are about how Android lets you escape the walled garden and get your apps wherever you want from whomever you want. But let the story be about malware and security problems with Android - and all of a sudden it's the user's fault for going outside the walled garden.

      When given responsibility, people are expected to be responsible for themselves.

      Shock Horror.

      Whenever there is a thread on viruses for Macs, Mac fanboys always blame the user, as malware is only found in pirated programs. Whilst this is not strictly true in any modern OS (OS X, Windows or Linux), almost all malware these days is (knowingly or unknowingly) installed by the user.

      The equivalent of relying on "walled gardens" for security is like trying to cut road accidents by mandating that people can only buy white automatic Camrys with speed limiters. This ignores the fact that you can still crash a speed-limited auto Camry if you have no fecking clue how to drive.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    5. Re:Or... by icebike · · Score: 4, Insightful

      iOS is a single target, get one sploit that works, you know it'll work on all of them.

      The recent Exynos sploit only worked on some Samsung chips.

      So.. hackers have more devices to attempt to hack!

      Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

      To be fair, a couple of exploits have slipped into the Android Market over time, but by and large you are correct, it is the dodgy pirate black market where users hope they can avoid paying the 99 cents charged in the legitimate market where you are likely to get hacked.

      Yet these stories, always couched in terms of "fragmentation" and "malware" always show up in the press whenever Apple needs a little diversion.

      Fragmentation, because apple wants you to think that only a monolithic OS is safe. The variety of the Android world scares them to death.

      Malware, because they want to put the fear of alternative markets into the buying public. The emergence of alternative markets scares Apple to death.

      So every 3 or 4 months Apple plants these stories in the press. And every time, there is, predictably, absolutely ZERO outbreak of malware, except for the same pattern of cheesy hacks found on Chinese websites by people looking to save a buck.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Or... by crutchy · · Score: 2

      can you imagine the security epidemic faced by routers and set top boxes that never get updated... omg it's the end of linux!

    7. Re:Or... by an+unsound+mind · · Score: 3, Insightful

      This does not change the fact that a lot of Android phones are running vastly outdated versions of their firmware with several known security holes - and the people owning these phones do not have the option of updating their phones.

      Android is insecure, because of two factors - the manufacturers frequently simply don't give their users a way to update, and because the system requirements of the OS keep rising at an absurd pace, making many older phones incompatible with later releases of the OS.

    8. Re:Or... by dido · · Score: 4, Insightful

      Oh, I dunno. I kind of like having the choice of whether to stay in the walled garden or go outside every now and then at my discretion because I'd like to think that I know what I'm doing most of the time. Let's rephrase that a little: If someone decides to go outside the walled garden, well then, their security becomes their responsibility right? Perfectly reasonable thing if you asked me. Trouble is Apple doesn't like giving anyone this kind of choice, and that kinda makes you feel they're still trying to exercise ownership over your device even though you've paid them their ridiculous profit margins for it.

      --
      Give me six lines written by the hand of the most honest man, and I will find something in them to have him hanged.
    9. Re:Or... by denmarkw00t · · Score: 4, Insightful

      Mod parent up. iOS is a single platform, but new releases (major, point, all) are adopted relatively quickly, and support long lines on the hardware end. Android, however, is slow moving in upgrade adoption - while ICS or JB might have security fixes, most devices are stuck on Gingerbread with no apparent upgrade path from vendors. And, even when Google releases major updates, and even if your phone is very capable, odds are you're locked out of doing anything yourself by the manufacturer (or in some cases by your carrier - gf's Xperia had "Untrusted Apps" disabled and locked from being enabled, that's an AT&T "feature").

    10. Re:Or... by icebike · · Score: 4, Insightful

      There is no epidemic of exploits.
      Most doors can be opened with a bump key. But that isn't happening either.

      --
      Sig Battery depleted. Reverting to safe mode.
    11. Re:Or... by thegarbz · · Score: 3

      Hell, it's not even unusual to find infected apps in the official Google Play store.

      Citation Needed.

      Not a one-off either. You said it's not unusual, so please link us to this supposed endemic problem in Google's Play Store.

    12. Re:Or... by happymellon · · Score: 5, Interesting

      You mean like the Android humble bundles?

    13. Re:Or... by semi-extrinsic · · Score: 5, Informative

      You should be aware of a new feature of Android that hasn't really gotten a lot of press, but is the solution to this problem: the latest upgrade of the "Play store" (market) includes something called "Google Play Services". This new app takes care of upgrading and patching all Google-produced apps (system apps, YouTube, browser, camera, etc.). It is back-ported both to Gingerbread and Froyo. It applies security patches and upgrades without needing user intervention, as I understand it.

      TL;DR: You may not be able to upgrade your Gingerbread phone to ICS, but Google still patches known vulns on your system.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    14. Re:Or... by SuperKendall · · Score: 5, Insightful

      When given responsibility, people are expected to be responsible for themselves.

      The corollary is that it is IRRESPONSIBLE to give the masses a technology where it is IMPOSSIBLE for them to be responsible.

      If Android were just being marketed at technical users, that would be one thing. But to claim it's superior because it allows so much more freedom than most non-technical people can realistically control, and then push it on those same people, is borderline criminal.

      The iOS model is far superior. Technical users able to properly manage an open system are also able to fully unlock the system. But the default shipping mode is safe for people with little technical aptitude.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    15. Re:Or... by nonicknameavailable · · Score: 2

      One big problem: WP8 and iOS are too locked in and come from two companies I do not trust.

      --
      A liar ought to have a good memory.
    16. Re:Or... by Count+Dante · · Score: 4, Informative

      jailbreaking your iphone in usa is against the law

      Nope, unlocking your phone is - which is different to jailbreaking.

    17. Re:Or... by TheRaven64 · · Score: 5, Interesting

      Bullshit. The problem is Android's notion of a system application. These are things that can't be uninstalled and must be on the internal storage. Some of these really are system services, but others are just shovelware. The 512MB on the Nexus One is more than adequate for a more recent Android, if you move some of the non-essential crap onto the SD card. The Nexus One came with a 4GB SD card and supports up to 32GB, so there's no reason not to do this, except that then you'd be able to uninstall some of the Google stuff.

      This model, by the way, is especially wasteful because often these system components need updating, and due to the design of the Android filesystem layout they can't overwrite the old components, so you end up having to have two copies of a load of stuff installed, and you can't delete the unused one even though that's the one on the smaller storage device...

      --
      I am TheRaven on Soylent News
    18. Re:Or... by an+unsound+mind · · Score: 2

      I already switched. I used Android, but I grew very tired of the dearth of OS updates - I was stuck on 2.2 despite buying my device when 2.3 was already out - and the poor selection and difficulty of browsing of the Market. Where the market has vastly improved and things like the Humble Bundle have significantly improved the selection, the phones ain't getting updated any more frequently.

      And if Google doesn't bite the bullet and make it mandatory for manufacturers and carriers to provide updates, Android stays off the list of mobile operating systems I'm willing to consider.

    19. Re:Or... by Anonymous Coward · · Score: 2, Insightful

      Technical users hoping for Apple to miss an exploitable bug or two and, thanks to the Copyright Office, in the US being able to legally jailbreak an iPhone, but not an iPad.

      Superior, right.

      It's not "default mode". It's only intended mode.

      I say, Internet's pretty unsafe for non-technical people, and we're just giving them more freedom than they can be responsible for with unfettered access. We should implement a country-wide whitelist, and technical people can always fully unlock it with an out of country VPS.

    20. Re:Or... by tuppe666 · · Score: 2

      Some of us didn't give the poor experience a pass and moved away from Android. More people need to do that and let google know we think it's shit.

      Some of us didn't like being treated like a criminal, and locked out of its hardware, forced to use proprietary [and locked to iTunes] software and hardware, with it being stuck in incremental versions of both, and found the loving arms of Android, which offered arguably better hardware, software, standards and value.

      Want to buy my broken iPhone :)

    21. Re:Or... by thetoadwarrior · · Score: 2

      Firefox and Ubuntu phones are coming and there's blackberry.

    22. Re: Or... by limaxray · · Score: 3, Interesting

      There is nothing wasteful or unusual about Android's file system, it is perfectly normal for an embedded system like a phone. The objective is to make the device as durable as possible, immune to improper shutdown, negligent users, and other such things. For this purpose the core bits are on a partition mounted RO, with the user data stored on a separate partition. Generally the way you'd update such systems is to replace the entire RFS, but since that would require the OEMs' efforts, Android uses the system it does. Maybe it's not ideal, but we can update a good amount of functionality without having to worry about battery pulls bricking the phone. Complaining that your old, early generation phone doesn't support the newest software is ridiculous. We are with mobile devices where we were with PCs 15+ years ago. You are running a 486 in an age of Pentiums. Not only does the Nexus One lack storage, it has a slow SoC and only 512 MB of memory. And, IMHO, it was the biggest pile of dog shit to wear the Nexus title (yes I've owned one).

    23. Re:Or... by bartron · · Score: 5, Informative

      If someone is using an iPhone, at some point it was connected to iTunes to activate it (or it wouldn't be working).

      That used to be the case, but you can activate an iPhone or iPad without iTunes these days and never ever hook it up to a host computer.

    24. Re:Or... by kthreadd · · Score: 2

      Interesting. Does that include system components as well, like the kernel?

    25. Re:Or... by fredprado · · Score: 2

      It is quite possible for the masses to be responsible. The number of Android phones is going up and up, and most people are quite happy with them. Seems to me that this malware doom is severely overblown.

    26. Re:Or... by Dancindan84 · · Score: 2

      most devices are stuck on Gingerbread with no apparent upgrade path from vendors.

      Highlighting the part that I find most relevant. The problem isn't Android per se, it's vendors that lock you out of getting the most recent (security) updates to the OS. The play store has services that will keep even Gingerbread patched against known vulnerabilities (see comment 42829985). If your vendor blocks you from using that... time to pick a new vendor.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    27. Re:Or... by drinkypoo · · Score: 2

      Most doors can be opened with a bump key. But that isn't happening either.

      Most doors can't be opened with a bump key in mass numbers from the comfort of your own home, or a McDonalds near you.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    28. Re:Or... by stenvar · · Score: 2

      Given that Android phones are usually a lot cheaper than iPhones, people can upgrade by buying a new phone and still come out ahead financially.

    29. Re:Or... by cbiltcliffe · · Score: 2

      Choosing your freedom is *always* more dangerous. That doesn't mean you shouldn't do it, though.....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    30. Re:Or... by Dragonslicer · · Score: 2

      That facility didn't even come into existence until decades after the platform became a malware magnet.

      Decades? Windows Update was available for Windows 95 and Windows 98. I don't think Windows was a malware magnet in the late 1970's.

      Don't take this as a defense of Microsoft in any way, but merely a correction in the interest of accuracy.

    31. Re:Or... by RaceProUK · · Score: 2

      Interesting. Does that include system components as well, like the kernel?

      That depends more on the device maker/carrier than Google.

      --
      No colour or religion ever stopped the bullet from a gun
    32. Re:Or... by dwpro · · Score: 2

      I think superiority is in the eye of the beholder. You value security over freedom. Not everyone shares your views.

      --
      Millions long for immortality who do not know what to do with themselves on a rainy Sunday afternoon. -- Susan Ertz
    33. Re:Or... by kthreadd · · Score: 2

      OK, I guess that means that there are some vulnerabilities that Google can't patch.

    34. Re:Or... by LateArthurDent · · Score: 2

      how many times did your girlfriend need "untrusted apps"?

      you're complaining about a "Feature" but when 99% of your userbase doesn't need it, then turn it off. that is, unless you still have telnet enabled on your system because "FEATURE!@$"

      Disabled by default? Sure, that's both reasonable and prudent. Locked from being enabled? That's like saying I can't install telnet on my system, which is a completely different situation than enabling it by default. The fact that most people have no use for telnet, and enabling it by default would be a huge security issue, doesn't say shit about whether or not I might need to enable it, and by doing so would take responsibility for securing my own system.

  2. I remember... by webmistressrachel · · Score: 4, Insightful

    Not so long ago niche platforms and disparate architectures were slated to be good BECAUSE they were so diverse it wasn't worth the time to hack them individually...

    I also remember a time not so long ago that Microsofties used to complain that the frequency and ease of attacks on public sites was due to their dominance and being a big target. I wonder what Linux admins say now, since they now dominate the data centre?

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    1. Re:I remember... by erice · · Score: 4, Insightful

      Not so long ago niche platforms and disparate architectures were slated to be good BECAUSE they were so diverse it wasn't worth the time to hack them individually...

      I also remember a time not so long ago that Microsofties used to complain that the frequency and ease of attacks on public sites was due to their dominance and being a big target. I wonder what Linux admins say now, since they now dominate the data centre?

      But these are not niche platforms or disparate architectures. They are all compatible from the point of view of applications and malware. It is just the customization and vendor disinterest that prevents updates. It is as if Dell, Lenovo, HP, etc. added their crapware so deeply into the Windows infrastructure that Microsoft's security updates could not be applied and the vendors were not interested in creating or distributing adapted versions.

  3. Not vendor fragmentation by rudy_wayne · · Score: 4, Insightful

    The problem isn't vendor fragmentation. The problem is vendor laziness. If you produce an Android device there is no legitimate reason why you can't provide regular updates.

    1. Re:Not vendor fragmentation by TheGratefulNet · · Score: 4, Interesting

      bullshit!

      google abandoned the 'bad old hardware' (gfx chips were 'too old').

      and so they stopped ALL updates of importance.

      its not the vendors. don't blame them. its the creator of android. those guys messed up the design (split of gfx and non-gfx) and so we get 'end of lifed' systems that are FAR too young to be put to pasture.

      sigh. really, deep sigh.

      --
      "It is now safe to switch off your computer."
    2. Re:Not vendor fragmentation by Anonymous Coward · · Score: 2, Informative

      Two reasons:

      1) Hardware component manufacturers don't provide updated drivers. Many of them are binary blobs that aren't compatible with newer kernel/Android versions. Especially Qualcomm and Nvidia chipsets.

      2) Carrier certification is *expensive*. Going through the effort of getting updates carrier-approved costs tens of thousands of dollars, per update.

    3. Re:Not vendor fragmentation by DarwinSurvivor · · Score: 3, Insightful

      Is your old engine susceptible to remote control security bugs that can be activated by a teenager in Russia?

      Not everything is conducive to a car analogy.

    4. Re:Not vendor fragmentation by thegarbz · · Score: 3, Informative

      I call bullshit to your bullshit.

      Go have a look at the list of supported devices by Cyanogenmod and look up how many of those devices actually offer vendor upgrades to Jellybean. Hint: very few. My device stopped being supported at Gingerbread because the vendor says "it was too slow". I am now running Jellybean and thanks to Google's tweaks it runs faster and smoother than it ever did.

      But hey, let's not dwell on old hardware, shall we? Jellybean was released in early July 2012. Just under 4 months later Samsung were still saying US customers will get their SIII update in "the coming months". You know when Cyanogenmod 10.1 supported the Galaxy S III? Within 3 weeks of release.

      The problem IS vendor laziness.

    5. Re:Not vendor fragmentation by semi-extrinsic · · Score: 2

      The problem is vendors insisting on only a vendor-flavored OS on your phone. Imagine if Dell laptops only worked with Dell's specific version of Windows. Then you would have had to wait half a year after the release of Win7 to upgrade your Dell Vista laptop to Dell's version of Win7.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    6. Re:Not vendor fragmentation by Anne+Thwacks · · Score: 3, Funny

      If it is a BMW or Mercedes, then quite probably the answer is YES. If it is a clapped out old Nissan, the answer is definitely no!

      Disclaimer: my Fiat is definitely clapped out, and can't even be activated adequately by the ignition key!

      --
      Sent from my ASR33 using ASCII
  4. I blame the SoC vendors and Google by Casandro · · Score: 5, Insightful

    If there were a common hardware platform, like on the PC, where every PC is essentially compatible with every other PC, you could easily update your operating system without the manufacturer of the hardware.
    However SoC vendors don't want that, since it would mean that a device maker could easily switch from one SoC to another one. Plus they still use undocumented proprietary hardware in those SoCs, that's why you have binary device driver blobs which are hard to port.

    The other problem lies within Google. They should have mandated some sort of "BIOS" which would have allowed any operating system to see what kind of hardware there is. This wouldn't have been more than a few hundred bytes in the flash containing the bootloader. That way you could have a generic operating system image, which would read out that ROM and execute routines found in it to use the hardware and then, perhaps at a later stage, use specialized drivers... just like it's done on the PC.

    The sort of fragmentation we currently have in the Android market is simply bad, but a logical consequence of bundling hardware with the operating system. I just hope that one day the Chinese will wake up, and design a common hardware platform allowing the user to boot their own operating system from the SD card, and even move it from device to device.

  5. missing disclaimer by Anonymous Coward · · Score: 3, Informative

    TFA author is an iPhone user, according to his twit feed https://twitter.com/craigtimberg

  6. Fragmentation by LordLucless · · Score: 4, Insightful

    Trying to argue about fragmentation with people attacking Android is a losing battle. "Fragmentation" means there's too many different hardware form-factors. No, it means too many vendor-specific UIs. No, it means that we need to support multiple OS versions. No, it means that we can't guarantee what security patches have been applied.

    Bah, from where I'm sitting, "fragmentation" means nothing more than "I don't like it" - a way of disparaging choice from those who don't want it.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    1. Re:Fragmentation by symbolset · · Score: 2

      This. They've actually been at it since before the first Android device was even launched, claiming it was a fatal ill. Despite the dire fragmentation it has succeeded handily.

      I'm kind of curious how many millions have been spent Android-slandering in this way. Has to be quite a few. Any self-respecting for-fee product slanderer would have switched to another strategy that was failing less spectacularly by now. His customer might have switched to another more effective slanderer in some sort of normal world.

      But, meh. It's not working and that's how I like it, so fine.

      --
      Help stamp out iliturcy.
    2. Re:Fragmentation by aztektum · · Score: 4, Insightful

      Whether to continue supporting a phone is not up to Google. Much of that decision is up to the carriers, then the vendors. Those same folks that want to roll out new devices every 6-12 months.

      If a vendor takes Android 4.0 and mods the fuck out of it for their device, is Google responsible for patching all the security problems they introduced? Should Google take on writing new versions of Android for that hacked up version?

      I like how you ultimately defend your post by suggesting anyone that disagrees is a clueless rube. Brilliant.

      You're blaming Google for what is simply the mess that is the cellphone industry. At least in the U.S.

      --
      :: aztek ::
      No sig for you!!
    3. Re:Fragmentation by LordLucless · · Score: 2

      Yeah. But when you address one, the issue shifts to another; when you address that, suddenly you're arguing about the next. Moving goalposts. Although I notice there are far fewer form-factor fragmentation arguments now that Apple's got at least three different form-factors under their belt...

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  7. Or... by Anonymous Coward · · Score: 4, Insightful

    You get one exploit that works against Android Gingerbread, and you've got one that works for 2+ years against the still most popular version, by a large margin.

  8. Fragmentation is not to blame by Morgaine · · Score: 4, Insightful

    Linux has huge diversity among its many distributions, and yet it doesn't suffer from the security problems described in the article. So-called "fragmentation" isn't really a valid technical reason for lack of security at all. If a system is designed for security then it will be secure, regardless of the number of its variations.

    The real reason why Android is lacking in security is because Google hasn't focused on security. They decided not to include iptables/netfilter (the Linux firewall) as a standard facility in Android, which would have been very easy to do. And they haven't allowed users to block privileges demanded by apps after install. Instead you're offered only a package deal, either let the app do whatever it wants or don't install it, period. Android users are hence pressured into a corner, and the end result is often worse security than they would wish.

    Don't blame fragmentation. Instead point a finger at Google designers who seem remarkably disinterested in supporting the Android user's security and privacy requirements.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
    1. Re:Fragmentation is not to blame by kllrnohj · · Score: 2

      Android's security is top notch, and your claim Google isn't focusing on it is bullshit. With every release it has gotten better than the one before it.

      And those permissions you complain about? Yeah, that's something desktop Linux doesn't even have. Android wins that by default. Your attempt to turn a very obvious and straightforward advantage into some sort of negative is ridiculous.

      iptables/netfilter doesn't help here in the least, by the way. They are completely pointless here.

    2. Re:Fragmentation is not to blame by Anonymous Coward · · Score: 3, Insightful

      Android's security is top notch

      I guess you didn't read the article then.

      With every release it has gotten better than the one before it.

      Which implies that every earlier release has had insecurities which Google had to fix.

      And those permissions you complain about? Yeah, that's something desktop Linux doesn't even have.

      Desktop Linux doesn't install insecure apps from unknown 3rd parties as Android encourages. Because Android's approach to apps is vastly more dangerous, it requires a hugely more comprehensive approach to security instead of relying on trust in an app provider. It's tailor-made for abuse.

      Instead we have almost nothing, just some requested permissions which are meaningless in practice. As many Android commentators have described, it's totally normal for app developers to request everything, and you can never tell what they are doing with that permission, nor block it. It's an insane package deal. Those permissions don't provide user security, they only deliver security theater. It's a sham.

      iptables/netfilter doesn't help here in the least, by the way.

      Don't be ridiculous. Controlling which sites your app is allowed to talk to is the very first step in network security.

    3. Re:Fragmentation is not to blame by um...+Lucas · · Score: 3, Insightful

      You're missing the point. Users aren't failing to update, they're not provided with any updates at all.

    4. Re:Fragmentation is not to blame by jvonk · · Score: 2

      The real reason why Android is lacking in security is because Google hasn't focused on security. They decided not to include iptables/netfilter (the Linux firewall) as a standard facility in Android, which would have been very easy to do.

      That's why I installed the free DroidWall app from Google Play. Now I have an Android iptables firewall that is very versatile.

      And they haven't allowed users to block privileges demanded by apps after install. Instead you're offered only a package deal, either let the app do whatever it wants or don't install it, period.

      That's why I built and installed the free PDroid framework into my free custom ROM. Now I can grant, deny, or spoof the permissions on all my apps.

      If anyone's interested, I currently recommend using Auto-Patcher as the tool to inject PDroid into your ROM. I also recommend using the OpenPDroid option in Auto-Patcher, with PDroid Manager as the front-end UI app.

      So, both of the Android security problems you cited have solutions. Yes, these solutions require rooting, and PDroid requires a custom ROM; however, since you were talking about Linux distros and iptables, I anticipated you might be interested and capable.

      As an aside, being able to do things like this is why I will never consider iOS or (*shudder*) Windows Phone for my devices.
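      The per-app firewalling described above rests on Android giving every installed app its own Linux UID, so netfilter's owner match can allow or deny traffic per app. The script below is an added example, not code from this thread or from DroidWall, that prints a DroidWall-style default-deny whitelist for a set of app UIDs; the UIDs are constructed placeholders and the chain name is an assumption.

```shell
#!/bin/sh
# Added example: generate a DroidWall-style per-app whitelist for Android's
# iptables. Dry run only: the rules are printed, not applied, so it can be
# reviewed before being run as root on the device.
# UIDs passed in are placeholders; a real app's UID is shown as "userId="
# in `dumpsys package <package.name>`.

# Print the iptables commands for a default-deny OUTPUT policy that only
# lets the listed app UIDs reach the network.
gen_rules() {
    chain=droidwall_out          # assumed chain name
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    # Loopback stays open; local IPC over sockets breaks without it.
    echo "iptables -A $chain -o lo -j RETURN"
    for uid in "$@"; do
        # Traffic owned by an allowed app UID returns to the OUTPUT chain.
        echo "iptables -A $chain -m owner --uid-owner $uid -j RETURN"
    done
    # Everything else, including apps that "requested everything", is
    # rejected so the app sees an immediate failure instead of a hang.
    echo "iptables -A $chain -j REJECT --reject-with icmp-net-prohibited"
    echo "iptables -I OUTPUT -j $chain"
}

# Number of per-UID allow rules in the generated set.
count_allows() {
    gen_rules "$@" | grep -c -- '--uid-owner'
}

gen_rules 10045 10102
```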

  9. Re:It's not the frequency, it's the penetration by Swampash · · Score: 4, Informative

    The biggest install base for iOS is always "the latest version". The biggest install base for Android is what, Honeycomb? Shit.

    Even worse, it's still Gingerbread.

    http://bgr.com/2012/12/04/android-version-distribution-december-2012/

  10. Meanwhile at TCFKA RIM by rueger · · Score: 2

    What? Android bad for corporate security? BYOD bad for corporate security?

    Excuse me sir... {smile}

  11. Hmm by drolli · · Score: 2

    I always thought it's the responsibility of the manufacturer of the device to make a product which sticks to certain definitions. I don't see many Android products listed with security as a feature, therefore I also don't assume that the design of the preinstalled sw goes into that direction.

  12. Just download Avast mobile security by Andy+Prough · · Score: 4, Informative

    from the Google Play store. It's free and quite powerful. Works on older versions of Android too. It's like the Swiss Army Knife of mobile security - Scans apps and SD card for malware; has an excellent privacy dashboard; and has real-time shielding of apps, web links, and messages to protect from malware. It has a firewall that can be set up on rooted devices; can block calls and SMS messages based on filtering rules; has a network meter; and has several anti-theft functions. Really a brilliant app, from a trusted security company. They also have an iPhone app, although that one seems to have some slightly different functions. I think anyone with a modern smartphone should have some malware protection on board, and this is an outstanding suite with the right price - free.

    1. Re:Just download Avast mobile security by L4t3r4lu5 · · Score: 2

      Have there been any improvements since the scathing November 2011 report [PDF] stating that mobile AV is next to useless?

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:Just download Avast mobile security by bartron · · Score: 4, Interesting

      What the hell?

      How can anyone say, with a straight face, that you need to run AV software on a goddamn phone? A PHONE! What manner of circumstances lead to this being considered something that is perfectly normal?

      If anything it just shows what a logistical clusterfuck Google created with the first few editions of Android and letting all and sundry create hardware without at least enforcing some form of automatic patching regime. Don't get me wrong, I think ICS is a wonderful OS for a phone, but to be birthed straight into the world expecting to have to run AV software??? Look at yourself in the mirror and tell yourself that's a perfectly normal and rational thing.

    3. Re:Just download Avast mobile security by Dragonslicer · · Score: 2

      How can anyone say, with a straight face, that you need to run AV software on a goddamn phone? A PHONE! What manner of circumstances lead to this being considered something that is perfectly normal?

      The circumstances of these phones effectively being general purpose computers.

  13. Time Keeps On Ticking by SuperKendall · · Score: 2

    You said it's not unusual so please link us to the this supposed endemic problem in Google's Play Store.

    The incredible speed and ease with which any developer can push an app into Play comes at a cost you know, even if you'll not admit it.

    Google does scan binaries for viruses. But all the technical users know how effective virus scans really are.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  14. Updates are uneconomical by tlambert · · Score: 4, Insightful

    It is just the customization and vendor disinterest that prevents updates. It is as if Dell, Lenovo, HP, etc. added their crapware so deeply into the Windows infrastructure that Microsoft's security updates could not be applied and the vendors were not interested in creating or distributing adapted versions.

    On the contrary, it is vendor interest that prevents updates.

    The first thing to know is that Google does not create Android releases. Google does continuous Android development, and any time after release N.M, but before N.(M+1), or (N+1).0, for new major releases, the code base is called after the current tree version number. When a vendor wants to release a new Android cell phone, there may be parts of the code base they've contributed back for specific chip and peripheral support, but what they do is take a cut of the code base and freeze it. Then they apply patches and finishing touches which don't get integrated back to the main Android code base as part of taking it from the raw, unproductized Android code base to a productized version which can be shipped to customers.

    The dirty little secret here is that all productization is done by the device vendors, and not by Google, and that Google itself is basically incapable of productizing an operating system like Android. Instead, they rely on the device vendor to do this, and the device vendor, wanting product differentiation, willingly cooperates, or even insists, on this happening outside of Google.

    What that means is that "Android version 4.1" is a meaningless way to compare Android devices with one another, since Samsung's version of 4.1 may not have identical bits with Sony's version of 4.1, since they were most likely cut from different development versions of the source tree, even if they were cut only hours apart.

    The bottom line here is that even a working security fix back-ported to "Android 4.1" is most likely going to result in a product reintegration, since the patch(es) will have to be rolled forward from the Google release branch of 4.1 (which has no additional changes past the Google release date) to the vendor's version of 4.1, which is a set of patches and productization on top of some code branch somewhere between Google's 4.1 and their 4.2. This is nearly as much effort as developing a new "model 720" phone with COGS-reduced parts, and based on the original "model 710" phone from that same vendor. The team which works on this "improved Android 4.1 for the 710" is a set of people who isn't working on the "model 730". As far as a vendor is concerned, that's spending good money to update a product for previous customers who aren't paying them money for the new improved version of the product, because "the old version is good enough".

    The second thing to know is that the carrier marketing model in the U.S. effectively discourages the carrier from updating the OS, even if the handset/tablet manufacturer were willing to integrate the bug fix and provide an update.

    In the U.S., a carrier locks you into a 2 year contract, and then offers you a 6 month "early update" to lock you into that carrier again for another two years after 18 months. The upshot of this is that they get to keep the captive user as a subscriber, in trade for a new handset, which is subsidized by the carrier, and the old handset has been fully paid for (and then some) by the monthly bill portion which pays for the "free" handsets in the first place.

    The net effect of this is that, if they update an old phone, unless they have a new phone with some compelling new feature(s), the customer is more likely to "ride out" the remaining six months on their contract, and then just switch carriers. The only real compelling features that differentiate one Android phone from another these days are the version of Android they are running. Sometimes there are minor changes in hardware, but frankly, there's usually no hardware change that's compelling enough to get someone to NOT

  15. Or Even by tuppe666 · · Score: 4, Insightful

    We know iOS is insecure because it's jailbroken every other week. Ironically done to have similar functionality to Android.

  16. iOs is poor by tuppe666 · · Score: 2

    I'm sorry, in the context of this article iTunes is simply an extra security vector on my computer, and at best is bloat. It offers a poor service, and poor value [where are the free upgrades to FLAC]. On its own without the i*** it's simply a poor product; my favorite music player at the moment is Clementine http://www.clementine-player.org/ I'll probably replace it with something else soon.

    As for iOS...it's simply looking tired.