Slashdot Mirror


Fragmentation Leads To Android Insecurities

Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software' unlike Apple's iOS which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"

9 of 318 comments

  1. Or... by MrDoh! · · Score: 5, Insightful

    iOS is a single target, get one sploit that works, you know it'll work on all of them. The recent Exynos sploit only worked on some Samsung chips. So.. hackers have more devices to attempt to hack! Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

    --
    Waiting for an amusing sig.
    1. Re:Or... by DerekLyons · · Score: 5, Insightful

      Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

      It's funny.... when Apple or Microsoft comes up, all the highly rated comments are about how Android lets you escape the walled garden and get your apps wherever you want from whomever you want. But let the story be about malware and security problems with Android - and all of a sudden it's the users' fault for going outside the walled garden.

    2. Re:Or... by TheGratefulNet · · Score: 5, Insightful

      nexus one user, here. cm7.2 is 2.3.7

      likely, that will be all it ever runs.

      shame and pity that google designed this. they farked it up. would you tolerate a linux distro that ended just a few years after it started?

      that's how I feel. abandoned.

      I run linux hardware (x86) that is recent and I also have 10 yr old systems that are just fine (thanks) and I continue to get linux updates for them.

      but not android.

      stupid google. seriously. why do people give google a pass on shit like this? we would not put up with this on regular desk/server linux.

      --
      "It is now safe to switch off your computer."
    3. Re:Or... by happymellon · · Score: 5, Interesting

      You mean like the Android humble bundles?

    4. Re:Or... by semi-extrinsic · · Score: 5, Informative

      You should be aware of a new feature of Android that hasn't really gotten a lot of press, but is the solution to this problem: the latest upgrade of the "Play store" (market) includes something called "Google Play Services". This new app takes care of upgrading and patching all Google-produced apps (system apps, YouTube, browser, camera, etc.). It is back-ported both to Gingerbread and Froyo. It applies security patches and upgrades without needing user intervention, as I understand it.

      TL;DR: You may not be able to upgrade your Gingerbread phone to ICS, but Google still patches known vulns on your system.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    5. Re:Or... by SuperKendall · · Score: 5, Insightful

      When given responsibility, people are expected to be responsible for themselves.

      The corollary is that it is IRRESPONSIBLE to give the masses a technology where it is IMPOSSIBLE for them to be responsible.

      If Android were just being marketed at technical users, that would be one thing. But to claim it's superior because it allows so much more freedom than most non-technical people can realistically control, and then pushing it on those same people, is borderline criminal.

      The iOS model is far superior. Technical users able to properly manage an open system are also able to fully unlock the system. But the default shipping mode is safe for people with little technical aptitude.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    6. Re:Or... by TheRaven64 · · Score: 5, Interesting

      Bullshit. The problem is Android's notion of a system application. These are things that can't be uninstalled and must be on the internal storage. Some of these really are system services, but others are just shovelware. The 512MB on the Nexus One is more than adequate for a more recent Android, if you move some of the non-essential crap onto the SD card. The Nexus One came with a 4GB SD card and supports up to 32GB, so there's no reason not to do this, except that then you'd be able to uninstall some of the Google stuff.

      This model, by the way, is especially wasteful because often these system components need updating, and due to the design of the Android filesystem layout they can't overwrite the old components, so you end up having to have two copies of a load of stuff installed, and you can't delete the unused one even though that's the one on the smaller storage device...

      --
      I am TheRaven on Soylent News
    7. Re:Or... by bartron · · Score: 5, Informative

      If someone is using an iPhone, at some point it was connected to iTunes to activate it (or it wouldn't be working).

      That used to be the case but you can activate an iPhone or iPad without iTunes these days and never ever hook it up to a host computer.

  2. I blame the SoC vendors and Google by Casandro · · Score: 5, Insightful

    If there was a common hardware platform, like on the PC, where every PC is essentially compatible with every other PC, you could easily update your operating system without the manufacturer of the hardware.
    However SoC vendors don't want that, since it would mean that a device maker could easily switch from one SoC to another one. Plus they still use undocumented proprietary hardware in those SoCs, that's why you have binary device driver blobs which are hard to port.

    The other problem lies within Google. They should have mandated some sort of "BIOS" which would have allowed any operating system to see what kind of hardware there is. This wouldn't have been more than a few hundred bytes in the flash containing the bootloader. That way you could have a generic operating system image, which would read out that ROM and execute routines found in it to use the hardware and then, perhaps at a later stage, use specialized drivers... just like it's done on the PC.

    The sort of fragmentation we currently have in the Android market is simply bad, but a logical consequence of bundling hardware with the operating system. I just hope that one day the Chinese will wake up, and design a common hardware platform allowing the user to boot their own operating system from the SD-card, and even move it from device to device.