Students, Start-Up Team To Create Android 'Master Key' Patch App

chicksdaddy writes "The saga of the application-signing flaw affecting Google's Android mobile phones took another turn Tuesday when a Silicon Valley startup teamed with graduate students from Northeastern University in Boston to offer their own fix-it tool for hundreds of millions of Android phones that have been left without access to Google's official patch. Duo Security announced the availability of an Android utility dubbed 'ReKey' on Tuesday. The tool allows users to patch the so-called 'Master Key' vulnerability on Android devices, even in the absence of a security update from Android handset makers and carriers who service the phones, according to a post on the Duo Security blog. Jon Oberheide, the CTO of Duo Security, said that ReKey provides an in-memory patch for the master key vulnerability, dynamically instrumenting the Dalvik bytecode routines where the vulnerability originates, patching it in-memory. Oberheide said that ReKey will also 'hook' (or monitor) those routines to notify you if any malicious applications attempt to exploit the vulnerability. Despite the availability of a patch since March, many Android users remain vulnerable to attacks that take advantage of the application signing flaw. That is because Android handset makers have been slow to issue updates for their handsets. For platforms (HTC and Samsung) that have been patched, carriers delayed the rollout to customers further. 'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void." A related article makes the case that the release of the Master Key vulnerability started an important conversation within the open source community.

Rooted Only

[nurb432]

Leaves out 99% of the devices out there.

Re:Rooted Only

face it android is a fail. we'll have 1 billion legacy insecure devices. it will be like windows XP all over again.

Re:Rooted Only

[kthreadd]

Not really. Windows XP is still supported. It's XP that will be like legacy Android all over again.

Re:Rooted Only

[hairyfeet]

Exactly, you can say a lot of shit about MSFT but the length of support is just incredible. Compare this with Android where many of the devices being sold today will NEVER get a patch or update, hell go to Walmart.com and look under Android to see how many 2.x devices they are selling RIGHT NOW and you just know those devices are never gonna see this patch or any other patch for that matter.

Like it or not, and personally i think Google made a pretty slick OS, but Android is by far the most fragmented and least supported of the mobile OSes. If guys want to know what a downside to FOSS is here ya go, because Google can't control the code they can't make the OEMs go with the safer latest and greatest, nor patch older versions, hell Google can't even get them to stop putting out 2.x devices.

Re:Rooted Only

[Yvanhoe]

You say it like not giving an incentive to change your phone is an undesirable effect to the seller...

Note as well that XP legacy computers were a problem for all the case where the computer was part of a critical system. It is arguably far less frequent for smartphones.

Re:Rooted Only

Funny - the world has been able ot jailbreak iphones due to vulnerabilities ever since it came out. guess you're saying that the iphone is a fail, too....

Re:Rooted Only

Open in all the wrong ways!

patching

[gronofer]

The patching thing is a bit of a joke. If I had an android phone, I'd want an equivalent to Ubuntu to provide a 3rd-party OS with regular updates. I think 3rd-party Android distributions are out there, do they handle security updates well?

Re:patching

Yes. I run a flavor of the AOSP (android open source project) and was patched virtually first day the code was given out by google. I'd recommend a nightly build for security, even if the dailies add new functional faux pas at points. they usually get fixed, but documented security stuff is fixed pretty quick. even if say google is informed, doesnt release code - if the android community at large is informed, it gets pushed into the larger releases pretty quick.

Re:patching

[Xicor]

yea, i use aokp and i love it. that being said, it isnt google's fault that they cant get the patches out to everyone as soon as they create them. the problem lies with the cell phone distributors who consistently take forever to install all their adware and crapware onto each patch before deployment. it takes at&t over a year to release the operating systems on their phones, whereas a rooted phone can get it instantly.

Re:patching

Indeed some do. Cyanogenmod is probably the most mature of them. By nature that means they're not always the fastest to new features, but they're reliable and thorough.

Check out the most recent weekly review post on their site; it mentions the security issues brought to light last week and the two point releases in response.

http://www.cyanogenmod.org/blog/this-week-in-cm-july-12-2013

Re:patching

[PerformanceDude]

Mind you, I have a stock Galaxy Nexus and it is yet to offer the patch. If Google can't even provide a fix to the core community, what hope does OEM users have?

Re:patching

[Ravadill]

The problem with the Galaxy Nexus is that Samsung are in charge of a updates for a lot of the variants of this phone. There has been some debate on whether it should be called a true "nexus" phone at all.

Re:patching

[mrbester]

Hmm. The BlueBox app is reporting that my phone isn't patched even though I'm on 10.1.2...

Re:patching

[RogerWilco]

Which in turn is Google's fault for designing Android to be sold that way. They deliberately choose not to have control over the fragmentation and issues like this.

Re:patching

[jeffmeden]

yea, i use aokp and i love it. that being said, it isnt google's fault that they cant get the patches out to everyone as soon as they create them. the problem lies with the cell phone distributors who consistently take forever to install all their adware and crapware onto each patch before deployment. it takes at&t over a year to release the operating systems on their phones, whereas a rooted phone can get it instantly.

Except, my "adware and crapware" laden Samsung Galaxy S3 from Verizon was patched a few days after the story was in the news, without me rooting or romming or anything. Nexus devices that get updates straight from Google (who has publicized the patched code) have not been patched via update yet. Phones running totally custom ROMs (which is very different from rooting, fyi) can obviously get the update whenever the ROM maintainer releases a patch, or if their ROM isn't maintained (a lot aren't) they can switch roms entirely, wiping their phone in the process (not a lot of fun). A user that is merely rooted without access to a patch is only making their phone that much easier to completely pwn, if they do get a malicious app that uses this exploit.

Re:patching

Who has time to patch your phone, in the future we'll be forced to patch out refrigerators, mixers, stoves, and thermostats and have no time to use them ....... patch, patch, patch, patch, patch, patch.....

Another attack vector

[derfla8]

Looks like a great way for someone to create a fake update and publicize it as a third-party patch. Google needs to make good on do no evil by proactively doing good.

Re:Another attack vector

Looking at a more recent Slashdot article: "If a Network Is Broken, Break It More".... :-/

Reviews are showing some problems

[Scoth]

The reviews on the Play store are showing a fairly high possibility of a bootloop. While I'm all for open source and public patches where appropriate, I expect I'll be passing on this one for now.

Odds Are

[Greyfox]

I'm guessing someone's going to sue them for their efforts. As we've seen time and again, no good deed goes unpunished.

Bluebox scanner and this don't agree

I have a Nexus 4 that shows up as unpatched by the bluebox scanner. After installing this, it still shows up as unsecure in that app. My Samsung S3 shows up as patched in the Bluebox scanner, but this app says it's vulnerable. Whom do I believe?

Both sides of his mouth

[__aaltlg1547]

'The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,' said Oberheide. However, the fragmentation of the Android ecosystem is significant enough that it is no longer feasible for Google to take over responsibility for distributing patches. Third parties may need to step in to fill the void."

But, but, if it's no longer feasible for Google to provide patches, how come he says his company, with vastly fewer resources, can do it?

It stands to reason that if Google can't patch your phone because of "fragmentation of the ecosystem," nobody else can either. That makes me not at all anxious to install his patch.

Re:Both sides of his mouth

It is suppose to be open source, this is again why Gaagle is a joke. Not only is the system locked, but they refuse to stand up and lead the way in updates, even if they create a division for this specific reason. It makes me ask the question if Gaagle is behind this vulnerability? With everything that is coming out about the NSA and other agencies, this could very well be another exploit. Al tho I have yet to hear or read and security org., boldly making that claim.

Re:Both sides of his mouth

My Google sold phone gets updates on Day 1. Blame the carriers with their lock-in and bloatware. Blame the customers who insist on a contract and no money down. Hell, blame the handset manufacturers who could easily sell you a rooted phone. But blame Google? Makes you seem petty, like your reaching for any story that allows you to "stick it to the man" at "Gaagle".

Re:Both sides of his mouth

[gl4ss]

they aren't wiling to take the risk of bricking the phones.

you have to connect through adb or mitm the play store to exploit it anyways.

Re:Both sides of his mouth

[Rich0]

My Google sold phone gets updates on Day 1.

As far as I can tell, your phone that gets updates on Day 1 doesn't have an update that fixes this particular issue. I have two Nexus devices, and as far as I can tell the only one not vulnerable to this issue is the one running Cyanogenmod.

Re:Both sides of his mouth

My Google sold phone gets updates on Day 1.

As far as I can tell, your phone that gets updates on Day 1 doesn't have an update that fixes this particular issue. I have two Nexus devices, and as far as I can tell the only one not vulnerable to this issue is the one running Cyanogenmod.

I have a (by current standards ancient) Galaxy S3 from Verizon running all provided software and it was patched within a few days of the first news article (without an OS level update). How is it that Nexus devices aren't? This whole thing stinks of smoke and mirrors, and mostly from the fearmongers who "discovered" this issue.

Re:Both sides of his mouth

[Rich0]

I have a (by current standards ancient) Galaxy S3 from Verizon running all provided software and it was patched within a few days of the first news article (without an OS level update). How is it that Nexus devices aren't? This whole thing stinks of smoke and mirrors, and mostly from the fearmongers who "discovered" this issue.

Citation for the security release? I'm genuinely interested in this - I've yet to hear of any vendor updates for this issue that fix the root cause, but it isn't like they usually reference CVE's/etc so it isn't easy to tell when vulnerabilities are patched. The CVE for this issue is CVE-2013-4787.

Re:Both sides of his mouth

I have a (by current standards ancient) Galaxy S3 from Verizon running all provided software and it was patched within a few days of the first news article (without an OS level update). How is it that Nexus devices aren't? This whole thing stinks of smoke and mirrors, and mostly from the fearmongers who "discovered" this issue.

Citation for the security release? I'm genuinely interested in this - I've yet to hear of any vendor updates for this issue that fix the root cause, but it isn't like they usually reference CVE's/etc so it isn't easy to tell when vulnerabilities are patched. The CVE for this issue is CVE-2013-4787.

All I know for sure (based on numerous owner accounts) is that the S3 and S4 across all networks got patches "from Samsung" very shortly after the vulnerability went public.

Re:Both sides of his mouth

[Rich0]

All I know for sure (based on numerous owner accounts) is that the S3 and S4 across all networks got patches "from Samsung" very shortly after the vulnerability went public.

The question is whether those patches had anything to do with this vulnerability. I did find mention of S3 patches a few months ago, but no mention of this issue.

Obviously the solution is for phone OS vendors to do what every PC OS vendor does and have official release notes including CVE references, and then it is easy to know what vulnerabilities do and don't apply to any system. It is amazing how little care is given to security updates on mobile devices.

Why is there Fragmentation?

With desktop Windows and Linux, the latest version works on all (powerful enough) computers. Why can't it be this way on Android?

Re:Why is there Fragmentation?

[exomondo]

With desktop Windows and Linux, the latest version works on all (powerful enough) computers. Why can't it be this way on Android?

It is that way on Android, you can install vanilla Android from AOSP on just about any device that's powerful enough if the bootloader is not locked by the OEM. Problem - as I understand it - is most devices aren't powerful enough to run the latest version. Of course this is compounded by fragmentation within versions, for every version of Android most OEMs create their own version of that. That is why the Galaxy S didn't get an official ICS update, the official Android versions for it were forked versions of the AOSP versions and these Samsung forks required more RAM and ROM than the Galaxy S had even though the AOSP version of that Android version worked find on it, that is why fragmentation is a problem.

Re:Why is there Fragmentation?

[wierd_w]

Personally, for devices with crippled rom capacity, I would be willing to have the basic kernel image with the sdcard and FS drivers in the rom, and have the rest of the android platform in a filesystem on the sdcard, mounted in with symbolic links.

Alternatives are things like cramfs enabled kernels with cramfs packed rom block devices.

Re:Why is there Fragmentation?

[wierd_w]

Also, for devices with low RAM, tell the user it will run like ass, then make a build that loads zram, puts a swap partition on the /dev/zram0 device, then turns swap on. That can cut ram consumption by system daemons by nearly 50%, if the block device is sized sensibly, ans swappiness is set sanely. Because zram is a compressed ramdisk block device, the swap operations just munch a bit of CPU, and are quite speedy. Turning it on is commonplace in community rom builds.

Re:Why is there Fragmentation?

[FireFury03]

It is that way on Android, you can install vanilla Android from AOSP on just about any device that's powerful enough if the bootloader is not locked by the OEM. Problem - as I understand it - is most devices aren't powerful enough to run the latest version.

Most devices require closed source binary blobs to drive much of the hardware. So yes, you can install AOSP on any phone so long as you don't mind not having a working cellular radio, wifi, gps, screen, bluetooth, ...

Re:Why is there Fragmentation?

>It is that way on Android, you can install vanilla Android from AOSP on just about any device that's powerful enough if the bootloader is not locked by the OEM.

That is FAR from correct. You need binary drivers for almost everything (cellular radio, wifi, bluetooth, sensors, gpu, etc. etc.). Those drivers are often specific to a particular version of android. For the more popular phones, there are sometimes hacked or ripped versions (from other phones, international versions, etc.) of these drivers to support newer versions of android. However, those very often display stability, suspend/resume, performance, or battery performance issues.

There are only a few devices that can run the latest vanilla AOSP build with the included blobs on the AOSP page (usually the latest generation or two of nexus devices). Third party distributions, like cyanogenmod, support more phones, but they often include unsupported combinations of binary drivers, so your mileage will vary depending on the particular phone you have and how much progress has been made in the stable branch of that ROM version.

Even if you factor in the phones supported by both third party roms like cyanogenmod, and AOSP, there are TONS of phones forever stuck in gingerbread land due primarily to lack of manufacturer support.

Re:Why is there Fragmentation?

[exomondo]

Most devices require closed source binary blobs to drive much of the hardware. So yes, you can install AOSP on any phone so long as you don't mind not having a working cellular radio, wifi, gps, screen, bluetooth, ...

So explain how you believe all the custom android versions, ubuntu touch, firefox os run on various devices, or are you suggesting they only run on hardware that has fully open source drivers and no binary blobs?

Re: Why is there Fragmentation?

The custom Android versions you're talking about tend to run only on the most popular devices, and by popular I mean devices that are "currently" popular. So if you have one of those whitebox phones made by some no-name Chinese OEM, you're out of luck. On the other hand if you own an old phone that was once widely sold, you'll probably be stuck at the Android version that came out at the time of the phone. The Cyanogenmod developers can only release patches that are compatible with that Android base, since few would have the tenacity to engineer the "versioned" binary blobs or drivers. Thus, you're highly unlikely to get Cyanogenmod 10.1 (which corresponds to Jellybean 4.2) on a phone for which only Android 2.3 has been released.

Re:Why is there Fragmentation?

[FireFury03]

Most devices require closed source binary blobs to drive much of the hardware. So yes, you can install AOSP on any phone so long as you don't mind not having a working cellular radio, wifi, gps, screen, bluetooth, ...

So explain how you believe all the custom android versions, ubuntu touch, firefox os run on various devices, or are you suggesting they only run on hardware that has fully open source drivers and no binary blobs?

The custom android versions, such as Cyanogenmod, bundle the binary blobs for popular devices (which were extracted from the official images). Go try and run that stuff on a less popular device and you'll struggle. For example, the Samsung Captivate Glide was stuck with Gingerbread until Samsung released an ICS upgrade because the binary blobs in Gingerbread aren't compatible with ICS and Jellybean. Even now, there are various problems with the third party Captivate Glide firmwares due to bugs in the binary blobs (e.g. the GPS reports an incorrect number of satellites, and this is unfixable because that is handled by a closed source binary blob).

I have no experience of Ubuntu Touch and Firefox OS - I assume they either use the existing Android binary blobs, or only run on an extremely small number of devices.

Re:Why is there Fragmentation?

[exomondo]

For example, the Samsung Captivate Glide was stuck with Gingerbread until Samsung released an ICS upgrade because the binary blobs in Gingerbread aren't compatible with ICS and Jellybean.

Which is exactly the same as with desktop Windows and Linux, if you change the driver model and the manufacturer doesn't provide drivers then you're stuck whether it's desktop or mobile. If you don't change the driver model (like ICS->JB) then you're probably fine, again like on the desktop. Mobile is no different.

I have no experience of Ubuntu Touch and Firefox OS - I assume they either use the existing Android binary blobs, or only run on an extremely small number of devices.

Yes they use the existing ones.

Re:Why is there Fragmentation?

[FireFury03]

For example, the Samsung Captivate Glide was stuck with Gingerbread until Samsung released an ICS upgrade because the binary blobs in Gingerbread aren't compatible with ICS and Jellybean.

Which is exactly the same as with desktop Windows and Linux, if you change the driver model and the manufacturer doesn't provide drivers then you're stuck whether it's desktop or mobile. If you don't change the driver model (like ICS->JB) then you're probably fine, again like on the desktop. Mobile is no different.

Well, it depends - my machines aren't running any closed source drivers. In fact, its pretty easy to buy PC hardware that is entirely supported by open software, whereas the same is not true for mobile phones.

However, what you're saying doesn't really take anything away from my original point - you can't just install a brand new Android on any old phone because you're going to need compatible binary drivers which the vendors won't supply. Similarly, a PC that requires binary drivers also isn't very upgradable without the vendor's cooperation - the difference here is that the vendors are more inclined to release updated binary drivers for PC hardware than they are for mobile hardware. This isn't always the case though - I've been stuck unable to upgrade the OS for months on machines because nVidia wouldn't release compatible binary drivers, which is one of the reasons I don't buy nVidia hardware anymore.

TL;DR - there is no difference between PCs and mobiles when it comes to hardware that requires binary drivers - without the vendor's support for the upgraded OS you're screwed.

So no, the problem isn't "the device isn't powerful enough"; the problem is "there are no compatible binary drivers available".

Re:Why is there Fragmentation?

[exomondo]

Well, it depends - my machines aren't running any closed source drivers.

But the fact is performance and stability are rubbish because the drivers are generally just reverse engineered from the hardware, which you could just as easily do on mobile as well but the performance and stability problems are much more obvious on low performance device like them.

In fact, its pretty easy to buy PC hardware that is entirely supported by open software, whereas the same is not true for mobile phones.

Which ones outside of perhaps the Lemote Yeelong?

So no, the problem isn't "the device isn't powerful enough"; the problem is "there are no compatible binary drivers available".

Well no actually, many devices aren't powerful enough, but yes the fact that there are a lack of compatible binary drivers is a problem, and equally a problem on desktops, like i said, they're no different. I'm sure you'll find the vast majority of desktops - just like mobile phones - are not "entirely supported by open software".

Re:Why is there Fragmentation?

[FireFury03]

Well, it depends - my machines aren't running any closed source drivers.

But the fact is performance and stability are rubbish because the drivers are generally just reverse engineered from the hardware, which you could just as easily do on mobile as well but the performance and stability problems are much more obvious on low performance device like them.

Not really. The drivers are frequently written by the hardware vendor in an official capacity. For example, my graphics and wifi drivers were written by Intel - the same people who made the graphics and wifi hardware.

Also, I'm going to go with [citation needed] WRT the idea that reverse engineered drivers are unstable - in my experience, a lot of the reverse engineered Linux drivers have been of higher quality than the official Windows drivers from the vendors. Sure, sometimes reverse engineered drivers aren't as good, but I think the door swings both ways on this and you can't just equate "reverse engineered" with "rubbish" and "official" with "excellent".

In fact, its pretty easy to buy PC hardware that is entirely supported by open software, whereas the same is not true for mobile phones.

Which ones outside of perhaps the Lemote Yeelong?

Well, my crappy Acer Travelmate laptop is entirely supported by open drivers (ok, there is closed firmware running on some of the hardware, but I'm talking about stuff running on the CPU that has to be integrated into the OS in such a way as to prevent arbitrary OS upgrades without the vendor's help). I can install Fedora on that machine and it Just Works.

So no, the problem isn't "the device isn't powerful enough"; the problem is "there are no compatible binary drivers available".

Well no actually, many devices aren't powerful enough, but yes the fact that there are a lack of compatible binary drivers is a problem, and equally a problem on desktops, like i said, they're no different.

Sure, a lot of older devices aren't powerful enough. But the only reason a relatively top-end phone bought a year ago can't run the latest Android is because of closed drivers and the vendor's unwillingness to release new drivers compatible with the latest OS (and AFAIK even the Nexus devices require closed drivers for some of the hardware, so to some extent you're still at the mercy of Google).

I'm sure you'll find the vast majority of desktops - just like mobile phones - are not "entirely supported by open software".

Ah, I didn't say anything about the "vast majority" at all (although I wouldn't be surprised if most of the "non-gaming" PCs were entirely supported by open drivers - they tend not to have nVidia card, which are the current main culpret in the desktop world. That said, a lot of nVidia hardware is now supported by open drivers, albeit not as well as by the official closed drivers).

I said that it was relatively easy to get a PC that is entirely supported by open drivers. And it is, so long as you actually pay attention to what hardware you're getting rather than buying the first thing you see in PC World - there are a *lot* of PCs available that match this criteria from a lot of different vendors. Conversely, I think you'd struggle to find *any* mobile phones on the market that require no closed drivers so however carefully you shop around you're always going to be at the mercy of the vendor.

I would *love* to see a market where you can buy a phone and then install one of a variety of distros on it, regularly reinstalling with upgrades for the next 10 years. But we're no where near there yet, and the primary reason phones lose support is because they each require their own custom bunch of binary drivers which may not be compatible with the current OS and require a lot of custom fiddling about by someone interested to get it all working (which means your particular phone has to be popular enough to get the development time from third parties who aren't getting paid to do it).

Re:Why is there Fragmentation?

[exomondo]

Not really. The drivers are frequently written by the hardware vendor in an official capacity. For example, my graphics and wifi drivers were written by Intel - the same people who made the graphics and wifi hardware.

Outside of Intel, most of the hardware vendors don't do open source drivers and realistically intel graphics is the ass-end of desktop graphics hardware.

Also, I'm going to go with [citation needed] WRT the idea that reverse engineered drivers are unstable - in my experience, a lot of the reverse engineered Linux drivers have been of higher quality than the official Windows drivers from the vendors.

nVidia is prime example, they are unstable and lag behind in OpenGL support.

Sure, sometimes reverse engineered drivers aren't as good, but I think the door swings both ways on this and you can't just equate "reverse engineered" with "rubbish" and "official" with "excellent".

I didn't equate "official" with "excellent", but obviously reverse engineered drivers by their very nature are going to be behind the official ones in features, performance and stability.

Well, my crappy Acer Travelmate laptop is entirely supported by open drivers (ok, there is closed firmware running on some of the hardware, but I'm talking about stuff running on the CPU that has to be integrated into the OS in such a way as to prevent arbitrary OS upgrades without the vendor's help). I can install Fedora on that machine and it Just Works.

You can do that on just about any machine, it just doesn't work well and hardware support is mostly pretty crappy.

Sure, a lot of older devices aren't powerful enough. But the only reason a relatively top-end phone bought a year ago can't run the latest Android is because of closed drivers and the vendor's unwillingness to release new drivers compatible with the latest OS (and AFAIK even the Nexus devices require closed drivers for some of the hardware, so to some extent you're still at the mercy of Google).

Yeah I'll absolutely agree with that, any driver model change requires the OEM to update the older drivers and unfortunately with the speed of changes in technology and the turnover they just have no incentive to do so, which is pretty crap.

Ah, I didn't say anything about the "vast majority" at all

Well there are a minority of phones that are open source too that you could use if you wanted (Neos, Aava, the Tizen device), most people just don't want them.

Conversely, I think you'd struggle to find *any* mobile phones on the market that require no closed drivers so however carefully you shop around you're always going to be at the mercy of the vendor.

There are, it's just nobody wants them, which i suppose is understandable given the alternative operating systems are hardly attractive alternatives.

Re:Why is there Fragmentation?

[FireFury03]

Outside of Intel, most of the hardware vendors don't do open source drivers and realistically intel graphics is the ass-end of desktop graphics hardware.

I certainly wouldn't call them the "ass end" - it depends what you want. If you want a top of the line gaming machine that you have to fart around with tweaking drivers to make them work, etc. all the time then Intel isn't for you. If you just want a machine that can run a modern desktop and keeps working with no farting around then Intel hardware is excellent. I'm after the latter - I have absolutely no interest in gaming. Whilst PC gamers are a significant market segment, they are certainly not the majority of PC owners, so for most people Intel hardware is probably the best choice.

Plenty of other hardware vendors write drivers or release the specs allowing others to write drivers without reverse engineering - look at all the SATA and SCSI controllers, for example - mostly vendor-written drivers.

I didn't equate "official" with "excellent", but obviously reverse engineered drivers by their very nature are going to be behind the official ones in features, performance and stability.

This certainly isn't my experience - frequently the vendor written Windows drivers are bloatware, unstable with proprietary APIs whilest the reverse engineered Linux drivers are much higher quality. Certainly not always the case, but I don't think there's a lot of correllation between the quality of a driver and whether or not it was reverse engineered.

Well, my crappy Acer Travelmate laptop is entirely supported by open drivers (ok, there is closed firmware running on some of the hardware, but I'm talking about stuff running on the CPU that has to be integrated into the OS in such a way as to prevent arbitrary OS upgrades without the vendor's help). I can install Fedora on that machine and it Just Works.

You can do that on just about any machine, it just doesn't work well and hardware support is mostly pretty crappy.

Except on my machine it does work well, including all of the hardware. Which was pretty much my point - there's a lot of PC hardware out there that does just work perfectly with only open drivers.

Re:Why is there Fragmentation?

[exomondo]

I certainly wouldn't call them the "ass end" - it depends what you want.

Ok, generally "lowest performance" and worst graphics feature support.

If you want a top of the line gaming machine that you have to fart around with tweaking drivers to make them work, etc. all the time then Intel isn't for you.

If you believe that highend graphics machines requires tweaking drivers just to make them work then you're clearly doing something wrong.

I'm after the latter - I have absolutely no interest in gaming.

The idea that the only people interested in anything but lowend integrated graphics is gamers is just ignorant.

This certainly isn't my experience - frequently the vendor written Windows drivers are bloatware, unstable with proprietary APIs whilest the reverse engineered Linux drivers are much higher quality.

Which vendor-written ones are "bloatware" with "unstable proprietary APIs" compared to the "much higher quality" Linux drivers?

Except on my machine it does work well, including all of the hardware.

Just like on an openmoko handset or an aava.

Which was pretty much my point - there's a lot of PC hardware out there that does just work perfectly with only open drivers.

And in the end even if that is true it doesn't matter because just as the general populace doesn't care for open source drivers and running linux they also don't care about the available open source phones, both are confined to a niche. Moreover there's nothing to stop the development of open drivers for much of the available smartphone hardware but doing so and having it stable is another story.

Re:Why is there Fragmentation?

[FireFury03]

If you believe that highend graphics machines requires tweaking drivers just to make them work then you're clearly doing something wrong.

I used to use nVidia graphics cards before Intel appeared on the scene - I had far too many incidents of upgrading the kernel, or Xorg, etc. and discovering that the drivers no longer worked, then having to roll back the upgrade and wait for 6 months before nVidia got their finger out. Too many incidents of nVidia releasing broken drivers resulting in an upgrade breaking some functionality I was using. Too many bugs in the drivers that many people on the nVidia forums were reporting to be met with absolutely no response from nVidia, combined with a completely opaque bug reporting system. And finding that nVidia dropped support for old hardware long before I was ready to give it up (I don't like being forced into upgrading perfectly good hardware just because the vendor drops support).

Conversely, the Intel drivers are pretty much rock solid. When bugs are found, they can be reported and tracked using Intel's publicly accessible Bugzilla. Intel have (in my experience) resolved bugs rapidly and I've been able to check the progress of the bug fixing rather than having to sit on my hands for 2 years checking the change logs (which is what I did with nVidia), and when Intel finally decide not to support the hardware any more, the community pick up the slack to some extent because the drivers are open and well documented.

So I stand by my opinion that in my experience, nVidia hardware is more powerful but also a hell of a lot more hassle for the user, whereas Intel hardware is powerful enough to meet pretty much all non-gaming needs and Just Works.

I'm after the latter - I have absolutely no interest in gaming.

The idea that the only people interested in anything but lowend integrated graphics is gamers is just ignorant.

For home users, that pretty much is the case - there are only a few niche cases where high-end graphics are required outside of games.

Of course, for business use there are a few more cases (e.g. CAD work, etc) but still, it is a minority - we've standardised on Intel graphics because we don't need anything more powerful, they are a lot less effort, and we don't have to retire ancient hardware just because the vendor drops support.

Which was pretty much my point - there's a lot of PC hardware out there that does just work perfectly with only open drivers.

And in the end even if that is true it doesn't matter because just as the general populace doesn't care for open source drivers and running linux they also don't care about the available open source phones, both are confined to a niche.

That is irrelevant. The original question raised was "why can't we just install the latest OS like we do with PC hardware" and the answer I gave was "because there are no open drivers for much of the mobile hardware, whereas a large proportion of PC hardware does have good open drivers". None of this was about what the "general populace" cares about - I was simply explaining why phones and PCs can't currently be treated the same way in terms of software upgrades.

don't let carriers lock phones down or force them

[Joe_Dragon]

force them to give the unlock codes no questions asked even if you are on a phone payment plan.

Your fault.

[Areyoukiddingme]

And by you, I mean all you people who don't merely tolerate the behavior of the cellular phone companies, but actually encourage it by giving them silly amounts of money every month.

It's YOUR DEVICE. We've been down this goddamn road before. Nobody remembers Ma Bell? Nobody remembers Ma Bell owning all devices connected to their precious network? Nobody remembers what a debacle that was? How has this been allowed to arise again?

A smartphone is a stupid name for a pocket computer. And apparently, thanks to the cellular companies, it's going to behave just as badly as a desktop computer of yesteryear. It's like every Windows 98 machine ever shipped was connected to the modern internet yesterday. Madness.

And it's all your fault.

Re:Your fault.

[wierd_w]

My device had root and an unlocked loader within hours of purchase.

It has never had a major android upgrade.

Neither the foss community, the rom hack community, the carrier, nor the handset maker have released such a rom.

At the time, the device was comparable hardware wise to early galaxy handsets. It looked for all the world like the community would be able to support it with little effort as a windfall from supporting galaxy.

Turns out that wasn't the case.

Re:Your fault.

[nitehawk214]

It's your device when you drop it on the ground or it gets messed up by a bad update pushed by the telco, or it simply breaks after 2 years due to intentionally shoddy manufacture. It's their device when you want to root it or run some software they have not blessed via their app store or signing system, or want to transfer the device to another carrier.

It's the worst of both worlds for the consumer. And we are letting them do it to us via their uncompetitive practices and lock-in contracts.

Re:don't let carriers lock phones down or force th

[wierd_w]

This doesn't solve the actual problem in the handset world, especially with android.

That problem?

Closed source binary drivers for novelty features in specific handsets that are incompatible with newer android builds, due to improved/newer linux kernels being in them.

Take for instance, my horribly crippled, antique android device:
SGH-T839 (Sidekick 4G)

This device runs Froyo, and has been officially abandoned by T-mobile and Samsung for almost 2 years now. It has a 1ghz hummingbird cpu, and approx 512mb of ram, of which about 300mb is useable for programs. It has a strange camera driver, to make use of both rear facing and front facing cameras, and a strange hardware keyboard driver.

It is otherwise very similar inside to an older galaxy based device.

The only roms in existence for this device are recooked images of the (bloated as hell) stock rom. There is no CM support. There is no official ICS upgrade, despite it being theoretically possible. Nada. This, despite the complete source for the kernel of the device being GPLed by samsung when they EOLed it, and said sources being publicly available.

The device had a root access ad bootloader unlocker within weeks of release.

This community patch is the only security fix I have been able to apply to this handset in a very long time.

IMHO, better option is to require handset makers to offer at least one major android revision upgrade per device lifecycle.

This device was born froyo, it will eventually die froyo. I would rather it die ICS. Most times, EOLed devices are physically capable of running the next higher android release, but the maker refuses to sink the development money. I would pay 50$ extra or more for having the garantee of getting the next major android release during the product lifespan. The handset makers don't see that their refusal to provide extended support in this fashion hurts their brands, and hurts the device ecosystem. All they see is "the next big thing!" On the horizon.

They don't want to "waste time" with "old, legacy devices" like mine. They are much more interested in selling me a brand new device, that they will EOL in 1 year.

What's Google's excuse for not patching the N4?

[SuperBanana]

That is because Android handset makers have been slow to issue updates for their handsets.

I have a Google Nexus 4, supposedly gets all the updates right away, first to get new versions of Android, etc. I haven't seen an update since I bought the phone 6+ months ago. Samsung has apparently patched their phones; Google announced a code fix months ago.

What's Google's excuse for not patching my device? No carriers involved, current model, etc.

Re:What's Google's excuse for not patching the N4?

[Bieeanda]

They're probably trying to fold it into google+, like everything else.

Re:What's Google's excuse for not patching the N4?

[PerformanceDude]

Yeah - same here - and never mind that the latest version of Android on my Galaxy Nexus made Bluetooth inoperable in my car too. Google has hundreds of bug reports, but are yet to offer a fix or even acknowledge that there is a problem. Sadly Google are letting the very people down they should be giving most attention: The early adopters and Android enthusiasts.

Re:What's Google's excuse for not patching the N4?

[Yebyen]

Like everywhere else, you (the consumer) are not Google's customer.

They would honestly rather sell the devices to third parties who will support them and review/push patches and updates. The person selling the device for $100 is not incentivized to provide any support beyond what's required by law. Google charges $200 because you have higher expectations of them, and they are more visible. Samsung, ASUS, HTC, Sony, and the other big-name competitors in the tablet and phone markets can get away with charging upwards of $300-500 because they actually provide the support that the mobile carriers should be responsible for, given that they're the ones collecting all of the recurring fees (bargaining chips).

I have a Transformer TF-101 and I was not happy with the lack of vendor upgrades to JellyBean. So, what did I do? I flashed the device to EOS4, voiding my (admittedly limited groupon 90-day warranty), I nullified the support requirement (early) for the vendor. Now TeamEOS seems to have evaporated, lucky for me they are still providing their sources on http://git.teameos.org/ but jenkins is down and the nightly builds have slowed to about once a month.

Guess whose device is unpatched according to the Bluebox Security Scanner? (who's got two thumbs and a transformer that's out of warranty?)

Re:What's Google's excuse for not patching the N4?

[swillden]

Are you sure your phone hasn't been patched? My Nexus 7 has, according to https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner

Re:What's Google's excuse for not patching the N4?

The fix is in the next version of Android where they change the underlying Bluetooth implementation and also add BLE. It sucks that your Bluetooth is broken but as a software engineer, there is no way I'm going to backport an entire framework update to fix some issues with Bluetooth.

Re:What's Google's excuse for not patching the N4?

Only a software engineer would try to argue that we can't ever go back to the way things were, you need a new framework now, and the rest of your system is too old to do what it could do just fine the day before.

Ever heard of rolling back?

Re:What's Google's excuse for not patching the N4?

[nitehawk214]

A couple years ago an update merged the navigation volume control into the audio output volume control. Now it is impossible to use the device for navigation and playing music at the same time. The navigation volume is 10% of the music volume and there is no way to change it. There are hundreds of bug reports and google just doesn't care.

Not that they have ever cared about bug reports on their products. You and I are simply not their customer, in Google's eyes listening to us can only cost them money and not make them a cent. As long as the phone manufacturers still send them money to buy android they have no incentive to help us out.

Re:What's Google's excuse for not patching the N4?

[greg1104]

The last major Android update applied to Nexus phones was 4.2.2, which rolled out in Februrary. If you haven't gotten an update in six months, something is wrong with your setup. My Nexus phone has also gotten multiple revamps to various Play applications in the last few months, which was most noticeable to me in a complete redesign of the Play Music application. The last update there I know of was a month ago. I'm not certain what form (if any) the fix for this exploit has been pushed to the phones yet--could be a core update or fix in a play app--but your claim that they haven't changed anything recently isn't true.

Re:What's Google's excuse for not patching the N4?

Are you sure your phone hasn't been patched? My Nexus 7 has, according to https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner

Are you sure _your_ Nexus 7 has been patched? I have a Nexus 7 (wifi 32gb) running the latest updates and it has not been patched according to that same scanner. If you have a 3G carrier branded N7 maybe it was treated differently. The mud in the water is getting thicker on this issue, at this point I am ready to just start ignoring it since there are no exploits in the wild and the reports of where the problem is/isnt are varying so much.

In Soviet Russia

[Roachie]

... android patches YOU!!!!

Blame the OEMs this time

[Mr_Silver]

Whilst it's common (and often justified) to have a pop at the carriers for delaying or preventing updates to devices, it's worth pointing out that I've got access to a whole range of Android devices direct from a number of different OEMs and not a single one of them has yet received an OTA update to fix this vulnerability.

The carriers may still slow down this process, but it's already going slow enough with just the OEMs involved.

nice try but

As this will only effect 1% of the people who even know about the problem, and only 1% of those 1% have phones that can be fixed,
it answers the question why Google doesn't give a crap about you.

Vertical Integration hurting Android

[caspy7]

Thought I'd point out that it's the vertical integration design of Android that has led to this carrier conundrum in which updates and upgrades are forced to go through the carriers, but the carriers are focused on new sales not maintaining old hardware. So the engineering resources they're willing to invest are minimal, leaving users out in the cold.

This is something that's of interest to me in the design of Firefox OS, which completely separates out the the Linux kernel, and the two layers on top of that (the Gecko engine and the UI). All of these can be updated independently. Updates to the kernel require the carrier's knowledge of the underlying hardware, but most security, feature & performance updates will be to the top layers. So updates should be installable when they're first released. This should help to avoid a lot of what we're seeing with the carrier foot-dragging (or outright abandonment) hurting consumers.

I'm unfamiliar though with the the design of Ubuntu Touch and Tizen. Does anyone know if they have a similar advantage?

Re:Vertical Integration hurting Android

[Sockatume]

I'm not sure what you mean by "vertically integrated" here. Can you elaborate on that?

Re:Vertical Integration hurting Android

[PhilHibbs]

It's a standard term. It means that several components in the chain are all controlled by one company. Pretty much all smartphones are vertically integrated - Apple make the iPhone and the OS and control both. Samsung make the Galaxy and also control distribution of the Android software on it. If they also make the components, or just exert close control over the production of them, then it's even more vertically integrated.

Re:Vertical Integration hurting Android

[caspy7]

Sorry if the term was used in a confusing way.
The idea being communicated was that the different layers of Android (kernel, libraries, Dalvik, etc) are implemented in a way such that they cannot be separately updated. (Probably my understanding of the stack is flawed, I had been thinking that the code was perhaps not cleanly separate in the layers - hence the "vertical integration" idea.)

Either way, the point stands that Android cannot be updated piecemeal, thereby relying solely on carriers, greatly hurting the security and overall experience of users.

Re:don't let carriers lock phones down or force th

[Sockatume]

That'd unlock the SIM card slot, I'm not sure what it would do for getting new software onto the device.

Re:don't let carriers lock phones down or force th

[MrMickS]

Welcome to the mobile phone handset business model. This was the business model for these suppliers long before Android came along, do you really think they are going to change now? Instead of fixing older handsets they want to release new variants every few months to tempt the unwary with a new bright shiny thing.

The only company doing anything different, no matter how much Slashdot hate them, is Apple. The limited hardware targets they have to deal with allows them to provide longer support and its something that they've done since day one. Sadly the Android/iOS holy war prevents this advantage being seen.

AT&T One and Done

AT&T has never issued a software update for any of our Android devices. Not one. Once they release a phone, they wash their hands of it and never think about it again.

Re: AT&T One and Done

Not sure what you're buying, but AT&T updated both of my ATRIX 2s to ICS. Granted I had to use Kies to update my wife's Skyrocket, but that's on Jelly Bean now.

ICS needs more RAM than Gingerbread

[tepples]

As long as 4.x requires half a GB of RAM, there will still be 2.x devices.

Re:ICS needs more RAM than Gingerbread

[hairyfeet]

"As long as Windows 8 requires a GB of RAM there will still be Win98 devices"...see the problem friend? Google doesn't still support 2.x last i checked, so NO updates, NO patches, it would be NO different than selling Win9X today only much worse as the malware guys no longer target win9X but there is enough 2.x devices out there to make it a juicy target.

Again this is a downside of FOSS, whereas MSFT can refuse to sell licenses and thus get old no longer supported OSes out of the channel Google on the other hand has absolutely zero say when it comes to the OEMs, hell they can slap android 1.x on a phone and brag about their "$20 Android phones!" and when the customer gets pwned its NOT the shop that sold it that will get blamed, it'll be "that POS Android" that gets the hate.

Yeah, it's those darn google contracts...

Oh, no, it isn't, its you going to a seller of phones and buyng a shitty contract because you merkins don't have any customer protection and the phone companies can fuck you over every which way from sunday.

Don't buy a phone under a shitty contract and you're fine.

Absolutely incorrect.

There are scores of "Android" sellers, and several of them are as good or better than Apple at updating or not locking out the owner of the device.

YOU are taking the worst of the Android ones and comparing it to Apple so Apple appears better in comparison.

Re:Absolutely incorrect.

scores of them as good as Apple....????.... so now I'm listening....name some companies with good quality phones and massive app support that support their devices as long as Apple.....go ahead

Blame the carriers

[tepples]

Blame the carriers for charging as much per month for service on an unsubsidized phone as on a contract. Blame the CDMA2000 carriers for not using CSIM and refusing to activate phones they didn't sell.

Re:don't let carriers lock phones down or force th

. This was the business model for these suppliers long before Android came along, do you really think they are going to change now?

So how come Apple did it? My iPhone has no bloatware from AT&T. None. And I get regular updates from Apple, even my dads 3gs gets updates.

Face it. Google doesn't give a fuck about the users. All they care about is that the handset has all their proprietary google service crap added to the OS. Apple's only hope is to get money upfront and thats why their product is awesome and why still Android sucks compared to iOS. Google meanwhile gives out their stuff for free and then exploits users personal data to make money later on. I know which company I trust.. Hint: Not Google.

Google could stop shipping Gapps on 2.x

[tepples]

Google on the other hand has absolutely zero say when it comes to the OEMs

"Absolutely zero" is strong language. Google Play Store is not FOSS, and Google could sue any OEM that ships an infringing copy of Google Play Store on a device. Google licenses the Gapps only for distribution as part of the preload on devices that pass the tests for conformance to a particular Android version's Compatibility Definition Document. To get 2.x (and the underpowered hardware that needs 2.x) out of the channel, Google could declare a date after which Gapps are no longer available on new 2.x phones. I guess it doesn't do so because it depends on ad revenue from 2.x users who would have otherwise chosen a feature phone.

Re:Google could stop shipping Gapps on 2.x

[hairyfeet]

Think the OEMs give a rat's ass about a store that makes GOOGLE money but NOT them? Oh please, they all run their OWN apps stores where THEY get the appmoney AND the datamining money, in fact i can't remember ever seeing one of the 1.x or 2.x devices even having the Google store, they all have an ersatz being run on a server somewhere in Hong Kong.

So I'm sorry friend but this is one of the weaknesses of FOSS, open source means you can't say shit about that source and what is done with it, again look at places like Best Buy and walmart that are selling plenty of 2.x "Android" devices and Google can't say a damned word about it. Hell I doubt you'd even get a court to say shit, after all it IS running an OS called Android correct? Its not like they are claiming its ICS, just that its Android and that is what it is, its again like selling Win9X boxes only in this case not only is it a juicy target but unlike with Win9X most folks wouldn't know ICS from ice cream sundae.

Did you mean like what Amazon did

[tepples]

Think the OEMs give a rat's ass about a store that makes GOOGLE money but NOT them?

Say an OEM decides to go this route of shipping a device running outdated AOSP and its own store. How would it go about attracting Android application developers to its own store? In order to get its own 30% cut, such an OEM would have to spend time==money hosting, curating, and promoting its own store. I seem to remember only Amazon making a wholehearted effort at setting up its own store for the Kindle Fire. Other 1.x/2.x devices without the Gapps, such as seventh and eighth generation Archos tablets, ended up building a bad reputation once users discovered that they couldn't find their favorite apps in AppsLib (the store that Archos devices shipped with) or SlideME (a commonly sideloaded store).

Re:Did you mean like what Amazon did

[hairyfeet]

Uhhh...you have NEVER worked retail have your friend? I hate to break the news to ya but they don't give a wet fart about "attracting app developers" all they care about is having a few brand name apps, your angry birds and your cut the rope, hell since its being run from a server in Hong Kong it wouldn't surprise me if they are just using pirated versions, no copyright police to worry about over there.

But please do NOT take MY word for it, you have a Walmart near you, yes? Go in and look for yourself, they have a fricking TON of 2.x phones and tablets, all running badly out of date android but guess what? they ALL have angry birds and cut the rope preloaded! But you can see their "phone store" or "Tablet program shoppe" or whatever ersatz they are running, hell I've seen plenty of those knockoffs running appstore that is so obviously some Chinese ripoff (hell half the pages end up in Chinese) that it isn't even funny, the OEMs don't give a shit and Joe and Jane don't know the damned difference. Hell I should know, i was selling those $100 velocity Micro 2.x tablets for awhile until i got tired of dealing with the distributor, folks ate those cheap tablets up.

Nexus 4, and yes, still vulnerable

[SuperBanana]

I have a Nexus 4, not a Nexus 7, and yes, according to the scanner tool, it's still unpatched.