Slashdot Mirror


Old Apache Code At Root of Android FakeID Mess

chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."

The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.


  1. Thankfully those will be patched right in a jiffy! by Anonymous Coward · · Score: 2, Insightful

    Phew, good thing Android is open source and these vulnerabilities will be patched right away by all those "for profit" companies, who wouldn't want their users to get angry!

    Giggity

  2. Re:Thankfully those will be patched right in a jif by ShaunC · · Score: 5, Informative

    The patch already exists, now it's up to our cell carriers to distribute it.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  3. Re:Thankfully those will be patched right in a jif by mightypenguin · · Score: 5, Informative

    Actually the patch is already distributed without any manufacturer intervention required. http://www.osnews.com/story/27...

  4. KitKat by Anonymous Coward · · Score: 0

    So it doesn't affect 4.4 KitKat?

  5. Re:Thankfully those will be patched right in a jif by trparky · · Score: 1

    Couldn't this be patched as part of an update to the Google Services Framework? From what I understand, Google controls the Google Services Framework and can push updates even to phones/devices that haven't been updated by their network provider.

  6. Re:Thankfully those will be patched right in a jif by CastrTroy · · Score: 2

    This is why I have a big problem with Android. The carriers have nothing to do with manufacturing or maintaining the phone. Why should they have anything to do with the update process? Updates should come straight from the manufacturer, and carriers should not have their own custom firmware. Or even better, all updates should come straight from Google. The only customizations at the manufacturer level should be applications which can be reinstalled (or uninstalled) at the customer's discretion. Apple does it, Windows phone does it. Why can't Android do the same thing?

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  7. Re:Thankfully those will be patched right in a jif by Rosyna · · Score: 0, Troll

    This only works if the exploit isn't hidden in some way.

    If "Verify Apps" worked as well as some claim, 10% of the Google Play store wouldn't be malware. It'd be a much, much smaller number.

  8. READ THE MOTHERFUCKING SUMMARY! by Anonymous Coward · · Score: 2, Informative

    JESUS FUCKING CHRIST, I know this is Slashdot, but were you totally unable to read even the second sentence of the summary?

    The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox.

    1. Re:READ THE MOTHERFUCKING SUMMARY! by Anonymous Coward · · Score: 0

      That's a completely different detail of this vulnerability. We are talking about whether Android 4.4 is vulnerable too, and the answer is yes.

  9. Re:Impossible. by Stumbles · · Score: 1

    Um if you read TFA it says Google is using code that was discontinued years ago. So one has to ask Google how they could be so stupid.

    --
    My karma is not a Chameleon.
  10. Re:Impossible. by willaien · · Score: 1

    And a lot of android is open source. And it's used by many parties.

  11. Re:Impossible. by mythosaz · · Score: 1

    There were fewer eyes back then...

  12. Not so fast. by thieh · · Score: 1

    There are craploads of devices discontinued by the manufacturers. Are they covered by the patch?

    1. Re:Not so fast. by Anonymous Coward · · Score: 0

      There are craploads of discontinued manufacturers. Are they covered by the patch?

    2. Re:Not so fast. by Anonymous Coward · · Score: 0

      If the device runs 2.3 or higher, it has access to Google's own malware scanning facilities, which are programmed to uninstall any application which has an invalid cert chain.

  13. Why didn't Java stop this? by Anonymous Coward · · Score: 0, Flamebait

    I don't know much about Java and virtual machines and all that (I'm just a graphic and media designer), but I constantly hear the programming guys at work saying that the Java virtual machine is more secure than just normal software codes. I know I've disabled it in my Safari but why didn't it stop this bug on Android? The guys at work who like Android told me I should get a Samsung Android phone next time instead of an iPhone because Java is more secure than whatever iOS uses for apps. But after reading about this bug, which sounds really serious to me I think, I don't know if I want to get an Android phone. I was going to get one but will it be secure if it has the Java on it?

    1. Re:Why didn't Java stop this? by Narcocide · · Score: 1

      sigh. merely replying to undo accidental moderation. meant to moderate insightful not redundant. slashdot really needs a manual undo of moderation.

    2. Re:Why didn't Java stop this? by Anonymous Coward · · Score: 0

      I don't know much about Java and virtual machines and all that (I'm just a graphic and media designer), but I constantly hear the programming guys at work saying that the Java virtual machine is more secure than just normal software codes. I know I've disabled it in my Safari but why didn't it stop this bug on Android? The guys at work who like Android told me I should get a Samsung Android phone next time instead of an iPhone because Java is more secure than whatever iOS uses for apps. But after reading about this bug, which sounds really serious to me I think, I don't know if I want to get an Android phone. I was going to get one but will it be secure if it has the Java on it?

      Congratulations.

      Nice troll. ;)

    3. Re:Why didn't Java stop this? by jones_supa · · Score: 1

      Well, as we are sailing on the seas of offtopic already, I might ask what's your favorite Pringles flavor? I'll go with the classic Paprika myself.

  14. Whew! by Anonymous Coward · · Score: 0

    At least Nokia won't be tarnished by this! Glad I went with Windows Phone!

    1. Re:Whew! by Anonymous Coward · · Score: 0

      Lucky you.

  15. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Sticking with Nexus devices gets you close to the Apple model. Carriers still push the updates, but my Nexus 5 (and the 4 before it) receives very quick carrier updates (within a day, 2 at most) on AT&T and Sprint. Not as seamless as my wife's iPhone, but close enough for me.

  16. Re: Impossible. by Anonymous Coward · · Score: 0

    And every day, those assholes at Google are closing off more and more of it.

  17. How can Java code be "native code"? by Anonymous Coward · · Score: 0

    The summary says "native Android libraries that are based on Harmony code" but that confuses me a lot. Harmony is Java code, right? And Java is not native code, right? Java runs on a VM, right? So how can it be a native library if it's written in Java? Doesn't a native library have to be written in C or C++ or assembly or some other lang that gets compiled down to native machine code? How can Java code be native code?

    1. Re:How can Java code be "native code"? by Anonymous Coward · · Score: 1

      It's the Java runtime. It allows other programs written in Java to run. It is not Java itself.

    2. Re:How can Java code be "native code"? by devman · · Score: 1

      Native as in "comes with the OS", not as in "compiled to machine code". It is confusing, but that is what I make of it.

    3. Re:How can Java code be "native code"? by devman · · Score: 1

      Many parts of the Java runtime environment are written in Java.

  18. I call BS by Charliemopps · · Score: 4, Funny

    Why are we blaming yet another coding mistake on Native Americans?
    Native Americans are just as good as anyone at programming. I'd even say the Apache tribe has some top notch C++ people. Yes, the computers don't last long in the sweat lodges, but that's the price you pay for that "Made by real Americans" label.

    1. Re:I call BS by godrik · · Score: 1

      Too bad there is no "not funny" tag on slashdot. This would be a perfect use case for it.

    2. Re:I call BS by Anonymous Coward · · Score: 0

      Should have used Navajo code instead. Everybody knows it's better than Apache code... That's why they used it in WWII.

    3. Re:I call BS by Anonymous Coward · · Score: 0

      Somebody else owns it, they were afraid they might get Siouxed.

    4. Re:I call BS by rahvin112 · · Score: 1, Informative

      There is no tribe called simply the "Apache". Though, the word Apache is used in the name of several of the tribes that make up the ethnic group. There are numerous tribes in the Apache ethnic group. One of the largest of these tribes is the Navajo which doesn't use the word Apache in the tribal name.

    5. Re:I call BS by Charliemopps · · Score: 1

      So you missed the fact that my statement was completely nonsensical and not based in reality? And yes, I mean more so than usual.

    6. Re:I call BS by Charliemopps · · Score: 1

      There is. The long series of 1s following the comments under your profile for example ;-)

    7. Re:I call BS by Anonymous Coward · · Score: 0

      Your joke was stupid, his post is interesting. Get over yourself.

    8. Re:I call BS by Anonymous Coward · · Score: 0

      Genuinely funny, but it also brushes on a common issue: why oh why do Slashdot use "title case"? It helps with nothing, and it hinders readability at least on a daily basis.

      "Old Apache code at root of Android FakeID mess" -- what would be the downside of this readable title? We are trained to find capital letters in running text and attach meaning to it. Because of the excessive capitalization in the actual item title, where almost every word is emphasized for the reader, in reality nothing is emphasized, and it reads more like:
      "old apache code at root of android fakeID mess"
      Sure, context makes it readable after re-parsing a few times, but there is just no reason for any part to do it this way.

      Let us be an example to the world (or rather, a quite small subset of the world) and kill title case. Every negative quality of sentence case is fully related to habit.

    9. Re:I call BS by BasilBrush · · Score: 0

      There is no tribe called simply the "Apache". Though, the word Apache is used in the name of several of the tribes that make up the ethnic group. There are numerous tribes in the Apache ethnic group. One of the largest of these tribes is the Navajo which doesn't use the word Apache in the tribal name.

      Fragmentation is always a problem. If they'd had the sense to trademark it in the first place this would never have happened.

    10. Re:I call BS by Anonymous Coward · · Score: 0

      Fucking hell you must be one boring git in real life.

    11. Re:I call BS by Anonymous Coward · · Score: 0

      His joke wasn't stupid, it was 'lame' which is slightly different.

    12. Re:I call BS by Anonymous Coward · · Score: 0

      Real Americans were black (from Australia), then the "Indians" came across the land bridge and killed them all. Now they claim to be the natives...

    13. Re:I call BS by ColdWetDog · · Score: 2

      An ethnography Nazi!

      Didn't realize Slashdot had one of them.

      --
      Faster! Faster! Faster would be better!
    14. Re:I call BS by rahvin112 · · Score: 1

      So does that make you a stupidity nazi who demands that no opportunity for the gaining of knowledge ever present itself?

      I was trying to relate a bit of what I consider interesting information in response to a rather stupid joke. I expected the person I replied to have a fit about it being a joke. I didn't expect someone to get mad that I imparted information that most people aren't aware of.

  19. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Why can't Android do the same thing?

    It can, but the carriers and the manufacturers have decided to "enhance" the Android experience. They believe their "value add" software gives them a competitive advantage. Blame greed (it is always about the money).

  20. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 4, Insightful

    10% of the Google Play store wouldn't be malware.

    It's not. That claim was typical hyperbole by an AV vendor desperately trying to find a market to sell their snake oil in now that Windows is in decline. The report they used even showed the Google Play Movies application as malware... They've since backed off the claim, but of course the mud (as intended) still sticks.

    http://www.techrepublic.com/ar...

  21. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Because you are the product with Android. That includes the carrier making a cut from the software on your phone. This means that carriers have to be able to ensure their crapware works with your handset.

  22. Open Source Dangers by v.+Konigsmann · · Score: 1

    Kind of strange how all these reports of Open Source vulnerabilities are increasing recently. Despite the fact that, as in Heartbleed, hyped to the max, very few actual bad things seem to happen. Almost as if it were coordinated.

    1. Re:Open Source Dangers by Kardos · · Score: 2

      I see it as good news that security software is getting more attention. There was a lot of bug backlog that's finally getting fixed. Each time a bug is fixed we slowly and steadily eliminate attack vectors. Heartbleed is undoubtedly one of the drivers of this renewed attention, as are the revelations that nation states are actively working to exploit weaknesses. Patching bugs is one of the ways ordinary people can work against mass surveillance.

      > Despite the fact that, as in Heartbleed, hyped to the max, very few actual bad things seem to happen.

      Not all exploits get noticed. If your old laptop was keylogged, and a year after you got a new laptop you discovered that you were a victim of some sort of identity theft--- would you ever trace it back to the keylogger? If your $device was part of a botnet used for some sort of click fraud, would you notice?

    2. Re:Open Source Dangers by Zxern · · Score: 1

      One of the down sides of having fast, powerful and cheap computers today is that most users won't notice when they've been infected with a virus.

  23. Appalling by countach · · Score: 2

    I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.

    1. Re:Appalling by Anonymous Coward · · Score: 0

      Maybe not an unintended "bug"...

      NSA at work?

    2. Re:Appalling by Anonymous Coward · · Score: 0

      You are the only one.

      The rest of us are actually appalled at the fact that Google intends to fork OpenSSL to, supposedly, fix its many flaws, when they can't even get this one simple thing right.

    3. Re:Appalling by swillden · · Score: 5, Informative

      I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.

      No, it's not that it doesn't check certificates generally, it's that if there's an additional, extra certificate of a particular form in the list that forms an app's certificate chain (but isn't actually in the chain) then that extra certificate gets included in the list of signatures associated with an app... making other apps that query the signature list believe that the app is signed by a certificate it's not. This doesn't, for example, fool the Play store into believing an app is from developer A when it's really from developer B. But it can fool other apps. There are some apps that load others as plugins, and make decisions about which plugins to load based on whether they're signed by a particular key. This flaw allows malicious apps to subvert that, convincing the plugin-loading apps to execute them, thereby giving the malicious app the same permissions as the plugin-loading app.

      It's a serious security flaw, no doubt. But it's a little more subtle and less obvious than the summary makes it appear. Also, it appears that no app in the Play store, nor any of the other apps that Google has scanned, attempt to exploit the flaw. It's very easy to identify them by scanning the certificates in the package.

      I've implemented tests for certificate chain validation code several times (not in Android), and it never once occurred to me to test for this particular odd construction, nor, I think, would anyone else think to test for it without some specific reason. This sort of bug requires inspection of the code.

      (Disclaimer: I'm a member of the Android security team, but I'm not speaking in an official capacity, just summarizing what I've read of the vulnerability -- which isn't a great deal. Others on my team are well-informed, but I haven't followed this issue closely.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
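
The chain walk that the summary and swillden's comment describe, shown as an added example (not code from the page, from Android, or from Apache Harmony): a Go program using the standard crypto/x509 package with constructed certificates and placeholder names ("Vendor Plugin CA", "Genuine Plugin", "Malicious App"), contrasting a signer list built from issuer names alone with one that also verifies each signature before linking a bundled certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for subject: self-signed when parent is nil,
// otherwise signed with parentKey and naming parent's subject as its issuer.
// All certificates are constructed for this example; crypto errors panic.
func makeCert(subject string, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// signerChain builds the list of "signers" for a leaf from the certificates
// bundled with its package. With verify == false a bundled certificate is
// linked as soon as its subject name equals the current issuer name (the
// FakeID behaviour); with verify == true the signature must also check out.
func signerChain(leaf *x509.Certificate, bundle []*x509.Certificate, verify bool) []string {
	names := []string{leaf.Subject.CommonName}
	cur := leaf
	for cur.Issuer.CommonName != cur.Subject.CommonName { // stop at a self-signed root
		var issuer *x509.Certificate
		for _, c := range bundle {
			if c.Subject.CommonName != cur.Issuer.CommonName {
				continue
			}
			if verify && cur.CheckSignatureFrom(c) != nil {
				continue // names match, but cur was not signed with c's key
			}
			issuer = c
			break
		}
		if issuer == nil {
			break
		}
		names = append(names, issuer.Subject.CommonName)
		cur = issuer
	}
	return names
}

type Chains struct{ NameOnly, Verified []string }

// RunScenario builds a genuine plugin signed by a vendor CA and a forged app
// whose certificate merely names that CA as its issuer, then runs both checks.
func RunScenario() (genuine, forged Chains) {
	vendorCA, vendorKey := makeCert("Vendor Plugin CA", true, nil, nil)
	realLeaf, _ := makeCert("Genuine Plugin", false, vendorCA, vendorKey)
	// The attacker's own self-signed certificate copies the vendor CA's name, so a
	// leaf signed with it carries Issuer = "Vendor Plugin CA" under the wrong key.
	fakeCA, fakeKey := makeCert("Vendor Plugin CA", true, nil, nil)
	fakeLeaf, _ := makeCert("Malicious App", false, fakeCA, fakeKey)
	// Both packages ship the public vendor CA certificate; fakeCA is never shipped.
	bundle := []*x509.Certificate{vendorCA}
	genuine = Chains{signerChain(realLeaf, bundle, false), signerChain(realLeaf, bundle, true)}
	forged = Chains{signerChain(fakeLeaf, bundle, false), signerChain(fakeLeaf, bundle, true)}
	return genuine, forged
}

func main() {
	genuine, forged := RunScenario()
	fmt.Printf("genuine plugin: name-only %v, verified %v\n", genuine.NameOnly, genuine.Verified)
	fmt.Printf("forged app:     name-only %v, verified %v\n", forged.NameOnly, forged.Verified)
}
```

The name-only walk lists the vendor CA among the forged app's signers even though the vendor never signed it; any app that grants plugin privileges from that list is fooled, which is exactly what the signature check prevents.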
    4. Re:Appalling by jones_supa · · Score: 1

      Meeh. I think that also here the saying "Never attribute to malice that which is adequately explained by stupidity" works as the Occam's razor.

  24. TLS hardening by Anonymous Coward · · Score: 0

    While I am there I cannot resist promoting my own paper on TLS hardening, for the administrator and the developer, or to anyone missing the basics to understand security problems like the one reported here. From the summary:

    This document presents TLS and how to make it secure enough as of 2014 Spring. Of course all the information given here will rot with time. Protocols known as secure will be cracked and will be replaced with better versions. Fortunately we will see that there are ways to assess the current security of your setup, but this explains why you may have to read further from this document to get the up to date knowledge on TLS security.

    We will first introduce the TLS protocol and its underlying components: X.509 certificates, ciphers, and protocol versions. Next we will have a look at TLS hardening for web servers, and how to plug various vulnerabilities: CRIME, BREACH, BEAST, session renegotiation, Heartbleed, and others. We will finally see how the know-how acquired on hardening web servers can be used for other protocols and tools such as Dovecot, Sendmail, SquirrelMail, RoundCube, and OpenVPN.

    We assume you already maintain services that use TLS, and have basic TCP/IP network knowledge. Some information will also be useful for the application developer.

  25. Re:Impossible. by Anonymous Coward · · Score: 0

    Um if you read TFA it says Google is using code that was discontinued years ago. So one has to ask Google how they could be so stupid.

    Mature (old) code is not the problem. Bad code is. Security related code is notoriously hard to review, whether that code is new, or old, and once written (and the review is done) tends to not be reviewed again. OpenSSL is the poster child for this.

  26. Re:Thankfully those will be patched right in a jif by Rosyna · · Score: 1, Flamebait

    I only said 10%, not 70% or any of the other high numbers in the July 2014 Trend Micro report.

  27. You are so RIGHT! by Anonymous Coward · · Score: 0

    I am SO tired of these incompetent Indian programmers fucking things up for us!

    I tell, there's been many times when offshored programmers have sent me on a Trail of Tears!

    And I sit back and just have to say, "How."

  28. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Ok. So how do I patch my system without doing an OS upgrade. I don't want to upgrade because then I get all of Google's other malware additions.

  29. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Why can't Android do the same thing?

    Literally, because Google doesn't care.

    They want eyeballs. This is how you get eyeballs. Cheap, carrier modified devices will always be pushed by the carriers.

  30. Play Services by Namarrgon · · Score: 3, Informative

    If you have any of Google's apps installed, you'll also have Play Services installed - and this has already been updated to detect attempts to use the specific vulnerable certificates involved. If you only get your apps from the Play Store, you're fine, as they've already all been scanned (and no exploit attempts detected). Even if you sideload, so long as you left the Verify Apps checkbox on (default setting), then Play Services will scan any sideloaded apps too (no exploit attempts have been detected that way either).

    While the vulnerability is a serious one, it's not something that will concern the vast majority of Google's Android users. It's probably a lot more significant for companies like Amazon, who will have to develop their own response, and (inevitably) for all those millions of Chinese users of generic non-Google Android derivatives.

    --
    Why would anyone engrave "Elbereth"?
  31. No matter the flavor... by 93+Escort+Wagon · · Score: 1

    Relying on Java for anything fundamental is going to bite you in the butt.

    --
    #DeleteChrome
    1. Re:No matter the flavor... by Anonymous Coward · · Score: 0

      Harmony is not Java and is not the runtime used by 100% of servers running Java applications. All the news about Java issues are related to applets, a part of Java that no Java developer uses or cares about, and was never popular even at its height.

    2. Re:No matter the flavor... by tlhIngan · · Score: 1

      Relying on Java for anything fundamental is going to bite you in the butt.

      Crap. That's like 90% of cellphones out there (the rest are iPhones). Between Android and featurephones, all of which rely on Java... (J2ME wasn't just a pipedream - practically all featurephones prior to the iPhone used it).

    3. Re:No matter the flavor... by Anonymous Coward · · Score: 0

      Stop putting the phone in the back pocket. Problem solved!

  32. Re: Impossible. by Namarrgon · · Score: 1

    Luckily, it's entirely because they have been "taking android back" that they've been able to issue a (closed-source) Play Services response to the threat so quickly, to all Google-using android phones regardless of carrier.

    --
    Why would anyone engrave "Elbereth"?
  33. Re:Impossible. by gnasher719 · · Score: 1

    And a lot of android is open source. And it's used by many parties.

    As soon as you put open source code into your product, it's part of your product, and the quality is your responsibility. If you are a small time developer, you can use "Google used it as well, and they didn't find the problem" as an excuse. If you are Google, that excuse doesn't work.

  34. Re:Thankfully those will be patched right in a jif by thesupraman · · Score: 5, Interesting

    Not just that.. it's already reasonably moot.

    http://www.osnews.com/story/27868/Another_day_another_sensationalist_unfounded_security_story
    "First, a patch been sent to OEMs and AOSP, but with Android's abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed"

    Google reacted to this disclosure rapidly and well.
    Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.

    Just update your play store, and you are safe unless you are sideloading (never a great idea)
    If you are sideloading then if you leave verify apps on, it's also no problem.

    Google are also scanning all apps on Google Play to check no one has been trying this.

    Yawn, another google/Android beatup trying to wag the dog. Not hard to guess where the spin is originating.

  35. It was inevitable by maroberts · · Score: 1

    What did Apache expect when their code was written by Cowboys?

    --
    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

    1. Re:It was inevitable by Anonymous Coward · · Score: 0

      What did Apache expect when their code was written by Cowboys?

      Aliens?

  36. Re:Thankfully those will be patched right in a jif by Miamicanes · · Score: 2

    Find a popular ROM at XDA derived from whatever version you want to stick with and flash it (with a compatible kernel) to your phone.

    Until you have a few months of reflashing experience, DO NOT attempt to flash any ROM that requires repartitioning the flash, and don't ask the recovery manager to wipe /system unless you really know what can happen & have a plan for dealing with it. This goes DOUBLE for anybody with a Samsung Galaxy S3.

    Long story short: the eMMC is kind of like a SSD controller, and there are MAJOR known bugs (and plenty of poorly-understood ones, too) in the firmware. Basically, it's as if you tried to use Linux to create a new filesystem, but a bug caused it to just make all the old directories owned by some undefined user with impossible permissions instead... and do it in a way that made the drive initially LOOK reformatted, but spontaneously resurrect those corrupted files as more and more writes occurred.

    Now for the bad news (if you have a Galaxy S3) -- the eMMC firmware installed with stock ROMs older than 4.3 is dangerously buggy with AOSP-derived ROMs, and getting rid of enough of those bugs to semi-safely do wholesale repartitioning almost requires installing a stock-derived (but hacked so it doesn't enforce Knox) ROM first to get the eMMC firmware updated. More confusingly, the eMMC firmware is part of the radio modem firmware, even though it doesn't really have anything to do with the radio modem itself. So, if you're running a 4.1 stock ROM and want to install a 4.1 AOSP-derived ROM, tread VERY carefully, and pay special attention to any warnings at XDA that involve the word "eMMC".

  37. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 5, Informative

    I only said 10%,

    Then where does the 10% claim come from?

    Oh right - it was made up by AV vendors trying to scare people into buying their products.

    Unless you’ve had your head under a rock you’ll have noticed the latter is fast becoming the weapon of choice for Google’s rivals in attempting to curtail the former. On paper it should. Android malware rose from 238 threats in 2012 to 804 new threats in 2013. What was the combined total of new threats for Apple iOS, BlackBerry OS and Microsoft Windows Phone in that time? Zero. The remaining 3% came from Nokia’s axed Symbian platform.

    All of which poses a very valid question: how do you stay safe on Android? Perhaps surprisingly the answer is: easily. Why? Because here’s the part Google’s rivals don’t want you to know: the figures are misleading.

    Let’s be clear. From a statistical viewpoint researcher and security specialist F-Secure got them right. Android does account for 97% of all mobile malware, but it comes from small, unregulated third party app stores predominantly in the Middle East and Asia. By contrast the percentage of apps carrying malware on Google’s official Play Store was found to be just 0.1%

    http://www.forbes.com/sites/go...

    So that one's busted. Anything else you'd like to sell?

  38. Re:Thankfully those will be patched right in a jif by TheGratefulNet · · Score: 2, Interesting

    cell carriers? I have a google nexus (one) and it was abandoned BY GOOGLE, not the carriers, 2 years ago. no security fixes, no nothing. stuck at 2.2.something.

    google fucked us over by saying that nexus phones are upgradable and supported. they are not - not by any reasonable definition of 'supported'. I can have linux kernel, ip-stack (etc) updates (at least for security) for 10+ yr old linux pc's. but a few yr old phone - NO WAY. google has the attention span of a 5 yr old.

    should I have to throw away a $300 paid for phone that still works, electrically (at least)? this is why I hate android and hate google even more. they use the word 'linux' a lot but they bastardize it and abandon it and tell you 'go re-buy your phone'. sorry, that's not acceptable. not on a device that is less than 5 yrs old and still in perfect working condition. the only issue is the poor software and that will NEVER be fixed, it seems.

    I hate google. totally fucking hate their whole development model for phones. (and that leaves me no choice since I also hate apple and their whole scheme of lock-in).

    wish there was another choice. the whole mobile data thing really unnerves me with how bad the scene really is.

    I guess I can't (or won't) install any apps since the certs can't be trusted (or the code that checks them) and so whatever apps I have now, that's what I have and won't ever have any more on this phone.

    (and I fully expect the google fanboys to mod me down. they always do when I yell about their most holy and blessed google.)

    --
    "It is now safe to switch off your computer."
  39. Useable Code ... I'll Take It ... Thank You ! by Anonymous Coward · · Score: 0

    Wow.

    Not in a long time has usable code been identified.

    The likes of Apple have been downgrading NetBSD since after Tiger. I guess the last X in OS X X is an emulation layer running XP SP3.

    "The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged." This is evidence of a Master at work. Gwa-Dang I'm getting a boner.

    This code IS for me !

  40. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Because Android jumped onto the market primarily by being two things:

    1. Hey, manufacturers that aren't Apple! You can sell a modern smartphone platform!
    2. Hey, carriers that aren't AT&T! You can sell a modern smartphone platform!

    The whole point was that manufacturers and carriers were free to do whatever the hell they wanted so long as they followed Google's certification guidelines. They've tightened up a slight bit since then, you can't release new devices on 2.x anymore, and they somehow got Samsung to stop modding the hell out of Android all the time. But the underlying idea behind Android was for Google to get a foot in the door for mobile by basically giving away a smartphone platform, and they could get access to it's app store by just making sure that Google everything was preinstalled on the phone.

    They're moving away from this. The new Android platforms they announced at I/O this year (TV, smartwatches, and automotive) have much stricter limitations on what the manufacturer is allowed to put on the device. And all of them tether to the phone rather than having a mobile radio in them directly so carriers have zero say as to what goes on in them either.

  41. What about towelroot? by Anonymous Coward · · Score: 0

    Despite the rooting fun, what happens when hostile apps start using root to sidestep Android security? Can Google screen and block the use of a Linux system call?

  42. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Not as seamless as my wife's iPhone, but close enough for me.

    Which just goes to prove that women really are smarter than men.

  43. Java sandboxing helped in this case by raymorris · · Score: 1

    Essentially, what Java sandboxing is designed to do is to completely separate different apps, so for example your text messaging app doesn't have access to your browser's password storage. On a regular OS, traditional applications have access to all of your files and all of your hardware, meaning one piece of malware can get everything on your computer. Sun hasn't done a great job of implementing the sandbox in their Windows Java plugin. Google may have done a better job on Android.

    In Android, you specially allow each app to have access to different things. If a flashlight app requests permission to read your text messages, you don't install that flashlight, because a flashlight has no legitimate reason to be reading text messages.

    This bug isn't directly related to sandboxing, but sandboxing does reduce the impact. This bug allowed the author of an app to lie about who they are, about who made the app. So Joe Hacker could have marked his app as being made by Microsoft. If you trust Microsoft, you might install the app thinking it was made by Microsoft, but it wasn't really. So you go to install Microsoft Flashlight and the system says "Microsoft Flashlight wants to read your text messages". You'd click the "fuck off" button because a flashlight app doesn't have any business reading your text messages - even a flashlight app made by Microsoft. So while the bug allowed them to lie about who made the app, you can still see what the app is trying to access and deny it if it doesn't make sense.

    1. Re:Java sandboxing helped in this case by Wyzard · · Score: 1

      Not quite.

      First, sandboxing in Android isn't done at the Java level, it's done at the OS level, by running each app under a different UID and letting the kernel take care of enforcing what that UID is (and isn't) allowed to do. It's the same system that prevents different users on a "conventional" Linux system from accessing each other's private files. This is why Android apps can load and run native code (via JNI) without needing any special security permission or exemption. Native code is still in the sandbox.

      Second, the real danger in this flaw isn't malicious apps tricking the user, it's malicious apps tricking other apps. Android's permissions system includes a feature called "signature-level permissions" which allows apps that are signed by the same publisher to grant each other permissions that aren't available to apps signed by other publishers. This bug means that a malicious app can pretend to be signed by Company X in order to gain signature-level permissions to interact with actual Company X apps in privileged ways. Depending on the app, this may allow access to sensitive data.

  44. Re: Thankfully those will be patched right in a ji by Anonymous Coward · · Score: 1

    You weren't abandoned, the core apps still receive updates. The N1 is fine on GB so long as you're using Play and updating apps.

    If you want a full OS build then look for an aftermarket ROM like Cyanogenmod. I use my Desire Z (cousin of the n1) with Cyanogen 10 and it is fantastic. Do a bit of homework and leave your flaming for reddit.

  45. Re:Thankfully those will be patched right in a jif by thegarbz · · Score: 1

    That's all good and fine but just realise that you are in fact the minority. 2 years is not an accepted life span for many devices, but for many phones it most definitely is. You can thank contracts that last that long and come with a "free" phone.

  46. Malicious Actors? by Art3x · · Score: 1

    Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems.

    It's a good thing most actors aren't good at programming.

    Seriously, why do we feel we must constantly reel words, which were perfectly content in their familiar habitat, into the jargonic fold? "Actor"? Couldn't we have used one of dozens of words already used in everyday English: programmers, hackers, thieves, people? That last suggestion brings up another question: which of the two instances of the word "malicious" could safely be removed from the sentence? Both. After a long introduction about a security hole, we're so ready for a scenario about villainy that we would be positively thrown off otherwise. At least they said "could create" and not "could potentially create."

    Someone could put a fake certificate from Adobe into their mobile app.

    There.

    The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

    After the lawsuit from Oracle and now this, if I were the one who chose Java as Android's language, I would be kicking myself just about every day now.

    1. Re:Malicious Actors? by Kardos · · Score: 1

      Really? The summary describes a software flaw with grave security implications, and you weigh in with some whining about the use of 'actor' and a mediocre quality sentence?

      Education time: Some words have multiple meanings. Actor is one of them.

          actor
          noun: actor; plural noun: actors
          1. a person whose profession is acting on the stage, in movies, or on television.
          2. a participant in an action or process.

      It's bog standard to use the second sense in this context. See http://en.wikipedia.org/wiki/A...

    2. Re:Malicious Actors? by Anonymous Coward · · Score: 0

      Seriously, why do we feel we must constantly reel words, which were perfectly content in their familiar habitat, into the jargonic fold? "Actor"?

      Maybe you should find out the meaning of the word 'actor' before you spout off like an ignorant moron?

      Oh, wait, too late.

      Sorry, but if you're going to be an arrogant douche, you should at least be correct.

      You're not.

  47. Re:Thankfully those will be patched right in a jif by Zuriel · · Score: 2

    The Nexus One was abandoned because Google said the hardware was too old. And they have a point - you have to jump through some major hoops to get a modern ROM onto it.

    The N1 has 512 MB internal flash, and the way it was partitioned meant Android 4.0 was larger than the N1's system partition. Its partitioning scheme dates from the days when apps couldn't be moved to the SD card, so the system partition is only barely big enough to hold Android 2.3 to allow the maximum possible space for apps. Sure, you can plug it into a PC, repartition and format, load a new system image onto the phone from the PC, use a hack so all apps get silently redirected to an SD card, etc... but there was no way to do an OTA update.

    In short: the Nexus One has a critical hardware issue in that it only barely has enough internal space to store its own OS.

  48. cm11 unofficial by Anonymous Coward · · Score: 0

    Google is your friend.

  49. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 3, Insightful

    Couldn't this be patched as part of an update to the Google Services Framework?

    It is and has been.

    There is close to zero chance that anyone will be affected by this "Android mess". It's a beat up.

  50. Re:Thankfully those will be patched right in a jif by TheGratefulNet · · Score: 0

    I can thank contracts? this was bought outright and from google. it used to be their flagship (yes, a long time ago, but that's not relevant). what is relevant is how google ACTS vs what they SAY. their action speaks volumes and if it wasn't google, with 10's of thousands of employees who are, supposedly, best-in-the-world - they SHOULD have at least one person to support older phones, at least for security and major bugfixes. to this day (and on its birth day) it had a problem with x,y screen calibration. after a few hours of use, it buzzes at you if you touch the screen to click something. from DAY ONE it did that and it never got fixed. flagship phone, has to be reset (power cycle) to reset the x,y calibration. I don't mean the just-loaded-software (touch corners to calibrate) - but I mean that a power cycle will cause the x,y locations to stop vibrating at you and accept your input.

    this is just one of the many bugs in the nexus one. I will never buy another nexus now that I see how short google's attention span really is. I don't care what their marketing says, from personal ownership experience, they are shit and they abandon stuff for whatever reason - but the end user is screwed.

    there's lots of reasons to hate carriers, but all of this that I mentioned is nothing to do with them and everything to do with google's product mgmt. they decided to pull people off the n1 project and abandon it, leaving major holes in the software. pathetic. I'd expect this from a 10 or 50 man company but NOT from the almighty google. seriously!

    --
    "It is now safe to switch off your computer."
  51. Re:Thankfully those will be patched right in a jif by TheGratefulNet · · Score: 0

    bullshit excuse. I don't want or need new features. I want the 512 meg stuff TO WORK and not buzz at me when I touch the screen. or reboot (showing the shimmering X) during gps car use! or have their maps route me into a downtown (redwood city) when I'm really going from south san francisco to san jose. that is a pure route101 trip and yet, time after time, it sends me thru downtown RC when I didn't need to do that.

    gmail app is broken (I have to use k9 to read my gmail) - gmail app won't even poll for new messages anymore.

    we're talking HUGELY EMBARRASSING BUGS here. and yet, they act like the platform is 'done' and then tell you 'just buy another phone, rich guy'. yeah, right, feed the landfills by throwing away functioning hardware.

    fucking google... sigh ;(

    --
    "It is now safe to switch off your computer."
  52. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    You are unbelievable!

    Every security vulnerability in closed source you treat as proof that closed source is bad. Every security vulnerability in open source you treat as proof that open source is good because it was discovered. Oh, and those open source vulnerabilities are all moot, spin, and no problem.

    You are seeing what you want to see and suffer from a terminal case of confirmation bias. I've never seen, NEVER, any statistically compelling evidence that open source is superior to closed. Not for security and not for bugs generally.

    Do you think that all those Microsoft patches, thousands of them to date, were not "discovered"? That their closed source origins meant that they were not patched? What planet are you on?

    Fix your bugs. Get on with doing your work and protect your users. Stop claiming some kind of metaphysical superiority when it's more than clear that open source has an equivalent set of problems to closed source. Not necessarily equal, but certainly equivalent. "Those who live in glass houses should not throw stones." You lack the wisdom contained in this statement.

    Otherwise you are just spreading FUD and acting unprofessional.

  53. Re:Thankfully those will be patched right in a jif by Zuriel · · Score: 1

    Updated software won't fit on the device is a bullshit excuse for not putting updated software on the device?

  54. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    So what you're saying is, Verify Apps works?

    Even if we were to accept your 10% number, there's a gigantic difference between verifying a certificate chain and verifying an executable program.

  55. Re:Impossible. by Anonymous Coward · · Score: 0

    Um. Google is continuing it? With a lot more resources than it had originally? Unless you think Android is discontinued, but at that point I really can't help you.

    Calling the Android Java Libraries discontinued because Apache isn't involved anymore is like calling Libre Office discontinued because Oracle isn't involved anymore.

  56. passive scan isn't perfect by dutchwhizzman · · Score: 1

    This doesn't fix the underlying vulnerability; it merely scans for known ways to exploit it. I'm sure some clever people will find a way to thwart these scans and exploit the vulnerability, unless it gets fixed.

    The only way this sort of thing can be taken care of is if Google or some governments in countries with a large market share will mandate vendors of phones or their manufacturers to provide security updates for devices for at least the duration of the contract, but preferably for the expected life of the device. Devices tend to keep working for three or four years, so that way Android users would get a similar security experience as iOS users.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:passive scan isn't perfect by makomk · · Score: 1

      Barring another bug, it can - and probably does - scan for *all* ways to exploit it. The issue is that Android itself doesn't properly verify the certificate chain in packages before installing them, and Play Services can easily perform all of the missing checks itself and reject any package that fails them.
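      Wyzard's point (a chain's claimed issuer is trusted without the signature ever being checked) and makomk's (the missing checks are straightforward to perform) illustrated as an added example; this is not code from Android, Apache Harmony, Play Services or either poster. The class name `ChainLinkCheck`, the leaf-first chain ordering and the caller having already parsed the APK's certificates are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.List;

/**
 * Hypothetical helper (added example, not Android's or Harmony's own code).
 *
 * chain.get(0) is assumed to be the app-signing (leaf) certificate and each
 * following entry the certificate that claims to have issued the previous one.
 */
public final class ChainLinkCheck {

    private ChainLinkCheck() {}

    /**
     * Returns true only when every certificate in the chain is actually signed
     * by the key of the certificate that it names as its issuer. A chain whose
     * links merely *claim* an issuer (the FakeID case) fails here.
     */
    public static boolean chainLinksVerify(List<X509Certificate> chain) {
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        for (int i = 0; i < chain.size() - 1; i++) {
            X509Certificate child = chain.get(i);
            X509Certificate claimedIssuer = chain.get(i + 1);

            // Name agreement is all a forged "issued by Company X" chain provides.
            // It is a necessary check, never a sufficient one.
            if (!child.getIssuerX500Principal()
                      .equals(claimedIssuer.getSubjectX500Principal())) {
                return false;
            }
            try {
                // The cryptographic link the installer skipped: the child's
                // signature must validate under the claimed issuer's public key.
                child.verify(claimedIssuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                // Bad signature, wrong key, or unsupported algorithm: reject.
                return false;
            }
        }
        return true;
    }

    /**
     * The certificate that may be used for signature-level permission
     * comparisons, or null if the chain does not hold together. Using only a
     * verified signer keeps a forged issuer from matching Company X's apps.
     */
    public static X509Certificate verifiedSigner(List<X509Certificate> chain) {
        return chainLinksVerify(chain) ? chain.get(0) : null;
    }
}
```

      Note that a verified chain still has to end at a certificate the caller trusts (a pinned publisher key or a self-signed root it already knows); this helper only proves the links, which is the part the summary says was never checked.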

  57. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Not as seamless as my wife's iPhone, but close enough for me.

    Which just goes to prove that women really are smarter than men.

    No, *his wife* has the iPhone...

  58. Re:Thankfully those will be patched right in a jif by thegarbz · · Score: 1

    I can thank contracts? this was bought outright and from google.

    Irrelevant. The market place in general works on 2 year contracts. Just because you do something different doesn't magically mean a company should support you for it.

    In my experience they acted perfectly fine. Compare say your Nexus which received 2 years worth of updates, to *any other Android phone* which never received any updates from the manufacturer.

    As for the calibration, I wonder why you didn't return the phone under warranty? You had a problem? Well 200000 other people didn't. There was no major public outcry, and the phone was rated highly in its prime. So why did you sit there waiting for a software fix for a problem only a handful of people experienced?

  59. Re:Impossible. by Anonymous Coward · · Score: 1

    There were fewer eyes back then...

    So it was mpossble?

  60. Re:Thankfully those will be patched right in a jif by AmiMoJo · · Score: 2

    Only 804 new threats a year? That shows remarkable constraint. I remember a few years ago they were claiming around 50,000 new viruses per day for Windows. Presumably they were counting every slight morphing of a given virus as a new, unique strain.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  61. Re:Thankfully those will be patched right in a jif by Richard_at_work · · Score: 1

    If security fixes take up a significant amount of additional space, then something's being done wrong. Very very wrong.

  62. Re:Thankfully those will be patched right in a jif by DrXym · · Score: 1

    Cell carriers don't have to distribute it. Google could use their Play service and patch devices regardless of what the carrier did. They could even scan devices for active use of the exploit.

  63. Re:Thankfully those will be patched right in a jif by DrXym · · Score: 3, Informative
    I bet virtually all malware on Android originates not from the official store but from idiots downloading and installing apks from the wild or some dodgy Chinese app store - "this cracked Candy Crush says it needs access to make calls, send & receive SMS messages, access to my contacts, my Google accounts and email but I really want to play so I'm going to click through this obvious red flag and wonder later why my phone is calling premium numbers in Ouagadougou at 3am and why I have 10 missed calls from Visa loss prevention".

    I'm pretty certain Google has systems in place (as well as an after the fact kill function) to eradicate malicious apps that find their way onto the app store. Doubtless there are some there but they're background noise.

  64. Re:Thankfully those will be patched right in a jif by BorgDrone · · Score: 1

    Not as seamless as my wife's iPhone, but close enough for me

    And not as long either, Google only provides updates for 18 months. If you buy a phone on a 2 year contract (as many people do) and you get the new Nexus the day it is released, you still have 6 months in which you will not receive (security) updates.

    Completely unacceptable.

  65. Re:Thankfully those will be patched right in a jif by DrXym · · Score: 4, Informative
    In practice Android has several reputable stores - Google & Amazon Appstore - and there is a second tier of stores with some standard of validation / vetting: Samsung Apps, GetJar, F-droid, Appslib, SlideME etc.

    At the end of the day, android gives users the freedom to choose where they get apps from. But freedom implies the freedom to do stupid things. It won't stop a user installing warez if they want, but if they get owned it's their own damned fault. Not much different from what happens on a PC or Mac really.

    That said I don't think Android does enough to protect users from malicious or rogue apps, e.g. allowing the device to deny a permission to the app even if it claims to need it. Cyanogenmod demonstrates it can be added, but Google haven't seen fit to provide that functionality in the stock android code.

  66. Re:Thankfully those will be patched right in a jif by Zuriel · · Score: 1

    It's more like you install a 17 gig OS on a 17 gig disk, and then they release a free service pack that adds a ton of stuff. From Face Unlock to data usage limits to VPNs to support for new screen dimensions. And it needs more space for all the extra code. And then they offer security updates that assume you have the free service pack. They didn't release security fixes for Windows XP SP3 and also backport the fixes to SP2 and SP1.

  67. Re:Thankfully those will be patched right in a jif by TheRaven64 · · Score: 1

    I can only assume that you rarely talk to non-geeks. I upgrade my phone roughly every 3 years and most of my non-geek friends have significantly older phones than me. Many of them get new phones only when a geeky relative upgrades and hands down their old device, so the least technical users end up with the least secure devices...

    --
    I am TheRaven on Soylent News
  68. Re:Thankfully those will be patched right in a jif by GrumpySteen · · Score: 4, Funny

    The report they used even showed the Google Play Movies application as malware

    To be fair, that app is capable of downloading Uwe Boll films so you can make a case for it being a bit malwareish.

  69. Re:Thankfully those will be patched right in a jif by coofercat · · Score: 1

    > wish there was another choice. the whole mobile data thing really unnerves me with how bad the scene really is.

    http://jolla.com/ ?

  70. Re:Thankfully those will be patched right in a jif by Karlt1 · · Score: 1

    Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.

    The last major security flaw in iOS was found in open source parts of iOS.

    http://nakedsecurity.sophos.co...

    And all phones released since 2009 received the patch. (iPhone 3Gs and up)

    No not all of Android is open source and Google is close sourcing more and more of what is considered "Android" by most people.

  71. Re:Thankfully those will be patched right in a jif by c · · Score: 2

    should I have to throw away a $300 paid for phone that still works, electrically (at least)?

    Well, there *is* an unofficial CM11 port. It sounds like the limited memory and storage was a bit of a deal-breaker for everyone trying to support the Nexus One (even the alternate ROMs) until KitKat came along with its reduced resource needs. I suspect installing the Google Play Services stuff to get the app scanning might be asking a bit much.

    But yeah, generally speaking I don't disagree with your premise. The Nexus series, of all devices, would be something I'd expect Google to go above and beyond to keep working. I can sorta understand OEMs dropping their flagships pretty much as soon as the conveyors on the production lines stop spinning (and fuck-you-very-much HTC), but I'd hope that platform champion number one could do a little better than that.

    --
    Log in or piss off.
  72. Re:Thankfully those will be patched right in a jif by ColdWetDog · · Score: 1

    Excellent advice! I'll just go tell my mom ....

    --
    Faster! Faster! Faster would be better!
  73. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    In that case tell her.. nothing. It's already fixed if you have a phone with Google Play Services (aka a phone your mom would buy). Just look at one of the dozens of other posters here that already explained this.

  74. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    For the common person installing Warez, they're probably not aware enough to deny said permissions anyway so it won't make a difference.

  75. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    LOL, still pushing this? With APL devices, you are both the product and the consumer, so you get screwed in both ends.

    What? You think their i Ads system magically pulls user info used for their targeted advertising out of their ass?

  76. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Or people don't want to pay for it since they switch phones every two years because it's "free" anyway.

    Why would I want to pay a company for maintaining my phone for 5 years when I know I'm going to be upgrading to a new one before then?

    Also, wasn't there an article on here about how i things are perceived as slowing down with each new OS update? Shouldn't you stop when it's really affecting the user experience (you know, what they're supposedly known for?)

  77. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    I have a Nexus One I still keep around as an unlocked phone.

    Never had a buzz.
    I experienced your X,Y calibration like once, maybe twice since. I have no idea where you're getting this "touch corners to calibrate" because that's for resistive touchscreens and doesn't exist on capacitive ones.
    During its lifetime, it upgraded from 2.1 to 2.2, 2.2.1, 2.3, 2.3.3 up to 2.3.6, so about 5 "major" updates. It still receives updates to Google Play services and most built in apps. Which other phone has had more than 5 updates? Sure, it was all compacted into two years, but Google moves pretty fast in terms of features.

    It sounds like you should have replaced your defective unit. It happens.

    The reason why the N1 didn't get any upgrades was pretty obvious to me (and I'm pretty sure they specifically said that as well) - it had a low amount of internal memory. In exchange, it was one of the first to have a 1GHz processor, SD card support, and an aluminum body and beat even the next gen i-devices in web rendering speed.

  78. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    I have no idea what the hell you're doing to your phone. I still have a Nexus One (it's not my primary phone anymore) but I've had no problems with it as long as I've kept at least 20ish MB free. (Do NOT ignore the low disk warning). I even have a big scratch down the middle of my screen from it pressing up against a bolt on a roller coaster in my pocket.

    Gmail still syncs as long as I have the sync option turned on. I've had reboots but only because I've ignored the low space warning - after I removed stuff, I think it crashed maybe once.

    Compare this to the number of times I've seen programs crash, lock up (so that it would not respond to any touch), have terrible battery life on i Things? NTY.

  79. Yes, by beanpoppa · · Score: 1

    because unlike iOS which requires an upgrade of the OS to get a new Appstore, even on devices running 2.3, the Google Play app and Google Play Services can be updated to the latest release without any manufacturer or carrier involvement.

  80. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    If you're savvy, you can download the latest SDK and compile it yourself. My devices are all patched up :)

  81. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    No, you got a defective product and were too stupid and/or stubborn to return it. My Nexus One never had the issues you speak of, and of my three friends that also had one, they never had any issue at all similar to what you're saying. This is akin to someone buying a defective iPhone and railing about how terrible all iPhones are because of your one defective product.

  82. Re:Thankfully those will be patched right in a jif by brantondaveperson · · Score: 1

    Well no, the excuse will be that google don't want to backport fixes from their 4.2 branch back to their 2.2 branch. And I can't blame them, such backporting is usually a lot of work and everybody hates doing it. Plus of course there would be no direct revenue from the engineering effort, other than a certain amount of 'goodwill' (which can apparently be put down on the balance sheet, but that seems a bit nuts to me).

    So there's two problems, one - the new Apps/OS won't fit on your device and two - no-one wants to backport the fixes to the old Apps/OS.

    Result: Useless device that is not fit for the purpose that it was originally sold for. Does the US have 'not fit for purpose' laws? Perhaps you can return it?

  83. Re:Thankfully those will be patched right in a jif by Anonymous Coward · · Score: 0

    Constraint is not restraint. Go back to kindergarten and start over on the learning-how-to-communicate thing.

  84. Re:Thankfully those will be patched right in a jif by thegarbz · · Score: 1

    Quite the opposite. Most "Geeks" I know bail out of their contract to get a new phone. The only person I know who doesn't have a phone on a plan is my mother. In every other case you get the latest phone for effectively free. That's how the brain works when you go from paying $40/month, contract expires, keep paying $40/month and a new phone arrives.

    Maybe your non-geek friends are on different relationships with their telecom companies than my .... err whole country.

  85. Re:Thankfully those will be patched right in a jif by TheRaven64 · · Score: 1

    Ah, you're in the USA? Here, most people have pre-pay plans (being locked into a contract is generally seen as negative, unless it comes with some really good deals) and so get the phone that they bought along with their SIM and then hang onto it until it breaks or someone gives them a new one. I don't think I know anyone who pays close to $40/month on a phone bill (a fifth to a tenth of that is common and it's hard for a contract that comes with a new phone to be that cheap). At that price, I'd probably do without a mobile.

    --
    I am TheRaven on Soylent News