Samsung To Push Monthly Over-the-Air Security Updates For Android

wiredmikey writes: Smartphone maker Samsung said on Wednesday that it soon will implement a new Android security update process that fast tracks mobile security patches over the air when security vulnerabilities are uncovered. The South Korea-based maker of popular Android smartphones said that it recently fast tracked security updates to its Galaxy devices in response to the recent Android "Stagefright" vulnerabilities uncovered late last month by security firm Zimperium. News of the initiative is great for Android users. For years, wireless carriers and phone manufacturers have been accused of putting profits over protection and dragging their feet on regular operating system updates, making Android users vulnerable to malware and other attacks. Nexus is also joining the monthly OTA update club.

I'll believe it when I get the notification.

[Sowelu]

Promises, promises, promises...

Re:I'll believe it when I get the notification.

[Scragglykat]

https://www.youtube.com/watch?...

Re:I'll believe it when I get the notification.

[bobjr94]

Pretty much. We got a few galaxy relays when they first came out about 3 years ago, in that time there was 1 update. Im now running a 3rd party rom, debloated, many new security updates and features with longer battery life an faster performance as a bonus. Why offer updates for old phones when people can just go buy a new one.

Re:I'll believe it when I get the notification.

[Penguinisto]

...better hope it demands to be on wifi before transferring, else a few folks are going to get a bit of sticker-shock on the next phone bill...

Re:I'll believe it when I get the notification.

Promises, promises, promises...

I'll see your promises and raise you:

Developers, developers, developers, developers...

Re:I'll believe it when I get the notification.

just checked updates on my Note 4 on sprint, bugfix for stagefright, so there you go

Re:I'll believe it when I get the notification.

Can they be disabled? Microsoft Windows 10 comes with spyware, ads and automatic updates built in, none of which can be disabled.

Re:I'll believe it when I get the notification.

Microsoft Windows 10 comes with spyware, ads and automatic updates built in, none of which can be disabled.

Which means the Year of the Linux Desktop is right around the corner!

Re:I'll believe it when I get the notification.

[erice]

Promises, promises, promises...

Not even specific promises.

I would bet it is only for the first year after a model is released and even then, only if the carrier cooperates.

Re:I'll believe it when I get the notification.

[antdude]

Basically, prove it!

Re: I'll believe it when I get the notification.

I wish there was no insistance to agree to many pages of terms to get updates

Re:I'll believe it when I get the notification.

Just checked updates on my Note 3 on Spark NZ - no updates for months... Supposed to get Lollipop at some point officially... I think they prefer me go buy a Note 4 or S6...

Re:I'll believe it when I get the notification.

And hollow promises at that. It's never going to happen, because...

Samsung said that it is currently discussing the new approach to addressing security flaws with carriers around the world, noting that more details about the specific models and timelines will be released soon.

In other words the carriers have to sign off on it. Which they never will.

Re:I'll believe it when I get the notification.

[youngone]

I'm in NZ too, on Vodafone with a Galaxy S4. I got Lollipop on Monday, v 5.01. Better late than never.

Re:I'll believe it when I get the notification.

[tlhIngan]

Good point.

Because I mean, they said Galaxy line, which is a LOT of phones. In 2014 alone, Samsung released around 2-3 new phones a week. (They released about 1 new tablet a week, too - 54 different models!)

We're talking well over 100 new Android phones in 2014 alone. Granted, a lot are just variants for carriers, but that's still a LOT of phones and models and builds.

Yes, Samsung has a HUGE software development force - larger than Google, Apple and Microsoft combined (well over 100K software developers), but still, we're talking a huge number of builds, and a huge amount of testing.

And many of those phones are basically sold at disposable prices because they were built to basically be free.

The story would be more believable if they only kept to say, the Galaxy S6 or Note 5 or Edge 6, the three flagships, even though that's only around 10% of their sales.

But what about profits?

[ausekilis]

I'm curious how they'll "encourage" users to upgrade to the latest shiny if the slightly tarnished shiny is still up-to-date...

Re:But what about profits?

[0123456]

I'm curious how they'll "encourage" users to upgrade to the latest shiny if the slightly tarnished shiny is still up-to-date...

Android's hardware requirements grow more than fast enough to encourage users to upgrade every couple of years.

Re:But what about profits?

They'll issue security updates to the current OS, not update Android as a whole. That way you never get anything new without paying but they won't be accused of not fixing security issues.

Re:But what about profits?

Not updates to Android, just security patches. They wouldn't dare give you free feature updates.

Re:But what about profits?

Except of course the free updates Google does, absolutely routinely, hand out for their all their apps (and almost every Android user out there).

Patches to an otherwise stable OS and a bunch of new applications for as long as they will run is an absolutely reasonable way to proceed.

Re:But what about profits?

[Sowelu]

Google's app upgrades are a minefield at best and a disaster at worst. Chrome seems to get slower every update (typing a website now hangs for a couple seconds after the first letter while it populates the history, and sometimes before you start typing at all, and loses letters typed during the pauses), plus the interface changes at random (pulling down at the top of a page reloads it now, which works great with websites that want you to swipe to control them). Chat->Hangouts drops a lot of information about contact status. Maps, similar issues to their web version.

Re:But what about profits?

[darkain]

It is as simple as this: "We push security updates more often than our competitors" - it isn't just about retaining market share, it is about acquiring it from competitors. This is a highly requested feature from users that handset makers and carriers have been fucking up for years. So if a company delivers on this, it could very well easily be the tipping point between otherwise seemingly similar devices on the market - especially in the enterprise/government sector.

Re: But what about profits?

Use Sleipnir

Re:But what about profits?

Opera on Android is much faster than Chrome.

Re:But what about profits?

[exomondo]

I'm curious how they'll "encourage" users to upgrade to the latest shiny if the slightly tarnished shiny is still up-to-date...

Same way Apple does. Add new features to the hardware and software which also results in higher requirements for the system. Your older systems are still up to date but they run slower and lack newer features but at least they don't have critical bugs.

Re:But what about profits?

I'm curious how they'll "encourage" users to upgrade to the latest shiny if the slightly tarnished shiny is still up-to-date...

Android's hardware requirements grow more than fast enough to encourage users to upgrade every couple of years.

Yep. My Galaxy 3 can't be upgraded to Samsung's release of Kit-Kat, because it "only" has 1GB of RAM. Apparently, for Kit-Kat and Lollipop, the Galaxy series needs 2GB. This illustrates the amount of bloat in the Samsung releases, as Kit-Kat officially needs only 512MB.

Re:But what about profits?

[ArmoredDragon]

Yeah I was about to mention that. Kitkat lowered the hardware requirements back to what Gingerbread needed.

Honestly words can't express how much I hate Samsung's variant of Android. Every time I hear somebody say "android is slow and buggy compared to X" (be that ios/wp) the first thought that comes to my head is: "Oh, you're using a Samsung."

Re:But what about profits?

[blind+biker]

Let me also mention Gmail: some half a year ago I upgraded Gmail on my Samsung Galaxy S3, and was so thoroughly disgusted by the bugs and the useless UI changes that I promptly proceeded to downgrade it. At least Android allows me to keep the version of the app I prefer.

Yes, I also use a relatively old version of Maps.

Re:But what about profits?

Kit-Kat needs only 512MB in the same sense WinXP needed only 64MB - it boots, but good luck doing anything.

Re:But what about profits?

that method worked in the desktop/windows business for 20 years. since requirements plateaued (vista, released over 8 years ago, and later versions have essentially same hardware requirements) -- people have landed on a favorite, windows 7, and stay there. 8 sucks, 8.1 sucks a little less, 10 sucks a lot more (and i'm not just referring to how it, by default, will suck your internet connection and cap, dry).

nobody is moving off 7 voluntarily.. new computer sales yes, computer breaks? they're buying what's available, sadly that will be win10 now, as 8.1 is withdrawn, retail/dsp 7 also removed from marketplace, and 7 downgrades getting harder to find and more expensive..... but not upgrades.. at least not upgrades of anyone with at least half a brain and a functional windows 7 computer.

Re:But what about profits?

Kit-Kat needs only 512MB in the same sense WinXP needed only 64MB - it boots, but good luck doing anything.

Yeah, I remember NT3.5 needed 16MB... yeah, after 2 minutes to get the login prompt the hard drive was crunching for another 5 minutes after paging stuff, and if you were lucky you could maybe run Solitaire on it with any decent performance.

Re:But what about profits?

[AmiMoJo]

They understand their market. Most people don't upgrade their phones whenever a new model comes out, they get them on contract and upgrade on a two year cycle when the contract ends. Consumers are looking at phones that they think will last them two years, or just buying whatever seems the most shiny at the time their contract happens to end.

Re:But what about profits?

[tepples]

Kitkat lowered the hardware requirements back to what Gingerbread needed.

And Lollipop raised them again. "System" processes on my Nexus 7 (2012) are using more RAM under Lollipop than they were under KitKat.

Re:But what about profits?

I "upgraded" by going from W7 to OS X 10.10.x.

No spyware, no crap phoning home that shouldn't (and Little Snitch will show that is the case), with VMWare Fusion, Web browsing is done in a nice, well armored sandbox. Backups are taken care of transparently and easily with a Time Capsule (every month, I buy an external HDD, plug it into the TC, tell the TC to do an archive, then toss that drive in a safe place.)

Only downside is not using Thunderbolt until Apple gets off its derriere and gets an update out... but USB 3 is OK for drives for now.

Re:But what about profits?

[mlts]

That is a double edged sword. Security patches only is one thing. Security patches plus bloatware that can't be disabled... I'll pass.

Of course, the ideal would be if CM would get OTA updates, since it is is one of the best ROMs to be using on an Android device anyway.

Re:But what about profits?

[mlts]

The good thing about Android is that you can replace most components. I've moved to Dolphin Browser, which works well, and has a good choice of extensions. Hangouts gets replaced by a secure SMS application. Even the launcher gets tossed and replaced by Nova Launcher.

The only real app that I cannot find a replacement for is the default mail one, as it works well with both Exchange (mail, calendaring, contacts, tasks), and IMAP.

Re:But what about profits?

[mlts]

I'm concerned about this being a double edged sword. A "security update" can be something to get rid of root or harden the bootloader against the user just as much as something to block a remote attack. Heck, a "security update" could also bring along bloatware with it.

Re:But what about profits?

[Octorian]

Except that was during an era when most users only had 4MB of RAM, maybe 8MB if they were lucky. Oh, and RAM was actually expensive back then. Like more expensive than a whole smartphone is today.

Re:But what about profits?

[kmoser]

Security updates can also introduce more bugs.

Re:But what about profits?

[ArmoredDragon]

And Lollipop raised them again.

Not by much.

the networks could just block MMS

it's so simple; but where's the profit?

Re:the networks could just block MMS

[Forever+Wondering]

A possible workaround ...

When I first saw this bug, I changed my Galaxy S3 [running 4.4.2] to disallow MMS from unknown senders. Start the [default] Messaging app, click the left soft key, select "Settings", scroll to bottom and click the check box for "Block unknown senders". I don't know if this actually will provide a true workaround, but it's the only thing I could find.

Reportedly, Google Hangouts has a similar option. In short, whatever app you're using for messaging might/should have this option.

Samsung needs to offer custom roms for there phone

Samsung needs to offer custom roms for there phones there don't void any warranty when installed over the carrier roms of there phones. As well the rooting tools if needed to install a custom rom.

updates, updates, ...

[hjf]

Does anyone remember the time when software just WORKED? When you didn't have an update of something every single day? What is it with phone users? I know everyone seems to want the latest and greatest. But DOZENS of app updates a week is just boring. And when the phone is updating you can barely use it.
I thought the future was going to be full of ads. It seems the future, actually, is just full of updates...

Re:updates, updates, ...

[krelvin]

If an app is built for just that phone then you have a point, but they aren't. They are built for many phones, different versions of Android and as such there is a constant update process to fix issues with the app working on one thing or the next. What phone are you using that makes it so you can barely use it when it is getting an update? Perhaps you have too many apps?

Re:updates, updates, ...

[ledow]

Has software ever "just worked"?

I can name bugs in 30+ year old software that made it into a production release and could never be patched because of the capabilities at the time.

And that was when the "app" was the only thing running on a single processor with complete "kernel" access to the entire machine, so not at all complicated by filesystems, process interactions, security mechanisms, etc. The days when software COULD take advantage of the timing of a particular processor, and even things like undocumented opcodes.

Software is an inherently "unfinishable" product. Just as everything works, something will break somewhere - you get your app going in DOS and then all your clients move to Windows, you get it working on Windows, and then all the Windows versions move to NT-based kernels and the like. It's a never-ending game.

And, with security particularly, there is no point at which you can call the software finished. There isn't a piece of software in existence that is "unbroken" on a general purpose modern machine - even those released dozens of years ago. Nobody was considering timing-based memory cache attacks back then.

Software that stays static is THE WORST culprit of exactly this kind of shit - unfixed bugs that propagate and hang around for years undiscovered until they become much more serious and affect devices that can no longer be commercially-viable to update.

Software is not static, and mainly because our expectations, operating systems and even hardware aren't static either.

You think Word 2.0 for DOS is somehow magically "secure" or better programmed than modern stuff made with optimising compilers that warn about everything and do proper memory separation?

Re:updates, updates, ...

[0123456]

Has software ever "just worked"?

Somewhat. My Sun workstation ran for years with no software updates. It had bugs, but nothing that required a new operating system or application software.

The big difference was that it was behind a firewall and a 19.2k modem, so there wasn't much anyone could do to attack the--probably numerous--security holes.

Re:updates, updates, ...

[Grishnakh]

Does anyone remember the time when software just WORKED?

I remember those days well. It was just like yesterday.

However, back in those days, our computers ran MS-DOS, and weren't connected to the internet. For the few people who did have internet access (mainly college students), they usually didn't have their own computer hooked up to the internet, they shared some VAX or Unix machine, and mainly used it just for email, USENET, and maybe exchanging files via FTP. Some people used Gopher, though I don't remember what for. Since so few people used networked computers, hacking wasn't much of a problem, and was mostly an activity done by bored college students to see if they could.

Also, I do remember some updates back then, mainly to DOS games. Even back then, the games were buggy, but not too much. I remember some of them using some kind of utility (was it called "Patch"?) to update their software, so the updates could be distributed on BBSs. This software actually worked quite well: it only contained the parts that had changed, and the utility would actually modify the binaries on-disk as necessary. I haven't seen anything like it since, which is a shame since we do so many updates these days. For some strange reason, all our updates now involve distributing a bundle that includes all the changed files (rather than just the changed part of a file), so the update bundle is much larger than it needs to be. If some pathetically slow circa-1992 DOS machine could handle modifying binaries on-disk, why can't modern machines? It would save a huge amoung of bandwidth.

Re:updates, updates, ...

[SleepyHappyDoc]

No, nobody remembers that time. I remember when Windows couldn't run more than a few days without crashing. I remember when getting a program to work required arcane knowledge and steps bordering on voodoo. I remember when getting a wireless card working on Linux was the realm of super hackers. I remember Sasser.

Re:updates, updates, ...

[ledow]

And I bet even that firewall and modem had bugs that exposed more of an attack surface than you ever wanted it to.

Systems don't "stop running" without updates. They stop being secure. And now that systems are all online, all the time, it's more important to be secure than almost anything else.

Re:updates, updates, ...

Yeah. Back in the 80s.

Had systems that were damn fucking rock solid. and would seemingly take a bullet and keep going. They had wonderful, solid monochrome green screen serial terminals and nothing changed. Ever.

Now these pesky users want color, graphics, local storage, sound, mice and other pointing devices, portable workstations, handheld computers, printers, and customizable everything. Worst of all they want to connect to this huge world-wide network called the internet! There's no way at all to control what goes in and out there!

Fucking users. If it wasn't for them our systems would be perfect.

Re:updates, updates, ...

[fustakrakich]

Does anyone remember the time when software just WORKED?

Yeah, when it was printed on ROM. Writable memory will kill us all!

Re:updates, updates, ...

[0123456]

No, nobody remembers that time. I remember when Windows couldn't run more than a few days without crashing.

That's what you get for buying cheap crap. In that same era, the first time I rebooted my Sun was for a CPU upgrade... but it cost at least 5x as much as a Windows PC.

Re:updates, updates, ...

The fact that updates need to be done for "ever changing" units is the fault of the API developers for being shit and not having basic foresight.
APIs are SUPPOSED to shield developers from constantly changing parent software, be it a browser or an OS.

This pisses me off to no end because it happens everywhere.
Look at how insanely annoying it is with Firefox to see why it is stupid.
Mozilla have pissed off near enough every single extension developer for constantly shitting over their APIs and breaking more than half the damn extensions out there.
Chrome, oddly enough, is about one of the few things that seems to have gotten this common problem and said "no" and done away with it. There are still stupidly old Chrome extensions that work on newest release because they actually took the time to make a good API.

I refuse to even call it an API. It is an insult to good developers who actually take more than 5 seconds to sit down and think, "HMMM, you know, changing this would break literally everything, better not do that!"
Meanwhile at Mozilla, "hmm, you know, this will break everything, OOOOHH WELL, lets re-arrange these parameters for NO REASON AT ALL. Let's still continue using function parameters because that is totally a good idea for an API."
FUCK.

note to developers: Stop writing shitty APIs!

Re:updates, updates, ...

The big difference was that it was behind a firewall and a 19.2k modem

ping -c 3 -p "+++ATH0"

Many haynes clone command sets (and even a couple bugged haynes firmwares) did not require the 300ms pause between the +++ "I want to send a command" pattern, and the actual command to the modem. You just had to get the remote system to reply with that command pattern to disconnect.

The best was against email servers. Send an email you know will bounce with a +++ATH0H1DT1900xxxyyyy number under your control and the bounced emails will make the modem hang up and call your toll number over and over, until an admin manually cleared it from the mail queue.

Re:updates, updates, ...

[Lord+Apathy]

I remember those days well. Fuck That Shit. I had an Amiga 500, I couldn't scratch my ass with out it falling over. I had to reformat the HD at least once very few months because the god damn file system was so fucking fragile.

Fuck that shit.

Re:updates, updates, ...

They stop being secure.

They were never secure, unless proven bug-free

Re:updates, updates, ...

i remember when mistyping an website meant you had to reinstall windows.

Re:updates, updates, ...

[Dutch+Gun]

For some strange reason, all our updates now involve distributing a bundle that includes all the changed files (rather than just the changed part of a file), so the update bundle is much larger than it needs to be.

This is a bad idea in case the target image doesn't match exactly what you expected it to be. For instance, the target file may be one of several previous versions... which version do you create a diff against? Or do you bundle ALL possible diffs? Oops, we just lost our advantage in size, and we made things a hell of a lot more complicated or ourselves and the user. Or what happens if the file has been somehow altered unexpectedly, via corruption or malware? No way to solve that little issue.

It's far safer and simpler to simply distribute the entirety of the new files, at the expense of some potentially wasted bandwidth.

Re:updates, updates, ...

[swillden]

Has software ever "just worked"?

Somewhat. My Sun workstation ran for years with no software updates. It had bugs, but nothing that required a new operating system or application software.

The big difference was that it was behind a firewall and a 19.2k modem, so there wasn't much anyone could do to attack the--probably numerous--security holes.

So, if we just disable all network interfaces and keep our phones physically secure behind locked doors, updates won't be needed.

Brilliant!

Re:updates, updates, ...

[swillden]

They stop being secure.

They were never secure

Is a system with no security defects known by anyone secure?

This might appear to be a philosophical maundering like "If a tree falls and no one is around to hear it, does it make a sound?", but it's not. It's a very serious question, with real implications... and the answer is yes.

Consider FakeID, a serious vulnerability in the Android app signing infrastructure that basically allowed any app to be claim to be from any provider -- including claiming to be signed by the OEM, to obtain system privileges. The bug was introduced in 2.2.1 in 2010 and existed in all versions of Android until 2014.

But no one knew.

Once the flaw was revealed Google was easily able to go back and examine the certificates of all apps uploaded to Google Play during the entire period of time between when the vulnerability was introduced and when it was fixed. Google also examine the contents of other app stores, and non-store app repositories. There wasn't a single instance of an app with a faked certificate chain, anywhere, until the public disclosure of the bug. Snowden's documents gave no hint that the NSA knew of it. Hacking team's archives had no hint of it. If anyone, anywhere, knew of the bug they were incredibly circumspect and careful with their usage. The more reasonable conclusion is that no one knew.

During those four years, all Android devices were vulnerable to this serious security hole, but none of them were exploited. So, the Android app signing architecture was effectively secure even while it was technically broken.

And as I said above, this is not just a semantic quibble. If your definition of "secure" (under some defined threat model) assumes that the system must have no security defects, then no system of any complexity ever has been or ever will be secure. Security is only meaningful within a defined context, and that context includes the knowledge of the adversaries. Of course, we can never know what the attackers do or do not know, but we can reasonably suppose that if they don't use a devastatingly effective attack it's because they don't know about it. This means that systems actually do get less secure over time, unless they're maintained.

(Note, BTW, that the mere existence of a known security defect also doesn't necessarily make the system insecure. That also depends on threat model and on whatever other mitigations may be in place. For example, take the libstagefright bug. 90% of Android devices in the world are running Ice Cream Sandwich or higher, and have ASLR enabled in their kernels which makes a bug like the one in libstagefright very hard to exploit.)

Re:updates, updates, ...

[matthewv789]

Yes, I remember the time before computer networks.

Re:updates, updates, ...

I miss the days where software companies HAD ONLY 1 CHANCE to get it right, Nowadays they ship their software incomplete and patch it when you install it and many times thereafter.

Re:updates, updates, ...

[FlyHelicopters]

That's what you get for buying cheap crap. In that same era, the first time I rebooted my Sun was for a CPU upgrade... but it cost at least 5x as much as a Windows PC.

No, that is what you get for running a crappy OS... :)

A modern $400 Dell machine will run 24/7 for almost ever now... rebooting only for Windows Updates...

That is a nice change... :)

Re:updates, updates, ...

But no one knew.

How can you be so sure? Just because it wasn't public doesn't mean that nobody knew or that anyone was exploiting it.

Security through obscurity is not reliable.

Re:updates, updates, ...

Is a system with no security defects known by anyone secure?

If it has a security defect not known by anyone ... no, it isn't secure. Not unless you can guarantee that the defect will be found and patched before it's exploited.

Re:updates, updates, ...

[wbo]

Actually steam does distribute patches as delta updates if the copy of the files currently on disk matches one of the versions in the steam database. If the files that need to be updated don't match any of the hashes in the database or are missing then the entire file is sent.

The launchers/updaters for many MMOs also work the same way. I know Final Fantasy XIV and Lord of the Rings Online both distribute updates as deltas from known versions whenever possible.

The MSI installer framework that many Windows-based applications use also supports delta patches for binary files, although I have only seen a few non-Microsoft applications actually distribute updates in the form of MSP files to take advantage of this.

Re:updates, updates, ...

[sociocapitalist]

And when the phone is updating you can barely use it.

Have you considered upgrading your hardware? :-)

Re:updates, updates, ...

[sociocapitalist]

"But no one knew. "

That you know of.

Are you not making an assumption that an entity like the NSA, had they known, would have shared their findings with the vendor or make it public?

Re:updates, updates, ...

Has software ever "just worked"?

Usually, yes.

Of course, you have to make some choices. Don't go with anything that has a bad track record - particularly anything from Microsoft. (Avoid both their OS and their apps - good alternatives exists for all.) Linux has worked for me the past 2 decades - if you want something more mainstream & polished, then I hear that Mac stuff isn't so bad either.

Re:updates, updates, ...

[swillden]

You didn't read my post.

Re:updates, updates, ...

[swillden]

I see that you didn't read my post.

Samsung may promise

Samsung may promise timely over the air security updates, but will the carriers deliver?
My Samsung Galaxy Alpha is from AT&T and the "Check for updates" is also labeled "AT&T Software update" NOT Android/Samsung update, so I am still at the mercy (such as it is) of AT&T for the security of Android on my phone.

Re:Samsung may promise

[XanC]

Just buy the unlocked international version of the phone you want.

Re:Samsung may promise

The carrier was selected by my employer, not me. I did get a choice of phones and elected to stay away from Apple.

Re: Samsung may promise

stay away from Apple.

And here I am, about to ditch Samsung for Apple because, updates, that's why.

device not eligible

[Lead+Butthead]

Device released prior to not eligible for updates.

Re:device not eligible

[Frobnicator]

The devices I can see were launched within the past two years. Looking a few of them up, the oldest I see was launched November 2012 and discontinued November 2014. In my view these should all be getting standard support anyway. We're not talking about an announcement to patch phones from 2007 or 2010.

Supporting a two-year-old product SHOULD be non-news, the true problem (sadly) is that it has become such.

Hopefully, they'll be able to bypass the carriers

[glsunder]

Samsung can make all of the updates they want, but if Verizon and other companies just sit on them, it won't do us much good.

Re:Samsung needs to offer custom roms for there ph

[CodeArtisan]

Yes, that would be a great way to lose business from every single one of the carriers they do business with.

Misleading, OTA Updates

Samsung is just as good at abandoning Android updates as ever but they do have "Security policy updates" they can roll out whenever they like.

Now, someone else flesh this out, 'cause I have to go.

Not quite clear on this

[fustakrakich]

So with my otherwise perfectly functional 2011 plain old Nexus that hasn't seen an upgrade since Jellybean I'm out of luck? Eh, life in the big city, I guess.

This is proper behaviour

This is how Android can survive as a reliable platform. Props to Samsung for promising to honor the payments I make monthly basis for support.

Its not all about profit, its about service. Right? Thats what will differentiate the better carriers, in addition to the coverage, bandwidth and oh.. yeah.. HARDWARE!!

Re: This is proper behaviour

So the proper behaviour is to claim they've fixed the issue, without actually doing so? My Galaxy S4 still hasn't been patched.

SwiftKey?

[dwheeler]

What about the disastrous SwiftKey vulnerability? It makes Samsung Android systems vulnerable too. Samsung said they'd fix it back in June, but we still have no patch.

When buying an Android phone: Measure how many days it takes from the vulnerability report (at least publicly) until it's patched in phones already used by customers. Focus on phones more than 2 years old, since your phone will be that age someday. Then: Don't buy from unresponsive makers. I suspect that if a few buying guides included those numbers, some manufacturers and service providers would start paying attention.

Re:SwiftKey?

[0123456]

What about the disastrous SwiftKey vulnerability? It makes Samsung Android systems vulnerable too. Samsung said they'd fix it back in June, but we still have no patch.

Didn't they block it with a security policy update until the patch was available?

It's hard to tell, since there doesn't seem to be any way to figure out which changes are in which policy updates.

Re:SwiftKey?

[dwheeler]

I've been googling around and can't find any evidence that it's blocked or mitigated. I know it *was* vulnerable, and can find no evidence to the contrary, so I have to presume it's still vulnerable. Blech.

Re: SwiftKey?

If I followed that policy, I'd never be able to buy an Android device again.

Re:SwiftKey?

[tepples]

Measure how many days it takes from the vulnerability report (at least publicly) until it's patched in phones already used by customers. Focus on phones more than 2 years old, since your phone will be that age someday. Then: Don't buy from unresponsive makers.

And if it turns out that the only responsive maker is Apple, then what? If I'm developing apps for a device, I won't be able to verify my compiler toolchain using diverse double-compiling because only Xcode can sign apps for execution on an iOS device.

(Note to moderators: dwheeler popularized diverse double-compiling, a method of ensuring that a compiler is unlikely to contain self-propagating malware by bootstrapping it with other implementations of the same language.)

Re:SwiftKey?

[Trogre]

or just buy what you want and install CM.

Re:SwiftKey?

[sad_]

When buying an Android phone: check if it is supported by different open custom rom projects. Who cares about those horrid default Android installs that come with the phone.

Re:SwiftKey?

[q4Fry]

And then wait for CM to stop issuing stable (or even "snapshot") builds for your model. I can do without the newest shiny features, but I want the security updates backported to the latest stable version. CM is beholden to no one.

Re:Samsung needs to offer custom roms for there ph

That or just not push out steaming piles of garbage like the Lollipop update for the S5.

Re:Hopefully, they'll be able to bypass the carrie

Plus it only helps if the users install them.

Some users aren't fond of having the root access they got (sometimes after risks or struggle) taken away on a monthly basis.

Re: Samsung needs to offer custom roms for there p

People buy phones from a carrier? Wow. So 90s.

Re:Hopefully, they'll be able to bypass the carrie

[idontgno]

Came here to say this.

The problem has never really been Android's willingness to correct and publish security-related patches; the problem is that the carriers control OTA and therefore limit OTA update support for phones that are fairly new. According to the carrier, if you want a secure phone, you'll just have to buy a new one from them.

Yes, I remember when we didn't care about bugs.

[Sloppy]

Does anyone remember the time when software just WORKED? When you didn't have an update of something every single day?

You mean back before it was networked (or otherwise shared data with potentially-hostile parties) so that the bugs didn't matter? And before people really started looking very hard for the bugs?

Sure, I remember then. You had shitloads of bugs, but you didn't know about most of them, and when you did know about one ("if you type too long of an answer in this char[40] blank, it makes weird things happen, so make sure to keep your answer 40, oops, I mean 39 characters or less"), you had little reason to care about them. (And if a bug is unmanifested, is it really a bug? 1985 answer: no. 1995 answer: yes.)

Re:Hopefully, they'll be able to bypass the carrie

[Sloppy]

Imagine that happening on a computer that didn't fit in your pocket. "I can't upgrade my desktop from 12.04 to 14.04 because Comcast won't let me." It would almost be enough to make you stop buying PCs from your ISP!

Phone defect tracking opportunity?

[jmac880n]

When buying an Android phone: Measure how many days it takes from the vulnerability report (at least publicly) until it's patched in phones already used by customers. Focus on phones more than 2 years old, since your phone will be that age someday. Then: Don't buy from unresponsive makers. I suspect that if a few buying guides included those numbers, some manufacturers and service providers would start paying attention.

It would be very helpful if there were a website that tracked cellphone support information, such as outstanding defects, and average defect correction time. I don't know of any such existing site, but suspect it would be a splendid opportunity to attract a large number of clicks.

This is a new update mechanism

[Forever+Wondering]

This is a new update mechanism for security updates [and bug fixes, hopefully] for the device firmware (e.g. kernel) that makes it less painful for phone vendors and carriers to implement.

A few things to note [most of this is conjecture on my part, as software engineer, until the details emerge]:

- Android source code (e.g. kernel, dalvik, etc.) is maintained via git (with a Google wrapper program called "repo"). I regularly update a source tree via this.

- git has extremely powerful branching and merging capabilities. Thus, it's very easy to create a fix in one version and get git to apply the resulting patch/delta to other branches of the tree. That is git's forte. For example, do the security fix in the latest under development branch and then propagate it to all older branches [can be automated easily].

- Because you're just changing a small portion [we hope that the bug fix is only a hundred lines of code or so], the patch can easily be applied.

- Because the change is relatively small (e.g. 4.4.2 to 4.4.2.1) vs. going from 4.4.x to 5.0.0, it's far less QA testing as the old rev has been extensively QA'ed as a whole.

- This will encourage vendors/carriers to adopt this, even for old phones, because it's just a bug fix and not feature creep that might require more powerful hardware.

- This mechanism won't cut into margins because it is [will be] an automated way to apply just security updates (e.g. [gasp] Windows update). This could still have been done in the past, but it wasn't as easy [as Google seems to want to make it].

- Vendors/carriers will still be able to "up sell" to the latest and greatest for new features. So, no conflict/disincentive.

- Vendors/carriers will be encouraged because it's now easy to do, everybody will be doing it, and [a serious] black eye for any vendor/carrier that doesn't [far more so than in the past].

- And the legal liability for Google, vendors, and carriers for the MMS vulnerability is so severe, that any company that does not implement this could be sued into oblivion. For example, in the PC world, would any motherboard vendor decide they would prohibit critical security bug fixes via Windows update?

Re:This is a new update mechanism

Dalvik was jettisoned some time ago. ART is the new runtime.

Re:This is a new update mechanism

Completely agree. Good write up.

Re:This is a new update mechanism

[jittles]

- git has extremely powerful branching and merging capabilities. Thus, it's very easy to create a fix in one version and get git to apply the resulting patch/delta to other branches of the tree. That is git's forte. For example, do the security fix in the latest under development branch and then propagate it to all older branches [can be automated easily].

What kind of world do you live in where you think its safe and practical to automatically merge fixes into old versions of software automatically? Especially when it comes to kernel level bug fixes! Depending on the area affected by the change, an automatic merge may not even be possible, yet the bug may still exist. If it were just a simple matter of an automatic git merge then RHEL would not need any active developers. That's one of the silliest things I have read all day. Git is great at branching and makes life much easier with a large development team, but branching alone would not solve the problem of maintaining every single Android release from gingerbread all the way to lollipop.

- And the legal liability for Google, vendors, and carriers for the MMS vulnerability is so severe, that any company that does not implement this could be sued into oblivion. For example, in the PC world, would any motherboard vendor decide they would prohibit critical security bug fixes via Windows update?

This is a bad analogy. The Android world is more closely related to the world of Linux distros. If you're running Ubuntu and they fail to pick up a security fix that you need you have two options: wait for them to fix it or patch it yourself. It's the same thing when Samsung fails to release a security update for your phone. You can either wait, or root your phone and get a patch yourself. We're not talking about the phone hardware physically preventing you from installing an update. Instead, it's an issue with the update not being available for your distribution.

Re:This is a new update mechanism

[jbmartin6]

Could you clarify how you concluded this is a security patch only process? From what I see in the article this is simply regular full Android updates. In a linked article about Google's Nexus lines, they hint at a patch-only process but only after a device ages out of regular full Android updates.

Re:This is a new update mechanism

[tepples]

I thought this effort was in part to continue security updates on phones manufactured "some time ago", especially pre-Lollipop devices.

Re:This is a new update mechanism

[Forever+Wondering]

From the first line of my post:

This is a new update mechanism for security updates [and bug fixes, hopefully]

Also, see http://arstechnica.com/securit...

Google also announced changes to the way the company distributes Nexus security updates. Starting Wednesday, Nexus devices will receive regular monthly security updates.

There is already a mechanism to push full Android updates. That's been the problem. It's all or nothing [if the vendor doesn't want to re-QA the entire update] (e.g. going from 4.0.0 to 5.0.0).

It may involve sending a full load [if that makes sense]. But, with just the necessary patches. It will be done monthly and not just when a new version [with new features] is stable and available. Since Android already does a.b.c versioning for features/fixes, we may see a.b.c.d versions for the monthly updates.

Just like Windows update, if there's a security flaw in [say] IE, a patch to IE is sent. If the IE fix involves fixes to five underlying DLLs, they will be part of the update. But, all of WinX doesn't get updated. Current Android updates are like going from Win7 to Win8. The new update process will be more like Windows update for a given version.

This new mechanism should have [and could have] been done years ago. There wasn't as much incentive.

The MMS security flaw is so dangerous that it forced this. It is so bad that the FTC [and/or FCC] might fine Google, vendors, and carriers. Under its authority, the FTC can issue fines of up to $11,000 per device in the field. With 100 million [or more] phones in the field, this total fine can be one trillion dollars.

Recently, IIRC, either Chrysler/Fiat [for failing to implement a recall], or AT&T [for misrepresenting "unlimited" plans] got a $100M fine. The agency said [effectively] "large enough to be painful, but not enough to do serious harm to [bankrupt] the company.".

Re:This is a new update mechanism

[Forever+Wondering]

I've been a kernel developer for 40 years [and when you can top that, you can mouth off]. And, I have plenty of experience with diagnosis, bug fixes, patches, multiple supported revs in the field, and automated build and testing. And, have created tools to do all that.

When Linus gave his original talk on git, he said it was all about merging. git has powerful branching [everything is a branch], but what really sets it apart is its merging.

Recommended best practice is to enable automatic rebasing on a pull. That really increases the chances that it will apply cleanly.

The actual updater may git, or git + something google has cooked up to ensure the patch will work (e.g. repo or "android security updater").

Let's say there are 100 different versions in the field. If you patch one, it may apply to all. Fine and good. Or, you might have to manually apply it, starting with some cherrypicking, to a subset (e.g. 2.0.0 tree, 3.0.0, etc.). After that, it will apply cleanly to derivatives of the "top" rev. That's because the point revs [probably] don't change the file in the exact area that the patch needs to change.

This is exactly what core kernel developers do. If the patch applies, they test it [which can be automated].

Google makes the generic changes to the kernel to suit Android needs. The vendors usually just add their platform specific device drivers. So, after Google patches all revs, there's a good chance that when they push, the changes will apply cleanly.

BTW, RHEL doesn't just package things. They do active primary kernel development. So, no RHEL developer need fear for his/her job.

git is even powerful enough to create a temporary branch just to merge in the patch. If applying the patch doesn't work because the existing changes cause conflicts, you can find the common starting point and apply the new patch before the others that already exist [out of chronological order] and then replay the existing patches from the history. That is, you're doing "Back To The Future" style change. The tail of the temp branch is added as the new tail to the original branch.

The better analogy. The FTC/FCC have the authority to fine a company up to $11,000 per device in the field. Given 100 million phones, that's a trillion dollars.

Re:This is a new update mechanism

For example, in the PC world, would any motherboard vendor decide they would prohibit critical security bug fixes via Windows update?

You must be new here.

Re:Hopefully, they'll be able to bypass the carrie

[jwdb]

According to the carrier, if you want a secure phone, you'll just have to buy a new one from them.

Hang on a second... I understand what you're saying, and I'll definitely believe it applies to phones originally bought from a carrier. However, if I were to buy a Samsung directly from the manufacturer and then use it with a carrier, I'm not beholden to the carrier for updates, right? Since it's not a carrier-branded phone, I can just get updates over any valid internet connection, right?

Or does what you're saying even apply to non-branded unlocked phones? If it does, wow... I didn't realize the update regime was *that* screwed up.

Re:Debloated

Makes me wonder whether they are including garbage like "Uber"-type-installations in these "security updates". I didn't want Uber, it was forced on me by the carrier, "ChatOn", which judging by the autostarts app is hooked into every possible event, was provided by Samsung. Though I have never even opened the app it still runs at boot and receives notification of everything that happens on the device. As it is "system software" it cannot be removed. Carriers can fuck off, my next phone will be nexus or related, directly from google.

Can We Finally Get This for Laptops Too?

[celest]

Great, awesome, now can we finally get updates for laptop video cards now too? You know, especially the ones marketed as "gaming laptops" that only ever get one driver release and are incompatible with the chipset manufacturer's source drivers?

Re:Can We Finally Get This for Laptops Too?

[jittles]

Great, awesome, now can we finally get updates for laptop video cards now too? You know, especially the ones marketed as "gaming laptops" that only ever get one driver release and are incompatible with the chipset manufacturer's source drivers?

If you're running Windows and have an Nvidia card then you typically just need to modify an INI file that ships with the drivers from Nvidia. Their drivers are pretty universal and the drivers on their site do not include a hardware identifier that is specific to your laptop manufacturer. Of course, the last time I dealt with this was when Vista shipped with all laptops, so perhaps things have changed.

How about ..

[nickweller]

How about a read-only switch on the device ..

Re:Samsung needs to offer custom roms for there ph

[tepples]

Among the four major U.S. networks, are there still any that don't have a carrier that itemizes the price of the phone and service?

MVNOs have been itemizing hardware and service for a long time. Among non-virtual U.S. carriers, T-Mobile led the way with its "Even More Plus" plan that did not include a handset, which eventually evolved into its current "un-carrier" pricing structure. Ting, an MVNO, started on the Sprint network and has expanded to be a T-Mobile MVNO as well. But what MVNO is any good for "unlocked" phones on Verizon (now that it's using UICCs for CDMA+LTE) or on AT&T?

Nexus 7 is unusable while installing updates

[tepples]

What phone are you using that makes it so you can barely use it when it is getting an update? Perhaps you have too many apps?

My Nexus 7 (2012) tablet running Lollipop is unusably slow while an app is being installed or updated.

Undefined behavior

[tepples]

APIs are SUPPOSED to shield developers from constantly changing parent software, be it a browser or an OS.

Supposed to, yes, but a lot of app developers unwittingly end up depending on behaviors that the API specification called undefined, unspecified, or implementation-defined. Such dependency is a defect, but that doesn't stop applications from being published with hidden defects.

It is an insult to good developers who actually take more than 5 seconds to sit down and think, "HMMM, you know, changing this would break literally everything, better not do that!"

How about "the way we designed it it three years ago is vulnerable to a certain class of attacks that was discovered a couple months ago"? Windows Vista, for instance, had to break compatibility with interactive services because of the Shatter attack.

Terrific

[jbmartin6]

So once a month you can lose root, have all new problems with data speeds, battery life, etc. introduced, and have new permanent applications installed. All wrapped up in nice shiny gratuitous interface changes.

It was patched before exploit

[tepples]

Not unless you can guarantee that the defect will be found and patched before it's exploited.

The FakeID bug was patched before any exploit. Read again what swillden wrote: "Google also examine the contents of other app stores, and non-store app repositories. There wasn't a single instance of an app with a faked certificate chain, anywhere, until the public disclosure of the bug." Even when Google made like Flo from Progressive Insurance, scanning its own app store and those of its competitors, it still found no exploitation of this particular defect.

Re:It was patched before exploit

Are you suggesting that the NSA is limited to public app stores? Open your mind tepples, Google can only do what it is aware of. The Three Letter Agencies play by different rules.

It's not hard to imagine a TLA implementing a MIM attack, redirecting people to a fake app store, and the provisioning customized, hacked apps. Perhaps this is a directed attack more than mass subversion, but still.

CDMA2000 carriers

[tepples]

How about "I can't connect this computer bought elsewhere to Comcast's network because Comcast won't let me"? Good luck getting anything other than a Verizon or Sprint phone working on Verizon, Sprint, or Sprint MVNOs, because these networks use CDMA2000 instead of the more widespread GSM/UMTS.

carrier-grade?

you won't get updates if you rooted the galaxy. *naya*naya*.
can we get a link to official galaxyupdate.com website?

When will they remove Baidu firmware trojan?

My Samsung was recently updated with the latest AT&T update that came out.

I started getting hits on my firewall for traffic going to Chinese IP addresses on TCP port 5287. Some sites are saying this is a RAT (remote access tool) and that it was "included" in the latest android firmware update from AT&T.

Since my AT&T phone is "locked" and I can't get root access, I won't be able to install a proper firewall on the phone to block this traffic when away from my wifi. I will need to keep an IPSec/VPN tunnel open to my firewall to ensure all traffic goes through my policy enforcement. What a pain...

None of the mobile anti-virus software detects the baidu malware/trojan:
Malware Bytes: NOPE
Avast: NOPE
Kaspersky: NOPE
Yet I see the traffic banging on my firewall constantly. This makes me wonder if the mobile anti-virus/malware software actually does anything???
Have you ever seen anything like an app that does a netstat report to show you where your phone is "phoning home" to ? How about an app that would work essentially like NTOP but for your phone, so you can see all the places your device is going and where you might not want it to go?

Re:Hopefully, they'll be able to bypass the carrie

[idontgno]

However, if I were to buy a Samsung directly from the manufacturer and then use it with a carrier, I'm not beholden to the carrier for updates, right? Since it's not a carrier-branded phone, I can just get updates over any valid internet connection, right?

I did forget about the possibility of BYOD, but as far as I know the big carriers get really passive-aggressive about putting your device on their network. I guess if you contract with an MVNO, or sign up for their poorly-publicized BYOD programs, they may not be as bad. And then, possibly, the manufacturer can update without interference from the carrier.

But I suspect that BYOD phones on wireless networks is a vanishingly small minority compared to the far more typical "go to carrier, buy contract and (locked-in) phone at the same time" scenario.

Re:Mfgrs don't sell them for disposable prices

[billstewart]

The US wireless carrier may be selling the phones for disposable prices, but they're paying the manufacturer the real price (with highly negotiated discount rates and volume plans, I'm sure, but the manufacturer isn't selling them below cost.)
I've got a Galaxy S4 Mini, because it was smaller than the newer phones they had on the market at the time, and I wanted a phone that would fit in my pocket. Probably should have gotten an Apple iPhone instead.