Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samsung To Push Monthly Over-the-Air Security Updates For Android

Posted by samzenpus on from the air-security dept.

wiredmikey writes: Smartphone maker Samsung said on Wednesday that it soon will implement a new Android security update process that fast tracks mobile security patches over the air when security vulnerabilities are uncovered. The South Korea-based maker of popular Android smartphones said that it recently fast tracked security updates to its Galaxy devices in response to the recent Android "Stagefright" vulnerabilities uncovered late last month by security firm Zimperium. News of the initiative is great for Android users. For years, wireless carriers and phone manufacturers have been accused of putting profits over protection and dragging their feet on regular operating system updates, making Android users vulnerable to malware and other attacks. Nexus is also joining the monthly OTA update club.

7 of 126 comments (clear)

  1. updates, updates, ... by hjf · · Score: 3, Interesting

    Does anyone remember the time when software just WORKED? When you didn't have an update of something every single day? What is it with phone users? I know everyone seems to want the latest and greatest. But DOZENS of app updates a week is just boring. And when the phone is updating you can barely use it.
    I thought the future was going to be full of ads. It seems the future, actually, is just full of updates...

    1. Re:updates, updates, ... by krelvin · · Score: 3, Interesting

      If an app is built for just that phone then you have a point, but they aren't. They are built for many phones, different versions of Android and as such there is a constant update process to fix issues with the app working on one thing or the next. What phone are you using that makes it so you can barely use it when it is getting an update? Perhaps you have too many apps?

    2. Re:updates, updates, ... by ledow · · Score: 4, Interesting

      Has software ever "just worked"?

      I can name bugs in 30+ year old software that made it into a production release and could never be patched because of the capabilities at the time.

      And that was when the "app" was the only thing running on a single processor with complete "kernel" access to the entire machine, so not at all complicated by filesystems, process interactions, security mechanisms, etc. The days when software COULD take advantage of the timing of a particular processor, and even things like undocumented opcodes.

      Software is an inherently "unfinishable" product. Just as everything works, something will break somewhere - you get your app going in DOS and then all your clients move to Windows, you get it working on Windows, and then all the Windows versions move to NT-based kernels and the like. It's a never-ending game.

      And, with security particularly, there is no point at which you can call the software finished. There isn't a piece of software in existence that is "unbroken" on a general purpose modern machine - even those released dozens of years ago. Nobody was considering timing-based memory cache attacks back then.

      Software that stays static is THE WORST culprit of exactly this kind of shit - unfixed bugs that propagate and hang around for years undiscovered until they become much more serious and affect devices that can no longer be commercially-viable to update.

      Software is not static, and mainly because our expectations, operating systems and even hardware aren't static either.

      You think Word 2.0 for DOS is somehow magically "secure" or better programmed than modern stuff made with optimising compilers that warn about everything and do proper memory separation?

    3. Re:updates, updates, ... by Grishnakh · · Score: 3, Interesting

      Does anyone remember the time when software just WORKED?

      I remember those days well. It was just like yesterday.

      However, back in those days, our computers ran MS-DOS, and weren't connected to the internet. For the few people who did have internet access (mainly college students), they usually didn't have their own computer hooked up to the internet, they shared some VAX or Unix machine, and mainly used it just for email, USENET, and maybe exchanging files via FTP. Some people used Gopher, though I don't remember what for. Since so few people used networked computers, hacking wasn't much of a problem, and was mostly an activity done by bored college students to see if they could.

      Also, I do remember some updates back then, mainly to DOS games. Even back then, the games were buggy, but not too much. I remember some of them using some kind of utility (was it called "Patch"?) to update their software, so the updates could be distributed on BBSs. This software actually worked quite well: it only contained the parts that had changed, and the utility would actually modify the binaries on-disk as necessary. I haven't seen anything like it since, which is a shame since we do so many updates these days. For some strange reason, all our updates now involve distributing a bundle that includes all the changed files (rather than just the changed part of a file), so the update bundle is much larger than it needs to be. If some pathetically slow circa-1992 DOS machine could handle modifying binaries on-disk, why can't modern machines? It would save a huge amoung of bandwidth.

    4. Re:updates, updates, ... by swillden · · Score: 3, Interesting

      They stop being secure.

      They were never secure

      Is a system with no security defects known by anyone secure?

      This might appear to be a philosophical maundering like "If a tree falls and no one is around to hear it, does it make a sound?", but it's not. It's a very serious question, with real implications... and the answer is yes.

      Consider FakeID, a serious vulnerability in the Android app signing infrastructure that basically allowed any app to be claim to be from any provider -- including claiming to be signed by the OEM, to obtain system privileges. The bug was introduced in 2.2.1 in 2010 and existed in all versions of Android until 2014.

      But no one knew.

      Once the flaw was revealed Google was easily able to go back and examine the certificates of all apps uploaded to Google Play during the entire period of time between when the vulnerability was introduced and when it was fixed. Google also examine the contents of other app stores, and non-store app repositories. There wasn't a single instance of an app with a faked certificate chain, anywhere, until the public disclosure of the bug. Snowden's documents gave no hint that the NSA knew of it. Hacking team's archives had no hint of it. If anyone, anywhere, knew of the bug they were incredibly circumspect and careful with their usage. The more reasonable conclusion is that no one knew.

      During those four years, all Android devices were vulnerable to this serious security hole, but none of them were exploited. So, the Android app signing architecture was effectively secure even while it was technically broken.

      And as I said above, this is not just a semantic quibble. If your definition of "secure" (under some defined threat model) assumes that the system must have no security defects, then no system of any complexity ever has been or ever will be secure. Security is only meaningful within a defined context, and that context includes the knowledge of the adversaries. Of course, we can never know what the attackers do or do not know, but we can reasonably suppose that if they don't use a devastatingly effective attack it's because they don't know about it. This means that systems actually do get less secure over time, unless they're maintained.

      (Note, BTW, that the mere existence of a known security defect also doesn't necessarily make the system insecure. That also depends on threat model and on whatever other mitigations may be in place. For example, take the libstagefright bug. 90% of Android devices in the world are running Ice Cream Sandwich or higher, and have ASLR enabled in their kernels which makes a bug like the one in libstagefright very hard to exploit.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Re:But what about profits? by Sowelu · · Score: 3, Interesting

    Google's app upgrades are a minefield at best and a disaster at worst. Chrome seems to get slower every update (typing a website now hangs for a couple seconds after the first letter while it populates the history, and sometimes before you start typing at all, and loses letters typed during the pauses), plus the interface changes at random (pulling down at the top of a page reloads it now, which works great with websites that want you to swipe to control them). Chat->Hangouts drops a lot of information about contact status. Maps, similar issues to their web version.

  3. SwiftKey? by dwheeler · · Score: 4, Interesting

    What about the disastrous SwiftKey vulnerability? It makes Samsung Android systems vulnerable too. Samsung said they'd fix it back in June, but we still have no patch.

    When buying an Android phone: Measure how many days it takes from the vulnerability report (at least publicly) until it's patched in phones already used by customers. Focus on phones more than 2 years old, since your phone will be that age someday. Then: Don't buy from unresponsive makers. I suspect that if a few buying guides included those numbers, some manufacturers and service providers would start paying attention.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)