Slashdot Mirror


Samsung To Push Monthly Over-the-Air Security Updates For Android

wiredmikey writes: Smartphone maker Samsung said on Wednesday that it soon will implement a new Android security update process that fast-tracks mobile security patches over the air when security vulnerabilities are uncovered. The South Korea-based maker of popular Android smartphones said that it recently fast-tracked security updates to its Galaxy devices in response to the recent Android "Stagefright" vulnerabilities uncovered late last month by security firm Zimperium. News of the initiative is great for Android users. For years, wireless carriers and phone manufacturers have been accused of putting profits over protection and dragging their feet on regular operating system updates, making Android users vulnerable to malware and other attacks. Nexus is also joining the monthly OTA update club.


  1. I'll believe it when I get the notification. by Sowelu · · Score: 4, Insightful

    Promises, promises, promises...

    1. Re:I'll believe it when I get the notification. by Anonymous Coward · · Score: 5, Funny

      Microsoft Windows 10 comes with spyware, ads and automatic updates built in, none of which can be disabled.

      Which means the Year of the Linux Desktop is right around the corner!

  2. Re:But what about profits? by 0123456 · · Score: 4, Informative

    I'm curious how they'll "encourage" users to upgrade to the latest shiny if the slightly tarnished shiny is still up-to-date...

    Android's hardware requirements grow more than fast enough to encourage users to upgrade every couple of years.

  3. Re:updates, updates, ... by ledow · · Score: 4, Interesting

    Has software ever "just worked"?

    I can name bugs in 30+ year old software that made it into a production release and could never be patched because of the capabilities at the time.

    And that was when the "app" was the only thing running on a single processor with complete "kernel" access to the entire machine, so not at all complicated by filesystems, process interactions, security mechanisms, etc. The days when software COULD take advantage of the timing of a particular processor, and even things like undocumented opcodes.

    Software is an inherently "unfinishable" product. Just as everything works, something will break somewhere - you get your app going in DOS and then all your clients move to Windows, you get it working on Windows, and then all the Windows versions move to NT-based kernels and the like. It's a never-ending game.

    And, with security particularly, there is no point at which you can call the software finished. There isn't a piece of software in existence that is "unbroken" on a general purpose modern machine - even those released dozens of years ago. Nobody was considering timing-based memory cache attacks back then.

    Software that stays static is THE WORST culprit of exactly this kind of shit - unfixed bugs that propagate and hang around for years undiscovered until they become much more serious and affect devices that can no longer be commercially-viable to update.

    Software is not static, and mainly because our expectations, operating systems and even hardware aren't static either.

    You think Word 2.0 for DOS is somehow magically "secure" or better programmed than modern stuff made with optimising compilers that warn about everything and do proper memory separation?

  4. Re:updates, updates, ... by 0123456 · · Score: 4, Insightful

    Has software ever "just worked"?

    Somewhat. My Sun workstation ran for years with no software updates. It had bugs, but nothing that required a new operating system or application software.

    The big difference was that it was behind a firewall and a 19.2k modem, so there wasn't much anyone could do to attack the--probably numerous--security holes.

  5. Hopefully, they'll be able to bypass the carriers by glsunder · · Score: 4, Insightful

    Samsung can make all of the updates they want, but if Verizon and other companies just sit on them, it won't do us much good.

  6. Re:updates, updates, ... by SleepyHappyDoc · · Score: 4, Informative

    No, nobody remembers that time. I remember when Windows couldn't run more than a few days without crashing. I remember when getting a program to work required arcane knowledge and steps bordering on voodoo. I remember when getting a wireless card working on Linux was the realm of super hackers. I remember Sasser.

    --
    Stasis is death. Embrace change.

  7. Re:updates, updates, ... by ledow · · Score: 4, Insightful

    And I bet even that firewall and modem had bugs that exposed more of an attack surface than you ever wanted it to.

    Systems don't "stop running" without updates. They stop being secure. And now that systems are all online, all the time, it's more important to be secure than almost anything else.

  8. SwiftKey? by dwheeler · · Score: 4, Interesting

    What about the disastrous SwiftKey vulnerability? It makes Samsung Android systems vulnerable too. Samsung said they'd fix it back in June, but we still have no patch.

    When buying an Android phone: Measure how many days it takes from the vulnerability report (at least publicly) until it's patched in phones already used by customers. Focus on phones more than 2 years old, since your phone will be that age someday. Then: Don't buy from unresponsive makers. I suspect that if a few buying guides included those numbers, some manufacturers and service providers would start paying attention.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)