Slashdot Mirror


Ask Slashdot: How To Safely Use Older Android Phones?

An anonymous reader writes: Like many people reading this site, I have several older phones around as well as my newest, fanciest one; I have a minimal service plan on one of these (my next-to-most-recent), and no service plan (only Wi-Fi, as available) on the others. Most of them have some reason or other that I like them, so even without service I've kept them around to act as micro-tablets. Some have a better in-built camera than my current phone, despite being older; some are nice on occasion for being small and pocketable; I like to use one as a GPS in the car without dedicating my phone to that purpose; I can let my young relatives use an older one as a camera, etc. Besides, some people have only one phone at all, and can't reasonably afford a new one -- and that probably means a phone that's not cutting edge. So: in light of the several recent Android vulnerabilities that have come to light, and no reason to think they're the last of these, what's a smart way to use older Android phones? Is CyanogenMod any less vulnerable? Should I be worried that old personally identifying information from online transactions is still hanging around somewhere in the phone's recesses? I don't want to toss still-useful hardware, but I know I won't be getting any OS upgrades to 3-year-old phones. How do you use older phones that are not going to get OTA updates to address every security issue?


  1. install another operating system by FudRucker · · Score: 3, Interesting

    hopefully some clever ex-google employee or a current google employee will do some work on the side at home and build a customized debian or slackware port that is easily installed in any android device, most are locked down so this can't happen but i bet somebody has the key to unlocking these android phones that have so far been uncrackable at the firmware/hardware level

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:install another operating system by Kernel+Kurtz · · Score: 2

      Like Linux on Android! ;-)

      http://linuxonandroid.org/

    2. Re:install another operating system by maestroX · · Score: 2

      I doubt this will happen with the many proprietary chip drivers and dead batteries after 3 years.
      Come to say, why not get a lithium battery standard fitting modern devices.
      You know in the old ages, like AAA, AA , C etc.

  2. Re:Therapy? by FudRucker · · Score: 3, Insightful

    if it is good hardware why not put a new operating system on it and make it work for a few more years, no sense in filling the landfills up just because the software became obsolete,

    the computer i am typing this on was built by me in 2000, i used to dual boot a copy of windows 2000 and Linux Slackware-8 when it was new, today windows is gone and i am running Debian Jessie on it, the hardware is old but it works good so why not put a new operating system on it

    --
    Politics is Treachery, Religion is Brainwashing
  3. Old phones by Travis+Mansbridge · · Score: 2

    It's unlikely you can keep anything running a version of Android 4.4 truly secure, and even that won't be secure for much longer. The best idea if you're worried these still have some sensitive personal information on them would be a factory wipe (from the phone's recovery mode, not within the OS as this will leave internal storage intact). This should protect you from what most malicious parties are looking for, though if the phone is on your local network there's always the opportunity for them to use the compromised phone as a pivot point to compromise other machines on your network, but you'd probably need to be in someone's crosshairs for them to be doing this.

    1. Re:Old phones by AmiMoJo · · Score: 4, Interesting

      Actually, the security issues have been vastly over-stated by click-bait driven media. Ever notice how we don't see stories about vast Android bot-nets or millions of people being the victims of exploits? The only successful malware relies on the user enabling installations from other sources and ignoring all the warnings, and even then on any 4.x version the OS will scan the app for known vulnerabilities.

      The OP unfortunately doesn't say what version he is running, but my advice would be to install Cyanogen if available (simply to get the latest possible features and minimal bloatware) and not worry about it. If the OP is really paranoid there are anti-virus products for Android, but they are not really necessary.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Old phones by AmiMoJo · · Score: 2

      Sure, but Stagefright was not very severe. That's my point - it was made out to be this huge problem, but actually all Android versions since 2.0 have had ASLR enabled in the kernel and it mitigates Stagefright. At worst an attacker could perform a really expensive DOS on your MMS app, but taking over your phone is virtually impossible because every MMS only has a one in tens of thousands chance of guessing the right address.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Old phones by TheRaven64 · · Score: 2

      ASLR on a 64 bit device is a different story.

      Well, sort of. The blind ROP stuff works by realising that exec triggers re-randomisation, but fork does not. Server processes like nginx are vulnerable because they fork children to replace any that have crashed and each child has the same layout. Even with a 64-bit address space, it's possible to probe (some things, like PLTs, are relatively easy to find and full of gadgets). Unless it's changed recently (I've not been paying attention, so it's possible), Android reduces app startup time by having a zygote process for the Java runtime environment, forking a copy of it, setting the UID / filesystem namespace, and then loading the app. This means that the address space will be different to other devices, but will have the same layout across multiple runs on the same device. BROP does require a two-way communication channel, though it only requires one-bit communication out (did this attempt crash or infinite loop the target?).

      The real mitigation is not the ASLR, it's that only 0.0001% of the population can write ROP exploits

      Anyone can write ROP exploits. You don't need many gadgets to get a Turing-complete execution environment and there are compilers available that will take a binary, derive a Turing-complete virtual machine from them, and compile arbitrary (more or less - in some cases you may have a limited number of jumps, but it's usually more than enough to create a shell) code to run on them.

      --
      I am TheRaven on Soylent News
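
Added example (not part of the thread or any commenter's code): the comment above says that fork, unlike exec, does not re-randomise the address space. This C program forks several children in turn and checks that each sees the same library, heap and stack addresses as the parent; `sample` and `count_matching_children` are names made up for this illustration, and it does not cover the exec half of the claim.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Three regions that ASLR places when a program is exec'd. */
struct layout { uintptr_t lib, heap, stack; };

static void sample(struct layout *out, int *frame_var)
{
    void *p = malloc(64);              /* fresh allocation in this process */
    out->lib = (uintptr_t)&getpid;     /* where libc's getpid resolves */
    out->heap = (uintptr_t)p;
    out->stack = (uintptr_t)frame_var; /* local in the caller's frame */
    free(p);
}

/* Fork n children one after another, as a server replacing crashed workers
 * or a zygote spawning apps would, and count how many report the same
 * layout as the parent. Returns -1 on a system-call error. */
int count_matching_children(int n)
{
    int frame_var = 0, matches = 0;
    struct layout parent, child;
    sample(&parent, &frame_var);
    for (int i = 0; i < n; i++) {
        int fds[2];
        pid_t pid = (pipe(fds) == 0) ? fork() : -1;
        if (pid < 0) return -1;
        if (pid == 0) {                /* child: measure and report */
            sample(&child, &frame_var);
            _exit(write(fds[1], &child, sizeof child) == (ssize_t)sizeof child ? 0 : 1);
        }
        close(fds[1]);
        ssize_t got = read(fds[0], &child, sizeof child);
        close(fds[0]);
        waitpid(pid, NULL, 0);
        if (got == (ssize_t)sizeof child && child.lib == parent.lib &&
            child.heap == parent.heap && child.stack == parent.stack)
            matches++;
    }
    return matches;
}

int main(void)
{
    printf("%d of 8 forked children share the parent's layout\n", count_matching_children(8));
    return 0;
}
```

Running the program twice on a system with ASLR enabled will normally print different absolute addresses if you log them, while the match count within each run stays at 8.
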
  4. Re:Therapy? by NatasRevol · · Score: 3, Insightful

    Because time is a real cost. Sometimes more than throwing out something old & buying something new.

    And time can encompass a lot of issues - build, install, security, speed, opportunity cost.

    --
    There are two types of people in the world: Those who crave closure
  5. Re:Jesus Christ... by Anonymous Coward · · Score: 5, Insightful

    First world problems!

    This is Slashdot, everything by definition is a first world concern. If you want to read stories about how to chase down buffalo and antelope to make clothing/food/shelter for the approaching dark months you're on the wrong website.

  6. An image for dedicated use would be nice... by chaoskitty · · Score: 2

    It would be nice if phone vendors didn't treat old phones as if only good for landfills. I know I'll never go back to Android because there's no assurance that even a brand new phone will be upgradable to the latest software even a month later (it's already happened to me). So the idea of just installing the latest OS and installing some specific apps doesn't seem doable.

    The inability to upgrade Android phones is a HUGE problem.

    Perhaps some enterprising people will create dedicated OS images for various hardware that remove all the cruft and just run specific things. For instance, I'd love to use an old phone as just a navigation system for my car - nothing else. I'd pay for that software if it existed.

    Now only if Android vendors and developers knew about software portability...

  7. micro-tablets by flacco · · Score: 2

    I want a micro-tablet. I want a cell phone without the phone to hold my shopping list, music, and podcasts. I don't want the phone.

    Why does this not exist?

    --
    pr0n - keeping monitor glass spotless since 1981.
    1. Re: micro-tablets by ganjadude · · Score: 4, Informative

      it does. ipod touch

      --
      have you seen my sig? there are many others like it but none that are the same
    2. Re: micro-tablets by Bing+Tsher+E · · Score: 3, Interesting

      An ipod touch costs 3-4 times as much as a non-contract cheap Android phone for Virgin or Boost or whomever that you never activate. The Android phone also has an SD slot, and you can even skip registering it with Google and sideload or use the Amazon app store if you like. The lonely little niche in the store with the ipod display is an "are you kidding?" deal. Apple probably pays the stores for wasting the space.

      My first mobile device was a 32g iPod touch. I would NEVER do that again.

  8. Re:Jesus Christ... by Blaskowicz · · Score: 3, Interesting

    An insecure old phone for rural Africa, where the first application is probably online banking, is not that desirable. Dumb phones are probably more secure and sufficiently poor people are willing to repair them.
    Well, millions of discarded smartphones would be ideal too, with people willing to do a LCD replacement job, battery job, soldering a connector etc. but the OS sticks out as the main issue, like that 233MHz iMac I put back in the junk after I failed to boot a linux installer (perhaps something could be done but I didn't know better)

  9. Re: CyanogenMod has nightly updates by Anonymous Coward · · Score: 2, Informative

    1. Disable automatic retrieval of mms from the messaging app you use (e.g. Hangouts, handcent, messages). If you get any mms messages from an unknown person, delete it without downloading.
    2. Root and disable your carrier's built-in remote assistant tool (google your phone and carrier to find out how). Or install a custom ROM.

  10. Re: Jesus Christ... by savuporo · · Score: 2

    The first application is not online banking. The concept of "banking" is not well developed in these areas, much less online banking.
    the first application is almost exclusively simply communication. and watching pictures on the net ( no reading - language barrier ). also taking pictures.
    I was in southern parts a year or so ago. gave away a phone, footwear and some shirts in person to some kids - they were super grateful.

    --
    http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
  11. Make the device read-only .. by nickweller · · Score: 2

    Is it possible for the hardware manufacturers to put a read-only switch on the device that would protect certain core files from being overwritten?

    1. Re:Make the device read-only .. by drinkypoo · · Score: 3, Interesting

      It's not just possible, it's easy. It does, however, cost a little bit. You'd need to have the system and the user data area on separate flash devices, so that you could use the hardware write protection on the device. Android already sees these as separate things, even when they're just separate partitions of the same flash, so there's little to no software work to be done there.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Often old hardware is more convenient. by Futurepower(R) · · Score: 2

    Wow! CyanogenMod has become amazing since I last looked at it.

    New hardware? Steve Jobs got people to believe that, if they don't have the newest version of DTT, Digital Turnip Twaddling, they are horribly disadvantaged.

    Buy an Apple watch? For $1,000.00? An Apple employee showed me his watch and said the software was unfinished.

  13. I was just about to install Replicant ... by Ungrounded+Lightning · · Score: 2

    ...on the international Samsung Galaxy S3 I bought for the purpose. (The international version uses a different chipset, which is one of the few supported by Replicant, which is a fully-open CyanogenMod derivative that doesn't use a number of closed binary blobs (if you don't install them yourself to use a couple of the phone's features), some of which are known to have backdoor-capable hooks.)

    Then these two flaws came to light.

    So I'm waiting for Replicant to figure out whether they're vulnerable and if so what needs to be done to fix that.

    As I understand it, the Replicant project is down to mostly one guy with a day job - AND is the closest thing to a fully open-source, pretty much secure, smartphone load out there. (This is the project that DISCOVERED the Samsung backdoor...) IMHO it would be a good project for those who want to work on a secure-AND-open smartphone to contribute to (or fork from).

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  14. Safe use of old phone? by dbIII · · Score: 3, Funny

    Safe use of old phone?

    Externally.