Slashdot Mirror


Samsung Decides Not To Patch Kernel Vulnerabilities In Some S4 Smartphones

An anonymous reader writes: QuarksLAB, a security research company, has stumbled upon two kernel vulnerabilities for Samsung Galaxy S4 devices, which Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat. The two vulnerabilities (kernel memory disclosure and kernel memory corruption) were discovered in February 2014 and reported to Samsung in August 2014, affecting the samsung_extdisp driver of Samsung S4 (GT-I9500) devices. The bugs break ASLR and lead to a denial of service (DoS) state or even to elevation of attacker privileges.

144 comments

  1. The new normal for Android by Anonymous Coward · · Score: 3, Informative

    The number of exploits is increasing exponentially but the vendors are scaling back security patches across the board.

    MBA's FTW.

    1. Re:The new normal for Android by sexconker · · Score: 3, Insightful

      Yup, Android is no longer a platform I can recommend.
      Of course, iOS isn't either, and MS burned all bridges with Windows 10, so fuck it, I'm not buying any shit from you assholes anymore.

    2. Re:The new normal for Android by AK+Marc · · Score: 3, Interesting

      Android is safer if you root it and abandon the official versions. TouchWiz isn't that good anyway. Every other maker's UI is better than TouchWiz. My S3 was abandoned on an old version of Android, but I'd have to go boot it to see what. So Samsung has a habit of abandoning older generations. And iOS isn't any better, with less than 1 year support for my 3G, about the same as I got on my S3.

      Android has the slight edge, because I can root it and go with a generic, or use a maker like Oppo with weekly OS updates, if you want to update that often.

    3. Re:The new normal for Android by Anonymous Coward · · Score: 0

      I need a new phone, my current one has an almost dead battery... I'm either getting a Nexus device or seeing what Microsoft comes up with in the next few months... yeah...

    4. Re:The new normal for Android by Anonymous Coward · · Score: 0

      Of course, iOS isn't either, and MS burned all bridges with Windows 10, so fuck it, I'm not buying any shit from you assholes anymore.

      There are many reasons why iOS shouldn't be recommended, but one thing that Apple actually should have some cred for is that they provide updates for fairly old devices. As far as I know Apple still supports the current version of iOS on devices as far back as iPhone 4s (released in 2011). That's quite remarkable to even have two years of supported updates in the Android world.

    5. Re: The new normal for Android by cyber-vandal · · Score: 1

      Great if CM support your phone. I've got a Note 2 and there's been no new milestone for a year. In any case isn't this a bug in the Samsung drivers so I'm not sure how CM would be able to fix this one.

    6. Re: The new normal for Android by drinkypoo · · Score: 3, Interesting

      Great if CM support your phone. I've got a Note 2 and there's been no new milestone for a year. In any case isn't this a bug in the Samsung drivers so I'm not sure how CM would be able to fix this one.

      Forget CM, go to XDA and look for other ROMs for your phone. Based on a quick glance over the appropriate forum, I suggest Resurrection Remix. Yeah, the names of these things are ridiculous. I'm running something called "KatKiss" on my Asus Transformer Prime. You can have it with a choice of three kernels, two without fsync (internal flash is abysmally slow) and one with. I am using the one with because data is more important to me than a couple more frames per second.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re: The new normal for Android by Anonymous Coward · · Score: 0

      Please don't use bots if you detected there's less posts. It adds nothing to threads and Slashdot looks like jumping the sharks...

      Why not create instead a new ranking system to promote good AC messages? Bots here are just like playing chess against a computer.

    8. Re:The new normal for Android by Lumpy · · Score: 2

      Arduino phone....

      http://www.instructables.com/i...

      If you control the source.... you control the spice....

      --
      Do not look at laser with remaining good eye.
    9. Re: The new normal for Android by dotancohen · · Score: 1

      Forget CM, go to XDA and look for other ROMs for your phone.

      I would love to know how to do this. Go ahead and call me an idiot, but I've gone through the ROMS for about a day and a half and then asked on the forums for suggestions, but I got no help on that:
      http://forum.xda-developers.co...

      How does one "look for other ROMs" and know if those ROMs support the needed features? Especially for devices such as the Note which have exceptional hardware that may not be supported in the ROM (S-Pen).

      --
      It is dangerous to be right when the government is wrong.
    10. Re: The new normal for Android by meadow · · Score: 1

      I just upgraded to an S4 recently but after rooting and installing TWRP recovery on the stock kernel, MetroPCS no longer allows OTA updates. I've been playing with different ROMs. Cyanogenmod 12.1 is good but is missing Wifi Calling feature. I also actually miss the Samsung camera app which has more features.

      Another ROM similar to CM is Candy5 which has a few more bells and whistles. Another popular one is AICP. The one I'm trying now and actually liking a lot is Albe95 S6 PORT 3.5. It is basically backported Galaxy S6 for the S4.

    11. Re: The new normal for Android by drinkypoo · · Score: 1

      I would love to know how to do this. Go ahead and call me an idiot, but I've gone through the ROMS for about a day and a half and then asked on the forums for suggestions, but I got no help on that

      OK, here is your short short short form of how to change your ROM.

      Step 1, find your ROM. First, you go to XDA-Developers and find your device, then you look at the first page or so of the applicable "Android Development" forum at the different active threads. If you have an enormously popular device, you will also want to look at page 2. Look for threads with high post counts. The thread titles should tell you which version of Android the ROM is based on. Check inside the threads to see what is working/nonworking.
      Step 2, follow instructions. They usually look something like this and come with links to the things you need:

      1. Unlock your bootloader. Usually done with an app from the handset/tablet maker. Many cheap devices come with an unlocked bootloader. Sometimes you need to do something extra-secret to accomplish this, so this can be outside the scope of the install instructions. Usually you can find unlock instructions someplace in your device forum.
      2. Install a fancy recovery, usually CWM or TWRP. The recovery is a minimal Linux using a kernel for your device which supports the hardware. It makes and restores backups, installs ROMs and other stuff from ZIP files, wipes and converts partitions, etc.
      3. Use your new recovery to make a "nandroid" backup, a dump of all partitions but the sdcard.
      3a. Back up virtual sdcard if present
      4. Install ROM from recovery

      Even if you don't install a custom ROM, a custom recovery is a wonderful thing to have on your phone, so that you can make backups, fix perms if they get mangled (rare) and so on. You can even mount partitions and twiddle files. If you're confused about which ROM is good, you can just make a backup and then try some different ROMs. If you don't like any of them, no harm done; just restore your backup.

      There are subtleties to various platforms, but if you can handle computer maintenance, you should be able to work this out. It's a ton easier than it was back in the feature phone days, because all Android devices tend to have a lot in common, whereas a handset maker used to have two or three different platforms and all of them sucked.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:The new normal for Android by BronsCon · · Score: 1

      Android is fine if you get a Nexus device and either install something like Cyanogen or make sure you install Google's updates as they're released. I took the latter route and the updates are flowing.

      Sure, they only promise to keep those updates flowing for 18 months after they stop selling it (or 3 years from when they started, whichever is longer) but I'm likely to have already replaced this phone by that point, anyway; and if not, Cyanogen.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    13. Re:The new normal for Android by BronsCon · · Score: 1

      Get the Nexus 6 and a HOTG SD reader if you need SD card support. You won't regret it.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    14. Re:The new normal for Android by Anonymous Coward · · Score: 1

      Android is safer if you root it and abandon the official versions. TouchWiz isn't that good anyway. Every other maker's UI is better than TouchWiz. My S3 was abandoned on an old version of Android, but I'd have to go boot it to see what. So Samsung has a habit of abandoning older generations. And iOS isn't any better, with less than 1 year support for my 3G, about the same as I got on my S3.

      Android has the slight edge, because I can root it and go with a generic, or use a maker like Oppo with weekly OS updates, if you want to update that often.

      Unfortunately with the new SafetyNet API apps are going to start checking for root/custom ROMs and locking you out of them.

    15. Re:The new normal for Android by scsirob · · Score: 2

      Yup, this really p*sses me off. I have recently bought a Samsung S5 Mini Duos. It runs Android 4.4.2. Samsung refuses to release an update for my phone even though it is less than 6 months old and the device itself was released less than one year ago.

      --
      To Terminate, or not to Terminate, that's the question - SCSIROB
    16. Re:The new normal for Android by Anonymous Coward · · Score: 1

      And iOS isn't any better, with less than 1 year support for my 3G, about the same as I got on my S3.

      iPhone 3G
      Released: June 9, 2008
      Discontinued: June 7, 2010

      It originally came with iOS 2 and was supported through iOS 4 (2010). iOS 4 was supported through June, 2011; that's three years of support for iPhone 3G. The only way to have "less than 1 year support" was to buy it used or after it was discontinued. If you bought it new, you would have had a minimum of one year of support.

      http://www.everymac.com/systems/apple/iphone/specs/apple-iphone-3g-specs.html

    17. Re: The new normal for Android by ArmoredDragon · · Score: 1

      You didn't answer his second question though, which was finding out which features a rom supports. On my Galaxy Note 4, basically no AOSP roms support the fingerprint sensor (not a big loss, admittedly) they don't support call recording apps (and before somebody rants, yes, it's legal to record your own calls in 40 states even if the other party isn't aware) and they don't support amr wideband (aka HD Voice.)

      I presently use AICP on my Note 4. It has a call record option in the dialer app, but it isn't automatic like I prefer and that some apps provide.

      Personally though, I'm never going to buy another non-Nexus device again. I didn't realize just how much Samsung's smartphones sucked until I actually had one.

    18. Re: The new normal for Android by drinkypoo · · Score: 1

      You didn't answer his second question though, which was finding out which features a rom supports.

      Yes I did. "Check inside the threads to see what is working/nonworking."

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    19. Re:The new normal for Android by AK+Marc · · Score: 1

      Sold as new in June 2010. Last update or patch, 4.2.1, November 2010. 6 months support. No patches after that.

    20. Re: The new normal for Android by macs4all · · Score: 1

      OK, here is your short short short form of how to change your ROM.

      OMG, I feel like I'm taking Crazy Pills!

      Let me get this straight: (And this is to all of those who are advocating "Custom ROMS") :

      1. There is a Security Vulnerability in the "stock ROM" of some Device.

      2. OEM abandons said device.

      3. Device is on a platform with a longstanding and nearly Universal practice of doing exactly this same thing, time and again.

      4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, unsupported, un-vetted "Custom ROM" from the Internet.

      Given that the Custom ROM could very well be a Trojan itself, doesn't this cycle seem like the "cure" could be just another disease?

      And even if that isn't the case for a particular iteration, doesn't the next vulnerability simply end you up at Step 1, above, but simply with the "Custom ROM" instead of the OEM ROM?

    21. Re:The new normal for Android by macs4all · · Score: 1

      Of course, iOS isn't either, and MS burned all bridges with Windows 10, so fuck it, I'm not buying any shit from you assholes anymore.

      There are many reasons why iOS shouldn't be recommended, but one thing that Apple actually should have some cred for is that they provide updates for fairly old devices. As far as I know Apple still supports the current version of iOS on devices as far back as iPhone 4s (released in 2011). That's quite remarkable to even have two years of supported updates in the Android world.

      And on the Tablet side of things, Apple has continuously supported the iPad back to the iPad 2 (2011), too, up through the present, even doing updates specifically designed to improve performance under a newer version of iOS.

    22. Re: The new normal for Android by dotancohen · · Score: 1

      OK, here is your short short short form of how to change your ROM.

      Step 1, find your ROM. First, you go to XDA-Developers and find your device, then you look at the first page or so of the applicable "Android Development" forum at the different active threads. If you have an enormously popular device, you will also want to look at page 2. Look for threads with high post counts. The thread titles should tell you which version of Android the ROM is based on. Check inside the threads to see what is working/nonworking.

      Thank you, I see that you really are trying to help. The issue with checking what is working/nonworking is that each thread has on average hundreds of replies, some in the tens of thousands. I _have_ gone and read them, and I still don't know what has been resolved or not. Examples, from the current first page of results:

      XDA: DEVDB [ROM] [5.1.1] DarkLord Note 5 Full Port (Fastest, Smoothest) [03/10/2015] 1 2 3
      Replies: 10,717

      XDA: DEVDB [ROM][AOSP]Minimal OS HLTE Unofficial 2015/10/01 1 2 3
      Replies: 38

      [ROM][5.1.1r18][HLTE] Resurrection Lollipop v5.5.6 [21/09/2015] 1 2 3
      Replies: 1,001

      [ROM] 03.10.15] [5.0] [Stock] [N9005.../OC3/OEA/OF3/OH3/OI6] QS-N9005-LP 1 2 3
      Replies: 698

      XDA: DEVDB [ROM]AryaMod V7.2 TW Lollipop Official POF3 | OTA Update [14 August 2015] 1 2 3
      Replies: 13,180

      NOTE 3 SM-N900W8 deathnote v10 snapdragon, Dervish Rom marshmallow 5.0.1
      Replies: 3

      [HLTE/TMO/SPR/VZW][ROM][CM12.1][5.1.1_r16] Temasek's UNOFFICIAL Build v17.3 1 2 3
      Replies: 18,757

      [Rom][5.0.2][S6 Port][Xposed][18.09.2015] Phronesis Rom v2.0. Stable, Lag Free. 1 2 3
      Replies: 895

      XDA: DEVDB [ROM,TW][03/23/2015] Note 4 port 5.0.1 - DarkLord rom v2.2 N910F BOB4 by Samsungviet 1
      Replies: 6,593

      [ROm]Note 3 base (tazzy) Aurora-Note3-Full-G9200-Port.v3-Stable,lightening fast. 1 2 3
      Replies: 639

      [ROM] [BOI6] Lollipop And Port Rom [Darklord Note 5 RC Port][10/02]Aurora Note4 Light 1 2 3
      Replies: 701

      [Rom][5.0.2][S6 Port][Xposed][19.09.2015]Norma Rom S6 V15 English 1 2 3
      Replies: 6,565

      MIUI V7 Note 3 N-9005 v 5.9.25 modded by ENIAC & Atrankas. 1 2 3
      Replies: 615

      XDA: DEVDB [Rom][5.0.1][Note 4 Full port][01.09.2015]AuroraRom Note 4 V6 English 1 2 3
      Replies: 2,476

      XDA: DEVDB [ROM][OFFICIAL][5.1.1_r18] BlissPop 4.0.3 by Team Bliss [hlte/xx] 1 2 3
      Replies: 350

      [ROM] [hlte] [5.1.1] [official] [CM-based] **crDroid** 1 2 3
      Replies: 145

      [ROM][KERNEL][N9005][OI3][5.0 LOLLIPOP]AUDAX L v29.0[26/09/15] 1 2 3
      Replies: 4,096

      XDA: DEVDB [ROM][AOSP][5.1.1] Slim ROM Beta 0.7 #Back2Basics [Unofficial][2015-September-21] 1 2 3
      Replies: 447

      Poll: (Xposed) DeathNote Rom Based on Darklord N4 port 1 2 3
      Replies: 932

      XDA: DEVDB [ROM][Official] Tesla by Team Validus [2015/Sep/23] 1 2 3
      Replies: 802

      Choice is good, information is good, but _too_much_ information is just as bad as not enough information. I have seriously tried to go through all those posts but - with no offence to the ROM builders - the ROM builders are busy building ROMs and not documenting their work. We see this all over the open source community: features exist, bugs are filed and fixed, but nothing is documented other than in random, often-contradictory forum and blog posts.

      I'm not complaining, I'm just pointing out that the emperor has no clothes: the open source community does great work, but it is for hobbyists. If I cannot find clear documentation about Foobar ROM, then Foobar ROM is a hobby. I'm looking for something more substantial, and I'll happily pay for it. Maybe Redhat should get into the Android ROM business.

      --
      It is dangerous to be right when the government is wrong.
    23. Re: The new normal for Android by ArmoredDragon · · Score: 1

      Yes I did. "Check inside the threads to see what is working/nonworking."

      That rarely if ever covers that though. Take for example the HD Voice and voice recording features. None of the roms mention that those don't work, you just have to find out after installing it.

    24. Re: The new normal for Android by drinkypoo · · Score: 1

      That rarely if ever covers that though. Take for example the HD Voice and voice recording features. None of the roms mention that those don't work, you just have to find out after installing it.

      Sorry you've found that to be the case. For all four of my android devices covered on XDA-Developers (nobody there cares about the mk908, you have to go to freaktab) the information is quite good.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    25. Re: The new normal for Android by drinkypoo · · Score: 1

      4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, unsupported, un-vetted "Custom ROM" from the Internet.

      Who's gonna steal your antique phone?

      Given that the Custom ROM could very well be a Trojan itself, doesn't this cycle seem like the "cure" could be just another disease?

      You don't think anyone would notice? I do.

      And even if that isn't the case for a particular iteration, doesn't the next vulnerability simply end you up at Step 1, above, but simply with the "Custom ROM" instead of the OEM ROM?

      Nothing is supported forever. When Apple drops an iDevice, you're just fucked. When an Android device is dropped, at least there's hope.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    26. Re:The new normal for Android by davester666 · · Score: 1

      w.t.f? The iPhone 3G started with iOS 2, and was supported up to iOS 4.2.1, which is 2 years.

      What did you do, pick one out of the garbage bin when Apple stopped selling them?

      And, if you look at https://en.wikipedia.org/wiki/List_of_iOS_devices, you might notice that it's getting longer.

      The 3GS and 4 went up to 3 years, and the 4S is currently at 4 years [it's the oldest device supported by the current version of iOS].

      Google doesn't even support their own Nexus devices this long.

      --
      Sleep your way to a whiter smile...date a dentist!
    27. Re: The new normal for Android by macs4all · · Score: 1

      4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, unsupported, un-vetted "Custom ROM" from the Internet.

      Who's gonna steal your antique phone?

      WTF are you even talking about?

      Given that the Custom ROM could very well be a Trojan itself, doesn't this cycle seem like the "cure" could be just another disease?

      You don't think anyone would notice? I do.

      Maybe, maybe not. Depends on a bunch of factors, not the least of which is the User's ability to look in the right place, get the download from the right place, etc. Far too many variables for something so critical.

      And even if that isn't the case for a particular iteration, doesn't the next vulnerability simply end you up at Step 1, above, but simply with the "Custom ROM" instead of the OEM ROM?

      Nothing is supported forever. When Apple drops an iDevice, you're just fucked. When an Android device is dropped, at least there's hope.

      Ah, but that's the difference that makes ALL the difference: Almost ALL Android Devices are "Abandoned" on the day you buy them; but almost ALL, if not ALL, Apple Devices are supported for two years or more; by which time, most users are shopping for an Upgrade anyway.

      YOU brought up length-of-OFFICIAL-Support. You lose.

    28. Re: The new normal for Android by drinkypoo · · Score: 1

      Almost ALL Android Devices are "Abandoned" on the day you buy them;

      Literally the only Android device I've got which got no updates is the Sony Xperia Play. I learned my lesson, and Sony can DIAF. (They explicitly promised ICS for it, but never delivered.) Every other device I've got has had at least two substantial upgrades, or will be getting them. TF201 got two. Moto G had one, is getting another. Nexus 4, not a problem. My crappy MK908 TV stick had two updates. All of these devices got at least a couple of years of support.

      YOU brought up length-of-OFFICIAL-Support. You lose.

      You don't even understand the argument, iFanboy. The argument is that once official support is over, your iDevice is garbage. At least there's a chance that someone will support your Android device. Now go throw your old Apple devices in the landfill and shut the fuck up.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    29. Re: The new normal for Android by macs4all · · Score: 1

      Almost ALL Android Devices are "Abandoned" on the day you buy them;

      Literally the only Android device I've got which got no updates is the Sony Xperia Play. I learned my lesson, and Sony can DIAF. (They explicitly promised ICS for it, but never delivered.) Every other device I've got has had at least two substantial upgrades, or will be getting them. TF201 got two. Moto G had one, is getting another. Nexus 4, not a problem. My crappy MK908 TV stick had two updates. All of these devices got at least a couple of years of support.

      If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

      YOU brought up length-of-OFFICIAL-Support. You lose.

      You don't even understand the argument, iFanboy. The argument is that once official support is over, your iDevice is garbage. At least there's a chance that someone will support your Android device. Now go throw your old Apple devices in the landfill and shut the fuck up.

      Well, at the expense of possibly making part of your argument for you, even after Apple ends Official support for a particular Device, which is almost always long after that device is pretty-much completely out-of-circulation, you aren't screwed. For example, Apple produced iOS 5.1.1 in May, 2012, which was compatible clear back to the first iPad, and the iPod Touch, 3rd Gen, iOS 6.1.6 in February, 2014, which was compatible with the iPhone 3GS, and the iPod Touch 4th Generation, and iOS 7.1.2 in June, 2014, which supported iPhone 4 (with a separate release of TVOS that worked with 2nd gen AppleTV). Anything newer is fully supported up through the present iOS 9.0.2.

      But even after that completely reasonable length of OFFICIAL support, those few that are still rockin' that "antique" kit are free to Jailbreak their iOS devices, and take their chances with "Custom ROMS" from sources like Cydia.

      I don't endorse that, because it opens a User (and their data) up to the same things I was arguing against for Android; but it does somewhat negate your argument, et that, once IOS Devices are EOLed, they should IMMEDIATELY be "Landfilled".

    30. Re: The new normal for Android by JonJ · · Score: 1

      Discussing with someone who's so deluded he thinks the XDA developers forum is a good place to get ROMs is meaningless anyway.

      --
      -- Linux user #369862
    31. Re:The new normal for Android by Anonymous Coward · · Score: 0

      So what you're saying is that Samsung is excused for doing the same 5 generations later? Your suggesting that iOS is "just as bad" is plain ridiculous.

    32. Re:The new normal for Android by AK+Marc · · Score: 1

      Nope, the wife, who loves Apple, got one on discount. No mention of "discontinued" at the time. 6 months support on a new device. That's my experience with Apple. Funny how so many here try to convince me that reality is wrong.

    33. Re: The new normal for Android by drinkypoo · · Score: 1

      If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

      Because there are so many more Android users than iOS users, and because they are less willing to give Google a free pass than iOS users are Apple.

      But even after that completely reasonable length of OFFICIAL support, those few that are still rockin' that "antique" kit are free to Jailbreak their iOS devices, and take their chances with "Custom ROMS" from sources like Cydia.

      Cydia offers an alternate app store, not iOS updates. It's equivalent to rooting, not to reflashing.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    34. Re: The new normal for Android by macs4all · · Score: 1

      If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

      Because there are so many more Android users than iOS users, and because they are less willing to give Google a free pass than iOS users are Apple.

      Boy, anyone who has hung around Mac-oriented Forums knows what a larf-riot THAT comment is! Apple Users are some of the pickiest mofos you'll EVER see!

      But even after that completely reasonable length of OFFICIAL support, those few that are still rockin' that "antique" kit are free to Jailbreak their iOS devices, and take their chances with "Custom ROMS" from sources like Cydia.

      Cydia offers an alternate app store, not iOS updates. It's equivalent to rooting, not to reflashing.

      Meh, I will admit I never was interested enough to really know what Cydia was, and wasn't.

    35. Re: The new normal for Android by macs4all · · Score: 1

      Discussing with someone who's so deluded he thinks the XDA developers forum is a good place to get ROMs is meaningless anyway.

      I defer to your superior knowledge on that subject!

      I assume there are perfectly conscientious makers of Custom AOSP builds, and that some of them might even have good enough compatibility for a few handsets to make it tempting to load them; but even without the Trojan factor, there still are significant compatibility problems with enough Devices that it seems dangerous to mess with unofficial ROMS.

    36. Re: The new normal for Android by drinkypoo · · Score: 1

      Boy, anyone who has hung around Mac-oriented Forums knows what a larf-riot THAT comment is! Apple Users are some of the pickiest mofos you'll EVER see!

      Nonsense. They will cry about things they don't like, like the Macintosh developers of old complaining about every little change Apple made, but they won't actually do something about it and leave the platform. They're not picky at all, they're just whiny.

      Meh, I will admit I never was interested enough to really know what Cydia was, and wasn't.

      But you were happy to present incorrect information about it as if you knew what you were talking about anyway. One button 4 life!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    37. Re: The new normal for Android by Anonymous Coward · · Score: 0

      If you go to a custom ROM, the custom ROM maker should be the one offering OTAs.

      Have you tried grabbing the Samsung APK for the camera and installing it into your device?

    38. Re:The new normal for Android by Anonymous Coward · · Score: 0

      And you'll see that they didn't really do a good job. Do a google for "slow _____ after update" and watch the complaints flow in.

      That's one of the main things about Android -- the hardware and support software / features come in fast and hard... After two years, things start getting slower because of new features.

    39. Re:The new normal for Android by macs4all · · Score: 1

      And you'll see that they didn't really do a good job. Do a google for "slow _____ after update" and watch the complaints flow in.

      That's one of the main things about Android -- the hardware and support software / features come in fast and hard... After two years, things start getting slower because of new features.

      It pretty much follows this cycle with iOS:

      Version x.0 comes out. People bitch to high-heaven about broken/slow stuff, battery drain, etc. REAL bugs are present. Only the brave and foolhardy install this version.

      Version x.0.1 comes out, usually within a week. Some bitching subsides, some continues. Version x.0.2 comes out about 2 weeks later. Most bitching stops. A few random people still have (imagined?) issues. Version x.1 comes out about a month or so after x.0. Bitching ends from all but the small group of "Those who liked it better before [x] was changed". Cautious people start upgrading.

      With iOS 9, we're at the 9.0.2 point as of last Wednesday, IIRC, with a "Beta" 9.1 release also available.

      Oh Yeah, and the complaints about broken features come in fast and hard on each Major Android Version, too, just like you complained of on iOS. The problem is, the FIXES don't come out in a TIMELY manner, if at all. THAT's the difference that makes ALL the difference!!!

      And if you want to REALLY see some "broken/unsupported features", just look at the comments following pretty much any of the "Custom ROMs" for Android. Wow!

  2. Samsung != Apple by Anonymous Coward · · Score: 0

    Samsung isn't Apple. You can't expect them to patch things more than a year old.

    1. Re:Samsung != Apple by AK+Marc · · Score: 2

      Apple doesn't either. I bought a 3G at about the end of its sale, and got one year support.

    2. Re:Samsung != Apple by Anonymous Coward · · Score: 0

      I have a 4 year old iPhone that's running the latest version of iOS. Updated without a hitch.

    3. Re:Samsung != Apple by peragrin · · Score: 2

      bullshit.

      Software wise apple supports out to at least 3 years and with iOS 9 out to 5 years of previous build models.

      if you bought a 3 year old phone and then expected updates you got what you deserve.

      Android models rarely get one year of updates, and almost never get 3-5 years of bug fixes.

      --
      i thought once I was found, but it was only a dream.
    4. Re:Samsung != Apple by phayes · · Score: 1

      Most android phones already have outdated software when sold and only go downhill from there because they are never updated.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    5. Re:Samsung != Apple by Bing+Tsher+E · · Score: 1

      If a phone is available in the store at full retail, the clock for EOL has not started ticking. Now, we know that a true fanboy lines up to buy the phone at launch, and for Apple, those are the people who it's important to keep squealing with glee.

      I had a 3 Gen iPod Touch 'go out of support' for new iOS versions less than a year after I bought it. I shouldn't be penalized that way for buying an Apple product late in the period when it is being foisted off on the market as 'current.' Incidentally that iPod is probably the last Apple hardware I will ever buy. There were two iPods that I bought before it.

    6. Re:Samsung != Apple by Bing+Tsher+E · · Score: 1

      Android phones are not driven in obsolescence by a team at Apple who urges developers to move onto the new API as soon as possible. So the App Store doesn't stop having current apps for Android phones for much, much longer than with Apple. Look at the number of current-version apps you can still get to run on a KitKat phone, and compare that to the apps you can get for a 3G iOS device today.

      When you buy an iOS product you are buying from a company determined to make it obsolete within a year or two of you buying it.

    7. Re:Samsung != Apple by drinkypoo · · Score: 1

      Look at the number of current-version apps you can still get to run on a KitKat phone, and compare that to the apps you can get for a 3G iOS device today.

      I still have a device running Gingerbread because it only has 512MB RAM and that's a bit tight. It's just a clock now, and occasionally plays some music or acts as a Kodi remote, so no problem. It's kind of amazing though how much software will still run on that, or at least, doesn't require any later API support. Who knows how well it will run on a 1.5 GHz (OC'd) single core, even if it does have a decent Adreno.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Samsung != Apple by phayes · · Score: 1

      Snort, talk about trying to turn lemons into lemonade... Apple supports its devices for multiple years and has been successful in drawing users to upgrade their OS as time goes on. Not everyone rushes out to buy the latest iDevice. Many, like me forgo 3 or 4 cycles -- and yet we still have the latest OS. The reason so much android software still supports antique OSes with multiple well known security weaknesses making them a security nightmare is precisely because Android has been able to do the same.

      Oh goody, I can still install the original angry birds on my android device, that more than makes up for its popping up unrelated ads when I surf the net & sniffing my credentials when I connect to my bank...

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    9. Re:Samsung != Apple by Lumpy · · Score: 1

      HTC ONE M8.... still stuck on the craptastic 5.0... HTC and AT&T suggest throwing it away and buying a new phone if I want updates.

      --
      Do not look at laser with remaining good eye.
    10. Re:Samsung != Apple by BronsCon · · Score: 1

      popping up unrelated ads when I surf the net

      Yes, we know iOS has ad blockers now. Don't worry, Android has had them for years. Not sure WTF you're talking about here.

      sniffing my credentials when I connect to my bank

      Or here. Elaborate?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re:Samsung != Apple by BronsCon · · Score: 1

      It's not that they're no longer updating it, but rather that they're going to update directly to Marshmallow. If you don't get that update when HTC releases it, perhaps it's time to switch to a carrier that doesn't block updates in the name of selling phones.

      Also, what do you find so craptastic about 5.0? And shouldn't that be 5.0.1 if you're actually up to date? Nothing really changed (on my Nexus 6 at least) from 5.0.1 to 5.1.1, so you're not really missing out on anything experience-wise. As for security, AT&T pushed HTC's patch for Stagefright (and other known and already-patched-in-AOSP vulns) back in August, it was a patch coming in between 28 and 55MB depending on device configuration, so I'm not sure what you're considering craptastic there, either.

      If your complaint is that you're not on Marshmallow (which we were told would be out last quarter) yet, can it. Neither am I and I'm running a Nexus 6. Know why? Because it isn't out yet.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    12. Re:Samsung != Apple by Lumpy · · Score: 1

      Bluetooth stability, phone stability, etc... A LOT of phones have problems with 5.0.x

      --
      Do not look at laser with remaining good eye.
    13. Re:Samsung != Apple by BronsCon · · Score: 1

      Sounds like a phone problem, not an Android problem. Shoddy drivers, perhaps? Google doesn't write (most of) those. My N6 is rock solid.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    14. Re:Samsung != Apple by UnknowingFool · · Score: 1

      I had a 3 Gen iPod Touch 'go out of support' for new iOS versions less than a year after I bought it. I shouldn't be penalized that way for buying an Apple product late in the period when it is being foisted off on the market as 'current.' Incidentally that iPod is probably the last Apple hardware I will ever buy. There were two iPods that I bought before it.

      Let's look at your claim: You had an iPod Touch 3rd gen. It was released Sept 9, 2009 and discontinued Sept 1, 2010 when the iPod Touch 4th gen was released. It started out with iOS 3.1.1 (July 2009) and could be updated to 5.1.1 (May 2012). For only one year was your model "current". The OS was updated for almost 2 years after it was discontinued. I'd have to say your claim is shaky. For your claim to make sense you would have to buy it after May 2011 in which the current model would be the 4th gen.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    15. Re:Samsung != Apple by 0123456 · · Score: 1

      When you buy an iOS product you are buying from a company determined to make it obsolete within a year or two of you buying it.

      Can't talk about phones, but my girlfriend's iPad had been out for a year or two when I bought it for her a couple of years ago, and it's still getting the latest iOS releases. I believe only the original iPad has been made obsolete by Apple so far.

      Meanwhile, the local electronics store is still selling the Nexus 7, which probably gets its last OS upgrade from Google next week.

      If Google don't fix this crap, they're going to toss the cheap phone/tablet market to Microsoft.

    16. Re: Samsung != Apple by Karlt1 · · Score: 1

      Android phones are not driven in obsolescence by a team at Apple who urges developers to move onto the new API as soon as possible. So the App Store doesn't stop having current apps for Android phones for much, much longer than with Apple. Look at the number of current-version apps you can still get to run on a KitKat phone, and compare that to the apps you can get for a 3G iOS device today.

      Xcode 6 supports iOS back to 6.0. That includes every iPad introduced except the first one and every iPhone introduced since the 3GS in 2009.

      How many developers would waste time trying to support the iPhone or iPhone 3G - both had 128MB of RAM and a 400Ghz single core processor?

    17. Re:Samsung != Apple by AK+Marc · · Score: 1

      The last day to buy a brand-new iPhone 3G from Apple was June 2010. The last iOS update was November 2010. 6-months of support, for those who bought them near the end of the run. Brand new phones, sold as the *only* iPhone available at the time, so I bought the newest, best available, and got about 6 months support on it.

      https://en.wikipedia.org/wiki/...
      https://en.wikipedia.org/wiki/...

      My Samsung got very little support. I didn't get a single version upgrade on it, and there were maybe two bug fix patches.

      What does get support is rooting Android and using a generic package. Though that option isn't available for iPhone, so you are left with phones abandoned the moment they aren't sold anymore.

    18. Re:Samsung != Apple by AK+Marc · · Score: 1

      The last day to buy a brand-new iPhone 3G from Apple was June 2010. The last iOS update was November 2010. 6-months of support, for those who bought them near the end of the run. Brand new phones, and got about 6 months software support on it.

      https://en.wikipedia.org/wiki/...
      https://en.wikipedia.org/wiki/...

      So what he described did happen. It happened to me, with the iPhone 3G. I didn't realize that the "minor" upgrade from the 3G to the 3GS would make the 3G obsolete and unsupported. At the time, Apple made it sound more like they would be two versions of the same phone, the "S" a minor upgrade of camera and such, not a replacement that would make the 3G worthless. They wanted to sell their last 3G phones. So I picked up one on sale. And got 6 months support, and years of Slashdotters telling me that Apple supports their products for 5 years, and reality isn't real if it contradicts their opinion.

    19. Re:Samsung != Apple by JackAxe · · Score: 1

      Apple stopped supporting my first gen iPad after 2 years and I have not received any updates since. But in comparison, my Nexus One -- which got its last OS update at 2.3.6, a phone that's about 5 years old -- I was still given the option to update Google's services up until I retired the phone this year.

      It's a mixed bag with Android and one that's overall better IMO, as the OS since early on has had so many useful features, some of which Apple only more recently implemented into iOS and others that they'll never do so -- like true access to the file system. I absolutely prefer the fact that Android is not a locked down OS, has features more in line with actual computers, and that Google's latest services -- so the newest Maps as an example -- are always offered up to older versions of it.

      I really don't care if my device is running the latest OS whatever, if that OS hobbles what I can and can not do with "my" device.

    20. Re:Samsung != Apple by macs4all · · Score: 1

      Android phones are not driven in obsolescence by a team at Apple who urges developers to move onto the new API as soon as possible. So the App Store doesn't stop having current apps for Android phones for much, much longer than with Apple. Look at the number of current-version apps you can still get to run on a KitKat phone, and compare that to the apps you can get for a 3G iOS device today.

      When you buy an iOS product you are buying from a company determined to make it obsolete within a year or two of you buying it.

      Another of your bullshit half-truths, as usual.

      One of Apple's Terms and Conditions for entering the iOS App Store is that your App MUST SUPPORT the most recent version of iOS.

      Another of the T&C for an App to REMAIN in the iOS App Store is that your App must be UPDATED in a timely manner TO SUPPORT the latest version of iOS.

      NOWHERE does Apple MANDATE that an App MUST NOT remain Compatible with an OLDER Version of iOS.

      Prove me wrong.

      In fact, one of the reasons that there is an issue with iOS "App Ballooning" is that, as time goes on, Apps are having to carry a greater and greater amount of "baggage", just to support multiple device configurations and OS versions.

    21. Re:Samsung != Apple by macs4all · · Score: 1

      When you buy an iOS product you are buying from a company determined to make it obsolete within a year or two of you buying it.

      Can't talk about phones, but my girlfriend's iPad had been out for a year or two when I bought it for her a couple of years ago, and it's still getting the latest iOS releases. I believe only the original iPad has been made obsolete by Apple so far.

      Meanwhile, the local electronics store is still selling the Nexus 7, which probably gets its last OS upgrade from Google next week.

      If Google don't fix this crap, they're going to toss the cheap phone/tablet market to Microsoft.

      Or to Apple, which now sells the still-supported iPad mini 2 and iPhone 5 for relatively low prices.

      And yes, the original iPad is the only unsupported iPad, as I sit here typing this in my still-supported iPad 2, and my still-supported iPhone 4s sits waiting for me to "re commission" it for iPod Touch-like duty (not going to use the phone part anymore) for my roommate's use.

    22. Re:Samsung != Apple by UnknowingFool · · Score: 1

      The last day to buy a brand-new iPhone 3G from Apple was June 2010.

      What does the iPhone 3G have to do with his iPod Touch 3rd gen? He made a specific claim which appears not to be supported by facts.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    23. Re:Samsung != Apple by phayes · · Score: 1

      Androids are getting Powned left right & center due to their abysmal security & Bronsco thinks I'm talking about ad blockers?!?! Just how deep in the "sand" do you have your head stuck in?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    24. Re:Samsung != Apple by phayes · · Score: 1

      Until you get a malicious SMS or your phone gets Powned in one of the myriad of other ways Android is vulnerable... But that wouldn't happen to you, you're too low in the food chain to be of interest -- until you do get infected... I've seen it happen.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    25. Re:Samsung != Apple by BronsCon · · Score: 1

      Examples, please? I've seen iPhones pwned by malicious SMS, as well. It happens to the best of us, get over yourself. What's funny about it is that even after my best friend fell victim to one of several iPhone SMS vulns, he still swears the platform is secure. He refuses to let facts cloud his argument and I don't expect you'll be any different.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    26. Re:Samsung != Apple by BronsCon · · Score: 1

      You're right phase, this Bronsco guy sounds like a real douche. Care to point to the specific vulnerabilities you're referring to, along with any documented cases of them being actively exploited? No, 3rd-party browsers injecting their own ads do not count; it's easy to avoid that by not being the idiot that uses that browser, and it's certainly not a vulnerability in the platform.

      I asked you to elaborate, that's precisely the opposite of sticking my head in the sand. I know my platform is no more or less secure than any other; that's why I take steps to safeguard my own security; something made more difficult on iOS (which is why my iPad is reserved for specific non-sensitive uses). If I had my head buried in the iOS garden, like you seem to, I might be a bit less secure with my iPad.

      So I'll ask you again, please elaborate about all these instances of random ads popping up while browsing the web and all the credential theft that happens on Android. I keep looking for it (no, not in the sand) and I'm just not seeing it. You'd think, though, knowing about 5x as many Android users as iOS users (even accounting for overlap), I'd see at least 5x as many Android phones get pwned than iOS devices (actually more if, as you claim, Android is less secure), but it seems the reality is that iOS gets compromised more frequently outside of China (where people install sketchy shit on their Android phones just as often as they do on their iPhones; if you get to ignore China when talking about how secure iOS is, we must ignore it when discussing Android, as well).

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    27. Re:Samsung != Apple by macs4all · · Score: 1

      The last day to buy a brand-new iPhone 3G from Apple was June 2010. The last iOS update was November 2010. 6-months of support, for those who bought them near the end of the run. Brand new phones, sold as the *only* iPhone available at the time, so I bought the newest, best available, and got about 6 months support on it. https://en.wikipedia.org/wiki/... https://en.wikipedia.org/wiki/... My Samsung got very little support. I didn't get a single version upgrade on it, and there were maybe two bug fix patches. What does get support is rooting Android and using a generic package. Though that option isn't available for iPhone, so you are left with phones abandoned the moment they aren't sold anymore.

      Your particular iPhone 3G situation is an admitted Outlier. However, unless you are a total liar, you will have to admit that Apple's OS Update support for both iOS AND OS X is second to none.

      The current, just-released version of iOS, 9.0.1, is compatible with iPhone 4s to 6s, iPad 2 to iPad Pro, and iPod Touch 5 and 6. OS X 10.11, El Capitan, also just released, is compatible with almost all Macs introduced since 2007.

      And if you compare that sort of support with the Russian Roulette style of "Updating through Random ROMS" you are advocating for Android, you are either a liar or are delusional.

    28. Re:Samsung != Apple by phayes · · Score: 1

      You come to France & sign the NDA's my clients have had me sign & we'll talk.

      Oh, do keep your head up where it's been hiding and deny that any problem exists, after all, you not falling victim to Android's multiple failings means that they don't exist, right?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    29. Re:Samsung != Apple by BronsCon · · Score: 1

      I never said they don't exist, just that I've never seen them exploited as I've seen the (supposedly fewer and less serious) vulnerabilities in iOS exploited. You sure talk a big game for someone who can't even spell a username correctly that's on the screen right in front of him. But you're right, this is a prime example of my denial that any issue exists:

      I know my platform is no more or less secure than any other

      Right. That's denial right there. Dumbass.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    30. Re:Samsung != Apple by AK+Marc · · Score: 1

      He gave a bad example. I gave a better one. Apple has done it as well. That was his point. I supported his point, even if I didn't address his facts.

    31. Re:Samsung != Apple by AK+Marc · · Score: 1

      Your particular iPhone 3G situation is an admitted Outlier.

      It's just one I happened to live through. Screw *ME* once, shame on you... Apple did screw me with that one. It wasn't a hypothetical. It actually happened to me. So it matters more to me than the examples you bring up.

      And if you compare that sort of support with the Russian Roulette style of "Updating through Random ROMS" you are advocating for Android, you are either a liar or are delusional.

      Yeah, the forums filled with complaints on iOS9 wiping devices didn't happen. And if you close your eyes and update random ROMs, you'll have bad results. Most people find one they like, and stick to regular updates from a popular and well supported line of ROMs.

    32. Re:Samsung != Apple by UnknowingFool · · Score: 1

      No he didn't and you missed the point. I questioned whether or not his example is actually a fabrication. As for your example, it is the only case that Apple has done whereas many, many Samsung models barely are updated as it is also up to the carrier. In relevance to this story some US carriers have not updated S4. I do however find it curious that someone so anti-Apple would ever purchase an iPhone.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    33. Re:Samsung != Apple by Anonymous Coward · · Score: 0

      LMFAO...

      Even assuming you were big client serving thousands of customers (you're not), you're thinking that a handful of your clients outweigh the hard-on the media has for Android vulnerabilities?

      It's always "BILLIONS OF ANDROID DEVICES AFFECTED" vs "jailbroke and non-jailbroken devices"... and we're supposed to believe someone who refuses to back up their claims who can't even tell us what company they work for? Or is that NDA too? You must be some secret service guy or some shit.

    34. Re:Samsung != Apple by phayes · · Score: 1

      I know my platform is no more or less secure than any other

      Right. That's denial right there. Dumbass.

      Lol, that right there is stupidity masquerading as rank ignorance. "no more or less secure"... Only if a bicycle is "no more or less fast" as a sport motorcycle.

      Hey sparky, I am not your mother or your wetnurse. Go talk to Cisco. Go talk to Check Point, Go talk to Palo-Alto. Go talk to the TippingPoint people now at HP. You'll have to show that there is something in it over and above overcoming your ignorance to get answers.

      In short, put some effort into discovering just which mobile platform is causing the most problems to security professionals. Given your history the answer will surprise you.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    35. Re:Samsung != Apple by BronsCon · · Score: 1

      It's not like iOS was just hit with ad-blasiting malware or anything. By the way, how does Marshmallow hold up? I'm asking out of genuine curiosity, having just updated, but I'm not expecting any more from you than geneal puffery.

      Also, is it the platform or the retarded skins and apps every manufacturer wants to bake into their distributions that cause most of the issues? I aske because I'm aware of a number of issues caused by Touch-Wiz and Sense. These issues don't exist for Nexus devices.

      I'd apologize for calling you a dumbass but I'm still not sure if you were purposefully ignoring my admission that there are vulnerabilities in Android (just like every platform) or if you were just too dumb do see it with out having it pointed out to you. You talk a big game but can't be arsed to back it up, though, so I'm still leaning toward the latter; and I don't expect that to change for my current round of questions, either.

      How much is Tim Cook paying you to soread his FUD now that iOS vulnerabilities are making a more public appearance?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    36. Re:Samsung != Apple by BronsCon · · Score: 1

      Gah... typos... this is why i don't post from my phone...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    37. Re:Samsung != Apple by phayes · · Score: 1

      You're an android user admittedly ignorant of how the repeated and generally unpatched critical vulnerabilities of his cherished platform have made Android into a security nightmare. You compare iOS vulnerabilities for people that downloaded code from unvetted third parties or from Chinese developers that performed the same bone-headed move with innate Android bugs that in most cases will never be corrected until people replace their phones with new models so that their maker will be motivated enough to update them. The vulnerabilities that Touch-Wiz, etc have are severe but most android malware targets the OS level bugs because that makes the exploits work on more devices.

      Again, I am not here to educate you & I have signed NDAs that prevent me from talking about them or just what problems they encountered in anything but the most general terms. Android's adoption rate of the most recent OS has stagnated for years in single digit adoption percentages even in corporate environments. Until that changes and the current avalanche of new Android security vulnerabilities every month tapers off, Android Security will continue to be a joke right up there with Military Intelligence.

      As for you calling me names ? I couldn't care less that you are unable to show more control than most small children.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    38. Re:Samsung != Apple by BronsCon · · Score: 1

      You're an android user

      Thanks for highlighting that incorrect assumption. I didn't give you my full bio but, in addition to being a user, I am also a developer (apps and roms alike) and, in addition to Android, I also use iOS, Windows, several distros of Linux, a couple of BSDs, and my primary OS of choice is OSX. Hardly a fanboy.

      Android bugs that in most cases will never be corrected until people replace their phones with new models so that their maker will be motivated enough to update them.

      Are you implying that newer versions of Android aren't affected by the vulnerabilities you know of? That's what it sounds like; if that's the case, I don't know what we're arguing about. Older versions of iOS are vulnerable, too. Apple controls the upgrade path for iOS just like Google controls it for Nexus devices; if other manufacturers don't provide patches and OS updates, that's an other-manufacturer problem, not an Android problem.

      To clarify my point, only Apple makes iOS devices, so we have no example of how 3rd party devices would receive updates. All that exists for this is conjecture. As a result, we can not legitimately compare the update process of iOS devices with the update process of non-Nexus Android devices and pin the results on Google. Likewise, we can not compare the security of iOS devices and non-Nexus Android devices and pin those results on Google, either.

      And, as a user of a fully updated Nexus device (and several Apple devices including two iPads) that's, quite conveniently, all I care to discuss.

      Again, I am not here to educate you & I have signed NDAs that prevent me from talking about them or just what problems they encountered in anything but the most general terms.

      Then I guess it's good that I was asking a very general question, isn't it? I'll restate, in that context: By the way, how does Marshmallow hold up? That's pretty general; yes, it's about a specific version, but if your argument boils down to "all Android versions, combined, are less secure than the current version of iOS" I'm afraid my initial comment regarding the intelligence of your posterior appears to be correct.

      It's a simple concept, really; when comparing a specific property of two or more things (in this case, security), you make those things as similar as possible, and you only compare those things. iOS: only distributed by Apple. Easy, only compare with Android on Nexus devices. Latest iOS? Only compare with latest Android. iOS in default configuration? Only compare with Android in default configuration. iOS fully locked down? Only compare with fully locked down Android.

      Sure, this doesn't give you a broad picture of the landscape, for that you do have to compare all iOS versions and all Android versions currently in widespread use, in aggregate; that's not what we're talking about here, though. Here, we're talking about Nexus devices, which are updated by Google directly and, as a result, will mostly be running the latest version, much like iOS devices, so the comparison should be limited thusly.

      I couldn't care less that you are unable to show more control than most small children.

      You must not have kids (or friends with kids). Most small kids would not have waited for you to call them by the wrong name, take an insulting tone with them, insinuate that they're in denial about something they've already openly acknowledged (head in the sand or up... where, exactly?), and refuse to address (acknowledge, hell, not even answer) their questions, before calling you a doo-doo head. I could have displayed a bit more restraint, but the name would have come out in this post anyway.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    39. Re:Samsung != Apple by phayes · · Score: 1

      You can quit attempting to put words into my mouth, I have no intention of falling for your strawmen.

      Android's abysmal adoption rate of new OS versions is well known. Marshmallow is and will be irrelevant for months until its adoption rates become significant & given how frequent new & different attacks have been released for android over the past few years I have little confidence that marshmallow will bring significant change because any new bug is still no more likely to be patched by upgrading to a fixed version than present versions of Android have been.

      That someone with the experience you claim would be so apparently clueless as to ignore these points and to keep bringing up "but how's marshmallow" like it makes any difference just shows that you still haven't understood the problem.

      My children are adults now. During their childhood they were often complimented on how well behaved they were for their ages but I've seen what bad parenting does. Your lack of self-control and justification of how that is supposed to be normal in particular for an adult does not speak well for how you were raised.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    40. Re:Samsung != Apple by BronsCon · · Score: 1

      You can quit attempting to put words into my mouth,

      Where have I done this?

      I have no intention of falling for your strawmen.

      What strawmen?

      Android's abysmal adoption rate of new OS versions is well known.

      I never argued this.

      Marshmallow is and will be irrelevant for months until its adoption rates become significant

      I don't care about anyone else's devices, only my own. The adoption rate for Marshmallow is 100% for the devices I am concerned about. That's as significant as it gets.

      given how frequent new & different attacks have been released for android over the past few years I have little confidence that marshmallow will bring significant change because any new bug is still no more likely to be patched by upgrading to a fixed version than present versions of Android have been.

      That's getting a little closer to what I've been trying to get out of you. Since it seems you have no concrete information regarding what I actually care about, I suppose time will tell.

      That someone with the experience you claim would be so apparently clueless as to ignore these points and to keep bringing up "but how's marshmallow" like it makes any difference just shows that you still haven't understood the problem.

      No, I understand the problem quite well. There are a number of known vulnerabilities in versions of Android that I don't use, which makes it not my problem. I am asking about the version I do use, because those vulnerabilities are my problem.

      My children are adults now.

      Then you must be old enough to have acquired the wisdom to discern when you and the person you are conversing with are talking about two different things, from two different perspectives. Please apply that wisdom here, as I've pointed this out several times by now.

      During their childhood they were often complimented on how well behaved they were for their ages

      As as I.

      but I've seen what bad parenting does.

      We all have. It often leads to discussions like this.

      Your lack of self-control and justification of how that is supposed to be normal in particular for an adult does not speak well for how you were raised.

      I don't lack self-control, I simply have no tolerance for people like you who try to get by in indirect insults as if that's any better than calling someone a dumbass. As for the words you claim I am putting in your mouth, I can only assume you are referring to me saying the following:

      Most small kids would not have waited for you to call them by the wrong name, take an insulting tone with them, insinuate that they're in denial about something they've already openly acknowledged (head in the sand or up... where, exactly?), and refuse to address (acknowledge, hell, not even answer) their questions, before calling you a doo-doo head.

      Well, I'm not sure how that's putting words in anyone's mouth. Here are the quotes detailing you doing each and every one of those things:

      "by the wrong name": Androids are getting Powned left right & center due to their abysmal security & Bronsco thinks I'm talking about ad blockers?!?!

      "take an insulting tone with them" and "insinuate that they're in denial about something they've already openly acknowledged" are covered by the next two:

      "head in the sand": Just how deep in the "sand" do you have your head stuck in?

      "or up... where, exactly?": Oh, do keep your head up where it's been hiding

      And, to that, I'll reiterate: Where, exactly? I'm sure your mother would be proud. As for your refusal to address my questions, well, I'm not going to quote our entire conversation; you can go back and read it yourself.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    41. Re:Samsung != Apple by BronsCon · · Score: 1

      As as I.

      Should read:

      As was I.

      I might also add that, while your children (why would you drag them into this? but you did, so I digress) may be well-behaved, that offers no indication that you are; this conversation actually hints to the contrary.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    42. Re:Samsung != Apple by phayes · · Score: 1

      Where were you attempting to put words in my mouth and then knocking down strawmen?

      Are you implying that newer versions of Android aren't affected by the vulnerabilities you know of?

      So, have you stopped beating your wife and abusing small children yet? You know, this isn't the 1950's anymore and punishments are severe nowadays for these acts.

      I don't care about anyone else's devices, only my own.

      The key admission which makes every single statement you have made up to this point defending Android as a platform a fraud. How unsurprising that in addition to your puerile name calling that you are also a liar only interested in yourself.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    43. Re:Samsung != Apple by BronsCon · · Score: 1
      Hahahahahahahahahaha you're truly and honestly a dumbass.

      Are you implying that newer versions of Android aren't affected by the vulnerabilities you know of?

      That's an honest question. An affirmative response means yes, you are implying that, a negative response means no, you are not implying that; nothing more, nothing less.

      So, have you stopped beating your wife and abusing small children yet?

      This, on the other hand, is actually a strawman. An affirmative response means yes, you admit to having beaten your wife and abused small children, while a negative response means you are still doing those things. It's an indirect way of getting someone to admit to something they don't realize they're admitting to, and my answer is that I never started doing those things, so your question is irrelevant. Mine, on the other hand, was an honest question. Is that what you are implying? I didn't say you were implying that, I didn't even imply you were implying that; either of those things would have been putting words in your mouth, but I did neither. What I did do was ask a direct question. No words put in your mouth and no strawmen. That you don't want to answer, however, is very telling; were it a strawman, you'd be able to come up with an answer similar to the one I gave, above, rather than skirting it altogether. Yes, or no?

      The key admission which makes every single statement you have made up to this point defending Android as a platform a fraud.

      First of all, you are taking that out of context to bolster your weak position and I don't think anyone with an IQ over 70 is falling for it. Second, why should I care about someone else's device? Does caring that they made a poor purchasing decision and won't be getting updates that fix these vulnerabilities suddenly and magically grant them updates or some form of protection from those vulnerabilities? No. So why waste the effort caring? I can (and do) show them the light, when I have the opportunity to do so, lead them to water so to speak, but I can't make them drink. Beyond that, what good is done by belittling them for being part of the problem? I'd rather simply be part of the solution and get on with it.

      How unsurprising that in addition to your puerile name calling

      Again, I'll ask, just where were you implying I had my head stuck and how proud would your mother be of that remark? Pot, meet kettle.

      that you are also a liar

      And is that not a name, which you are calling me from atop thine high horse? Point out one lie I have told. Don't limit to this conversation, go through all of my comments, everything you can find, and point out one lie. Not one piece of misinformation or a misquote or something else not purposely stated to deceive, but an actual, honest-to-God lie I told with the intent of deceiving or defrauding anyone. Do it. Go on, do it.

      only interested in yourself.

      Right, because of one out-of-context remark. Grow the fuck up.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  3. strict product liability by Anonymous Coward · · Score: 0

    The only way we are going to end up with secure infrastructure. Anyone who sells a product with software should be on the hook for a multiple of the sale price. Unlimited damages if they knowingly sold something insecure.

    1. Re: strict product liability by Anonymous Coward · · Score: 0

      That would only work if someone was actually punishing people who bought insecure products.

  4. Oneplus Two it is. by Anonymous Coward · · Score: 0

    Thanks Samsung, you've just made that decision pretty easy for me.

    1. Re:Oneplus Two it is. by AK+Marc · · Score: 1

      http://www.oppo.com/en/smartph... What about the Oppo?

  5. What kind of dumbass company... by tlambert · · Score: 1

    What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

    Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone. Your contract will be up in 2 years, and at 18 months, you will be offered a new phone with early renewal, so just wait until the contract is up, re-up the contract, and get the new phone with the fix.

    KTHX BAI.

    1. Re:What kind of dumbass company... by philip456 · · Score: 1

      I think that the point is that we shouldn't have to wait 18 months, with an insecure, defective phone.

    2. Re:What kind of dumbass company... by TheRaven64 · · Score: 4, Interesting

      Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone.

      Sure, but the new phone I get will be from a vendor that I can trust to support it for its lifetime. I may upgrade my phone after 2-3 years, but I'll probably hand the old one off to someone else or use it as a spare. If the phone becomes useless after 1 year, then I'll factor that in when I calculate the value of the phone - if I can amortise the cost over 4 years rather than 2, then the cost of the phone is not as good.

      Your contract will be up in 2 years

      What kind of idiot signs a 2-year phone contract in 2015?

      --
      I am TheRaven on Soylent News
    3. Re:What kind of dumbass company... by hvdh · · Score: 1

      Your contract will be up in 2 years, and at 18 months, you will be offered a new phone with early renewal

      That is soo yesterday. Today, I choose and change my contract as I like and buy the phone models I want at the time I want. There's no reason contract and phone(s) should be tied together.

      My last contracts ran for 4 years (telephony only, no base fee), 3 years (telephony + 500MB data, 10€ base fee), and my current contract is 5€/month for 1GB LTE data, 50 minutes call time and SMS flat. I can switch contracts within 6 weeks if I find a better offer. Likewise, I bought an interesting Chinese phone model directly from China because it was not available here, and there's no way in hell providers would offer it.

    4. Re:What kind of dumbass company... by Threni · · Score: 2

      > What kind of dumbass company is going to spend money porting a new version of an OS to an old platform,
      > with no payday for doing so?

      Well, that's kind of the point. Companies should be forced to state up front how long the phones are going to be kept up to date (from both a security and Android version point of view) and if they don't they can be sued for breaking the terms under which people bought the phones in the first place.

      No-one expects Microsoft to provide updates for windows xp, but they do expect them for 7, because of the published support timelines. Android needs the same; it's no different just because it's not a desktop or a laptop.

    5. Re:What kind of dumbass company... by jeremyp · · Score: 2

      What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

      Apple.

      Well, OK there must be a payday. Perhaps they see the fact that you can put the latest iOS onto a 4s as a selling point. i.e. if you splashed the cash for one in 2011 you would feel better knowing that, theoretically, you could still have the latest OS four years later even if in reality you replace it after two years.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    6. Re:What kind of dumbass company... by Anonymous Coward · · Score: 0

      >KTHX BAI.

      I think I just threw up in my mouth a little.

    7. Re:What kind of dumbass company... by Lumpy · · Score: 1

      Port it? Are you really that completely clueless?

      You simply fucking compile it with the same compiler flags you used for the first version. Compiling Android 5.1 for a 4.4.4 phone is absolutely trivial.

      And how about just release the god-damn bootloader lock so if people want to do it themselves on out of warranty hardware, they can. HTC and Samsung HATE their customers by locking the bootloader down so hard it's insane. Latest Samsung phones are deemed to never EVER be able to run a full CyanogenMod.

      --
      Do not look at laser with remaining good eye.
    8. Re:What kind of dumbass company... by BronsCon · · Score: 1

      The problem is the stupid skins manufacturers are putting on top of Android to "differentiate" themselves from the competition. Those need to be updated to work properly with whatever has changed under the hood in the new Android version. And they don't want to do it.

      Not sure what you're talking about re: HTC locking down their bootloaders, they have a developer site where you enter your IMEI and get instructions for unlocking your bootloader. Unless you're on AT&T or Verizon; they *require* locked bootloaders, but that's your carrier requiring it; and before you say HTC doesn't have to pander to the carriers, yes, they do if they want the carriers selling their phones. You can actually buy bootloader-unlocked phones directly from HTC, though, so it's somewhat of a moot point.

      Samsung, though. Yeah. Fuck Samsung.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re:What kind of dumbass company... by thegarbz · · Score: 1

      What kind of idiot signs a 2-year phone contract in 2015?

      Was this a rhetorical question? Because the answer is most people.

    10. Re:What kind of dumbass company... by Anonymous Coward · · Score: 0

      He is talking about S-ON that is a security measure to stop a real bootloader from being loaded.

    11. Re:What kind of dumbass company... by BronsCon · · Score: 1

      What advantage do you get by changing to a different bootloader when the one on the device will load whatever you tell it to anyway? S-ON also prevents malicious entities (or software) from modifying your bootloader (e.g. to inject malicious processes at boot time) and radios (e.g. to force connection to rogue towers), in case you're an interesting enough target for those types of attacks. For the record, S-OFF is possible on HTC models that I have seen; I had it on my M7 and my friend's M8, so I'm not sure what the problem is.

      Personally, I moved from HTC to LG, then on to Nexus devices when the N6 came out. I do my research before buying and buy the least restrictive device with the highest-end specs I can find so I get the most use out of the device before it needs to be replaced. If someone else doesn't do their research and select the device that actually fits their requirements, well, that's on them.

      The N6 marked the moment a Nexus device met both of my criteria, a great day for Android, IMNSHO.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    12. Re:What kind of dumbass company... by Anonymous Coward · · Score: 0

      Well, most people are idiots

    13. Re:What kind of dumbass company... by TheRaven64 · · Score: 1

      Really? Where on earth do you live? I'm not sure anyone in this country still offers two-year contracts. Most people are either on pre-pay or one month rolling contracts. 18 months is about the longest, and they're rarely much cheaper than the one-month version, so there's little incentive to sign up for them (especially given that you're likely to get a better deal in six months, so being locked in for 18 months doesn't make sense even if it is cheaper at the start).

      --
      I am TheRaven on Soylent News
    14. Re:What kind of dumbass company... by macs4all · · Score: 1

      What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

      Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone. Your contract will be up in 2 years, and at 18 months, you will be offered a new phone with early renewal, so just wait until the contract is up, re-up the contract, and get the new phone with the fix.

      KTHX BAI.

      Why, as shown by this chart, that most evil of evil companies (according to many Slashdotters), that's who!

    15. Re:What kind of dumbass company... by mfuzzey · · Score: 1

      It's not that simple unfortunately. Problem with that is you often don't have all the source code. Especially for stuff like GPU blobs. It can happen that the blob depends (maybe accidentally) on some aspect of the Android or kernel version it was tested with. When that happens it can break if you try using it on an updated Android. I had this happen to me moving from 4.1.1 to 5.1.1 on some custom hardware. Turned out to be a change in the bionic mmap() implementation introduced in lollipop for 64 bit support that broke the way the GPU blob used it. Once I'd figured that out I was able to patch bionic to get it to work. But it could have been much worse - if the new version of Android's surfaceflinger had exercised a buggy code path in the blob that had gone undetected till then for example...

    16. Re:What kind of dumbass company... by Anonymous Coward · · Score: 0

      Vodafone, O2, Meteor

      Here in Ireland all contracts are now 24 months where there used to be some for 18 months. Personally I stick with pre-paid sub-€200 like the Vodafone Smart Ultra 6

    17. Re:What kind of dumbass company... by thegarbz · · Score: 1

      Australia, Europe, China, a few years ago Canada. The vast majority of the people are on 2 year contracts which come with a phone. The 2 years is up (well in reality the 1 year and 11 months is up because god forbid a carrier lets a competitor offer you something first) and you get a "free" phone (which isn't really free but people believe it anyway while they keep paying). The people on pre-paid schemes are school kids who can't legally sign up to a contract but are able to buy a phone and pre-pay, and the people who rarely need a phone and don't need the benefit of contract specific plans i.e. different contracts give you different benefits depending if you're data hungry, call hungry, or spend all day sending SMSes.

      The system works because 2 years is about a good time where a phone gets beaten up enough to warrant replacing. For some people 2 years is almost a bit too long and on the edge of comfort where not having the latest is a social stigma. I'm also willing to bet even if 2 year contracts were not the most popular contract type that a large number of phones wouldn't make it to the 4 year mark. It's actually amazing and disappointing at the same time that people don't seem to realise you can get the screens on these things fixed.

    18. Re:What kind of dumbass company... by tlambert · · Score: 1

      Port it? Are you really that completely clueless?

      You simply fucking compile it with the same compiler flags you used for the first version. Compiling Android 5.1 for a 4.4.4 phone is absolutely trivial.

      You obviously do not *get* how Android partner companies deal with porting android. Most of the bits for various phones do *not* get integrated back into the main line sources.

      Any given android version on any given phone is generally a stable snapshot of whatever was top of tree when the work on the phone started, plus local additions for device support.

      Internally, Samsung treats each new phone as a one-off porting job. They've got an entire group that does nothing but one-off ports of whatever is a top of tree to the new phone hardware they are coming out with.

      I know you'd love for this not to be the case, but it pretty much is the way things are.

  6. Why aren't there lawsuits over this? by Rainbow+Nerds · · Score: 4, Insightful

    I don't understand why phone manufacturers and carriers don't get sued for things like this. Carriers have typically required two year contracts for phone subsidies, and normally it's possible to buy a phone two years old and get it free. At least that's how it is in the US. That means you can buy a phone that's as much as three years old and have a reasonable expectation to use it for two years because that's the contract with your carrier. That means manufacturers and carriers should provide support for a minimum of five years. That means a phone released in October 2015 should have support until October 2020. I think a customer has a reasonable expectation of this. If nothing else, that should be grounds for a lawsuit against manufacturers and carriers. There's also the issue of delays in fixing vulnerabilities both with the manufacturers and then the carriers. Again, I think there's a reasonable expectation for security updates in a timely manner. Also, when phones ship with locked bootloaders and customers can't choose to unlock them, it makes it very difficult to install a patched version of the OS. This also voids the warranty if you're able to do it. Customers are screwed no matter what they do in this situation, which is why carriers and manufacturers should be sued in the absence of specific laws to protect customers.

    I can't help but wonder if the decision to not provide software updates to older phones is partly because people don't see a huge difference between models and this is one way to push people to buy newer and more expensive phones. I can't say it for certain, but it wouldn't surprise me if that's part of the decision process.

    --
    M-I-Z
    kU still sucks!
    1. Re:Why aren't there lawsuits over this? by Anonymous Coward · · Score: 0

      I would argue that this kind of bug constitutes a defective product. Then I could invoke my rights for compensation/repair (at least based on EU law regarding sales of defective products).

    2. Re:Why aren't there lawsuits over this? by business_kid · · Score: 1

      In the EU, there's a law requiring parts to be available for items sold for 10 years. That probably excludes software updates. Samsung don't do it because they don't have to. Imagine a modern developer being tasked to patch these things. He'd be unemployable in 2 years, after living in the past with the old models.

    3. Re:Why aren't there lawsuits over this? by Rainbow+Nerds · · Score: 2

      I would argue that this kind of bug constitutes a defective product. Then I could invoke my rights for compensation/repair (at least based on EU law regarding sales of defective products).

      I agree it's a defective product and I started thinking about this after I made my post. My idea was to try to force manufacturers to honor their warranty, which is supposed to protect against defects. Also, because Samsung knew about this vulnerability in August 2014 and continued to sell the Galaxy S4, they're knowingly selling a defective product. That ought to be more serious than simply selling a defective product.

      --
      M-I-Z
      kU still sucks!
    4. Re:Why aren't there lawsuits over this? by AmiMoJo · · Score: 1

      There is nothing to sue over. Unless you can show that you were attacked by malware or forced to stop using the device because of proven, legitimate fears then you have nothing to sue for. What loss have you suffered from this vulnerability?

      That's the thing about most of these supposedly critical flaws in Android. They are never that bad, we never see massive botnets because of them, we never see massive identity theft or any kind of practical, in the wild exploit. The people who do become victims do it to themselves, usually by installing some dodgy app store and disabling the Google malware protection.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Why aren't there lawsuits over this? by drinkypoo · · Score: 1

      The people who do become victims do it to themselves, usually by installing some dodgy app store and disabling the Google malware protection.

      The whole point of sandboxing is to protect me whether the software is malicious or malfunctioning. If it doesn't do that, then it's defective — especially if there's a known defect with a known mechanism. I've had to go around manufacturers for fixes for these problems because Motorola is not what you would call responsible about bringing out updates, nor is Asus. A bit frustrating, really. On the other hand, I was able to do that. Can't do that with Apple.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Why aren't there lawsuits over this? by Anonymous Coward · · Score: 0

      I for one would like to see new federal laws mandating warranties for certain new products. Such products should include smartphones, TVs costing more than $299, washers and dryers, computer monitors costing more than $199, etc. But the main reason would be to prevent unnecessary electronic waste.

    7. Re: Why aren't there lawsuits over this? by Anonymous Coward · · Score: 0

      In other news, AT&T finally pushed Lollipop to my S4 last night.

    8. Re:Why aren't there lawsuits over this? by AmiMoJo · · Score: 1

      I understand your feelings but for there to be a lawsuit there has to be some harm done. You can't just sue because someone does something you don't like.

      Since there are no viruses making use of this flaw it seems entirely theoretical at this point.

      Anyway, the latest update they released fixes it. It's your own fault if you didn't install it when offered (it's OTA).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Why aren't there lawsuits over this? by drinkypoo · · Score: 1

      I don't understand why phone manufacturers and carriers don't get sued for things like this.

      They do, when they make promises to bring out updates until a date, or a certain number of updates, etc, and when the affected class is sufficiently sizable to attract leeches, I mean lawyers. But when no promises are made and no damages can be proven it's difficult to squeeze blood out of a corporation.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. It's OK - Android is open! by Anonymous Coward · · Score: 0

    the definition of open: "mkdir android ; cd android ; repo init -u git://android.git.kernel.org/platform/manifest.git ; repo sync ; make"

    You can just patch your own phone!

    1. Re: It's OK - Android is open! by cyber-vandal · · Score: 3, Insightful

      How do you fix bugs in the proprietary closed source drivers?

    2. Re: It's OK - Android is open! by Anne+Thwacks · · Score: 2
      Even those of us whose phones are not directly affected are indirectly at risk. Surely we can join a class action against the people responsible for polluting the phonosphere with pathetically insecure software. If the manufacturer wishes to end support for a phone - he should be required to open source ALL the code, and release ALL hardware documentation. Or face fines that would obliterate the company instantly in each and every country where phones could conceivably work.

      And if a company dies, the IP of all its products goes to the official receiver - who should put them in the public domain.

      Everyone with a phone should be entitled to join a class action against any manufacturer who does not provide a way to fix security problems - so long as the phone is capable of operation: ie until physical death of said phone.

      Separately, there ought to be a law preventing sale of undocumented hardware to the general public. If you don't know what it is you own, how do you know it is safe to own it? If the manufacturer prevents you from knowing, surely he takes responsibility for its safety, and should be required to place a bond with the government covering the maximum possible risk (of being sued by all phone owners, everywhere, repeatedly, with the highest legal costs that lawyers can imagine).

      --
      Sent from my ASR33 using ASCII
    3. Re: It's OK - Android is open! by drinkypoo · · Score: 1

      If the manufacturer wishes to end support for a phone - he should be required to open source ALL the code, and release ALL hardware documentation.

      I'd like to see that as much as you would, perhaps even more. But that's not SOP in any industry, what makes you think we have a hope of getting that for mobiles?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re: It's OK - Android is open! by fustakrakich · · Score: 1

      Instead of making more laws, the best way is to remove copyright/patent protections for unsupported devices, consider them abandoned and in public domain.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re: It's OK - Android is open! by fustakrakich · · Score: 1

      Sorry redundant - asleep at the wheel...

      --
      “He’s not deformed, he’s just drunk!”
    6. Re: It's OK - Android is open! by Anonymous Coward · · Score: 0

      A disassembler and a hex editor, you pleb

    7. Re: It's OK - Android is open! by Hognoxious · · Score: 1

      In my day we used a magnetised needle and a microscope. And we had to grind our own lenses.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. Article is FUD by the+Hewster · · Score: 3, Informative

    This article makes no sense. It says the vulnerability affects the Galaxy S4 but only if you are running an outdated firmware (like Kit kat). However, there is an official (pushed OTA) update to Jelly Bean on this device, so all you have to do to not be vulnerable is apply the update! Same as usual: if you want to avoid vulnerabilities, update your stuff regularly.

    1. Re:Article is FUD by msauve · · Score: 1

      You make no sense. The summary says "Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat" and the article says "Samsung just confirmed to us that the JB and KK families will not be patched and that the vulnerabilities are only patched on the LL family."

      So, explain how "an official (pushed OTA) update to Jelly Bean" fixes things.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Article is FUD by the+Hewster · · Score: 1

      Actually, there is also a Lollipop 5.0.1 update (also pushed OTA) for the Galaxy S4 i9500 (the phone of the article). I have it running currently on my S4. source: http://www.sammobile.com/firmw...

    3. Re:Article is FUD by Anonymous Coward · · Score: 0

      Not all versions of the S4, some carrier versions do not get it. Yea yea blame the carrier, but I blame you for poor reading comprehension and rampant fanboy defence squad-ism.

    4. Re:Article is FUD by Walter+White · · Score: 1

      ... only if you are running an outdated firmware (like Kit kat). ... update to Jelly Bean on this device ...

      You apparently did not know that Android versions are named in alphabetical order. Jelly Bean (4.1) predates KitKat (4.4). You cannot "upgrade" to Jelly Bean from KitKat.

      Apologies if your post was sarcasm. I interpreted it as ignorance.

    5. Re:Article is FUD by msauve · · Score: 1

      ...and is the vulnerability at issue fixed in that update? Do you know there will be another to address it?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Article is FUD by ohnocitizen · · Score: 1

      This should not be modded up. Samsung leaves their older devices without upgrades. I'm still using an S3, and I shouldn't have to buy a new phone because the locked down device I purchased was made by a company that refuses to upgrade their older phones.

    7. Re: Article is FUD by Anonymous Coward · · Score: 0

      No one is forcing you to do anything.

  9. the kind of company that wants my $$$ by mschaffer · · Score: 1

    These "dumbass" companies have a few more generations of device sales before this becomes a major problem. Then something has to give.

  10. Because lawsuits aren't for justice by rsilvergun · · Score: 1

    they're to put money in a lawyer's pocket and a $5 off your next phone coupon in yours. It'd probably be too hard to sue over something like this. It's too hard for a jury of 50-somethings (who are the only folks that could take 6 months off for the trial) to understand. How's that joke go? 10 people too dumb to get out of jury duty...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  11. Unless you are in T-Mobile which did not update S4 by Anonymous Coward · · Score: 0

    T-Mobile pulled the usual case of not upgrading the S4 to Lollipop.
    Since it is the second phone that I had with them that they did not bother to update, I recommend other vendors.

  12. Samsung does patch kernel vulnerabilities .. by nickweller · · Score: 1

    Considering the current version is fully patched, I don't understand how you would spin this into Samsung not patching kernel vulnerabilities.

    "Samsung has decided to patch, but only for recent devices running Android Lollipop, and not for those with Jelly Bean or KitKat."

  13. I want an update by msobkow · · Score: 0

    I want an update for my old SNES. Just because.

    Remember when things were sold "as is" and there was no such thing as an "update"?

    --
    I do not fail; I succeed at finding out what does not work.
  14. just asking... by Anonymous Coward · · Score: 0

    With all the screaming over trademarks (e.g. Pokemon), are the candy manufacturers ever going to go after Google over Android version names? KitKat, for example, is trademarked. Oh hang on, the big swine on the Animal Farm don't sue one another.

  15. Nonsense by Anonymous Coward · · Score: 0

    iOS is worth recommending, at least to the least technical, if only because Apple *DOES* support it long-term