Google Fixes Zero-Day Kernel Flaw, Says Effect on Android Not Really That Bad

itwbennett writes: Google has developed a patch for Android in response to a flaw in the Linux kernel and has shared it with device manufacturers. That doesn't mean the patch will hit users' phones right away, though. It might take weeks. But that's ok, says Google, because most Android devices are unlikely to run vulnerable kernel versions, and those that do are protected by SELinux.

Ridiculous

If there's a security fix for iOS, I can download and install it right away. There's no reason that shouldn't be the case for Android. This is ridiculous. And what if the manufacturers have disabled SELinux or set it to be permissive? It's a matter of time before a worm like Blaster hits Android and does some serious damage. Fix your damn security model!

Re:Ridiculous

[phantomfive]

If there's a security fix for iOS, I can download and install it right away. .... Fix your damn security model!

Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

Re:Ridiculous

[Harlequin80]

Out of interest can you point to any in the wild infections for Android?

Re:Ridiculous

[SirSlud]

You're right. Some people would say that security depends on being perfect. Those people however are living in a dream world where trying to prevent mistakes and fixing mistakes are somehow physically mutually exclusive.

Re:Ridiculous

[phantomfive]

You're right.

I have to say we are in total agreement.

Some people would say that security depends on being perfect.

Whether perfection is possible or not: that is a philosophical question.
More practically, we can easily do better in security than we are doing now by an order of magnitude.

Re:Ridiculous

Nobody can deny the the Android update situation is a complete mess. But Apple aren't exactly security darlings here. Sure, you get the updates immediately... when Apple gets around to it. You still have to live with years-old known vulnerabilities, and major issues being held back for more product-cycle friendly release timescales.

Re:Ridiculous

Google updates Android, folds in fixes submitted through AOSP and pushes them out to Google devices. That is where their responsibility ends. Google cannot make any hardware manufacturer push those updates out.

The hardware maker is the one who is supposed to take Google's updates, negotiate terms with the carriers and push them out to their devices. The end user is also free to manually install updates themselves and many do, which is why so many unofficial firmwares are available through places like xda devs.

Re:Ridiculous

[shawn2772]

what if the manufacturers have disabled SELinux or set it to be permissive?

Then those manufacturers' devices cannot pass the Android Compliance Test Suite, and they have no right to call their devices Android and cannot use Google's apps. SELinux, in enforcing mode and with the Google-defined configuration (mostly; OEMs can make tweaks in some areas, but not the ones relevant to this vulnerability) has been a formal Android compliance requirement since Lollipop.

It's a matter of time before a worm like Blaster hits Android and does some serious damage.

I doubt it. Android is vastly more secure than Windows was (or even is... and Windows is much better than it was when Blaster hit). The lack of updates delivered by OEMs has caused the Android security team to focus on defense in depth, and the system is working pretty well (see last year's report -- or wait a bit for the new report which should be out in a few weeks). In particular, less than 0.1% of Android devices that use the Play store have any potentially harmful apps (PHA) installed, and that PHA definition is much broader than just traditional malware. Of the PHA apps, only about 5% try to exploit vulnerabilities; the rest focus on social-engineering the users.

So, 0.005% of Android devices have some exploit-using malware on them. And AFAIK there are no Android worms. So, I really, really doubt Android is ripe for a Blaster.

Fix your damn security model!

The Android security model is actually very good... with one glaring exception, which is the update problem. But Google has committed to a monthly patch cycle for Nexus devices, and several other OEMs have hopped on that patch train. Thanks to that, carriers are being forced to get updated software through QA faster, and the focus on monthly updates is pushing OEMs to simplify their offerings to make updating them more practical (you probably won't see a visible reduction in number of offerings; but in the future I expect each model will have a handful of SKUs, at most, rather than hundreds as is often the case today).

The update problem isn't going to get fixed overnight, but I think it is getting fixed, at least from top manufacturers. The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase, to force all of the rest to get with the program.

In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

(Full disclosure: I'm a Google engineer, on the Android security team.)

Re: Ridiculous

[io333]

Google could require that manufactures subscribe to some sort of security update model as a requirement before using android software. By not doing this, Google is opening itself up to tremendous liability should something bad ever happen. You may not think so, but some jury someday may think differently. I know of what I speak, though I would prefer not to give full disclosure.

Re:Ridiculous

[cfalcon]

Well, given that we're discussing a case where Android has a vulnerability, then the speed of the update is pretty relevant.

Re:Ridiculous

[jrumney]

If there's a security fix for iOS you don't even hear about it until Apple is ready to ship on all devices they are still supporting.

Re:Ridiculous

[thejynxed]

No they won't, because too many of them insist having everything their way once you guys sign off on their use of Android. This leads to everything from locked bootloaders, out of date kernels, no OS patches at all, etc. This isn't getting better, it has been steadily getting worse, with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android. Many places are still selling flagship models with Lollipop that don't even have Marshmallow in the upgrade pipeline. It's just ridiculous.

Re:Ridiculous

[ChunderDownunder]

In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

Except when Google discontinues your device support. :(

Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.

Re: Ridiculous

[cyber-vandal]

You are a pathetic fanboi with no grasp on reality at all.

It's not the fault of the users that Google has failed to set up an ecosystem where they're protected from security flaws.

It's not the fault of the users that carriers and OEMs don't give a shit about their customers.

It's not the fault of the users that they can't buy Nexus devices in their country.

If Microsoft tried this bullshit they'd be torn a new one on here but because it's Linux under the hood it must be defended to the death.

Re: Ridiculous

[cyber-vandal]

How are consumers going to demand that when all the OEMs are varying levels of useless. Google has the power to pressure them to be better but doesn't seem to want to use it.

Re:Ridiculous

[thegarbz]

Thanks to that, carriers are being forced to get updated software through QA faster

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

Re:Ridiculous

[Flavianoep]

Should they wait for one and then act?

Re:Ridiculous

[arglebargle_xiv]

However, I have a big problem with some of the other software that resides on my phone, including apps and software that I don't want and especially a program called DT Ignite.

There's an app for that. Also, the carriers claim the bloatware downloads are zero-rated, although that's been a bit hard to verify.

Re:Ridiculous

[jeremyp]

There is a reason why it shouldn't be the case for Android. The reason is that Google doesn't make the phones. This patch will have to be tested on each manufacturer's devices before it is made available. Google isn't going to do that, the manufacturers are. Well, you'd hope the manufacturers are.

This is the fundamental difference between the Android and iOS ecosystems, Android is fragmented, iOS is monolithic.

Re:Ridiculous

[Errol+backfiring]

The next step is for consumers to insist on well-defined and sufficiently-lengthy support and update policies as a condition of purchase

That would be nice if a user had anything to say about the stuff he would buy. You can demand every reasonable thing in the world, but "then don't buy it" is the only answer you will ever get.

Not buying a phone might give you a good feeling for living up to your principles, but it will not result in a phone with reasonable support.

Re:Ridiculous

[Letophoro]

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

You would think so. Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it. In part because both pile useless software onto the handset that might rely on whatever is being patched. Even more unfortunately, neither of them have any vested interest in actually applying the patch because they would rather sell a new handset and get you into another contract instead.

While I am not an Apple fan, I think their model of removing other actors from the security equation is beneficial. The Google -> Nexus model is essentially the same thing and is partially why I have a Nexus phone.

Re:Ridiculous

[kbg]

Yes here is the list of manufacturers that offer timely updates:
  * None

Re:Ridiculous

[MachineShedFred]

Yeah, because in the history of software development, there are exactly zero products that have shipped, and are 100% free of bugs and flaws. So don't worry about how fast you can patch it.

Re:Ridiculous

[MachineShedFred]

That's a fantastic excuse for a horrible model.

If Google actually wanted to get serious about this, they would contractually obligate their OEMs to send security-related updates in a timely fashion. Yet they don't, and *their* platform continues to have this god damn mess.

Throwing up your hands and saying "that is the OEM's problem" is a fantastic way to be selling devices that are actively exploitable, and ruin the reputation of your brand. Even Microsoft recognizes that.

Re:Ridiculous

[Merk42]

Please write something more complicated than "Hello World" that has no vulnerabilities. Also it must be invulnerable to unknown future attack vectors.

Re:Ridiculous

[Merk42]

If there's a security fix for iOS you don't even hear about it until Apple is ready to ship on all devices they are still supporting.

no, but if there is a security vulnerability you do hear about it..

Re:Ridiculous

[BronsCon]

Or, as a user, educate yourself and buy a Nexus device which, much as the iPhone gets its updates directly from Apple, gets its updates directly from Google. I've noticed that Google is generally quicker to update my Nexus 6 than Apple is to update my iPad Air when a flaw is publicly disclosed; I would assume the same when the flaw is not publicly disclosed but there is not frame of reference for this.

Re:Ridiculous

[BronsCon]

You mean this?

These types of worms also rely on social engineering to convince the user to click on the link and run the malware.

So, not a worm, but a trojan, which iOS also has.

Re:Ridiculous

[shawn2772]

Also, I do prefer the iOS permissions model, in which users are specifically asked to enable permissions for particular apps as needed.

Android moved to that model in Android Marshmallow.

Re:Ridiculous

[shawn2772]

In the short term, if you want the most secure and up-to-date Android device, buy Nexus, but I expect soon others will be challenging Google for that spot.

Except when Google discontinues your device support. :(

Please encourage your superiors to release official Marshmallow images and updates for the Google Nexus 4.

Two years of updates and three years of security patches is better than anyone else is offering. Apple sometimes does a bit better than that, but they don't make any promises.

Re: Ridiculous

[shawn2772]

How are consumers going to demand that when all the OEMs are varying levels of useless. Google has the power to pressure them to be better but doesn't seem to want to use it.

Google has a lot less power than you think. We have to tread carefully to keep the ecosystem unified and moving forward together. If Google is too heavy-handed, some of the bigger OEMs are totally capable of taking AOSP and going their own way.

Re:Ridiculous

[BronsCon]

those are typically lagging behind in hardware

I wouldn't say the Nexus 6 is lagging behind in hardware, even comparing to the generation of devices released after it. Actually, for the first time I've owned a phone for over a year and still see nothing compelling on the market. Just saying.

Sure, a fingerprint reader would be nice, but that's something I'd use for a grand total of a couple seconds per day, versus the display I'd be giving up, which gets used much, much more. The Nexus 6P is comparable, but trading wireless charging for a fingerprint reader and USB-C seems silly when the performance gains of the device are relatively small and the current model still handles everything I throw at it without a hiccup and likely will until the mid-range catches up with it in several years. That sure sounds like a device that's lagging behind, no?

Re:Ridiculous

[shawn2772]

Thanks to that, carriers are being forced to get updated software through QA faster

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

Hell if I know. It makes no sense to me, either.

Re:Ridiculous

[shawn2772]

Unfortunately, the way it is unless you have a Nexus phone is that first the manufacturer has to vet the patch, then the carrier has to vet it.

Same on Nexus, actually, though Google has managed to streamline the process a bit. The manufacturer vetting step is mostly cut out. Mostly.

While I am not an Apple fan, I think their model of removing other actors from the security equation is beneficial.

It's worth noting that Apple also has to go through the carrier vetting step.

The biggest difference between Apple/Nexus and other OEMs, IMO, is variety. Samsung, for example, has thousands of different system images to update, and each one has to be validated by the carriers. Nexus and Apple keep it down to a handful. The OEMs have done this to themselves, obviously, and they're working on fixing it now that it's becoming clear that users do care about updates.

Re:Ridiculous

[shawn2772]

Yes here is the list of manufacturers that offer timely updates: * None

Not true. Nexus devices get monthly updates. So do some Samsung devices. I know there are some other manufacturers. It seems like the list the AC is asking for is something Google could potentially provide.

Re:Ridiculous

[shawn2772]

There's an interesting ongoing case in the Netherlands in that regard: A Dutch consumer organisation is suing Samsung for neither providing updates nor making it clear for how long a new phone will be kept updated. (I'm personally imagining best-before dates on the packaging, like on food).

Cool. We do need companies to tell you before you buy what you're going to get, and then back it up. Glad to see that's happening.

However, Samsung actually has committed to a regular update cycle on their new flagship devices, after Google did it for Nexus. So they're getting it. I don't know if it's a result of this suit or what, but whatever it takes to make this happen, I'm for it.

Re:Ridiculous

[BronsCon]

That's a fantastic excuse for a horrible model.

And if you were at all familiar with the restrictions mobile operators place on device manufacturers, you'd understand that's it's a factual one, as well. Even Microsoft recognizes that.

We work closely with our carrier partners, and encourage them to test our software as swiftly as possible. But it’s still their network, and the reality is that some carriers require more time than others. By the way, this carrier testing is a common industry practice that all of our competitors must also undergo. No exceptions.

That said, this only applies to devices which the carrier has customized in some way. As far as Nexus devices go, that only includes the T-Mobile Nexus 6 and, even then, the customization was done by Google and T-Mobile allows them to push updates directly and without approval. Every other Android device sold, by literally any carrier, is customized with carrier apps and features and requires the carrier's approval for updates.

Re:Ridiculous

[BronsCon]

although that's been a bit hard to verify

and probably in violation of net-neutrality regulations.

Re:Ridiculous

[BronsCon]

with the number of devices updated by OEMs and carriers to Lollipop and Marshmallow being lower than any previous versions of Android

specifically because, starting with Lollipop, carrier apps are installed on first boot (based on the inserted SIM, so no carrier apps if no SIM is installed) and can be removed by the user once installed. They're no longer part of the firmware, thus no longer require carrier customization. which removes the carrier's ability to require their approval before updates are pushed by the OEMs. While this makes it easier for OEMs to push updates, they can only do so where standalone versions of the carrier apps are available; e.g. they can't update a KitKat device to Lollipop without carrier approval, but once the device is running Lollipop or newer, they can push their own updates. Carriers don't want to give up this control where they can avoid it, so they don't approve those updates for devices shipping with KitKat or older.

This problem will solve itself as those devices fall out of use.

Re:Ridiculous

[BronsCon]

They support their phones for at least as long as Apple. In fact, they've made a legally binding commitment to supporting devices for at least a certain period of time: major version updates for at least 2 years from date of first sale; security updates for at least 3 years from date of first sale or 18 months from date of removal from the Google Play Store, whichever is longer.

Meanwhile, Apple and Microsoft have done no such thing. I'm not sure of Microsoft's track record regarding device support, but I know Apple's done fairly well; there's nothing indicating they'll continue to do so, however, and no requirement that they do. With Google, you know how long to expect device support and anything beyond that is icing.

Re:Ridiculous

[BronsCon]

Wrong.
* Google (Nexus devices)

Re: Ridiculous

[BronsCon]

It is the fault of the users that they bought into it, though. Grasp that reality and take responsibility for your own decisions, maybe then you'll realize that it's important to learn exactly what it is you're buying before you buy it. The information was clearly available, as many of us made use of it when deciding to buy Nexus devices over all else. Those of us who live in a country where Nexus devices aren't available can still learn which devices ship with unlocked bootloaders and load vanilla Android ourselves. If lacking the technical knowhow to load a 3rd-party firmware, the iPhone is still an option. Failing the availability of the iPhone, Android isn't going to be an option either, rendering further extrapolation unnecessary.

There is no situation in which a user's only option is an Android device with OEM firmware that will never see updated. Literally none. It's a user choice, pure and simple; it may be made in ignorance, by users who don't know any better, but that ignorance is a user choice, as well.

Re:Ridiculous

[tlhIngan]

Thanks to that, carriers are being forced to get updated software through QA faster

Why is that even a thing? I can understand changes to the modem being an issue but isn't Android modular enough that things like a kernel patch, or some updated software can be delivered without a carrier having to vet anything?

No, because some carriers get anal and demand things work in certain ways.

It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example. Then there are the test commands that carriers want, and how many bars correspond to certain signals (remember when AT&T demanded that Apple show "4G" on the iPhone 4S when doing HSPA?).

Then there are other things like phones must not show things like call timers or data counts or must adjust them somehow so it more reflects how the carrier counts, etc.

Re:Ridiculous

[phantomfive]

This topic has been brought up before. DJB showed with qmail that a substantial program can be written with no serious vulnerabilities.
OpenBSD shows we can do better on security by an order of magnitude (and if you listen to the techniques they use, it's not super-hard).

There's no excuse for the garbage, vulnerable software we are subjected to.

Re:Ridiculous

[phantomfive]

The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,

If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.

Re:Ridiculous

[phantomfive]

Because carriers make their own, modified distribution of Android. Which of course, git is set up to handle, but sometimes the carriers make a mess of things.

It's not entirely the carrier's fault, because sometimes Google makes some pretty big changes in the core OS. So, for example, imagine if the carrier had to change the screenshot utility to work with their hardware (surprisingly common). Then in a later version of Android, google changed the internal screenshot system. In order to update to the latest Android, the carrier would need to figure out how to get screenshots working again.

That's just one example, there are similar small changes throughout the Android system. So to make sure everything works with an updated version can be a lot of work for a carrier.

Re:Ridiculous

[Merk42]

Both OpenBSD and qmail have had vulnerabilities, so I guess they're garbage too.

Re:Ridiculous

[phantomfive]

Android had more vulnerabilities in the last month than OpenBSD has had in the last decade. If you can't see a difference here, you need to have your brain adjusted. There is some sloppy programming going on in Android that doesn't need to be.

Re:Ridiculous

[phantomfive]

True, the patching system can be improved.

Re:Ridiculous

[Merk42]

Security through obscurity!
Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."

Re:Ridiculous

[phantomfive]

Seriously though, I'm not the one that said "security depends on not having security vulnerabilities in your software to begin with."

Yeah, it's true. A fully patched Android system is still vulnerable. Any attacker who wants to put in the effort can find a vulnerability.

Re:Ridiculous

[shawn2772]

The Android security model is actually very good....but Google has committed to a monthly patch cycle for Nexus devices,

If you have to release security patches every month, then your security model is definitely NOT good. You have serious problems with your code.

Utter nonsense.

There is no way that any system as large and complex as a modern personal computing operating system is going to be completely bug-free. If you believe otherwise, you're either clueless or living in a fantasy world.

Re:Ridiculous

[phantomfive]

Utter nonsense.

You're wrong. Even if you were correct in your assumption that large systems can't be secure, then you would still be wrong in saying that such security is good. Bad security is bad security, even if you think it's the best possible. Software with many vulnerabilities is not secure.

If you believe otherwise, you're either clueless or living in a fantasy world.

I like the fact based, well-reasoned argument you have there. It's so convincing.

Re:Ridiculous

[shawn2772]

You've clearly never tried to build large-scale secure software systems. There's no point in discussing this with you.

Re:Ridiculous

[shawn2772]

Oh, something for you to consider: http://www.openbsd.org/errata5...

OpenBSD is much smaller and simpler than any mainstream OS, and has had a laser focus on security for years. Security is their number one goal, above usability, features or anything else... and yet they need more-than-monthly updates to fix security defects. That should give you an indication of just how hard a problem this is.

Re:Ridiculous

[phantomfive]

That's the most insightful comment you've made so far, and it actually has data in it. So good job.

Re: Ridiculous

[cyber-vandal]

Samsung, HTC and various carriers have already done that to a degree and that's part of why updates aren't provided in a timely manner. The Android ecosystem is a mess leaving consumers vulnerable and Google is the only org that can pull it together again. I don't envy you having to do that but the current status quo is not good enough.

Re: Ridiculous

[cyber-vandal]

Are you taking the piss? It's the fault of the user that they don't load some random firmware that doesn't support all the functions of their phone via Odin which isn't exactly user friendly. In a world like that how soon would it be before malware infested firmwares were everywhere. You fanboys are mental.

Just buy a Nexus is not the answer, the answer is for the OEMs, the carriers and Google to give a shit about their customers.

I'm not attacking the OS. I had a Nexus 6 (which wasn't cheap) and it was great. Google needs to sort out the fragmented ecosystem for the benefit of customers and developers. As it is only the OEMs and the carriers are benefiting from the status quo.

Re:Ridiculous

[thegarbz]

It's a lot better now, but in the past, things like the color of the send button must be a certain shade of green, for example.

That's not relevant. A lot of those features especially the candy is controlled by individual apps. There's no reason a whole kernel upgrade should have any visible impact on the user or any of the applications at all. My point was why isn't the system modular enough that these customisations aren't a problem. It's not like I have to rebuilt my linux server every time a new package or security fix is released.

Re:Ridiculous

[thegarbz]

I'm talking about minor updates and fixes here not API changing modifications. One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.

Re: Ridiculous

[BronsCon]

Odin works (for some definitions of "works") for Samsung, there are better tools for HTC, LG, and Motorola. Beyond that, dedicated community members tend to build full-function firmwares for popular devices and yes, it is the user's fault if they can't be assed to learn this stuff before purchasing a device, if security is a concern to them and other options are available.

Yes, the carriers and OEMs share in the blame, and Google gets their fair share as well for not requiring that the OEMs conform to some standardized update schedule (as a minimum, of course the OEMs could go above and beyond that schedule) in order to ship Google Apps with their devices (AOSP should remain unrestricted as it currently is), but let's not kid ourselves by saying the users bear no responsibility for their purchase decisions. Android isn't the only option; and, even if it were, OEM firmware and phones locked to such are not the only options in the Android world. This is true everywhere. And for users who may be concerned about security and, for whatever reason, are incapable of learning which phones can run alternate firmwares and/or how to load them, there is sure to be a friend or family member who can help.

But no, you'd have them keep giving their money for locked devices that will never see updates, when other options are available. Clearly, you disagree that their dollars would be much better spent on devices that are capable of community support when the OEM backs down from updates, then applying a bit of knowledge (or asking a capable friend or family member to do so) to extend the useful secure life of the device, rather than rewarding the OEMs and carriers for their shit-show by buying new devices to get the newest software.

You don't have to tell me the Nexus 6 is great, I absolutely love mine. I've had it since it was released and not only is this the longest I've kept the same phone since I got my first phone in 2000, this is the longest I've gone without looking at what's on the market for any purpose other than to help a friend select the phone that is the best fit for them. That is to say that, in 16 years of cellphone ownership (and all flagship devices, mind you; I even had the first MP3 player phone to hit the market, released by Samsung, and the first phone with an OLED display, released by BenQ Seimens), the Nexus 6 is the first device I've owned that has met and exceeded my long-term expectations for a tool of its nature. It's actually all but replaced my iPad Air for all functions not requiring the pressure sensitive pen (Adonit Jot Touch) that just so happens to be iPad-only.

Beyond that, yes, I agree that the fragmented ecosystem needs to get sorted out and you are correct that only the OEMs and carriers are winning the current game. But, again, let's not pretend that users can't vote with their dollars and stop giving money to the OEMs for devices they're not allowed to take actual ownership of. It just takes a little bit of common sense and forethought, both of which seem to be lacking in today's society; globally.

Re:Ridiculous

[kbg]

Tell that to Google Nexus 4 owners.

Re: Ridiculous

[BronsCon]

You mean the Nexus 4 that has the most recent updates available? I think you meant Galaxy Nexus, and that phon was supported for over 4 years, except on Verizon, who blocked the last update.

Re:Ridiculous

[phantomfive]

One should be able to apply a kernel patch without wondering if the entire system is going to melt into a puddle as a result.

That's true, especially since the kernel team is really good about maintaining backwards compatibility.

Re: Ridiculous

[kbg]

This page only lists that the Nexus 4 has 5.1.1 not 6.0, so no it doesn't have the latest updates.

Re: Ridiculous

[BronsCon]

Derp, posting before fully awake... forgot 6.0 was out. That said, Google guarantees major version updates for 2 years from first sale and security updates for the longer of 3 years from first sale or 18 months from discontinuation. Lollipop was released more than 2 years after the Nexus 4 went on sale (November 13, 2012) and more than 18 months have passed since the Nexus 4 was discontinued (and no longer available from the Google Store) on November 1, 2013. They've lived up to what they promised; in fact, considering that Lollipop 5.1.1 was released on January 4 of this year, they've provided over 3 years of major version updates, going well above and beyond that promise. If the promised support duration wasn't enough for you, why did you buy the phone?

Re: Ridiculous

[kbg]

That is one of the problems with Android your phone can only be used for 2 years until it is completely outdated and can't be updated any more. Now that wouldn't be a problem if Google wasn't constantly changing Android and coming up with newer and newer versions making it impossible to install new/updated apps from app store. The problem is that Google doesn't care about backward compatability and is constantly deprecating and messing up things for no reason. I understand if the newer phone has some new hardware that your phone doesn't have but this is software we are talking about there is absolutely no reason why it shouldn't be able to install a new version on older phone. Google is just lazy.

Re: Ridiculous

[BronsCon]

You do realize that nothing you just said is true, right? Your example phone, the Nexus 4, was still getting updates after more than 3 years and. In fact, 6.0.1 was released in the first week of December 2016, while 5.1.1 was released in the first week of January 2016. Ignore version numbers for a moment and realize that means that the Nexus 4 has been updated more recently than the Nexus 5, Nexus 6, Nexus 5X, and Nexus 6P, all of which came out long after the Nexus 4. And anything that works on 5.x works on 6.x and vise-versa. Meanwhile, you go on to attack Google for "deprecating and messing things up for no reason" while Siri was an app that wan on the 3Gs and newer iPhone until Apple integrated it into iOS and only allowed it to work on the 4s and newer. Likewise with split-screen multitasking in iOS 9, which the iPad Air is more than capable of supporting in hardware (hell, Android devices with much more restricted resources have been doing it for years) but, yet, it only works on the Air 2; I know this because I have both devices. And no, the sidebar "multitasking" is not the same; both models do that, I'm talkign about the side-by-side, 2 apps actually fully running at the same time split-screen multitasking. My first Android phone, over 4 years ago now, cold do that, hell, it even had a dock that it plugged into that let it operate as an Ubuntu laptop *alongside* its android phone functionality. If the Motorola Atrix could do it, why can't the iPad Air? It's not the Apple isn't interested in the functionality, because the Air 2 does it; it's all in software and both devices run the same software, so what gives?

I think you're the one who's lazy. Or maybe just blind. I'm not sure. Do you just not see that you can unlock your Nexus 4's bootloader (Google gives you instructions, they allow it, they even encourage it once support has ended) and install Marshmallow on the damn thing, or are you too lazy to do it?

To clarify, what I'm referring to is the following:

there is absolutely no reason why it shouldn't be able to install a new version on older phone

And you're oh so right. There is no reason you shouldn't be able to. With about 2 minutes worth of research, you'll find that you can, actually.

Re:Ridiculous

[kmoser]

Some people would say that security doesn't depend on fast updates: security depends on not having security vulnerabilities in your software to begin with.

Security doesn't depend on not having security vulnerabilities in your software to begin with; security depends on preventing people from discovering and exploiting your existing security vulnerabilities.

Re:Ridiculous

[phantomfive]

security depends on preventing people from discovering and exploiting your existing security vulnerabilities.

That's a bandaid that definitely works sometimes.

Re: Ridiculous

[kbg]

You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.

Do you really think a normal user will be able to unlock or install Marshmallow on his phone with these unnecessary complex instructions? I have rooted and installed a few Android mods myself and I can tell you that it is very easy to make a small mistake or that the third party instructions are not clear enough so you end up with a bricked phone. I am not talking about myself, you or other technical people. My sister, mom or my grandma will not be able to install this crap.

If the company can't support a highly expensive device for more than 2 years then the install process should be as simple as dowloading a Google app that will update the phone. This is something that Google could easily do if they would just get of their asses and stop being evil.

Re: Ridiculous

[BronsCon]

You talk about Apple but Apple is not an excuse because they are bad themselves, yes Apple also sucks.

I talk about Apple not to excuse Google, but because everyone always brings up Apple as an example of "doing it right". If that is incorrect (as I've shown) then, perhaps, people should stop doing it. If you weren't slyly hinting at Apple, and I know you weren't pointing to Microsoft of Blackberry, just who is the shining beacon of "doing it right"? And if nobody, who is doing it best? I'd venture that Google isn't doing too horribly if your requirement is the ability to buy a device from any number of suppliers and avoid Apple's vendor-lock. Mind you, I willingly submit to that as an iPad owner, but that's essentially become a glorified digitizer tablet since I got my Nexus 6.

I am not talking about myself, you or other technical people. My sister, mom or my grandma will not be able to install this crap.

So, you're saying you wouldn't help your sister, mom, or grandma with this? I know I would, as wold most technical people who wish to encourage their friends and family to be more secure.

If the company can't support a highly expensive device for more than 2 years then the install process should be as simple as dowloading a Google app that will update the phone.

And then every app and piece of malware would have fill write access to /system/ along with the update app. You don't think that would make things less secure? It would, by a lot. I'll remind you that I'm talking about unlocking your bootloader and flashing a new ROM to /system/, not rooting and installing things to /bin/ and /usr/bin/. In many cases, rooting an Android device is actually much more complicated than flashing a new ROM, though you can flash a pre-rooted ROM if you're flashing one anyway.

This is something that Google could easily do if they would just get of their asses and stop being evil.

You mean it's something Google cold easily do if they would just stop write-locking /system/ during the boot process to prevent malware from completely pwning Android devices. You must not realize that this is a security measure, and a very strong one at that; it's literally as simple as it could possibly be without opening the door to all kinds of nasty malware we currently don't have to deal with. The only thing that might make it easier is a GUI, but that would also make it easier for people to install malicious ROMs without really thinking about it; having to type it out makes you think about what you're about to do before you press enter.

Well, maybe not you, but most people.

Re: Ridiculous

[kbg]

So, you're saying you wouldn't help your sister, mom, or grandma with this? I know I would, as wold most technical people who wish to encourage their friends and family to be more secure.

I will help them as much as I can but I refuse to be a technical support for Google just because they are incompetient and don't care.

You mean it's something Google cold easily do if they would just stop write-locking /system/ during the boot process to prevent malware from completely pwning Android devices. You must not realize that this is a security measure, and a very strong one at that; it's literally as simple as it could possibly be without opening the door to all kinds of nasty malware we currently don't have to deal with. The only thing that might make it easier is a GUI, but that would also make it easier for people to install malicious ROMs without really thinking about it; having to type it out makes you think about what you're about to do before you press enter.

No Google controls the system. They already have a lot of system apps that can whatever they want. This is just a simple implentation of crypto signing the app. If the app is signed by a specific key by Google then they can give the app access to stuff like this. You talk about like this is something impossible to do? If you control the system like Google does you can have it any way you like.

Re: Ridiculous

[BronsCon]

Keys can be forged or stolen, we've seen it happen. I'll keep my hardware write lock, thanks, and you can have your insecure softlocked toy.

The bug

[phantomfive]

In case anyone cares, the bug was improper deallocation. Sloppy programming.

if OEM disabled security. Tautology

[raymorris]

> what if the manufacturers have disabled SELinux

Yes, if an OEM disabled the security model, that would be a security problem. Tautology much? That hasn't happened on any relevant device.

Oh I know, if the manufacturer installed a botnet malware and gave access to spammers, that would be a problem too! Oh my, a manufacturer could mess up the device the manufacturer!

Re:if OEM disabled security. Tautology

[ArmoredDragon]

That hasn't happened on any relevant device.

I really doubt it ever would because of the whole SEAndroid architecture built on top of it. An OEM would seriously have to go out of their way to not have it working.

Re:if OEM disabled security. Tautology

[BronsCon]

Right? And here's the thing: Apple fans (I'm a user, but not a fan, it's a tool and it does a job, it's not deserving of fandom) will insist that issues that affect rooted or non-Nexus Android devices are worse than issues that affect jailbroken iOS devices, but they're really one-in-the-same. The reality is that rooting an Android device is a departure from the vanilla Android binaries and configuration provided by Google, as is a manufacturer replacing Android binaries and configurations with their own or adding their own binaries for additional features or interface layers, just as jailbreaking an iOS device is a departure from the stock binaries and configurations of iOS. To a logical person, that would indicate that the only possibly non-compromised iOS devices are the non-jailbroken ones and the only possibly non-compromised Android devices are those running vanilla Android (e.g. Nexus devices) which have not been rooted.

Mind you, this is largely because rooting and jailbreaking are, in and of themselves, compromises of the device. From the perspective of the user, they're not actually compromised until some bit of malware makes its way onto the device, which generally only happens in either class of device when the device's OS has been modified; again, that means rooted, jailbroken, or tampered with by the manufacturer. Allowing for that, both classes of device are equally secure, which is to say their radios have direct and unfiltered network connections and direct memory access, you can extrapolate whatever you want from that.

That doesn't mean .....

[frovingslosh]

That doesn't mean the patch will hit users' phones ever, though.

There, I fixed it for you.

The problem with a root kit is that it's a root ki

[raymorris]

Lenovo's root kit wasn't bad because of some obscure bug in Windows. Lenovo's root kit was bad because it was a root kit.

Once you assume that the manufacturer is going to purposely ruin the security the security of the device, unrelated bugs don't have much effect on that.

In other words, if the manufacturer puts a tautology on your device, your device will have a tautology on it.

Weeks?

[cyber-vandal]

How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

Re:Weeks?

[nnull]

Samsung and Verizon devices will probably never get an upgrade. Took forever to get an update for my Note 12.

Re:Weeks?

[thegarbz]

How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

Yes but so are most attack vectors. When a problem gets discovered in Windows, IE, Flash, Acrobat etc it's sometimes a matter of hours / days before exploits are in the wild, sometimes the exploits are out before the the problem is discovered.

In the Android world I've yet to actually hear of a wide spread exploit self propagating between devices and turning them all into mass zombies. Typically we only hear about devices that were compromised via some dodgy app with questionable permissions, which is a far easier attack vector than any of the others which are theorised.

My phone isn't up to date yet on the whole I feel safe.

Re:Weeks?

[drinkypoo]

How about months or never. The upgrade situation on Android is a joke unless you buy from Google.

Not only is Motorola pretty good about updates, but I can get an AOSP build for pretty much any of their phones. I don't know if there are any other manufacturers as reputable, but I've been happy enough with Moto that my next phone will probably also come from them.

Re: Weeks?

[cyber-vandal]

The problem with Android is that even when the flaw is fixed by Google it doesn't make it onto the majority of the phones out there. That's not good enough. Microsoft would never escape criticism for ignoring flaws but for some reason Android OEMs seem to get a free pass.

Re: Weeks?

[BronsCon]

It's good enough for the Nexus device in my pocket. I don't own the majority of Android devices out there and neither would an educated consumer. Those OEMs aren't getting a free pass, I voted with my dollars and made them irrelevant, so it's not worth my time to jump on them.

Re: Weeks?

[thegarbz]

The free pass is given due to the attack vector. I would give Microsoft a free pass too when their bugs have very little impact or are incredibly unlikely to be exploited.

Just like I gave Linux a free pass when the malware was discovered last week and we all couldn't help but joke at the fact that parts of it didn't work, and when they did work it didn't do so very widely.

Re:Hey Mr. "Google Engineer", I'll take that bet

[shawn2772]

HELL - LOOK @ ALL THE VULNERABILITIES & PROBLEMS ANDROID HAS HAD SINCE IT'S VERY PUBLIC RELEASE & INCEPTION!

Yep. And look at the utter lack of Blaster-style mass infection.