Slashdot Mirror

← Back to Stories (view on slashdot.org)

Motorola Confirms That It Will Not Commit To Monthly Security Patches (arstechnica.com)

Posted by msmash on from the security-woes dept.

If you are planning to purchase the Moto Z or a Moto G4 smartphone, be prepared to not see security updates rolling out to your phone every month -- and in a timely fashion. After Ars Technica called out Motorola's security policy as "unacceptable" and "insecure," in a recent review, the company tried to handle the PR disaster, but later folded. In a statement to the publication, the company said: Motorola understands that keeping phones up to date with Android security patches is important to our customers. We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it's difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade. As we previously stated, Moto Z Droid Edition will receive Android Security Bulletins. Moto G4 will also receive them.Monthy security updates -- or the lack thereof -- remains one of the concerning issues that plagues the vast majority of Android devices. Unless it's a high-end smartphone, it is often rare to see the smartphone OEM keep the device's software updated for more than a year. Even with a flagship phone, the software update -- and corresponding security patches -- are typically guaranteed for only 18 to 24 months. Reports suggest that Google has been taking this issue seriously, and at some point, it was considering publicly shaming its partners that didn't roll out security updates to their respective devices fast enough.

18 of 162 comments (clear)

  1. Easy... by Anonymous Coward · · Score: 2, Insightful

    It's actually pretty easy to roll out regular patches, especially considering the upstream testing... ... unless you're adding a ton of vendor/carrier crapware. Testing and maintaining *that* might be an issue.

    Yet Motorola's solution is (apparently) not "DONT FUCKING DO THAT" but instead "don't bother with patching". Yay. Go team dumbass.

    1. Re:Easy... by tripleevenfall · · Score: 2

      If we patch our OS, people can remain on it and be happy with their existing phones. If we leave them behind with a millstone around their neck, they'll upgrade. Profit.

  2. Fuck you Motorola/Lenovo by LichtSpektren · · Score: 4, Insightful

    You specifically advertised the 2015 Moto E with the following line: "And while other smartphones in this category don't always support upgrades, we won't forget about you, and we'll make sure your Moto E stays up to date after you buy it."

    Then you stopped providing updates for it (of ANY kind) after 219 days.

    Fuck you, fuck you so hard. I've made it very clear to everybody I know that they should never, under any circumstances, buy any Motorola or Lenovo products.

    1. Re:Fuck you Motorola/Lenovo by thegarbz · · Score: 2

      That shiny new software smell?

      No just not software that smells like year old Swiss cheese complete with all those huge holes. Android 6 rolled out to my device last week. Nothing really changed. The software isn't wonderful and new. It still works like it did before. It is however nice knowing some security issues were fixed.

      This is slashdot. If you think people want updates to get that lovely new software smell then you don't belong here. If anything we want the software to change as little as possible with only security back ported. There is an expectation that even a $99 device won't suddenly expose all my data to the world.

    2. Re:Fuck you Motorola/Lenovo by tlhIngan · · Score: 2

      Why would anyone want a Motorola/Lenovo anyways? After all, they're dropping the headphone jack too...

      (Some "innovation" Apple. You got out-innovated by the competition over a rumor).

  3. Sad but unavoidable by bhcompy · · Score: 2

    This is what the ecosystem allows. You want to be open, that means that you're stuck with this, unless you can write the updates in ways that allows patching through the app store without affecting the vendor "customizations".

    Perhaps Google should rethink its strategy of how they offer software and encourage some type of buy-in on updates for support in the hardware and software dev process

    1. Re:Sad but unavoidable by macs4all · · Score: 3, Insightful

      It's not Google's choice. Vendors want the ability to make customizations to the OS, to "add value".

      Wrong! It IS Google's choice.

      I'm sure that "Vendors" wanted the ability to make "Customizations" to the iPhone, too. It's just that Google COULDN'T CARE LESS about anything other than Datamining. Every Android install is nothing more to them than more Click-bait, more Datamining, more Privacy incursions.

      Google could end this RIGHT NOW. But they won't.

      Ever ask yourself why?

    2. Re:Sad but unavoidable by Archangel+Michael · · Score: 2

      My take on the whole "we can't be bothered to patch or upgrade our phones" a complete line of bullshit. The fact that CM runs on so many devices kind of makes that case laughable. These are semi-pro volunteers at best who are able to manage to get the thing running on hardware, often without access the Manufacturer has to hardware level programming, and make (often) a better product than the manufacturer. If I were any one of these companies CEO, I would call it embarrassing.

      The second point is, they could bring in CM team to bring a clean version of Android for older phones for almost next to nothing, AND it would create a very good selling point for current phones. "Buy our $FLAGSHIP_PHONE today, and we'll make sure you have the current version of Android as long as you have the phone. We'll support our super special version for up to 2 years, and after that, we'll let you put on CM version of your choice. "

      My biggest problem is with CyangoenMod INC, which has been one clusterfuck after another. The moment they took funding from Microsoft, I knew they were doomed. And it has been one bad decision after another, all in the name of $$$ .... Selling out your soul to the devil for a buck rarely works out for the one who no longer has a soul.

      I love my Nexus 6P, but I would REALLY like to have a choice of pure Android, with no crap and bloat. I realize that lots of people don't give a rip about "pure android" and are happy with the crap VZ puts on their Samsung Phones (both have their own crapware)

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  4. Then UNLOCK OUR BOOTLOADERS! by emil · · Score: 5, Insightful

    No exceptions. A phone is a critical communications device, and if the OEM won't supply critical upgrades, then they must allow others to do so.

    DMCA exceptions should be established, and vendors should not be allowed to sell phones within the U.S. without providing all required unlock keys into an escrow. Upon 6 months of patch inactivity, the keys go public.

    1. Re:Then UNLOCK OUR BOOTLOADERS! by TheGratefulNet · · Score: 4, Insightful

      if we had ralph nader types working for us, it would be a law that any series of skipped or delayed security patches (some threshold in a row) would mandate that you unlock bootloaders and let people do the patching themselves.

      man, I wish we had people working FOR THE PEOPLE as our government. the fact that they sold all of us out and stopped caring, that's going to be part of our total demise as a nation. not the main part, but a huge part.

      there were short periods in time (sorry to say, usually under D control) where our congress and senate worked to make things better for regular people. I can't remember the last time this happened, though.

      too bad our lawmakers have no balls to stand up to the power of money and bribes and 'election campain money'.

      we surely deserve better than this.

      --

      --
      "It is now safe to switch off your computer."
    2. Re:Then UNLOCK OUR BOOTLOADERS! by future+assassin · · Score: 2

      hear hear!

      --
      by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    3. Re:Then UNLOCK OUR BOOTLOADERS! by viperidaenz · · Score: 2

      Motorola let you unlock their phones.
      They have instructions on their website.

  5. And I commit not to buying their products. by gweilo8888 · · Score: 2

    It saddens me, as a one-time Motorolan myself, but when other vendors are perfectly capable of providing timely security updates, I'm not going to buy products from a company that willfully ignores its customers' security.

    If it is too much work, Motorola, then you fix that problem. You don't just pass the buck to the end user. If it is taking too long, that means you're adding too much bloated cruft to the OS. Get rid of it and do your job properly, or suffer the consequences of anyone who knows a little about security avoiding your products, and recommending friends, family and colleagues to do the same.

  6. cheap bastards, that's all by TheGratefulNet · · Score: 2

    However, because of the amount of testing and approvals that are necessary to deploy them, it's difficult to do this on a monthly basis for all our devices.

    no one disagrees that it takes manpower to do full regression tests after patches. but the thing is, for most of the time you are NOT writing the patches, just integrating it!

    now, that aside, we all know that world labor is less than dirt-cheap. YOU HAVE NO EXCUSE TO AVOID GETTING THINGS DONE in this cheap-as-chips world labor market.

    fuck you. you claim you are poor? double fuck you for lying about it and we all can see that, too.

    --

    --
    "It is now safe to switch off your computer."
  7. This is an Android Problem by purpledinoz · · Score: 3, Interesting

    In my view, this problem can only be solved by improving the Android OS itself. They need to carve out way more things out of the core OS and make them updateable through the Play Store. Microsoft manages to do this via Windows Updates, I don't see why Google can't figure it out. What makes things worse are carrier specific builds. Apple managed to do tell them to F off, Google should too.

    1. Re:This is an Android Problem by swillden · · Score: 2

      I don't see why Google can't figure it out

      (Android security team member here)

      It's not that Google doesn't know how to do that. It's that Google can't do that while also having a free and open source OS. Every piece that's moved out of the OS and into Play services is another piece that is no longer open. Moreover, if Google does too much of that sort of thing and removes the ability of OEMs to customize and differentiate their devices, they'll ignore Google completely, filling in the missing bits with their own code. Removing components from the OS is a last resort, not a first choice.

      What makes things worse are carrier specific builds. Apple managed to do tell them to F off, Google should too.

      AFAIK, Google doesn't do carrier-specific builds for Nexus devices (though I know there is some carrier-specific testing). Google can't control what other companies do. Their devices have to pass the tests to prove compatibility or they can't use the Google apps (including Play, which is the biggest carrot), but that's the full extent of the control Google has.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. The iPhone 3 still gets support? by emil · · Score: 3, Insightful

    According to wikipedia, Apple took this phone out behind the woodshed in 2012.

    Any phone vendor who cuts support for a model should be REQUIRED to open the platform for 3rd-party maintenance. A phone is not a general purpose computer, and there should be special rules for it.

  9. This is google's problem... by QuietLagoon · · Score: 2
    Google has lost control of the Android environment and, apparently, has little or no concern about the security of the devices using its operating system.

    .
    Unless google changes its stance on Android security, Android will not be patched regularly ... or secure to use.