Some Android Device Makers Are Lying About Security Patch Updates (phonedog.com)
An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there get regularly security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.
Boardroom banter: Why should we provide free updates, when we can sell them a new phone...
dont buy it
Your phone is obsolete the day it leaves the factory.
This is because Google won't write a universal Android unlocking tool... As long as the unwashed masses can't really tell what the manufacturer did, why bother with anything difficult? ........There's a name for it...... Security through Deniability?
Is anybody even remotely surprised?
One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.
As soon as it's shipped, they move on to the next product. They have neither the time, resources, nor inclination to maintain older versions of phones -- because they want you to buy a new one.
The reality is, there are as many versions of Android as there are phones and companies who make them. And companies aren't going to spend the resources on a shipped product, because they've been paid for it already.
So, yeah, they don't do updates, don't plan to do updates, and refuse to admit that it was abandonware before you even got your hands on it.
To me, this is the greatest failing of Android.
Plenty of the blame goes on carriers. If you have the new hotness, expect fairly regular updates. If not, good luck. Planned obsolescence is a load of crap perpetrated by carriers and manufacturers. I'd actually put more of the blame on carriers now that you pay full price + interest for phones in the US.
Manufacturers need to say no to carrier ROMs, or let us load the manufacturer's ROM with no Knox trips.
Some missing info from the summary about the average number of missing patches per device from each manufacturer:
Average missing patches per device from each manufacturer
0 or 1 - Google, Samsung, and Sony
1 to 3 - Xiaomi, OnePlus, and Nokia
3 to 4 - HTC, Huawei, LG, and Motorola
4 or more - TCL and ZTE
Time to offend someone
Isn't it a crime for a company to tell such blatant lies to the public? Can't customers sue the companies for endangering their sensitive data? Is there no regulatory oversight for this?
Debate is a form of harassment. Do not question my truth.
Until the current crop of devices are bought and used up, or recalled and destroyed, I don't want to buy another PC, laptop, phone or tablet until all this Heartbleed or Meltdown (the CPU bug) stuff is resolved.
Politics is Treachery, Religion is Brainwashing
me
bait
The majority of Android phones sold aren't even running the latest version of Android at the time of sale.
Why would we presume that security updates are current?
It's only what you get for buying from those idiots.
IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.
Anons need not reply. Questions end with a question mark.
The question is how they know the devices are missing the patch. Did they test all of the problems covered in the patch, on 1,200 different devices? Seems unlikely.
Because of vendor specific code changes, patches don't always apply cleanly and need changes, or the issue may have been fixed by the vendor in a different way, or even not relevant to the vendor's dist.
Google has made abuse part of its business by allowing users of Google Android to abuse customers.
Apparently no one on Google management realized that abuse would eventually cause damage to Google's reputation.
..."We found several vendors that didn't install a single patch but changed the patch date forward by several months,"...
If a phone that falsely indicated patches were installed were taken over by malware because of the lack of patches, would that phone manufacturer be liable because of the lies?
It is expensive to provide patches, so the makers of budget smartphones don't really want to be bothered with it. I am not surprised that ZTE made the list. What does surprise me is that the manufacturers will outright lie and just provide a patch date. Money makes the world go round .... honesty gets thrown out with the bath water.
Every month I backport all the patches, but I don't think anyone in our company ever bothers to update the patch date.
Not that our customers would ever check.
I was wondering why my Moto Z Force was still vulnerable in lab testing even after patching it. I submitted an email to their security team and nobody responded, so I thought maybe I was a snowflake case. This is even more of a case to only purchase google made android devices.
Mine is 3 years and a half old. I've been using it without problem, except the usual : it was getting slower and slower.
After 3 years, I decided to make a full factory reset.
Before: I had control over more things; many applications were completely disabled, including Facebook (I never created an account) and Evernote.
After: I got back some battery life and speed, although it's not consistent; I have to reboot from time to time. But the most annoying thing is that I lost control over many applications. I can no longer disable Facebook or Evernote. Thanks Samsung. And I'm always getting the updates, although I disabled automatic update in the Play Store.
Samsung, give me control over the phone I gave you money to own!
Sadly, there is no LineageOS for the Note 4. There are for older models, and even for the Note 8, but not for the 4.
Will I buy a Note 8? Guess what, Samsung: I will not pay nearly 50% more for a phone that probably cost you less than the Note 4 did!
Totof
If they were lying about patch levels, why is my Moto X4 still on 1 August 2017?
The only thing they're lying about is updating it to Android 8. Apparently "pending partner support" - it's a retail model. No carriers are involved. Who the hell are the partners they're waiting on?
The PhoneDog article is just a wrapper for the Wired article. It says:
"We found several vendors that didn't install a single patch but changed the patch date forward by several months," Nohl says. "That's deliberate deception, and it's not very common."
What exactly does the patch date mean? Does that mean it has all the patches up to that date? Or does it merely mean that it was patched on that date? What if the manufacturer has a patched version of a library or driver, and they haven't merged that patch into their library or driver yet? That might be irresponsible, but it doesn't mean that patch date is wrong or that they are being malicious.
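One defender-side way to start answering the question above about what the reported patch date asserts. This is an added example, not code from the thread, the article or SRL. It reads the two build properties Android exposes, `ro.build.version.security_patch` (the "Android security patch level" shown in Settings, i.e. the bulletin date the vendor claims to have fully merged) and `ro.build.date.utc` (when the firmware image was actually built), from a `getprop` dump and flags a claimed patch level that is implausibly newer than the build itself. The sample `getprop` output below is constructed, not from a real device, and the 60-day grace window is an assumption: Google gives partners bulletin fixes in advance, so a build can legitimately precede the bulletin date by some weeks.

```shell
#!/bin/sh
# Consistency check for the patch level an Android build reports.
# Input: getprop-style text ("[name]: [value]" per line), e.g. from
#   adb shell getprop | sh this_script.sh   (see check_device below)

# Assumed slack: partners receive bulletin fixes before publication, so a
# build date somewhat earlier than the claimed patch level is normal.
GRACE_DAYS=60

# Constructed sample: claims the December 2017 patch level on a build made
# on 2017-08-01 (1501545600 = 2017-08-01T00:00:00Z). Not real device data.
SAMPLE_PROPS='[ro.build.version.security_patch]: [2017-12-05]
[ro.build.date.utc]: [1501545600]
[ro.build.version.release]: [7.1.1]'

# prop_value NAME: print the value of property NAME from getprop text on stdin.
prop_value() {
    tr -d '\r' | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# iso_to_epoch YYYY-MM-DD: epoch seconds at midnight UTC (GNU date, then BSD date).
iso_to_epoch() {
    date -u -d "$1" +%s 2>/dev/null || date -u -j -f '%Y-%m-%d' "$1" +%s
}

# check_patch_level PROPS_TEXT
# Prints a verdict; returns 0 when the claim is plausible, 1 when it is
# malformed, missing, or newer than the build by more than GRACE_DAYS.
check_patch_level() {
    patch=$(printf '%s\n' "$1" | prop_value ro.build.version.security_patch)
    build=$(printf '%s\n' "$1" | prop_value ro.build.date.utc)

    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "SUSPICIOUS: missing or malformed patch level '$patch'"; return 1 ;;
    esac
    case "$build" in
        ''|*[!0-9]*) echo "SUSPICIOUS: missing or malformed build date '$build'"; return 1 ;;
    esac

    patch_epoch=$(iso_to_epoch "$patch")
    gap_days=$(( (patch_epoch - build) / 86400 ))

    if [ "$gap_days" -gt "$GRACE_DAYS" ]; then
        echo "SUSPICIOUS: patch level $patch is $gap_days days newer than the build" \
             "(built $(date -u -d "@$build" +%Y-%m-%d 2>/dev/null || date -u -r "$build" +%Y-%m-%d))"
        return 1
    fi
    echo "OK: patch level $patch is consistent with the build date (gap $gap_days days)"
    return 0
}

# check_device: run the same check against an attached device over adb.
# Requires adb on PATH and USB debugging enabled; not invoked automatically.
check_device() {
    check_patch_level "$(adb shell getprop)"
}

# Stand-alone demo on the constructed sample (exit status deliberately ignored).
check_patch_level "$SAMPLE_PROPS" || :
```

The check only catches the crudest form of what Nohl describes (a date bumped forward on an image that was never rebuilt); a vendor that rebuilds with the new date and omits the fixes passes it, which is why SRL's approach of probing for the individual fixes is needed to answer the question properly. It is still cheap to run across a fleet, and a failure is worth an escalation to the vendor.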
Oh wait, that's because they never patch anything so they don't need to lie about the patch levels.
Tried to install SnoopSnitch (https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch) on my device to see how bad my OEM is and all I get is "Your device isn't compatible with this version."
Can anyone tell me what its installation requirements are beyond Android 4.1 (I'm on Android 6, allegedly)?
One amazing thing about the report is how widespread this is. These companies do not collaborate in non-implementation of patches and lying about it. They probably invented this way of cheating the customer independently.
I've owned an ASUS ZenFone 3 for almost a year now and I've been impressed by the number of updates I've been getting with it. For starters, it came with Android 6 and was immediately upgradeable to 7. About 2 months later I took a trip to Canada and got a SIM card there for the phone, as it can use 2 SIM cards. I got a text message about 2 days later saying my phone and Android 7 had problems with the 911 service. I called up the ASUS service center to let them know about this, and a few days later I got a patch to fix that problem. About 2 months or so ago, I got an update to Android 8. To me, that's impressive to have a phone that has gone from Android 6 to 8. Other than Google's phones, which other manufacturer does this?
whereas, according to you, Apple is not working on new phones that they want you to buy, instead they are maintaining all their old phones?
yeah, right
Thanks to Project Treble the Android fragmentation problem is solved. People already demonstrated this by running generic Android OS images on top of even some obscure phone models which actually comply with Treble. Treble compliance is mandatory for any device with Oreo and upwards. What Treble is, basically, is complete separation of OS and HAL. It is now possible to update Android regardless of the OEM as long as the bootloader is not permalocked.
I'd gladly rather live in a "walled garden" than in an open dump. I would not be surprised if Androids are the majority of devices in botnets these days. Certainly they will be sooner or later.
Lineage website does not list independent roms built from their source code, only official ones, and there are TONS that are unofficial, so just because a model is not listed doesn't mean a version of Lineage doesn't exist. You need to go onto XDA (best place to look) and look for not just your model, but part number and carrier. You may even have to look at your specific firmware version.
If you have a locked bootloader you can still use a modified ROM, however you need to retain the stock kernel, which severely limits your options. Some people have modded the stock ROM to work and look like Lineage while using the stock kernel. My old S4 was running a modified stock ROM, but being a Verizon model it had a locked bootloader. When I bought my S5 I made sure it was an unlocked T-Mobile variant and it currently runs Lineage.
Samsung works with carriers and will lock the bootloader and SIM depending on the carrier's wishes. The S4 has been the bane of ROM builders because Samsung refused to help unlock it and did a darn good job on it. Later models have actually been a bit easier as they eased up on their restrictions a bit. The S4 was caught in the middle of being hackable like previous versions and Samsung being willing to work with us instead of against us, and got left behind.
Who does what? Verizon has an unlocked sim, but a locked bootloader.
AT&T locks both the bootloader and the sim however the very first AT&T S4 had an unlocked bootloader, the first update locked it down. 2 years ago ones with original firmware carried a 40% premium over almost all other models.
Sprint locks the bootloader, the sim and deletes the sub menu for sim changes. (seriously, F- Sprint.)
T-Mobile however locks nothing but you will pay a premium for used T-Mobile and unlocked phones for the very fact that they are unlocked.
BEWARE. Being impulsive with a Samsung is a very quick way to owning a nice paperweight. Flash the wrong modem and your phone is permanently bricked and not all rom builders know how or that they are supposed to strip that out, I lost an S3 this way testing a rom for someone. If you want to flash a Samsung you need to pay attention when you buy (get a T-mobile model) and be prepared to read a lot before you start hacking because otherwise it will not end well. Nice phones, but they are one of the bigger pains in the neck and are some of the least forgiving when it comes to hacking. You can almost always save an LG or HTC, but a Samsung is very quick to hard brick.
Lineage website does not list independent roms built from their source code, only official ones, and there are TONS that are unofficial
Water isn't oxygen and hydrogen; it's something a fair bit different, despite being derived from those two elements, but you might not get my point from that example, so here's one relating to operating systems: Ubuntu, Grml, Kali, PureOS, and Tails aren't Debian, though they're derived from Debian. LineageOS is LineageOS; anything derived from LineageOS is something else. This is an important distinction because, as you state, flashing the wrong thing can easily and permanently brick some phones.
Oh, and if you want accurate documentation and support, well, you'd probably better know what your OS is called so the documentation you find includes things that differ from its derivative base and the people you contact for support can actually help.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Not exactly.
LineageOS (and even Android in general) is not handled the same way as Ubuntu and Debian, which I will get to in a second. The official ports are usually derived from creators building unofficial versions, which then get adopted as official after a few months of running well, if the builder submits it.
https://wiki.lineageos.org/sub...
As for naming, this has to do with how Android is compiled vs how a normal OS is compiled. If you compile Ubuntu yourself you have Ubuntu, but Ubuntu works on lots of computers and has lots of drivers pre-installed. It's meant to be universal, unlike Android, which is built on a per-phone basis. While you use the same framework, you need to change the drivers and kernel a bit in order to make it work on each phone variant. This is why it's a port and not a separate OS as you would find with Ubuntu vs Debian. A port is a port, a distro is a distro; it's not the same thing. Android is the OS, LineageOS is the distro, and your ROM is a port of that distro.
As for support, because ROMs are built on a per-phone basis, you are almost always directed to the ROM builder, who can better tell if the problem is on their end or in the main code base in general, and then ramp it up the chain.
Any vendors providing long term support phones?
Or has any vendor gone to Google/Qualcomm etc. and negotiated long term support for phones released by major vendors (likely to be Nexus anyway)?
It's a shame the Nexus is going out of support later this year and the replacement Pixel is too high-end in price to suit, but still no LTS like Apple.
Uh... LineageOS for various phones is still LineageOS. A derivative for any of the same phones is... still LineageOS? So they're no different, then? That's what you're saying? No, sorry, that doesn't follow, but that was a good stream of nonsense that I'm sure might confuse enough people into going along with your incorrect line of reasoning.
If you take LineageOS and change the launcher or some of the defaults and repackage it, it is no longer LineageOS; that's what differentiates Ubuntu from Debian, as well. The drivers, of course, are not part of the LineageOS distribution itself but are, rather, a required addition, and bundling your own additions to LineageOS doesn't make it something else, much like bundling your own additions with Debian doesn't make it something else.
Unless, of course, you can point me to something authoritative that shows that the only difference between LineageOS and Resurrection Remix is the drivers that come bundled within. Of course, that's not the case, so you can't.
Too bad we don't hold them legally liable for any and all security breaches of our accounts. Then see if the CEO boardroom banter changes its tune on cybersecurity.
It may even end those pesky fake caller id scam calls.
~N~