Android Security

Discussion in 'mobile device security' started by rm22, Jun 23, 2016.

  1. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I was looking at the display of Android tablets in Wal-Mart the other day, every one of them was outdated. Some had Android 5.1 on them, Some had Android 6.0.
     
  2. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,033
    It's a shame, but it's hardly surprising. The Android TV Box, I just bought, was released in June of last year and runs Android 6. Its third firmware update is being released very soon. No doubt, the new firmware will still be running Android 6.
     
  3. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Android is terrible for updates, My s5 is way out dated. The one thing I like about apple they get constant updates even older devices.
     
  4. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    It's not so much the version that's the issue with me but the fact that they just stopped security updates after just over two years. In fact I'm running 7.1.1 and the Nexus device was sold as a flagship model that would get the latest updates first. Which it did for two years then ..... nothing!

    Repeating myself, I find this totally unacceptable but Google seem to think otherwise.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,715
    Location:
    U.S.A. (South)
    Yeah i still am running Lollipop on one of my smarts but it's rooted and set up with my own customized security simply because they are slow as turtle to get with the program. Plus i almost never do browsing except on occasion and with AdBlock Private browser and for short stints only. I use it for WiFi callings and weather checks and little else.

    Am simply not interested in modding an entire phone O/S all the time since it takes oodles of days and weeks and months to fine tune it to optimum levels for both security and performance. It's tweaked well enough for what little usage it sees.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    I have a Xiaomi Mi A1 which is AndroidOne and gets regular monthly security updates, currently on Oreo but supposedly will get Android P.

    But TBH my usage is much like yours.
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,901
    Yes, that's why I always recommend LineageOS if the device is supported by them. The S5 is.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,396
    Location:
    Member state of European Union
    Project Treble should decrease cost of developing updates for new Android (Android 8-compatible and newer) devices.

    I recommend inverting this thought process.
    Good: Check which device is supported by LineageOS (or other community driven Android fork) and then buy it.
    Bad: Buy random device, then check whether it is supported by LineageOS.
     
  9. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Good to hear maybe things will start to improve and Android will be more consistently updated.
     
  10. Deletedmessiah

    Deletedmessiah Registered Member

    Joined:
    Feb 20, 2018
    Posts:
    105
    Location:
    Outer space
    I wonder how much Project Treble will help the update problem :doubt:
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    OK I see. I didn't realize that Android 5.1 and 6 both have encryption already enabled, is this correct? So if a person doesn't know your PIN, they can't access your data. The reason why I ask is because I've read that if someone replaces your SIM they have full access to data if encryption isn't enabled.

    I really don't understand how this mess started. Why can't it be just like Windows? BTW, I see that Android 6.0 now finally gives an option to block apps from getting certain permissions, why the hell wasn't this implemented since version 1.
     
  12. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,033
    Windows is designed to support all kinds of hardware. Android has to be customised for each individual device it's installed on, e.g. to include the needed drivers for the hardware in that device.
     
  13. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,396
    Location:
    Member state of European Union
    It's not about Windows. It is about PC (personal computer) architecture. PC comes from IBM. Hardware and firmware (formerly BIOS, currently UEFI) conventions around boot process, CPU architecture, enumeration of devices on PCI and other buses enabled creation of OSes that can just boot - different releases of Windows, Gnu/Linux distributions and so on.
    ARM-based computers, especially mobile devices such as smartphones, did not have these conventions. Boot process can be slightly different on each device.
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    It is not about custom versions of Android, they all use the Android libraries and a security update to a code library does not break the applications that use it. Security updates are designed to ensure that should not happen.
    It is because the device manufacturing corporations realized that refusing to provide firmware updates increases the frequency that their users will buy a new device and as there are no regulations to make them provide updates they wont do it, even though every Android device contains an update mechanism.
    That is a good question and I believe it is another case of security subversion.
    Permission control was available long before that, I have an Android 4 device with a permission control system that was only in Android 4.4 then quickly removed thereafter. I believe that was because it was realised it was too good. It alerts to things no other Android device since then even detects, like, hidden attempts to access device hardware such as, location, camera etc.
     
    Last edited: Mar 24, 2018
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,715
    Location:
    U.S.A. (South)
    After I upgraded to Marshmallow on one of my androids, that same thought occurred to me.

    If they really was wanting to be customer/people friendly in my opinion it should always been the other way around or just the opposite.

    By ANDROID DEFAULT the access to certain settings from apps should all be DENIED and allow the phone end user to set what's allowed instead of having to manually go one-by-one and turn off the settings apps really don't need in order to function to begin with.

    But of course the industry is conscience burned and driven to deliver digital goods with everything fully implemented whether a privacy or security concern or not.
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Thay only happens when there is competition between manufacturers. When the same people own stock in all of them, it is a virtual monopoly.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,715
    Location:
    U.S.A. (South)
    Tell me about it. How true.

    It's always the big shots who rush to scream Ship It! (they gotta keep that pocket padded)
     
  18. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,759
    Two devices, both running NoRoot firewall. Both out of date and unlikely to change. It's a scandal.
    1. Moto G (2nd generation) phone from 2015, Android 6.0, last patch was August 1, 2016. When I ask for software update it lies: "Your device's software is up to date".
    2. Galaxy tablet 10.1 (2016 issue), came with Android 6, updated to Android 7.0. Patch level Dec 1, 2017. It's still Android 7.0, no idea what patches installed but it was a looong installation of some sorts. According to some website I saw, Samsung issues 2 patches. So I'm doomed on this one as well.
    Samsung Internet (webbrowser) includes AdBlock.
     
  19. 142395

    142395 Guest

    I even feel Apple's 4-5 year support is too short. One of my PC is 10y old but still works w/out problem.
    I wonder how much Lineage improved from CyanogenMod in regard to security (narrow meaning, separated from privacy). Cyanogen was criticized that their patch schedule were significantly slower than AOSP. Also IIRC they're slow to adopt SELinux while Android 4.4 already adopted it in enforcing mode. So far only custom ROM I can trust is CopperheadOS, but I had trouble in IME and I need to use Google Map heavily (web version is not an option, OpenStreetMap is joke - even iMap couldn't meet my needs - rather, even Google Map is far from perfect, I often have to 'correct' it when it doesn't show real best route, and sometimes it says there's no route to arrive there as it doesn't cover minor public transportation) but introducing G-suit on Copperhead is bit of trouble and not recommended. I'll try it again when I bought Pixel 2.
     
  20. 142395

    142395 Guest

    Yup, from 5.0 encryption is on by default, but if you use custom Android it depends on manufacturer. I haven't heard that SIM replacement unlock your PIN. But even w/out that, if that someone has some (not advanced, really) skills he can extract your data from the flash memory if you didn't encrypt.
    As reaconablePrivacy said, Android is not just an OS and this is why current security update is separated to 2 parts with different schedule. The one is universal part, the other is device-dependent part. But as we know, even universal part is not necessarily applied to most devices.:( I feel this permission control is still too coarse.
     
  21. 142395

    142395 Guest

    BTW, do any of you will buy Librem 5? I'm interested in, but personally will wait until it gets time-tested.
     
  22. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,033
    I've got two 12 year old laptops that run really well with Windows 10.
     
  23. 142395

    142395 Guest

    Haha, you won!:thumb: TBH, I don't need these bells & whistles phone manufactures advertise. It's ridiculous to pay 100s of dollars each several years just to get security patch.
     
  24. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,033
    My phone, is a $130 Android phone which I've had for 2 and a half years. It still works very well and does everything I need. The manufacturer provides occasional firmware updates. But it's still running Android 5.1. It would be great if the manufacturer had decided to update it to a more recent version of Android, but I can live with that, rather than buying a new phone.
     
  25. 142395

    142395 Guest

    Ah, 130$ seems to be close to upper bound of reasonable price for those who only need basic function for phone. Well, I can live with older OS as long as security patch is applied. But am not comfortable if it's not and CVE shows there're some serious vulnerability not fixed, tho I understand actual risk is not that high. So in the end I buy new phone maybe each 3 or so years when I found a sale. Maybe I'm just too worrier, or should seek other option like Lineage as I hate the industry's attitude to make us to buy new device. As RockLobster said, there should be regulation but politicians will be afraid that may make economy worse. (sigh)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.