> Google already fixed at least one of the Android exploits used by "Agent Smith," nicknamed Janus, in 2017 but the fix hasn't made its way onto every Android phone. It's a potent reminder that millions of phones around the world are being used without the latest security measures.
Because Samsung (or similar) or even more weirdly, Sprint (or similar) just doesn't fucking update our Android versions for months, or ever.
This seems to be getting a lot of attention, so as an Android Engineer with some security and framework experience let me try to explain.
This is a side effect of Android's initial approach to it's open nature. Android allows a manufacturer to modify its framework for their own use case. Then the manufacturer can allow a specific carrier to input their own system applications and firmware on to the devices well (your bloatware etc).
This can lead to multiple firmware variants for a specific device. It's not uncommon to see over 20 variants of a firmware for a specific Samsung device for example. This can be broken down by carrier, by region, by OS, etc.. for a number of different reasons.
This becomes a problem when Android needs to post an update. That update has to be pushed first to the Android framework, then to the manufacturer who decides if they are going to make modifications for the update, and if the manufacturer decides to make an update, they push it to the carrier who then has to make an update themselves.
This leads to a web with many broken ends, where a specific phone on one carrier may never see an OS upgrade after purchase, but on another carrier, the same phone might get them regularly.
Additionally some manufacturers take a greater degree of liberty in modifying the Android framework, making updates significantly more expensive to implement, so they don't.
The good news is Google over the past couple of years has been making a great effort under Project Trebel to simplify some of the APIs in the Android framework. What this is leading to is less friction when it comes to implementing core updates. Unfortunately not all manufacturers have opted in to adhering to the standards and Project Trebel yet.
This is all in stark contrast to iOS, which doesn't have the restriction of dealing with multiple manufacturers, and makes it harder for carriers to customize the device for their own business cases. This makes security and updates easier to push, but on the cost to the user of being an expensive single stream walled garden. Nothing against iOS in the statement, as a flagship device they're very nice. However, they don't have the adaptability that Android allows, making them prohibitive in some markets.
Sorry for any grammar issues, I'm on my phone (a regularly updated Pixel 3).
This is what I love about Apple. They gave the carriers a big middle finger when it comes to the usual bullshit of bloatware, sticking their logos on things or getting in the middle of updates. That’s because they cared about the end user experience. Google was happy to just grab market share at the expense of the users by allowing carriers to continue with their usual shenanigans. For this reason Apple will have my eternal gratitude, because I remember what a shitshow smartphones (and deploying apps for them) was before Apple flexed their muscles on this.
> That’s because they cared about the end user experience.
I'm sure 100% of any revenue going to Apple and not shared with anyone had nothing to do with that.
It may have, but I doubt it was the primary motivation. Steve Jobs famously cared a lot about user experience, security and reliability. Remember that Apple under his leadership took a firm stance and loudly and publicly refused to allow Flash on its devices, despite the fact that many websites back then relied on Flash.
> Steve Jobs famously cared a lot about user experience, security and reliability. Remember that Apple under his leadership took a firm stance and loudly and publicly refused to allow Flash on its devices, despite the fact that many websites back then relied on Flash.
A less generous take on that would be that he/Apple also wanted to push their app store. At the time Flash was popular for publishing apps and games on the web. Yes their decision helped move everyone away from Flash but it also meant they would be getting their 30% cut from iOS apps.
Edit: I stand corrected. "While originally developing iPhone prior to its unveiling in 2007, Apple's then-CEO Steve Jobs did not intend to let third-party developers build native apps for iOS, instead directing them to make web applications for the Safari web browser." -- https://en.wikipedia.org/wiki/App_Store_(iOS)#iOS_SDK
You mean the same Flash that Adobe said they could have gotten to work on the original iPhone - with 128MB of RAM and a 400Mhz processor but barely worked on Android with minimum requirements of a 1Ghz processor and 1GB of RAM?
I wasn't claiming Flash was ideal in any sense -- just that it was popular back then.
>A less generous take on that would be that he/Apple also wanted to push their app store.
The App Store didn't exist at that time.
The original iPhone didn't even have an app store...
This is like saying that Apple can't collect 30% if you make your app in React Native rather than a purely native iOS app. It doesn't matter what technology you use, they're going to get 30% because they control the store.
Apple also planned to sandbox all apps. But developers wanted bare metal performance.
Sandboxes apps has to do with the permissions not having “metal performance”. iOS apps compile down to ARM native code. Unlike most Android apps that run on top of a VM.
the anti-flash stance was mainly there because of the abysmal performance a flash app would have on the device and the device's battery life.
Hence, user experience!
Don't make this about moral superiority of Apple over Google.
Apple did it because they could, because when the iPhone came out it owned the smartphone market; any carrier that didn't play ball would be frozen out (as T-Mobile was initially - AT&T's exclusivity on the iPhone really helped their market share among high-end consumers). Google did not have that luxury.
That’s not an accurate representation of what happened.
When Apple/Steve Jobs went into negotiations with Verizon and AT&T (then known as Cingular), it didn’t have any leverage. In fact, Verizon wouldn’t sign the deal in part because of the control Steve Jobs wanted over the devices. AT&T agreed to get the exclusive.
BlackBerry was King when the iPhone launched and BlackBerry bent over backwards to do whatever the carrier wanted (the book Losing the Signal has great details on this).
Google could have depended on similar provisions with Verizon when the Droid launched in 2009 or with T-Mobile when the G1 launched in 2008. Both carriers wanted an iPhone killer.
But Google didn’t do that. It did force Verizon not to put Bing as the default search engine on some of Verizon’s Android phones (like the Droid series), despite an early 2009 agreement Verizon made to make Bing its default search engine — and it also negotiated to NOT force consumers to pay for Android apps using the carrier stores (something many carriers had required for previous non-Apple App Stores), once paid apps launched.
But it didn’t negotiate the update bit, even though the company had the leverage to do it.
I can only speculate the reasons why, but based on the number of books I’ve read, people I’ve talked to, and and other information, it strikes me that Google decided it was more advantageous to let any phone maker or carrier adopt its OS to gain marketshare, rather than worrying about device fragmentation or security update issues.
And that strategy worked beautifully and Android took over the world. The problem is getting carriers or device makers to update, especially when many have spent lots of time customizing Android as a way of differentiating themselves.
But it’s unfair to claim Google didn’t have the opportunity to make the deal Apple did. Google just didn’t want to do that and wasn’t willing to walk away from a partnership to have that level of control.
Is that because Android was a defensive move against ios to protect the search/advertising income, like Chrome, rather than something they make money from do you think ?
Yes. (Although it was originally a defensive move against Windows Mobile and BlackBerry and Symbian and it then pivoted as soon as they saw the iPhone.)
The big draw for Android for OEMs was that unlike Windows Mobile or Symbian, there was no licensing fee for the devices. HTC, which made the first Android phone, was a Windows Mobile device maker (fun fact, the XDA from XDA Developers, was an OG Windows Mobile forum — XDA was the name of an early series of Windows Mobile devices) — Samsung and LG and Motorola made Windows Mobile phones, Sony used Symbian and so on. Android was free and customizable, which made it enticing for OEMs and carriers to embrace. And unlike BlackBerry, carriers didn’t have to give a portion of the data charge (which was like $20 or $40 a month per BlackBerry device) to BlackBerry, they got to keep all the data fees to themselves.
But Apple software is proprietary, not friendly to open soure developers and you never know what that software is doing. Maybe they are streaming your data directly to "cloud" operated by NSA. Or iPhone doesn't upload anything to cloud?
Most of the function users care about in their phone, if not implemented by third party, are proprietary apps from google.
Without the app store and the google ecosystem, android experience is poor at best.
The Google ecosystem can drown in bleach for all I care. F-Droid is not bad at all. Downloading apps from the Google store is an awful experience because on that store it's the norm for damn near every application to spy on you to the fullest extent possible. On f-droid, applications the typical application is a good citizen. It's a lower stress experience and a better appstore than either Google or Apple, unless you desire specific closed source software in which case it's no longer an option.
Try this: On Google's Appstore, find a flashlight app that doesn't upload your contacts. Now on F-droid, try to find one that does. This is not an easy challenge!
Or we can also try this: https://www.replicant.us
I am amazed even on hn, too many people compare privacy / security properties of android to iOS w/o knowing about f-droid & degoogling.
And what makes Android what it is to most consumers - Google Play Services is also proprietary as well as all of the drivers. Not to mention whatever the OEMs and the carriers add.
Even if you have a completely “open” operating system on your phone, your communications is still going through a carrier that could be “operated by the NSA”.
All of the data collection functionality in Google Apps is closed source too.
Huawei incident has taught that Android is proprietary too. Any country that's at odds with the US will eventually find out that Android will be blocked to their companies too.
The Google Play Store and related APIs are similarly locked down. Not that you couldn't distribute through something like fdroid.
I take your point but android is similar in some respects (Google probably has less interest in your privacy than Apple does).
Yet another apple shill. All they care is making money by hyping their second-class tech to tech-illiterate rich fellows..
>They gave the carriers a big middle finger when it comes to the usual bullshit of bloatware, sticking their logos on things or getting in the middle of updates
Except, of course, the bloatware of their own making.
Here's a novel idea: you, yourself can give the middle finger to the carriers and buy an unlocked phone from a provider that delivers timely updates to Android...just like Apple.
>For this reason Apple will have my eternal gratitude
I'll take freedom of choice, thanks.
I buy unlocked Nexus devices to avoid mftr and carrier bloatware and update delays.
Never again for a Samsung device, they churn through models absurdly quickly, delay updates for months, and shovel tons of crap on.
>I buy unlocked Nexus devices to avoid mftr and carrier bloatware and update delays.
Exactly. There is a whole series of phones offering bloat-less Android, from a variety of manufacturers:
This is also solvable by Android taking a slightly different approach. Isolating the OS and security framework so that it can always just be updated. The carriers and and manufacturers are still free to install whatever bloatware they want and do what ever logo nonsense they want.
We ran into nonsense issues creating a cross platform development toolchain when HTC phones just didn't implement certain functions of the WebView. We were then stuck trying to create workarounds for no reason. Android could have been the best of both worlds but they just punted it and left their users holding the bag.
> This is also solvable by Android taking a slightly different approach. Isolating the OS and security framework so that it can always just be updated.
I think that is the plan with Fuchsia.
The core of the OS is small. The drivers can be separated out more easily, and with a (hopefully) stable driver API, they may not need to get updated ever (baring security bugs in the driver code itself).
Not to sound like a Google apologist, but all you ask is already in there.
And Google's extensive compatibility requirements aside, webview is now directly updated from the store.
Android Q will extend this to most system components via apex.
As I've commented elsewhere on this thread: my 2015 purchased-new Android tablet has never to my knowledge seen a vendor OS update -- it's running 5.0.2, not even the most recent version at the time, as 5.1.1 was released over six months before the unit was sold.
None of this information was available to me at the time, and the 5.1.1 history I've only just learnt whilst composing this comment. I'd purchased the device under sharp time, budget, and information constraints whilst travelling. Budget and other limitations, as well as a market void of credible alternatives (Purism have my eye) have prevented replacement, though I loathe this device.
Google have considerable monopoly leverage, and yet have not used this to require obligations for (and permit forward use of) Android and related ecosystem services in the form of upgrade timeliness SLAs and minimum EoL requirements: this device was obsolete at time of sale, though I was completely unaware of this at the time. Instead Google have sought to perpetuate their own monopoly and interests:
It is also not capable of being re-ROMed, another fact of which I was unaware.
I'm beyond disgusted and will not and do not recommend Android to anyone.
And up to version 6, Android was not disk-encrypted. If you lose a phone, they don’t need your pw, they can just take the SD card out and read it. All your stored passwords, all your stored cookies, they can read them all...
Never again will I ever trust Android anymore if they can’t even get the basics right.
Sounds like an excuse for poor engineering on the part of Android. Microsoft also sells Windows to multiple OEMs and has done so for decades. OEMs also are free to add bloatware as well as the retailers (ie Best Buy adds its own bloat), but Microsoft doesn’t have this problem.
Yeah but Windows was created for existing hardware, in fact at first even running on an existing OS. IBM PC compatibles were a thing since the 80s on which DOS flavour from various vendor were running which in turn ran on x86.
Microsoft actually waited really long until they combined normal end user Windows with NT which was it's own OS since early 90s but also had a lot of restrictions when it came to drivers, end user Apps, Games in particular.
Google bootstrapped it all at once, that's quite an effort. That said, some phones like those of OnePlus or FairPhone have really long support times.
The whole idea behind WinHEC early on was that Microsoft was guiding hardware manufacturers to the plug and play standard.
I guess in that sense Microsoft really did their homework. Apart from niche usage, good Hardware support seems everything for an OS...
It’s quite different as windows is closed source. The OEMs don’t build their own flavour of windows from source.
Seems like the open source-ness of Android is of little use. It helps manufacturers rather than users.
And almost everything that makes Android what it is outside of China is also closed source - Google Play Services and the drivers.
Ye. Patching system libs should be just pulling those as long as they are backwards compatible. Maybe some key parts that the OEMs fiddle with are not behind abstractions properly.
probably cost you more money than you'd make writing malware for windows phones
no one is talking about windows phones. they're talking about windows.
That's just making excuses for poor software architecture without clearly defined layers and stable, documented APIs between them. MS Windows has a hardware abstraction layer. There's no reason Android couldn't have the same, except that it wasn't a priority.
Some of this is (or was) a fundamental design limitation of the Linux kernel. But there are other kernels.
Arguably, it should not be legal to sell a device and not provide security updates for some guaranteed period of time, as a violation of the implied warranty for fitness for a particular use, or as an unfair or deceptive trade practice.
I wonder if the FTC has ever pushed this particular angle?
That explains why we ended up in a bad place, but it's still an absurd situation.
From my perspective, Essential pushes a monthly security update for the PH-1 like clockwork. However, my carrier (Telus) delays it for some random (between ~0-90 days since the PH-1 launch, currently on ~70 days) amount of time. In that entire time, there's never once been an update that's been delayed for any actual changes from the stock update. In fact, if I don't want to wait for the update, I can just swap in any random non-Telus SIM, and the update is no longer blocked. The user experience is better with any carrier in the world other than the one I bought the phone from in the first place!
If Google put their foot down the manufacturers and carriers would tow the line.
Trying to sell a (non-Apple) smartphone without Android in 2019 would be like trying to sell a PC without Windows. Your market share could be counted on one hand.
> This can lead to multiple firmware variants for a specific device. It's not uncommon to see over 20 variants of a firmware for a specific Samsung device for example. This can be broken down by carrier, by region, by OS, etc.. for a number of different reasons.
You forgot to mention this was fixed about 2 years ago when Google pushed mandatory changes in the way customisation are added to the firmware image.
While not a perfect solution, I've been buying phones from manufacturer since my HTC desire was ruined by bloatware (you could put many apps on SD card but not Facebook as it was included bloatware, which got huge over time and literally meant I couldn't install updates or would have to delete other apps etc.)
It has helped the frequency and speed of updates a bit. Not a fan of carrier customisation.
Sounds like getting phones with stock Android is the best option. I rarely see in the stores Android One being a major feature / selling point: https://www.android.com/one/
Thanks for the info. Is there a place where one might find the data on brand/carrier responsiveness to security updates? I'm thinking e.g. Google publishing a dashboard on this might make it to the radar of the marketing departments of the involved partners.
And yet someone can discover a security vulnerability in a software package and it gets put out to every Linux distro as an update in less than a week, usually by volunteers...
That’s the problem. Why should your carrier have any say so in updating your operating system? If I buy a computer from Best Buy, I don’t have to wait for them to push an update to Windows.
Good question. When a phone stops working, people want their money back. Guess where most people in most markets buy their phone from?
Further, who do you think customer's call for support?
Now you know why carriers are hesitant about frequently updating a product they've already made a sale on. If an update breaks something, guess who pays the price?
Not defending them, and it's not the only reason, but it's a big one.
Whether or not they should have a say is a great question. Now that they do, I'm not sure it can be taken away without them simply choosing the next os that they do have more say over.
Which is why I prefer to buy my phone independently from the carrier service.
The parent is pointing out one possible motive for a large carrier, who has to deal with what I call the "general public".
> Which is why I prefer to buy my phone independently from the carrier service.
You're clearly a tech literate person, which is great! But I've worked at a phone/computer repair/resell store for 2 years, and let me tell you, the "general public" can be very interesting.
It's common for many people to not know that their "phone runs android". Let alone the which version LOL!
What I'm trying to say is, it's great that you buy your phone that way, and that's the smart way to do it. We've had plenty of customers looking for unlocked phones too, but even then many don't understand how there's different radios in the phones that work with different carriers, some didn't actually know what being "unlocked" means, etc.
I’m able to buy a Windows computer from third parties and still get an update from Microsoft....
Then they should also be held responsible for the fallout (technical or financial) caused by an unpatched security bug.
Then it's just a liability and risk choice for them. If the user is not able to update, then they shouldn't be the ones on the hook if there are problems.
Because carriers have a tremendous fear of being simple data pipes.
Apple pushed the carriers to allow it to update its own operating systems over a decade ago.
Apple's situation is completely different from Android. Demand for iphone devices was the leverage Apple had over carriers to do this, and it's not a fragmented ecosystem in the first place.
Apple created that demand. They were exclusively on AT&T at first, and aggressively negotiated that contract so they wouldn't have to have carriers' horrible bloatware. Then the exclusivity made negotiating with other carriers easier.
Google didn't even make any phones until much later. Instead they gave phone manufacturers the green light to do whatever they wanted. They ended up designing phones later because of how crappy the Android phone ecosystem had become. Google could have made Nexuses from the get-go.
Google had plenty of leverage early on with carriers that didn’t have the iPhone. Google still has leverage by threatening to withhold Google Play Services. The last thing carriers want is not to have an alternative to Apple and no cheap phones to entice customers.
Yeah, I know this. I don't think anyone at any of the other phone manufacturers has the weight to throw around that Jobs did, though.
Is there really some expectation for a carrier to be more than that? I just want a fast, reliable service that connects my phone to the internet. Is there actually profit in providing more than that?
From the carrier: yes.
The phone subsidies (in the US at least) are very reminiscent of the old leased phones of yore.
But if you look at the actions of mobile phone carriers and ISPs they're desperate not to become dumb pipes. They design all kinds of clever mechanisms and marketing strategies to distinguish themselves.
> Is there actually profit in providing more than that?
Well, in a free market, competition is intense. So if they can find ways to distort that, then yes: they will make more money. Many of us don't have much allegiance to particular gas station brands. But they create rewards programs to try and get some of that loyalty. Otherwise you just compete on price.
Let's not be silly, there is no market in this case. It's an oligopoly and occasional cartel.
There is only so much competition you can have in wireless. Different carriers have to have different bands of spectrum and only certain frequencies can be used for cellular.
That's why it's not a market. Like I said.
Being just a dumb data pipe means you aren't differentiated from other dumb data pipes, making it harder to compete with other carriers on anything other than price (reducing revenue) and service reliability/speed (and we all know how awful ISPs are at building out better infrastructure). This does make it much harder to be profitable.
well there's usually a bundle of shit in a carrier OS, it's just not profit from you.
From the carrier perspective, sure. Being a dumb pipe is a race to the bottom market-wise.
Exactly. Contracts, identification, phone numbers are not necessary for this. It could be dead simple: the application on your phone generates a pair of private and public keys. You pay some satoshis to a carrier and get some amount of Internet traffic, using your private key for authentication. If you want to switch to other carrier, you just generate a new key and send some satoshis to its account, and your modem generates a new random IMEI. You generate a new key and new IMEI for every new payment so it becomes difficult to track you and sell data about your location. And you can switch between different providers any time. You can even switch depending on who has a better signal in your current location. No need for identification, making a contract, getting a phone number, selling data about you (because carrier doesn't have it) or reporting your location to the government or courts.
This is ten times better than what any provider offers today. If someone implements this, nobody will want to use old scheme anymore.
Also this should promote competition between carriers.
My (no-carrier) WiFi-only Android tablet ... is also wholly dependent on the hardware vendor for updates, of which to the best of my knowledge has never seen an OS update since date of purchase (though vendor apps, which I've never used and cannot uninstall, have updates pushed, routinely demanding greater permissions).
Of all the monopoly-leverage-based requirements Google could make of Android vendors, demanding update SLA and EOL minima are apparently ones they've never contemplated.
0/10, would not recommend, ever.
I don't even buy my phones from the carrier, which makes it even more perplexing.
This comment and most replies use "carrier" as shorthand for "carrier and/or manufacturer". This looks funny to me because my carrier is T-Mobile and doesn't add bloatware AFAICT. Using "manufacturer" as the shorthand would make more sense to me.
T-Mobile does add software to phones. Wi-Fi calling requires T-Mobile-specific OS-level modifications. You won't be able to use it on unbranded unlocked phones. It's definitely not bloatware though.
WiFi calling is supported on iOS devices across carriers and without T-Mobile making os level modifications.
I'm pretty sure the Nexus 5X I got off of craigslist is an unbranded, unlocked phone with an OS from Google, and it makes wifi calls on T-Mobile.
It would not surprise me to see kind of an opposite thing - such as other carriers selling phones where they purposefully turned off or hid settings for wi-fi calling, turning on hotspot and similar.. in which case if tmobile sold the same phone, then it would be a matter of them not turning off / hiding.
Would be an interesting chart to show the things the various carriers had turned on / off... added / removed which similar phones.
I think its already a part of the Android software. I certainly see it enabled on the phone I bought outside of T-Mobile. The only thing I see I need is a the T_Mobile visual mail app but I don't use that much since everything is SMS these days.
This has been somewhat fixed in recent years as my latest unlocked Sony phone has working Wi-Fi calling on T-Mobile.
The carrier wants your phone to work on their network. A software update could change brick the radio (or just disable the channel they are using) if done wrong.
Yet Apple has been able to do that for well over a decade and sells phones via carriers. Even if you buy an unlocked Android phone directly you can update it without carrier intervention.
Yes but apple only has ~10 phones that have to be updated at a time, and all share similar hardware with software specifically designed for that hardware. There are so many different hardware setups for android that getting software to work perfectly on all of them is exponentially harder
Apple has much less risk surface/device variant.
OK, you're a carrier and have millions of Apple and Samsung devices on your network. 0.01% of your users know how to update the OS on their Samsung phones themselves, or jailbreak their iPhones. A software update from the manufacturer could brick millions of those phones on you network.
Which risk keeps you awake at night:
I'm not saying it's impossible Apple could do it, but in terms of ratios how much more or less likely is it versus Samsung?
A few Samsung phone users bricking their phones occasionally A few iPhone users bricking their phones occasionally 50 million Galaxy phones being bricked by Samsung at once 50 million iPhones being bricked by Apple at once
What does jailbreaking phones have to do with updating them?
Could, would, are known as 'weasel words' for a reason.
What the carrier actually wants is to force some applications to always be installed in the customer devices, because of shady business deals, a.k.a. 'partnerships'.
>Why should your carrier have any say so in updating your operating system?
You made that choice when you decided you wanted a carrier subsidized phone.
From the start, Google cared enough about device makers potentially shipping a device running a fork of Android that they forbade doing so in their contracts with device makers.
When it came to making sure consumers got timely software updates, Google sided with the device makers and carriers.
Device makers wanted you to buy new hardware every couple of years, and carriers wanted to lock you into an additional two year contract.
Google could have contractually required device makers and carriers to support end user devices after the sale, it just wasn't something they cared enough about.
Google never forbid updating phones... They forbid forking Android.
That's what he said. They didn't forbid it, but they also didn't mandate it be allowed.
In contrast, Apple did forbid carriers to block software updates in it's contracts with them.
It's a matter of who you think your customers are.
Google sides with advertisers, device makers, and carriers and not it's end users.
I fail to see the relevance of Samsung not updating their phones to Google not wanting Android to be forked. If Samsung had forked Android, they still wouldn't update old phones.
I bought a new Android table from Samsung 3 years ago for more daughter - when bought it had a 2 year old version of Android on and enquiries from Samsung UK said it would not be updated. My daughter is still using it today, unupdated from 5 years ago.
We tend to be an Apple household
Edit - the Device, bought in September 2016 was a Samsung Galaxy TAB E 9.6 SM-T560 WI-FI - I will check the software level tonight.
Which device? That doesn't sound right. We're in a more or less identical situation, with Galaxy Tab S2's for the kids that we bought three years ago. And indeed, they're running comparatively ancient Android 7.0 images and will never see a version bump again.
They do, however, continue to see security updates. And in particular they've been patched against the vulnerability in the linked article. I'd be very surprised if yours was any different.
He's probably wrong, but inadvertently so. Most people seem to confuse android version update with security update, which is compounded by the fact that security updates on android are very "discreet" all things considered, and you don't notice it much.
> comparatively ancient Android 7.0
7.0 is ancient? 5.1, or rather 4.4 is ancient.
The Android ver on my phone is 4.1. Still runs just fine, but then again all I use it for are calls/SMS, so there's little scope to be exploited.
It might still be vulnerable to stagefright, exploitable over MMS.
Stagefright is the name of the component, not the exploit. And in most cases, devices from major vendors are going to have patched binaries, even on images as old as Jellybean.
> ...all I use it for are calls/SMS, so there's little scope to be exploited.
You mean little scope of exfiltration (I'm guessing it's not connected to the internet). There are a lot of vulnerabilities in text rendering that can be exploited via SMS.
Android with a version number is ancient; current Androids have single letters in their name.
I'll have a check in a couple of hours and and report back.
The Device, bought in September 2016 was a Samsung Galaxy TAB E 9.6 SM-T560 WI-FI
I've had luck with official Google phones the past couple years, and in the past the Moto line of Android phones stayed up to date to a point.
My Moto phone hasn't had a security update in a year, and sale of the model was stopped 2 years ago, so that's 1 year support. Luckily it was cheap. I'll be ditching Android I think
Yeah, I'm doubting that.
Go into settings, about device and check the Security Patch Level.
better than ios updates making the phone unusable. happened to me on old ipod touch models, not even the battery thing.
> Not even the battery thing.
That was an attempt at graceful degradation that wasn’t communicated well.
The general belief was that having a phone that runs a bit more slowly, but consistently used it’s battery as the battery life naturally degrades is better than a phone suddenly dying with 40% battery remaining if the peak power draw exceeds what a several year old lithium ion battery can produce.
I much prefer the former personally, but I get where the misunderstanding and public outcry came from.
Beyond that, what made your phone unusable? The last 4 or 5 iOS versions have improved performance across the board, even for phones several years old.
In the class action lawsuit against Google, Nexus 6P customers said their devices were shutting off unexpectedly while reporting that the battery still had a 60% charge.
>In April of last year, a class action investigation began concerning Google, Huawei, and the Nexus 6P bootlooping issues. Many users were reporting issues with the Nexus 6P shutting down randomly, even when the battery was showing up to 60% charge.
It's probably true that this was more an image problem than an actual misdeed, but the outcry was symptomatic of consumers' deep mistrust of tech companies' intentions. Some of that is because, to most people, a computing device is a black box, but some of it is because they've been burned before.
It would have been graceful if the phone gave a pop-up on every boot with 'Your iPhone has a worn-out battery. Have it serviced at your nearest Apple retailer'. Apple was fully aware that people with slowed down phones would buy a newer model iPhone. And besides the free battery replacement for the old model they gave zero recompense if you bought a new phone because your old phone was performing suboptimally.
I had a first or second gen iPod Touch and it became unusably slow right after updating it some time later.
Just make it so the batteries are easily replaceable. It's wasteful to buy a brand new phone when all you need is a new battery.
Ease of maintenance is rarely a marketable feature in mass-market consumer products, and most often is deprioritized.
Replaceable batteries apparently make water resistance a lot harder. I always preferred having an easily replaceable battery but I don't mind the tradeoff on my S10+.
A battery replacement is $79. No one is forcing you to buy a new phone.
A lithium ion battery doesn't cost anywhere near that much, its either poor design and/or profiteering on the device manufacturers part to charge that much for a $15 battery to be replaced.
You could say that about all pricing everywhere. Seems like a waste of breath.
Also doesn't change the upstream clarification that you don't need to buy a new device to get a new battery.
The battery is a user changeable part on most mid-range and low end phones.
The point of this predatory pricing tactic is to force owners of phones with sub-$200 in value to upgrade, rather than potentially waste half (or more) of the phone's value on replacing the battery.
Which carrier sold Android phones - where most users by their phones - have user replaceable batteries?
The Moto G is usually cited as one of the best mid range phone and it doesn’t have user replaceable batteries. I don’t think most of the cheap Walmart phones have user replaceable batteries.
The Samsung Galaxy J7 and Moto E5 Play (both free under 24 month commitment on T-Mobile) have removable batteries.
I do about a dozen mobile repairs a year for family, and it really does seem like the new automobile.
Auto’s were not built for ease of repair, the repairs themselves can be quite easy if you know what to do, and often require components that are only 1 or 2 orders of magnitude in price. Paying someone who knows what to do with it, they also add an order (similar to screen repairs).
> That was an attempt at graceful degradation that wasn’t communicated well.
That was nearly outright fraud which went swimmingly well. The big issue wasn't so much the unannouced throttling. It was that Apple knew that a lot of customers had battery issues but misled them (by denying the entire issue) so that they'll buy a new device. Instead, the debate turned on slightly more defencible for Apple.
Slightly more defencible, because while Apple _says_ that was done to counteract the battery issues, nobody knows whether iOS really checked battery state and didn't just throttle all older models indiscriminately. The latter would be rather convenient for the bottom line.
Apple has had a battery replacement option for quite a few years. Apple Store employees don't work on commission, so a customer coming in with a battery problem would most likely be offered the battery replacement option before being sold a new phone.
Employees can only give answers they know about, and a general battery issue was denied by Apple. That they didn't tell their own employees does not clear Apple from misleading their customers.
Aside, I'm pretty sure that Apple Stores do care about margin, and so do employees that identify with their business or are encouraged by their managers, but I am not accusing them (the employees) of anything.
Which is why Pixel or Android One devices are the way to go.
> Google already fixed at least one of the Android exploits used by "Agent Smith,
Google can't fix it due to Android fragmentation. Millions of devices will never get this update.
I've never understood this as a design decision -- why does Google allow companies to block updating of Android?
Presumably the idea is 'block updates to force hardware sales'?
I can't update my Honor, I think it's the service provider (the phone was on contract) who block the update, but it was easy to update (both Android and EMUI) using an app in the Google Play store to a full version higher, but whoever created that update hasn't done further ones. It is a hack though, there should be a way to do it officially.
It hasn't made any sense to buy phones from the company that provides your mobile phone service for years, especially now that a "phone" isn't in any meaningful sense a phone at all with many people never making or receiving any calls.
They shouldn't be any more involved in what phone you use than your ISP gets to pick whether you use a Mac or PC.
Sure if you want to use a 15 year old phone you're going to need to find somebody who allows that (my guess: no-one) just like you won't find so many ISPs who offer 1200/75 dial-up mode for your original Apple Macintosh with acoustic coupler. But anybody with normal needs shouldn't need to care, just sell me "phone" (ie mobile Internet) service.
Crunching the numbers, it was much much cheaper for me getting this phone on contract then any other route. I did look at buying a phone separately and having SIM-only or PAYGo. (UK, about 3 years ago, low-mid range). With 18 month contract I basically got a 'free' phone with 13MP camera.
I actually use a SIM only by swapping sims with my wife whose phone we bought outright (but it's low end - camera and screen are poor).
A cellular phone is also a network terminal.
A misbehaving device can cause unreasonable load on the network, a disruption to other users, or at least interruption of the service on your device.
When Apple does screw up and iOS update will leave you with no data, the operators will attempt to make it work; they won't do that for every random manufacturer though.
Time to put some effort into this https://www.replicant.us
Question: my brother just got a used pixel 1 phone. Will it stop getting security updates soon/already?
FWIW, LineageOS has official nightlies for that phone now (typing this from one of those builds now, actually)
If the phone is from Verizon the bootloader is locked
Yes, looks like October 2019 is the end: https://support.google.com/nexus/answer/4457705?hl=en#pixel_...
What should he do if he finds out about a vulnerability then? Does he need a new phone?
Yes, but not necessarily Oct 2019. My Nexus 5X is running Android 8.1.0 with security patch level: December 5, 2018, so it's likely Pixel will also get updates after the guaranteed dates.
He needs to weigh the risk versus the cost of a new phone.
There is a custom firmware card LineageOS but it's a community effort. It may get up to date security updates merged in but it could be vulnerable in other ways.
I took 10 seconds to Google your question and found this link:
I'm still on android 5.0.1 because at&t won't allow me to update my phone unless I'm on their network as a customer. But they don't have service where I live so I can't.
"Check Point is not identifying the company, because they are working with local law enforcement."
Well that's dumb.
"It appears that you are currently using Ad Blocking software. What are the consequences?"
The consequences include avoiding situations just like in the story.
When did Phys Org get into tech news? I thought they were just an unreliable source for science rumors.
Strangely enough, in the article they actually recommend using an ad blocker:
> Childs recommends Android users use ad blocker software, always update their devices when prompted, and only download apps from the Google Play Store.
The story is a reprint from San-Diego Mercury News, and as bad at making anything clear about how a user could find out whether the phone has been affected by Agent Smith or identifying the originating infection entry app.
>When did Phys Org get into tech news? I thought they were just an unreliable source for science rumors.
Just wonder what make your think that they are an unreliable source for science rumors?
Perhaps you would like to share your feedback with them https://sciencex.com/help/feedback/
Check Point's write up can be found here: https://research.checkpoint.com/agent-smith-a-new-species-of...
I'm a little shocked that the Matrix still so culturally relevant.
Becoming more relevant with each passing day, it seems.
What is the the best anti-malware for an Android malware ?
Well, its hard to feel any sympathy for Google here. Google forces their android partners to include Google's own apps and keep them updated. They could also have made Android security updates mandatory. MS still got the blame when Windows systems got exploited using bugs that were fixed ages ago. Its unfair, but that's just the nature of the beast...
What ad blocking for Android to would recommend?
DNS66, Works without root by creating a local VNM that it then runs its own DNS (with blocklists) on. End results are all the banner adds on most apps will not show up etc.
I'm not sure this is necessary anymore now that Google added DNS over TLS ("Private DNS") in Android 9. Just choose a DNS server with your preferred blacklist built in and configure it with native Android. Much better perf than using a fake VPN like DNS66.
Firefox mobile + uBlockOrigin or uMatrix
Another vote for uBlockOrigin here
Not rooted, and this is the best option. Tried Blokada and it was just frustrating to use.
You're absolutely right, thanks for catching this. Firefox' addon system is a real boon and the solution that works if you can't/don't want to root.
Before that I was getting frustrated by filtering pseudo-VPN apps and rooting is not an option anymore (sec-wise and because of Google SafetyNet).
Firefox Mobile is dropping extension support for awhile: https://github.com/mozilla-mobile/fenix/issues/574
Firefox Mobile will continue to be Fennec in the short-term.
>when exactly is fenix supposed to replace fennec as Firefox for Android? Once the MVP is done, or when it reaches feature parity?
>We are currently finalizing the transition plan, however we know that Fennec will not be replaced for the MVP, we will make sure our existing users will get the experience they expect later in the year.
If they choose to use an experimental MVP which doesn't yet have feature parity, then sure - they won't have Web Extensions.
Fenix is not the currently supported mainline Firefox Mobile browser, nor will it be for a bit.
Adguard (paid) or Blokada (free) if you don't want to root.
You can use AdGuard's DNS servers for free. They also have the added benefit of supporting DoT and DoH. Click on "DNS Privacy" for their instructions:
If you don't have root: set your DNS server to AdGuard's. It will block most ads and they have a strict no-logging policy. Otherwise you need to use a local VPN, but that will prevent you from protecting your privacy with an actual VPN.
If you're rooted, just use AdAway.
Adaway and Afwall+ for blocking apps that shouldn't need internet to function.
Firefox keeps getting better on mobile. I've been using it for several years now, and it's always been usable, but it's been hard recommending it to other people as it was significantly slower than Chrome. This is no longer true.
Chrome does do touch better, clicking things (like "x" buttons to close in page pop-ups) works better on Chrome, Mobile Firefox tends to switch to text select.
Pi-hole or alike. Works very well for me, although I'm experiencing some problems with it. I'm a bad system administrator, though.
does that work when you are away from home wifi? (not sure what all pi-hole does)
You could set up a vpn to your home network to use it I suppose, otherwise no, it doesn't.
pihole is nothing more than a dns blocker for your home network.
Run a DNS-over-TLS server on top of pihole and use the Private DNS feature available in Android P.
Set up a VPN for that with Vultr. $5 a month, that's okay for me.
It does if you also run a VPN, although that has battery life implications.
AdGuard also has a great beta program if you’re into the bleeding edge sort of thing.
Funny thing was that I was reading this in an ad-blocking browser and phys.org was complaining about that (in a very restrained way)
"It appears that you are currently using Ad Blocking software. What are the consequences?"
Firefox with uBlock
Brave + Blokada
New title: Security researchers did a thing. Article body: See title.
"Oh boy! A whole bunch of people are going to be really boned by a malicious app, but we're not going to let you know any details. Hey, do you bank on your phone? Ooooo you might be realllllly screwed. The competing platform is better and/or worse for thee pedantic reasons, says some random person you've never heard of and will probably never hear from again."
If you're not reporting the name of the company or apps involved, don't waste everyone's fucking time. It's even more egregious than the news doing the whole, "Something in your pantry could kill everyone you ever loved. Details after these commercials."
Sure it puts pressure on device makers to be on the ball with security updates, but at the end of the day there's nothing anyone can do. They don't tell you the symptoms of being infected, how to prevent becoming infected (don't click ads to prevent activating the virus, but do I just never install another app from here on out), or even what to do if you are infected (will a factory wipe work, or does it install to recovery, too?).
I submit the following similarly useful mini-article:
Something in 500,000 grocery stores is causing customers to experience explosive diarrhea. Local law enforcement is investigating, so we're not going to tell you what the item was. Oops! We mean itemS. I mean, there were a LOT of them. Dr. Flabenpoop of the Central Alabama Subcommittee for Safety of Food and Other Eatin' Things reminds consumers that eating is essential to remain among the living and excessive diarrhea can lead to dehydration and death. He recommends NOT experiencing excessive diarrhea while maintaining a balanced diet. He also notes that the two-fingered spotted wallaby cannot get diarrhea, which begs the question: Is it better to be a wallaby or a human? Or a stick? I mean, sticks don't poop at all, so they must feel lucky. Or sticky. But not sticky from poop.
That is the linked article. Both reports provide the same level of actionable information, the same who cares commentary, and same less than half-heartedly rehash of some inane comparison to pad the word count.
tl;dr - Zero useful information released by the research team, zero useful information in the article.
say whatever, I just loved that name
Btw what was the attack vector?
Whenever I read about Greenpeace attacking apple for their phones I laugh. The number of Android models, made with far more toxic materials, never updated and so obsoleted much earlier (check out secondary market for 4 year old phones to see this) is far higher and with a much bigger enviro impact than iphones.
Despite claims apple purposely obsoletes its phones, it actually has a FAR FAR better record of updating old phones (reasonably given hardware differences) which extends the life of old phones.
While it may be reasonable to assume that the actual hardware architecture may vary between Android phones and iPhones, how is it that one is made with raw materials that are "far more toxic" than the other's?
Android is an open platform relative to iOS so naturally you'll see a large range of manufacturing strategies since Apple prohibits the use of its operating system on hardware it does not sell.
>which extends the life of old phones.
Except they were caught purposely throttling older phones with those updates, not exactly what i'd call extending life.
> purposely throttling
So that the phones don't randomly shut off because their lithium ion batteries were old. Yes, they should have told people but it wasn't done maliciously.
That's easy... make the batteries easily replaceable... oh wait.
That would makes the phones considerably thicker and/or make the battery life significantly worse. I don't think replaceable batteries are really worth the tradeoffs given the constraints of a modern smartphone.
Lithium batteries can be quite dangerous, so they need to be in a case to prevent damage that could cause them to catch fire. Then, the phone itself needs a battery door which adds even more thickness and potential failure points.
Finally, once you have replaceable batteries, you give up water and dust resistance. I would bet that more phones have died of water or dust ingress than phones with dead batteries.
> That would makes the phones considerably thicker and/or make the battery life significantly worse.
Would it? The Lumia 950 has a user replaceable battery:
Thickness - Lumia 950: 8.2mm; iPhone XR: 8.3mm
Battery - Lumia 950: 3000mAh; iPhone XR: 2942mAh
I remain unconvinced that other phones couldn't be engineered to have a user replaceable battery.
Water resistance is potentially a fair point, but iPhones have had non-user-replaceable batteries for far longer than they have been water resistant, and I'm not sure it would be impossible to do _both_ (Tile trackers have user replaceable batteries, and are water resistant up to IP55).
You can replace the battery by going to an apple store, giving them $49, and then picking it up a few hours later. That's not a terrific challenge.
What if you don't live near an apple store? Why not let the user manage their own battery, that is also not a terrific challenge.
You can ship your phone to Apple and be without it for about a week. Or, take it to a 3rd party repair shop.
How far do you live from an Apple store?
How far do you live from a phone repair store?
Stop concern-trolling just because you're a snowflake who wants every phone to be bulkier, heavier, and have a few more failure modes.
> So that the phones don't randomly shut off because their lithium ion batteries were old. Yes, they should have told people but it wasn't done maliciously.
"old" - they were less than two years old. They were used up significantly faster than on other phones because Apple was pulling more power to get better benchmarks. This significantly lowered their lifetime and then "forced" them to make phones slower than advertised way before normal lifetime ended.
You really think Apple cares about benchmarks against Android phones? People aren’t going to switch phones from iOS to Android because of benchmarks.
Besides that’s not the way phone manufacturers benchmark well. Android manufacturers have been caught detecting the benchmark and then running in a higher power mode - not running higher all of the time.
Batteries usually start losing their charge in two years.
>but it wasn't done maliciously.
You are certainly entitled to your opinion.
Would you rather your phone suddenly die rather than just run slower? Phones are critical safety devices nowadays.
> it wasn't done maliciously.
Depends on how you look at it. One alternative solution to the old battery problem would be to send it to a repair shop to install a new battery.
But Apple doesn't want people to have the right to repair their own devices, so that's not even seen as an option. Throttling to extend battery life is a convenient explanation that both solves the problem and avoids hurting their extremely profitable repair program (where they'd charge maybe $50 less than the cost of a new phone for a battery replacement).
You can replace an apple battery for $69. It was $29 for a while after the ios 11 battery troubles.
I don't know man. Battery replacement costs $69 or $49 depending on model. Not sure at what price you buy your phones but...
Here's an infected APK (originally from the play store) if you want to have a play
Gacha players on suicide watch
Could you please stop posting unsubstantive comments to Hacker News?
Found the infected neckbeard
I have been begging attacked from apps peograms that dump my phone data for over 5 yesrs found out 18 months a go im no wizard i but i tryed every thing to keep wife and friends from havking me but you know i find data save then gone every time she whins. Im 56 BA in communications electronics and a Veteran and i cant battle any more alone i tryed she lied to my sons about are arguments made me out to be delusional and crazy my sons bought it and now they hate me if i could do one thing it would be to show my youngest who said he hated me last week.the truth that im not crszy.but there so far away i could show them and they woud say i made it up.my wife sex sites her hacking softeare one site https://socal.ress.rr.com was up but i no longer have access the take eveything i have given up cant even break even the android devices attacking me won. email@example.com