Android Security

Wireless Carriers Put On Notice About Providing Regular Android Security Updates 171

Posted by Soulskill
from the suggestion-placed-in-circular-file dept.
msm1267 writes "Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices. The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. 'With Android, the situation is worse than a joke, it’s a crisis,' said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union. 'With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.'"
  • Java (Score:4, Interesting)

    by goombah99 (560566) on Monday February 04, 2013 @05:23PM (#42789373)

    Does Dalvik have the same security problems Oracle Java does? If so this is a serious problem

    • by Qwavel (733416)

      No, it doesn't.

    • Re:Java (Score:5, Informative)

      by supersat (639745) on Monday February 04, 2013 @05:59PM (#42789947)

      No. Even if it did, it doesn't matter because Android does NOT rely on Java for isolation or security. Each application runs as a separate Linux user, and the kernel enforces isolation between apps this way.

      Because apps are isolated in this way, they can include native code.

      • by Rich0 (548339)

        True enough, but the isolation only protects apps from each other. It doesn't protect your data from apps, unless the app in question doesn't have rights to read your SD card (and if you're attacking an app chances are it was from reading some data from the SD card in the first place, like an attachment to an email).

    • by Rich0 (548339)

      Does Dalvik have the same security problems Oracle Java does? If so this is a serious problem

      It is an independent implementation, so I'd say it likely has a similar but altogether different set of security problems.

      At least it doesn't run arbitrary code from applets, and since applications run as individual users they benefit from the underlying linux security model. That said, maybe if you open some document in an application the document might exploit some dalvik flaw to gain access to other data the application can view (likely your entire SD card), and if the app has rights (likely the case) u
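The per-app isolation the replies above describe can be checked from a process list: every installed app runs under its own Linux user (u0_aNNN, numeric UID 10000+N for the primary user), while packages that opted into a shared UID show up under one user and are not separated from each other by the kernel. The script below is an added example, not code from the thread or from Android itself; it assumes a `USER PID NAME` column layout like that of `adb shell ps -A -o USER,PID,NAME`, and the process listing it parses is constructed for illustration, not captured from a device.

```python
"""
Group Android app processes by Linux UID to show the per-app sandbox.

Added example, not from the thread. Parses a USER/PID/NAME process listing
(assumed layout of `adb shell ps -A -o USER,PID,NAME`); SAMPLE_PS is
constructed sample data, not a capture from a real handset.
"""
import re
from collections import defaultdict

AID_APP_START = 10000      # first UID handed to an installed app (AOSP android_filesystem_config.h)
PER_USER_RANGE = 100000    # UID space per Android user: uid = userId * 100000 + appId

# Constructed sample: daemons run as fixed users, each app as its own u0_aNNN.
# com.vendor.appA/appB deliberately share u0_a77 (a sharedUserId pair).
SAMPLE_PS = """\
USER           PID NAME
root             1 init
system         512 system_server
radio          640 com.android.phone
u0_a12        1100 com.android.browser
u0_a45        1201 com.example.mail
u0_a45        1215 com.example.mail:sync
u0_a77        1300 com.vendor.appA
u0_a77        1311 com.vendor.appB
u0_a91        1400 com.example.game
"""


def parse_ps(text):
    """Return a list of (user, pid, name) tuples, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows


def app_uid(user):
    """Map an app user name u{userId}_a{appId} to its numeric UID; None otherwise."""
    m = re.fullmatch(r"u(\d+)_a(\d+)", user)
    if not m:
        return None
    return int(m.group(1)) * PER_USER_RANGE + AID_APP_START + int(m.group(2))


def sandbox_report(text):
    """Group app processes by UID: {uid: sorted package names}.

    The package is the process name before any ':'; service processes such
    as 'pkg:sync' belong to the same package and the same sandbox.
    """
    by_uid = defaultdict(set)
    for user, _pid, name in parse_ps(text):
        uid = app_uid(user)
        if uid is None:
            continue  # root/system/radio etc. are not app sandboxes
        by_uid[uid].add(name.split(":", 1)[0])
    return {uid: sorted(pkgs) for uid, pkgs in by_uid.items()}


def shared_uids(report):
    """UIDs hosting more than one package: the kernel does not isolate these
    apps from each other (Android sharedUserId; requires the same signing key)."""
    return {uid: pkgs for uid, pkgs in report.items() if len(pkgs) > 1}


if __name__ == "__main__":
    rep = sandbox_report(SAMPLE_PS)
    for uid, pkgs in sorted(rep.items()):
        print(uid, pkgs)
    print("packages sharing a UID:", shared_uids(rep))
```

On a real device, pipe `adb shell ps -A -o USER,PID,NAME` into `sandbox_report`; any UID listed by `shared_uids` marks apps that rely on each other's trust rather than on kernel-enforced separation, which is the boundary the isolation argument above depends on. Per-UID separation says nothing about what those apps can read on shared storage once they hold the storage permission, which is the point the reply about SD card access makes.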

  • by redback (15527) on Monday February 04, 2013 @05:23PM (#42789377)

    Handset manufacturers should stop screwing with it so much; if they used pure Android it wouldn't be so much work to get updates out.

    • Tell that to my Galaxy Nexus that's still running 4.1.1. So much for the idea that Nexus devices are on the cutting edge. They're abandoned as fast as any other phone.

      • by tlhIngan (30335) <slashdot@worfMOSCOW.net minus city> on Monday February 04, 2013 @06:58PM (#42790827)

        Tell that to my Galaxy Nexus that's still running 4.1.1. So much for the idea that Nexus devices are on the cutting edge. They're abandoned as fast as any other phone.

        Only the Verizon Nexuses are "abandoned". If you got the HSPA ones, you should be at 4.2.x already.

        If you're not, perhaps it's because you bought it from a carrier and have the default carrier firmware stuck to them with carrier firmware updates. In which case you need to go to Google, download the latest factory images and install them on your GNex. This will get updates as fast as Google pushes them out (the carrier ones actually have an update URL pointing somewhere else, while the Google ones point to Google).

        An interesting note - when I did this, battery life shot up dramatically. The carrier GNex firmware isn't all that great.

      • That's why when I bought my Galaxy S3 I immediately put Cyanogenmod on it.
        My phone is regularly updated (currently running 4.2.1), stable and doesn't have any crap on it.

      • my nexus one is stuck on cm7.2 which is the farthest forward I can go. sigh.

        pretty much abandoned and by google, by design, as I understand it.

        correct me if I'm wrong, but the problem was that they bundled the graphics system too much with the rest of the non-gfx parts. and so, when the n1 chip was declared 'too old', this froze the WHOLE shooting works. so to speak.

        I don't develop for android, I'm just a user. I never looked at any of the code. so I might have this all wrong; but why else is my system

        • correct me if I'm wrong, but the problem was that they bundled the graphics system too much with the rest of the non-gfx parts. and so, when the n1 chip was declared 'too old', this froze the WHOLE shooting works. so to speak.

          Cyanogen have halted development of all the old Snapdragon devices, not just the Nexus 1. There were a number of reasons, including the Adreno 200 GPU, limited RAM and restricted storage memory.

          Other modders are still developing for it though. MIUI have a Jelly Bean version, but I'm not sure what compromises they had to make to get there.

          http://forums.miui.us/showthread.php?15234-ROM-10-29-12-MIUI-us-v4-1-Jellybean-Edition [forums.miui.us]

        • Heh, no. You're stuck with Gingerbread only if you stick with CyanogenMod official release. If you want Honeycomb / ICS / JB switch to another AOSP ROM.

          Here [xda-developers.com] is the XDA-Developers forum for Android development on the Nexus One. I like CM9 on my Desire HD, so I stuck with the Unofficial CM9 on mine, though they have nightly CM10 for the Desire HD too, as well as other 4.x AOSP-based ROMs. There are plenty of 4.x ROMs for your phone on there, too. CyanogenMod is by no means the only one available.
      • by DragonTHC (208439)

        Tell that to my Galaxy Nexus that's still running 4.1.1. So much for the idea that Nexus devices are on the cutting edge. They're abandoned as fast as any other phone.

    • by Frojack123 (2606639) on Monday February 04, 2013 @06:18PM (#42790273)

      I agree, to a certain extent.

      But I also maintain that this is strictly Google's fault (The Open Handset Alliance).

      They took an operating system, Linux, which has long had the ability to put hardware drivers in dynamically loadable modules, and built Android, where they compiled everything into the kernel in one huge binary blob. This is a huge retrograde step in OS design. The kernel should be replaceable without having to replace the driver for every radio, screen, sound chip.

      After all, the radio didn't gain any new functionality between Android releases. The same carrier specific radio "rom" the phone was shipped with should suffice. Just call it dynamically rather than compile it into the kernel. Let us get our kernel updates directly from Google, or the handset manufacturer, and any carrier specific updates from the carrier.

      This is a packaging error.

    • by AmiMoJo (196126) *

      Consumers need to stop buying phones from manufacturers who screw with Android and don't provide updates.

      Actually that already seems to be happening to some extent. Manufacturers seem to be making much more effort to update. It is carriers who really lag behind, but you would be mad to buy your phone from them anyway.

      Rumour has it that Android 4.2 will introduce an advanced skinning system that lets the manufacturer put its skin on but still get OS updates directly from Google. As a bonus the manufacturer (

      • by peragrin (659227)

        That's because the manufacturers are getting the blame from users using the phrase:

        Well my iphone used to update why can't I update this one the same way.

        Wait until smart TV vendors realize they also have to provide updates.

        If you want locked down software like apple you must limit the number of models of devices.

        otherwise you can't keep up

      • That explains why Samsung is the #1 seller of Android phones. /sarcasm

    • Hell, this isn't even needed; with AOSP and projects like CyanogenMod, just unlock the bootloader of unsupported phones, and let them have the needed drivers to make the shit work right. But you can't complain about old devices not getting updates when you don't do updates nor let anyone else do them either. This is not a catch 22. This is "we want our cake and eat it too".

      • by peragrin (659227)

        No, it isn't. Not even close.

        this is, Hey the iphone has those kinds of updates why can't my HTC/Samsung, etc.

        Seriously the only reason why is the carriers being stupid, and manufacturers not understanding the big software release picture.

    • by gr8_phk (621180)

      Handset manufacturers should stop screwing with it so much, if they used pure android it wouldnt be so much work to get updates out.

      Google should stop screwing with it so much and then they wouldn't need updates! And you should stop blaming the customers (handset makers)

      Seriously, you folks in "the tech industry" have no idea what product quality and reliability are. Try writing software for a car. Yes, it's much smaller in scope, but it has to be complete. We ship modules that are never updated (ROM par

      • The moment you connect your car up to the internet, it too will need software updates.
        In a car no-one is constantly trying to run you off the road or blow you up.
        Not true online, you are almost always being probed to find out if you are susceptible to the latest car disabling technology.
        Online it is an arms race, not a status quo.

        • I remember reading an article about a proof of concept where a hacker was able to control parts of his car with a cleverly crafted MP3 burned to a CD. He hypothesized that such attacks could be distributed through P2P networks and install backdoors into cars allowing them to be unlocked/started without a key.
        • by David_W (35680)

          In a car no-one is constantly trying to run you off the road or blow you up.

          You don't drive in DC, do you?

      • by icebike (68054)

        Try writing software for a car. ... We ship modules that are never updated (ROM parts anyone?)

        Hmmm, that's not my experience.
        Both my prior car and my current car had software updates over their life, the new car within 5 months of delivery as required by a recall. It's still riddled with bugs that are obvious, and grousing to the dealer is of no use, because the software is out of their hands. If I install after-market software, my warranty is void on the entire vehicle.

        • by Velex (120469)
          Ditto this. My 2011 Fiesta needs a software update so the passenger side curtain airbag deploys properly. Perhaps OP should take that little "security glitch" into consideration before getting his dick out next time.
    • by JonBoy47 (2813759)
      These Android-makers customize/skin the Android experience for the simple reason that it's just about the only thing preventing their product from becoming completely commoditized just like Windows PC's have been in the past few years. They also lack the clout to tell the carriers to pound sand. Thus we get Android handsets with carrier-dictated bloatware because the carriers get incremental revenue off that stuff. Be it someone using AT&T Maps and paying $10/month because they can't tell the difference
    • by thegarbz (1787294)

      I can't say I fully agree with this. One of the good things about Android is that you have different flavours just like you do on Linux. For example HTC's OS design choices in my opinion suck. I'd pick Google's vanilla Android any day. However I do like the menu layout, the older keyboard, and many other features that Samsung brought to its version of Android a lot more than Google's own (Touchwiz excepted though, it looks and feels shitty).

      What the manufacturers need to do is work with Google to make the s

  • Android is a gift, not a product. Android needs fixing to work properly because it doesn't work out of the box. Why? Because hardware changes from OEM to OEM, the government requires mandatory support for features that aren't included, the customer (AT&T etc) requires support for their apps or services, some very important ones, and last, but not least, it's buggy.

      Details:
      It takes about 6 months for a dedicated SCRUM team to knock a version of Android out that meets a major US carrier's requirements after

      • If you aren't pushing bug fixes upstream, you are part of the problem...
      • It takes about 6 months for a dedicated SCRUM team to knock a version of Android out that meets a major US carrier's requirements after Google releases their code to the community. I know because I've done it. Verizon has about 6000 requirements for their devices, Sprint and AT&T are not far behind. On top of the carrier requirements, which could be anything from implementing a custom address book sync adapter, to ensuring AGPS works accurately, you need to meet US Government requirements.

        Maybe I'm mi

  • And haven't had an update since the first year.

    They (Verizon) should at least push updates while it's still under contract.

  • Every new revision of Android is this large, monolithic package that seems to take years to get right. If Android were more modular, you could have teams working in parallel on various modules, and releasing them as needed. This is what regular Linux does, so I don't see why Android doesn't do more of it. Other than the Google Apps package, everything else seems to be lumped together. (and yes, I know it's more modular behind the scenes, but if it isn't that way for the user, it's a moot point.)

    • Go re-read why worse is better http://www.dreamsongs.com/RiseOfWorseIsBetter.html [dreamsongs.com] and realize any form of micro-architecture has long since been destroyed by the formidable drive of the monolithic design and its ability to be simultaneously horrible and intractably irremovable from the minds of the vast majority of engineers, along with being faster to get out the door and therefore meeting all requirements of the business people who actually shove all this garbage down our throats.
    • by AuMatar (183847) on Monday February 04, 2013 @06:02PM (#42789995)

      Wouldn't matter. The problem is more political than technical. Carriers are the ones who push updates, and they don't care especially in the US. Check EU versions of US phones and you'll see many more updates that never make it out here.

      Some of that is for a good reason. Carriers put phones through very rigorous acceptance testing that takes weeks to finish. It tests the phone as a whole, not individual modules. Trying to push out partial updates would screw with their process and cost tens of millions. It would also lead to people having versions of modules that were never tested together, an increased possibility of bricking your phone. When your device is seen as a consumer utility that just really isn't an option.

      • If an update bricked a phone and the owner died because even 911 wouldn't work, the carrier would be saddled with a slam-dunk loser case that would cost them at least $50 million dollars in settlements, fines, and legal fees.
        • by Skater (41976)
          ...and yet, Apple updates their devices frequently.
          • by cynyr (703126)

            counting the iPad, apple has what? 6 hardware models that they keep supported at any one time? How many has samsung had in that time? HTC? Heck even nokia has had more than that. Now I am counting the 4 and 4S as different, when they weren't really.

            Also Apple has had the ability to stand up to the carriers in the US. There are a few versions of the Samsung Galaxy S3 in the wild. I think it is at least 3.

  • by Qwavel (733416) on Monday February 04, 2013 @05:29PM (#42789461)

    "said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union."

    Finally, an article about the dangers of Android that quotes someone I'm prepared to listen to. I'm not entirely sure why the ACLU would be involved in this stuff, but I do have some respect for them and believe them to be objective in this matter.

    I'm tired of the barrage of articles about the security problems with Android, and the need for anti-virus to resolve them - quoting people paid by the anti-virus companies.

  • by getto man d (619850) on Monday February 04, 2013 @05:31PM (#42789513)
    If the carriers were what most of us want, i.e. dumb pipes, then we could possibly own our phones and upgrade them in a much easier fashion (so long as the hardware manufacturer is still providing updates).

    Verizon's treatment of the Samsung Galaxy Nexus has been an eye opening experience and I'm still trying to figure out an alternative solution.
    • by h4rr4r (612664)

      The alternative I will be seeking is leaving verizon and buying a GSM nexus as soon as my contract is over.

      Verizon is losing a family plan that is over 10 years old because of this.

      • by Drathos (1092)

        And when the GSM carriers have crap coverage where you live?

        Believe me, I'd love to leave VZW, but I've got to go several miles away to pick up a signal from AT&T or T-mobile - and I'm not far outside Washington, DC.

        • by h4rr4r (612664)

          They don't in my area.

          I have been to DC, let's see some maps for your claim. I bet you are very far outside DC or mistaken.

    • by Andy Dodd (701)

      Solution: Buy from an MVNO that is a dumb pipe. Straight Talk's BYOD SIM plans are proving quite popular.

      Nexus 4 from the Play Store + Straight Talk = device you control hooked up to a dumb pipe.

      • by SiChemist (575005)

        Do you know anyone who uses Straight Talk? I'm out of contract in January 2014 and I'm contemplating buying the newest Nexus phone at that time and switching to Straight Talk. I worry about running over the "secret" 2GB data cap and getting cut off. There is good AT&T coverage where I live and work, so I was planning on buying an AT&T sim from ST.

        • I can't comment on Straight Talk.. but been happy with SimpleMobile (T-Mobile equivalent) with my N4.
        • by Andy Dodd (701)

          I know a few of the XDA admins are on ST and love it, and more are hopping over.

          I have yet to talk to a user of their BYOD SIM plans that was unhappy in any way.

          • by SiChemist (575005)

            Thanks for the info! I imagine the XDA guys are pretty heavy data users, so that encourages me.

            • by Andy Dodd (701)

              Actually, many of us are quite responsible with our data. I don't think any of us support the "I HAVE A RIGHT TO EAT 20GB OF DATA PER MONTH OVER A CONNECTION THAT WASN'T DESIGNED TO HANDLE THAT!" crowd. Let's face it, if you're in that crowd, your days are numbered and few people will have sympathy for you.

              My average monthly usage is around 500MB. I stay on unlimited only because I like having that "safety net" of not getting charged insane amounts if my device flakes out on me.

  • Engineers are usually focused on the current version, and devices that are coming out in the next year.

    So what you're saying is that it's absolutely PERFECT for the wireless industry, eh? Keep people wanting the future product that you have to buy before the end of your contract!

    I wish I were joking.

  • Cyanogenmod (Score:4, Interesting)

    by vlm (69642) on Monday February 04, 2013 @05:44PM (#42789717)

    Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources

    How come the cyanogenmod people do a better job than everyone else in the industry?

    I just upgraded a LS670 last weekend to cyanogenmod. CM9 if I recall. It's faster, looks better, more features, MUCH newer which would imply fewer holes, overall quite a massive improvement over stock. It no longer has cell service, I'm using this phone as a wifi microtablet, quite happily.

    • The big issue I have with Cyanogenmod is the fact that it can be very difficult to do right and you risk bricking the phone by doing it.

      My wife has a LG Optimus 3D (LG Thrill 4G for those of you stateside) and the last update she received upgraded her from 2.2 to 2.3.5, which was a brutal abortion of a release. Bugs everywhere and eats battery life to beat hell. After researching it thoroughly I decided against doing anything to it because I had to root it, then make sure I had a kosher set of files and upgr

      • by h4rr4r (612664)

        Nearly no phone can actually be bricked. Absolute worst case you boot into recovery and flash another zip.

        For what device is installing Cyanogenmod difficult?
        From your description not that one.

        There can't be a "good" installer, that would require the device company to play along. There is nothing they could do to make it easier for you.

    • by Rich0 (548339)

      CM is obviously great, and it is even better for the price.

      However, it isn't available for all devices, and because of the large number of devices these days it seems like many devices only have one or two devices. My previous phone was a G2 and CM never got past Gingerbread despite a 3rd party mod being sort-of working with Jellybean. Their quality control is better than the average mod, but isn't really up to professional standards. When a build that just came out of the compiler is released the same d

  • How is this unexpected? Unlike Apple phones and Microsoft phones, Android are a mishmash of some open source stuff, and some carrier specific stuff. This is part of the reason that I, at least, went with a MS Phone, instead of an Android phone. It reminds me of Linux: the core of it may all be the same, but by the time you slap all kinds of custom stuff on top of it, every single version is essentially different from every other version, and compatibility goes down the drain. So of course the carriers a
    • Re:Unexpected? (Score:4, Informative)

      by Microlith (54737) on Monday February 04, 2013 @06:20PM (#42790301)

      Nonsense.

      The core problem with Android is a core problem with ARM, namely that all of the nice plug-and-play stuff that lets a single kernel, and thus an Ubuntu live CD, boot on many systems doesn't exist in ARM. So each handset has to have the kernel adapted to it. And since this adaptation has to be done for every kernel Google releases, the handset vendors get lazy particularly as the kernel moves on and leaves their older, out of tree drivers behind.

      This has little to nothing to do with regular Linux distros because compatibility across them is actually quite good and as of Jellybean there is nothing other than the kernel in Android that is used by other open source projects.

      That they fail to push security fixes, let alone new Android versions, is because they just don't give a fuck.

  • The problem is Android phone manufacturers, rooted in traditionally consumer electronics oriented companies, are pumping out far more models than they could ever hope to provide adequate support for, as they aren't used to actually having to provide long term support for anything. This is one area they could really learn something from Apple, whose home computer roots have taught them what's involved with proper support. As consumer electronics get smarter, you're gonna see the same types of problems from
  • by erroneus (253617) on Monday February 04, 2013 @06:26PM (#42790385) Homepage

    In previous comments related to carriers and phones, I stated that I am done with carrier games.

    I am done with carriers selling me "discounted" phones which are actually far over-priced when required and unwanted data plans are added to the mix. I am done with carriers and their spyware and bloatware. I am done with carriers controlling the obsolescence of my device by providing late updates or failing to update them at all.

    Long ago I recognized the potential for security issues which predictably would not be managed by the carriers well or at all.

    Apple has it easier and it was by design. There are fewer models of iPhone so everyone is happier. Users know what they've got. The accessory makers are better guaranteed sales of mass produced products. Apple's carriers don't get to corrupt the iPhone and therefore there is more sanity when it comes to user concerns like bugs and security.

    I have a Google Nexus. Not quite my ideal phone, but less expensive than unlocked/unbranded Samsung Galaxy S3. It is more likely to get updates and fixes and within my power to install and use custom ROMs.

    Carriers care more about themselves than their customers. It is clear and evident. Why keep hoping and demanding that they care? Know them for what they are and respond.

  • Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.

    That's pretty funny, because there's a small group out there that manages to provide nightly updates for almost EVERY PHONE ON THE MARKET for free... http://get.cm/?type=nightly [get.cm]

    It seems to me like a carrier could simply let you switch to CM10 and get your updates from them as long as you agree that their updates are your problem and not the carriers... oooh... wait... the problem isn't updating Android... the problem is updating all their adware revenue bullshit to work with android, not the OS. I forgot. S

  • The phone maker gets their profit from selling new phones. Updating your phones OS to a new version cost them money and delays your purchase of a new phone. How much effort would you put into raising your cost while costing yourself future revenue? The carrier makes money by locking you into a longer contract term. Often those new terms are at more $$ per month which happens when you buy a new phone. Updating your phone to a new version delays your commitment to a new contract term. I'm perfectly happy with
  • It is more than just Google Android OS -> Phone Manufacturer but also then on to the Cell Carrier. Yes a new Android OS rolls out, and yes the Phone Manufacturer has to tweak drivers and what not. But after that the Cell Carrier then tries to splice on their apps other misc. clutter. This 3-phase pipeline is just murder for delivery. At each transition there is pushback. There had been, for example, discussion on the Droid BIONIC forums on how Verizon rejected a build from Motorola (for ICS) due to
  • This is very interesting in the context of the recent US ban on unlocking. As I understand it, the argument for banning unlocking has to do with the carriers wishing to retain at least partial ownership over your handset. As such, surely they're responsible for security implications? However, they're never keen on the effort involved in keeping older devices secure (which is more of a new threat in the age of android smartphone than it was on older proprietary non-app, non-data handsets).

    So what happens whe

  • They should only be selling phones as stock Android if the carriers are unwilling to manage changes whenever a security update or new version of the Android OS is available.
  • And this is exactly why I threw in the towel on Android. Two reference phones, bought unlocked, were abandoned. After the second one, and seeing my daughter's ancient iPhone 3GS continue to receive updates, I bought an iPhone 5. Perfect world? No. But I do get regular updates and it works with my iTunes/Apple TV. None of the phones worked perfectly in my Ford with SYNC, but sending text messages is limited to feature phones (reading on the iPhone was added in the latest Ford software update). Smartest thing
