Kitz Forum

Computer Software => Security => Topic started by: sevenlayermuddle on August 08, 2016, 10:35:52 PM

Title: 900 million Android phones at risk
Post by: sevenlayermuddle on August 08, 2016, 10:35:52 PM
http://www.bbc.co.uk/news/technology-37005226

To be fair, as long as Google roll out the fixes to all of the manufacturers, and as long as all of the manufacturers then roll out fixes to all of the phones, there'll be nothing to worry about, storm in a teacup.  :)

Alternatively, for 'as long as' substitute 'if only'.   :D
Title: Re: 900 million Android phones at risk
Post by: Chrysalis on August 08, 2016, 11:14:08 PM
and that will not happen due to commercial interests  ::)

Android is Armageddon waiting to happen.
Title: Re: 900 million Android phones at risk
Post by: NEXUS2345 on August 08, 2016, 11:20:52 PM
This isn't actually an issue that Google have to fix necessarily, as it is a flaw in Qualcomm firmware as opposed to a flaw in the Android OS. Google will be responsible for rolling it out to Nexus and Android One devices however, which they will most likely do in the September security patch, or it may be implemented into Android 7.0 Nougat, which is widely expected to roll out either late this month or early next month.

For the other devices listed it is the responsibility of their manufacturers to update the Qualcomm firmware. I can see the following are most likely to do it based on recent trends:
Title: Re: 900 million Android phones at risk
Post by: sevenlayermuddle on August 08, 2016, 11:27:47 PM
I'm perhaps a little out of touch, but is there any precedent at all for Android phone makers rolling out fixes to anything other than the very latest OS versions and handsets, regardless whether sourced by Google or chip makers?

I am assuming that a fair proportion of that 900,000,000 vulnerable devices might not be running latest version of Android, or newly purchased hardware. ;)
Title: Re: 900 million Android phones at risk
Post by: NEXUS2345 on August 08, 2016, 11:59:31 PM
As I said, the ones listed in the article are relatively recent, all released within the past year apart from the G4, Nexus 6 and a couple of others. There are other handsets that are not listed, and as such those handsets will need to be updated by their manufacturers. There is not really any business reason for them to update these devices, because as you say many of them are likely still running on older Android versions, although integration of the Qualcomm firmware is not dependent on Android version.
Title: Re: 900 million Android phones at risk
Post by: Chrysalis on August 09, 2016, 02:16:35 AM
Yep, I found this for Samsung, but as you said I think it is still reliant on the carrier to pass these updates through.

http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016
Title: Re: 900 million Android phones at risk
Post by: roseway on August 09, 2016, 07:34:03 AM
QuadRooter vulnerability: 5 things to know about this Android security scare (http://www.androidcentral.com/quadrooter-5-things-know-about-latest-android-security-scare)
Title: Re: 900 million Android phones at risk
Post by: Chrysalis on August 09, 2016, 05:20:58 PM
The custom ROM I got on my phone, which is the CPE1 variant of TouchWiz 6.0.1 from May 2016, did originally after flashing have the option to grab Samsung security updates available and enabled; I disabled it at the time because the updates broke root access.

I checked last night to see if I could turn it back on again, grab the updates and try to fix root afterwards, but now on my phone the option has vanished haha.  Bizarre.  So my phone is patched up until May 2016 and has all 4 of the Qualcomm CVEs vulnerable.

I've been trying to find out more about the vulnerability to see if it can be mitigated by adjusting the phone configuration, but very little information is out there.  e.g. Stagefright could be mitigated by disabling the Stagefright libraries in the build.prop file, so no patch was needed.  The only advice out there is the usual vague "only download apps from the Play Store".
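As an added illustration (not part of this thread and not any poster's code), here is a small POSIX shell check for the "how patched is my phone" question raised above: it reads the ro.build.version.security_patch property, which Android reports from 6.0 onward (and which is what a "patched up until May 2016" handset would show as 2016-05-xx), from a build.prop-style file and compares it with a date you choose. The sample build.prop contents and the threshold date are constructed for the example; the thread does not say which patch level closes these four CVEs, so the date is a placeholder you would swap for the relevant bulletin's date. On a live handset the same property comes from adb shell getprop ro.build.version.security_patch, and a pre-6.0 build simply does not set it, which the script reports separately rather than treating as "patched".

```shell
#!/bin/sh
# Added example, not from the thread. Checks an Android security patch level
# (ro.build.version.security_patch, format YYYY-MM-DD, reported on 6.0 and
# later) against a chosen date. Works on a build.prop-style file so it can be
# run offline; on a live device the value comes from
#   adb shell getprop ro.build.version.security_patch

# Print the patch level found in a build.prop-style file (empty if absent).
patch_level() {
    sed -n 's/^ro\.build\.version\.security_patch=//p' "$1" | head -n 1
}

# Turn YYYY-MM-DD into YYYYMMDD so dates can be compared as integers.
date_key() {
    printf '%s' "$1" | sed 's/-//g'
}

# Exit status: 0 = patch level is at or after WANTED, 1 = older,
# 2 = property missing or malformed (pre-6.0 builds do not set it at all).
# Usage: patched_since FILE WANTED
patched_since() {
    level=$(patch_level "$1")
    have=$(date_key "$level")
    want=$(date_key "$2")
    case "$have" in ''|*[!0-9]*) return 2 ;; esac
    [ "$have" -ge "$want" ]
}

# Constructed sample inputs for a stand-alone run (not real device dumps).
demo_dir=$(mktemp -d)
printf 'ro.build.version.release=6.0.1\nro.build.version.security_patch=2016-05-01\n' > "$demo_dir/old.prop"
printf 'ro.build.version.release=6.0.1\nro.build.version.security_patch=2016-08-05\n' > "$demo_dir/new.prop"
printf 'ro.build.version.release=5.1\n' > "$demo_dir/lollipop.prop"

WANTED=2016-08-01   # placeholder threshold; use the date of the bulletin that matters to you
for f in "$demo_dir"/*.prop; do
    if patched_since "$f" "$WANTED"; then
        echo "$(basename "$f"): patch level $(patch_level "$f") is at or after $WANTED"
    elif [ $? -eq 2 ]; then
        echo "$(basename "$f"): no security patch level reported (pre-6.0 build?)"
    else
        echo "$(basename "$f"): patch level $(patch_level "$f") is older than $WANTED"
    fi
done
rm -rf "$demo_dir"
```

The three-way result matters in practice: a missing property is not evidence of being patched, it is evidence that the build predates the monthly patch-level scheme entirely, which is exactly the "older phones don't have that facility" situation discussed later in the thread.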
Title: Re: 900 million Android phones at risk
Post by: Weaver on August 09, 2016, 05:54:49 PM
The iffy patch delivery model is the reason I could never consider an Android box. Although, actually I do own a very old Sony Android device - a music player - which is OK because it has no Internet connection.
Title: Re: 900 million Android phones at risk
Post by: sevenlayermuddle on August 09, 2016, 06:20:21 PM
QuadRooter vulnerability: 5 things to know about this Android security scare (http://www.androidcentral.com/quadrooter-5-things-know-about-latest-android-security-scare)

That article seems to suggest it is not a major crisis, on the argument that the Play Store would not approve a malicious App, and/or the App scanner would detect one.   I personally think that is rather naive... just as virus scanners have their uses, one should never actually depend upon them, none are 100% reliable.

The article also refers to this being 'Android security scare season'.   If the authors feel that Android security scares have become such a regular, even a seasonal event, surely that aspect (the frequency of scares) should be the thrust of their story...?

One thing I'd like to understand... If I still had an Android phone, it would be my old Samsung PAYG.  Purchased SIM-free, and never registered with Samsung.    So if it was affected, who would notify me of the update and (hopefully) force-feed me the fix?
Title: Re: 900 million Android phones at risk
Post by: roseway on August 09, 2016, 06:34:01 PM
The main point which I take from that "Five things..." article is that this isn't an Android problem. The vulnerability is in the Qualcomm drivers, and if a different OS was installed on the same hardware, it would have the same problem. So I get a little irritated when people scream about "another Android security problem". Android phones using different hardware are of course not affected.
Title: Re: 900 million Android phones at risk
Post by: Chrysalis on August 09, 2016, 06:47:28 PM
It's an Android problem because the way Android is built and distributed does not allow end users themselves to fetch a patch direct from the source and install it; instead they are reliant on their carriers and/or manufacturers.
Title: Re: 900 million Android phones at risk
Post by: sevenlayermuddle on August 09, 2016, 06:51:43 PM
I also noted it being said that it is a Qualcomm problem, not an Android one.   

Yet, while I can't pretend to be familiar with which chip does what on every phone, my understanding is that iPhones also used Qualcomm chips, at least until recently.  Nobody seems to be suggesting that iOS phones are vulnerable, and if they were, I think it would have been mentioned by now... :-\
Title: Re: 900 million Android phones at risk
Post by: Chrysalis on August 09, 2016, 06:54:30 PM
The difference is iPhone owners can get security updates from Apple, so if they were vulnerable it's only temporary.

Title: Re: 900 million Android phones at risk
Post by: NEXUS2345 on August 09, 2016, 07:09:38 PM
The argument that because Apple controls updates they are bound to fix it is only really relevant when you consider the iPhone 4S and above. Apple generally discontinue support for devices after about 4-5 generations, which is a long time, longer than most Android devices, but bugs from 25 years ago have been found in some software, so it is possible still that they may be vulnerable.
Title: Re: 900 million Android phones at risk
Post by: sevenlayermuddle on August 09, 2016, 07:38:38 PM
One point I keep remembering is a close associate of mine who rose to a senior governmental role (not the UK), with impressive security clearance levels.  In the early days of smartphones, when it was a 3-horse race between Google/Apple/Blackberry, they were issued with Blackberrys - I understand that only Blackberry were deemed safe.

Modern Blackberrys are of course just fancy Androids and these folks are now given iPhones, but interesting that Blackberry used to be first choice?
Title: Re: 900 million Android phones at risk
Post by: gt94sss2 on August 09, 2016, 08:15:25 PM
Quote
Modern Blackberrys are of course just fancy Androids and these folks are now given iPhones, but interesting that Blackberry used to be first choice?

It's the same in HMG. Traditionally, Blackberries were the only devices deemed secure enough and even now the higher up in classification the network is the more likely it will use a 'classic' blackberry.

Last I looked, some androids had been cleared by GCHQ but for low level/routine stuff only and iPhones were nowhere to be seen (for anything classified)
Title: Re: 900 million Android phones at risk
Post by: Chrysalis on August 09, 2016, 08:56:16 PM
Still significantly better than the android situation.
Title: Re: 900 million Android phones at risk
Post by: j0hn on August 10, 2016, 03:11:53 PM
Quote
The difference is iPhone owners can get security updates from Apple, so if they were vulnerable it's only temporary.

And I get monthly Android security patches, from Google, on my Samsung phone. Your point isn't valid. Android changed the way security updates work back in Android 5.*
Title: Re: 900 million Android phones at risk
Post by: NEXUS2345 on August 10, 2016, 04:55:34 PM
Android didn't change the way they work, Google simply started releasing non-mandatory monthly patches to the Android Open Source Project (AOSP) and their Nexus, Pixel and Android One devices. It is still up to manufacturers to roll out the updates, this has always been the same.
Title: Re: 900 million Android phones at risk
Post by: Chrysalis on August 10, 2016, 06:16:57 PM
Quote
And I get monthly Android security patches, from Google, on my Samsung phone. Your point isn't valid. Android changed the way security updates work back in Android 5.*

You and some people get updates, but not everyone does.

The Samsung updates only happen on some carriers; the carrier has to approve it.

Older Samsung phones don't have that facility at all.

Other vendors such as LG don't offer the updates direct like Samsung.

Your head is in the sand if you think Android doesn't have a problem; don't let brand loyalty mist your view.
Title: Re: 900 million Android phones at risk
Post by: sevenlayermuddle on August 10, 2016, 07:45:15 PM
I ceased to be an Android user some years back so, while I may be a little cynical, I'm by no means an authority on current update processes.  That said, my understanding is consistent with Chrysalis.   Also, the 'five things to know' (about this scare) article posted by Roseway, which does appear to be generally supportive of Android and tell 'their side' of the story, acknowledges that 'Android security is hard', and that device manufacturers still need to roll out the patches...

http://www.androidcentral.com/quadrooter-5-things-know-about-latest-android-security-scare

Quote
Even once patches are issued, they need to go through device manufacturers and carriers before being pushed out to phones
Title: Re: 900 million Android phones at risk
Post by: j0hn on August 10, 2016, 08:48:18 PM
Quote
Android didn't change the way they work, Google simply started releasing non-mandatory monthly patches

IMO your sentence contradicts itself. To me that's a change.

Quote
You and some people get updates, but not everyone does.

The Samsung updates only happen on some carriers; the carrier has to approve it.

On carrier-branded firmware, yes. I've never bought a handset with carrier-branded firmware. My OTA updates come from Samsung, without O2/EE/Vodafone etc. adding more bloatware.

Quote
Older Samsung phones don't have that facility at all.

Older iPhones don't get updated either. All new Samsungs get monthly security patches.

I wouldn't call it burying my head in the sand. I wouldn't call this an Android issue at all. It doesn't affect all Androids. It's a Qualcomm issue if anything. Or you could call it the handset manufacturers' issue.

I'm not an Android fanboy. I owned only iPhones till the 4S came out. Also bought the original iPad. I've since had 3 flagship Samsung phones, and 2 different Android tablets. I may at some point go back to owning an iPhone. Just way overpriced. I usually root my phone and stick a custom ROM on it right away. Held off with my current handset due to Knox/warranty, but it will get rooted further down the road.