
SoylentNews is people

posted by mrpg on Tuesday December 06 2016, @09:35PM
from the and-wait-for-2017 dept.

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone's software up to date with Google's fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

In the end, the recommendations are: buy an iPhone, stick to Google phones or install a custom ROM.

Original URL: Android security in 2016 is a mess

-- submitted from IRC


  • (Score: 4, Interesting) by TheRaven (270) on Wednesday December 07 2016, @11:12AM (#438283)

    Several reasons. The first is performance. A modern GPU, for example, does user-mode command submission. The kernel is only involved in mapping device registers into the program's address space and setting up shared memory segments. It stays out of the way for anything fast path. This means that the user-mode GPU driver needs intimate knowledge of the GPU. To get the same performance with a hypervisor, you'd need to do device pass-through, which brings you right back to the original problem. Performance also means battery life: the more abstraction layers that you have eating CPU cycles, the more you're draining the battery even in low-power states.

    The second is complexity. If you're moving all of the complexity of device abstraction into the hypervisor, then that's going to be a pretty big codebase. A conservative estimate for a modern phone would be around half a million lines of code (a minimum of about three million if you wanted GPU abstraction as well). All of that code is written in C or C++ and all of it is your trusted computing base. What do you want to bet that it is completely free of exploitable bugs? I'd be willing to bet at least one major exploitable vulnerability every six months. So now you need to have a mechanism for installing updates to the hypervisor.

    --
    sudo mod me up