
Android security in 2016 is a mess

Accepted submission by exec at 2016-11-30 05:41:37
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [HackerNews]

Time: 2016-11-28 18:37:54 UTC

Original URL: https://cpbotha.net/2016/11/27/android-security-in-2016-is-a-mess/ [cpbotha.net] using UTF-8 encoding.

Title: Android security in 2016 is a mess

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Arthur T Knackerbracket has found the following story [cpbotha.net]:


Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

Read on for more.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US [hackernoon.com]. It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly [android.com]), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.

However, only because I took steps to flash the official KDZ image (V30a-ZAF-XX), which consumers would normally not do, am I now running Android 6. However, my security patch level is 2016-03, meaning there are 6 months of security updates I don’t have. (You can check your Android security patch level by going to Settings | General | About Phone | Software info.)

Before you think six months lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin [android.com]:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.

(LG seems to be tracking Google’s security updates quite well [lge.com], but somehow these updates are not reaching phones.)

I just tried Check Point Labs’ QuadRooter Scanner app [checkpoint.com] on my “updated” LG G3, and this is what I saw:

So my manually updated LG G3 is still very much vulnerable to QuadRooter. In theory, my phone could be (or already has been) rooted and pillaged by any old innocent-looking app [techradar.com], although I keep mostly to the official Play Market, so the risk is slightly mitigated.

At this stage, even as a relatively knowledgeable user, there’s not much I can do to patch my phone against this vulnerability.

It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post [ben-evans.com]). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.

The fundamental problem here is that there are a great deal of Android phone vendors who make phones from absolute entry-level to top-of-the-line flagships, who have very little incentive to spend money on post-sale security updates.

Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.

However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.

Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat [cryptographyengineering.com], released in August of this year. In short, already then Apple made better choices in how exactly different files are encrypted, whilst Android implemented full disk encryption, which for the smartphone use case is not the right choice. In Nougat, Android has finally also changed to file-based, but they’re missing important parts of the puzzle. The phone encryption blog post [cryptographyengineering.com] I link to is insightful, please take a look.

If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security [google.com] states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.
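The two checks the post describes by hand, reading a device's security patch level (Settings | General | About Phone | Software info) and applying Google's Nexus/Pixel support rule, as a small audit script added here; it is not code from the post or from Google. It assumes the patch level is read from the `ro.build.version.security_patch` system property as printed by `adb shell getprop`, and the sample output below is constructed, not captured from a real device.

```python
import calendar
from datetime import date
from typing import Optional, Tuple

# Constructed sample of `adb shell getprop` output (not captured from a device);
# the patch date mirrors the 2016-03 level the post reports for the LG G3.
SAMPLE_GETPROP = """[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2016-03-01]
"""

def parse_security_patch(getprop_output: str) -> Optional[date]:
    """Return the ro.build.version.security_patch date, or None when the
    device does not report one (Android 5.x and older, as the post notes)."""
    for line in getprop_output.splitlines():
        if line.startswith("[ro.build.version.security_patch]: ["):
            value = line.split("]: [", 1)[1].rstrip("]")
            year, month, day = (int(part) for part in value.split("-"))
            return date(year, month, day)
    return None

def months_behind(patch: date, today: date) -> int:
    """Whole calendar months between the reported patch level and today."""
    return (today.year - patch.year) * 12 + (today.month - patch.month)

def audit(getprop_output: str, today: date, max_lag: int = 1) -> Tuple[str, Optional[int]]:
    """Classify a device: UNKNOWN (no patch level reported), OK, or STALE
    (more than max_lag months behind the date of the check)."""
    patch = parse_security_patch(getprop_output)
    if patch is None:
        return "UNKNOWN", None
    lag = months_behind(patch, today)
    return ("STALE" if lag > max_lag else "OK"), lag

def add_months(d: date, n: int) -> date:
    """Add n months, clamping the day to the length of the target month."""
    carry, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + carry, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def google_support_end(introduced: date, last_sold: date) -> date:
    """Google's stated Nexus/Pixel rule quoted in the post: updates for 3 years
    after introduction or 18 months after the last Google Store sale, whichever is longer."""
    return max(add_months(introduced, 36), add_months(last_sold, 18))

if __name__ == "__main__":
    print(audit(SAMPLE_GETPROP, date(2016, 11, 27)))                 # ('STALE', 8)
    print(google_support_end(date(2015, 10, 1), date(2016, 10, 1)))  # 2018-10-01
```

On a real device, pipe `adb shell getprop` into `audit()` with today's date; a 5.x device yields UNKNOWN, matching the post's observation that Lollipop does not expose a patch level at all.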

Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.

In other words, most normal consumers on a budget, i.e. the largest part of the Android user base, actually of the smartphone-using world, are stuck with insecure, vulnerable phones. This is not cool.

Installing a custom ROM such as Cyanogenmod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support of proprietary hardware. In any case, this is not something your average consumer will have access to, but Android gurus can certainly apply.

Efforts like CopperheadOS [copperhead.co] (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.

Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes, and a list of those that aren’t.

I was happy to see that at least Huawei has a pretty good record [softpedia.com] in terms of keeping their Android phones up to date (although the results were probably skewed as they counted the Huawei-produced Nexus 6P phones, and these formed the majority of the test set, doh). This factor will play a role in the next smartphone that I buy.

Do you know of any (other) manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!

lobste.rs user jabberwock tipped me off to the fact that Blackberry’s Android phones get monthly security updates [lobste.rs]. Read more at CrackBerry [crackberry.com] and here in the BlackBerry Android security bulletin for November [blackberry.com]: It looks like these phones receive monthly updates (when not blocked by the carrier, sigh) and have already received the November 2016 update.

Here is the original blog post where BlackBerry explained their security patching policies for the PRIV [blackberry.com].

Nice to bring such important information to the public. Most people think too short-term when buying a new phone and forget the aspect of how the manufacturer will update this phone in the future.
I own a Xiaomi phone, which is pretty rare here in Europe. I get weekly updates on it. Every Friday. So I don’t really know how many of these updates fix security issues. Most improvements are tweaks and design updates. But still I am very happy and wouldn’t want to change back to Samsung.
So I don’t know if your example of Xiaomi is valid.

Hi there Francy, thanks for stopping by!

Which Xiaomi do you have? Could you perhaps check the “android security patch level”? (settings -> general -> about phone | software info).

This is a bit worrisome: http://thehackernews.com/2016/09/xiaomi-android-backdoor.html [thehackernews.com] — looks like Xiaomi phones talk to the mothership without your knowledge.

Besides this, I have not been able to find an official Xiaomi security update policy. I would be very interested in knowing, because the Xiaomi phones are easily available down here on the tip of Africa. :)

Main reason why I would never get an OnePlus, even though I was tempted to get the 3T when it came out

OnePlus started updating (at least) the OnePlus X monthly with Android’s security patches. And since the OnePlus X costs ~250€ it might be another worthwhile budget option. I don’t know about their update policy for the 3(T).

My unrooted stock OPX is now on Android 6.0.1 November security patch level, which I received at the end of October.

I wrote an article on the subject, focusing on the ssl/tls in webkit. You might find it interesting.

I also touched on Google’s negligence with bionic, stagefright, and the Linux kernel.

Fairphone does a fair job of staying up to date with security updates and opensources most software.

Copperhead isn’t just a ROM. It’s a phone you can buy. Why not recommend it? It’s the best option available. Unlike iPhone, it’s still mostly open source (auditable security), although Google could free up more.

We should get behind & help people like Copperhead (Daniel Micay), who are doing something to improve things!

Do you mean the Nexus phones that they are selling with CopperheadOS?

Whatever the case may be, it’s a great and commendable effort. I agree that it’s taking important steps in the right direction, but to help the hundreds of millions of Android users who are not able to acquire or even afford a phone such as the Copperhead Nexus, another solution is required. (Heck, in theory I might be able to afford a Copperhead, but getting one down here on the tip of Africa is not going to be easy.)

Copperhead has one specific flaw, and several inherited flaws.

Copperhead does not include access to the Google Play store. This means (not only) that it can’t install apps directly from Google Play, but installed apps also cannot use Google Mobile Services. A number of popular apps require GMS, leading to a big disadvantage for Copperhead.

Since Copperhead cannot access Play, it can’t update WebKit/WebCore, so any apps that use the bundled /system/lib/libwebcore.so cannot be trusted. This includes most 3rd-party browsers, and otherwise any app that renders HTML without including their own rendering engine. Maybe you can side-load Amazon to get webcore updates (I haven’t tried it).

Copperhead inherits Android Zygote, which loads /system/lib/libstagefright.so as root while booting. The Zygote process lives forever and forks your apps. StageFright is a security disaster that got 115 patches in 2015 and should never have been implemented as a privileged process. Copperhead can’t fix OS fundamentals like StageFright (and perhaps Bionic).

I haven’t really looked at Copperhead other than a brief glimpse months ago at their specs. I know they implemented grsecurity, stack smashing protection, and they likely turned on -D_FORTIFY_SOURCE. These are great steps, but they can’t fix an architecture that is fundamentally flawed.

Sony is also quite decent with upgrades.

Quite decent? At the end of October the newest security patch level for the Xperia Z5 was April, APRIL! Now they updated it to August. Still more than two months behind with no sign of preparing any new updates.

Sony handles security updates really badly!

I’m pretty sure iOS 9 and therefore the iPhone 4s do not get security updates anymore. Cf. https://support.apple.com/en-us/HT201222 [apple.com]

It’s possible Google started developing Fuchsia, their new OS+micro-kernel (Magenta), for this reason. With a modular OS and micro-kernel, they could update the OS directly, instead of waiting for Qualcomm, OEMs and carriers to work together to ship updates.

Fairphone is a Dutch company that aims to create a fairly produced smartphone. They started shipping the first version of the Fairphone 2 early this year. It’s a modular phone designed to be repaired. For example, you can replace the screen without removing a single screw. IIRC the camera module just needs a single screw.

I’ve been getting regular security updates for the Fairphone 2. Current patch level is at November 5th. One of their goals is extending the longevity of the phone which also includes security updates. Might be worth a look for some people, even though it costs about double what phones with similar specs cost…

-- submitted from IRC
