Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.
Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone's software up to date with Google's fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.
In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.
In the end the recommendations are: buy an iPhone, stick to Google phones or install a custom ROM.
Original URL: Android security in 2016 is a mess
-- submitted from IRC
(Score: 4, Funny) by Anonymous Coward on Tuesday December 06 2016, @09:39PM
There's always Windows 10 Mobile. I feel so secure using it. I never have to worry about someone stealing my phone, as no one else wants it.
(Score: 0) by Anonymous Coward on Wednesday December 07 2016, @07:34AM
Windows 10 phone is officially the smartphone equivalent of gear stick in American cars.
(Score: 1) by ilsa on Wednesday December 07 2016, @04:35PM
Windows 10 phone is officially the smartphone equivalent of gear stick in American cars.
I have to disagree. Unlike Windows mobile, there are compelling reasons to want manual transmission.
(Score: 2) by davester666 on Thursday December 08 2016, @09:19AM
Still the best way to get an STD...definitely the most fun.
(Score: 0) by Anonymous Coward on Wednesday December 07 2016, @08:37PM
(ok, so they weren't american cars, but they were probably american car thieves...)
(Score: 0) by Anonymous Coward on Wednesday December 07 2016, @08:20AM
You're not wrong. I bought a Windows 8.1 tablet (Asus Vivotab Note 8), and when I realized that my pre-purchase research had been inadequate, I replaced it with an nVidia Shield Tablet.
Realizing that there was no chance of selling the Windows tablet, I tried to give it away. Took me two years to find someone willing to accept a free Windows tablet.
(Score: 2) by Nerdfest on Tuesday December 06 2016, @09:41PM
Those recommendations have always applied. I'm baffled at so many people buying Samsung phones with their crappy history of patches. Great custom ROM availability though. Part of the problem as well I think is people don't mind having these phones that are never updated (OS version-wise) as there's almost never anything you can't do because of it. Pretty much every part can be placed because it's not locked down. Perhaps people would care more if features came out that couldn't be done by applications rather than the OS.
(Score: 0) by Anonymous Coward on Tuesday December 06 2016, @10:59PM
The vast majority of Android phone owners don't think about or care about system updates. The vast majority of iPhone users are nagged mercilessly until they install updates.
(Score: 2) by Grishnakh on Tuesday December 06 2016, @11:26PM
What are you talking about? Many Android phones do indeed have a terrible reputation for never being updated, but my Galaxy S5 has gotten continuous updates, and it's a few years old now. The Galaxy S? line has been really good about updates. The problems are those cheap-o $50 Android phones.
(Score: 1) by ilsa on Wednesday December 07 2016, @04:44PM
I made the decision to never use a Samsung mobile device again after having an S3. I eventually gave up and was forced to root it and install cyanogenmod just so my phone would be half-way usable.
The only reason they're even providing updates now (and even then I'm guessing only on a few of their devices, not their entire lineup) was because they were embarrassed into doing it.
This is why I stick with Apple devices now. Sure, they're a bunch of greedy, money-grabbing assholes, but at least they make an effort to keep their OS secure and stable, unlike Google or every manufacturer that puts out Android devices.
(Also keep in mind that just because a device in the US gets an update, doesn't mean the exact same device in another country will. The likelihood that this happens is very low.)
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 06 2016, @09:42PM
The only way to fix this problem is to have an actual general computing platform that can be programmed by the collective efforts of disparate intelligence; as long as there are proprietary binary blobs that centralize the control of software development, we'll end up with the corporate drivel we have today.
For an ecosystem to evolve robust solutions under the various selective pressures, there must be variation; there must be a market of voluntary association; there must be competition, which is the most collaborative process society can ever hope to implement.
(Score: 1) by Francis on Tuesday December 06 2016, @09:59PM
People must be able to disable and uninstall apps they don't want. Why should I have to have the insecurities of the FB app on my phone when I never use FB? Same goes for the many other vendor installed apps that have nothing to do with the basic functionality of the phone.
Google has gotten smarter about the carriers and moved more of their core functionality into independent apps, but it's not anywhere near enough. The vendors shouldn't be allowed to lock the system down without providing the end user the ability to unlock it as needed. And the vendors should be responsible for whatever bad things happen from their software going bad.
(Score: 0) by Anonymous Coward on Tuesday December 06 2016, @10:04PM
All of that would be a natural outcome were mobile devices freed from the arbitrary and capricious limitations set by proprietous corporate overlords.
(Score: 4, Interesting) by Hairyfeet on Wednesday December 07 2016, @01:58AM
This is why I have to really give MSFT credit on their Win 10 Mobile, I may not like Win 10 on the desktop but on the wife's phone? It's damned nice and the first mobile OS I've seen that brings you all the goodness of a general purpose PC in your pocket. Don't like any app that comes with the phone, including the base apps? Just hold your finger on it and choose uninstall, that's it. Want to replace the default apps with third party like you do on the desktop? Go right ahead, nothing stopping you, just install what you want and toss what you don't.
Now that it's getting harder and harder to find phones that have decent custom ROMs I'm seriously thinking of dropping Android as I don't care for Samsung products and if I'm not gonna be able to swap the OS anyway I might as well have control of the programs that are on my phone like I have on my desktop.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 1) by Francis on Wednesday December 07 2016, @04:16AM
I used to love Cyanogenmod on my Nexus One years back, it's a shame they changed their model. I'd consider paying for their firmware, but last I checked they didn't even support any of the devices I own, so nothing to pay for.
I personally think that by law companies ought to be required to offer the end users some way of temporarily, or permanently, rooting their devices in order to remove bundled software. I like the idea of being able to root my device when I need that functionality and then turn it off as soon as I'm done with it. I don't know of any of the manufacturers offering that.
(Score: 0) by Anonymous Coward on Wednesday December 07 2016, @05:05AM
"There should be a law!"
(Score: 1, Interesting) by Anonymous Coward on Wednesday December 07 2016, @08:28AM
It's damned nice and the first mobile OS I've seen that brings you all the goodness of a general purpose PC in your pocket.
Large screen, great keyboard?
Don't like any app that comes with the phone, including the base apps? Just hold your finger on it and choose uninstall, that's it.
Yeah, that's the easy part.
Want to replace the default apps with third party like you do on the desktop? Go right ahead, nothing stopping you, just install what you want and toss what you don't.
If you like "desktop apps", sure. Otherwise, you quickly realize that you have one email app to choose from (and it's locked to outlook.com), one browser (Internet Explorer)...
That's the reason I spent two years trying to give away my Windows tablet: No mail app that works without an outlook.com account, and the best browser was IE. Not because IE mobile is better than IE desktop, but because the only alternative is Firefox 28 which was cancelled because "too few users", even though it's too buggy to use.
(Score: 2) by VLM on Tuesday December 06 2016, @09:49PM
stick to Google phones
There's a popular service option of companies selling phones that use wifi mostly and only switch to cellular when out of range of wifi. I used Republic Wireless for years and never had the slightest problem other than my phones never got any OS upgrades or patches.
I ended up switching to google fi to get patches. So far so good. I never had a security problem that I know of on the RW phones, but I feel much better on fi.
With this kind of custom service you can't really slap a custom ROM in because then it won't do the wifi offloading calls or whatever.
The Google phones are pretty nice hardware and don't come stuffed with crapware which is also nice.
(Score: 5, Informative) by Snow on Tuesday December 06 2016, @10:31PM
I have a Blackberry DTEK50 which runs android. Blackberry has provided monthly security updates. The OS also isn't bastardized with touchwiz. I would recommend it, plus it's pretty cheap ($429 CDN, no contract)
(Score: 3, Informative) by damnbunni on Wednesday December 07 2016, @07:57AM
I have a Blackberry Priv, which also gets the monthly security patches.
However, buy them direct from Blackberry. Some of the carriers are terrible about rolling out the update.
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 06 2016, @10:00PM
I don't use banking apps. About all they'll get out of my Android phone is my contacts list.
(Score: 3, Funny) by Anonymous Coward on Tuesday December 06 2016, @10:12PM
I'll do you one better, the only thing I use mine for is taking dirty pics of Aristarchus' mother. Any thief stealing my phone gets punished thusly.
(Score: 3, Funny) by DECbot on Tuesday December 06 2016, @11:14PM
That explains the picture of dirt and bones in a closet, on a bed, in the shower, in pleather, etc... But I still can't figure out the photo of the apron wearing goldfish in a giant bowl of wet noodles.
cats~$ sudo chown -R us /home/base
(Score: 2) by MostCynical on Wednesday December 07 2016, @01:22AM
Where is the -1 Ewww mod?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by JNCF on Wednesday December 07 2016, @02:55AM
But I still can't figure out the photo of the apron wearing goldfish in a giant bowl of wet noodles.
That was AC's actual porn stash.
(Score: 3, Informative) by q.kontinuum on Tuesday December 06 2016, @11:12PM
And probably your movement profile. (Even with GPS disabled, due to network information etc.)
And whom you call, and how often.
And your SMS.
But if you are not using maps, web browser, Camera and so on, I'd wonder why you need an Android phone instead of a 20$ Candy bar.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2) by hemocyanin on Wednesday December 07 2016, @08:39AM
Don't those candy bars also have a GPS in them? And no matter what you use, your cell tower and dialing history will be captured.
Anyway, I'm like AC above. I use my phone as a phone, a calculator, and to browse the news while I eat lunch. I know kids use their phones as general purpose computers -- but I'm too old for that -- I'll never learn to type on a flat screen with nothing but fake feedback.
(Score: 2) by q.kontinuum on Wednesday December 07 2016, @12:38PM
The candy-bars usually don't have GPS (for a certain value of "usually"...). And even if it does, it is much less likely to be hacked by someone, especially since they usually don't have an app-store.
Your dialling-history and cell-tower-history will be captured by your network-provider, but at least in Germany for them some stricter laws applied on how the data could be used. If your main-concern is those three-letter-agencies, this data is probably not hidden to them.
But for me it is a difference if a shady data broker gets the information, which areas of town I frequent, or if it is a government-organization that at least needs to act as if it doesn't use that kind of data too casually. For a commercial company it could be highly profitable (and therefore costly for you) to know where you spend your time, and whom you spend your time with.
E.g. a health-insurance-company might want to know if you spend your lunch-time in Burger-King or rather in the Gym. Or if you frequent areas known to be frequented by hookers. Or gay-clubs. Your insurance-rates might factor in some imagined health-risk for that. Or lawyers might analyse your address-book, reconstruct your social graph and contact your wife with some interesting deals for a lucrative divorce.
I'm not doing online-banking with my phone, either, and avoid WhatsApp, Facebook app and similar crap. However, I do use HERE navigation software, Signal (as a replacement for SMS) and the browser (although I wouldn't browse any delicate content from that browser).
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2) by HiThere on Wednesday December 07 2016, @07:17PM
IIUC, the phones are legally required to have a GPS, but not to make it available to the end-user. So making it available can be an extra cost option. (OTOH, my phone is old enough to pre-date that law...but it's JUST a phone.)
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by Thexalon on Tuesday December 06 2016, @10:03PM
This whole issue seems strangely familiar [soylentnews.org], as if we'd just discussed it last week or something.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 1) by fustakrakich on Tuesday December 06 2016, @10:24PM
What am I supposed to do, buy a new one? I mean, 'custom ROMs'? Whoops! Another brick in the wall [virginia.edu].
La politica e i criminali sono la stessa cosa..
(Score: 0) by Anonymous Coward on Wednesday December 07 2016, @02:24AM
After bricking two phones I am highly annoyed that the computer I purchased that I keep in my pocket all day does not have root access enabler for the owner of the hardware.
Assshats.
(Score: 0) by Anonymous Coward on Wednesday December 07 2016, @03:11AM
This is where I am at... https://wiki.cyanogenmod.org/w/Klte_Info [cyanogenmod.org]
(Score: 0) by Anonymous Coward on Wednesday December 07 2016, @08:35AM
Lovely warning at the top of that page.
(Score: 2) by TheRaven on Wednesday December 07 2016, @10:59AM
sudo mod me up
(Score: 2) by DeathMonkey on Tuesday December 06 2016, @10:36PM
My 2 year old HTC still gets updates. Maybe they're the exception?
(Score: 2) by tibman on Wednesday December 07 2016, @03:05PM
My guess is there are a lot of exceptions. On a OnePlus here and it says it has the November 2016 security patch.
SN won't survive on lurkers alone. Write comments.
(Score: 4, Insightful) by dlb on Tuesday December 06 2016, @10:41PM
(Score: 2, Funny) by Anonymous Coward on Tuesday December 06 2016, @10:46PM
hacked wide open from afar
That is so much worse than being pried partially open from nearby. This sounds like it's really getting out of hand.
(Score: 3, Interesting) by jummama on Tuesday December 06 2016, @11:14PM
I saw a blog post a few years back that suggested the idea of moving towards a hypervisor that would run Android, and would handle the hardware differences itself. Under this model, manufacturers would only need to add support to a hypervisor for their hardware, and the underlying Android image would call on the hypervisor to interact as needed with the hardware. With a standardized hypervisor interface, there would be less of a testing burden on the userspace side of it, and less effort to put newer versions of Android on devices as they come out. Of course, that wouldn't stop Samsung from creating their own ridiculous version of Android and putting that in the hypervisor, but perhaps Google could enforce hypervisor standards as part of their requirements for Google Play. Other than the likely political hurdles in getting manufacturers on board, do you guys see any problems with such a system?
(Score: 4, Interesting) by TheRaven on Wednesday December 07 2016, @11:12AM
The second is complexity. If you're moving all of the complexity of device abstraction into the hypervisor, then that's going to be a pretty big codebase. A conservative estimate for a modern phone would be around half a million lines of code (a minimum of about three million if you wanted GPU abstraction as well). All of that code is written in C or C++ and all of it is your trusted computing base. What do you want to bet that it is completely free of exploitable bugs? I'd be willing to bet at least one major exploitable vulnerability every six months. So now you need to have a mechanism for installing updates to the hypervisor.
sudo mod me up
(Score: 2) by GungnirSniper on Tuesday December 06 2016, @11:27PM
Phones are computers, and should get updates like their bigger cousins. We don't look to HP or Dell or our local white box reseller for security updates, so why should we be asking Samsung and LuckyGoldstar for security updates? Then manufacturers will have to write drivers to standards, and that will be more secure too.
Tips for better submissions to help our site grow. [soylentnews.org]
(Score: 1, Informative) by Anonymous Coward on Tuesday December 06 2016, @11:58PM
so why should we be asking Samsung and LuckyGoldstar for security updates?
And while we're at it, how about having the bootloader unlocked and give actual control of the phone to the user? Dispense with the proprietary blobs, as well.
I can dream.
(Score: 1) by Scruffy Beard 2 on Wednesday December 07 2016, @02:51AM
Modern cars probably have more lines of code.
(Score: 2, Interesting) by Anonymous Coward on Wednesday December 07 2016, @09:00AM
Not much difference there.
Soon the last Microsoft desktop OS (Windows 7) will stop getting security updates, and then computers will be out of luck too. Only touch devices (Windows 8, 10) will get security updates.
(Score: 2) by darkfeline on Wednesday December 07 2016, @06:30PM
This isn't really an Android problem. This is a problem with computer appliance manufacturers not providing diligent support and updates. I'm sure the same problem can be found amongst kiosk and hospital device manufacturers as well. The issue is irresponsible vendors, not Android.
Join the SDF Public Access UNIX System today!