Android Phones Missing Security Patches

Discussion in 'Alternatives to iOS and iOS Devices' started by apolloa, Apr 13, 2018.

  1. apolloa macrumors G4

    Joined:
    Oct 21, 2008
    Location:
    Time, because it rules EVERYTHING!
    #1
    Interesting story linked below, a group has checked over 1200 Android phones from all makes, including Google and Samsung and Sony, and has found them to be missing parts of security patches the manufacturers say they got.

    So if Google released a security patch version XXXX and Samsung releases it for their phones, those patches are actually missing some of the security updates that Google originally released in those patches, the manufacturer did not include them in their device's update, so you think you may have a security hole patched because you're running version XXXX, when in fact your device did not get that particular patch.

    Have a read, it seems to affect the lesser known brands more but they did note Samsung and Sony devices missing the odd patch, they have a tool you can use to scan your phone to check if you're missing any patches in the security updates:

    http://www.theverge.com/2018/4/12/17228510/android-phone-manufacturers-missed-security-updates-lie
     
  2. AustinIllini macrumors demi-goddess

    Joined:
    Oct 20, 2011
    Location:
    Austin, TX
    #2
    This is crazy. People ask me for Android phone recommendations and with the misstep from the Pixel line this year, it's hard to recommend any of them in light of this.
     
  3. mib1800 macrumors 68030

    Joined:
    Sep 16, 2012
    #3
    And the world is going to end for all android users tomorrow when all their money, identity and lives will be stolen. iPhone users can rejoice
     
  4. eltoslightfoot macrumors 6502a

    Joined:
    Feb 25, 2011
    #4
    Most logical iPhone users want to have good competition, not someone who sucks less...which is where we are now.
     
  5. nviz22 macrumors 601

    Joined:
    Jun 24, 2013
    #5
    Samsung is already missing two patches on the S9+.
     
  6. IowaLynn macrumors 65816

    Joined:
    Feb 22, 2015
    #6
    When you have a different OS, 7.1.1. vs 8.0.0 or 8.1 and all the out of date 6.0/6.01, plus how fragmented Android is.... that 'patch' may not apply.
     
  7. nviz22 macrumors 601

    Joined:
    Jun 24, 2013
    #7
    Keep me at 8.0 vs 8.1 if it means getting monthly security patches. I can see why people want the Pixel or iPhone for security purposes. If it wasn't for Knox or certified protection, Samsung would be cooked.
     
  8. TRDmanAE86 macrumors 6502

    Joined:
    Jan 27, 2015
    Location:
    New England
    #8
    One of the downsides of Android is definitely the consistency of security patches/major software versions. Fragmentation is horrible (especially when carrier models and unlocked models are considered in the equation)

    Last summer, I was researching a ZTE branded AT&T Go-phone being sold at my local CVS. As it turns out, this particular phone was over 2 model years old and has not received a single security patch and had an unlocked boot-loader. Amusingly, a different variation of this same phone (this one was the Cricket model I believe) already got 3 security updates.

    With my main phone, an AT&T branded LG V10, it's pretty much an afterthought since it was not a top-selling model and it was part of bootloopgate. Thus, security patches have been skipped and now the phone is at the end of support for updates. AT&T were thinking about giving it Nougat; however, they decided not to while the Unlocked and T-Mobile variants got it (and after AT&T received the regular update from LG)
     
  9. GigabitEthernet macrumors 6502a

    Joined:
    Jun 21, 2013
    Location:
    United Kingdom
  10. AustinIllini macrumors demi-goddess

    Joined:
    Oct 20, 2011
    Location:
    Austin, TX
    #10
    Agreed. Without android, iPhone would still probably have a 3.5 inch screen.
    --- Post Merged, Apr 13, 2018 ---
    Google has nothing to do with it. These are OEMs omitting Google security fixes. Google is likely powerless to address this issue.
     
  11. LIVEFRMNYC macrumors 604

    Joined:
    Oct 27, 2009
    #11
    Not surprised. Which is one of several reasons I always thought putting a date on Android security patches needs to be axed, along with the reason of people's impatience. 99% of users don't even know what's getting patched, including myself.

    This is equivalent to skipping on Windows updates for several months, but between all the other security measures, you'll still have sufficient protection. Most Android users are probably only at 0.1% higher risk of an attack from not being on the latest security patch. Although this is a problem which Google and manufacturers need to address, in the broad scale it's much ado about nothing.

    On another note ... would project treble eventually make this an issue of the past?
     
  12. GigabitEthernet macrumors 6502a

    Joined:
    Jun 21, 2013
    Location:
    United Kingdom
    #12
    Google has a responsibility, it is fundamentally their OS. I get it is open source but they should make it a condition of Google Services that updates must be done in a certain timeframe.
     
  13. IowaLynn macrumors 65816

    Joined:
    Feb 22, 2015
    #13
    Google now has Project Treble to enforce some compliance and make it somewhat easier with going forward with any phone that ships with 8.x or later.

    “P” takes it a step further and 64-bit compliance in 2019.

    But that leaves 100’s of phones with older vulnerable unpatched software, perfect for being harvested by new waves of malware that are more sophisticated.
     
  14. AustinIllini macrumors demi-goddess

    Joined:
    Oct 20, 2011
    Location:
    Austin, TX
    #14
    Google has little to no recourse. They make money by selling Google Play Services as a package with the Android OS. A company like Samsung can probably muscle them as they are a large customer of Google Play Services.

    The reality is, Google likely knows this is happening but understands its relationship with OEMs like Samsung is too important to outweigh the Android security push.
     
  15. Michael Goff macrumors G5

    Joined:
    Jul 5, 2012
    #15
    Project Treble won’t enforce anything.
     
  16. AustinIllini macrumors demi-goddess

    Joined:
    Oct 20, 2011
    Location:
    Austin, TX
    #16
    Right. Unless Google comes up with a Google certification program for Android and advertises it heavily, you're not going to see anything change.
     
  17. Michael Goff macrumors G5

    Joined:
    Jul 5, 2012
    #17
    Exactly. I don’t think people understand what Treble does. It makes it easier for companies to update, but that’s it.
     
  18. IowaLynn macrumors 65816

    Joined:
    Feb 22, 2015
    #18
    If it shipped with Oreo then isn’t Project Treble support if you want to have google support. And updates will be done differently.
    • However, what is happening with Project Treble is that Google is requiring that any vendor-specific code be separated from the Android OS framework and instead live in its own vendor implementation. Usually this means that there is now a separate /vendor partition on Treble-enabled smartphones that contains a bunch of HALs (Hardware Abstraction Layers).
    https://www.xda-developers.com/how-project-treble-revolutionizes-custom-roms-android-oreo/
     
  19. mrex macrumors 68030

    Joined:
    Jul 16, 2014
    Location:
    europe
    #19
    and everybody thinks that ios is better? have you checked how many times apple doesnt patch security issues and how many of them are still without patching, partly because people dont want to update the ios and partly because apple doesnt support old devices any more (=fragmented). for example a year 2017, vulnerabilities in os (top 5):

    1. android, over 800 (A bad year for android)
    2. linux kernel, over 400
    3. ios, almost 300
    4. macos, 300
    5. win10, around 250

    all time stats https://www.cvedetails.com/top-50-products.php?year=0

    and a reality check ”how well is my old device supported by apple?”
    https://www.ctrl.blog/entry/apple-abandoned-product-security

    so, do you really think that apple patches everything?? there are many security holes still on ios and macos that havent been fixed although they are known. and that should be the thing to talk about when apple has the os and the hw to control. still they left holes behind...

    the more or the less known fact is that most of the android related bugs are fixed via playstore without needing an os update. how many times apple has fixed a security hole without needing to update the whole os? so, how many iphones are out there with huge amount of security holes because they have not been updated to current os? yes, ios is badly fragmented - yes it is! - and many iphones dont have patched os or apple ditched them anyway. ”But apple provided a new os for your old iphone and it was your choice not to update.” did you ask yourself why the user didnt update the iphone? but, it is not sexy to talk about apple and security, it is more sexy to talk about how bad android is...

    what comes to updating android, it is a bit heavy process, starting from google, ending with carriers... when google fixes something in android, it usually takes months before e.g. samsung even can bring it to the customer (something to fix, too heavy process, imo.). this is already an old article about it but gives some perspective to android vs apple https://readwrite.com/2014/01/28/android-version-updates-take-so-long-get-smartphone/

    is android bad? no! shouldnt you compare android vs apple more like google vs apple? google devices get their patches immediately and almost all of them are updated. so are google devices as fragmented as apple devices?

    if you want and need to get every updates, get a google device.

    btw. i have iphone, ipad/ipad pro, macbook pro, atv, and not really using android at all anymore... but i do not understand this ”Omg, how bad it is...” when closing your eyes and living in a bubble that apple has told you for years... for sure, i feel better with apple, but still come on... it is not a heaven! and for me the problem isnt the android os itself, it is secure(!), but the fact that google allows devs to change privileges too easily after google has approved the app in playstore and from the beginning apps have too many privileges without needing them. there have been several apps in playstore that i have reported to google and they were removed. until google does it better i stay with apple, playstore app should be checked by google, not by a user...
     
  20. hallux macrumors 68030

    Joined:
    Apr 25, 2012
    #20
    Google release OS patches monthly but patching of the non-Pixel and non-Nexus devices (specifically older ones anyway) is up to the carriers and manufacturers. The point of Project Treble is to try to help those OEMs by forcing the manufacturer customizations into a different space to make it easier to do those monthly updates - possibly even by allowing them to be pushed by Google directly.

    Oh - there's another thread on this already.. Lies and Security Patches | MacRumors Forums
     
  21. Michael Goff macrumors G5

    Joined:
    Jul 5, 2012
    #21
    Treble just means updates are easier. It doesn’t mean they’ll actually happen
     
  22. Michael Goff macrumors G5

    Joined:
    Jul 5, 2012
    #23
  23. AustinIllini macrumors demi-goddess

    Joined:
    Oct 20, 2011
    Location:
    Austin, TX
    #24
    Nailed it. And there's a key difference here. It is the OEM's responsibility to update their devices. Google provides the OEMs with the tools they need to support their customers. Google is not responsible for the shortcomings of the carriers. They make no direct money off of Android. Google Play Services? Sure. Google's job is to support their OS/Services with the Carriers and OEMs as the customers. The OEMs and Carriers are responsible for their products being safe.

    Because Apple has removed the carrier from the equation and is the only OEM (if you accept Foxconn as a silent OEM partner), it is the responsibility of Apple to keep their devices safe and secure.
     
  24. nviz22 macrumors 601

    Joined:
    Jun 24, 2013
    #25
    Until CDMA goes away, Samsung will struggle to remove carriers out of the equation. Qualcomm gets to have a stronghold on the American market. Other OEMs should abide by Google's standards before things get worse and worse. HTC used to be the standard for third-party Android OEM updates.
     
