Topic: WIRED: How Android Phones Hide Missed Security Updates From You

Offline Jason Wallwork

This was an interesting article from Wired. Before you panic though, do read the response from Google near the bottom of the article. It also shows which manufacturers seem to be the best at keeping up with patches, which I've included as an attachment.

https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you
« Last Edit: April 12, 2018, 07:44:40 pm by Jason Wallwork »
Primary: Desktop w/ Win10Pro/Kubuntu 19.04 on i5-3.2 GHz w/ 12 GB RAM, 64 GB SSD, 2x2 TB RAID 10 array for programs/data

Secondary/Test: Toshiba Satellite Ultrabook Z830-00K w/ Win10/Linux Mint 19.1 Xfce (i3-1.4 GHz, 4GB RAM, 128GB SSD)

Phone: Sony Xperia XA1 Ultra w/ Android Oreo 8.0.0

Offline ssfc72

« Reply #1 on: April 12, 2018, 08:25:21 pm »
My Moto G 3rd Gen hasn't had any security updates come through in over a year.

My ZTE Axon 7 mini (a Canadian Bell Mobile/PC Mobile phone) has been nagging me about doing an update recently.
However, when I read the description it provides about the update, it appears that, besides any possible security update, Bell is going to download one of their apps with the update.

I don't think I want to do the update and wind up with another Bell app, that might degrade the performance of my ZTE phone.
Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Tried Mint 19, but too many bugs. Went back to Mint 18.3
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason Wallwork

« Reply #2 on: April 13, 2018, 01:26:21 am »
Forgot to mention there is an app mentioned in the article that you can use to check your phone to see which updates were missed. It doesn't really show the severity of the problem but it gives the CVE number so you can do a search. As far as the Bell update goes, you can always disable the app after it is installed. It might be worth the trouble to get the update.

My Sony phone has had only one update since I got it, if I recall correctly, and that was in January. Their app detects at least one patch missing and 56 that say 'test inconclusive'. The app is called SnoopSwitch.

Offline fox

« Reply #3 on: April 13, 2018, 06:57:33 am »
I hadn't realized that getting security updates was such a problem with Android. That's a big factor in favour of Apple phones and tablets. But even with my Android phone and tablet, what probably keeps me relatively safe is that I don't use social media.
Ubuntu 19.04 and openSUSE Leap on 2011 iMac
Linux Mint Cinnamon 19.1 on "late 2015" 5k iMac
Ubuntu 19.04, 18.04 and MX Linux on Dell XPS 13 2 in 1

Offline Jason Wallwork

« Reply #4 on: April 13, 2018, 12:42:32 pm »
I hadn't realized that getting security updates was such a problem with Android. That's a big factor in favour of Apple phones and tablets. But even with my Android phone and tablet, what probably keeps me relatively safe is that I don't use social media.

Google provides timely updates to Android, but it's up to the carriers and manufacturers to get those updates out. Google controls the OS, but not entirely, because manufacturers will often add their own customizations to it, but they don't control the hardware at all and, as we've seen, hardware can have vulnerabilities that have to be corrected in software (drivers and firmware, etc). This is unlike Apple, which controls everything, which gives iOS and Apple tablets/phones an advantage here. You can get the same thing by using the Google branded devices (e.g. Pixel phones).

I'm curious what you mean about social media. I don't recall seeing that mentioned in the article. They did mention social engineering is likely used more than trying to hack the OS, but that's something very different. An example of that is when somebody calls staff in an institution posing as an IT worker for that company and manipulates them into giving up passwords or some other critical information.

Offline fox

« Reply #5 on: April 13, 2018, 05:07:37 pm »
By social media I meant stuff like Facebook, Twitter and Snapchat. I don't go to those sites and I therefore don't click on any links related to those sites. Maybe all that does is help keep my data more private, but I figured these might be connected to things that could keep anyone from installing bad stuff on my phone as well.

I realize why Apple devices have better security and that getting a Google branded device would probably give one the equivalent. But most owners of Android devices, present company included, don't have Google branded devices.

Offline Jason Wallwork

« Reply #6 on: April 13, 2018, 06:32:08 pm »
Gotcha.

I'm not sure if I'd go as far as saying Apple devices are more secure. They're more difficult to research because most of the code isn't open and I'm not sure, but does Apple really give much information about what is fixed with various updates? With Android, researchers can actually scan most of the code looking to see if patches from Google were applied and Google is quite open about it (I think).

I did notice that Google certifies devices from certain manufacturers, which at least means they're satisfied with manufacturers' security practices. Though that still has nothing to do with the carriers, which I suspect may be a larger part of the problem than the author thinks, in that they may not be pushing out updates often enough.

In any case, I'm not at all concerned, more just curious. Google's reply to the researchers makes some good points.
« Last Edit: April 13, 2018, 06:48:19 pm by Jason Wallwork »