• Welcome to Peterborough Linux User Group (Canada) Forum.
 

WIRED: How Android Phones Hide Missed Security Updates From You

Started by Jason, April 12, 2018, 07:43:06 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jason

This was an interesting article from Wired. Before you panic though, do read the response from Google near the bottom of the article. Also shows which manufacturers which seem to the best at keeping up with patches, which I've included as an attachment.

https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

ssfc72

My Moto G 3rd Gen hasn't had any security updates come through, in  over a year.

My ZTE Axon 7 mini (a Canadian Bell Mobile/ PC Mobile phone) has been nagging me about doing an update, recently.
However, when I read the description it provides about the update, it appears that beside any possible security update, that Bell appears to be going to download one of their apps, with the update.

I don't think I want to do the update and wind up with another Bell app, that might degrade the performance of my ZTE phone.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

Jason

Forgot to mention there is an app mentioned in the article that you can use to check your phone to see which updates were missed. It doesn't really show the severity of the problem but it gives the CVE nunber so you can do a search. As far as the Bell Update goes, you can always disable the app after it is installed. It might be worth the trouble to get the update.

My Sony phone has had only one update since I got it if I recall correctly and that was in January. Their app detects at lease one patch missing and 56 that say 'test inconclusive'. The app is called SnoopSwitch.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

fox

I hadn't realized that getting security updates was such a problem with Android. That's a big factor in favour of Apple phones and tablets. But even with my Android phone and tablet, what probably keeps me relatively safe is that I don't use social media.
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

Quote from: fox on April 13, 2018, 06:57:33 AM
I hadn't realized that getting security updates was such a problem with Android. That's a big factor in favour of Apple phones and tablets. But even with my Android phone and tablet, what probably keeps me relatively safe is that I don't use social media.

Google provides timely updates to Android but it's up to the carriers and manufacturers to get those updates out. Google controls the OS, but not entirely because manufacturers will often add their own customizations to it but they don't control the hardware at all and as we've seen, hardware can have vulnerabilities that have to be corrected in software (drivers and firmware, etc). This is unlike Apple, which controls everything which gives iOS and Apple tablets/phones an advantage here. You can get the same thing by using the Google branded devices (e.g. Pixel phones).

I'm curious what you mean about social media. I don't recall seeing that mentioned in the article. They did mention social engineering likely used more than trying to hack the OS but that's something very different. An example of that is when somebody calls staff in a institution posing as an IT worker for that company and manipulates them into giving up passwords or some other critical information.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

fox

By social media I meant stuff like Facebook, Twitter and Snapchat. I don't go to those sites and I therefore don't click on any links related to those sites. Maybe all that does is help keep my data more private, but I figured these might be connected to things that could keep anyone from installing bad stuff on my phone as well.

I realize why Apple devices have better security and that getting a Google branded device would probably give one the equivalent. But most owners of Android devices, present company included, don't have Google branded devices.
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

#6
Gotcha'.

I'm not sure if I'd go as far as saying Apple devices are more secure. They're more difficult to research because most of the code isn't open and I'm not sure, but does Apple really give much information about what is fixed with various updates? With Android, researchers can actually scan most of the code looking to see if patches from Google were applied and Google is quite open about it (I think).

I did notice that Google certifies devices from certain manufacturers which at least means they're satisfied with manufacturers security practices. Though that still has nothing to with the carriers, which I suspect may be a larger part of the problem than the author thinks in that they may not be pushing out updates often enough.

In any case, I'm not at all concerned, more just curious. Google's reply to the researchers makes some good points.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13