This was an interesting article from Wired. Before you panic though, do read the response from Google near the bottom of the article. Also shows which manufacturers which seem to the best at keeping up with patches, which I've included as an attachment.
https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you (https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you)
My Moto G 3rd Gen hasn't had any security updates come through, in over a year.
My ZTE Axon 7 mini (a Canadian Bell Mobile/ PC Mobile phone) has been nagging me about doing an update, recently.
However, when I read the description it provides about the update, it appears that beside any possible security update, that Bell appears to be going to download one of their apps, with the update.
I don't think I want to do the update and wind up with another Bell app, that might degrade the performance of my ZTE phone.
Forgot to mention there is an app mentioned in the article that you can use to check your phone to see which updates were missed. It doesn't really show the severity of the problem but it gives the CVE nunber so you can do a search. As far as the Bell Update goes, you can always disable the app after it is installed. It might be worth the trouble to get the update.
My Sony phone has had only one update since I got it if I recall correctly and that was in January. Their app detects at lease one patch missing and 56 that say 'test inconclusive'. The app is called SnoopSwitch.
I hadn't realized that getting security updates was such a problem with Android. That's a big factor in favour of Apple phones and tablets. But even with my Android phone and tablet, what probably keeps me relatively safe is that I don't use social media.
Quote from: fox on April 13, 2018, 06:57:33 AM
I hadn't realized that getting security updates was such a problem with Android. That's a big factor in favour of Apple phones and tablets. But even with my Android phone and tablet, what probably keeps me relatively safe is that I don't use social media.
Google provides timely updates to Android but it's up to the carriers and manufacturers to get those updates out. Google controls the OS, but not entirely because manufacturers will often add their own customizations to it but they don't control the hardware at all and as we've seen, hardware can have vulnerabilities that have to be corrected in software (drivers and firmware, etc). This is unlike Apple, which controls everything which gives iOS and Apple tablets/phones an advantage here. You can get the same thing by using the Google branded devices (e.g. Pixel phones).
I'm curious what you mean about social media. I don't recall seeing that mentioned in the article. They did mention social engineering likely used more than trying to hack the OS but that's something very different. An example of that is when somebody calls staff in a institution posing as an IT worker for that company and manipulates them into giving up passwords or some other critical information.
By social media I meant stuff like Facebook, Twitter and Snapchat. I don't go to those sites and I therefore don't click on any links related to those sites. Maybe all that does is help keep my data more private, but I figured these might be connected to things that could keep anyone from installing bad stuff on my phone as well.
I realize why Apple devices have better security and that getting a Google branded device would probably give one the equivalent. But most owners of Android devices, present company included, don't have Google branded devices.
Gotcha'.
I'm not sure if I'd go as far as saying Apple devices are more secure. They're more difficult to research because most of the code isn't open and I'm not sure, but does Apple really give much information about what is fixed with various updates? With Android, researchers can actually scan most of the code looking to see if patches from Google were applied and Google is quite open about it (I think).
I did notice that Google certifies devices from certain manufacturers which at least means they're satisfied with manufacturers security practices. Though that still has nothing to with the carriers, which I suspect may be a larger part of the problem than the author thinks in that they may not be pushing out updates often enough.
In any case, I'm not at all concerned, more just curious. Google's reply to the researchers makes some good points.