Android Security Is a Joke

This is the way Android security works as I understand it. Please correct me if I'm wrong. If you buy a Google Pixel you will get guaranteed security updates for 3 years from the date of release of the phone model, as soon as Google fixes any security problem. After that you're on your own.

If you get a phone with Android One you will also get guaranteed security updates for 3 years from date of release of the phone model, but not on the day Google fixes the security problem. Google will announce the security problem, then hackers will get a few weeks to work on something until the OEM gets around to putting the fix on your phone.

If you buy any other Android phone you are entirely up to the OEM. Best case: security updates for a few years, released by the OEM weeks after Google announces the fix. Worst case: no security updates at all.

Comments

  • +4 votes

    What do you expect? Android is an open source platform. If you want to stay safe, don't root your phone, disable NFC, disable USB Debugging and Wi-Fi Debugging, and don't install random apps from the app store.

  • +7 votes

    Make your own mobile company where you can promise support to the end of time?

    • +6 votes

      Make your own mobile company where you can promise support to the end of time? with blackjack and hookers…

  • +4 votes

    If you buy any other Android phone you are entirely up to the OEM.

    I mean, I kind of feel that's how security works with everything: if Facebook gets hacked you have to wait for them to fix it, if Google does, you wait for them. You're always waiting for the manufacturer/developer to fix it, even with the Pixel. Keep in mind Android is open source as far as I know, so an OEM could fix it any time; they don't have to wait for Google to make a fix, they can make their own as quickly or slowly as they like.

    The issue is Google is really the main one that keeps at it, other companies are just willing to stop support for other reasons (likely so you buy a new phone).

  •  

    This is only slightly different with Apple and iOS - it's five years (and they slow it down each time!). With Android you are guaranteed 3 years, so it's less guaranteed, but sometimes more. Often the security patches don't require any OEM work, so they're rapid, but you aren't likely to get a whole new Android for the phone after the 3 years (e.g. move from Android 8 to 9).

  • +1 vote

    PS, Samsung phones get 2 major updates, and a year of monthly updates after that. My S6 Edge Plus kept receiving quarterly updates for the 4th year.

    Only had to replace the phone because of the battery (it was used heavily).

  • +1 vote

    You've pretty much summed it up. This was one of my frustrations with Android when I had my Android handset: slow OS upgrade and security update cycles, if you get them at all. If you care about security then the only options with Android are getting a Pixel or an Android One device. When my old Android device was due for replacement I looked for a phone that had everything I wanted; Pixel or Android One was a must-have, with 256GB of local storage or SD card support. I could only find one device at the time that had both, which was the Nokia 8, but none of the telcos had that device on a plan and outright was too much for me. A friend works for Optus and he said from their data that Nokia is the fastest Android One vendor to push updates.

  • +1 vote

    So basically you're aware of the advantages and disadvantages of buying Google products vs other manufacturers, so you can make an informed purchasing decision. If there's a serious security vulnerability discovered and the manufacturer doesn't fix it in a timely fashion, don't buy from that manufacturer again if that's important to you. The manufacturers are separate companies to Google. The support those companies provide for their products is their business. It doesn't seem like your issue is with Android security at all, it seems like it's with Samsung security, or LG security, or Sony security, etc.

    The second part is, if you take basic security precautions, how important is this to you? I've been using Android phones for 9 years. I've never had a problem and don't expect to. But I do buy either Google or Android One phones and this is one of the reasons.

    •  

      Agreed. OP is freaking out unnecessarily IMHO.

      I prefer Samsung phones over Google's own variants. The "latency" between patches and them coming over to Samsung (and then to service providers via OTA updates) was woeful a few years ago. Now it seems like there is a much faster patch release cycle and this is a level of risk I'm absolutely happy with.

      That said, I follow good phone hygiene and my production device is NEVER rooted.

  • +2 votes

    My Nexus 7 2013 LTE is running Android Pie with the latest security patch.

    Custom ROMs for the win.

    •  

      Which ROM? Looking for an updated one for my Nexus 7 2013

      •  

        Tried a couple and settled with Pixel Experience for no other reason than the convenience of gapps being included as part of the install.

        There's also an updated ElementalX kernel available, which I'm using while waiting for the new Francokernel.

        •  

          Thanks! I'd love a ROM with OTA updates…

          •  

            @AncientWisdom: Outta luck on that at the moment.

            Although with NFC now enabled and working on all? the Pie ROMs there's a chance we could have some "official" builds with OTA updates.
            Aside from being slightly easier to update, I'm not sure of the worth though. Development in terms of enhancements is long gone so updates are primarily for the security updates.

            •  

              @sir_bazz: "slightly easier" in my case is the difference between updated and not updated. Although, to be honest, it's not a big deal as it mostly serves as a glorified ebook reader.

  •  

    iPhone is really the only way to go for security:

    https://9to5mac.com/2018/02/28/ios-versus-android-security/

    •  

      Would love to see updated stats as this is an area where Android has seen (very slow) steady improvements with some manufacturers.

      • +1 vote

        It would be good to see an update of that comparison. See here for tracking of the number of security CVEs by product, which is interesting in its own right - https://www.cvedetails.com/top-50-products.php

        As it stands right now Android is number 4 on the list with 2178 total CVEs and iOS, listed as iPhone OS, is number 8 with 1651 total CVEs. Note that the oldest CVE for iOS is from July 07 whereas Android's is August 2011, a full 4 years' difference. But what struck me was that for 2019 there's only one CVE for iOS and 27 for Android.

        The CVE tracking proves that Android has more flaws discovered and patched by Google. I'm confident that this is due to Android being open source, so you've got lots of researchers going over the code and able to find more flaws. As more flaws are being found and made public you really need to keep your device up to date, but most of the Android OEMs do a piss poor job of it.

        •  

          what struck me was that for 2019 there's only one CVE for iOS

          There is sick money to be made selling iOS bugs and exploits on the black market. That may be one (fairly significant) contributing factor.

  • +2 votes

    Axon 7 with Android Pie, latest security patch. As above, custom ROMs FTW.

  •  

    Just buy an iPhone if you have issues with it.

  •  

    Roll out your own security update. This is not iPhone, you have the control.

  • +4 votes

    Just one amendment: the part about AndroidOne is not correct.
    This platform was born out of the Project Silver ambition at Google, which we later saw as the "Google Play Edition" devices. It was about giving OEMs the freedom to make their desired hardware, and Google to dictate the software and push updates.

    Current so-called AndroidOne devices have a very stock-ish OS, but it is actually not made by Google anymore.
    So you still need faith in the OEMs to do a good job of the implementation. On top of this, the updates are pushed out by the OEMs and carriers; they do not come direct from Google like the previous AndroidOne devices, or Nexus, or Pixels. This same bait-and-switch actually happened to AndroidTV and AndroidWear as well, and is one of the big contributing factors for their slump/demise.

    Current AndroidOne devices *promise* you monthly security updates and up to 2/3 years of software support… however, there is nothing to hold them accountable to this, and many devices have already experienced rollout issues. Overall, these devices do actually do a better job than SkinnedOS implementations, but it's not as great as you may have thought.

    In terms of support it goes:
    Latest iPhones
    Latest Pixels
    Enthusiast community support/custom ROMs (e.g. OnePlus 3)
    Latest AndroidOne
    Key flagship devices (e.g. Samsung S10)
    Other stock-ish OS devices
    SkinnedOS devices
    Cheap devices
    Chinese phones sold in the grey market with malware already installed

    And when it comes to security, Google is rather incompetent, even on their latest flagship device. To actually improve security, it's a good idea to attain root/superuser privileges then remove some of the lazy/sneaky background stuff and install better systems yourself.

    • +1 vote

      To actually improve security, it's a good idea to attain root/superuser privileges then remove some of the lazy/sneaky background stuff and install better systems yourself.

      Unless you are very, very well versed in SELinux and other hardened *nix flavours (as well as quite familiar with the underlying Android subsystems), rooting/superuser is highly discouraged.

      If you're leet af and have the requisite knowledge, feel free to attempt hardening. That said, while you may be able to patch certain items, you may end up opening up a range of other attack surfaces.

      • +2 votes

        Yes, but the good thing about YOU, the owner, getting access to that underlying level is transparency.
        You're more likely to stop "bad things" happening if you actually know about them.

        Superuser and SuperSU provide a sandbox of sorts, where, when system permissions are asked for, they are logged and the user is prompted whether they want to grant permission. Diving into these logs, you can see which services are running secretly in the background or even communicating with outside servers.

        Sure, you can obtain root/superuser status and abuse that power, thus making your device even more lazy in terms of security.
        However, that's usually the exception and not the norm.
        On top of this, it's usually a myth that obtaining root makes you more susceptible to hacks/security breaches. While yes, there could be an exploit within the subframe of the superuser manager itself, this is usually a big blunder to make, and there's no precedent for it. And there is a legitimate argument to make against, say, SuperSU, now that it's gone proprietary with CCMT and ChainFire retiring… however, that doesn't change the argument for having a manager based on an open source effort (i.e. Magisk).

        So, basically, if you can understand how software works to some degree and follow directions, you do not need to be "leet af".
        You can use these popular tools and improve your experience and security hygiene rather simply.

        • -1 vote

          Superuser and SuperSU provide a sandbox of sorts, where, when system permissions are asked for, they are logged and the user is prompted whether they want to grant permission.

          That's not a sandbox. Re "prompt the user to grant permission", this is achievable through social engineering style attacks on the disguised malicious app. People install stupid shit all the time. https://securelist.com/how-trojans-manipulate-google-play/75...

          Sure, you can obtain root/superuser status and abuse that power, thus making your device even more lazy in terms of security. However, that's usually the exception and not the norm.

          I would say the reverse is true. You haven't worked in IT very long, have you? :)

          On top of this, it's usually a myth that obtaining root makes you more susceptible to hacks/security breaches. While yes, there could be an exploit within the subframe of the superuser manager itself, this is usually a big blunder to make, and there's no precedent for it. And there is a legitimate argument to make against, say, SuperSU, now that it's gone proprietary with CCMT and ChainFire retiring… however, that doesn't change the argument for having a manager based on an open source effort (i.e. Magisk).

          The issue is weakening the device itself by allowing superuser access in the first place. I'm not talking about actual vulnerabilities in SuperSU. On a side note, I think you're giving way too much credit to stuff being open source.

          So, basically, if you can understand how software works to some degree and follow directions, you do not need to be "leet af".

          I'll take that back, sure, you don't need to be "leet af" to manage a rooted phone safely. You need to be technically competent, be exceedingly cautious (more so than with a non-rooted phone) and most importantly, be spending sufficient time analysing comms flows in and out of apps, monitoring processes etc.

          You can use these popular tools and improve your experience and security hygiene rather simply.

          Yeah, no, that's not it IMHO. You use a rooted phone because you enjoy the customisation feature set and the quality of life improvements. While it gives you the ability to perform highly granular monitoring, this really isn't sustainable on a busy person's primary device.

          High sensitivity functions like mobile banking on a rooted phone, that is very dicey, as there are real world attacks. So much so that more sensitive applications (e.g. boardpaper applications) try to lock down functionality after performing root detection (easily bypassed), given that from an organisational POV, rooted devices are considered dirty devices.

          My intent here is not to be argumentative, I just want to make a point that privileged access to any device is a very double edged responsibility that should be treated with utmost respect. You never drop to a superuser priv unless absolutely necessary, yet I see too many youngsters rooting/jailbreaking without being clear about the implications (and I'm definitely not saying that you're one of them).

          •  

            @gearhead: Can you give examples of real world attacks? Been rooted since my first Android (Galaxy S2) and never heard of any.

            •  

              @AncientWisdom: Good question. If you have a good antivirus on your old phone and don't have any bank apps or NFC on it what is the worst thing that can happen?

            •  

              @AncientWisdom: Apologies for the delayed response. The general guidance is: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Securi...

              Generally the dangers come from malware, and given the access a lot of "root required" apps have, any compromise becomes more serious. This is akin to running web servers with elevated privileges (which is why ColdFusion hacks were so popular: CFM scripts would run with SYSTEM privs).

              In terms of real world attacks, I'll admit most of my information comes from targeted attacks. Some of the bigger fish were fried using inappropriate IPC comms.
              https://developer.android.com/training/articles/security-tip...

              Basically if any application allowed to run as root has a vulnerability, it may be exploited to get root privs on your Android.

              • +1 vote

                @gearhead: Thanks.

                The reason I asked was that a friend just asked me a similar question, but about general security updates (if there are any examples of real-world attacks that were possible due to outdated Android OS) and I couldn't think of any.

  •  

    Lots of talk about hackers etc. and yet I have never once heard of anyone I know having their phone hacked, infected with a virus, compromised by malware etc.
    Not a single person.

    Compare that to the experience with a regular computer, be it Windows or Mac, and nearly everyone I know has had a virus at some point.

    I don't install phone updates unless something I want to use demands it; almost universally, installing updates has made my phone worse, across multiple devices (mainly Samsung and Sony) over the years.

    People talk about new features of Pie vs Oreo vs Nougat etc. I recently fired up an old phone and wondered how it had a new, better, cleaner version of Android on it; turns out it was Marshmallow!
