Android security on the ropes with one-two punch from researchers

Faulty Stagefright patch and newly reported sandbox bypass leave users exposed.

Read the whole story

 

[Walt French]

JButler[/url]":2sezzp6b]Windows 10 Mobile can run Android apps with little or no modifications. Are these vulnerabilities applicable to Android apps running on W10M also? Either way, we might have a situation where you would be better off running your favorite Android apps on Windows 10 mobile because MS will update their phones pretty well.

Dream on. Any app that uses any significant amount of G services isn't going to get much, or any attention devoted to replacing in-app purchases, for example. That's the major way most apps monetize these days, so the combo of any work to port, plus a nearly-invisible app-buying user base, pretty much rules that out.

 

[Ed M.]

The sheer number of disparate android devices numbers around 20,000+. How do you test against that many variants? This makes 5 nightmare security issues in under a month.

Where is the outrage, It goes to show you that people probably could care less what OS they have on their phone. All they know (to the extent that the do at least) is that they either have an iPhone or a "not-an-iPhone". Those that don't have an iPhone just might wish they had one before long.

 

[Walt French]

melgross[/url]":3goejjk7]

andrgl[/url]":3goejjk7]It's fairly gullible to think just because you're using Windows Phone or iOS your platform is anymore secure.

Android isn't closed source so exploits are -relatively- easier to develop. I'd rather researchers work their blackhat magic so the holes get publicized.

That's a myth. The very existence of so many massive security flaws in Android puts that nonsense to rest. Of course, it isn't totally open source. But badly written software doesn't care who writes it. Linux has seen major security flaws in its time as well, and several very serious ones this year.

If security isn't the first thing considered when doing an OS, then it's going to be very difficult to add it on. Security can't be a secondary consideration. Earlier this year, a Google executive stated at their conference that security wasn't considered when writing Android, but versatility was. The payment we see is all of these problems that Google simply can't get a handle on. The OS appears to be so riddled, that it may never be fixable.

Ars readers naturally focus on the OS, a subject many of us are expert about, and most are at least knowledgeable about.

But at least since the BlackBerry, the epitome of a bundled computer system, smartphones' OSes are less important than their ecosystems and their vendor policies. These are consumer products more than they are computers. Of course, they're computers, but their billions of users don't think of themselves as computer users, nor do they want to deal with the issues that Ars readers enjoy.

 

[Deleted member 46272]

Peevester[/url]":3q951iol]

Xelas[/url]":3q951iol]

Peevester[/url]":3q951iol]

dlux[/url]":3q951iol]I imagine Google will have to eventually halt everything and execute an 'all-hands' security focus, similar to what Microsoft went through in the early 00s. If the do this right they can eventually come out looking like bruised heroes, but if they don't then that may ultimately be the end of Android for all but the most disposable of phones.

How are they going to get carriers to agree to that? Even if they come up with the best solution ever, the carriers with custom builds aren't going to touch it, or at least not quickly.

While I think you're right that future versions of android need to have these kind of protections built in, and they need to find a way to end OS customization (i.e. pretty much do all the hardware layer over from scratch), it's not going to be a quick solution.

Skelator123[/url]":3q951iol]

Azethoth666[/url]":3q951iol]I sold my soul to iPhone so this does not affect me. However I hope Google figures out security though. Nobody benefits from insecure ecosystems.

There have been at least two fairly recent attacks on iPhone which trigger just by sending a crafted text message which didn't even have to be opened. Both were pretty quickly patched, but don't pretend like exploits only exist on Android.
The real issue at hand is the difficulty getting updates pushed out to Andriod devices in a timely fashion.

It doesn't matter if they exist if they're easily and quickly patched on the majority of devices. That's the problem android has - they only have the ability to directly fix something like 2% of the devices out there, and the carriers have proven completely useless at picking up the slack.

The carriers can continue to load apps if they want to (like their branded voicemail apps, for example), but they shouldn't be allowed to change core functionality that can impact the security of the device.
If Apple can do this, then there is no TECHNICAL reason Android can't.

In actual fact, technical reasons are exactly why Android is in this boat. The design and implementation of the OS makes every single phone model a special snowflake. That's fine when you have a small, vertically integrated product line (like Apple), but it's the worst of all possible worlds in a commodity hardware ecosystem.

That brings up a point - why ARE ROM images model-specific? Linux has the capability to load drivers as needed (see Linux on every PC), Android is Linux at heart, and there is no reason you can't have the kernel load the drivers for the radios and sensors on the phone as needed, then delete the ones it doesn't need to free up space because, unlike a PC, you'll probably never change the phone config, unless Project Ara comes to pass.
Or, you can have the kernel load up "basic" (some sort of VESA standard, like on the PC?) drivers, then go online and suck down the model-specific ones from online.
Why does each and every phone model need a special ROM cooked up just for it? I don't think that extra few percent of optimization you can get form a custom image really matters with the insane specs phones have today.

EDIT: The reason you'd want that is that Google can then freely update the kernel, while the OEMs can (or may choose not to) update drivers, and everyone will be happy.

EDIT2: - There is also no reason that the sensors/devices can't have basic functionality enabled through standard API/calls in a system BIOS to enable a phone to function in "safe mode" with basic touchscreen, USB, and radio functionality with just the standard kernel installed. Just like the old DOS days on PCs from 2 decades ago.

 

[Rosyna]

MrMalthus[/url]":247swq1d]

Rosyna[/url]":247swq1d]

MrMalthus[/url]":247swq1d]

melgross[/url]":247swq1d]

andrgl[/url]":247swq1d]It's fairly gullible to think just because you're using Windows Phone or iOS your platform is anymore secure.

Android isn't closed source so exploits are -relatively- easier to develop. I'd rather researchers work their blackhat magic so the holes get publicized.

That's a myth. The very existence of so many massive security flaws in Android puts that nonsense to rest. Of course, it isn't totally open source. But badly written software doesn't care who writes it. Linux has seen major security flaws in its time as well, and several very serious ones this year.

If security isn't the first thing considered when doing an OS, then it's going to be very difficult to add it on. Security can't be a secondary consideration. Earlier this year, a Google executive stated at their conference that security wasn't considered when writing Android, but versatility was. The payment we see is all of these problems that Google simply can't get a handle on. The OS appears to be so riddled, that it may never be fixable.

I think you may be biased by what you read instead of actual disclosed vulnerability reports. There really haven't been that many major Android exploits (i.e. if Android is "so riddled" that leaves basically every major operating system in tatters). A number of architectural decisions, not least of which was building around SELinux, were wisely made. There's a reason you haven't seen this exploit in the wild yet.

The issue is, as others have said repeatedly, in how Android is distributed and updated.

That's because Google never discloses fixed vulnerabilities.

Hell, Google's very first ever Android Security bulletin was posted yesterday. It only covered 6 bugs. And one wasn't even properly fixed (the one this article is discussing)!

As is usual for OS security updates, all the specifically called out fixes already have CVE numbers (same as Microsoft and Apple security updates). You don't need to depend on the vendor for those, they're already in the National Vulnerability Database (as well as many other vulnerability tracking databases).

A fixed security bug that's never disclosed (or never disclosed as a security bug) does not get a CVE. It also goes without saying unfixed, never disclosed security bugs can't get CVEs.

 

[zogus]

raptormissle[/url]":1flhzqtf]

BaritoneGuy[/url]":1flhzqtf]At my company (about 10K employees) we are looking at banning Android outright. Google needs to get this sorted out really, really quickly.

While you're at it be sure to ban all of those vulnerable Windows machines.

Unfortunately, it is still not practical to replace Windows with anything else on the corporate desktop, in spite of fifteen years of trying by the Linux folk. (Apple stopped trying a long time ago.)

The same cannot be said of Android.

 

[Gary Patterson]

rick*d[/url]":jz1ebh40]

dlux[/url]":jz1ebh40]

Dilbert[/url]":jz1ebh40]Well they also need to cut OEMs and carriers from having anything to do with software updates.

Yes, I can't see any other way to implement this. Microsoft, in their similar situation, had to engage their PC hardware partners as part of the overall cleanup. They didn't have quite the same dependency that Google has now on handset makers and carriers, but not owning the hardware part of the stack certainly complicates things.

Also, Android is past their massive growth stage, so Google can afford to be a little more ruthless with the hardware vendors and carriers (less so with the carriers, though.) They've established the user base and ecosystem, so they now have to weigh whether customers will be more likely to abandon the platform because of security or because of delayed features.

It all depends on who they consider their "customers". Google is far more likely to consider you and I their customers, because the whole point of Android was to get their search tools into the hands of as many people as possible, and thus gather marketable data about us to sell to advertisers..

Almost. Holding an Android phone doesn't make you a Google customer. It makes you the product they sell to advertisers. It's a bitter way to look at the relationship people have with Google, but it's the correct way. Google make money from advertising to users. The users don't pay for the ads, so they cannot be the customers.

Your attention is the product they are selling. Never forget that Google are an advertising company first and foremost. That's where their revenue comes from.

 

[Rosyna]

arsman999[/url]":bqenf4ll]Where are the android fanboys who made fun of iPhone having a similar problem(except the issue was it just rebooting). This is a much bigger problem than the iPhone "exploit"

It wasn't even the phone rebooting. Springboard just crashed. Most other apps were unaffected.

 

[Walt French]

Xelas[/url]":ngzm7hbd]

Dilbert[/url]":ngzm7hbd]

dlux[/url]":ngzm7hbd]I imagine Google will have to eventually halt everything and execute a company-wide security focus, similar to what Microsoft went through in the early 00s. If the do this right they can eventually come out looking like bruised heroes, but if they don't then that may ultimately be the end of Android for all but the most disposable of phones.

Well they also need to cut OEMs and carriers from having anything to do with software updates. Then they need to decide how far back they support Android versions. Then they need to back port each security update to how ever many versions back they officially support. MS does that. Google needs to do it too. Apple does not back port patches to older OS versions but they do make it so several previous hardware devices can run the latest OS, so either way users get secured.

They probably also need to separate the theming/skinning aspect from the GUI itself, then lock down the kernel and all important subsystems to keep OEMs from screwing them up - like the unsecured Samsung keyboard fiasco recently.

This sounds sensible, but it really goes against Google's model for the platform. They provide a nice OS to OEMs, who can make pretty much whatever they want of it, as long as they keep G services up front, and use the latest OS version.

Even the existence of AOSP points to Google's intent: OEMs could sign up for Android without worry that heavy-handedness on Google's part would force them to abandon the platform; they could just take AOSP and do whatever they wanted, any time. The posture obviously worked to get a huge number of OEMs on board, with only Nokia deciding to seek out a third way.

Now, something like 8 years later, Google has still not significantly changed its positions about security, updates, technical requirements, etc. The issues have been around, and talked about, all this time. It'll be a major change for them. I hope they do respond appropriately, but I don't see why Arsians should lay out a roadmap for a trip they don't show they want to go on.

 

[vnicolici]

JButler[/url]":go1rvv4d]Windows 10 Mobile can run Android apps with little or no modifications. Are these vulnerabilities applicable to Android apps running on W10M also? Either way, we might have a situation where you would be better off running your favorite Android apps on Windows 10 mobile because MS will update their phones pretty well.

Well, not sure, but while browsing the filesystem of the Android virtual machine included I found some binaries related to Stagefright.

And it seems it's not based on the most recent Android versions (from what I read is based on 4.4.4 KitKat), so it's reasonable to assume it may be affected.

But it's unlikely any code exploiting the vulnerability would be able to escape the HyperV virtual machine.

 

[Walt French]

OrangeCream[/url]":1cnk7szh]

dlux[/url]":1cnk7szh]

Dilbert[/url]":1cnk7szh]Well they also need to cut OEMs and carriers from having anything to do with software updates.

Yes, I can't see any other way to implement this. Microsoft, in their similar situation, had to engage their PC hardware partners as part of the overall cleanup. They didn't have quite the same dependency that Google has now on handset makers and carriers, but not owning the hardware part of the stack certainly complicates things.

Also, Android is past their massive growth stage, so Google can afford to be a little more ruthless with the hardware vendors and carriers (less so with the carriers, though.) They've established the user base and ecosystem, so they now have to weigh whether customers will be more likely to abandon the platform because of security or because of delayed features.

It's not so much that Google can afford this, so much as the act of forcing a new update and security model on OEMs that might otherwise be deemed monopolistic and anti-competitive (allow us to update your phone or you cannot license Android, and you cannot be allowed to modify core components of Android) when last seen in the year 2000 would be acceptable now.

In other words, security is now such a big deal that everyone can probably 'enforce' such clauses in the name of safety and security.

Had the IE + Microsoft case occurred today instead of 15 years ago (see how tightly Apple can restrict browsers on iOS!), they might have gotten a free pass because Firefox would have introduced unintended attack vectors.

As it is Microsoft is in the news again because Lenovo is misusing APCI to load software onto clean systems.

Good lord, a non-lawyer telling us that an OEM/Google contract full of requirements to provide Google services, can't also include security features because anti-trust.

How do you make this stuff up?

 

[Deleted member 46272]

Walt French[/url]":3jgoqxiz]

Xelas[/url]":3jgoqxiz]

Dilbert[/url]":3jgoqxiz]

dlux[/url]":3jgoqxiz]I imagine Google will have to eventually halt everything and execute a company-wide security focus, similar to what Microsoft went through in the early 00s. If the do this right they can eventually come out looking like bruised heroes, but if they don't then that may ultimately be the end of Android for all but the most disposable of phones.

Well they also need to cut OEMs and carriers from having anything to do with software updates. Then they need to decide how far back they support Android versions. Then they need to back port each security update to how ever many versions back they officially support. MS does that. Google needs to do it too. Apple does not back port patches to older OS versions but they do make it so several previous hardware devices can run the latest OS, so either way users get secured.

They probably also need to separate the theming/skinning aspect from the GUI itself, then lock down the kernel and all important subsystems to keep OEMs from screwing them up - like the unsecured Samsung keyboard fiasco recently.

This sounds sensible, but it really goes against Google's model for the platform. They provide a nice OS to OEMs, who can make pretty much whatever they want of it, as long as they keep G services up front, and use the latest OS version.

Even the existence of AOSP points to Google's intent: OEMs could sign up for Android without worry that heavy-handedness on Google's part would force them to abandon the platform; they could just take AOSP and do whatever they wanted, any time. The posture obviously worked to get a huge number of OEMs on board, with only Nokia deciding to seek out a third way.

Now, something like 8 years later, Google has still not significantly changed its positions about security, updates, technical requirements, etc. The issues have been around, and talked about, all this time. It'll be a major change for them. I hope they do respond appropriately, but I don't see why Arsians should lay out a roadmap for a trip they don't show they want to go on.

If Microsoft can fundamentally change the security model of Windows, breaking thousands of applications in the process (transition from XP to Vista), then Google can do the same. Experience is showing that OEMS don't give a hoot about the long-term viability of Android, so Google really needs to take the bull by the horns.

 

[raptormissle]

zogus[/url]":1fioh9l8]

raptormissle[/url]":1fioh9l8]

BaritoneGuy[/url]":1fioh9l8]At my company (about 10K employees) we are looking at banning Android outright. Google needs to get this sorted out really, really quickly.

While you're at it be sure to ban all of those vulnerable Windows machines.

Unfortunately, it is still not practical to replace Windows with anything else on the corporate desktop, in spite of fifteen years of trying by the Linux folk. (Apple stopped trying a long time ago.)

The same cannot be said of Android.

Yes, it is possible to replace Windows and not only is it practical from a security and administration perspective, it can also be more economical given your business use case. Also, just look at what IBM is doing - they estimate a large majority of their employee's will be switching to Mac's.

 

[checkedout]

I'm looking around for the Google press release or public response to this issue.
I'm sure my search fu isn't as strong as other folks' (or maybe I should use Bing, instead)

There's plenty about "Alphabet" though...

I'll keep looking, but is there a published response from some big organization by now?

Here's the Google press-room: https://www.google.com/press/

Plenty about the wonder and beauty of their stuffs...

 

[realwarder]

Midnitte[/url]":3209rqiz]Might be worth it to note that Google has laos created anAndroid Security Updates Google Group and committed to monthly Nexus security updates. The rest of us are probably on precarious ledge, but atleast some OEMs are committing to monthly security updates.

Actually, they committed to getting the updates to carriers monthly...

We'll see how fast users get them.

 

[Walt French]

Lwio[/url]":1rxpqy30]Got down voted a while back for saying android is becoming what windows was, now it's came to pass. It's even worse. MS could update xp on any system that wanted it, Google can't.
The buck stops with Google, they wrote the faulty code and they set up the faulty update system.

TBF, some of those XP-era bugs went into disk areas not wiped by a reinstall. I knew a couple of people who threw their machines away because they (their kids) irredeemably trashed 'em.

 

[Deleted member 192806]

Faulty Stagefright patch and newly reported sandbox bypass leave users exposed.

Whew! Last time I was this exposed was while I was being born.

 

[raptormissle]

Gary Patterson[/url]":312dw1uu]

Almost. Holding an Android phone doesn't make you a Google customer. It makes you the product they sell to advertisers. It's a bitter way to look at the relationship people have with Google, but it's the correct way. Google make money from advertising to users. The users don't pay for the ads, so they cannot be the customers.

Your attention is the product they are selling. Never forget that Google are an advertising company first and foremost. That's where their revenue comes from.

You should try using Windows 10 if you really want to see who the product is now. Windows 10 is the most privacy invasive OS in the world. I lasted 2 hours before I switched back to Windows 7.

 

[Walt French]

rick*d[/url]":bszlahve]

Peevester[/url]":bszlahve]

dlux[/url]":bszlahve]I imagine Google will have to eventually halt everything and execute an 'all-hands' security focus, similar to what Microsoft went through in the early 00s. If the do this right they can eventually come out looking like bruised heroes, but if they don't then that may ultimately be the end of Android for all but the most disposable of phones.

How are they going to get carriers to agree to that? Even if they come up with the best solution ever, the carriers with custom builds aren't going to touch it, or at least not quickly.

While I think you're right that future versions of android need to have these kind of protections built in, and they need to find a way to end OS customization (i.e. pretty much do all the hardware layer over from scratch), it's not going to be a quick solution.

It's pretty much up to the public to vote with their wallets and only buy Nexus-like phones with stock Android that can be directly upgraded at the Play Store.

But the public doesn't know enough to ask for, let alone demand, that.

This is interesting: Google is only responsible for Android bugs on the phones that it sells; it's really the customers' fault for buying Google Android phones from Verizon or Samsung. Even tho Google sells—they receive an obvious benefit that OEMs are required to agree with—the huge majority of its phones thru the OEMs.

 

[JButler]

Walt French[/url]":8d2081q9]

JButler[/url]":8d2081q9]Windows 10 Mobile can run Android apps with little or no modifications. Are these vulnerabilities applicable to Android apps running on W10M also? Either way, we might have a situation where you would be better off running your favorite Android apps on Windows 10 mobile because MS will update their phones pretty well.

Dream on. Any app that uses any significant amount of G services isn't going to get much, or any attention devoted to replacing in-app purchases, for example. That's the major way most apps monetize these days, so the combo of any work to port, plus a nearly-invisible app-buying user base, pretty much rules that out.

MS seem to have made it real easy to map Google service calls to MS's services as this video shows. Surely this lowers the burden of supporting Windows Mobile drastically and some will take advantage of that. In Europe, WP market share is around 10%, rivaling iPhone in some markets. Why would any dev give up that market if it's just a few lines of conditional code? Plus there are many apps with no dependency on G services. This could really open things up for Windows mobile.

 

[dlux]

Rosyna[/url]":3687rzxk]

Peevester[/url]":3687rzxk]How are they going to get carriers to agree to that?

The same way you get anyone to agree to do something they don't want to do: you publicly guilt, shame, and mock them until they relent.

Or, as has been pointed out numerous times here at Ars, by using the only leverage Google retains with Android - the agreements required to include Google's apps.

At some point, though, with Android getting forked by the likes of Amazon and Chinese domestic phones, and the OEM's own crapware layering, I wouldn't be surprised if Android simply becomes becomes closed-source like Windows. It's not like Google is making any money off the OS itself.

 

[Rosyna]

realwarder[/url]":15uev4cd]

dlux[/url]":15uev4cd]

andrgl[/url]":15uev4cd]It's fairly gullible to think just because you're using Windows Phone or iOS your platform is anymore secure.

If by 'gullible' you mean 'backed up by empirical data', then yes you are correct.

Not sure about the empirical data supporting iOS security:

http://www.gfi.com/blog/most-vulnerable ... s-in-2014/

Windows phone does look pretty good though.

Sigh. I'm surprised people still fall for that crap. Why do people keep falling for it?

You didn't think it was strange that neither Android nor Windows Phone were on the list? It's because neither Google nor Microsoft publicly disclose fixed security bugs.

That list only counts fixed security bugs disclosed by the vendor.

Hell, look at the Apple TV count. It has some crazy high number because Apple uses iOS for the Apple TV as well even though there is no way to access many of the APIs (like WebKit) on the Apple TV.

 

[stux]

Happysin[/url]":23bel7gg]

andrgl[/url]":23bel7gg]

anurodhp[/url]":23bel7gg]I would say between two platform one that receives security updates is more secure. The issue here is android doesn't get updates because they want you to buy a new phone.

My Lumia 720 dev phone was last update December 2014. My Note 4 dev phone was updated 2 days ago.

Which one is more secure?

There's no way that's true, if that's a dev phone. The Developer tools for WP have updated WP 8.1 far more recently than that, and if you want, all the way to Windows 10. I know, I'm using it on my phone now.

He's moaning that MS hasn't updated a phone stuck 3 major (and about to be 4) OS versions ago.

Probably still butt hurt about MS dropping Windows Phone 7 phones.

 

[Walt French]

JButler[/url]":3g6jfyyi]

Walt French[/url]":3g6jfyyi]

JButler[/url]":3g6jfyyi]Windows 10 Mobile can run Android apps with little or no modifications. Are these vulnerabilities applicable to Android apps running on W10M also? Either way, we might have a situation where you would be better off running your favorite Android apps on Windows 10 mobile because MS will update their phones pretty well.

Dream on. Any app that uses any significant amount of G services isn't going to get much, or any attention devoted to replacing in-app purchases, for example. That's the major way most apps monetize these days, so the combo of any work to port, plus a nearly-invisible app-buying user base, pretty much rules that out.

MS seem to have made it real easy to map Google service calls to MS's services as this video shows. Surely this lowers the burden of supporting Windows Mobile drastically and some will take advantage of that. In Europe, WP market share is around 10%, rivaling iPhone in some markets. Why would any dev give up that market if it's just a few lines of conditional code? Plus there are many apps with no dependency on G services. This could really open things up for Windows mobile.

Developers I chat with find that support costs are the majority of expenses for developed apps. Inevitably, those “few lines of conditional code” end up as independent sources of bugs, user confusion from slightly-different interactions, etc.

And is this current?

Sign up for your app to be considered for early access to Windows Bridge for Android. Participants will be given exclusive help and resources and a chance to give their feedback directly to the development team.

(I spoze it must be: at dev.windows.com, the first bing hit for “Android” came up with an OLDER link to porting Android apps to WinRT.)

I haven't seen the actual stats, but I'll stand by my pessimism until I see more than a tiny fraction of Android apps ported to Microsoft's system. Right now, I don't see that ANY have been, or reason to think more than a few WILL BE.

 

[Walt French]

dlux[/url]":333v9f7d]

Rosyna[/url]":333v9f7d]

Peevester[/url]":333v9f7d]How are they going to get carriers to agree to that?

The same way you get anyone to agree to do something they don't want to do: you publicly guilt, shame, and mock them until they relent.

Or, as has been pointed out numerous times here at Ars, by using the only leverage Google retains with Android - the agreements required to include Google's apps.

At some point, though, with Android getting forked by the likes of Amazon and Chinese domestic phones, and the OEM's own crapware layering, I wouldn't be surprised if Android simply becomes becomes closed-source like Windows. It's not like Google is making any money off the OS itself.

Think of Android like the storefronts that Verizon, AT&T et al maintain. None of the product is produced there, but the money is collected there. Android may be a cost center, but it's a very valuable one to Google (which is why they shelled out for it in the first place, and then pumped a LOT of resources into it). Microsoft would be VERY happy to provide alternative search, store, music etc for any formerly-Android OEM who wanted to switch from Genuine Android® to AOSP, Cyanogen or anybody else.

 

[JButler]

Walt French[/url]":3p8ecuz9]

JButler[/url]":3p8ecuz9]

Walt French[/url]":3p8ecuz9]

JButler[/url]":3p8ecuz9]Windows 10 Mobile can run Android apps with little or no modifications. Are these vulnerabilities applicable to Android apps running on W10M also? Either way, we might have a situation where you would be better off running your favorite Android apps on Windows 10 mobile because MS will update their phones pretty well.

Dream on. Any app that uses any significant amount of G services isn't going to get much, or any attention devoted to replacing in-app purchases, for example. That's the major way most apps monetize these days, so the combo of any work to port, plus a nearly-invisible app-buying user base, pretty much rules that out.

MS seem to have made it real easy to map Google service calls to MS's services as this video shows. Surely this lowers the burden of supporting Windows Mobile drastically and some will take advantage of that. In Europe, WP market share is around 10%, rivaling iPhone in some markets. Why would any dev give up that market if it's just a few lines of conditional code? Plus there are many apps with no dependency on G services. This could really open things up for Windows mobile.

Developers I chat with find that support costs are the majority of expenses for developed apps. Inevitably, those “few lines of conditional code” end up as independent sources of bugs, user confusion from slightly-different interactions, etc.

And is this current?

Sign up for your app to be considered for early access to Windows Bridge for Android. Participants will be given exclusive help and resources and a chance to give their feedback directly to the development team.

(I spoze it must be: at dev.windows.com, the first bing hit for “Android” came up with an OLDER link to porting Android apps to WinRT.)

Why do yo say that WinRT link is old? MS offers TWO options for Android developers - native porting (which is probably more preferred method from MS perspective) and Project Astoria. Project Astoria is right up there as 2nd link.

I haven't seen the actual stats, but I'll stand by my pessimism until I see more than a tiny fraction of Android apps ported to Microsoft's system. Right now, I don't see that ANY have been, or reason to think more than a few WILL BE.

There's no actual stat because Project Astoria is not even officially released yet, not to mention W10M itself.

 

[cvnk]

Aethera[/url]":3nkskgyr]Mobile "smart" phones are the single worst failure of information technology that has ever occurred.

It started with regular mobile phones which performed their function - making telephone calls - with no problems. Some also offered a few basic extras.

Then all the greed started and it all went completely to hell. Now it remains in hell.

Google is highly responsible for this. They ripped off the software repository model that existed for Linux distros for so long before, added payment features to it and did not provide a means for users to avoid all the non-free and adware-laden crap.

On top of that, mobile providers focus on marketing and selling the latest gizmos, only to orphan old models and leave the users stuck out in the cold. No security or other regular updates, as would be the case with any standard Linux distros.

Totally irresponsible and inexcusable but see how everyone has fallen for it.

While I agree that today's smart phones are certainly less secure, less reliable, more fragile, and lower endurance than yesterday's feature phones I don't agree that Google (or any other company) should be blameed for providing them. The majority of us want a mobile, always-connected computer phone and the industry responded.

I recently got stuck traveling with some crappy loaner phone from T-Mobile while I waited for a replacement Note 3. It was painful. Yes I could make calls and text and the battery life was astounding but I missed all the amazing thing my Note 3 can do like provide directions and let me read my feeds white sitting in a bar and show me where the best restaurants are.

These devices are amazing.

 

[althaz]

theblop[/url]":1370icxw]Please give us back the PC model over this crappy mobile ecosystem...

Smartphones are computers. Why do we have to throw away perfectly functioning 18+ months old mini-computers when a 0 day becomes available on their abandonned OS and makes them actually dangerous to use?
What a waste of money for users and even worse for the environment. All it would take would be for manufacturers to be forced to release their proprietary drivers to free us from their incompetence. I can't wait for an open phone that follows the linux model.

And now cars are following this seriously flawed mobile model...

If it was that important to you, you wouldn't be using Android - I'm not. Of course, I also don't particularly like iOS or iPhones (seriously Apple, bring out a phone with an OLED screen so I can at least *consider* an iPhone next time). Which I guess is why I'm on Windows Phone - there's things about both other platforms I'm envious of - but one of them is not security.

 

[althaz]

Rosyna[/url]":nx4fht5w]

realwarder[/url]":nx4fht5w]

dlux[/url]":nx4fht5w]

andrgl[/url]":nx4fht5w]It's fairly gullible to think just because you're using Windows Phone or iOS your platform is anymore secure.

If by 'gullible' you mean 'backed up by empirical data', then yes you are correct.

Not sure about the empirical data supporting iOS security:

http://www.gfi.com/blog/most-vulnerable ... s-in-2014/

Windows phone does look pretty good though.

Sigh. I'm surprised people still fall for that crap. Why do people keep falling for it?

You didn't think it was strange that neither Android nor Windows Phone were on the list? It's because neither Google nor Microsoft publicly disclose fixed security bugs.

That list only counts fixed security bugs disclosed by the vendor.

Hell, look at the Apple TV count. It has some crazy high number because Apple uses iOS for the Apple TV as well even though there is no way to access many of the APIs (like WebKit) on the Apple TV.

Uhhh...Microsoft *does* disclose security fixes - it's one of the best ways to find out how to exploit unpatched devices. Of course, I assume you meant they don't disclose security issues for Windows Phone. I know they certainly do sometimes, do they do it all the time? I have no clue. It certainly doesn't seem to happen often - but maybe it's because Windows Phone isn't much of a target and is by design and much fireproofing quite secure.

 

[cvnk]

raptormissle[/url]":1mzifg2w]

Gary Patterson[/url]":1mzifg2w]

Almost. Holding an Android phone doesn't make you a Google customer. It makes you the product they sell to advertisers. It's a bitter way to look at the relationship people have with Google, but it's the correct way. Google make money from advertising to users. The users don't pay for the ads, so they cannot be the customers.

Your attention is the product they are selling. Never forget that Google are an advertising company first and foremost. That's where their revenue comes from.

You should try using Windows 10 if you really want to see who the product is now. Windows 10 is the most privacy invasive OS in the world. I lasted 2 hours before I switched back to Windows 7.

Even after following all the advice out there on how to block all that? Our did you find other problems? Or was it just the fact that Microsoft thought they could help themselves to all your data without asking?

 

[Katana314]

Ugh...buffer overflow exploits? In 2015?

This is why I hate C. Stop trusting yourself to do the math right and use an array<>. Or a vector<>. Etcetera. Pointer-level memory buffer access should only be allowed to the nerdiest system engineer on the team.

 

[Rosyna]

althaz[/url]":1zqwhfm6]

Rosyna[/url]":1zqwhfm6]

realwarder[/url]":1zqwhfm6]

dlux[/url]":1zqwhfm6]

andrgl[/url]":1zqwhfm6]It's fairly gullible to think just because you're using Windows Phone or iOS your platform is anymore secure.

If by 'gullible' you mean 'backed up by empirical data', then yes you are correct.

Not sure about the empirical data supporting iOS security:

http://www.gfi.com/blog/most-vulnerable ... s-in-2014/

Windows phone does look pretty good though.

Sigh. I'm surprised people still fall for that crap. Why do people keep falling for it?

You didn't think it was strange that neither Android nor Windows Phone were on the list? It's because neither Google nor Microsoft publicly disclose fixed security bugs.

That list only counts fixed security bugs disclosed by the vendor.

Hell, look at the Apple TV count. It has some crazy high number because Apple uses iOS for the Apple TV as well even though there is no way to access many of the APIs (like WebKit) on the Apple TV.

Uhhh...Microsoft *does* disclose security fixes - it's one of the best ways to find out how to exploit unpatched devices. Of course, I assume you meant they don't disclose security issues for Windows Phone. I know they certainly do sometimes, do they do it all the time? I have no clue. It certainly doesn't seem to happen often - but maybe it's because Windows Phone isn't much of a target and is by design and much fireproofing quite secure.

Can you show me an example of Microsoft disclosing they fixed a Windows Phone security bug in 2014? (that's the year the graph you links to represents)

As for 2015, they haven't even fixed what they call FREAK in Windows Phone.

 

[Midnitte]

realwarder[/url]":dcth9ea8]

Midnitte[/url]":dcth9ea8]Might be worth it to note that Google has laos created anAndroid Security Updates Google Group and committed to monthly Nexus security updates. The rest of us are probably on precarious ledge, but atleast some OEMs are committing to monthly security updates.

Actually, they committed to getting the updates to carriers monthly...

We'll see how fast users get them.

Indeed, kind of surprised a carrier hasn't tried to use that as a selling point. With all the hacks and security news recently, it seems like you could sell a lot of headsets by providing security updates (let alone feature updates) on a more regular basis.

But I guess Google didn't sell an industry changing number of Nexus devices either.

 

[edwardangle]

I'm not surprised they failed to fix it.

We've gone down a bad road in programming. Well, two bad roads.

The first is that too many programmers depend entirely on virtual runtime environments, and huge standard libraries. They aren't so much programmers as programming language users. Script kiddie programmers.

The second is telling everyone and their mom to start programming. code.org comes to mind. And horse crap like "Scratch". Do we really need MORE incompetent programmers?

We don't go around telling everyone they just have to try mechanical, chemical, etc, engineering. So why software engineering? And yes, I know programming is a lot more accessible than those other fields. That isn't a proper reason for all sorts of people to do it.

If someone has the predisposition for it they'll find their way into it.

 

[Shavano]

Peevester[/url]":16vwr10b]

dlux[/url]":16vwr10b]I imagine Google will have to eventually halt everything and execute an 'all-hands' security focus, similar to what Microsoft went through in the early 00s. If the do this right they can eventually come out looking like bruised heroes, but if they don't then that may ultimately be the end of Android for all but the most disposable of phones.

How are they going to get carriers to agree to that? Even if they come up with the best solution ever, the carriers with custom builds aren't going to touch it, or at least not quickly.

While I think you're right that future versions of android need to have these kind of protections built in, and they need to find a way to end OS customization (i.e. pretty much do all the hardware layer over from scratch), it's not going to be a quick solution.

No, they just need to change their licensing terms. Just don't license new phones to use Android unless the manufacturer and the mobile provider agree to implement an update scheme that Google specifies -- that is the same as what they do on Nexus devices.

 

[microlith]

Xelas[/url]":2cgtqi4h]That brings up a point - why ARE ROM images model-specific? Linux has the capability to load drivers as needed (see Linux on every PC), Android is Linux at heart, and there is no reason you can't have the kernel load the drivers for the radios and sensors on the phone as needed, then delete the ones it doesn't need to free up space because, unlike a PC, you'll probably never change the phone config, unless Project Ara comes to pass.
Or, you can have the kernel load up "basic" (some sort of VESA standard, like on the PC?) drivers, then go online and suck down the model-specific ones from online.
Why does each and every phone model need a special ROM cooked up just for it? I don't think that extra few percent of optimization you can get form a custom image really matters with the insane specs phones have today.

This has multiple causes:
1.) Each ARM board is unique, and due to the way Linux is used on ARM it needs to have kernel-level information about the board.
B.) Because of this, drivers for some chips need to be configured explicitly for that kernel and compiled in at run time. They will hang off an arbitrary generic IO pin that may change from device to device.
iii.) There is no equivalent to VESA in the ARM world at this time.
*.) There are ways to pave over this using UEFI and DeviceTree (which ARM requires for AArch64) but that requires the handset vendors be competent with their implementations. Instead, they typically take shortcuts to keep up with the turnover demanded by the carriers and internally.

EDIT2: - There is also no reason that the sensors/devices can't have basic functionality enabled through standard API/calls in a system BIOS to enable a phone to function in "safe mode" with basic touchscreen, USB, and radio functionality with just the standard kernel installed. Just like the old DOS days on PCs from 2 decades ago.

No, Linux works as-is. The problem is that each of those devices would have a driver in the kernel, but the kernel needs to know where to look to actually talk to them. Also magnifying these problems are how the device vendors don't push their drivers upstream into the kernel and/or bank on proprietary binary-only drivers, which makes all of this impossible.

Nothing about this is truly hard, but when you have wanton interference from the carriers and a disregard of the upstream by the vendors (handset and component,) it's a given that you're going to have problems.

 

[Zarsus]

While OEMs/Carriers are being blamed for Android's current predicament, Google has to take at least half of the blame, considering that:
- it's been clear that Android OSes will hardly be updated after being sold for a very long time, so if Android was to be as secure as iOS, Google has to spend 2x more resource on making it right the first time. Instead every major updates (4.0 & 5.0) contains serious flows.
- Google has a tendency of rushing out features that are either incomplete, buggy, or ill thought out, some of which they had to do a complete rewrite an year or two later, meaning the possible vulnerable attack surface is doubled for zero gain in actual functionality, no to mention they now have to spend more resource maintaining the two versions
- instead of hunkering down and fixing shits, Google prefers to add some features and never do anything with it an year later
- remember the disk encryption that reduces I/O performance by like 80%, and they still had the audacity to release it and tout it as one of Android's security features, WTF?!

Even now it still feels like Android security is something Google has to do rather than something that they want to get right. Things will only get worse until they've changed their mindset.