android security issues and patches - Galaxy S III Q&A, Help & Troubleshooting

I have wondered on and off occasionally what happens if a security issue happens with the android OS.
Currently, as we all know, Android is incredibly fragmented, mainly due to a system where the phone vendors roll out updates at their own leisure and Google upgrades the OS at a very fast pace. The combination of the two equals a fragmented userbase. But I have never seen an update for Android on any version stated to fix a security issue.
Then I read this article.
http://www.bbc.co.uk/news/technology-23431281
It mentions manufacturers have yet to pass on the patch, which is no surprise, as here in the UK the phones that still do get updates tend to be 12 months behind Google's updates (unless a new model is on the market), which is a deliberate policy so people buy a new phone to get new Android.
Does anyone here know which Android versions are affected and if custom ROMs have it patched?

chrcol said: [quoting the post above]
If you're rooted (which I assume, seeing your signature) you're safe.
Also read this: http://www.androidcentral.com/making-sense-latest-android-security-scare

Well, it doesn't say you're safe if rooted; it just says you have bigger security concerns to worry about, so don't worry about this.
So in short, if that article is right, it's been a problem since Android 1.6, all that time Google hasn't bothered to patch it, Samsung did their own patch but only on the S4, and Android 4.3 is expected to be patched.
In the meantime ensure "unknown app sources" is disabled.
That's what I get from that article.

Very important thread.
Thanks for posting.
I'm glad I'm rooted

Another article.
http://searchnetworking.techtarget....s-Report-Mobile-malware-attacks-grew-over-600
Seems Android isn't disclosing the security issues, and it wouldn't surprise me if all the older phones with no updates are full of security holes.
Should Google be backporting security fixes to 2.2.x, 2.1.x etc.?

Install Xposed framework and then load the patch module to fix both security exploits, or simply only install well trusted apps

Yeah, I patched my AOKP now.
Looking at this URL it seems I can do the same on a TW ROM also.
http://forum.xda-developers.com/showthread.php?t=2374453

Related

Android Software

Would I be correct in assuming (at least until recently with the Nexus One and ICS), that every Android phone can run the latest version of the software, and the fragmentation of the platform that people generally refer to are the skins that developers layer over stock that aren't getting the updates? Thanks ahead of time for the answer.
Not every single Android device will be able to run it, but many will. Even devices which won't get it officially will still get it ported/developed unofficially.
I guess what I was meaning to ask is, when ICS is released, what is stopping every phone except for the Nexus One from running it, since that is the only phone that Google specifically said wouldn't be able to run it? Note, I'm not talking about HTC Sense etc., but just basic Android underneath it. Is Android more unified than competitors would have others believe?
Ratlegion said: [quoting the post above]
Actually, the Nexus One can run it. See here: http://www.youtube.com/watch?v=dyPeT-ZUbBw . A device may not be found fit to run ICS (based on hardware specs), which will cause them not to get the update officially. The hardware requirements may be the main thing stopping some devices from getting the update, since weak hardware with little power will not allow the system to run as it should. On the other hand, this does not stop developers from porting/making unofficial roms to devices which are claimed unable to run it or just not getting the update officially.

What can we expect with security?

Given the compromises found in Android recently, this is something I've thought about quite a bit.
"Most" Roms seem to be very rarely updated and if you're using a provider like Straight talk you probably don't get updates anyways.
So, I'm quite curious how security vulnerabilities are handled. I doubt the ROMs are so different that they prevent these flaws from occurring. I'd have to imagine ROMs may very well introduce new ones.
My thoughts on what the community can do.
I'm not a developer and frankly I'm not into the loop as well as I can be. But, I typically use older phones that aren't getting the support the newer ones are. So, being in the loop of some stuff was never a big concern of mine.
Anyways, first off I'm curious about a security auditing group. A group that can go through the most popular roms of each phone and determine if there are any security concerns. Then this group can offer a label or signing of some kind saying the rom passed the inspection.
ROMs like Hyperdrive have a ton of unique tweaks. Well, to me, when you are adding and removing things I would naturally assume you're probably adding security flaws about as much as you'd remove them.
Security and privacy are concerns we all have. I imagine that's part of why many people switch to ROMs, as they remove certain privacy issues and security vulnerabilities.
But, honestly in the community what do we have that really tells us about the security situation of roms and what may be affected by recently discovered issues in Android itself?
Things can legitimately make a rom useless and even a concern to use if it's severe enough.
What about newer people coming in and they start using a rom that's affected?
Thoughts?
Your biggest issue is you can't look at the code for ROMs. All ROMs from OEMs are closed source. All you can focus on is AOSP.
As for security: there will always be security issues. That is just part of a computer-based system. That's why anyone that is in the loop doesn't keep anything really important on a mobile device.

Updates to Custom ROM?

I'm new to this and don't know the proper forum to ask about updates. Google seems to be releasing monthly software updates to address software vulnerabilities.
With my Verizon Android phone, I understand (and am unhappy) that there are precious few updates, unless of course they in some way benefit Verizon. The phone remains on 4.4 a full year after Lollipop came out, and there are still vulnerabilities that are not being fixed.
Frustrated that my Galaxy Tab 10.1 languished on Honeycomb, I rooted and installed the AOSP ROM by decatf. Except for the Amazon Kindle App and some video weirdness, all the apps I use seem happy. My question is, "is it correct to assume that the ONLY way my tablet will get security updates is if decatf decides to recompile his custom ROM and make it available?" (That seems unlikely, unless he personally owns and uses one of these old Galaxy Tabs.)
I am thrilled to have new life in my old Tab, and happy decatf is so generous with his time and effort. In addition, a case can be made that my Tab on this 5.1.1 ROM is more up to date (and secure) than more modern tablets which are not being updated by their manufacturers.
Do I understand the situation correctly?
Yes, one of the downsides of flashing custom software, in most cases, is that you no longer get OTA updates and have to manually flash them.

[Q] Regarding "Security Patch Level", especially on MIUI devices

Hi guys,
Would like to ask if there is any way to validate the date/version of the "Security Patch Level" in About phone.
I'm currently using a Xiaomi Note (not Pro) and I use their China Development ROM, updating every 2 weeks usually, unless there's a bug fix/feature I want, then I'll update the following week as well.
I check on my Security Patch Level every update, and I find that it is really inconsistent with Google's Schedule. For example, Xiaomi uses only the 1st day of the month patches, ignoring any that come later in the month. Currently last week's (2016-11-24) Rom update states that it is on 2016-12-01 patch. Before that it is 2016-11-01, with no updates to 11-05 or 11-06 patches in between. AFAIK there are no details on December's patch so there's that too. Why don't they just put 11-05/06 which is on the Security Bulletin instead?
Earlier I also reported to MIUI forums regarding inconsistencies in the patch level dates when the Quadrooter vulnerability was reported and fixed, but it wasn't really well received. More information: en.miui.com/thread-346357-1-1.html
Additionally, I am still on Xposed v86 MIUI edition. Seeing that my phone is now on the December security patch, why is it not affected by the bootloop issue which was fixed in Xposed v87? Does that mean I don't have the security patch which affects Xposed? Is the MIUI edition of Xposed not affected by this security patch?
So if manufacturers are putting whatever dates they wish without honoring Google's guidelines, does it mean that we have to take their word for it? Does this apply to other Chinese brand phones?
Considering the amount of scary security issues android is facing lately, maybe it's time to finally change my phone? Instead of trusting Xiaomi's monthly security updates which seems superior to most other brands at first, but it's getting more and more suspicious with each passing month.
Thanks everyone.
PS: Hopefully this is the right place to ask this. I also searched quite a bit before asking this, so if a discussion already exists I hope you can point me in the right direction. Thanks again.
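The patch level shown under About phone is the value of the ro.build.version.security_patch property, and the dates in the post (a ROM seen on 2016-11-24 claiming 2016-12-01) can be sanity-checked against the calendar. This is an added example, not code from the thread or from Xiaomi; it assumes Google's bulletins use levels dated the 1st and 5th (plus the 2016-11-06 level) and uses an arbitrary 90-day staleness threshold.

```python
"""Sanity-check an Android Security Patch Level string against the calendar.

Added example (not from the thread). Flags a level dated after the day it was
observed, a level that is already stale, and a day-of-month that does not line
up with the bulletin cycle. Thresholds and bulletin days are assumptions.
"""
from datetime import date
import re
import subprocess

PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
STALE_AFTER_DAYS = 90      # assumed threshold; tune to your own risk appetite
BULLETIN_DAYS = {1, 5, 6}  # 1st/5th of each month; 2016-11-06 also existed


def parse_patch_level(value: str) -> date:
    """Parse 'YYYY-MM-DD' as reported by getprop; raise on anything else."""
    m = PATCH_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected patch level format: {value!r}")
    year, month, day = (int(g) for g in m.groups())
    return date(year, month, day)


def assess_patch_level(value: str, observed_on) -> dict:
    """Return findings for a patch level seen on observed_on (date or str)."""
    if isinstance(observed_on, str):
        observed_on = parse_patch_level(observed_on)
    level = parse_patch_level(value)
    age_days = (observed_on - level).days
    return {
        "level": level.isoformat(),
        "age_days": age_days,
        # A level dated after the day it was observed cannot correspond to a
        # bulletin the vendor has actually integrated: treat as unverifiable.
        "claims_future": age_days < 0,
        "stale": age_days > STALE_AFTER_DAYS,
        # Days other than the bulletin ones do not map to a published level.
        "matches_bulletin_day": level.day in BULLETIN_DAYS,
    }


def read_device_patch_level() -> str:
    """Query a connected device via adb (needs adb and USB debugging on)."""
    out = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Offline demo using the dates quoted in the post.
    print(assess_patch_level("2016-12-01", "2016-11-24"))
    try:
        print(assess_patch_level(read_device_patch_level(), date.today()))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("no device reachable via adb; offline demo only")
```

A level that comes back with claims_future set cannot have been derived from a bulletin the vendor actually integrated, which is the signal the post is asking how to obtain.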

Is it possible to install Security Updates alone, without upgrading Android?

Hi everyone,
I can't find a satisfactory answer on my favorite search engines, so I thought I'd come here and ask. Sorry if this question has already been put on the table, carved, sliced and gobbled, I couldn't find trace of it in the forum's search engine either.
My phone's a Leagoo T5c that will forever be stuck on Android 7.0, it seems, because the OEM has already lost interest, and because its SoC makes it difficult, if not downright impossible, to find a suitable custom ROM.
The latest ROM I could find and install on this phone goes back to August of 2018 (no-no, no typos), and its Security Update is even one month older (July 2018).
My question is in the title: Is it possible to install Security Updates without reinstalling/updating/upgrading the firmware itself, like you would in, say, Windows or any other OS, I presume?
UglyStuff said: [quoting the post above]
With Android 10, Google Play security updates were introduced, which let you receive security updates (not all of them, unfortunately; some require an upgrade) without updating the full OS. You can't do it because you're stuck with the wrong Android version.
Hopefully you won't have any issues with hacking but consider buying a new phone when you'll get a chance
Security updates get rolled out as OTA by OEM/Carrier if they consider it's necessary. You can't force it. Theoretically, all Android smartphones should get around two years of security updates. However, the reality is often very different.
The Leagoo T5c is a small-budget phone that was sold for 99 USD, so more or less a disposable item. You cannot expect the OEM/carrier to have any interest in providing updates for such a phone.
Thank you both for your explanations. I understand that Android works differently when it comes to updating itself, mostly because Google isn't the only party to have a voice in the chapter; still, it's unnerving to see that the end-user is more or less captive anyway.
It kinda defeats the very purpose of an open-source OS, to have to wait for an OEM to release (or not) an update, when you could install the patches yourself.
As for buying another phone, well, as soon as I've got the dough, I will, believe me. Not because I'm dissatisfied with this one, but because I don't like the idea of toting around a phone that hasn't seen a security update in over two years.
I'm also seriously considering moving to Ubuntu Touch, though there again, my phone's exotic platform could be problematic. Custom ROMs seem to be as complicated an avenue as others, too.
All in all, Android isn't what they sold me: It's not secure, it's not "free", it's just another way to make you shell out bucks for new hardware every couple years.
Android is just iOS without the eye-candy, you ask me...
UglyStuff said: [quoting the post above]
Android isn't iOS precisely because you can break free from your OEM by flashing a custom ROM. You can develop one for almost any device as long as the OEM releases the kernel source code. And most OEMs do (except for some very unknown phones).
Custom ROMs like GrapheneOS are made to free you from Google Services and are truly privacy oriented. And all of that is possible because Android is open source.
Trust me, the Android community has always worked actively to counter aging of their devices (including me).
Just buy a phone with a solid community behind and you'll be able to keep it up to date a looong time
Raiz said: [quoting the post above]
I agree with you in principle, but if I must take an example: I have this Early 2006 MacBook Pro with a Core Duo CPU that precludes me from even installing Mac OS X 10.7 "Lion" on it, because the CPU is 32-bit-only, and Lion requires a 64-bit CPU.
The machine itself works very well, albeit a bit slowly, but then it's got only 2 GB of RAM and a 120-GB SSD. When I got fed up with OS X applications not updating/upgrading and Firefox addons not installing because my copy of Firefox was too old, I partitioned the SSD, installed rEFInd as boot manager, and installed Zorin 15.2 (now 15.3) Lite 32-bit.
I now spend more time on the Linux side of this Mac than on the OS X side, and updating/upgrading it is a breeze, either via the dedicated application or in Terminal. I know there'll be an end-of-the-line there too, someday, but at least I'll keep using this Mac until it truly dies on me, not when Apple tells me it's dead.
This, for me, is the very essence of open-source: Not just the fact that it's free, but that you can revive an old machine and keep it running long after Apple et al have decided that it had gone the way of the dinosaurs.
The same doesn't apply to Android, alas. Here, you must have a compatible SoC/chipset/what-have-you, a Treble-compatible device, you must have this, you must have that...
In the end, only a fraction of Android users really get to enjoy everything their device has to offer for as long as they choose; the others just pop into the nearest phone store, be it brick-and-mortar or cyber, and must produce their credit card.
My question was as much a challenge to myself as anything else. I would really like to learn how Android works, but the tutorials and articles I've found here and there are all a bit cryptic.
That's why I'm regularly prowling this forum, I guess.
"Hunting high and low", as the song goes... :laugh:
Yep, good question, but Google and manufacturers are in it for the moola, not the user's 2-year-old phone.
hiitsrudd said: [quoting the post above]
Don't I know it! It's true that even budget phones have decent specs nowadays, still, why dump a perfectly functioning phone simply because you can't update/upgrade the software?
I understand Google's rationale, of course: They invest tons of money year after year after year to keep the whole boat afloat, and they need a steady income. OK. Still, to not be able to keep your phone ***safe*** is a no-go for me.
I'm seriously beginning to think about installing Ubuntu Touch on the device. I think I'm going to try that next weekend.
I'll probably come back here with my eyes red, asking for help in unbricking my phone, though.
Stay tuned! :good:
A follow-up: if you are mindful of your own security it's conceivable to get more usage out of that Android. I don't use a banking app, but if need be use a good browser (that's updated, of course) and update all often-used apps via the Play Store. I'm still running Oreo on my phone. FYI, you iOS people need to do critical updates ASAP.
