[Q] Regarding "Security Patch Level", especially on MIUI devices - Android Q&A, Help & Troubleshooting

Hi guys,
Would like to ask if there is any way to validate the date/version of the "Security Patch Level" in the About phone.
I'm currently using a Xiaomi Note (Not Pro) and I use their China Development Rom, updating every 2 weeks usually, unless there's a bug fix/feature I want, then I'll update to the following week as well.
I check on my Security Patch Level every update, and I find that it is really inconsistent with Google's Schedule. For example, Xiaomi uses only the 1st day of the month patches, ignoring any that come later in the month. Currently last week's (2016-11-24) Rom update states that it is on 2016-12-01 patch. Before that it is 2016-11-01, with no updates to 11-05 or 11-06 patches in between. AFAIK there are no details on December's patch so there's that too. Why don't they just put 11-05/06 which is on the Security Bulletin instead?
Earlier I also reported to MIUI forums regarding inconsistencies in the patch level dates when the Quadrooter vulnerability was reported and fixed, but it wasn't really well received. More information: en.miui.com/thread-346357-1-1.html
Additionally, I am still on Xposed v86 MIUI edition. Seeing that my phone is now on the December security patch, why is it not affected by the Bootloop issue which was fixed in Xposed v87? Does that mean I don't have the security patch which affects Xposed? Is the MIUI edition of Xposed not affected by this security patch?
So if manufacturers are putting whatever dates they wish without honoring Google's guidelines, does it mean that we have to take their word for it? Does this apply to other Chinese brand phones?
Considering the amount of scary security issues Android is facing lately, maybe it's time to finally change my phone? Instead of trusting Xiaomi's monthly security updates, which seem superior to most other brands at first, but are getting more and more suspicious with each passing month.
Thanks everyone.
PS: Hopefully this is the right place to ask this. I also searched quite a bit before asking this, so if a discussion already exists I hope you can point me in the right direction. Thanks again.
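As an added example, not from the original post, here is a small Python check for the question asked above. It assumes the values come from `adb shell getprop` (sample output constructed below) and relies on the bulletin convention that Google publishes two levels each month, YYYY-MM-01 and YYYY-MM-05; a level dated after the ROM's own build timestamp is flagged, because the bulletin for it did not yet exist when the image was built.

```python
"""Sanity-check the Security Patch Level (SPL) a ROM reports.

Added example, not from the original thread. It takes `adb shell getprop`
output and checks ro.build.version.security_patch against the build
timestamp in ro.build.date.utc and against Google's bulletin convention
(published levels are YYYY-MM-01 and YYYY-MM-05).
"""
import re
from datetime import date, datetime, timezone

PUBLISHED_SPL_DAYS = {1, 5}   # day-of-month values used by Google's bulletins
STALE_AFTER_DAYS = 90         # assumed threshold for "a quarter behind"

def parse_getprop(output: str) -> dict:
    """Turn `[key]: [value]` lines from getprop into a dict."""
    pattern = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)
    return {m.group(1): m.group(2) for m in pattern.finditer(output)}

def check_spl(props: dict, today: date) -> dict:
    """Return the parsed SPL plus human-readable findings (empty list = consistent)."""
    spl_raw = props.get("ro.build.version.security_patch", "")
    findings = []
    try:
        spl = date.fromisoformat(spl_raw)
    except ValueError:
        return {"spl": spl_raw, "build_date": None, "age_days": None,
                "findings": ["SPL missing or not in YYYY-MM-DD form"]}

    build_date = None
    build_utc = props.get("ro.build.date.utc", "")
    if build_utc.isdigit():
        build_date = datetime.fromtimestamp(int(build_utc), tz=timezone.utc).date()
        if spl > build_date:
            # The bulletin for that level did not exist when the ROM was
            # built, so the fixes it names cannot be in this image.
            findings.append(f"SPL {spl} postdates build date {build_date}")

    if spl.day not in PUBLISHED_SPL_DAYS:
        findings.append(f"day {spl.day:02d} is not a published bulletin level (01 or 05)")
    if spl > today:
        findings.append(f"SPL {spl} is in the future relative to {today}")

    age_days = (today - spl).days
    if age_days > STALE_AFTER_DAYS:
        findings.append(f"SPL is {age_days} days old")

    return {"spl": spl.isoformat(),
            "build_date": build_date.isoformat() if build_date else None,
            "age_days": age_days, "findings": findings}

def audit(getprop_output: str, today_iso: str) -> dict:
    """Convenience wrapper: raw getprop text plus an ISO date for 'today'."""
    return check_spl(parse_getprop(getprop_output), date.fromisoformat(today_iso))

# Constructed sample mirroring the post: a ROM built on 2016-11-24
# (epoch 1479988800 = 2016-11-24 12:00 UTC) that claims the 2016-12-01 level.
GETPROP_CLAIMED_FUTURE = """\
[ro.build.date.utc]: [1479988800]
[ro.build.version.security_patch]: [2016-12-01]
[ro.build.version.release]: [6.0.1]
"""

# Constructed sample of a consistent device: same build, 2016-11-05 level.
GETPROP_CONSISTENT = """\
[ro.build.date.utc]: [1479988800]
[ro.build.version.security_patch]: [2016-11-05]
"""

if __name__ == "__main__":
    for name, output in (("claimed", GETPROP_CLAIMED_FUTURE), ("consistent", GETPROP_CONSISTENT)):
        result = audit(output, "2016-11-30")
        print(name, result["spl"], result["findings"] or "OK")
```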

Related

android security issues and patches

I have wondered on and off occasionally what happens if a security issue happens with the android OS.
Currently, as we all know, Android is incredibly fragmented, mainly due to a system where the phone vendors roll out updates at their own leisure and Google upgrades the OS at a very fast pace. The combination of the two equals a fragmented userbase. But I have never seen an update for Android on any version stated to fix a security issue.
Then I read this article.
http://www.bbc.co.uk/news/technology-23431281
It mentions manufacturers have yet to pass on the patch, which is no surprise as here in the UK the phones that still do get updates tend to be 12 months behind Google's updates (unless a new model is on the market), which is a deliberate policy so people buy a new phone to get the new Android.
Does anyone here know which Android versions are affected and if custom ROMs have it patched?
chrcol said:
I have wondered on and off occasionally what happens if a security issue happens with the android OS.
Currently, as we all know, Android is incredibly fragmented, mainly due to a system where the phone vendors roll out updates at their own leisure and Google upgrades the OS at a very fast pace. The combination of the two equals a fragmented userbase. But I have never seen an update for Android on any version stated to fix a security issue.
Then I read this article.
http://www.bbc.co.uk/news/technology-23431281
It mentions manufacturers have yet to pass on the patch, which is no surprise as here in the UK the phones that still do get updates tend to be 12 months behind Google's updates (unless a new model is on the market), which is a deliberate policy so people buy a new phone to get the new Android.
Does anyone here know which Android versions are affected and if custom ROMs have it patched?
If you're rooted (which I assume seeing your signature) you're safe.
Also read this: http://www.androidcentral.com/making-sense-latest-android-security-scare
Well, it doesn't say you're safe if rooted; it just says you have bigger security concerns to worry about, so don't worry about this.
So in short, if that article is right, it's been a problem since Android 1.6, all that time Google hasn't bothered to patch it, Samsung did their own patch but only on the S4, and Android 4.3 is expected to be patched.
In the meantime ensure unknown app sources is disabled.
That's what I get from that article.
Very important thread.
Thanks for posting.
I'm glad I'm rooted
another article.
http://searchnetworking.techtarget....s-Report-Mobile-malware-attacks-grew-over-600
Seems Android is not disclosing the security issues, and it wouldn't surprise me if all the older phones with no updates are full of security holes.
Should Google be backporting security fixes to 2.2.x, 2.1.x etc.?
Install Xposed framework and then load the patch module to fix both security exploits, or simply only install well trusted apps
yeah I patched my AOKP now.
looking at this url it seems I can do the same on TW rom also.
http://forum.xda-developers.com/showthread.php?t=2374453

What can we expect with security?

Given the compromises found in Android recently, this is something I've thought about quite a bit.
"Most" Roms seem to be very rarely updated and if you're using a provider like Straight talk you probably don't get updates anyways.
So, I'm quite curious how Security vulnerabilities are handled? I doubt the Roms are so different that they prevent these flaws from occurring. I'd have to imagine roms may very well introduce new ones.
My thoughts on what the community can do.
I'm not a developer and frankly I'm not into the loop as well as I can be. But, I typically use older phones that aren't getting the support the newer ones are. So, being in the loop of some stuff was never a big concern of mine.
Anyways, first off I'm curious about a security auditing group. A group that can go through the most popular roms of each phone and determine if there are any security concerns. Then this group can offer a label or signing of some kind saying the rom passed the inspection.
ROMs like Hyperdrive have a ton of unique tweaks. Well, to me, when you are adding and removing things I would naturally assume you're probably adding security flaws about as much as you'd remove them.
Security and Privacy is a concern we all have. I imagine that's part of why many people switch to Roms as they remove certain privacy issues and security vulnerabilities.
But, honestly in the community what do we have that really tells us about the security situation of roms and what may be affected by recently discovered issues in Android itself?
Things can legitimately make a rom useless and even a concern to use if it's severe enough.
What about newer people coming in and they start using a rom that's affected?
Thoughts?
Your biggest issue is you can't look at the code for ROMs. All ROMs from OEMs are closed source. All you can focus on is AOSP.
As for security. There will always be security issues. That is just part of a computer based system. That's why any one that is in the loop doesn't keep anything really important on a mobile device.

11i New update for Vodafone Italian H870

Hi guys, as reported on the Vodafone Italian forum, a new update for the G6 has been released this week; it is now available through LG Bridge (didn't check through OTA).
Don't know which patch it is, or if there are any differences, because "Bridge is a Britch" (sorry), and it'll take a while to download the entire KDZ of 3.04 GB.
I'll keep you updated about possible changes, cheers
- Edit -
Just flashed the KDZ, January patch! Incredible!
Killua96 said:
Hi guys, as reported on the Vodafone Italian forum, a new update for the G6 has been released this week; it is now available through LG Bridge (didn't check through OTA).
Don't know which patch it is, or if there are any differences, because "Bridge is a Britch" (sorry), and it'll take a while to download the entire KDZ of 3.04 GB.
I'll keep you updated about possible changes, cheers
- Edit -
Just flashed the KDZ, January patch! Incredible!
Do you have a KDZ for us? Or a source to download the new Firmware? Thanks
LGG6Fan said:
Do you have a KDZ for us? Or a source to download the new Firmware? Thanks
Here: http://pkg02.lime.gdms.lge.com/dn/d...2ONAXIC8D5F3D5/H87011i_00_OPEN_EU_OP_0108.kdz
Unfortunately, the January 1 patches do not include protection for Spectre and Meltdown, as the January 5, 2018 ones do.
manuel79 said:
Unfortunately, the January 1 patches do not include protection for Spectre and Meltdown, as the January 5, 2018 ones do.
That's not so important for two major reasons:
- 821 is not vulnerable to Meltdown
- Spectre is a vulnerability that cannot be soft-patched, patches are only to block some applications of Spectre.
Anyway they're still better than December patch xD
In any case, G6 no brand ITA: no update of the patches at the moment, neither through OTA nor LG Bridge. In any case, if I have the chance I'll sell the G6 and take another.
New update V11i here. H870 bought in Orange. Only available in LG Bridge. No OTA yet.
No branded phone
Same here, Italian G6 no brand just updated to 11i via Bridge...
Sent from my LG-H870 using Tapatalk
Carrier free H870-POC successfully updated via LG Bridge.
Can anyone confirm these KDZ details?
H87011i_00_OPEN_EU_OP_0108.kdz
size: 3,04 GB
CRC32: 4D144B99
MD5: 496A4A2168084E965CCD484006AA9A0C
SHA-1: B96CAE6C178EC25DB6C5F10D6F130C57B2A32F6C
edit2
I've compared hashes with the file from the link a few posts back and they match
edit3
GDrive - H87011i_00_OPEN_EU_OP_0108.kdz
Good morning, I connected my G6 to LG Bridge and it tells me that it is impossible to verify the version of the software. Do you know the reason? Thanks
Updated through LG Bridge too...
What is with all that fuss about a security patch?! It seems that all of you work at NASA or the CIA and you have big data that interests anyone....
Sent from my LG-H870 using Tapatalk
vic604 said:
What is with all that fuss about a security patch?! It seems that all of you work at NASA or the CIA and you have big data that interests anyone....
We've been without updates for several months and received November patch at the end of December, this is why it's surprising to see January patch.
Killua96 said:
We've been without updates for several months and received November patch at the end of December, this is why it's surprising to see January patch.
Yeah... But you see that is only ninja smoke... This was done to make us forget for a while about the Android 8.0 update... And also my humble opinion is that this security update doesn't matter. And keep in mind, if someone with the right know-how wants to find an exploit to access your phone, it will be done...
I am sorry for speaking my mind, I usually read without saying anything, but this time I did not understand what the whole fuss was... A new thread and some of the guys asking the developer about updates with the new patch
Sent from my LG-H870 using Tapatalk
vic604 said:
Yeah... But you see that is only ninja smoke... This was done to make us forget for a while about the Android 8.0 update... And also my humble opinion is that this security update doesn't matter. And keep in mind, if someone with the right know-how wants to find an exploit to access your phone, it will be done...
I am sorry for speaking my mind, I usually read without saying anything, but this time I did not understand what the whole fuss was... A new thread and some of the guys asking the developer about updates with the new patch
Sent from my LG-H870 using Tapatalk
It's not ninja smoke, it's what LG should have done since ever like other OEMs, releasing updates frequently. No one forgot the late 8.0 update, I am (and probably all) angry with LG for late major updates without any right excuse (like introducing Treble, for example).
Also security patches are important when there are RELEASED vulnerabilities that allow anyone with the right abilities to steal your data, your money or whatever else, like the KRACK vulnerability, which has been KNOWN since November and patched in December, and we received the update now.
I see much negativity coming from you; you're right, if a hacker wants your data they will probably get it anyway, but the probability is low, like many other scenarios.
To sum up:
- I'm happy to have received a new update
- I'm happy that my device is more secure
- I'm UNhappy that LG won't update the G6 soon to Oreo.
That's all for me =)
Killua96 said:
It's not ninja smoke, it's what LG should have done since ever like other OEMs, releasing updates frequently. No one forgot the late 8.0 update, I am (and probably all) angry with LG for late major updates without any right excuse (like introducing Treble, for example).
Also security patches are important when there are RELEASED vulnerabilities that allow anyone with the right abilities to steal your data, your money or whatever else, like the KRACK vulnerability, which has been KNOWN since November and patched in December, and we received the update now.
I see much negativity coming from you; you're right, if a hacker wants your data they will probably get it anyway, but the probability is low, like many other scenarios.
To sum up:
- I'm happy to have received a new update
- I'm happy that my device is more secure
- I'm UNhappy that LG won't update the G6 soon to Oreo.
That's all for me =)
My opinion is that most of us here have got our phones rooted and we also have a bunch of apps that can be manipulated to gain access to our phones, and in my opinion, for me it is not so much LG's work but the work of the developers here that patch the systems and kernels and apps that we use daily. My current negativity through all the talk here about this patch is regarding the pressure on developers to upgrade their work. And I know that none ask for the exact date of the upgrade, but some people pointed out the release of the patch and wanted a new upgrade... So this seems to me a bit rude... I don't want to fight with anyone... But I needed to express my thoughts. Have a good one guys and enjoy a great device
Sent from my LG-H870 using Tapatalk
vic604 said:
My opinion is that most of us here have got our phones rooted and we also have a bunch of apps that can be manipulated to gain access to our phones, and in my opinion, for me it is not so much LG's work but the work of the developers here that patch the systems and kernels and apps that we use daily. My current negativity through all the talk here about this patch is regarding the pressure on developers to upgrade their work. And I know that none ask for the exact date of the upgrade, but some people pointed out the release of the patch and wanted a new upgrade... So this seems to me a bit rude... I don't want to fight with anyone... But I needed to express my thoughts. Have a good one guys and enjoy a great device
Sent from my LG-H870 using Tapatalk
Devs here on XDA do this because they like doing it, that's why it's not correct to press them for updates. But OEM devs are different, they're paid for what they're doing, like my boss pays me for the work I do, and he expects me to do my best. Here it's LG's fault (concerning both the lack of updates between July and December and Oreo) because other OEMs have already updated their flagship devices, and some also their medium range devices.
I never press devs of apps, mods, kernels or ROMs because they do me a favor. I press OEMs' devs because they're paid for what they're doing, and because all other OEMs' devs are doing a better job.
Hope I've been more clear, there is no reason to fight, we're discussing our own ideas, I'm not angry with you only because you expressed your thoughts
Why is this update only available via computer? Will it be available later via OTA?
I do not have a computer
Sent from my LG G6 using XDA Labs
Does someone have the unbranded KDZ? I'm on a TIM-branded G6 still on the July patch, it's time to manually update.

General [N200] T-Mobile version July patch is out

I noticed mine rebooted without any notice, and I found out it has updated to July patch
Those who have OnePlus Updater can try to check for the full ROM
I tried to look for the OTA in the usual place (/sdcard/.ota) but sadly it's not there. Any other possible location it could be hidden at?
The update is also out for NA unlocked version, just checked today and system settings is ready to update to "OxygenOS 11.0.2.0.DE17AA" which includes "July 2021 security patch" and "General improvements".
It says the total update size is 480MB, so I'm guessing it's just another partial update that we can't actually extract anything from.
Even so, I've been trying to find where the file is stored on my phone but I'm not having any luck. It's downloaded, waiting to install, but it isn't present anywhere. I even ran `find / -iname '*ota*' 2>/dev/null` to see if there's any files named "OTA" on the device that I can access, but I couldn't find any.
I'm guessing it's either well hidden, or in a place which requires root permissions to access.
Unfortunately, I rebooted my phone after it initially found the update, so I don't have the update url to download it, even if it is still just a partial update.
They're really not making it easy for us on this one
My question is, since Android is GPL, why isn't it already released?
Now the whole OnePlus is in hot mess
Look at N10 and you know what the Hell is going on
Even R is out and you can grab full ROM from OnePlus updater, the official support still stuck on Q
Before the situation cleared out, I doubt I may get other OnePlus device even 9T
alarmdude9 said:
My question is, since Android is GPL, why isn't it already released?
AOSP is GPL and open-source but it is up to the manufacturers when and if they want to release the Android builds for their devices to the public, let alone make the builds open-source.
I know that part, what I meant was most manufacturers dump stuff rather quickly when it has GPL code in it, due to various other manufacturers getting pounded on by the GNU community. It may be an option for us to get at least something going if they don't release it.
alarmdude9 said:
I know that part, what I meant was most manufacturers dump stuff rather quickly when it has GPL code in it, due to various other manufacturers getting pounded on by the GNU community. It may be an option for us to get at least something going if they don't release it.
True. It's quite odd for OnePlus to have not released the ROM and tools by now.
Yeah, I can only speak in generalities as this is my first OnePlus phone. Went with it because I had heard how great their community was for hacking the phones. Makes me a bit sad, but worst case I'm not out much and for what it is, it's an OK cheap phone. I personally do hate it when people don't drop their GPL stuff though. I'm not Richard Stallman level open source, but I do like and respect it for the opportunities it gives smart people to poke at stuff.
There was a post in one of the other threads where they quoted oneplus support as saying the ROM will be made available eventually. We just have to wait.
The N200 was released a month ago, so we'll get something Soon (TM)
- edit: I replied to the wrong thread. Please disregard -
I can't find an option for deleting the post on mobile, so I'm just editing it.

Question: are we expecting an update on the 4th of April?

Are we expecting an update on the 4th of April?
updates are usually planned for the first Monday of the month right?
Right
I personally am not expecting this phone to get updated on the first Monday. And technically that would not even be a month from the last update anyway. For whatever reason Google really hasn't been able to keep this phone on the same schedule as the others. It could be due to the fact that it is the only one on Linux kernel version 5; all others are on version 4. Or maybe it's because they have too much other crap going on with dev previews. We had the 12L DP, which was really only a feature drop. Then we have the 13 beta. And then they announced that the 12L program would be continued as a monthly platform for the next feature drop. So I personally think they took on too much. Then you add in that the P6 is a completely different phone than the previous generations of Pixels. They still haven't figured out the modem yet.
So my answer is no I don't expect it the first Monday in April maybe the second Monday.... maybe
Yes, I am expecting an update on Monday, Google needs to start releasing timely updates for their latest phones.
Without any actual information on which to base my opinion, I'm guessing yes we'll see the update on the 4th. It's not a Feature drop month so the update will be simpler, and they really need to incorporate the dirty pipe patched kernel.
I'm not expecting anything. I'll wait until my Pixel 6 comes back from RMA (for the second time) and then I'll sell that POS.
Haptics!!!
The March update seemed to be on schedule for the older Pixel devices using older kernels. I believe that latest devices with the newer kernels were delayed because of the 0-day exploit that was discovered last-minute. They wanted to patch that in the March update.
So barring anything like that then I would expect Google to be on time with the April update. Or at least not as late as the March update was.
The only bad thing about updates is the unnecessary new threads from peeps not understanding what they are doing.
Also custom Roms create issues.
I guess flashing and modding for the hell of it with no idea why. Is like a drug to some peeps.
utnick said:
I believe that latest devices with the newer kernels were delayed because of the 0-day exploit that was discovered last-minute. They wanted to patch that in the March update.
The fix is in kernel version 5.10.102 and above and the kernel version for the March update is 5.10.66. The CVE for this vulnerability is not listed in the March update either.
I don't believe they fixed this in March.
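An added example, not part of the thread, that automates the comparison this post makes. It assumes the kernel string comes from `uname -r` or /proc/version (Android appends suffixes like `-android12-9-00041-g...` to the upstream number; the samples below are constructed) and takes the fix version the post names, 5.10.102, as the threshold. As the post itself points out, the bulletin's CVE list is the authoritative record: OEMs also backport fixes without bumping the version, so a lower number says the fix is not in that stable release, not that the device is necessarily exposed.

```python
"""Compare a device's running kernel version with the version a fix landed in.

Added example, not from the thread. Parses the upstream x.y.z triple out of
an Android kernel string and compares it with the version in which a fix was
released. Only the same stable series (same x.y) can be compared; a 4.14 or
5.4 kernel cannot be judged by a 5.10 fix number.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

def parse_kernel_version(text: str) -> Optional[Version]:
    """Extract the first x.y or x.y.z number from a uname/proc-version string."""
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(?!\d)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def kernel_fix_status(version_text: str, fixed_in: str) -> str:
    """Return 'at-or-above-fix', 'below-fix', 'different-series' or 'unknown'."""
    have = parse_kernel_version(version_text)
    need = parse_kernel_version(fixed_in)
    if have is None or need is None:
        return "unknown"
    if have[:2] != need[:2]:
        # Different stable series: the fix version for this series is not known here.
        return "different-series"
    return "at-or-above-fix" if have >= need else "below-fix"

# Constructed sample: the kernel the post reports for the March update, with a
# typical Android suffix (the git hash is made up), and the fix version it names.
MARCH_UPDATE_KERNEL = (
    "Linux version 5.10.66-android12-9-00041-g0123456789ab (build@host) "
    "#1 SMP PREEMPT"
)
FIXED_IN_5_10 = "5.10.102"

if __name__ == "__main__":
    print(kernel_fix_status(MARCH_UPDATE_KERNEL, FIXED_IN_5_10))  # below-fix
```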
TonikJDK said:
The fix is in kernel version 5.10.102 and above and the kernel version for the March update is 5.10.66. The CVE for this vulnerability is not listed in the March update either.
I don't believe they fixed this in March.
You are correct. They didn't fix the dirty pipe vulnerability with the March update and in fact Google confirmed that the delay in March was not due to this particular vulnerability.
TonikJDK said:
The fix is in kernel version 5.10.102 and above and the kernel version for the March update is 5.10.66. The CVE for this vulnerability is not listed in the March update either.
I don't believe they fixed this in March.
I guess I should have looked that up.
But I'm really not bothered about when in the month the updates come as long as they come. Though I'm coming from an LG phone and updates weren't really a thing I expected from them.
utnick said:
I guess I should have looked that up.
But I'm really not bothered about when in the month the updates come as long as they come. Though I'm coming from an LG phone and updates weren't really a thing I expected from them.
I am not too worried about this vuln. It requires physical access to the phone.
Based on previous updates I won't be in a hurry to install the next one right away.
TonikJDK said:
I am not too worried about this vuln. It requires physical access to the phone.
As far as I know, the dirty pipe vulnerability can be included in a compromised app.
Fido hasn't listed anything yet.
The March update was released on 03/21, right? That will be two weeks tomorrow -- seems an awful short turnaround.
I'll be pretty surprised if the April update rolls out on the 4th.
It's here.
Update 12.1.0 (SP2A.220405.004, Apr 2022) released 1PM EDT April 4th
Still Kernel 5.10.66.
where do we find a changelog?
