[Other] Android security in 2016 is a mess.

Posted by 无法直视 on 2016-11-28 07:57:57
Summary

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.
Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.
Read on for more.

[Figure: Between 1.3 and 1.4 billion Google Android phones in March of 2016. Click image for source.]

An illustration: MediaTek / BLU phones are uploading your data.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US. It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.
When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!
This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

What about A-list phone makers?

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.
However, only because I took steps to flash the official KDZ image (V30a-ZAF-XX), which consumers would normally not do, am I now running Android 6. However, my security patch level is 2016-03, meaning there are 6 months of security updates I don’t have.
Before you think six months lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin:
The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.
My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.
(LG seems to be tracking Google’s security updates quite well, but somehow these updates are not reaching phones.)
Google’s leniency cuts both ways: More than a billion Android users, but most of them vulnerable.
It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.
The fundamental problem here is that there are a great deal of Android phone vendors who make phones from absolute entry-level to top-of-the-line flagships, who have very little incentive to spend money on post-sale security updates.
Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

What can we do?

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.
However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.
Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat, released in August of this year. In short, already then Apple made better choices in how exactly different files are encrypted, whilst Android implemented full disk encryption, which for the smartphone usecase is not the right choice. In Nougat, Android has finally also changed to file-based, but they’re missing important parts of the puzzle. The phone encryption blog post I link to is insightful, please take a look.
If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.
Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.
In other words, most normal consumers on a budget, i.e. the largest part of the Android user base, actually of the smartphone-using world, are stuck with insecure, vulnerable phones. This is not cool.
Installing a custom ROM such as CyanogenMod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support of proprietary hardware. In any case, this is not something your average consumer will have access to. Efforts like CopperheadOS (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.
Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes.
Do you know of any manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!
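The post's two observations about the LG G3 (a 2016-03 patch level on Android 6, and an Android 5.0 build that reports no patch level at all) are exactly what a defender checks when auditing a device or a fleet. The script below is an added example, not code from the original post or from LG or Google. It parses the output of `adb shell getprop` (the `[key]: [value]` line format), reads the real `ro.build.version.security_patch` property that Android 6.0 and later builds expose, and reports how many whole months the device lags behind a given monthly bulletin; a build without the property is reported as "unknown" rather than as "current". The two `getprop` dumps are constructed samples, and the model string `EXAMPLE-MODEL` is a placeholder.

```python
import re
from datetime import date
from typing import Optional

# Android 6.0+ reports its security patch level in this system property.
SECURITY_PATCH_PROP = "ro.build.version.security_patch"
RELEASE_PROP = "ro.build.version.release"

# Constructed sample `adb shell getprop` dumps (not captured from real devices).
# A Marshmallow build with the 2016-03 patch level the post mentions:
GETPROP_MARSHMALLOW = """\
[ro.build.version.release]: [6.0]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2016-03-01]
[ro.product.model]: [EXAMPLE-MODEL]
"""
# A Lollipop 5.0 build, which predates the property entirely:
GETPROP_LOLLIPOP = """\
[ro.build.version.release]: [5.0]
[ro.build.version.sdk]: [21]
[ro.product.model]: [EXAMPLE-MODEL]
"""

# One getprop line looks like: [ro.build.version.sdk]: [23]
_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)


def parse_getprop(output: str) -> dict:
    """Parse '[key]: [value]' lines from a getprop dump into a dict."""
    return {m.group(1): m.group(2) for m in _PROP_LINE.finditer(output)}


def patch_level(props: dict) -> Optional[date]:
    """Security patch level as a date, or None when the build does not report one."""
    value = props.get(SECURITY_PATCH_PROP, "").strip()
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return None
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def months_behind(level: date, bulletin: date) -> int:
    """Whole months between the device's patch level and a bulletin (0 when not behind)."""
    months = (bulletin.year - level.year) * 12 + (bulletin.month - level.month)
    return max(months, 0)


def assess(output: str, bulletin_iso: str) -> dict:
    """Summarise one device's patch status relative to a bulletin date given as YYYY-MM-DD."""
    bulletin = date.fromisoformat(bulletin_iso)
    props = parse_getprop(output)
    level = patch_level(props)
    if level is None:
        # Pre-6.0 builds (the friend's Android 5.0 G3) expose no patch level,
        # so the honest answer is "unknown", not "up to date".
        return {
            "release": props.get(RELEASE_PROP),
            "patch_level": None,
            "months_behind": None,
            "verdict": "unknown: build does not report a security patch level",
        }
    lag = months_behind(level, bulletin)
    return {
        "release": props.get(RELEASE_PROP),
        "patch_level": level.isoformat(),
        "months_behind": lag,
        "verdict": "current" if lag == 0 else f"{lag} month(s) of security updates missing",
    }


if __name__ == "__main__":
    # Compare both sample devices against the November 1 bulletin the post cites.
    for name, dump in (("marshmallow", GETPROP_MARSHMALLOW), ("lollipop", GETPROP_LOLLIPOP)):
        print(name, assess(dump, "2016-11-01"))
```

On a real device you would feed `assess()` the text of `adb shell getprop` and the date of the latest bulletin you track; the "unknown" verdict is the signal that the build is too old to even state its patch level, which in practice is the worse of the two outcomes.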
从蓉 posted 6 days ago
I volunteer to join the soy-sauce party: watch the OP's antics from the sidelines, defend the OP's dignity, fulfil my duty to reply, secure my experience-point income, actively grab a front-row seat and ask for followers, honour every follow with a follow back, everyone follows me and I follow everyone, devote my whole life to the cause of passing by with soy sauce, stand ready at any moment to sacrifice everything for followers and soy sauce, and never lurk!
蕊凡 posted yesterday at 14:18
Very interesting!