Another new kernel flaw that Google won't fix for Android users prompts more switching to Apple's i

A new kernel privilege escalation flaw discovered in the Linux kernel requires server operators to install a patch, but is not going to be fixed for the majority of Android users. After record numbers switched to iOS last quarter, Google's inability to update its user base is inciting switchers to move to iPhones even faster.



A new 0-Day flaw discovered by Perception Point Research has existed since 2012, long enough to have spread the vulnerability across "tens of millions of Linux PCs and servers, and 66 percent of all Android devices."

As noted in a report by Dan Goodin of Ars, the flaw allows unprivileged apps to "gain nearly unfettered root access," including access to camera, microphone, GPS location and personal data.

Having been discovered, the flaw is relatively easy to fix for most desktop and server users, but requires a kernel patch on Android that most users of phones, tablets and other devices are unlikely to ever get.

Despite releasing a new version of Android last fall alongside iOS 9, Google still only reports that a tiny fraction of its installed base has gained access to it--in stark contrast to the 75 percent majority of iOS users who are now on the latest software from Apple.

Android's problem is caused by the fragmented accountability of carriers, hardware makers and Google itself to create, test and distribute updates for their customers after the initial sale.


Source: Google


Android's problem is even more serious in China, where reportedly just 20 percent of the installed base has upgraded to software newer than 2014, despite high volume sales of new hardware. Even Android licensees in the U.S. frequently sell outdated hardware with old versions of Android installed on them, with no plans to ever service users with necessary updates and security patches.

"Android/Google needs to fix their update model," wrote a 'reader favorite' commenter at Ars. "Most Android phones with this bug will never be fixed. It is getting more and more difficult to not actively recommend that people avoid Android for Windows Phone and Apple iOS."

Another stated, "I really really really wish Google would solve the Android update problem. These bugs will happen, and it's impossible to ask developers to always create perfectly secure code. It's really irresponsible to have no way to quickly roll out fixes to your customers. There have been so many security issues with my Android phone, and none of them would be a big deal at all if they could just roll out a fix quickly! Instead I just feel frustrated."

Google did make an attempt to address the issue in the Android Update Alliance, an initiative from 2011 to get hardware makers to commit to at least a year and a half of software update support for their new phones. But it couldn't even win that minor concession from its partners. Hardware makers are actually incentivized not to update old products because this could make their new offerings less attractive (and less necessary to buy).

When Samsung released its Knox software aimed at securing Android enough to sell to enterprise buyers, it only distributed it on its newest and most expensive models.

"I can't take it anymore"



Last summer at the outbreak of Stagefright (a flaw that enabled attackers to compromise Android devices by simply sending a text message), Android enthusiast Lorenzo Franceschi-Bicchierai wrote, "In many ways, Android is great. I love its open source ethos and the ability one has to customize it. But I can't take it anymore for one simple, but really fundamental, reason.

"Google still has very little control over software updates, and Android users are basically at the mercy of their carriers and phone manufacturers when it comes to getting updates or new operating system versions."




He cited a tweet by security researcher Nicholas Weaver: "Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android."

In November, Chris Soghoian, the principal technologist for the American Civil Liberties Union, described Google's lack of updates--combined with its lack of user privacy and data collection--as a "digital security divide," adding that "the security people I know at Google are embarrassed by Android."

Apple has long pursued security and the rapid distribution of free updates of iOS as a differentiating feature. Android switchers are increasing. Tim Cook noted in the company's last earnings call that switchers from Android now account for 30 percent of new sales--the highest quarterly rate of switchers ever.

Data from Ericsson noted that iOS has a regular net influx of switchers that surges with each new iPhone release.

Comments

  • Reply 1 of 125
    Regardless of the truth of the title, nothing in the article supports it.
  • Reply 2 of 125
    Can you believe that people still ask me why I'm on iOS?
  • Reply 3 of 125
    crowley Posts: 8,755 member
    Not sure there's any evidence that exploits are directly responsible for users switching from Android to iOS, but hey, when did that ever stand in the way of a fan-pleasing headline?
    edited January 2016
  • Reply 4 of 125
    auxio Posts: 2,333 member
    sog35 said:
    I wonder if Apple sold an iOS version for Android phones people would buy it?

    I wonder if people would buy iOS software for $99?

    Buy a $300 Android phone and then $99 to install iOS?
    Why in the world would Apple want to have to develop for and test iOS on hundreds of devices which are being built as cheaply and quickly as possible (with little regard for quality)?  They'd end up turning into Microsoft -- stuck in the quagmire of supporting cheap hardware and unable to move forward because of it.
    edited January 2016
  • Reply 5 of 125
    sockrolid Posts: 2,789 member

    Data from Ericsson noted that iOS has a regular net influx of switchers that surges with each new iPhone release.
    Good times!
  • Reply 6 of 125
    volcan Posts: 1,799 member
    According to the researchers, SELinux on Android makes this exploit extremely unlikely. SELinux was adopted by Android in version 4.3. So if you look at the graph in this article you can see that approximately 2/3 of all Android devices are protected by SELinux. Sure, they should be patched but the danger is extremely small for most Android users. Same for any Linux server using SELinux, which includes a large portion of commercial servers because Red Hat and CentOS are by far the most popular and they have implemented SELinux by default for many years.
  • Reply 7 of 125
    gatorguy Posts: 23,175 member
    EDIT: Never mind. Not worth it.
    edited January 2016
  • Reply 8 of 125
    sog35 said:
    auxio said:
    Why in the world would Apple want to have to develop for and test iOS on hundreds of devices which are being built as cheaply and quickly as possible (with little regard for quality)?  They'd end up turning into Microsoft -- stuck in the quagmire of supporting cheap hardware and unable to move forward because of it.
    I'm not looking at this from Apple's perspective or that they should do this.

    I'm just wondering how much people would be willing to pay for iOS software.

    I think an option for Apple is to start a secondary brand. They should call it Peach. But they won't be responsible for building/selling the hardware. They would simply license iOS to this hardware company. They could sell these Peach phones for $250-$300 in Africa, Eastern Europe, South America, etc. It would run a light version of iOS (sort of like what the older iPhones run now). Eventually many of these Peach buyers will upgrade to the real deal Apple. It's sort of like a Toyota/Lexus thing. But the good part is all the risk would be on the hardware company building these phones, and not Apple.
    You are truly living in La la land. There's more chance of Tim marrying Kim Kardashian than that happening. Your constant ramblings about the share price and loathing of Tim as a CEO have finally unhinged your mind.
    Suggesting a strategy of destroying your own margins by deliberately making an inferior product and then letting others make the hardware and have all that negativity.. 
  • Reply 9 of 125
    sog35 said:
    I wonder if Apple sold an iOS version for Android phones people would buy it?

    I wonder if people would buy iOS software for $99?

    Buy a $300 Android phone and then $99 to install iOS?
    This would saddle Apple with support of Android's oft mentioned fragmentation, with nothing to gain from it. Every dollar earned selling iOS would probably cost at least a dollar in lost Apple hardware earnings. Steve Jobs understood this when he stopped the sale of Mac OS to cloners upon returning to Apple. I imagine there would also be regulatory and legal issues preventing Apple from replacing the code that controls the radio hardware in a competitor phone.
  • Reply 10 of 125
    It's not as bad as it sounds for the following reasons:
    1. It's a DED article and I can't stand his writing style.
    2. I've never gotten a virus using Android.
    3. All my friends are using Marshmallow so this isn't a problem.
    4. I hate walled gardens.
    5. Android users are smart enough to avoid viruses because they can root their phone.
    6. I love specs.
    7. iPhone = Bendgate
    8. I've always trusted Google because they're so innovative and cool.
  • Reply 11 of 125
    Amen to this article. More journalists need to CALL OUT GOOGLE on how they have failed to update MOST if not MANY of their users' Android OSes. This is apparently a result of Google's failure to forge stricter licenses and partnerships with the big hardware manufacturers like Samsung and LG as well as the big telecoms. All of these megacompanies are exploiting Google's 'free' Android OS with absolutely no regard for customers.

    Yeah it's **GREAT** owning a 1.5 year old flagship Android phone with an Android OS that's THREE YEARS OLD.  Google:  can you PLEASE work more closely with your hardware manufacturers?  You don't see Apple people with 1.5 year old iPhones stuck in OS 5.  

    I too used to be an Android evangelist.  Not now!  I am ready to switch back to Apple after being stuck in Android 4.4.2 on a TOP-OF-THE-LINE, QUAD-CORE PHABLET  for almost two years!  What a nightmare.
    edited January 2016
  • Reply 12 of 125
    Google was always more interested in getting Android devices out to as many users as possible without thinking of the consequences of doing so. 

    There is a lot of marketshare for Apple to take. Google is now a sinking ship. 
  • Reply 13 of 125
    freediverx Posts: 1,415 member
    sog35 said:
    I wonder if Apple sold an iOS version for Android phones people would buy it?

    I wonder if people would buy iOS software for $99?

    Buy a $300 Android phone and then $99 to install iOS?
    That would make no sense, for either Apple or the users.
  • Reply 14 of 125
    It's not as bad as it sounds for the following reasons:
    1. It's a DED article and I can't stand his writing style.
    2. I've never gotten a virus using Android.
    3. All my friends are using Marshmallow so this isn't a problem.
    4. I hate walled gardens.
    5. Android users are smart enough to avoid viruses because they can root their phone.
    6. I love specs.
    7. iPhone = Bendgate
    8. I've always trusted Google because they're so innovative and cool.
    Is this sarcasm or not? 

    2. You never got a virus (as far as you know)
    3. Both your friends? That ought to be enough proof. 
    4. Who cares?
    5. Clearly not usually true. 
    6. Do you love having more cores, a higher clock speed, and still be slower? Sounds stupid.
    7. Really?
    8. Ok, now I know you're joking!
  • Reply 15 of 125
    magman1979 Posts: 1,224 member
    Love how all the Fandroid supporters come en masse onto an Apple site, simply reporting on an article that was published by a third-party security researcher, and taking the immediate stance that this is very unlikely to affect anyone, and how Android is actually just fine. You people are the ones living in La La Land and need your heads examined. Android is a complete and unmitigated DISASTER not just of an OS, but as an entire PLATFORM.

    Oh, when you go out to get that examination, make sure to leave all Apple sites, you're just cheap comedy for us.

    Thank you.
  • Reply 16 of 125
    On an Apple site one expects to see a lot of Android bashing and a lot of Android bashing is justified. This article however is alarmist nonsense. A zero day kernel exploit is a problem on a Linux server available to thousands of anonymous users. On an Android device that is only available to those who have physical access to it, it is not a problem. It may be a remote possibility that a malicious app could exploit this vulnerability, but it's so easy to root an Android device that there are plenty of other ways malicious apps can cause mischief.

    I wish AppleInsider was more discriminating about what they print. I rely on this site for news and rumors concerning Apple. Articles such as this with juvenile catch phrases such as "Android is the new Flash" lower the credibility of the whole site.
  • Reply 17 of 125
    cali Posts: 3,494 member
    It's not as bad as it sounds for the following reasons:
    1. It's a DED article and I can't stand his writing style.
    2. I've never gotten a virus using Android.
    3. All my friends are using Marshmallow so this isn't a problem.
    4. I hate walled gardens.
    5. Android users are smart enough to avoid viruses because they can root their phone.
    6. I love specs.
    7. iPhone = Bendgate
    8. I've always trusted Google because they're so innovative and cool.
    How many friends? 3? :P

    Seriously it's hilarious when a 'droid user brags that his phone's running marshmallow XD

    sog35 said:
    I wonder if Apple sold an iOS version for Android phones people would buy it?

    I wonder if people would buy iOS software for $99?

    Buy a $300 Android phone and then $99 to install iOS?
    Good idea in theory but Apple would have no control over the hardware which would ruin everything. They could potentially make a ton of money though while Droid loses.

    The "Peach" idea again is good in theory but Apple would want control of the manufacturers. More of a hassle unless Apple themselves build "Peach" phones exclusively.

    Bencorc said:
    Amen to this article. More journalists need to CALL OUT GOOGLE on how they have failed to update MOST if not MANY of their users' Android OSes. This is apparently a result of Google's failure to forge stricter licenses and partnerships with the big hardware manufacturers like Samsung and LG as well as the big telecoms. All of these megacompanies are exploiting Google's 'free' Android OS with absolutely no regard for customers.

    Yeah it's **GREAT** owning a 1.5 year old flagship Android phone with an Android OS that's THREE YEARS OLD.  Google:  can you PLEASE work more closely with your hardware manufacturers?  You don't see Apple people with 1.5 year old iPhones stuck in OS 5.  

    I too used to be an Android evangelist.  Not now!  I am ready to switch back to Apple after being stuck in Android 4.4.2 on a TOP-OF-THE-LINE, QUAD-CORE PHABLET  for almost two years!  What a nightmare.
    Knockoffs are never "top-of-the-line", Droid manufacturers prey on the uneducated and spew random numbers to get them to buy their iPhoneys.

    Even disregarding security you will be surprised how much Apple cares about their customers. Enjoy Apple!
  • Reply 18 of 125
    dasanman69 Posts: 13,001 member
    It's not as bad as it sounds for the following reasons:
    1. It's a DED article and I can't stand his writing style.
    2. I've never gotten a virus using Android.
    3. All my friends are using Marshmallow so this isn't a problem.
    4. I hate walled gardens.
    5. Android users are smart enough to avoid viruses because they can root their phone.
    6. I love specs.
    7. iPhone = Bendgate
    8. I've always trusted Google because they're so innovative and cool.
    All the newbies (which there are a lot of) are going to think you're serious. 
  • Reply 19 of 125
    volcan Posts: 1,799 member
    Love how all the Fandroid supporters come en masse onto an Apple site, simply reporting on an article that was published by a third-party security researcher, and taking the immediate stance that this is very unlikely to affect anyone, and how Android is actually just fine.
    I suppose you are referring to my post. Sorry if I was not clear enough. Personally I have never used an Android device in my life, except to try to fix something for a friend or colleague. I was merely pointing out that, as usual, DED apparently only read the first paragraph of the research article, where it does refer to 66% of Android devices being technically susceptible to the exploit. The last paragraph of the article explains that although technically 66% are susceptible it is actually the opposite. Because of SELinux on Android, approximately 66% are quite well protected from this exploit and that the researchers would potentially look into discovering workarounds for the mitigation that SELinux provides. I said nothing about how Android is fine, only that DED chose not to report some important details of the article, although he did link to it which was thoughtful.
    edited January 2016
  • Reply 20 of 125
    Why does every article which mentions how horrible and bad it is that the version numbers aren't universally highest across android also fail to mention that API upgrades are done independently of the OS/Kernel version and reach back further than Apple's support for iOS?