Google's Android phones are updated. Google make the code available so 3rd parties with modded/skinned/forked versions of Android can also update - but they choose not.
If 3rd party companies made phones using a modified/skinned/forked version of iOS would Apple be responsible for updating them? No of course not.
If people are worried about updates they should buy Apple or Nexus or another brand with a good track record for providing updates.
Oh, right... Google profited from what the OEM are doing to gain massive market share, by creating a POS update mechanism. Now, you say it's all the OEM's fault; are you serious? Google is 100% responsible for the crap that is more and more hitting the fan.
You want those OEM who are barely making money to be slaves of Google and do its bidding? They can't even get away from Google's pile of software and become independent and actually make money by differentiating themselves if they wanted to; they have to take this whole load of garbage from Google or they don't have access to the play store.
There's nothing open source in Android as a whole; it's a total fiction for the OEM.
If you think now OEM will suck Google's tit and lose even more money by committing humongo software engineer to port Google's turds on a regular basis; you got that wrong.
It really comes down to this ...
Are you a user that wants a tightly controlled experience [user interface, security, battery life] between both hardware and software at the expense of customization/perhaps not having the latest hardware/simplified user interface?
OR
Are you a user that wants to customize your experience at the risk of things not working well, not getting updates, cluttered and busy interface, etc.?
You should research the potential issues of either of the above [i.e. will I get security updates. etc.] before you choose [i.e. getting a phone that will not be updated to the latest OS quickly] and base your purchase on your comfort level.
If you did not research then you should not be surprised if there are issues ...
And if you did research then you should be able to supply clear and rational responses to correct any misrepresentations/lies
You're assuming people buying Android actually have a choice, or can inform themselves. 80% of Android phones are under $150 and bought by people using them for basic communication functions. Price and availability is the main attractiveness of Android phones. A huge portion are bought by people who don't even own a computer; or if they own one are not tech literate at all (like my mother), use it for basic functions. These people I guess should just assume their privacy and security is worth nothing because they're essentially sitting ducks for exploits and a botnet (like in good ol' XP time).
People comparing Android to XP sure are right; XP especially in the early year of release was a massive and constant security black hole.
'If you didn't want to be stuck with a state-of-the-art phone running an OBSOLETE version of Android, you should have bought a Nexus.'
Thanks. Heard this before. Should have bought a Nexus. Got it, thanks captain hindsight.
You have merely blamed me and dodged the issue. Millions of people are being sold expensive phones which the manufacturers and carriers (aka Google's licensees) have NO intention of ever updating. It's called planned obsolescence and Google should be ASHAMED for allowing this evil practice to happen under their license!
No, I'm sorry, this was an epic failure of Google's management to allow third parties free rein over "their" versions of Android. The disastrous repercussions of this moronic decision are unfolding now as millions of device owners remain permanently stuck in "Android XP". You can't just dismiss this debacle as third-party antics removed from Google's responsibility. Google licenses Android and had the authority to forge stricter policies.
Google's "open", laissez faire approach to Android has FAILED. The company's management needs to forge stricter contracts with their licensees going forward. This is an absolute disaster. I am not the only person who is stuck in a THREE YEAR OLD Android OS who once hailed Android but is now seriously considering switching back to Apple.
Google doesn't license Android, nor did it force any manufacturer to use it, nor were you forced to buy a phone that wouldn't get updates.
It just so happens they picked one off the shelf, which is open source. This decision, for the reasons I mentioned, was a terrible idea.
I agree with you. (Please no heart-attacks!)
I would think that if Google had a do-over they'd have kept things under their control more aggressively from the beginning. They're now in the position of being more creative in bringing the Google vision of Android back under their control. More high-profile marketing of Nexus phones coupled with some decent PR for a change, pulling features and functions from the OS itself and making them standalone and upgradable thru the Play Store for everyone (for the most part), committing to separate security updates for Nexus handsets each and every month and getting at least some of the OEM's on board with it too, and offering some security enhancements and protections for even side-loaded apps via Play Services all play into that. Over the next couple of years I expect Google to take even firmer control of the platform.
Fortunately for the users that think they've been left behind at least Google recognizes the drawbacks to being too permissive and is taking steps to make sure Android users don't miss out on many of the improvements, enhancements and security features in newer Android devices simply because their chosen handset provider doesn't bother to keep them up-to-date. Google is controlling what they can and gradually taking measures to wrest more back.
Notice they are not allowing wearables to deviate from Google's set features and functions for them? Yeah, they see where they should have done differently. There's hope.
Oh noes! Android Nexus devices don't even use this feature in the kernel! Damn, don't even need a patch! In fact Google's guidelines said to not even compile the feature into the kernel as they don't need it! No, even if you get a reply from /proc/keys, it still isn't used. So the vast majority of devices, don't even use it and are not vulnerable by default.
Oh wait, even older devices don't even use the affected kernel! And for those that do run 5.0 or up, SELinux stops it!
And it gets better! It takes a core i7 up to 30 minutes just to even exploit the bug! It's not even instant!
What will Daniel do when all the information in his flame bait article turn out false again? Nothing, because he doesn't give a shit. Just like he will never fix his article about how an Android exec admitted android didn't focus on security, and was an error in translation that his source fixed, but he didn't. Thanks to him melgross keeps posting about it on ars.
You know Dan, if you put the same effort into researching for others that you do when something negative comes around for apple, you wouldn't have posted this. But that's being "fair and balanced", which you obviously aren't.
Thanks Dan, the Rush Limbaugh of the tech world!
Hey, buddy, you're WRONG. The god damn site who actually discovered this thing says so. Go on Ars technica and get a clue about actual implementation of SELinux in various Android versions. It's not as clear cut as you say BUD. Also, SELinux doesn't stop it, merely makes it harder for script kiddies to do it. Since this thing remains open forever in hundreds of millions phones, some with many other unpatched vulnerabilities, you can chain exploits (don't even need this bug in some older phones)
BTW, next time, stop shouting, ignorance isn't better when you do it!
Ars didn't discover it, neither did they update their article with the information that's been disclosed since then. Chaining exploits is irrelevant - this one is barely exploitable on android due to it not even being used.
Btw, I don't give a shit - I bolded it for Dan the Dilger, not you. You want to complain about ignorance, look in the mirror along with Daniel.
Amen to this article. More journalists need to CALL OUT GOOGLE on how they have failed to update MOST if not MANY of their users' Android OSes. This is apparently a result of Google's failure to forge stricter licenses and partnerships with the big hardware manufacturers like Samsung and LG as well as the big telcoms. All of these megacompanies are exploiting Google's 'free' Android OS with absolutely no regard for customers.
Yeah it's **GREAT** owning a 1.5 year old flagship Android phone with an Android OS that's THREE YEARS OLD. Google: can you PLEASE work more closely with your hardware manufacturers? You don't see Apple people with 1.5 year old iPhones stuck in OS 5.
I too used to be an Android evangelist. Not now! I am ready to switch back to Apple after being stuck in Android 4.4.2 on a TOP-OF-THE-LINE, QUAD-CORE PHABLET for almost two years! What a nightmare.
We should always be concerned when a security exploit arises. This time is no different. But there are a few things here that make many question the number of potentially affected devices.
The recommended kernel configuration for Android devices does not have the CONFIG_KEYS variable turned on, and that means this exploit will have no effect. The people who made your phone may have enabled it, and custom ROM cookers might have, too.
All Nexus phones are unaffected — they use the default kernel configuration and the Keyring is not enabled in the kernel.
SELinux negates the attack vector, so if your phone or tablet is running Android 5.0 or higher, you should be unaffected.
Most devices not running Android 5.0 or higher will be using an older version of the Linux kernel, and are unaffected.
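The conditions listed in the quoted article can be checked per device rather than argued about. The sketch below is an added example, not part of the original thread or the linked article: the function names and result labels are hypothetical, the sample kernel configs are constructed, and it assumes Android 5.0 corresponds to API level 21 and that the kernel exposes its build config at /proc/config.gz.

```shell
#!/bin/sh
# Added example: triage a device against the conditions quoted above
# (keyring compiled in? Android 5.0+ with SELinux enforcing?).
# Function names and result labels are hypothetical.

# Constructed kernel config excerpts, not taken from any real device.
SAMPLE_DEFAULT_CONFIG='CONFIG_SECURITY_SELINUX=y
# CONFIG_KEYS is not set
CONFIG_IKCONFIG_PROC=y'
SAMPLE_OEM_CONFIG='CONFIG_SECURITY_SELINUX=y
CONFIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y'

# config_has_keys CONFIG_TEXT -> yes | no | unknown
# The match is anchored so CONFIG_KEYS_DEBUG_PROC_KEYS=y alone does not count.
config_has_keys() {
    cfg=$1
    if [ -z "$cfg" ]; then
        echo unknown            # config not readable on this device
    elif printf '%s\n' "$cfg" | grep -q '^CONFIG_KEYS=y$'; then
        echo yes
    else
        echo no                 # "is not set" or option absent
    fi
}

# triage_keyring CONFIG_TEXT SELINUX_MODE SDK_LEVEL -> one label
#   not-compiled        keyring is not built into the kernel
#   selinux-enforcing   Android 5.0+ (API 21+) with SELinux enforcing
#   unknown-config      config unreadable and no SELinux mitigation seen
#   check-vendor-patch  keyring enabled, no mitigation seen: needs a vendor fix
triage_keyring() {
    keys=$(config_has_keys "$1")
    selinux=$2
    sdk=$3
    # A missing or non-numeric SDK level is treated as pre-5.0.
    case $sdk in ''|*[!0-9]*) sdk=0 ;; esac
    if [ "$keys" = no ]; then
        echo not-compiled
    elif [ "$sdk" -ge 21 ] && [ "$selinux" = Enforcing ]; then
        echo selinux-enforcing
    elif [ "$keys" = unknown ]; then
        echo unknown-config
    else
        echo check-vendor-patch
    fi
}

# Collect the same three facts on a live device (e.g. from `adb shell`).
device_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz 2>/dev/null; fi
}
triage_this_device() {
    mode=$(getenforce 2>/dev/null || echo unknown)
    level=$(getprop ro.build.version.sdk 2>/dev/null || echo 0)
    triage_keyring "$(device_config)" "$mode" "$level"
}
```

A `selinux-enforcing` result reflects the article's claim only; a device in that bucket with `CONFIG_KEYS=y` still needs the kernel fix from its vendor.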
The vast majority of people value brand loyalty, so this will never, ever happen. You'll always have people willing to scream how their preferred usage of a phone somehow trumps everyone else's, regardless of usage patterns. They're too busy trying to justify their own purchases and defend them on the internet to actually do a little research or listen to others.
I'm beginning to think AppleInsider is nothing but clickbait, they misreport things like this and get two breeds of people - mindless fandroids defending them, and the equally mindless apple fanboys praising it.
Just disagreeing with DED's style of writing is enough to get you down-voted. I thoroughly enjoy all the Apple products I own and recommend them to others, but I do not need DED to constantly justify my purchases by bashing other companies in the style he does.
Ah. so it's just "style" you have a problem with. Not the content.
It's not as bad as it sounds for the following reasons: 1. It's a DED article and I can't stand his writing style. 2. I've never gotten a virus using Android. 3. All my friends are using Marshmallow so this isn't a problem. 4. I hate walled gardens. 5. Android users are smart enough to avoid viruses because they can root their phone. 6. I love specs. 7. iPhone = Bendgate 8. I've always trusted Google because they're so innovative and cool.
had this long lengthy reply but then realized that you played me for a fool. well played.
DED's style is to hide good salient points within emotional vitriol and in the majority of cases cite himself to back up his opinion. Then add in an extra thousand words just for good measure. I think it's a shame as there is a great journalist in there if he could hold back a bit.
I think there's a lot of passion for Apple in there, but he tends to write articles that cause me to envision him wearing a tinfoil hat while doing so. If the article was written with a different title and shortened to a reasonable length it wouldn't have been a bad article. The fact that he's claiming this IS the reason people are switching is just B.S. without facts. The average person doesn't care to look into these things. There are millions of people out there that buy their phone purely based on looks or what's trendy, that's how the vast majority evaluates products. Most of us on this site do not fall into that category. I'm a lifelong Apple fan, but DED is an Apple Fanboi, there's a huge difference between the two. I often see him as the overly religious person shouting that everyone is going to hell unless they buy Apple. I don't force my preferences on my friends and family, but I do laugh when their Android devices malfunction, or curse at them as I try to replace a screen on their Nexus 6 (major pain in the @$$ by the way).
Tell me some reasons why people hate Dawkins (or someone like Jerry Falwell, if you must) and you might stumble onto some reasons why that "style" is a bad way to go. There is such a thing as style poisoning the substance.
I am glad to see that there are others who recognise solipsist individuals and their incessant blabbing about something they don't really know about with so much vigour.
Hopefully those who value brand loyalty still do the research versus just buying because it has a certain branding.
Cambridge University reports that 87.7% of all Android devices have not been patched for at least one critical vulnerability going back 4 years and it takes 18 months for 50% of the world’s Android devices to be patched for any one critical vulnerability while the other half never get fully patched.
As a result, no matter how fast Google releases patches for the Android vulnerabilities on this list, most Android devices will remain vulnerable to malicious exploits of that vulnerability for years.
The upshot of this is that it is Android that had 32.8 million devices infected in 2012 alone by 65,557 different malware variants according to InQ Mobile.
Cisco, F-Secure and Kaspersky all report that Android users are the targets of 97-99% of the mobile malware in the world.
Symantec detected 9,839 cumulative Android malware variants in 2014. That year, it reported that an incredible 17% of Android apps were malware in disguise.
This is why Android is called a "Toxic Malware HellStew".
It's not at all surprising that Android users are flocking to Apple in ever greater numbers.
Holding DED to standards does not make me a windows or android fanboy.
Most mobile phone OS attacks are happening in China. Any exploit requiring physical access to a device is non-critical for anyone who isn't a target of a nation-state's security service.
Actually, 10% of those 32.8 million malware infections in 2012 occurred in the USA according to InQ Mobile.
Stagefright is just one of many vulnerabilities that don't require physical access to compromise an Android phone. In the case of Stagefright, your phone could just be sitting there and a simple MMS message is all that is required to own your phone.
Other Related Stagefright vulnerabilities only require simply browsing a graphic on a web page, in an email or a chat app.
This particular kernel vulnerability is just one of a multitude that won't be patched on the majority of Android devices around the world.
...and just like with most iOS exploits the supposedly billion android devices affected by it are, well, unaffected. TBH the whole malware scare story is waaay overblown IMHO. The stories are much scarier than the truth.
BTW, in the quite old IQMobile report you referenced do you know what "malware" was defined as? Pay attention to details since they can change the story. For instance you might not be aware that OS X was the most vulnerable operating system last year, worse than Windows... or was it? https://blog.malwarebytes.org/mac/2016/01/was-mac-os-x-really-the-most-vulnerable-in-2015/
Most of them are barely surviving as it is.
http://www.androidcentral.com/kernel-vulnerability-exposed-researchers
Should you be worried?