The other part of the problem with security updates on Android, IMO, is that they aren't typically back-ported - so if your phone can't do Android 4, you're stuck with the security flaws in 2.3 (including this new flaw) forever.
I do find it interesting though, as someone who through work has deployed a lot of cell phones for field ops - the situation seems to be kind of, sort of getting better in that respect.
We bought a ton of Moto G4s and G5s in the last 18 months, and for the first year, I saw maybe one OS update and a couple of security patches? In the past six months, it's been noticeably different (and these phones are only getting older, mind).
I'm writing this on a Moto G5+ which has 7.1.1 and the January security patches, including a fix for the KRACK vulnerability. G4 models have the same patch level and 7.0. Updates have been deployed fairly regularly lately (if still not quite on a monthly cycle).
This from Lenovo, who have historically been terrible for issuing updates in a timely manner.
I wonder if the message is finally getting to these OEMs that they can't afford to let current models wither on the vine in this IT security climate, even if only for their own selfish ends (e.g. avoiding bad press).
> there are millions of devices that will never be updated
Luckily, almost all (if not all) of these millions of devices which will never be updated never ever received the vulnerable version in the first place. The bug was only introduced in 5.8, and due to how hardware vendors work, phones are still stuck in the 4.19 ages (or better, 5.4, but no 5.10 besides the Pixel 6).
Hope you also tell people who use Android about the dismal state of updates (actually the lack of them) from most manufacturers and how most new phones come with older versions with security vulnerabilities not patched on that device (and probably never will be patched).
If it helps I installed CM on my old Galaxy Nexus and it has 4.4.4 now.
> Vulnerabilities like that have to be addressed somehow.
I think these two issues go hand-in-hand. How can we send security updates out when the OEM and carriers have told us to get lost? It hurts Google, it hurts Android's reputation, etc. Passing off updates, especially critical ones, to the OEM/carrier infrastructure is just irresponsible in this day and age of endless security threats.
Imagine if my Lenovo PC had to get Windows updates not directly from MS but from Lenovo and Comcast, and only after they've agreed to give them to me? That's the situation on Android right now, and things like the AOSP browser bug prove it's a broken model.
I don't consider a phone that hasn't received security updates in 2.5 years "perfectly fine". I'm all for extending the life of older devices, don't misunderstand me, but that requires software updates. My phone is probably much older than those of most HN'ers (been using it for over 3 years now) and I used my last laptop for 7 years. But I don't run ancient unsupported software on either.
What I'm saying is "you shouldn't run Android 4.x in 2020", not "you shouldn't use a device from 2014 in 2020". Whether it be through better manufacturer support or a custom ROM like LineageOS, these ancient versions need to die.
It's kind of ridiculous that my Google Nexus 5X, which was released just over 3 years ago, will not receive updates to patch vulnerabilities like this anymore.
I appreciate that a solution is for people to update immediately. It really makes me wonder if my Android phones over the years have had 1-days exploited by the sheer incompetence of the ecosystem in updating phones.
Not much confidence when you get an update with security patches from 2-3 months ago.
Well, yes, security updates can be important. However, since I run a home-built Android distribution on the thing I can keep it up to date with the most egregious bugs (SurfaceFlinger bug etc.). This leads to the odd situation where my oldish phone is more secure than my wife's much newer Xperia C3 running a stock 4.4.4 distribution.
Unofficial Motorola word on XDA was that there was a single intern handling releases for older phones. Heh, I actually believe it.
Everyone here with a short memory will say they are on 5 already, which adds nothing, and they will forget the 4 months they were on an insecure 4.x.