
Android Security Bulletin - pjmlp
https://source.android.com/security/bulletin/2016-07-01.html
======
verytrivial
Sigh. I have a well functioning Nexus 4. According to
[https://support.google.com/nexus/answer/4457705](https://support.google.com/nexus/answer/4457705)
this device is no longer supported. I wondered why I wasn't seeing update
prompts as often as my partner. Time to grit my teeth and install CyanogenMod
I guess. Planned obsolescence depresses me.

~~~
lorenzhs
You have no idea how lucky you are to have received ~3.5yrs of updates on an
Android phone. Sadly that's the exception, not the norm. (The oldest iPhone
still receiving updates is the 4S, which predates the Nexus 4 by a full year)

------
zokier
Could someone explain why we still have monolithic "firmwares" on our phones
instead of PC style OS which could be updated directly from Google? That
wouldn't preclude OEMs and carriers adding their crapware (and drivers), but
it sure would make the landscape bit more secure.

~~~
the_trapper
Since there really isn't any good technical reason for that not to be the
case, it is painfully obvious that Google doesn't care enough to actually fix
the problem and the OEMs and carriers have no incentive to provide updates, so
most of them don't.

------
j0rd
Media server remote code execution. No way!

For those interested in an old talk about rooting phones via media server &
MMS watch this great talk.

[https://youtu.be/71YP65UANP0](https://youtu.be/71YP65UANP0)

~~~
owly
[https://copperhead.co/android/](https://copperhead.co/android/) Try it out!

------
billpg
"Partners were notified about the issues described"

I left Android a year or so from the aftermath of the "Stage Fright" incident.
I was very disappointed when my fairly new Android handset didn't get any
updates to that problem.

It will be interesting to see if the Android ecosystem has learned anything
since then. (Other than it is a good way to sell new handsets.)

~~~
pjmlp
No they have not, OEMs and Handset manufactures rather sell new devices than
provide updates, just like they used to do with Symbian and similar
proprietary handsets.

[http://www.androidauthority.com/android-7-0-update-679175/](http://www.androidauthority.com/android-7-0-update-679175/)

~~~
bitmapbrother
Blackberry has released Android security updates every month.

~~~
the_trapper
Blackberry also only has one Android phone. Let's wait and see how they handle
things when they have more models to support.

I'm also concerned that Blackberry phones (Android or otherwise) aren't long
for this world. The Priv has hardly been a success and Blackberry OS appears
to be on life support.

~~~
bitmapbrother
They actually have 2 with 1 more to be released later in 2016 with a PK.

------
andybak
This can be turned into a nice 'name and shame'. If someone could document
currently shipping devices that are still vulnerable. Then everyone can
tweet/blog/complain the hell out of it until OEMs and carriers start taking
some responsibility.

~~~
timgws
> If someone could document currently shipping devices that are still
> vulnerable Chances are at this point in time: every single device.

~~~
piquadrat
> Security patch levels of July 05, 2016 or later address all applicable
> issues in this bulletin

My Nexus 6P is on the July 05 patch level. So is my 3 year old Nexus 7.

Unfortunately, most OEMs lag far behind what Nexus users are accustomed to.

~~~
xbmcuser
Samsung follows the carriers where as I think they have the power that apple
has to force carriers to do their bidding. My S6 edge is a few months behind
android patch level but I know for a fact that the exact same model in other
countries is on patch 1st July patch level. Its the same damn phone. Some
people complain that old models are obsolete but what about the same newish
model getting the latest security patch in one country and not in another.

~~~
dingo_bat
Can confirm. My friend's unlocked S6 is at July patch level.

------
erelde
What is the incentive for carriers to limit updates ? To save cost on
bandwidth ? (...)

Another related/unrelated rhetorical question, should I prepare to buy another
Nexus when my Nexus 5 is no longer supported ? (which should be soonish)

~~~
pjmlp
They usually provide their own customizations also they are very keen in
exchanging devices for a contract renewal for those customers on contracts.

