
Android's fragmentation leads to a digital security divide - petethomas
http://money.cnn.com/2017/06/07/technology/gadgets/android-iphone-security-poor-digital-divide/index.html
======
niftich
Android devices, as deployed in the wild, consist of a bewildering array of
offerings, from shovelware-equivalent throw-over-the-fence devices, to pricey
flagships whose makers command some brand awareness. Google has known for
years that the Android security patch situation is awful, and has been slowly
trying different approaches -- from shipping its own hardware, to moving
portions of the OS out of the base image and into Google Play Services-
updatable components (much to the chagrin of those who lament the increasing
disparity between stock AOSP and Android-as-shipped-on-devices), to its
newest: Project Treble, a HAL and vendor interface.

But a big part of Android's headaches is the long tail of devices that have
been functionally abandoned by all involved parties: the device maker, the
carrier, and Google. These devices are trapped in time and in a cesspit of an
ever-increasing number of vulnerabilities. It's like unpatched WinXP, except
these devices were once bought new a mere two or three years prior. Because
all involved parties have dropped the ball, and at the lowest end of the
market, the consumer can't really punish the these parties because they're
reliant on the exact same names to get access, this sad state of affairs
continues until Project Treble ships for real.

At that point, all pre-Treble devices are still doomed, but post-Treble
devices at least have a fighting chance.

~~~
zanny
> all pre-Treble devices are still doomed

The only devices that are doomed are those that:

A. have no reasonable support for third party firmware B. have no user base or
community to maintain security

The Galaxy S series since the S3, for example, is unlikely to ever stop
getting some degree of support from community ROMs. Of course, those community
developments don't have the resources of the OEM - they can't fix the
proprietary parts that break, and security hinges on the willingness of
volunteers to merge patches, which they don't always do.

I don't think its that black and white, though. Plenty of "supported" devices
get updates and ignore security vulnerabilities. Companies can and will stop
updating arbitrarily, and you have no way to know who is actually looking for
vulnerabilities to fix. All you get is a set of known exploits elsewhere and
the means you can test them yourself on your own devices, or someone else did
and you already know unpatched vulnerabilities on your end.

~~~
bitmapbrother
>A. have no reasonable support for third party firmware B. have no user base
or community to maintain security

You're automatically assuming that these third party maintainers apply all of
the security patches released by Google. This would be an incorrect
assumption.

------
pwthornton
There is no technical reason that Android phones aren't up to date with
patches. Apple is not doing something magical here. This is something that
could be remedied if Google forced phone makers and carriers to support the
latest patches ASAP.

iOS may be more security-focused in general than Android, but this article is
centered on updates and un-patched phones. That part of the security equation
is very solvable.

~~~
rothbardrand
One difference with security implications is that Apple makes both the
hardware and the software. So the hardware is controlled by Apple and can
authenticate the software, across the full stack, including the fingerprint
sensor (this is why third parties who replaced the fingerprint sensor were
running into problems awhile back.)

This ensures all software run on the phone is uncompromised. For android, the
software is modified by the carrier, and while their intentions are likely
good, their ability to integrate the security patches with their custom
changes is open for debate (carriers are not the best software developers.)
Further, there are more opportunities for compromising the software that is
run- more surface area to attack, including installing malware in the supply
chain.

~~~
zanny
Except the Windows world shows it isn't a technical hurdle either. Microsoft
makes their OS, OEMs buy copies of it, and stuff bloatware and crap and change
stuff all the same as Android vendors before selling it to consumers.

But then, despite modifications, Microsoft updates _their_ stuff, including
the kernel.

It doesn't actually even take hardware vendors being ethical and making open
source mainline kernel drivers for their parts. They could just be shipping
DKMS kernel modules instead of baking their trash into fixed kernel releases.
But they simply do not, because they don't care.

~~~
bitmapbrother
You're missing the part where these Android OEM fork the OS, add all of their
source code modifications, compile, link and the build it. Google cannot
update an OS created by another OEM because unlike Microsoft, which provides
these OEM's binaries of their OS, Google simply provides the source to
Android.

------
gruez
At the risk of sounding like a libertarian, what's the issue here? Clearly the
consumers/market has spoken and they place a very low value on security.

~~~
pwthornton
I don't think I would say that consumer ignorance counts as consumers speaking
via the market. Computer security is complicated stuff and no one really
explains to users what the vulnerabilities are and how to mitigate them.

The fact that we don't have chip and pin credit cards in the U.S. is hardly
evidence that consumers don't want them or that they somehow prefer a system
that makes it much easier for them to be defrauded. It's simply that the few
credit card companies we have don't want to spend the money to provide chip
and pin (or another secure payment system).

~~~
gagege
Huh? I'm confused, I live in the midwest and chip and pin is everywhere. Do
stores not use it in other places?

~~~
upvotinglurker
Where I live (also US midwest, rural area), about 2/3 of locations where I
regularly shop have the "chip" part implemented, zero have the "pin" part.
(Chip and pin = having to type a pin each time you use the card in the chip
reader.)

~~~
gagege
Pretty much every store I go to, I use the chip and then enter my pin. I
haven't had to sign in over a year.

~~~
zanny
I live in not-very-rural PA (45 mins north of Philly) and all the cards and
most readers have chips but nobody takes pins, I still have to sign
everything.

