
Android security in 2016 is a mess - iuguy
https://cpbotha.net/2016/11/27/android-security-in-2016-is-a-mess/
======
djsumdog
One of the major major major issues is the hardware itself.

Let's jump back to the late 90s. You want to try Linux. You might partition
your disk, or build a different machine and get a KVM or use an old laptop or
add a second hard drive. In all cases, you can just install a Linux distro and
see if it works. Maybe Ethernet or sound or something doesn't work. You could
try a different distro with a newer kernel, maybe compile your own kernel with
the modules you need, etc. But no matter what, it would at least boot
(usually).

Intel x86/64 is a standard architecture. EFI makes the booting process even
easier (although some motherboards still fuck this up; but for the most part
fiddling with efibootmgr and turning off TPM will work. If not you can always
turn on legacy BIOS and use the MBR). ARM is not a standard architecture. It's
a spec that is sold to companies who all make their own SoC templates. There
are things like Device Tree Config that make some of this more standard, but
it's still far from x86/64. Just read Torvalds' rants on ARM to learn more.

Even if you make some standard Android builds with all the drivers for all
phones in a massive 20MB initrd, a lot of kernels are fundamentally different
with the way bus connections are defined. Manufacturers take forever to release
their kernel code, often under threats by people for GPL violations, and even
then they are filled with tons of binary blobs and shims that connect their .o
files to kernel calls.

Stuff like Plasma looks amazing. It only has like two phones it supports. If
you look at any android rom project, you see totally different builds for
every single device. If Intel had been like this, Linux would have died off in
the 90s, for both servers and desktops.

Device manufacturers depend on you buying new phones. They cannot support
phones after two years or else it kills their profit margins. Planned
obsolescence like this leads to waste (don't kid yourself, e-waste recycling
gets shipped to Africa where kids remove components. A small percentage of
phones actually get recycled).

TL;DR Mobile phones are based on unmaintainable and non-standard hardware
(intentionally). I wrote a post on this a while back:

[http://penguindreams.org/blog/android-fragmentation/](http://penguindreams.org/blog/android-fragmentation/)

~~~
0xFFC
>Device manufacturers depend on you buying new phones. They cannot support
phones after two years or else it kills their profit margins.

This is the reason that after using Nexus devices for 5 years, I will buy an
iPhone and I will never ever look at Android again. My girlfriend switched
from a Galaxy Note 4 to an iPhone last year, and she is amazed how much better
the iPhone experience is than the high-end Android experience.

Only 2 years of updates? Give me a fucking break, this is a total rip-off. If
I remember correctly even the iPhone 5 still gets updates (and remember the
iPhone 5 is a 5 year old phone, which will get a new version of the OS, not
just security updates; this alone is more than the lifespan of a Nexus or
Pixel device). Let alone the fact that phone processors have passed the
threshold: phones produced after 2015 are almost as powerful as a desktop from
~2005. My point is, if you don't play intensive games or have any specific use
case, an above-ordinary phone would run a browser, mail client and chat apps
for more than 4 years without any issue. But companies are trying to minimize
lifespan just because of their own profit.

And my answer to them would be my middle finger.

They are totally screwing up customers.

~~~
eon1
"..remember iPhone 5 is 5 year old phone, which will get new version of OS,
not just security update"

Yes, and remember that Apple intentionally writes OS updates that will run
slower on their older devices, thus achieving almost the same thing but
slightly less blatantly.

~~~
rrdharan
It may be the case that OS updates run slower on older devices but I think it's
a pretty strong statement to claim that this is "intentional", at least in the
sense that you seem to be implying.

Do you have some strong evidence of this? Amusingly it's actually being tested
in court (see the class action referred to in the link below):

[http://www.cbronline.com/news/mobility/devices/apple-accused...](http://www.cbronline.com/news/mobility/devices/apple-accused-of-sabotaging-old-iphones-with-upgrades-but-how-can-users-protect-them-4944274)

~~~
macintux
Some updates actually make older devices go faster, anecdotally.

------
hackuser
The IT industry's lack of attention to security (including confidentiality and
system integrity) has enabled mass surveillance, by both businesses and
government, and that problem now combines with the political situation to
create a serious risk to people's rights.

Google has a very serious responsibility to implement effective security for
Android, and it needs to be done urgently. They've known about it for years
and put it off. The EFF has some basic specs here:

[https://www.eff.org/deeplinks/2016/11/tech-companies-fix-the...](https://www.eff.org/deeplinks/2016/11/tech-companies-fix-these-technical-issues-its-too-late)

~~~
qwertyuiop924
Irritatingly, as much as Android security sucks, it's effective enough that
it's hard to root most phones.

~~~
hackuser
Secure against, but not for, end-users.

------
ansible
So, as others have mentioned, the ARM chips out there don't really follow any
common set of standards.

Some IP blocks, like USB controllers, can operate using a standard driver, but
that's about it. Even for the bits that are migrating from PC land like PCIe
and SATA, they aren't uniformly available or have standard driver interfaces
across vendors.

And it gets worse. There's not even a standard means of discovering what all
of the hardware is on the ARM System-on-Chip (SoC). You've just got to learn
that this GPIO register is at this physical memory address from the reference
manual.

And it gets even worse. There's no standard for hooking up the hardware
peripherals either. You could have two phones with the same SoC (for example
a Qualcomm Snapdragon 820) but they might have chosen to connect up
different sets of peripherals, to different sets of ports. There might be
three display output ports; which one did vendor X use?

And don't even get me started about power management. ARM Ltd doesn't do this,
so every chip vendor has their own. Which is completely different. There is
nothing close to what is available in laptop land.

What we need is a widely accepted standard for describing the on-chip
peripherals, which can be read by the software. And we need a separate
description for how the hardware is connected. And even all that isn't nearly
enough.

This situation will not get better any time soon, IMHO.

~~~
swiley
Device tree is actually a reasonably flexible and precise way to describe all
of that, the problem is that many vendors just don't use it.

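As an added illustration (not from the thread), the two descriptions ansible asks for are exactly what a device tree source is split into: a SoC part describing which peripherals exist and where their registers are, and a board part describing what this particular phone wired to them. Every compatible string, address and pin number below is a constructed placeholder, not a real chip's binding:

```dts
/dts-v1/;
#include <dt-bindings/gpio/gpio.h>   /* real header; provides GPIO_ACTIVE_LOW */

/ {
    compatible = "example,hypothetical-board", "example,hypothetical-soc";
    #address-cells = <1>;
    #size-cells = <1>;

    /*
     * Part 1: the SoC description. In a real tree this lives in a shared
     * .dtsi that every board built on the chip includes. It answers
     * "what peripherals exist and at which physical addresses", so the
     * kernel no longer has to carry that knowledge per device.
     */
    soc {
        compatible = "simple-bus";
        #address-cells = <1>;
        #size-cells = <1>;
        ranges;

        gpio0: gpio@10000000 {
            compatible = "example,hypothetical-gpio";
            reg = <0x10000000 0x1000>;   /* register block: base, length */
            gpio-controller;
            #gpio-cells = <2>;           /* a reference is <pin flags> */
        };

        /* Two of the chip's display outputs; the SoC file leaves them off. */
        dsi0: dsi@10100000 {
            compatible = "example,hypothetical-dsi";
            reg = <0x10100000 0x1000>;
            status = "disabled";
        };
        dsi1: dsi@10101000 {
            compatible = "example,hypothetical-dsi";
            reg = <0x10101000 0x1000>;
            status = "disabled";
        };
    };
};

/*
 * Part 2: the board description. This is what differs between two phones
 * built on the same SoC: which output is wired, to what, on which pins.
 * Labels from the SoC part are referenced with &label and overlaid.
 */
&dsi1 {
    status = "okay";   /* this board wired up the second output only */
    port {
        dsi1_out: endpoint { remote-endpoint = <&panel_in>; };
    };
};

/ {
    panel {
        compatible = "example,hypothetical-panel";
        /* panel reset line sits on gpio0 pin 12, active-low */
        reset-gpios = <&gpio0 12 GPIO_ACTIVE_LOW>;
        port {
            panel_in: endpoint { remote-endpoint = <&dsi1_out>; };
        };
    };
};
```

Because of the `#include`, the file has to go through the C preprocessor before `dtc`, as the kernel build does for its own .dts files.
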
------
dispose13432
What's frustrating is that people/Google keep on blaming the OS nature of
Android.

What they forget is that to put Android on a phone, practically you need
Google's permission.

If Google cared, they could have made it part of the terms and conditions that
it has to have security updates for five years.

They obviously don't

~~~
krick
> They obviously don't

All my disdain for Google aside, I wouldn't either, in the sense you are
implying. I develop a product, I care about its quality, I allow you to use
its code on your devices. Should I care how badly you will fuck up your own
proprietary version of the product I allowed you to use? Not in the slightest,
IMO.

~~~
ocdtrekkie
The problem with this mentality is the idea that people using phones with
their Google accounts with apps bought from the Google Play Store with email
via (Google)mail which reports their location and other sensitive data to
Google are not Google's customers and that Google has no responsibility to
them.

~~~
MBCook
This is the Microsoft problem, right? People bought tons of computers with
Windows and they were loaded to hell with crapware.

It wasn't MS's fault any more than it was Intel's. They just sold a component
to the company (Dell, HP, NoNameBrand, whatever) that put all the crud on the
computer.

But it was a _WINDOWS_ computer so people blamed Microsoft and said "Why can't
you fix this?"

They're trying, but because their product was so central to what was being
purchased, as well as so obvious and in your face, people associated them
and they got blame they didn't deserve.

The same thing can happen (is happening?) to Android.

~~~
swiley
I would say that the problem here is the difficulty in (re)installing Windows
due to licensing and the pile of drivers you need.

~~~
MBCook
I don't think that's germane to the point I was making. How easy it is to
reinstall Windows doesn't really factor in to how 3rd parties are able to
change your reputation for you.

------
loudmax
My 1st gen Moto G stopped receiving updates a while ago, but Cyanogenmod is
still putting out new ROMs. It takes some level of understanding to put
Cyanogenmod on a device, but nothing too challenging for the HN crowd.

If your phone has stopped receiving updates and you're not ready to buy a
replacement yet, you can check if it's supported. It's a great thing that this
project exists.

~~~
greenshackle2
I was considering buying a new phone but I installed CM on my 2nd gen Moto E
and that solved most of the performance issues (so far; it remains to be seen
if it holds up.)

CyanogenMod has less bloat, and more actually useful core functionality, which
means I need fewer apps. (For example, no need for something like Twilight
since it has adaptive brightness/hue built-in.)

~~~
busterarm
And it runs as root by default, so it's essentially a security nightmare
waiting to happen.

~~~
amaranth
Their stock configuration doesn't even have root available unless you enable
it in the hidden developer settings menu. Even then it works like SuperSU and
such, non-root by default and popups to prompt for root access when an app
requests it.

------
gregmac
This article also linked to a post about Android disk encryption [0] that I
found pretty interesting.

It goes through Apple vs Android encryption implementations, and talks about
per-file vs full-disk. Android has only just now implemented per-file, but
haven't made it granular enough to handle some very valid use cases and thus
it has some pretty big holes. The worst part is fixing it means breaking 3rd
party apps.

[0]
[https://blog.cryptographyengineering.com/2016/11/24/android-...](https://blog.cryptographyengineering.com/2016/11/24/android-n-encryption/)

~~~
Watabou
There was some discussion about this on HN [1].

Pretty interesting that it only got 183 votes. Usually when people talk about
Apple's security holes, it generates much more discussion (criticism) and
votes.

[1]
[https://news.ycombinator.com/item?id=13031012](https://news.ycombinator.com/item?id=13031012)

~~~
macintux
Pointing out that Android is insecure is about as newsworthy as pointing out
that the sun will rise tomorrow.

------
grandalf
Google decided to take on iOS by loosening the quality controls that help make
the ecosystem secure. Google could easily require code signing and auditing
for all non-google OS components, but it chooses not to because doing so would
hinder phone sales.

The vulnerability in BLU phones was due to third party code packaged in the
Android build for BLU phones. This was discovered because it sent texts back
to China. Imagine if a slightly more sophisticated attack were included; how
easy would it be to spot?

I'd estimate that there may be over 20 stuxnet level malwares lurking in the
Android ecosystem, leveraging it to spread opportunistically deeper into
infrastructure and onto higher value targets, etc.

And this doesn't even consider hardware level malware which could be included
in bulk via alternative ASIC designs that end up on millions of phones.

------
myowncrapulence
I brought this up in r/ProjectFi (a google/android subreddit) and was wholly
ridiculed and dismissed "for not knowing anything". It seems brand loyalty has
become similar to American politics with little-to-no middle ground or room
for unbiased opinion.

I'm glad to see a realistic approach to mobile security. We need more scrutiny
in this area.

~~~
Someone1234
ProjectFi only works with Nexus (and Pixel) devices, which aren't impacted by
this.

So posting complaints about manufacturers which aren't Fi compatible on the Fi
subreddit seems unusual and may have resulted in some of the negative feedback
you received.

~~~
lvs
That may not be true. Fi works with (and was marketed with) the Nexus 6 which
is EOL as of this month (Oct 2016). That means the OS version will be halted
at Android 7, as I understand it. They may still receive security updates, but
I don't believe Google has said how long they'll be doing that for.

~~~
kevincox
It will get no more version upgrades, but it still has at least a year of
security updates (depending on when it went out of the play store). I'm not
saying new versions wouldn't be nice but personally that seems like a minor
advantage.

------
rogerbinns
Apple does have an iPhone in the traditional Nexus pricing zone. For $400 you
get the iPhone SE - [https://www.apple.com/iphone-se/](https://www.apple.com/iphone-se/) - which could be acceptable.

~~~
kuschku
> the traditional Nexus pricing zone

There’s an iPhone selling for 200-250$ right now?

~~~
rogerbinns
I refer you to this chart - [http://www.droid-life.com/wp-content/uploads/2014/10/nexus-p...](http://www.droid-life.com/wp-content/uploads/2014/10/nexus-phone-pricing-history.png) - from this article - [http://www.droid-life.com/2014/10/16/nexus-6-price/](http://www.droid-life.com/2014/10/16/nexus-6-price/)

$400 is very much traditional Nexus pricing zone.

~~~
kuschku
The Nexus is sold at 400€ on day 1 of being available.

But we’re not exactly talking about a new phone here – we’re talking about
phones released almost a year ago.

A fair comparison would be the cost of Nexus phones one year after being
introduced.

Which is between 200€ and 250€ – as I can attest, as I just bought a Nexus 5X
for that.

------
isliiiive
My 2c: After 3+ years of android (moto g w/ cyanogenmod, then project fi), I
finally made the switch back to iOS. I'm beyond happy so far, and have the
benefit of google not tracking my every step and key press. It is good when
the manufacturer of a product you _pay_ for has interests in line with your
own.

~~~
aviraldg
I am happy for you, but please stop spreading FUD about Google/Android. I
would like you to point out a single practical example of tracking in Android
that you can't opt out of.

~~~
ocdtrekkie
The problem isn't that you can't opt out of it. The problem is that Google
cripples your phone if you opt out of it. Because Google's software is not
designed to function properly without tracking. (For instance, your _local_
Google Maps install won't even remember where you live or your last location
search if you turn search history off in the cloud.) Not having basic local-
only functionality is silly, unless you're specifically trying to push people
to stay in your tracking system.

~~~
curt15
Are iPhones significantly more functional without cloud connectivity?

~~~
macintux
Yes. Apple emphasizes data processing on the device itself to enhance privacy.

Additionally the tracking that does take place is generally less invasive,
since Apple cares a great deal less about correlating your buying habits with
your life history to sell you ads.

------
pimeys
I'm still using my over two years old OnePlus One with the Cyanogen that came
pre-installed and I've been installing all the OTA updates, being on the
September security patch now, and QuadRooter showed no vulnerabilities. Pretty
neat for such a cheap phone.

What stops me from using iPhone is my opus music collection I want to carry
with me, Rocket player and my pure hate towards iTunes.

------
emsy
>What can we do? Buy an iPhone. No really.

I was looking to switch to Android, but even after briefly reading up on
security/privacy on Android, I came to the same conclusion. It's too bad
iPhones are pricey and/or despised among a subset of customers. I'm sure more
users would vote with their wallets if they were aware of this.

~~~
coldpie
I'd consider switching to an iPhone, but lots of my music is just MP3 files
and I'd hate to lose the ability to play them on my phone. Using iTunes is not
an option.

~~~
emsy
Yeah, iTunes makes transferring libraries or switching PCs unnecessarily
tedious. I've had a lot of problems with it. I also think Apple's product
decisions (hard- and software-wise) are becoming more dubious, which is why I
was looking to switch. Privacy and security still outweigh it by a wide margin
which is why I won't switch for now.

As for the MP3 problem: There are 3rd party apps, where you can simply drag
the files into the iTunes window and they'll sync without hassling much with
iTunes.

~~~
coldpie
I'm a Linux user. iTunes is not an option.

------
NiekvdMaas
Actually Xiaomi (a Chinese vendor) has one of the best update models I have
seen. They update MIUI weekly, every Thursday a new update with small
changes/security fixes. If only more companies would adopt such a model we'd
have a different situation.

~~~
mads
Small problem with this model, if you want your devices to be Google
certified. Google requires that every official software release needs to be
certified with Google (CTS and GTS verification need to be passed at a Google
certified lab).

This might not be a big problem once you are rolling after your first
certification, but it does create some overhead every time you need to release
software.

I don't think MIUI is Google certified.

~~~
STRML
Practically, what good is Google certification, if a majority of the devices
in the wild are months or even years behind on security updates?

~~~
mads
Well, if you are not certified, you are not allowed to pre-install the whole
suite of Google binaries and Google Market, and Google Pay and probably
other services are not going to work on your device (at least you won't be
able to make purchases).

~~~
anilgulecha
Xiaomi phones come with the full google ecosystem of apps, so they are
certified.

~~~
mads
Oh okay, I didn't know that. Thanks.

------
willtim
I think this article is spot on. We should vote with our feet. Since Samsung
do not wish to keep my phone secure, and so far they are averaging one update
per year, my next phone is likely to be a pixel.

------
raspasov
"Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no
incentive to keep your phone’s software up to date with Google’s fixes" -
that means that they have no concept of long-term (long term = more than a
month) customer satisfaction. If that is the case (and that very well might
be), the future is very bright for Apple.

~~~
Tempest1981
However, people will endure much pain and problems to save a few dollars.
Reminds me a bit of the "inexpensive footwear" Dilbert cartoon:
[http://dilbert.com/strip/2007-05-01](http://dilbert.com/strip/2007-05-01)

~~~
raspasov
Fair point!

------
aq3cn
Has anyone here given a shot to NoPhone?

[https://www.thenophone.com/](https://www.thenophone.com/)

[https://www.thenophone.com/products/the-nophone](https://www.thenophone.com/products/the-nophone)

------
hackuser
Can anyone comment on the Blackberry Priv? The article mentioned it, and I
know their security goes down to hardware level and what they claim is a
secure manufacturing process, but all I know is what they claim ...

~~~
jevinskie
I purchased one used, mostly to see what it is like but also to have as a
backup phone Just In Case. The hardware is a mixed bag: the screen is
gorgeous, the keyboard is a bit narrow but allows for very accurate typing,
the back of the case is flimsy, and the CPU is underwhelming. The software is
great though! You get a very up to date (second only to Google brand phones
w.r.t. security updates) OS and the Blackberry software (like Hub) is an
actual improvement over the stock Android experience.

Basically, if you want a secure Android phone and wouldn't mind trading older
hardware for a physical keyboard, it is the phone for you. Otherwise, you
might want to look at a Pixel device.

As to security at the hardware level, I'm not aware of the PRIV featuring
anything special outside of the TrustZone TEE stuff that most recent Android
phones have.

~~~
hackuser
I found some notes from when I was looking into the Priv at the end of last
year. They lack detail, but maybe are a good starting point for someone.

* Root of trust: unique crypto keys at the hardware level: Somehow implemented in a way that guarantees Blackberry through the supply chain, they claim. Maybe Blackberry supplies its own chipset, w/ key included?

* Verified Boot and Secure Bootchain: Verifies integrity of all layers, from hardware to software. Uses hashes, crypto signatures

* hardened Linux kernel with numerous patches and configuration changes to improve security

* FIPS 140-2 compliant full disk encryption for data and applications

* Monthly updates through the Google Play store (only?)

* DTEK: "a single dashboard to monitor and control application access to your microphone, camera, location and personal information."

* Can customize each app's privacy settings, like in Android 6

Also of potential interest, from a competitor:

* [http://www.tomshardware.com/news/copperhead-nexus-more-secur...](http://www.tomshardware.com/news/copperhead-nexus-more-secure-priv,30565.html)

----

Sources:

* [http://blogs.blackberry.com/2015/10/priv-is-for-private-how-...](http://blogs.blackberry.com/2015/10/priv-is-for-private-how-blackberry-secures-the-android-platform/)

* [http://www.zdnet.com/article/the-many-ways-blackberry-beefs-...](http://www.zdnet.com/article/the-many-ways-blackberry-beefs-up-android-security-on-the-priv/)

------
remir
Could this be one of the reasons why Google is working on Fuchsia, their new OS
with a micro-kernel (Magenta)?

~~~
ocdtrekkie
It's hard to tell. There are indications it's meant to work on any form factor,
but at least initially their focus seemed to be on desktop-esque hardware like
the Intel NUC, an Acer slate tablet that runs x64, etc. and then with the
Raspberry Pi for ARM support. There hasn't yet been a clear indication that
they're working on phone support for it, or when that would be.

It's still super early for Fuchsia though, so it's anyone's guess.

~~~
remir
I agree, it's still early and there's not much info at the moment. Still, in
the maxwell repo, there are mentions of "GPS acquirers" and in the SysUI repo,
there are icons for battery, airplane mode, screen rotation and cellular signal.

Nothing really specific for phones since these things can be found in some
tablets and laptops, but apps in Fuchsia are made with Flutter, so it's
interesting since it was made to make cross-platform mobile dev easier on
Android/iOS.

------
ensiferum
Simple, don't buy this crap.

------
chinathrow
I'm in the market for a new Android these days. Looking at the Pixel (too
tightly coupled with Google), the Samsung S6/S7 (Samsung let me down without
updates once), the Fairphone 2 (thick and ugly) and others.

It's a mess.

