
No One Cares About the Security of Unlocked Android Phones - becewumuy
https://hackernoon.com/no-one-cares-about-the-security-of-your-unlocked-android-phone-cd8ad4aae4c5#.xvdmxs2g7
======
ungzd
But who cares about security of your locked Android phone either?

~~~
soylentcola
That's sort of what I was wondering. Not the overall issue of security so much
as the title's focus on "unlocked" devices.

Sounds like they're talking more about disreputable or negligent OEMs than
anything to do with having an unlocked bootloader or unlocked SIM.

Past phones I've owned that weren't as good with security updates depended on
me being able to unlock the bootloader so I could keep them as up to date as
was feasible. No timely security update from Samsung or HTC? Find a patched
version of the ROM image built by some helpful developer on XDA and flash the
phone.

Even today, as I only buy Nexus/Pixel/etc Android phones, they're still sold
as "unlocked" in terms of SIM because I don't have any desire to give a
carrier more influence over my device than I have to. Again, not an issue with
security as even my older Nexus devices are getting security patches (if not
the big, hardware-dependent OS updates).

------
turc1656
The general consumer really needs to start caring about this kind of stuff and
start demanding more secure devices. They should refuse to upgrade their
phones to the next model until devices are reasonably secure. Problem is that
the average person cares far too much about convenience and having that sleek,
next-gen gadget. Which is why this problem persists.

Personally, I purchased a BlackBerry Priv (which runs Android) and couldn't be
happier. Phone is/was very cheap compared with the other flagship devices and
it runs really fast. Came factory unlocked direct from BlackBerry and has zero
bloatware on it. I get frequent O/S updates for security patches as well,
which is far more than I can say about my previous phone (Galaxy S3 from
AT&T).

Despite most people's apathy, or even hatred, of BlackBerry, they have always
done security very well. The Priv is no exception - secure boot, hardware
keystore, modified Linux kernel, FDE enabled by default, work/personal account
separation, external SD card protection, their DTEK software, etc. Some of
their security features are included as part of the base Android OS, yes, but
their security model as a whole from start to finish is far ahead of all
competitors.

~~~
on_and_off
Is it also ahead of the Nexus / Pixel (and if so, how?)?

Also, does it get the security patches in a timely manner? I kinda remember
them refusing to commit to that.

------
m3rc
Which is exactly why we need to fix this problem. Consumer products don't have
good security at all and it's making the world a worse place.

~~~
sametmax
The strange thing is that I have less people around me with virus problems,
stolen card problems, scam problems, etc than 10 years ago. Despite the fact
that we deem those devices less secure.

Something is off.

~~~
gambiting
I guess a lot of people have moved to platforms which are essentially
virus-proof, like the iPad. I have several members of my family who used windows
computers before, now they use iPads exclusively for all their work and
pleasure. Previously any of them would open anything that they got in an
email, and I guess they still do - it's just that with some devices, it's not
an issue. A zipped up virus won't do any harm on an iPad, and probably most
Android devices are secure from that too.

So while I think that windows devices are as easy to infiltrate as ever, a lot
of people have simply stopped using them, and replaced them with -
coincidentally, not intentionally - more secure platforms.

~~~
moyta
Pretty much this: security isn't improving, it's just that those infected zip & doc
files usually aren't targeted at Android or iOS.

~~~
lloeki
From trivial to apply app and OS updates to code signing and disabled
sideloading, the mobile platforms (either one) make it really much harder to
fall prey than on desktop OSes, _by design_. Malware authors have to hit a
homerun on 0-days to even begin to get a foothold on the mobile OSes† these
days.

† on properly updated devices such as the Apple ones as well as Nexus+Pixel.
Probably this is where some form of vertical integration starts to really
matter in practice.

------
mikegerwitz
I commented about something similar two days ago, and once again there's no
mention in the article or here about the fundamental problem of proprietary
software:

[https://news.ycombinator.com/item?id=12957927](https://news.ycombinator.com/item?id=12957927)

True security and privacy cannot be had without free/libre software. It's not
a solution in its own right, but it's a necessary step to mitigate issues such
as these.

A commenter in the linked thread also mentioned other Android OSes working on
hardening.

~~~
mindslight
It's worth elaborating on exactly _why_ this is.

When software is Free, the end-user's relationship is inherited from the
developer's relationship to the software [0]. As such, the definition of
security is a completely _shared_ one.

When software is not Free, the developer's and end-user's perspective are at
odds. For starters, they're likely on _opposite_ sides of a financial
transaction [1]. The security of non-Free software is thus defined in terms of
the _developer's_ interest. Many desires will still align, like securing
against most third-party attackers. But some will certainly not, like the
business interests of the company and its partners (including the domestic
nation-state).

[0] Indeed, a source of much complaint / usability problem.

[1] I'm certainly not rejecting the idea of trading money for
software/services, but highlighting a deep-seated principal-agent problem.
It'd be really nice to find a way to set up a workable economy around Free
software, lest we continue to lose to app stores and "open-washed" webcrapps.

------
mintplant
Oh, great. My BLU R1 HD from Amazon is sitting next to me as I type this.
Anyone know if this is patched in the latest software update, or how I can
tell if I'm affected? I don't see anything "AdUps" in the applications or
services list.

edit: Per an email from Amazon,
[http://www.bluproducts.com/security/](http://www.bluproducts.com/security/)
has instructions.

~~~
pawadu
The lack of corporate BS on that page really surprised me:

_BLU Products has identified and has quickly removed a recent security issue
caused by a 3rd party application which had been collecting unauthorized
personal data in the form of text messages, call logs, and contacts from
customers using a limited number of BLU mobile devices. ... The affected
application has since been self-updated and the functionality verified to be
no longer collecting or sending this information._

~~~
nix0n
Similarly, their phones are refreshingly free from carrier-lock or (obvious)
crapware.

------
imtringued
As always the SoC manufacturers are to blame. Google could probably fix these
problems by writing yet another layer of software to abstract the hardware
even further but the simple solution would be to fix these problems at the
root.

~~~
lloeki
> at the root

While in theory everything could be made to work fine and the right people
would be held accountable and dropped from any use, probably this is where
some form of vertical integration starts to really matter _in practice_.

------
brazzledazzle
Why would Mediatek go through the trouble of changing the socket instead of
removing the backdoor?

~~~
moyta
They want this data, and they know Google will let them get away with it. Just
like how they segment SOCs based on what version of Android they support for
each SOC, so if you want Android 6 or kernel 3.10, you're paying for a higher
end chipset.

------
fencepost
"Google eventually accepted a CTS patch to check for the ADUPS system socket.
That should have solved the problem, but then Mediatek just changed the name
of the socket to purposely evade Google’s CTS check."

That just left me gaping at the sheer brass required to do this, but I
understand how it could happen. I'm sure there are some people who want to fix
the problem, and others who say "Why bother? We may lose a few technically
savvy (aka pain in the neck) end users, but the great unwashed are never going
to know or care about whether this was fixed. Our customers know that their
customers are the great unwashed, so they aren't going to care either as long
as we're cheaper for them."

Or TL;DR, "Screw 'em, what are they going to do, organize a boycott by people
who think chips are something you eat?"
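The quoted CTS episode illustrates why a check keyed on one known socket name is brittle: rename the socket and the check passes. The example below is added here and is not code from the article, from Google's CTS, or from anyone in this thread. It parses listings in the format of `/proc/net/unix`, compares a denylist check (flags only the known name) against an allowlist check (flags anything not on a clean-build baseline), and shows that only the latter survives a rename. Every socket path in the samples is a constructed placeholder, not a real AdUps or Mediatek identifier, and the "expected" baseline is likewise an assumption for the demonstration.

```python
"""Denylist vs. allowlist detection of listening unix sockets.

Added example, not from the article or the thread. Socket names are
constructed placeholders; the EXPECTED baseline is an assumption.
"""

# Constructed samples in the layout of /proc/net/unix (Linux/Android):
# Num RefCount Protocol Flags Type St Inode Path. Flags 00010000 marks a
# socket that is listening (SO_ACCEPTCON).
SAMPLE_BEFORE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12001 /dev/socket/logd
0000000000000000: 00000002 00000000 00010000 0001 01 12002 /dev/socket/vendor_telemetry_example
"""

# Same device after the vendor renames its socket; nothing else changed.
SAMPLE_AFTER = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12001 /dev/socket/logd
0000000000000000: 00000002 00000000 00010000 0001 01 12002 /dev/socket/vt_ex
"""

LISTENING_FLAG = 0x10000  # SO_ACCEPTCON bit in the Flags column


def listening_sockets(proc_net_unix_text):
    """Return the paths of listening unix sockets from a /proc/net/unix dump."""
    paths = []
    for line in proc_net_unix_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue  # unnamed socket: no Path column to inspect
        flags = int(fields[3], 16)
        if flags & LISTENING_FLAG:
            paths.append(fields[7])
    return paths


# Denylist approach: flag only a known-bad name (the shape of a CTS-style
# "is the known socket present?" check). Name is a constructed placeholder.
DENYLIST = {"/dev/socket/vendor_telemetry_example"}


def denylist_findings(text):
    """Listening sockets whose path matches a known-bad name."""
    return sorted(p for p in listening_sockets(text) if p in DENYLIST)


# Allowlist approach: anything not on the clean-build baseline is reported,
# so a renamed socket still surfaces. Baseline is an assumption here.
EXPECTED = {"/dev/socket/logd"}


def allowlist_findings(text):
    """Listening sockets whose path is not on the expected baseline."""
    return sorted(p for p in listening_sockets(text) if p not in EXPECTED)


if __name__ == "__main__":
    for label, sample in (("before rename", SAMPLE_BEFORE), ("after rename", SAMPLE_AFTER)):
        print(label, "denylist:", denylist_findings(sample))
        print(label, "allowlist:", allowlist_findings(sample))
```

The denylist result goes empty after the rename while the allowlist result does not. The cost of the allowlist is a per-build baseline that has to be maintained, and it only covers sockets that are visible at all; it is a check a device owner or auditor can run on a rooted device, not a substitute for the vendor removing the component.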

------
tmzt
Maybe we should build a new bootloader that can be locked down once installed,
but with our own keys in the device.

------
kordless
I'm flagging this article because it is making a blaming statement that nobody
cares about the security of my unlocked phone, which is provably false. Let's
start eliminating dissonance from HN by taking the time to think about the
content we are consuming and how it affects us!

~~~
tptacek
If you're across the threshold for flagging, you can flag any story on the
site in the sense that a link will appear and change to "unflag" when you
click it.

If you expect your flag privileges to mean anything more than that, you should
probably avoid using "flag" as a downvote, because your flag privileges can be
quietly stripped from your account --- in fact, there's any number of
heuristics that can do it by cron job, without the moderators even knowing who
you are.

The "flag" feature is there to mark stories as off-topic and wholly
inappropriate for HN. Nobody on HN thinks this is off-topic for the site.

Just some advice!

