
Some Android Phone Manufacturers Lying to Users About Security Updates - cfadvan
https://www.theverge.com/2018/4/12/17228510/android-phone-manufacturers-missed-security-updates-lie
======
guelo
Be sure to read Google's response at the end of the article. Sounds like the
researcher's patch detection method is not reliable.

~~~
maxyme
It may not be for Google phones, but I fully believe the researcher is correct
with the basis of the article. I have the Galaxy S8 (locked to a US carrier)
and updates are a shitshow. Extremely high impact vulnerabilities (such as
BlueBorne) were patched over a 3 month period to the world. Interestingly
enough you can't even fully blame the carriers because a lot of the time
Samsung's own unlocked version gets updates last...

~~~
dogma1138
Security is the reason why I switched to an iPhone.

Updates are guaranteed and encryption is second to none.

I had tons of fun “encrypting” Android on my Milestone and Samsung Galaxy S2,
but it was just a show, and things really haven’t improved since then even on
Google devices.

Heck, after doing a proper analysis of ARM TrustZone and getting first-hand
access to some of the trustlets the industry uses to facilitate HVB,
encryption and other security features on ARM devices, there is no way I’m
touching them again if I can avoid it.

As for security patches, even a Google device isn’t a guarantee of updates, as
if you buy one through a carrier they are responsible for the updates, which is
something I found out with the original LG Nexus (5?).

Even flashing a Google clean ROM didn’t help getting OTA updates since it
seemed they were checking the IMEI.

After the let down which was the One Plus One it was iPhone all the way.

------
pasbesoin
Well, the mentioned analysis app the researchers placed on the Play store is
potentially quite useful. If Google will "bless" it -- can we at least have a
link to a copy of their statement as posted securely on their own domain?

The Android ecosphere particularly with respect to security is a really good
case for the appropriate use of the word "clusterfuck".

And even once a user is aware their phone may not be up-to-date, it's not easy
for them to determine this nor what they are missing.

So, why not at least give users a good overview of this? Turn them into a more
informed consumer?

Unless all you want to do is push ads at them...

~~~
gruez
>can we at least have a link to a copy of their statement as posted securely
on their own domain?

[https://opensource.srlabs.de/projects/snoopsnitch](https://opensource.srlabs.de/projects/snoopsnitch)

with F-Droid link if you want that

~~~
pasbesoin
Thank you for that. I see it requires non-standard access to the OS.

What I meant was, to see Google endorsing it -- on their own site(s). Even
if/where they do, obviously in its current state the app won't be functional
for the average user.

Sorry, I didn't read further in before making my comment.

Regarding that, it _would_ be useful if Google provided or enabled such a tool
for the average, locked-down user to review the exact state of their Android
OS (less carrier specific modifications) and updates to same.

------
billpg
I switched away from Android phones in the "Stagefright" aftermath. My device
was only three years old but the only response to my requests for an update
was "Get a new device". So I did.

~~~
ibotty
But what's the alternative?

~~~
quantummkv
Apple. Say what you want about them, their update policy is clear, consistent
and fast.

~~~
gregknicholson
Does Apple announce each model's end-of-life date (in terms of security
maintenance) in advance?

~~~
actionscripted
As I understand it, you generally have 5 years for hardware and software
support, with software requiring that you upgrade to major versions as they're
released for continued updates. Perhaps someone can share a link or provide
better details for software support/EOL info?

Here's their vintage/obsolete products info page:
[https://support.apple.com/en-us/HT201624](https://support.apple.com/en-us/HT201624)

~~~
gregknicholson
As an ordinary consumer using my phone, how would I know when it's going to
become unmaintained and I'll need to buy a new phone (if I want to continue
having security maintenance)?

This is one thing I think Linux distros could do better: not just advertising
upgrades to the next release, but warning when the current release is (soon to
be) no longer maintained.

