Hacker News new | past | comments | ask | show | jobs | submit login
There are over a billion outdated Android devices in use (danluu.com)
530 points by josephscott on Nov 14, 2017 | hide | past | web | favorite | 465 comments

With current and older devices working perfectly well, and new devices being even less serviceable and more user-hostile with greater efforts towards planned obolescence, is it any wonder that people just aren't "upgrading" any more? I don't consider this a problem, but a sign of an ecosystem that is gaining stability. In fact I'd say it's even better, from an e-waste perspective, that the amount of churn has decreased.

Even in the low-end/unbranded devices, I'm seeing a gradual removal of hardware features and general lack of parts (screens, cases, etc.) availability, while replacement parts for models several years old are still plentiful.

I had an older phone with 4 GB space. I could keep about 15 apps running on it. A lot of these apps were important - Waze, WhatsApp, Slack, Uber, camera, etc.

So that left me switching between a budget of about 60 MB for games and unnecessary apps, though I can squeeze in a little more by clearing all the caches.

Now suddenly Samsung bugs me to update to the latest version of Android. The new update would take up hundreds of megabytes. My space was already highly limited.

I eventually gave in to curiosity and updated to Lollipop. The phone became unusable because I didn't have the space to install the apps I needed.

I ended up in a situation like that too, except the update auto-downloaded taking up most of my free space, but not leaving enough to install it. I didn't figure out how to reclaim the space so I spent months stuck without being able to install apps or updates before I gave in and bought a higher end phone.

Back up or sync important contacts and data, and then do a factory reset to restore the original OS. Make sure to turn off auto-updates as it will keep downloading them after the restore. It's a shame that phones keep losing features like micro SD.

> It's a shame that phones keep losing features like micro SD.

Phones keep losing features like micro SD (and like end-user replaceable batteries) because too many purchasers do not value those items highly enough to refuse to buy any phone that lacks an SD card slot or a user-replaceable battery.

Start refusing to buy any phone which lacks a micro SD slot, and the manufacturers will bring back the micro SD slots (granted, purchasers need to send the makers feedback that they refused to buy phone X due to lack of a microSD (and lack of a user replaceable battery)).

But buying a phone (any phone) which lacks one or the other simply signals to the makers that it is ok to drop those features, because the phone still sells.

I bought a brand new Android phone about 4-5 months ago. It has both a microSD slot (now holding a 128G SD card) and a user replaceable battery. I picked it because it had those features and I valued their presence. If enough others would get fed up with the lack of one or both, and start refusing to buy any phone without one or both, things would turn around.

I don't think that's so clear cut. I'm looking for a new phone now and I refuse to look at anything without a headphone jack. I've been repeatedly told online and by my friends that I'm weird - the headphone jack is dead, the ship has sailed, it's too late now etc etc. But how else can I vote on this if not with my wallet? I want a phone with a headphone jack but the choices are becoming narrower and narrower - and it seems that even picking up something with a jack does not necessarily send a right signal. Look at the original Pixel - it was Google's pride and joy that it still has a headphone jack while the iphone doesn't. Fast forward to today - Pixel 2 doesn't have a jack and no one cares.

> Pixel 2 doesn't have a jack and no one cares.

And this is exactly the problem. That no one cares. If enough cared, the first phone without a jack (iPhone, right?) would have been a sales flop, and maybe the message would have gotten back to leave the jack in the phone.

Instead, it sold, which tells the makers that dropping the jack was no big deal, people still bought it anyway.

Why would people value an SD card if the apps all refuse to use it?

The entire thing is a shit storm, every player seems to be against the end user (that is paying for everything, go figure). There's a protection racket on the form of patent rights enabling the shit to go on, but it can not reasonably survive on this shape for very long.

> Why would people value an SD card if the apps all refuse to use it?

Valid point, but the apps may just be refusing because most phones don't have an SD card anymore, and the authors are either being lazy or don't care (I don't know which) and simply failing to code in support for something they think seldom exists anywhere.

Although in my case, all my apps that I care about using the SD card are using the SD card. But then again I have 98% FDroid apps installed, so those may just be better behaved apps.

Curious, what phone was it?

Motorola Moto E4 (unlocked version).

Both of Samsung's flagships have microsd. I just wish they had a swappable battery and a flat screen.

Well even the existence of a Micro SD slot isn't enough. My girlfriend's phone had a Micro SD slot ... yet most apps refused to install there or write data there so everything was crammed into the 4GB built-in storage.

Ahhh Android - I only use iOS because I hate it slightly less

Samsung deserves a special shout-out for making their impossible-to-remove apps also impossible to move to remote storage, so their useless garbage takes up a solid amount of device storage even while disabled. It's frustrating how often smartphone customization/upgrading feels like an actively hostile process.

I recently switched from iOS to a Galaxy Note 8, and the sheer amount of garbage on the phone at setup is astounding.

I try to comfort myself by believing that sponsored app deals help keep device costs down, but it doesn't really work. I get that a few core apps (e.g. device-maker registration) are going to be permanent, but the deals for random unremovable crap like the NFL app are just insulting.

This is where Google should have a little foresight and mandate that new Android devices will need to have at least 32GB of on-board storage, for instance. I remember hating HTC for making phones with only 200 MB of free storage in the early days, while giving you an additional 2GB microSD card on which you couldn't install apps anyway. That hatred could have been avoided if either Google mandated a reasonable amount of on-board storage at the time (like 2GB).

If that happened, I wonder how soon apps will fill to expand the space. "Well, the user has at least 32GB on their phone, so we can take 30 of those, right?"

As someone who goes as long as possible without performing updates, this is exactly the reason why.

Example: Last time I updated my iPhone, the music app got an update and now they are trying to shove iCloud down my throat. Not to mention needless UI changes when I was more than satisfied with how it was before.

I understand this entirely, but there are some pretty bad iOS vulnerabilities out in the wild now (e.g. KRACK wpa2). It’s pretty dangerous to avoid updates nowadays.

I think what needs to happen across the industry is a complete decoupling of “feature” from security patching. Too many people are exposed because of exactly the kind of unwanted UI upgrades you describe.

Better have a bricked phone but secured phone? That is basically your argument?

Security is used to euthanize perfectly working systems and harass users for money. Security has become dangerous for the user in that aspect.

> Security is used to euthanize perfectly working systems and harass users for money

That's a cynical and paranoid mindset. Bloat is a lazy tendency not a malicious evil and developers tend to optimise for the latest and greatest if left unchecked and forced to consider backwards compatibility.

> Better have a bricked phone but secured phone?

lets just say don't do any financial transactions on the device or appreciate the general openness of your phone to malicious actors who might use it for nefarious purposes.

That's a cynical and paranoid mindset. Bloat is a lazy tendency not a malicious evil and developers tend to optimise for the latest and greatest if left unchecked and forced to consider backwards compatibility.

As a user, do I care whether my phone is unusable because the developers wanted specifically to render older hardware unusable or whether it was just through their negligence in failing to consider older devices? Stupidity or malice, the result is the same.

lets just say don't do any financial transactions on the device or appreciate the general openness of your phone to malicious actors who might use it for nefarious purposes.

I keep hearing this, but what's the actual presence of malware on Android? If you're not installing shady apps from the Play Store, what's your actual level of risk? Android, even old versions of Android, are far harder to reliably exploit than say, unpatched Windows. As long as you're not installing free-to-play flashlight apps that require every permission under the sun, I'd say your exposure to malware on Android is far less than it is on PC. For the average user, they're still probably better off conducting financial transactions on their phone than conducting those same transactions on their malware ridden laptops.

> Stupidity or malice, the result is the same

Yes but whether we attribute the intent to stupidity or malice is important as per the general health of our thought process. Its likely laziness combined with malice when its noted. I imagine a dev getting up in arms about package size and then when the issue is raised its not given high priority because someone twigs the convenient side effect. That's the worst case. Either way the mindset of paranoia is warped and self centred. Its not because they're thinking of forcing you to upgrade its more because they're _not_ thinking of you and instead the wide-eyed new sales opportunities that ship with greater disc space.

> I keep hearing this, but what's the actual presence of malware on Android?

oh wow, you're gonna play this game? I could tell you that its perfectly safe to trace the outline of a cliff with your feet and in many, many cases its going to be absolutely fine until the one case where the earth gives way and its not.

Let me put it this way; when I see the tagline:

> there are over a billion outdated Android devices

my first thought is:

> what's the most effective exploit to tap into that market?

the existence of security flaws encourages action and the hubris of not updating is the clarion call to those that exercise the exploits.

> I'd say your exposure to malware on Android is far less than it is on PC

This. What is this? This is complete conjecture. Get out of here.

> my first thought is:

> > what's the most effective exploit to tap into that market?

So??? What is it? Do let us know.

I'd venture to say that the fragmentation of that market makes it reasonably secure. Just like how the average router is incredibly insecure, and yet you don't advise people to avoid e-banking and just deal with their money in paper form and through face-to-face contacts.

Yes, you are technically right. But @quanticle is right, in practice: unless those users do some very stupid shit, they're pretty safe doing ebanking on their phones. (and those who do the "very stupid shit" are likely to do it on their computers, too)

Where are the Android LSASS worms? Or Android SQL Slammer? Or Android ILoveYou? Or Android NotPetya? Or any one of the literally hundreds of well-known malware strains that make the news every time they infect a few million PCs? Malware on Android certainly does exist, but the fact that Android has been out for this long, with this many outdated devices, and we haven't seen a single mass infection yet means that Android isn't as easy to exploit on a mass scale as people make it out to be.

I'm not claiming that Android is safe. Nothing is safe. But it does security professionals no good to be alarmists. If we cry wolf about literally every technology that ordinary people use, the result is not people giving up technology. The result is people ignoring security professionals.

If an ordinary user came to you and asked, "Where should I do my banking? On my phone or on my PC?" what would your answer be?

> I keep hearing this, but what's the actual presence of malware on Android? If you're not installing shady apps from the Play Store, what's your actual level of risk?

I wish I could quantify that. It's a hard task. But the store is not the only possible vector. On an old Android you're running a very outdated version of Chrome when looking at any pages / ads. That would be the most exposed/insecure element in the system.

Chrome on Android is updated separately from the OS release. Even old Androids have new Chrome. This is not the Safari-on-iOS situation.

The same is valid for the system WebView, but "only" since Android 4.4. It is updated via Play Store, independently from the base system.

I was responding in the context of:

> As someone who goes as long as possible without performing updates

I take that to mean without updating the apps either, not just the os. I've seen people reject any kind of upgrades.

there are bluetooth exploits and network adapter exploits which are for more localised fun.

That's one reason I'm still hoping for a Linux/Firefox phone.

> That's one reason I'm still hoping for a Linux/Firefox phone.

You should rather hope for GNU/Linux phones. Linux devices (without the GNU part) is most of the time, just another locked device (see your Android phone, router, TV, etc).

The presence of GNU software pieces (or any software licensed under GNU [LA]GPL v3+) ensures the device is free of locks (or with user breakable locks).

> The presence of GNU software pieces (or any software licensed under GNU [LA]GPL v3+) ensures the device is free of locks (or with user breakable locks).

That's not true, as the Linux kernel is still GPLv2. So while you could swap out the userspace GNU utils, the device manufacturer can still lock the bootloader which is perfectly fine with the GPLv2.

Even if the bootloader is unlockable (e.g. LG allows this btw), you will most likely be stuck to a specific kernel version due to proprietary binary blobs which nearly every phone uses.

So instead of a GNU/Linux phone, you should rather hope for a phone with complete open source drivers (or a GPLv3 kernel).

> That's not true, as the Linux kernel is still GPLv2. So while you could swap out the userspace GNU utils, the device manufacturer can still lock the bootloader which is perfectly fine with the GPLv2.

Yeah, probably. But the presence of packages like GNU libc can make it harder for the manufacturer to lock the device.

> ... kernel version due to proprietary binary blobs which nearly every phone uses.

Sadly, binary blobs are always an issue. In the case of Linux, this happened because many Linux developers don't care about binary blobs. If they did, you won't see any binary blobs (as it is a violation of GNU GPL).

> ... with complete open source drivers

My main point was to quote that 'open source' doesn't solve these issues. We should take software freedom more seriously.

> ... (or a GPLv3 kernel).

I wish we will not have to wait until the human civilization end in fire to see this.

> this happened because many Linux developers don't care about binary blobs.

It is mostly users, not developers, who don't care about binary blobs. The users then take the "pragmatic" approach of using binary blobs, but hey, stuff works for them.

See also the Nvidia binary driver. Who is the advocate for that? Users (hey, never had a problem and it runs my apps very well) or developers (whoa, we cannot develop Wayland/etc with this)?

> It is mostly users, not developers, who don't care about binary blobs.

Partly yes, but mostly No.

You are right that most people don't care about binary blobs. But the people who can enforce this are the developers. If all developers agree and enforce this, no on can include binary blobs in Linux kernel.

Also it would be wrong for a mere user to try to enforce it by law, because it might piss off the developers, which is really bad. Also, it might not withstand in court because the developers don't care.

> The users then take the "pragmatic" approach of using binary blobs, but hey, stuff works for them.

"pragmatic"? Most of us are concerned about our immediate problems, and thus we end up with temporary solutions (most of the time), sometimes because we don't have choice, sometimes because that's easier.

I recently got an ASUS eeepc which doesn't have graphics support, because when it was first released, the only support was a binary blob, which is now abandoned.

We will eventually face issues with these binary blobs, for sure. As we know, each day, new vulnerabilities are being surfaced.

But yeah, most of us won't care, until and unless something happen. But by then, it will be too late. Just like how many of us consider the importance of time only when we know we don't have enough.

So I don't think it is "pragmatic" in long term.

> Also it would be wrong for a mere user to try to enforce it by law, because it might piss off the developers, which is really bad. Also, it might not withstand in court because the developers don't care.

And yet, it is the users who have the ultimate power over developers of such hw/sw. No, not courts, that's the entirely wrong solution.

Their wallets.

Such solutions are being developed only because there's money in it. It is only up to the users, whether this factor is true or not. If they care about sources, they would not purchase hardware that requires blobs. If they don't care, and reward the developers with their money for the blobs, whose fault it is?

> Yeah, probably. But the presence of packages like GNU libc can make it harder for the manufacturer to lock the device.

glibc is LGPL, so I don't see how that should change anything?

> (as it is a violation of GNU GPL).

IIRC it's a gray area.

> glibc is LGPL, so I don't see how that should change anything?

glibc requires libgcc[0], which is GPLv3 (with runtime exception). The same for libstdc++[1].

[0] https://gcc.gnu.org/onlinedocs/gccint/Libgcc.html [1] https://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html

The runtime exception makes it possible that everything else is proprietary, locked and unchangeable. Which actually is okay for apps IMHO, because I would want to run proprietary software like games (sandboxed of course).

The kernel really is the problem here and where there's no GPLv3 code used at all.

There's not much left to hope for as every platform that attempted one has fizzled out.

You can already have a Linux phone.

But it doesn't run my banking app.

Your bank doesn't have a website?

Yes, but it requires the use of a dongle/calculator to access it, whereas the app just requires a personal code.

Go ask your bank an app for Linux.

Most banking apps are available for Android, which uses the Linux kernel.

Yeah, it uses the Linux kernel, but I wouldn't call it a "Linux phone".

I'll grant you that GP was being pedantic but he is also correct. The only part in Debian/RHEL/Arch/whatever that is Linux is the kernel. "Linux" only refers to the kernel. So technically Android is also a distribution of Linux.

I think what you're arguing is that Android isn't GNU/Linux or that Android isn't libre like what we've come to expect from desktop distributions of Linux.

How about Purism's Librem 5? https://puri.sm/shop/librem-5/

Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers.

Isn't out yet and from what I can tell they haven't released much info about it yet. Maybe will be worth revisiting the idea when it's actually released.

If they release it with the slow outdated i.MX 6 CPU it will be terrible. Let's hope it will be the i.MX 8.

It’s not “perfectly working” if it is wulnerable to many hacks.

Google kind of does that but OEM does not seem to implement them into their phones.


What's the worse that could happen?

Do you mean the worst that could happen to you personally or the worst for everyone?

When your device is compromised by hostile actors I guess it depends on what your nightmares are, but getting framed for child pornography and/or blackmailed for it is a popular one. Or getting your cloud accounts hijacked and all your stuff compromised. Or getting the bad guys access to your employer's network. Etc.

Collectively a widespread Android device botnet could take down a lot of infrastructure, or start a war, or ruin everyone's days with ransomware. I'm sure more imaginative people have thought about it.

1. Ability to passively decrypt network activity (KRACK).

2. Ability to throw a fully persistent implant onto the device (via Wi-Fi exploit + pivot to AP kernel exploit)

Most phones already come with two persistent implants - the user-antagonistic OS, and the baseband processor!

I'm all for trusting computing devices to act as one's agents, but attempting to do so with anything resembling a modern mobile phone is barking up the wrong tree.

Even though just having one means taking the location-tracking hit from negligently designed cellular protocols, further exposure can be mitigated by using these little snitches for as little personal activity as possible.

At some point, reckless behavior affects people beyond the individual. I am irritated that people allow their systems, networks, devices etc to become compromised, thus becoming the assets of malicious actors. Most of the people in this category have are not particularly savvy, which doesn’t give them an out so much as it explains the predicament. However, you are demonstrating that you choose to be in this category, despite understanding the problem. You are letting your personal convictions get in the way of good judgement. You now shoulder responsibility for knowingly making the world a little less safe for the population at large.

It's very fucking weird that by pointing out the larger non-corporate context of digital security, it's being inferred that I deliberately do not secure my devices. I guess by not toeing the AppGoogAzon "Security (TM)" marketing lines, I just end up in that "other - outsider" category, and must be wrong.

I already explained a mechanic of causality whereby assorted end nodes being owned up actually increases our security, as it helps keep at bay the simplistic/totalitarian philosophy of tracking/controlling communication. But don't let that get in the way of the malunderstanding that is ultimately driving this nebulous desire for promised "security".

Your phone will probably turn up in a botnet soon enough, but atleast you had the moral high ground.

Do you have an actual number for "probably" - assuming normal browsing habits (i.e. not to the sort of porn site with a higher likelihood of installing malware), and an outdated version of iOS or Android?

How is that number changed by not using public wifi?

>i.e. not to the sort of porn site with a higher likelihood of installing malware

Porn sites are not where most malware comes from. Ad networks are. I've had more attempts at virus and malware installs from 'legitimate' sites that have had poor control of their banner ads.


>How is that number changed by not using public wifi?

You are, quite falsely, assuming that non-public wifi, say your friends house, is any more protected.


I'm not assuming anything: I asked a question, rather than stating a fact.

"Not significantly" would be a valid answer to the second question. However, you seem to be answering "are home routers entirely secure?", which wasn't my question: my question was about real-world risk levels (i.e. "_are_ public wifi points significantly more likely to deliver threatening payloads", not "_could_ they be").

I'd still be interested in an answer to the main question.

Oh no, not a month's allocation of mobile data down the drain!

An impersonal passive botnet would likely do less damage than status quo "apps" that are built to siphon as much personal data as possible.

Never mind these few Mifi devices that I have - default configs that listen on wan telnet with static passwords! Well known domestic manufacturer, not worth attempting to report - the manufacturer obviously did not care, has long moved on, and there's countless other models with the same problem.

The panacea of every node being secure with an identifiable owner fell apart long ago. You can either cling to that belief in a fundamentalist manner (and prop up the totalitarians who wish to track communication ever more). Or you can work on understanding how non-technical people actually attempt to moderate their own exposure to these insecure-by-design surveillance devices.

You should install security updates. Period.

You don't help anyone by feeling better because instead of having the vendor maybe sniff on you, a hacker can do it instead.

I also haven't found any apps yet that intentionally waste my monthly datacap.

Sure, and I didn't advocate doing otherwise. My point is the larger context - there is no "secure" on mobile.

Likewise, my point about losing a datacap was that it was preferable to having more personal info backhauled into commercial surveillance databases. It's not an either-or and I'm not desiring either one - just calling attention to the larger context of user-security versus the myopia of marketing/corporate security.

There is secure on mobile. Secure is not a binary property, it's a spectrum of options and possibilities which heavily depend on your environment and your threat model.

You either get security updates at the possible downside of sending more data to some database of a known vendor or you get the very possible risk of being part of a slide on DEFCON Fail Panel by some unknown blackhat.

I choose a known advesary over an unknown any day.

At its core, digital security is a binary property equivalent to mathematical proof. Since universal security is neigh impossible (two people can keep a secret if both are dead), we then predicate it on various trust relationships / threat models - what one is secure against.

The modern non-technical but security-conscious person concedes that their devices are pwnt by (ie they are forced to trust) AppGoogAzon anyway, and simply shies away from trusting technology. The phenomenon is what it is - I'm not advocating for it, but advocating for understanding it.

Furthermore, are you saying that you actually know all the players in the commercial surveillance industry?!

I'd appeal to your same argument of known versus unknown, but point out that at least the motives of the rando blackhat are known. Whereas the surveillance industry will be innovating new ways of monetizing their malicious databases for the next century!

That's a rather narrow mindset. As previously explained, security is not binary, even in the circumstances you mentioned.

I don't know all the players in the. Surveillance industry but I'm not as paranoid to believe they are worse the. Black hats.

You probably also have little probability of knowing the actual intentions or motives, which actually helps little in threat mitigations.

It's not a "narrow mindset", but a formal basis that fosters analysis.

It's true that drive by black hats could be looking to snarf up all the personal information they can, and selling it into the corporate surveillance databases. I just think it's less likely than they're looking for a quick hit to defraud some banks.

It's not a matter of "paranoia" (there we go again with the handwavey maligning subjectivity!), but of looking at the outcomes. It's paradoxical - the things we think of as "bad" really are not that worrisome, because the shared goal is to correct them. Meanwhile the things we think are "just the way it is" form an insidious creeping trend.

I have very little fear of say my bank account being drained, because if that actually were to happen, then we're in general agreement that it will be made right - from bank policy on up to common law. Whereas if my de-facto mandatory insurance rates mysteriously double, there is both little immediate recourse and many people will even argue in support based on the just world fallacy!

I'm honestly quite surprised people went to the trouble of downvoting all of your comments on this thread; I think people are talking past each other and missing the bigger point that some threats are being ignored because of their insidious subtlety.

As another comment mentions; security is not binary.

Binary Security is a sign you failed at security. You can be not secure at all, somewhat secure, etc, against a set of threat models or anywhere in between those steps.

Whether or not you have properly prepared against a threat model and you are confident in defending against it is a binary property (or rather, two binary properties) but the underlying security is not.

> Most phones already come with two persistent implants - the user-antagonistic OS, and the baseband processor!

I don't trust Apple or Google to have my best interests at heart at all, but I am quite confident that neither of them will literally try to extort me with ransomware or kiddie porn. It's weird that you're equating the two.

Most people are willing to accept the risk that the NSA is listening in on them. Most people are not willing to accept the risk of an arbitrary person being able to steal their identity.

That already happened as a result of Equifax. Your SSN is no longer secret...so rejoice, you are free to choose whatever phone you like!

Sadly, the world is not America and most people on this planet are unaffected by the latest problems of America.


Naturally. For some reason my brain treats those two phrases as equivalent.

Like 95% of the world, I don’t have an SSN.

Even if every American owns one of those outdated Android phones, 2/3rds of the phones would still have to be owned by people who don’t have SSNs.

If one's "identity" is so bland that it can be trivially "stolen", then perhaps it's not much of an identity after all.

For people living in America an identity is a name, date of birth, mother's maiden name and SSN. If you lose these, you could be the victim of fraud.

But you already knew that didn't you? You deliberately misinterpreted what he meant by identity theft.

Mexico and Brazil use SSNs?

I am a USian. The nonsensical concept of "identity theft" has been promulgated by the surveillance industry to avoid responsibility for their own negligence. A person cannot become a "victim of fraud" in the way you describe. The banks are the only parties that stand to be defrauded, and they could avoid this by stopping to pretend that a few bits of semi-public information is enough to identify a person. So far it has been more profitable to keep the gravy train of easy credit rolling, which is fine. But that doesn't mean we should bear the burden for them!

When someone earnest talks about their "identity being stolen", I prefer to think of them as complaining that one of their friends bought the same pair of red Nikes or whatever.

This all might be true, but as a reason to not install patches, it still makes no sense. If you don’t trust the baseband or the OS, why did you buy the phone to begin with? You trust iOS n, but not iOS n+1?

One is forced to buy a phone, as an expectation/requirement of modern society. This does not imply they wish to spend even more money in support of the broken ecosystem every year/six months/etc.

You're not forced, particularly not to get a smartphone.

You're trading off convenience.

Similar questions were likely asked by owners of insecure routers/cameras before they got hit with Mirai

If only security updates were unbundled from feature updates one could update with fewer worries.

Multiple release breaches are a pain for many reasons. It's very unlikely that companies would spend time doing that, even if they were given a chance to do so.

I can certainly see why multiple branches aren't popular - device fragmentation is bad enough without trying to identify which update branches are affected by some new security bug.

That said, I think companies that require up-to-date devices for security fixes deserve less leeway about the contents of their non-security releases. I've gotten multiple smartphone updates which I considered entirely harmful - they traded cosmetic or vendor-friendly changes against worse battery/performance/usability - and I think "let us break your device or you can't have security" is an unacceptable proposition.

Exactly. Apple needs to separate UI and security releases until they can work out the bugs. So many issues with new updates and UI glitches.

It's more than UI changes: the update from iOS10 to 11 removed support for 32bit applications, rendering dozens of applications that I use daily (and have paid for a lot of money) unusable. So now I have to decide between two bad options - not being secure or losing all that invested money.

With the incentive structure of updates with certain popular software not supported by other revenue, you're always going to get a worse version (more ads, less features), to such an extent that I turn off all updates and only whitelist a few. Permissions are the ways to lock down phones, and security patches, not the permanent beta that is updates.

Security, basically. If you care about your privacy, you should care about security (can't have one with the other). You need updated phone for that.

That shouldn't be the trade-off, though.

I think your average smartphone owner doesn't understand all this anyway. They look at their 3-year-old phone and say "it works fine and does what I need it to do", look at the new ones on the market and say "I don't see anything compelling there to justify that price tag", and so they don't buy a new phone. Most people don't realize that their phone has gaping security holes in it that will never be addressed.

> That shouldn't be the trade-off

Right, but it is the tradeoff.

Of course it shouldn't be, but unfortunately it is.

On the other hand, if you care about privacy, then not updating your apps often helps too.

Damned if you do, damned if you don't.

I think if you update often enough (at least when some vulnerabilities found), you're more safe than if you don't.

Except many times the update will ask to expand its access to information in your phone it shouldn't need. So you choose between explicitly granting permission for unnecessary data access or don't update and hope you don't get owned via a vulnerability in that app.

Those are the apps that I remove from my phone. Holding my security hostage to get at more data? Deleted.

So instead of finding someway to block or spoof a developer telling you they need different permissions, you'll wait around until some hacker breaks into your shit feeling like you beat the system?

In an imperfect system, you end up with imperfect solutions.

This is a tradeoff. Do I accept the developer demanding access they do not truly need, or do I accept the risk of a hacker gaining access to my phone through the developer's application?

If a hacker gains access to my phone through the developer's application, what do they gain access to? At the maximum (hopefully! unless they springboard to another hack and pwn your whole phone or other applications) they have what the application has access to.

Attack surface management is a lot more complex than just "always stay on the most latest shitware that the developer can shove down your throat"

Not having a smart phone is probably up there with being serious about security.

Fully agreed. Running a smartphone and worrying about its security seems at odds. Rather, we should treat our "phablets" like public, insecure terminals, with "spy" sensors anyone can access given sufficient effort.

I think you mean not using mobile internet through cellular or Wi-Fi networks is being serious about security.

Security isn't as big of an issue with many of these devices as you might think. Unless it is years out of date, Play Services still gets updates, the system web view still gets updated, Chrome still gets updates, and in many cases the vendor will still roll out an emergency patch if there is something serious.

That's a huge guessing game, though - remember StageFright? You could have a phone with an up to date Chrome, up to date Play Services, and still be trivially exploited simply by viewing a standard video file. (Not to mention wondering which of your apps uses an out of date embedded web view)

I would submit that the number of people qualified to safely make (and update) that risk assessment is extremely small, and all of them would recommend updating to a version which patches problems rather than hoping you can dance around them.

StageFright was patched on a LOT of devices that "no longer received updates". The concern with embedded web views is overrated, as Android actually updates those via Play Services now.

For all of the talk of how awful this is, actual exploits are almost unheard of.

- Bluetooth driver does not get an update - SSL is not updated - kernel is not updated

Whether or not security is important depends on what you do with your phone.

I don't use my phone for banking or payments and there are no compromising pictures or dangerous files on it. I don't have a pressing need for Android's latest security update.

Well, that's not a real issue, is it? It's purely a decision from the manufacturers to be assholes to their customers. There is no technical need that'd prevent them from creating updates. Especially Samsung (which also produces the SoC in-house for all relevant markets).

Hmm. It's all Google's fault. I don't have to wait for the manufacturer to update my Windows PC. Heck I was able to install Windows 7 on a Mac Mini without any support from Apple. Not to mention I updated a 9 year old Dell Core 2 Duo to Windows 10.

Windows has mostly kept a stable driver API.

And whenever they broke that API, that actually happened — suddenly updates stopped being usable by your system.

Also, be aware that ARM has nothing to enumerate devices, has no BISO or UEFI. An OS image will only ever work on a single device.

As I detailed in another comment in this thread, the issue is this collision of the Linux concept of mainlining everything, short support windows, manufacturers that can't update drivers for every microchip they sell all the time, and Google and OEMs somewhere in there.

It's always been a clusterfuck, Google didn't create it, but they sure made it worse.

Windows driver API has been far from stable from Windows Vista. One of my computers came with Windows Vista (a 2009 Dell Pentium Dual Core - not the Core 2 Duo I referenced) and it still runs Windows 10.

Microsoft provided drivers for the standard PC hardware that was in my 2006 Core Duo Mac Mini and Windows 7 recognized all of my hardware - usb, sound, graphics, Bluetooth, Ethernet etc.

Microsoft goes out of its way to provide drivers for the most popular PC hardware. Mac OS is Unix (i.e certified by the Open Grouo) and doesn't have that problem.

Edit Rant:

But why are printer drivers still a thing? Apple introduced AirPrint for iOS 4 back in 2010 and for MacOS a few years later. I never have to worry about printer drivers when I update my OS. New printers bought in 2017 work perfectly with my 7 year old iPad without having to worry about drivers.

> But why are printer drivers still a thing? Apple introduced AirPrint for iOS 4 back in 2010 and for MacOS a few years later.

Have you looked at the unimaginable amount of crap a typical Windows printer driver forces upon you? It's not just the driver, it's usually also a stripped down license of some image editor, an "update agent" (because Windows 7 does not have an "app store" or a centralized driver distribution that does not phone home like Windows Update does and often enough carries fossilized drivers only), a toolbar for multifunction printers, a watcher that nags you to buy new original cartridges, a scanner agent because there is still no standard for scanning without drivers, much less so over network or cross platform, a selection of adware... and God help you if you have printers or MFDs from different vendors.

The only way to not have this ridiculous mess is buying enterprise printers - for example, the Z2100 plotter drivers are 4MB for Windows, and 16MB for the manager app, while the Photosmart printer driver can only be had as a part of a 145MB download, there is no such thing as a "driver only" package in the consumer space. In enterprise environments (or small offices) the situation sucks even more because you can't really deploy them via GPO, you have to extract the drivers by hand.

Your problem may be more your choice of vendors than anything else. HP's big printers (e.g. M600 family) are still pretty nice, but I've started to avoid them for anything smaller, and god help you if you look at the truly low print volume stuff from them.

HP printers are excellent in terms of hardware build quality: the Z2100 plotter in my company is a decade old, of which it stood 6 years around unused - gave it a full cleaning, new cartridges and heads a new carriage belt and it was back to mint condition. Oh, and there are still new cartridges and ink tanks made, and there are still recent drivers.

And for most of the consumer gear from HP it's the same: even for really old stuff you can find new tanks/cartridges, drivers for new and old OSes and I've yet to see a HP printer fail in a way I could not fix myself with a service manual.

The problem I always ran into was customers getting the consumer gear and wanting me to make it print from their server, with drivers only from HP and no support for server operating systems.

My response to anything HP that wasn't good-sized obviously-business-targeted printers became "I can probably make that work, but it's going to cost you more in my time fiddling around with it than just getting a more appropriate printer."

One area in which MS was lackluster upon drivers was some of their own products - for example the force feedback joysticks, still on sale at the time, never got a Vista driver out of MS and became a glorious paper weight overnight.

That and apart from an initial few months of unstable GFX drivers, was utterly solid.

On a side-note, I believe Core Duo2's was the last Intel chips to not include any form of inbuilt `management` silicon and as such,still favoured by some paranoid/security prudent types.

Have you looked at the unimaginable amount of crap a typical Windows printer driver forces upon you?

Yes. I go out of my way to run a clean crap free Windows PC. Even going as far as either buying from the business line of laptops or buying from the Microsoft store. But the minute I install a printer driver....

It's even worse for people like my parents, they search online for printer driver and usually end up downloading crapware from a third party site unaffiliated with the printer manufacture.

Check printer specs first and select something with built in PCL or (better) Postscript support. With native Postscript you may even be able to just get a PPD file as the "driver."

Won't help as much if you want color though, particularly inkjet color.

And for your parents, see if they're putting the current year on searches - on Bing and DDG that ends (or did end recently) in much worse results because the original sites often don't include dates but malicious ones have all the same keywords plus the year. In my recent experience adding the year meant > 90% malware results on the first page.

Google was much better about this a month or two back.

Still, Google could impose update requirements for Play Store access, for example.

Regardless of stable driver API or not, it is up to the OEMs to make it happen, if they actually cared about it.

I am pretty negative about Project Treble, it won't change anything, because only Oreo devices have it (0.3% currently) and OEMs are still expected to be the ones pushing the updates.

Why does the kernel and driver ABI matter for upgrading userland? On desktop Linux I can by and large use a new kernel and chroot into an old install, or vice versa, and things still work. It would seem that Android userland is unnecessarily coupled to a specific kernel version. It should be able to upgrade independently.

Agreed in principle, but a decent amount of the new security features present in more recent Android phones are due to new kernel features. It's just a sign of the relative immaturity of the platform that this is the case.

Can you provide some detailed examples of that being the case? Genuinely curious to know.

Usually I hear that sort of thing and think somebody isn't being creative enough with fallback behaviors for when the feature isn't there, but I guess it would depend heavily on what the feature is.

I guess I probably misspoke. I was thinking about https://android-developers.googleblog.com/2017/08/hardening-... ... but those certainly don't require userspace changes (probably). And even the case where you'd want the new kernel features (but can't upgrade due to driver ABI incompatibilities), they've backported to several old kernels that are in wide use in Android... though I note that my 2-year-old phone is on an older kernel than most of those features were backported to.

> Also, be aware that ARM has nothing to enumerate devices, ...

Isn’t that the purpose of a device tree?

Your kernel brings in the device tree with itself.

It is primarily to allow the drivers linked in the kernel to detect whether they should load and try to talk to hardware. It doesn't replace bus enumeration when running on totally unknown hardware.

Basically yes, but that's often not good enough either. Lots of third party code OEMs end up with in their kernels, unmaintainable, and often incompatible with anything.

Well, it's not true that "ARM has no method to enumerate devices". It does have that; it's just that hardware manufacturers are bad at using it properly. (That's not to say it's not a huge problem; it's just that it's an economic/business/social one, not a technical one.)

I mean, it sort of does and sort of doesn't, but the hardware manufacturers just aren't used to thinking about things in the proper way. Just like the hardware is a black box with no user serviceable parts inside, as far as they're concerned the firmware (because that's still how they think of the OS and everything on it) is a single binary blob with no user serviceable parts inside, even if it's actually just linux and Android. And just like all the hardware parts are designed and qualified for a particular design, the same goes for the software: when you buy your hardware you get a software with it and that's that. As far as they're concerned it's just another component like a screen that gets customized to work with everything else and goes in the box, then is never touched again.

Now waitasec...

I own Crappy unupdated Android one of. And the drivers use the Linux kernel. Last I checked, they need to release source for their drivers.

So where is it? And why can't we upstream those patches and "fix" android?

Maybe they pull the stuff Nvidia does: write an interface kernel module, then have the driver itself in a library that the module loads. Since the actual driver is never part of the kernel tree...

It's much simpler.

The OEM never releases the source.

And courts have decided that it's not enough if you have some contributions to the kernel yourself or are a user to force them to release it, you have to have made significant contributions to force them to release it via the courts.

And Torvalds and the major kernel maintainers all refuse to enforce the GPL, and actively campaign against doing so.

> And Torvalds and the major kernel maintainers all refuse to enforce the GPL, and actively campaign against doing so.

Two questions: why? and why use the GPL if you’re not going to enforce it?

Are kernel drivers subject to the GPL just because they use the Linux ABI?

It'd be a long legal discussion to properly answer your question, but luckily OEMs make it easy for us:

On most phones, there are zero external kernel modules loaded. The SoC vendor bakes it all into the ketnel, and the OEM gets the kernel as a blob. Which means all of it is subject to the GPL.

Yep, I had to go sleep (yeah, that dreadful thing!).

But this was my main area of attack. You compiled the drivers directly into the kernel. Making it all GPL. Now, as a strict reading, I have to have the device to make the request. That's not difficult. Ive phones from a lot of US named companies.

I just want the rights enumerated in the GPL as granted to end users. I'm no kernel maintainer. Just a cranky person who wants the GPL enforced as any license.

> I just want the rights enumerated in the GPL as granted to end users. I'm no kernel maintainer. Just a cranky person who wants the GPL enforced as any license.

Yeah, it turns out it’s not that easily enforcable. There are still court cases going on, but the current legal situation seems to be that unless you’ve contributed significant code to the kernel, you have no legal leg to stand on.

Because the OEM is simply saying "yes, we violated the GPL, and infringed the copyright of the developers", but the only ones who could sue against that would be devs that contributed significant amounts of code.

> And why can't we upstream those patches and "fix" android?

It's a lot of work, who is supposed to do that?

Some bits of the N900 kernel are still in the process of being upstreamed afaik.

It doesn’t help that not every manufacturer (especially ones from China) don’t release the source code. And when they do, they sometimes contain opaque binary blobs that don’t tell you what is happening.

Most of the time, such a source release means "patching binary blobs into the source".

The source helps little since it's just opaque garbage with little to no meaning.

Your PC, including your Mac Mini, has BIOS/UEFI/other firmware with both boot-time and run-time services. Additionally, it has a hardware, whose sole purpose is to detect and enumerate all the other hardware.

Mobile phones and other embedded devices have none of this.

There was nothing stopping Google from designing such as system -- just like Microsoft and Intel did.

There are many reasons.

First, Google didn't design anything. They were looking for partners for their OS and these partners used their existing design. The first HTCs were almost identical between their Android and Windows Mobile versions.

Second, there are reasons why the embedded systems do not have them. Apart from increased complexity (bad for the designer and manufacturer), increased energy consumption (bad for consumer, and being a competitive disadvantage too), very few of both, embedded devices manufacturers and customers, even count on using other software than the one supplied. From the point of view, there every cent of saved costs on the device makes millions in margin, that would be wasted money.

Google didn't design the operating system? Microsoft didn't design computers either but they have been steering PC manufacturers for over 20 years since Windows 95 and the plug and play initiatives.

Google didn't design the hardware - when we are talking about firmware, booting, pci enum, etc, we are obviously talking about hardware. Their partners did and they reused their existing design.

Microsoft basically strongarmed the PC vendors - they either did what Microsoft said, or didn't ship Windows with their wares. Windows, which was the only game in the town, if you wanted to sell PCs.

Google didn't have such luxury when they started with Android. They needed to be everyone possible to be with them onboard and the "lets throw out everything you have and design new hardware from scratch" doesn't make for a good start.

In mobile, Microsoft also reused Qualcomm's reference design. But contrary to Google, they used ONLY Qualcomm's design, that's why their system looks united. All the WP phones are basically the same board.

So now almost 10 years later, what "other game is in town" that stops Google from taking more control over the hardware except either incompetence or neglect? You won't sell many Android devices that don't run Google Services in the West.

They do design their hardware now. See how they bought HTC.

However, that does not mean you will get an open device now. When was the hardware openness so important, that it played a major role in purchase decision at statistically significant rate?

For 99,999% of people, it doesn't. They want an appliance that works out of the box, without bothering with alternate firmwares. So that's what they are getting.

There's no motivation to put UEFI and PCI into the hardware, just like there wasn't 10-15-20 years ago, when the first designs were made.

No, it's the carrier's fault. The carrier locks down your OS.

The carrier doesn't lock down iOS. Every iOS user worldwide can update to iOS the day it is released if the phone is compatible.

This is a function of market share and customer loyalty, and thus Apples ability to tell carriers to f-off. iPhones will sell regardless whether the given carrier does sell them or not.

On the other hand, iOS updates do cause problems and then it's the carriers, who scramble to modify their networks to make iPhones work (remember when Brits didn't have mobile data for a few days after an update?). They would not do it for Xiaomi or Sony.

Apple rested control from AT&T and the few mobile carriers around the world that were selling the iPhone during the first year with less than 10 million devices sold. There was no reason that Google couldn't do the same. You even had to wait for Nexus updates back in the day that were sold by Verizon.

Apple already had loyal customers, who were ready to buy the devices without regard to mobile operators. iPhone was just continuation of computers and especially iPods.

Also true for Windows 10 Mobile. (My phone gets an update today, why doesn't yours?) Android is the only smart phone platform that carriers still have a say in.

That was not true for Windows 10 Mobile. Some devices never received the update.

What was indeed the insult on top of the injury - the WM devices were all Qualcomm Snapdragon devices. They were never so varied as Android devices are.

It was not true for Windows Phone 8, and therefore some carriers interfered with the deployment of the upgrade. It is true for Windows 10 Mobile, however. If a device is supported for Windows 10 Mobile, all updates are carrier independent. The "Upgrade Advisor" app Microsoft released to the Windows Store effectively allowed you to circumvent the carrier and upgrade to Windows 10 Mobile, replacing the Windows Update source for your phone with Microsoft's.

Ah, so that is how it went. I knew some devices WP devices (didn't note version) never received the updates.

However, the part about them all being the same Snapdragon devices with slightly different cases, cameras, etc. is still true. Microsoft doesn't have to solve how to make a release for Exynos, Kirin or Tegra devices.

The other neat thing they did which included WP8 was that their Developer Preview would do the same thing with the Windows Insider app. If you signed up for test builds, you'd get updates regardless of model or carrier, to the latest build offered. (And a lot of never officially supported phones can use Windows 10 via this method.)

That being said, this was only kindasorta a good thing, because it didn't always have working third party drivers attached. My old Samsung ATIV SE was super glitchy, particularly in the touchscreen department, when I upgraded my phone absent Samsung's blessing.

But it was one more place Microsoft kinda demonstrated even their mobile OS builds were more or less hardware independent, which is a huge contrast from Android.

They have no incentives to do so. I would like Samsung to make it into a business. Have folks pay 5 dollars per year if they want to get ongoing security updates for older devices. I would pay in an instant.

For reference Red Hat charges around $425/yr for extended support. Obviously the situation is different because Red Hat has a lot more software to support but they also have a fewer products and more customers that care enough to buy it. But I think the upshot is that a $5/yr extended support contract is a bit of a pipedream.

Just as an order of magnitude estimate we're assuming that it's about 100 times more effort to continue maintenance of a general purpose Linux based OS than a general purpose Linux based OS on specific set of hardware. And that's before you realize that the market for this support contract is just frugal IT people with specifc Android phones that haven't worn out from use. So not much luck with a 'we'll make it up in volume' analysis.

Google is maintaining Android so why would you assume it would cost massive amount of resources for Samsung to port or backport some security fixes now and then? The comparaison with Debian does not make sense.

Exactly. Why did you think Oracle wanted to muscle in on that?

There is Lineage OS which supports many Samsung devices with the latest android, completely free of charge.

Maybe those little phone repair shops should offer installing it for a small fee as a service.

There is also postmarketOS which attempts to bring a standard Linux distribution to old phones, but it's still in an early stage.

LineageOS? you have to download its roms on shady websites. No thank you.

I don't think not providing updates makes them assholes. Its just the reality of the traditional software model gradually becoming obsolete. They paid the developers to write software, and as a consumer we paid for that software. The cost of additional development has to be borne by someone. The success of the subscription model from biggies like MS, Adobe, Blizzard, SAAS startups, etc has shown that atleast one other model is viable. Its up to others' to show that there can be others.

I have a rooted device, so I can basically make apps do what I want and stop them from doing what I don't want. IMHO that's far better than Google's vision of "security" where they want to be in control and even consider the user an attacker.

How much of a solution is rooting a device for 1 billion users?

Probably more feasible for some of them than buying a new phone, at least.

I think every device should ship with root by default, it's the case for computers, I don't see why phones would be any different.

Because computers don't come with an app store that contains tonnes of crapware. Even if they did, people would install a smaller variety of apps.

I see phone repair shops at every street corner, I don't see why they could not offer this as a service.

Yeah why didn't I remember to tell my mom to just root her phone? I'm sure that will work out well for both of us.

I had a quite high end Android phone from Sony 3 years ago but because it's dual SIM version I maybe receive only one update. I'm running Android 5.0.2 already for 3 years now. My phone works still well but who can count the vulnerabilities I have now on my device...

OK, but it means a billion android devices are vulnerable to various attacks. It would be cool if we could have, idk, backported security fixes for devices that hold tons of critical information?

I'm a little surprised that this is happening on the complete market. Usually when you get less modifyable versions of a product to serve a more broad and simple userbase, you still have these edge cases for tinkerers. There's certainly a big market for that but for some reason nobody is trying to serve that market. Not even relative new comers like this Chinese company Xiaomi or what their name was.

I'd certainly spend $100 more for a configurable phone.

> replacement parts for models several years old are still plentiful.

Data point:

Just replaced a battery in a six years old Samsung smartphone in 20 seconds. It did not even cost me $10. Incredible value compared to the hassle to do this on todays phones, if it is possible at all.

I have an old tablet that doesn't seem to "catch" new updates from Samsung anymore. Perhaps it would be worth rooting or something just to get it current? I would "upgrade" the software if it was available. Buying new hardware isn't something I will do in most situations--the device has to become non-functional before I consider it.

See how Windows 95 & XP turned out. Its full of holes and still being used. We still can't get rid of it.

Can't get rid of Windows 95?

I see a lot of XP computers around, but it's been years since I've seen a 95/98/ME computer.

(Actually, now that I think about it, I think my dad still had a 98 or ME computer two years ago so he could use an old scanner.)

OK 95 is mostly gone, but more people use XP than Macs and Linux combined, according to http://www.netmarketshare.com/operating-system-market-share....

Exactly, my phone is marooned on Android 6.x, and I really can't say that I care about this at all. I'll replace it after it is a few years old with something newer and similarly inexpensive.

Yeah, but if they're not being supported anymore it's not ideal.

How are you so certain obsolescence is planned?

I have seen a prepaid device literally self-destruct from a combination of market segmenting and artificial firmware restrictions.

Edit: There was no CM support, no way to delete bloatware, forcibly disabled SD storage support, and non-optional updates that eventually rendered the device unusable. The two end-user choices were to either remain offline or get stuck in "not enough free space" loops.

Sounds like my Republic Wireless Moto X running Android 2.3 from 2013. It still works, but usability has degraded significantly.

Did you look into Cyanogenmod/LineageOS?

I too am running android 2.3 on my aging phone, thanks to cyanogenmod. Unfortunately, they do not provide any newer version for this particular model.

The case is all scratched up, the protective glass has been replaced two times already (and is up for another replacement soon, touch tends to stop working on cold days in bottom part of the screen), but I am holding on to it, because I haven't seen any newer phone that I wouldn't hate.

They're all either too big (remember when it was cool to have as small phone as possible?), or they lack features like unlocked boot or even a SD card slot.

I'm thinking of going back to some dumb feature phone, if I can find one with good support for importing contacts from outside.

No updates for Android devices pretty much confirms this.

That's quite the opposite. It's hw companies not used to having to support their stuff after it leaves the door. To keep supporting this, they should plan/calculate this in from the get-go. They don't plan anything, so now you have devices that don't get updates.

Supporting/updating devices requires active planning, but then you get cries over companies that actually do perform updates and get the whole 'planned obsolescence' conspiracies.

Android device manufactors are not solely hardware companies. Samsung surely is not, they do publish updates for some time, then they stop doing that. This is planned. As time progresses your device becomes less usable, not because of the hardware, but of the software and bugs/security issues within.

So if your (example) Samsung device gets updates for 2 years, then the planned obsolescence for that device is 2 years + a few months. The amount of months depends on the severity of the security issues discovered. Also, it may not be "planned" obsolescence, but it sure is "accepted" (from the vendors point) obsolescence. Which is even worse.

On a side note, as a customer I don't care about internal structures of companies. I want updates. If they can't deliver that, open source everything.

People make the mistake of thinking of Samsung as a single company - but it is not. Samsung's phone division is absolutely a hardware company, and so are the majority if their divisions. If they would be a software company, their Tizen OS would be in a lot better shape - but it's not.

And most Android manufacturers are hardware companies - their margins are too thin to support/maintain the software side of it. 90%+ of their R&D budget is hardware. It's the same as HP's computer division. No they are not a software company, they use MS Windows as the OS and make sure the correct drivers are present/integrated. This is exactly the same on Android. They buy off-the-shelve chipsets, integrate their drivers - which are developed by the chipset manufacturer - into Android, pour over some crappy GUI customization, in many cases developed by a 3rd party, and they're done.

My phone doesn't become obsolete because of that. It's because I'm not allowed to use many apps without updating them after a certain time. These newer versions are slower and use more resources. Even with regular updates my phone would be unusable after enough userland development.

An unfixed remote code execution (lets say through the SSID, exaggerated example) doesn't make your device obsolete?

The software update case you wrote is a good example of planned (or accepted) obsolescence by the developer.

I often get sympathetic comments for being an Android developer because of this. It's honestly not that bad. Android provides backwards compatible support libraries for whatever SDK you're supporting, and was designed from the beginning to handle diverse screen sizes and hardware.

By far a bigger problem is manufacturers shipping their own version of Android that is sometimes incompatible with the SDK. I've had to implement some ugly hacks for Samsung before, which is unfortunate because of how popular their hardware is. It's becoming less of a problem over time though.

The problem with outdated versions is not app compatibility, but security updates. If a zero-day were released, most of these devices would never receive an update fix the issue.

Worst case scenario: An Android zero day that can be spread via WiFi or Bluetooth that infects devices in a cryptolocker style. The more versions it can affect, the better.

Shoot. Probably shouldn’t give people ideas, especially when I have an Android device. At least it runs LineageOS and can be updated easily...

Edit: To clarify my idea, imagine the Windows XP crypolocker viruses, but for Android instead, spreading not through cell towers or WiFi routers, but instead spreading via the cellular/WiFi/Bluetooth chips in the devices.

I’m starting to wonder if I should buy a portable Faraday cage for my devices...

It's also a problem with compatibility. Just because they've found a reasonable way to mostly work around it (by basically bundling an up-to-date version of the framework into each app) doesn't mean it isn't an issue. Not everything is in the support library.

But I agree, at this point the security issues are a bigger concern.

That "worst case scenario" isn't that hard to achieve. But maybe the only thing stopping something like that from happening is, ironically, the OEM fragmentation which screws up a lot of code related to gaining root or lock screens and similar.

Why not see it the other way around? You can totally go and develop an app that just runs on Samsung Galaxy S8 and nothing else. But with the Android SDK you get the option to support a range of other devices as well with a little overhead. That's far better than with IOS where you only get to support one device type, just maybe different versions of it.

Even if you just target Samsung it's still not the same, unfortunately.

There's a pretty wide range of iOS devices now, but they're all similar, they're all good (or were good when they were released), and you can check your app on them in the Simulator. Just last week I was able to find and fix some bugs in an app that only showed up in certain combinations of screen sizes and iOS 10 or 11, without needing any real devices.

Samsung has many, many more devices; some of them are very good but lots of them are very bad; they do offer some testing infrastructure but it's not as comprehensive or convenient as Xcode; and they frequently make breaking changes to Android without any documentation. A recent example is their "game tuner" which automatically runs games at lower refresh rates and/or screen resolution. Depending which API you use to check the screen dimensions (and Android being Android, there are plenty to choose from) a game can end up displaying at the wrong size.

Yeah, I remember when iPhone changed ratio/screen size, and people scrambled to make their apps work. This is something a developer had to handle from day one on all other devices.

This is still a lot more work than it ought to be on iOS. It's possible to write screen-size-agnostic code, but the tools push you towards individually customizing everything for each of the current screen sizes.

For example, in Interface Builder there's a toolbar with buttons to switch between different screen sizes. But it would be a lot easier if they just made the UI freely resizable (in Interface Builder, not necessarily on the device).

The flipside of this is that developers are forced to support versions of their apps that are compatible with previous operating systems. That's bad for developers, but good for consumers.

iPhones shove updates down your throat as a user. They're so persistent that inevitably most people will accept the new update - and even if you're stubborn like me, eventually your apps will no longer be supported under the newer OS's, and you are forced to update to keep using them. The problem is that the OS upgrades invariably slow down older phones, so even if you're perfectly happy with your iPhone to begin with, it starts to act slow as it gets the newer OS's. It's good that Android users can at least avoid this particular kind of planned obsolescence

> iPhones shove updates down your throat as a user.

And we have the monster that was Windows XP because of users thinking "updates" are "forced" down throats.

iOS is correctly celebrated for having such a high adoption of the "latest and greatest", and certainly hasn't become the demon that is the unpatched Android landscape.

So thankfully, from NetSec to the end user, it's a fantastic thing that iOS keeps devices more up to date than android.

I agree, but it is true that newer updates dramatically slow down older hardware.

I thought this had been tested recently and shown not true? A psychological illusion or something? I’ve never noticed any significant, let alone dramatic, speed change on any given device from iOS 3 on the original iPad onwards.

They tested the performance of the hardware (CPU, GPU, etc), not of the APIs or updated apps. So the CPU and GPU of my iPhone 6 are just as fast as when they were released. But I can guarantee you that the camera app as well as a lot of third party apps aren't as fast as they were when I bought the phone.

Apps that represent light websites like Google and Facebook are now 300mb+. With such memory hogging updates, few people with older phones are going to update.

Size is not speed.

True, but...

Older hardware has older chips (and possibly slower memory) so... a larger size alone would still likely have an actual processing speed impact, no? The newer OS and app versions are developed with chip/memory speed "XYZ" in mind, and that's the target they aim for. That the OS does run on older hardware is great, but if your memory size goes up 2-3 times for apps, I can not imagine that there's 0 speed impact.

Aren't you confusing apps and the OS here?

Apps are definitely bigger and slower, but that's separate from whether the OS is faster or slower.

Anecdotally (and I agree) iOS 11 is slower than 10 for many of the same tasks -- things like switching apps, opening the camera, opening the keyboard.

I thought it was a myth too, but iOS 11 is undeniably much slower for me. And I don't understand why, as it doesn't seem like it adds many features. There's a new filesystem, but shouldn't that be faster, not slower?

Backup, wipe, and reinstall.

In some cases it doesn't help. E.g. iOS 7 update for iPad2, iPhone 4/4S etc.

iOS 7 was pretty rough on anything slower than an iPhone 5

That's bad for developers, but good for consumers.

Is it? I'm a developer --- and a consumer, as are most --- and have always kept to the principle of as much compatibility as possible, mostly by not gorging on new features for the sake of new features, and a "do what you can with what you have" approach. To me, spending a little extra effort to get much more compatibility is well worth it, since I've been on "the other side" and know the horrible experience of not being able to use something just because the developer didn't bother to think about anything but the "new and shiny"; that seems to be something a lot of developers completely ignore or even oppose.

The QA effort to support 3-4 of the most recent OS’s isn’t “a little extra effort.” It can get pretty expensive, too, since you may have to have devices for all supported OS versions and possibly idioms (e.g. iPhone, iPad).

If only Android devs only had to think about 3-4 of the most recent OSes...

There are outliers in either direction, but these days the minimum supported version tends to be either API Level 19 if you're conservative, with a stead shift towards ... API Level 21. For reference, Oreo is API Level 26.

As a developer of a long-lived popular app I've been pretty agressive at cutting off older OS versions from updates (min sdk 21 right now, considering 23). But the Play Store lets you keep serving up an old version of your app for those older devices. So before I cut off an old OS version I make sure to have a solid bug free release that I can serve them for a few years until eventually my backend API server is forced to break backward compatibility at which point I pull it from the app store and serve up an I'm sorry message for anyone trying to run that old version, about 3 years old at this point.

Making it easier for users to run software with unpatched vulnerabilities, even accounting for some extra slowness, isn’t a good thing..

That "isn't a good thing" is paired against another "isn't a good thing": forcing people along an (expensive, disruptive, often utility-losing) upgrade path simply to drive revenue goals.

Perhaps we might look at this as a set of goals:

1. Users shouldn't run software with unpathed vulnerabilitities.

2. Users shouldn't have to discard devices after a small number of years (1-3, from date of purchase, in many cases).

3. Hardware, OS, and software vendors should have a functioning ecosystem in which they can operate profitably.

Unfortunately, the economics of hardware + information goods with an ongoing support liability but a one-time purchase point are pretty much pathological. This isn't a new problem. It's one that AT&T and IBM solved, in the 1930s and earlier, by leasing rather than selling hardware. IBM has continued that model through the present, for its enterprise computing hardware. There are few general-public devices that fall under this category, though.

I think a fundamental problem here is that most information and knowledge goods don't fit well into an economic framework which is based on the assumption of scarcity. Of course you can artificially add scarcity with DRM tech, patent law etc. But what mostly happens in practice is that you need to come up with some kind of indirect business model. Like e.g. Google, developing a lot of great tech, but ultimately being a broker of user attention and data.

This disconnect between business model and products leads to a lot of unaligned incentives between makers and users of product. That's the innocent looking root of evilness - no bad people required.

Pretty much, yes.

Market economics works for commodities.

For wages, it tends to subsistence levels.

For public goods (including information) it under-provisions.

For rents (fixed-quantity goods or services, including both land and attention), this tends to absorb surplus valley.

For assets and risk-based elements, I'm still sorting out the dynamics, though they also appear to be poor.

There's various precedent for much of this:

* Adam Smith's classifications of types of goods: commodities, wages, stock (capital), rents, assets (gold and silver), interest, and "expenses of the sovereign" (public goods).

* Various economic-sector classifications. Alexandre Dumas, Simon Kuznets, Clark, and Beniger come up with 3-5 elements, generally: extractive/sourcing, manufacture & construction, transport and distribution, risk and finance (especially FIRE), governance and information. I'm finding these fascinating.

* Industrial classifications including SIC, NAICS, and ISIC.

* A classification of technological methods I've been looking at for a few years, including materials, networks, information, control, knowledge, and power transmission & transformation.

But yes: inoformation and markets play poorly. Software and systems incorporate both information and risk elements. (And probably others.)

Then manufacturers should fix that problem. The reason people don't like security updates, is that they are tied to feature updates. Most people don't like the new feature updates, and would happily take just the security updates. If users were given that option, I'm betting that a lot of the push-back to updates would drop fast.

I bet most people find digital security too abstract to understand why it’s important, and not bother with updates that didn’t include shiny new features.

Also, Generic Phones Inc. don’t see any money in pushing out pure security features — only big players get that benefit, because it’s a type of quality thats a tragedy of the commons thing.

I’d change the laws by international treaty to require security patches for all devices for whatever the 2σ lifetime is. If the manufacturers don’t want to do it themselves, then an open source requirements and a sales tax to fund hiring developers to fix it.

I'm arguing the opposite: I think people would update if updates didn't break their shit. I have no statistics on this, and would gladly welcome some, but IME people heavily complain that "the last update broke my $x, so I don't want to update again".

If we had 2 different channels of updates: security and feature, then this wouldn't be an issue.

I completely agree with you about the laws and open-sourcing.

Exactly that!

It may be true that "normal" users don't understand security or take it seriously enough, but in my opinion just blaming them isn't fair.

Imagine your car being painted in new colors and handles in the cockpit being re-arranged in unpredictable ways every time you have it serviced.

That's basically what Software updates often do to users.

We constantly force users to re-learn how to use a piece of Software, very often without good enough reason. Additionally updates at some point force them to buy newer hardware, even though they probably neither wished for the changes in the Software nor for new hardware.

That's why I totally understand casual PC users who're not gonna stop using Windows XP as long as it lets them do what they use their PC for.

In my opinion commercial software should be regulated to either provide security updates (distinct from feature updates) or be open sourced.

Manufacturers have no incentive now to do so.

They absolutely do. Android is known to be a security nightmare. That means a bad reputation, which also means less sales. I hate Apple and their products, but if someone said that they got an iPhone because it's more secure than Android, I can't really argue that they are wrong.

>The problem is that the OS upgrades invariably slow down older phones, so even if you're perfectly happy with your iPhone to begin with, it starts to act slow as it gets the newer OS's. It's good that Android users can at least avoid this particular kind of planned obsolescence

I have seen this first hand with my 4S. The updates slowed down my phone, which I was perfectly happy with. Unfortunately, Apple blocks you from restoring your phone's OS back to when it worked great. Heh, and then I bought the 6S, so I suppose Apple got my money anyway.

> That's bad for developers, but good for consumers.

It is bad for consumers as well, since you only have so much time.

Apple has allowed you to download the last compatible version for years - that ability goes as far back as at least iOS 5 that came out in 2012.

No it doesn't. It only allows you to do that for an app you already installed in the past.

If you want to install an app for the first time, where the current version is incompatible with your OS, you can't.

Believe me, I've tried.

There is an work around, download it via iTunes. You don't have to sync via iTunes to do it just use the same account. Apple still makes the previous version of iTunes that allowed you to download apps available to download.

Sure, but will (networked) apps still work? Is it possible to download apps for previous versions still? If you can revert OS but can't run netflix/facebook/whatever then it's not very useful.

Yes. I have a first generation iPad (running iOS 5) that I rediscovered when I moved. I reset it because I forgot the password. Hulu, Netflix, Crackle, theCW, Plex, Google Drive, CBS (?), and Spotify still work.

Apple's productivity apps (Pages,Numbers, and Keynote) also still work and sync with iCloud.

On the other hand, I also rediscovered an old first generation iPod Touch (iOS 3). Nothing that requires network access except for the built in apps still works.

This[0] could give your iPod Touch a slight kick in the butt, and this[1] for your iPad, if you feel inclined to keep using them.



That's really cool. I'm going to definitely try it on my old iPod Touch.

You can to a degree. You’re able to install the last compatible version of an app.

> The problem is that the OS upgrades invariably slow down older phones, so even if you're perfectly happy with your iPhone to begin with, it starts to act slow as it gets the newer OS's.

This is a truism and from my experience it rings false. I ran an iPhone 5 for four years without feeling degraded.

FWIW, as background, I'm an ex-overclocking PC enthusiast and I consider myself very sensitive to any sorts of performance lag.

It's less true on iPhones but even there it starts happening after a few years. On Android, it's terrible.

But yeah, android was a total resource hog when it got started because of Java, and it's gotten worse and worse.

Side note: "truism" means "A statement that is obviously true and says nothing new or interesting."

Or something that’s very obvious to be self-evidently true.

But, he might have thought of the complaint as so typical it has become a saying, and a truism by argumentum ad populum, but in his eyes false. Besides, most truisms are true only until they are not (a truism example). The Sun is hot. One day it won’t even be (exist).

> iPhones shove updates down your throats as a user

It doesn't, you don't have to update iOS. You can keep an older version. The same with Android. The only difference is that AppStore won't serve you older app-versions that would still work for your iOS version, after some time. While PlayStore still serves you much older app-versions.

Hey, they used the data that I made available on my website here : https://www.bidouille.org/misc/androidcharts

Gathering the old data from archive.org snapshots was a pain, I'm glad I saved someone else the trouble :)

One thing that's missing from this data is the actual number of devices in circulation, as said in the article it's only the market share among Android devices, and only those which access the Play Store. Having access to that data would make the graphs much more interesting, but unfortunately I have no idea where to get it.

> only those which access the Play Store

I'll bet this means an enormous number of outdated devices outside the first world are missing. In particular, any area without cheap and reliable data access is probably eschewing the Play Store for some kind of local-area app sharing like Zapya.

Not your fault obviously, these are fascinating stats as is. But I'm also really curious how many smartphones have gone "off the grid" without being retired. Generalizing from Myanmar [1], I suppose Facebook's internal device data would be the best source.

[1] https://craigmod.com/sputnik/smartphones_in_myanmar/

The real problem with mobile devices is that it costs $600-$1000 for a security patch. And when you get it, you'll also be stuck with inferior hardware as a side effect of that very expensive security patch. A device that used to be multifunctional but now is no longer useful for phone calls, music, or videos because it doesn't have a headphone port. One that used to be mobile but now requires you to stay tethered to an outlet because you can no longer switch out to a spare battery. One that's even thinner and more likely to break.

People would like to be secure, but they shouldn't have to pay that much for a security patch and they don't want to downgrade their systems.

>If we look at the newest Android release (8.0, 8/2017), it looks like you’re quite lucky if you have a two year old device that will get the latest update. The oldest “Google” phone supported is the Nexus 6P (9/2015), giving it just under two years of support.

And 2 years is the best-case scenario. Compare to nearly 5 years for iOS devices (which, as far as I can tell was prompted only by a move to 64-bit SoC). It's beyond me that Google hasn't taken a more extreme approach to keeping their devices up-to-date.

My Nexus 6P is eligible for 8.0 under the beta program, the last time I checked, 8.0 was still not available for it in the official channel so I had to switch to the beta program to try out 8.0 on a device.

8.0 has officially been available for the Nexus 6P since August.

Thanks, exiting the beta program to see what happens now.

Outside the US? My 6P got official 8.0 non-beta in September, I'm pretty sure. OTA, the whole nine yards.

Inside the US. I push the check for updates button in October and it told me no. I might have declined once, though.

I bought a flagship device, a Motorola Droid Turbo (1). They finally got android 6 on it a few months ago. Even better is it's so locked down that I have no choice. This is a $1000 phone, why can't I install what I want on it?

They aren't Google devices. They're phones made by companies who downloaded and installed Android on them.

The Nexus 6P was developed and sold directly by Google: https://www.google.com/nexus/6p/

Yes, I understand that Google do make some phones. I own one. But, the vast majority are not created by Google.

The Nexus 6P was made by Huawei. Also usually it is not the manufacturer, but the carriers that hold up or stop updates.

Even if this were true (it's not) that was a conscious choice by Google to capture market share.

This issue was predicted (and observed) years ago, almost since the release of Android in fact, and is only getting worse.

That is all due to Google's own choices.

The real problem with it is Linux. Here's a few facts:

The Kernel has no stable ABI for drivers.

Manufacturers only ever develop a driver for their chips once, and then send that to the OEM. They never update.

The Linux Kernel LTS gets 2 years of updates, Google's fork about 4.

From the day a Kernel is released, to the day it ships in a phone, usually 2 years are spent integrating the blobs and code drops from the chip manufacturers.

On every kernel upgrade that breaks the ABI, those 2 years would have to be redone from scratch.

Linux can't mainline support for every exotic piece of hardware that ever shows up in a device.

Manufacturers can't keep maintaining several developers to update every single chip they release.

Google can't keep Android on 6 year old kernels forever.

Now combine these facts, and you'll see the issue.

That's only a problem because they're keeping driver support closed. If they contributed a driver for their hardware upstream it would be maintained (by others) as the internal interfaces and standards change.

Whenever a security issue or design change happened, their driver would also get updated and fixed with the rest of the kernel.

What the hardware manufacturers SHOULD do is create hardware with a well defined control interface that they CAN make public. Any 'secret sauce', uploaded firmware blobs, etc, should be free to re-distribute since they were too cheep to ship a ROM or EEPROM with the firmware for their device with the device.

That's often not that simple.

For example, SAMSUNG might build your device, and get all of their own code openly.

But now for the US model, due to CDMA, they need to use a Qualcomm processor.

That needs a blob, and Qualcomm won't release that under an open license, nor update it.

So the OEM can either just not have CDMA support, or accept foreign blobs.

It works like this all way down the stack, down to even camera chips.

And then these devices all have custom hardware. Often hundreds of customly designed parts, with custom drivers, only ever for a single device.

Think of the Moto Z Play, withthe replacable components. Samsung phones with facial scanners. LG phones with 3D display.

One-off features that'd never get mainlined.

Apple has the same issues, yet they keep their devices updated and secure for 5+ years.

Well, Apple completely controls the XNU kernel and its I/O Kit framework. By contrast, Google--and especially phone manufacturers--don't control development of the Linux kernel.

My understanding about the US side of this is that the software defined radios and FCC compliance are a major portion of the problem.

STILL, that stuff should be equivalent to a firmware blob that should have been baked in to a ROM or EEPROM. The actual driver controlling it should be able to be open, and for regulatory compliance should use 'magic numbers' as specified for the configuration; which as a fact of how to use that device must be configured already /not/ be covered by copyright (in the US at least).

Well that’s not actually a problem if Google controlled the hardware (or a hardware standard, at least).

But they don’t.

So while you’re absolutely correct from a technical perspective it’s still a consequence of Googles strategy, and a problem for us all.

Android device vendors are Linux distribution vendors, and could support their releases for 5-10 years for a given device generation, like many other Linux distribution vendors are doing. (Or outsource it)

Yes of course it's not free and you can save money by leaving users stranded. But it's myopic to claim it's the fault of Linux.

That’s not really possible.

Let’s imagine you try to build a phone.

You buy an SoC, and you get a single kernel build. If you’re lucky, you get a few binary kernel modules.

These will never be updated.

You will always be stuck on that kernel version.

No manufacturer of ARM SoCs for phones currently provides ever updates for these.

Linux LTS Kernels get 2 years of support.

Now, tell me, how do you support a kernel that was dropped by upstream, with proprietary drivers that you can’t do anything about? I’m not sure if you’ve ever tried porting a custom ROM to such a device, I have. By the time Android was on the 3.11 kernel, I had a device still using kernel 2.6. It was insanity, half the functionality wasn’t working, we were reverse engineering and hacking together the rest, and still barely got anything working. It’s impossible to use a decade-old kernel with modern Android userland, yet that’s what you ask for.

You can support that kernel version, like distributions do now with back port etc work, or you can prefer SoC vendors that promise updated driver support. If the latter was happening, the problem would be fixed by now. So essentially phone vendors have been voting with their dollars for lack of driver updates.

But even for the self caused major version jam, the "get 2 years of support from upstream" is a heavy understatement and even after the n years of community LTS support ends, it's just the baseline you get for granted and you can diy more.

Maybe Fuchsia is an effort to solve such issues? But it won't see the day of light for at least 2 or 3 years.

The official Kernel.org LTS support is 6 years from the Linux devs, some vendors support theirs for longer.

The Kernel.org LTS support was 2 years until a few weeks ago.

Due to Google’s pressure, it’s now 6 years.

http://web.archive.org/web/20170812023641/https://www.kernel... says previously's been 2-6 years for the various LTS releases. But it's always been open to more sponsorship of course.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact