
All Android phones before P are vulnerable to a flaw that allows background camera use:


That might actually be the majority of active Android devices if you look at the market share statistics.

I think it's actually somewhat embarrassing that the tech industry hasn't been able to provide a low cost, reasonably secure smartphone platform that can be used for more than a year or two. The only people who can remain secure are the ones who can afford either new Android phones or slightly less new iPhones.

Security is like a luxury item, and the worst part is that most people don't even realize it.

There are GNU/Linux phones around now (the Librem 5, though it may still be stuck as WIP, and the PinePhone, which I think had a first batch sent out a while ago), but the app support will be lacking and they'll likely be stuck as niche forever.

There was Windows Phone, but the market wanted apps!

Related to this, I almost wanted to mention the “sins” of the major platforms.

Android: not fixing fragmentation after all this time. Essentially, people with less money get less security.

Apple: not making true budget phones with the same lengthy support windows, though this might change as they emphasize services.

Microsoft: leaving the smartphone market entirely. I used to use Windows Phone and it was clearly better than Android. Android was slow and getting updates was a pipe dream. Windows Phone was like a less locked-down iPhone, and around Windows Phone 8.1 the app marketplace wasn’t half bad.

Had Microsoft put out quality flagship phones consistently on a yearly basis on all four major US carriers, they’d still be making smartphones. But people who wanted Windows phones were stuck waiting for Microsoft to reorganize Nokia while they mostly crapped out budget phones and had one or two outdated flagships exclusive to a particular carrier.

Windows Phone 10 arrived too late, it wasn’t as good of an update as 8.1, and it arrived after a long drought of phones.

That's not "vulnerable to a flaw". You make it sound like there's some sort of security bug or buffer overflow in the OS that lets any app turn on the camera at will.

The "flaw" is that apps you explicitly gave permission to use the camera, can use it! All they've done in P is notice that they can tighten the permission even further so the app has to be in the foreground to use that permission.

The lack of this wasn't a vulnerability though. Mobile operating systems have been implementing finer grained permissions and security through their entire lifespans. For sure that trend will continue. If we spin every improvement to privacy controls as "fixing a vulnerability" it's just a form of crying wolf that will lead people to ignore security updates even more than they already do.

The parent didn't say "vulnerability" in the "security vulnerability" sense. They said "vulnerable to a flaw", i.e. there is a design flaw and those versions have that design flaw - meaning users of it are vulnerable to apps taking advantage of that design flaw. I'd say it leaves users "vulnerable", and it's definitely a "flaw". It may be an API working as intended - but that doesn't mean it isn't flawed to the point of being embarrassing.
