They make it for arm and x86 android.
They used to make a windows version but sadly stopped that build.
Big jump to this conclusion but I'm more inclined to trust Microsoft at the moment as they have a better reputation for lifetime (unlike Android), have a very public security process and good industry comms and the devices are proven usable if not faster after recent updates (unlike iOS which starts to be terribly limiting performance-wise). Plus they're dirt cheap.
I even asked the sales representative if it would be kept up to date (knowing I couldn't trust them, but was looking for any extra assurance), and they said yes.
Right now it's at 4.3 and won't upgrade...
CyanogenMod doesn't have any way to distinguish which phones are currently receiving security fixes in a timely manner and which are not; nor do they have any list of security advisories covering packages they distribute (go look at any notable desktop/server Linux distro — they all have public lists of security advisories and documentation of what release fixes them).
To my knowledge there is no Android distribution that has anywhere near the cohesive security story — and they're all miles behind any desktop OS.
And looking at my phone, I have no idea how I'm meant to update to the milestone builds. The updater lets me select "stable" or "all (inc. nightly)", and nowhere do the milestone builds appear…
None of this is helping me believe there's really any decent security story. Abandon all users who don't check the website (or whatever) to find out about releases, trusting the built-in updater to provide updates. Never publish any security advisories that cover your distribution…
Same. The newest version which supports my phone is years old, and there are major usability issues, particularly in the dialler interface. The manufacturer (HTC) UI was miles better (i.e., actually usable).
Maybe you need to install CM 11 first, so the system has a base to work with.
I think you can see if your phone gets updates if it's listed as CM11-supported.
Dear Galaxy Nexus users... It's time to let go.
Don't think I've ever owned anything with such a serious planned obsolescence issue. Windows supports its OS releases for 12 years (and doesn't lock you in, so you can usually follow official upgrade procedure anyway). And anything "dumber" than a smartphone doesn't really open itself up to these gaping security flaws, so still operates fine after many years.
It became beyond the expected lifespan when it became normal to buy a new one every 2 years thanks to contract pricing and carriers pushing people to upgrade.
2 years is just a cost cutting exercise and inexcusable.
Apple has better support than most, but even their phones degrade with features missing on older phones AND included new features run like ass (every time my fiance upgrades old phone to new iOS she hates life until upgrade).
A 2 year old phone really is ancient... much less three or four... Who actually supports phones that old CONSISTENTLY?
There's no fundamental reason a 2 year old phone should be seen as ancient. Hardware can last many times longer than that, and software can be updated. Google is just not making the effort to support its older devices.
For people like me who don't want to buy a new phone every 18 months (both a wasteful use of my money, and the earth's natural resources), Android is looking like a pretty bad choice.
iPhones have built in time lines (more or less replaceable anything. Need a new battery? Have fun...).
And then there is the fact that if you want ANY kind of app support - not just OS. Facebook, Twitter, etc... - then you can't use old phones. Years old Windows phones. Look at Blackberry phones. Palm OS. No one supports them because well... no one supports them anymore.
I think it's more a function of the rapid change and growth of complexity that makes smartphones obsolete so quick. Screen density, cpu, graphics capabilities, hard drive space, antenna speeds, etc. EVERYTHING is increasing so quick that it's hard to compare a new phone to a 2 year old phone.
It'll most likely be years before it slows down enough that you can treat a smart phone like a PC - keep it for YEARS and expect most stuff to simply run on it.
That's what I expect.
With Android, if you find a beloved phone by many, you will be supported for YEARS. My gTablet was being updated by the community for 4 years after the last official update. My Galaxy Note has nightlies from multiple different projects. My wife's Sony Xperia Arc S has consistent updates still. You find a phone that people fell in love with and you will have your updates until the hardware is dead.
Also, they say 2 years' support. If you look at the phone recycling business, there is 4-5 years life in a franken-handset shipped abroad.
You're right though about carriers. I always buy non-carrier locked devices here in the UK for that precise reason. Nokia sell "country variant" devices which are usually updated first.
2. Custom Rom and you're on your own.
You can register for the Preview for Developers program and get timely OS updates regardless of the carrier.
With the 8x the lack of updates is an HTC issue tho as far as I know. They look to roll out 8.1 on some of the 8Xs in October.
If you would like to test on your device/browser, you can on ejj.io/SOP.php. If you click on the button and you see an alert box, you're vulnerable (I doubt many on HN will....)
Many other browsers also seem to be vulnerable. So if you use something else best be safe and check yourself.
always allow what you know for sure how to handle instead of denying what you think you know that you don't want.
My guess would be that the URL is being validated with code which relies on null-terminated strings, and it's being processed/executed with code that uses a separate length value.
One easy way this could happen is if the same-origin check happens in C++ (eg. WebKit) and the URL fetch happens in Java.
The same problem can happen in reverse and has before. Java had a file path vulnerability where Java code would see the full path and the OS calls Java passed to would only process up to the first null. This opened up bypasses in application logic designed to validate paths.
Edit: I double-checked the spec ( http://www.w3.org/TR/html5/browsers.html#dom-open ) just to make sure there's no weird "skip nulls" behaviour, and there isn't.
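The mismatch guessed at in the comment above, as an added example that is not part of the thread or of any browser's code: a deny-list check that reads a NUL-terminated string, a consumer that carries an explicit length, and a stricter check that shares the consumer's view and allow-lists instead. The scheme name `danger:`, the function names and the consumer's tolerance of leading control bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DENIED "danger:"   /* constructed placeholder scheme, not a real one */

/* Constructed input: one leading NUL byte, then the denied scheme. */
static const char SAMPLE[] = "\0danger:payload";
static const size_t SAMPLE_LEN = sizeof(SAMPLE) - 1;

/* Validator with a C-string view: strncmp stops at the first NUL,
 * so it compares an empty string and finds nothing to deny.
 * Returns 1 when the URL is allowed. */
int cstr_check_allows(const char *url)
{
    return strncmp(url, DENIED, strlen(DENIED)) != 0;
}

/* Hypothetical consumer with a length-carrying view: it skips leading
 * control bytes and spaces, then dispatches on the scheme.
 * Returns 1 when it would act on the denied scheme. */
int consumer_sees_denied(const char *data, size_t len)
{
    size_t i = 0, n = strlen(DENIED);
    while (i < len && (unsigned char)data[i] <= 0x20)
        i++;
    return len - i >= n && memcmp(data + i, DENIED, n) == 0;
}

/* Length-aware prefix test used by the strict check. */
static int has_prefix(const char *data, size_t len, const char *prefix)
{
    size_t n = strlen(prefix);
    return len >= n && memcmp(data, prefix, n) == 0;
}

/* Stricter check: same (pointer, length) view as the consumer, any
 * control byte anywhere is rejected (NUL, tab, newline, DEL), and only
 * known schemes are allowed rather than one scheme being denied. */
int strict_check_allows(const char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)data[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return has_prefix(data, len, "http://") ||
           has_prefix(data, len, "https://");
}

int main(void)
{
    printf("C-string check allows sample: %d\n", cstr_check_allows(SAMPLE));
    printf("consumer sees denied scheme:  %d\n",
           consumer_sees_denied(SAMPLE, SAMPLE_LEN));
    printf("strict check allows sample:   %d\n",
           strict_check_allows(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

The first two results disagree on the same bytes, which is the whole bug class; the strict check closes it by validating exactly what the consumer will read.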
It really depends on the browser. Here are a few test cases to consider. http://jsfiddle.net/8e525ne9/
Leading nulls used to work in common browsers. Most recent browsers don't support it. However, most do continue to support fun things like newlines and tabs in the middle of URL schemes.
Also, damn this thing is slow and tiny compared to my current phone.
Tried again with a Galaxy Nexus on 4.3. Sure enough, it duplicates fine on the stock browser, and works correctly in Chrome.
I think the vuln probably just had not been introduced at that time, but I obviously can't be certain without digging through the git log (and even then...all I can do is corroborate commits with release dates).
Edit: since 4.4 [https://developer.chrome.com/multidevice/webview/overview]
TomPod, the creators of InBrowser, here.
We're unable to reproduce this error on a oneplus and a HTC M8 running the latest version of InBrowser. But rest assured, we'll check this with our suite of devices and Android version during the day.
If we can fix this on our side we'll push a fix asap. If not, we unfortunately need to wait for Google to address this. We'll post any updates on this issue at @tompodapps.
Thanks for reporting it!
Expected is no alert box
I'm on a slightly older phone, but I actually removed Chrome from it not long ago. I started having problems with updating apps due to insufficient space, and while I have a fair amount of crap installed, I also have ~2.5GB of "Phone" storage for apps so I started investigating (this is separate from "sdcard" data storage which is ~8GB). Turns out Chrome, at least on the HTC Amaze 4G with 4.0.3, takes up about 250MB - my largest installed app by about a factor of 4 (next largest was ~80MB). This was not cache or data, this was the app itself.
I don't know what all they've moved into there as part of their push to cripple Android except as a host for the "Google Play Ecosystem," but crap like this is not endearing.
I recognize that there are a bunch of features now that I get to enjoy, but now I have to choose which ones I want to keep.
When I switched, 20MB was a big app. Now I have at least 30 apps that are bigger. Chrome in particular seems bogus. The desktop version isn't even this big.
Chrome : 211MB
Google search: 70MB
Mantano Reader: 54MB
Google Play services: 50MB
Google Text-to-speech engine: 45MB
t-mobile my account: 33MB
Google Maps: 24MB
Google Drive: 24MB
= 87Mb total
Cache is recorded separately, currently at 205Mb. I wonder if it is a question of how the figures are being displayed in different versions of Android.
open a bunch of ssl pages and see app data space explode. same happens with firefox
Reinstalled. (play store reports 30MB download)
Before opening the app 65MB+4KB, 0MB cache
First launch (no sync sign-in) 65MB + 10MB, 60KB cache
Browsed Noisy SSL page (google plus feed): 65MB + 14MB, 13MB cache
Signed into sync: no change ( 10min later, no change)
Browsed image heavy site (imgur): 65MB + 14MB, 25MB cache
.... And after the reinstall it shows up as 65MB of app.
Looking before removing Dolphin, Dolphin is showing 13.82MB of App plus 42MB of Data (which I believe could mostly be moved to phone storage). Also 2.3MB of cache.
Jetpack is showing 18.67MB of App, 4k of Data.
After reinstalling both and a first run of Dolphin (and restoring a slightly out of date backup for bookmarks, etc.), Dolphin is using 13.80MB of App and 4.66MB of Data, while Jetpack is using 18.67MB of App.
I'm not seeing the same thing happening with Dolphin as with Chrome.
app space is the only reason i generated more garbage in the world even though my current device only lacked the software to use the memory i had available.
$ du -h -d 0 /Applications/Google\ Chrome.app
317M /Applications/Google Chrome.app
$ tar -c -f - /Applications/Google\ Chrome.app | wc -c
tar: Removing leading '/' from member names
$ find /Applications/Google\ Chrome.app -type f -print0 | xargs -0 cat | wc -c
I don't see why shiny progress should be held up because you can't be arsed keeping up with new generations of tech. If you don't like it, go install a rom and some of the many many many alternate applications which keep sizes small.
Mobile phones began, much like desktops began, extremely limited. We are simply seeing the same thing happen, we're now getting up to sizes of around 32 gb, yes, it happened much faster this time, and that may be why many feel the pinch much more - I'm sorry for that - however it is the price to pay for being an early adopter like yourself.
Yet thankfully, it has also now reached a level where it is now almost impossible to fill with application data. Storage and processing may continue to increase but I highly doubt you will feel quite the same pain of running low on space with nothing but chrome and facebook installed.
Take a look at the ROM situation for the HTC Ruby platform, aka the Amaze, aka the only phone in its product line. Despite what Wikipedia says, there isn't a huge mass of aftermarket ROMs because the phone itself had such a relatively small distribution and was discontinued.
I'm no browser snob -- I'm perfectly happy to use the stock AOSP browser even though it's got some stuff I don't like about it -- but I really can't understand how anybody uses Chrome for Android at all.
I suppose it's probably time to re-try-out some of the 3rd party browsers again.
I haven't tried Chrome, but I see this in CyanogenMod's stock browser (probably close to AOSP) and Firefox. In Firefox's case at least, my research pointed to "font boosting" being the cause of increasing/decreasing, but I haven't found a good fix.
online they just shutdown the old system. offline now they leave holes and announce them when they want you to upgrade. "for security"
These are in the AOSP branches for jb-dev, jb-mr1-dev, jb-mr1.1-dev, and jb-mr2-dev.
Note that if Apple had a similar vulnerability, you likely couldn't work around it by using an alternative browser, because all browsers are required to use Safari's rendering engine.
Is this not the app you're talking about?
I would guess a great many Android users (if not the majority of Android users) are not using Chrome.
In fact, that's exactly the case according to this: http://www.netmarketshare.com
Chrome has made some strides this year, but the Android Browser still leads by a point. That'll probably change next month or two I'd guess. But unless I'm entirely off base and talking about the wrong thing, I think your comment is very misleading.
If this happened with Safari, you'd likely see a patch pretty quickly, and it would be available to almost everyone at the same time.
(x) Maybe. Assuming someone bothers to incorporate them into the OS update for your device and they make it through the hurdles between the engineer and OTA update certification.
Even if I were to go back to the old Internet app instead of Chrome, this bug is irrelevant to me since I use an app for GMail, Twitter, Facebook and anything else important. I can't remember the last time I used the mobile browser for anything that matters.
(Note that the rare-to-nonexistent OS updates are still a problem, this WebView issue notwithstanding. They are running old vulnerable Linux kernels which compromises the app sandbox)
We hope to see that change very soon. http://thenextweb.com/google/2013/11/12/google-says-working-...
s/aren't/choose not to/
This is simply bad management – we're talking, what, a single engineer to backport critical fixes and some testing support. Contrast that against the damage this has done to Android's competitiveness – even the non-nerds I know talk about how they bought an iOS device because Android never gets updates – and increases the likelihood that they'll have a major security problem at some point when someone creates widespread exploit affecting all of those abandoned phones and the headlines talk about how many millions of people are at risk for a problem which was reported years ago.
The phone vendors and carriers had a large part in creating this problem but most of the reputation sticks to the platform and, as with the more general fragmentation problem, Google has been very slow to take it seriously.
Understatement of the day? :) There is absolutely no way a single developer will be able to support huge/complex codebases like web-browsers across platform versions.
Also keep in mind that most of the original developers would have moved on from the project - due to lack of interest, greener pastures etc. I am wondering what kind of engineer would be willing to babysit a project like this - and if somebody is willing (for whatever reasons), would they be competent enough?
Possibly but I wasn't talking about upgrading to the latest WebKit or the actual patch development – only the work required to backport a critical fix which has already been identified and fixed upstream. That's a fairly normal part of the support process at most places so I wouldn't expect it to be a huge amount of work unless you hit something which required an architectural change to fix.
Edit to add a link to the diffs which were posted earlier today:
Obviously not every patch is like that but there also aren't that many critical bugs – I'd be surprised if the engineer:tester ratio was anywhere near even on this kind of work.
> "...support huge/complex codebases like web-browsers
> across platform versions..."
What could go wrong ?
My Android experience has been shit, and I'm really getting sick of it.
Admittedly, much or even most of the problem for me is the OEMs screwing things up and not sending out updates.
The GNU/Linux terminology is actually quite relevant here, seeing as Android is Linux, but not GNU/Linux. Hell, Android's libc comes from OpenBSD, so...
Can I do that with an iPhone? Maybe, but probably have to put up with a lot of Apple garbage, trying to make things "easy" for non-technical people and/or keep you in their ecosystem.
I also like that Android uses Linux because I think the proliferation of Linux is good for me. (For various reasons, not that I have a financial stake in it, although I do indirectly due to my technical areas of competence.)
In that sense, I prefer that it uses Linux marginally over, say, using FreeBSD, which I would still prefer infinitely more than a proprietary OS.
.. support is terrible on the Android side. Really terrible.
In my opinion if you're not going to buy a Nexus device or a Moto E/G/X then you might as well buy Apple. The Android One program will hopefully add more to that.
Most people don't have the ability to make an informed decision about a phone purchase (or they want to buy an iPhone or Nexus but they simply can't afford it).
I bought a Google Nexus at USD650 retail - a perfect counterexample to your advice.
I recommend iPhones to those who can afford it (purchase price, insurance, screen replacements etc.).
I recommend Huawei Y310/320/330 for those who don't have much.
In between there are too many other factors to make a straight recommendation (e.g. buy second hand iPhone versus a Moto G).
But as a slight counterpoint, given the fast release cycle, you can't expect them to support a phone forever. You mentioned iPhones. Well I have an iPhone 3GS. It's a perfectly capable phone that still works and that was still sold as the low-price alternative after iPhone 4 happened, yet Apple stopped supporting it as well. But I can understand that, because these OSes get more bloated with stuff and it leads to a shitty experience. I was able to upgrade an older Galaxy S (first generation, shipped originally with 2.1) to 4.3 by means of CyanogenMod and it was unusable due to the less than capable hardware.
Google did drop the support too early for the Galaxy Nexus, but try out CyanogenMod. I'm even thinking of installing it on my Nexus 4 because the Android on this device is bloated with Google-stuff that I cannot uninstall and it pisses me off. It's also enlightening to install CyanogenMod without Google Play, for an all open-source experience ;-)
I'd love to buy an iPhone but I want to run Android software so Android it is.
Buy a Windows Phone, then.
I do not follow android closely, but this refers to the browser only, right?
(In the Chromium WebView FAQ they say they're working on fixing it, but there are major difficulties. https://developer.chrome.com/multidevice/webview/overview)
> While the AOSP browser has "been killed off"...
Luckily since most vital user info is going to be in apps this doesn't have nearly the same impact as it would on desktop, but it does represent yet another demonstration that having the web as a sort of super-platform-on-a-platform doubles your attack surface.
Android really is comparable to 90s era Windows, in every possible sense. For better or worse Chrome OS is clearly being positioned as the NT equivalent as well, but it's hard to see how you can recreate the functionality of Android without adopting the flaws too.
But still a browser that was created by Google and was bundled with the OS until 12 months ago, never mind how long it takes OEMs to roll it out. Android <=4.3 accounts for 75% of Android users:
Just because Google decided not to support it any more doesn't mean they shouldn't. Pointing out Firefox and Opera is all very well, but this is the default browser on Android <=4.3, and very few users explore alternative browsers (Chrome being the exception, to a point).
It's also the browser engine used in embedded webviews, don't forget.
Which people? I'll grant that Chrome is an exception, given that it's bundled, but I've never seen usage number of other alternative Android browsers hit any meaningful numbers.
Not saying I agree with the Malware comment, though the bundling is annoying.
The first thing I install on my gf's computer or phone is Firefox and configure it to sensible settings (turn off third-party cookies, install ABP and Ghostery and stuff like that).
where did they argue that? They were just correcting the 90% claim above.
google ridicules microsoft with IE6, and the first offline platform they release they made the exact same mistake!
bundle an integrated browser just so the user can't uninstall... and decide to not patch it.
your other arguments, maybe on your fancy phone. 99% of the phones still stuck on 2.3.3 or older, you
- can't disable system apps
- can't uninstall system apps
- usually have 60mb or less for apps.
- can use the SD card for apps.
that leaves ANY browser out of the option. chrome and firefox, both install on around 20 to 40mb... and then consumes an additional (non-configurable) 100+mb of cache on the app data partition. leaving any older phone crippled (you can't fetch background data when the low storage space warning is showing).
Obviously things aren't the same everywhere...
(Of course, these devices will still be counted by those touting Android's market share. Surprise surprise)
Wait, what ? I'm not an android user, but I am a chrome user on all of my desktops ... can someone enlighten me ? How is chrome not a browser supported by google ?
google logic. ...or better yet, san francisco dev logic
Recalls happen in older cars still. Maybe since it is 2014, we think about a similar idea with software involving millions of users.
Especially with a method called "public static class IllegalCharacterValueSanitizer".
Too bad it uses quite a few resources and may be too heavy for low-end phones.
Opera Classic OK
Opera Mini OK
That said, Android 4.4 and later use Chromium for their WebViews, the source for which is developed along with Chrome as a part of the Chromium project - it does not live in AOSP.
Presumably the stock browser that is in AOSP 4.4+ wraps Chromium, which more or less means the AOSP browser is Chrome...but not the other way around. :)
From a UX perspective, we should really try to fix this somehow. Reddit and ycombinator look terrible in our browser right now. Some examples:
These pages look perfectly fine in stock Browser -- they are a little wonky in Chrome but still better than us
That was 2012-05-01.
2) HN uses HTML straight out of 90s (tables nested three deep, spacer images to indent threads) so I don't mind them not focusing on trying to salvage it. Also from the comments thread: "to fix this we'd want to know the widths of the containers of all the text, which requires doing layout on the whole subtree (or at least a decent part of it), but we need to know the inflation numbers before we do layout. (It's probably doable by constructing reflow states for the entire subtree as we walk it, but that would be a significant performance hit that I don't think we want to take.)" Don't abuse tables and you won't have a problem.
Why? Chrome isn't open source, if you care about that kind of thing. And personal preference also.
tl;dr: Chromium is Chrome minus:
1. Crash/usage reporting to Google.
2. Proprietary video format support
3. Embedded Flash implementation (which doesn't exist on mobile anyway).
4. Google API keys.
If what you care about is security auditability, that's pretty good. If you care about running only open source software, that's going to be very hard to do in the Android/Google-Play ecosystem.
yet, the main advertisement google throws for android is "open source" "community driven" yadda yadda
we have already been baited and switched. but marketing takes a long time to dissipate...
here, i just clicked 2010 and clicked a random day for android.com
the 1st block is about the nexus one (market as open, but not on this page) and look! the second item on the page reads "Access to the entire platform source and information on how to contribute."
guess they forgot an asterisk there saying that the "entire platform" means some of the platform.
Firefox for Android still supports Adobe's Flash plugin for Android.
allows you to control the web, where chrome allows google to control the web for you (e.g. no way to disable referrer for one thing)
There's absolutely NO reason you should have them on, and I've been surfing the web just fine this way for 15 years.
And if your banking app with its embedded webview has its site compromised, you're already fucked without even opening the app.