It does look bad for CNN to say "Androids", although other websites should also pay attention to how they address companies, operating systems, and smartphones. For example, Apple vs. Google and Samsung, iOS vs. Android, and iPhone vs. Nexus (not Apple vs. Android or my iPhone vs. my Samsung).

I'm more curious to see how this vulnerability plays out over time.
 
The biggest negative with Android is how updates are dependent on either the manufacturer or the carrier (or both). According to the article, Google already sent out the fix, but nothing has been done yet in regards to pushing out the update.
 
The biggest negative with Android is how updates are dependent on either the manufacturer or the carrier (or both). According to the article, Google already sent out the fix, but nothing has been done yet in regards to pushing out the update.


Agreed

Google should at the very least demand their OEM partners to demand the carriers to stop/delay preventing manufacturing updates from happening. I can understand if the OEMs need to make their changes in order to release a new version of Android on their handsets, but it's absurd that carriers have any say at all. If Verizon wanted their VZNavigator crap to be available, just put it on the Play Store and call it a day.
 
Agreed

Google should at the very least demand their OEM partners to demand the carriers to stop/delay preventing manufacturing updates from happening. I can understand if the OEMs need to make their changes in order to release a new version of Android on their handsets, but it's absurd that carriers have any say at all. If Verizon wanted their VZNavigator crap to be available, just put it on the Play Store and call it a day.

Problem is two-fold. How can Google demand anything when Android is open source and available to any OEM? Sure, they could change the conditions of Android's use and try to play hardball but it goes against the very nature of their business model. Google doesn't see the profit margins from hardware that Apple (or even Samsung) has and needs eyeballs on their services for their income. They need the volume of users and alienating OEMs risks big drops in users. Tighten the reins and exert more control and Android becomes more like iOS, exactly NOT what many Android users (and especially the purists) want.

The second element of this is the nature of the carrier/OEM relationships and contract system here in the US. OEMs need their handsets front and center in carrier shops here in the US. Unlocked devices still don't have widespread appeal and simply don't sell well here. If they want their devices in retail stores, they have to play ball with the carriers...meaning they have to accommodate their software requirements. Apple is the only exception to this rule because 1) iPhones are the bestselling phones in the US and 2) Apple customers don't behave like your typical consumer. They will follow the iPhone anywhere and if carriers try to enforce their will on Apple, Apple moves on because they'll still sell the phone..only that customer will now be using a different carrier.

Any way you slice it, changing these conditions is going to significantly impact Google (upset consumers or upset OEMs).
 
Problem is two-fold. How can Google demand anything when Android is open source and available to any OEM? Sure, they could change the conditions of Android's use and try to play hardball but it goes against the very nature of their business model. Google doesn't see the profit margins from hardware that Apple (or even Samsung) has and needs eyeballs on their services for their income. They need the volume of users and alienating OEMs risks big drops in users. Tighten the reins and exert more control and Android becomes more like iOS, exactly NOT what many Android users (and especially the purists) want.

The second element of this is the nature of the carrier/OEM relationships and contract system here in the US. OEMs need their handsets front and center in carrier shops here in the US. Unlocked devices still don't have widespread appeal and simply don't sell well here. If they want their devices in retail stores, they have to play ball with the carriers...meaning they have to accommodate their software requirements. Apple is the only exception to this rule because 1) iPhones are the bestselling phones in the US and 2) Apple customers don't behave like your typical consumer. They will follow the iPhone anywhere and if carriers try to enforce their will on Apple, Apple moves on because they'll still sell the phone..only that customer will now be using a different carrier.

Any way you slice it, changing these conditions is going to significantly impact Google (upset consumers or upset OEMs).

Well explained.

And while I want updates to always come faster, I've also accepted that this is how it is on Android. It's just an entirely different beast. And there are tradeoffs to that. If Android wasn't open to interpretation you wouldn't have the freedoms you have now nor would you have OEM innovations like the things that can be done with TouchWiz. Also, having the latest Android update isn't going to make or break the average user (aka not peeps visiting these boards). Modern Android phones are delivering very good and usable Android versions. I think Android got that stride a while back. Maybe as far back as Ice Cream Sandwich.

Lastly, OEMs have improved their update times. Namely Motorola, HTC, Sony. Even Samsung is doing better with updates.

It can, of course, always get even better. Especially when it comes to security patch type updates.
 
The biggest negative with Android is how updates are dependent on either the manufacturer or the carrier (or both). According to the article, Google already sent out the fix, but nothing has been done yet in regards to pushing out the update.

Agreed, if you have an Android phone getting updates is very hit or miss.
 
Pretty sure any device on 5.02 or above has this patched.

If only that were the case, but currently e.g. my Nexus 5 on 5.1.1 remains vulnerable. They've fixed some (but not all) of the flaws on Nexus 6, but that's about it. I hope Google fixes at least Nexus devices quickly as the Black Hat conference is just around the corner.
 
Google should at the very least demand their OEM partners to demand the carriers to stop/delay preventing manufacturing updates from happening.
It's not like Google has control over the OS; as noted, it's open sourced. Their only leverage is the Google apps license. They threaten that when someone is doing what Google wants with Android.

This has been the Achilles' heel of Android. Google went the open source route to get multiple manufacturers to embrace the platform along with multiple carriers. By going this route, they lost a lot of control, and in a sense that loss of control was what they touted. Allowing manufacturers final say, now they're trying to change that, and that's just not possible.
 
Google should at the very least demand their OEM partners to demand the carriers to stop/delay preventing manufacturing updates from happening.

That implies that carriers are the ones delaying software updates and yet in my experience buying only unbranded sim free devices - more often than not a 'carrier version' gets the update pushed out weeks and sometimes months before unbranded sim free devices get the update from the manufacturer.
 
What is worse is this isn't a text messaging flaw, it is an OS flaw. MMS is just easier to exploit than the browser. The temp fix for the MMS portion is to not allow auto download of MMS content. Supposedly only FF isn't affected by the issue (as far as Android browsers are concerned).
 
That implies that carriers are the ones delaying software updates and yet in my experience buying only unbranded sim free devices - more often than not a 'carrier version' gets the update pushed out weeks and sometimes months before unbranded sim free devices get the update from the manufacturer.
Sometimes they do. AT&T has been holding back updates for my N6 even though I didn't get a branded phone.
 
Sometimes they do. AT&T has been holding back updates for my N6 even though I didn't get a branded phone.

True, but even the Lollipop 5.1.1 update was very protracted, releasing it device by device over a number of weeks - even when it's just 'Google'.
 
The biggest negative with Android is how updates are dependent on either the manufacturer or the carrier (or both). According to the article, Google already sent out the fix, but nothing has been done yet in regards to pushing out the update.

I have a custom ROM and don't update my phone but I hear this all the time about delayed software updates. It really is dependent on the manufacturer and/or phone carrier. Google just gives them the platform for them to customize on so I imagine once an Android update comes out, Google gives the code to the manufacturers and then they in turn have to implement it in a way that it works on all their different phone models. And a lot of these manufacturers also have other parts of their business production to focus on. I can see why there is such a bottleneck.
 
How do you guys know what versions are vulnerable?

If I'm not mistaken they have not released real juicy details regarding this yet aside from the 95% affected number.
 
How do you guys know what versions are vulnerable?

If I'm not mistaken they have not released real juicy details regarding this yet aside from the 95% affected number.


Don't go by the CNN article. The real details are in the blog by the security research group who found it. It's basically all devices running Android 2.2 Froyo or later:

http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

"Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations. If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse."


So unless you're using an Android device built in 2010 (that's when Android 2.2 Froyo came out) and never updated your phone, you're vulnerable.
 
Don't go by the CNN article. The real details are in the blog by the security research group who found it. It's basically all devices running Android 2.2 Froyo or later:

http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

"Android and derivative devices after and including version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations. If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse."


So unless you're using an Android device built in 2010 (that's when Android 2.2 Froyo came out) and never updated your phone, you're vulnerable.
Roger that! But we are still awaiting details of the actual exploit eh? As in it can't really be weaponized yet because it is not documented.

Fingers crossed that there will be a workaround/fix that mitigates this for rooted users because my phone will likely not be updated!
 
Problem is two-fold. How can Google demand anything when Android is open source and available to any OEM? Sure, they could change the conditions of Android's use and try to play hardball but it goes against the very nature of their business model. Google doesn't see the profit margins from hardware that Apple (or even Samsung) has and needs eyeballs on their services for their income. They need the volume of users and alienating OEMs risks big drops in users. Tighten the reins and exert more control and Android becomes more like iOS, exactly NOT what many Android users (and especially the purists) want.

The second element of this is the nature of the carrier/OEM relationships and contract system here in the US. OEMs need their handsets front and center in carrier shops here in the US. Unlocked devices still don't have widespread appeal and simply don't sell well here. If they want their devices in retail stores, they have to play ball with the carriers...meaning they have to accommodate their software requirements. Apple is the only exception to this rule because 1) iPhones are the bestselling phones in the US and 2) Apple customers don't behave like your typical consumer. They will follow the iPhone anywhere and if carriers try to enforce their will on Apple, Apple moves on because they'll still sell the phone..only that customer will now be using a different carrier.

Any way you slice it, changing these conditions is going to significantly impact Google (upset consumers or upset OEMs).

They could just tie it in with GMS. If they don't allow Google to OTA update then the phone can't use GMS. I'd like to see the carriers try to sell a phone with just AOSP.
 