the title should say "every vulnerable Android device":
One of the most interesting ones is the addJavascriptInterface vulnerability ( CVE-2012-6636 ) which affects every device running a version older than Android 4.2
the exploit is from march 2012 and affects devices running android < 4.2. which according to latest platform usage [0] numbers is around 14.9% of all active android devices.
Unfortunately, Google has stated no intention to support or secure any device running an OS released more than 18 months ago. There's many dozens of CVEs that involve owning devices pre-5.1 that will never be fixed by Google or the OEMs.
This is interesting. In Australia, there's the Australian Consumer Law, which mandates that products must be of acceptable quality for a duration that aligns with the length of the contracts. Legally a consumer can return such a 'faulty' device to the carrier. I'm guessing that this is something that needs to be bumped up by 6 months in Australia (or more likely the carriers will take a risk that there aren't enough consumers that care about security to follow through with such returns). Perhaps if someone were to post a 'How to get a free phone every 18 months' type of article it could press the point that writing software is not a one shot process, and broken software should be supported for longer periods of time.
I work in the mobile. I am experiencing this daily. IF normal consumers gave a shit about patching old phones, THEN we have a legitimate shot at fixing this problem. But carriers are generally transitioning away from treating handsets as a revenue source and focusing more on transport.
So please- think hard about repeating this cheap shot. It's easy and can win you internet points, but I am arguing that now is the best time in history that we could start making progress on this issue. Comments like this do not help move the ball forward.
Though from what I've witnessed, even though it is unreasonable, it seems most non-techs expect the carriers to do it automatically for them without their involvement.
I'm writing this from a Samsung device that never had a supported lollipop release. If I'd be on stock, I'd be vulnerable to many vulnerabilities including stagefright.
But I'm using an open source ROM called cyanogenmod, currently on Android 5.1 (cm 12.1). I upgraded to a newer nightly after patches were made to fix stagefright, and now I'm not vulnerable. I could also have installed a version of cyanogenmod from KitKat that back ported the patch.
So yes, open source can and has addressed this. If your device is supported by cyanogenmod, you can fix it.
Note that marshmallow cm builds are expected to be released soon, and afaik my device (S3) will still be supported: this would make my device upgradable 2 entire major releases after the manufacturer dropped support.
In fact, there are already Marshmallow nightlies for the S3.
Interesting is that, even though you are running 12.1 on the S3, there was never an official CyanogenMod release for the S3, only unofficial ones. But now a maintainer has stepped up, made MM (CM 13) run on the S3 again and we get our official releases again.
And I don't see any CM 13 releases yet. I thought they were expected to drop in a few weeks.
Edit: I assume you were talking about the international version. That does seem to have skipped lollipop. I also came across unofficial builds of 13 for my device, but I'm not upgrading until I have debug time.
I've got a Japanese Galaxy S. As far as I know, there are no ROMs with a working modem :-( So either I'm stuck on Gingerbread, or I don't get a working phone. Binary blobs suck.
Learned my lesson. Next phone will be a Nexus so that I can be sure that it isn't abandoned 6 months later. I do admit that it seems strange to have a nearly 5 year old phone and still use it. But it does everything I need it to do so I can't really justify dropping $X00 upgrading to a new phone.
Asking as a GNex owner: what did you expect Google to do when TI decided to exit the mobile space and could no longer maintain its drivers for newer kernels? I was pissed off, but only at TI.
- Have their own teams develop the required fixes. After all they are developing Android.
- Have had the business sense to make a proper contract with TI that would either oblige them to keep doing the fixes even after product termination or provide the relevant information for Google.
This is how a company ensures its costumers are safe from outsourcing deals.
Right now, Google can let it happen again and people can choose to properly blame Google or the OEM.
For all practical purposes no, being open source does not help. Yes, Android is OS, but the device manufacturers and carriers lock down their devices so you do not have the freedom do install changes or make modifications to your own device. They do not accept contributions from the OS community.
I believe this will eventually be true for everything - from servers to desktops to laptops, etc.
Sure, I install cyanogenmod when I can. Ordinary users cannot do that. Samsung is actively hostile to this and samsung makes some of the most popular android devices.
It does, but only for users technical enough to do so. And most users who are, probably buy newer phones anyways.
Also, here in the US, our largest carrier (Verizon), requires phones to have encrypted bootloaders. So my phone, for instance, cannot be flashed with a third party build.
> Also, here in the US, our largest carrier (Verizon), requires phones to have encrypted bootloaders. So my phone, for instance, cannot be flashed with a third party build.
Nexus 5X and 6P work on Verizon, and have a unlockable bootloader out of the box.
Ugh this type of commoditization of exploits is downright scary. Google needs to do something about the OEMs dragging their feet on updates and do it FAST. I can't see any other solution for people other than to move to Nexus or iOS phone.
Commoditization of exploits is important. The crooks have had access to them for a long time now on the black market; it's time we, the ordinary folks, have it too, so that we can raise awareness and protect ourselves. There are dangerous BIOS and router rootkits available for people who know where to look - but the general public won't take it seriously until they're widely available, out in the wild and wreaking havoc. The sooner, the better.
Google doesn't much power in the relationship. They have announced several efforts to make OEMs and carriers provide a better update experience. So far it hasn't helped.
The OEM's customer is the carrier because the carrier determines whether or not the handset even appears for sale in the stores or on the website. For both the OEM and the carrier, updates are a pure cost center for which there is little-to-no benefit.
Google can't roll out updates on its own because the OEMs customize for their CPU, platform, baseband, etc. Google doesn't have the drivers, licenses, testing capacity, or configuration details to deal with the various bits of hardware.
Presumably Google could make regular updates a requirement for using Google services on Android. At that point we'd find out whether the tail wags the dog and I think Google might not like the answer; getting the data on Android users is quite valuable for building advertising profiles. I doubt a few Googlers desire to have timely updates would survive contact with the money-making ad side of the house but I could be wrong.
Google needs to actually develop Android as a platform where drivers and their software can be distributed separately. Like Windows. Even Windows Phone lets Microsoft push the OS directly (first tested in the Dev Preview feature) separate from the firmware updates from the carrier or OEM.
The problem is, when Google say add a new feature to android, they don't want OEMs to upgrade if the phone's hardware isn't up to the task. So you make a low-ish spec phone that can do everything this generation of the OS demands and then all of a sudden it's not good enough any more.
Plus it's in the OEMs interest to make the upgrade path involve purchasing a new handset.
> So you make a low-ish spec phone that can do everything this generation of the OS demands
If only. Actual low-ish spec phones can barely even lift the OS! By "do everything the OS demands" OEMs generally mean "sort of do it by hanging up in the process and requiring battery-removal powercycling". Source: spent three years using such a phone.
I have a Moto G 2nd gen. Nice device - good screen, peppy processor, runs android 5.
Only 1G of ram and 8G of storage, meaning only 3GB for apps, most of which are the stock Google ones, and 1G of ram means the thing crawls.
Moto is still releasing these anemic specs on the 3rd gen Moto G, only their "moto G turbo" will have respectable specs, and that's only in like Mexico or something.
And the company sells a phone lower than the G.
And this is a company that used to be owned by Google, and was branded as being a great stock android company during that phase.
I have a 1st gen Moto G. Bought it Dec 2013 and don't even care about having anything faster/bigger.
Indeed, the Moto E has been out for a little while and that phone is what I probably consider the bare minimum while still qualifying as a smart phone.
I'm just happy to have had device support for all these years so that I can run Android 5 natively and efficiently.
How do you deal with the storage problem, though? I don't mind the missing features or the thick build, but the fact that I basically have about 600MB of free space to play in for apps is killing me. Google Photos has a pathetic churning cycle where it downloads photos from my online google account and then complains that it's out of space and needs to delete them... and then does it again, all without ever having been run.
The Moto E at least supports moving "supported" apps to the SD card. Unfortunately, it doesn't work for the Google apps. But I can squeeze in Firefox Beta, an epub reader, and the Google apps so I'm fine with the internal storage.
Indeed. I have this problem with my S4 right now - I can't install anything anymore, because something (apparently the OS; INB4 yes, I've checked the obvious things like data caches) grew to take most of it, and I'm stuck at ~500MB free. Most apps can't even be moved to SD card, and those that can be only get moved partially.
Yup. This is the "dirty little secret" of the Android ecosystem IMHO.
Personally, I use Nexus devices... however, I still don't trust these devices enough for very sensitive stuff -- fixes for known escalation bugs can still take a while to get patched. :-/
Yeah my Hisense smarttv is android 4.2 and it will never get upgraded. I am pi$$ed - mainly because it didnt occur to me, I had it in my head that I could upgrade it or their might be a community scene but not for something this obscure.
[0] https://en.wikipedia.org/wiki/Android_(operating_system)#Pla...