One billion Android devices at risk of hacking
bbc.comNot even spending several hundreds or even going beyond a thousand bucks will save you from this on Android, and this is the reason why I try to avoid it whenever possible. At least iPhones are expensive but you do have years and years of updates (and no, not willing to change my phone every year or two).
I'm not super familiar with how Android does it's versioning, so I may be off base here.
The article mentions the S6 being vulnerable, but it had its last update 6 months ago. It also says versions below 7.0 are vulnerable, but the S6 supports 7.1. It also says the most vulnerable are phones from 2012.
I don't think it's unreasonable to say an 8 year old phone may have some security vulnerabilities. I personally don't know anyone with an 8 year old phone. I'm sure they exist, but I don't think this is an Android exclusive issue.
Further, Android is the defacto default OS for phones. Every shovelware burner sitting in a bin at the convenience store is running some version of Android. Saying "1 billion are vulernable" is surprising in that it's only 1 billion.
These include the phones that cops hack into by placing the phone in a machine that tries every pin combo between 0000 and 9999 until it unlocks.
Android (the project) may release updates, but it's useless if the phone manufacturers don't distribute them.
The article says
> According to the Android security bulletin, there were no security patches issued for the Android system in 2019 for versions below 7.0
But this doesn't really matter. The only way the vast majority of Android users will get an update is if there's an "over the air" (OTA) update. Which most device manufacturers don't provide. I've seen Samsung phones from 2016 which are stuck on Android 6, no security updates. I don't actively use Android personally, but I suspect there are more recent phones in a similar situation.
This is the crux of Android's problems re security updates.
The only consumer-grade phone I'm aware of that does a decent job of security updates is Google's Pixel. Interestingly Samsung do provide security updates fairly promptly for some models -- possibly because they're widely used as corporate Android devices and their purchasers made security updates a requirement.
From https://support.google.com/pixelphone/answer/4457705
"Pixel phones get Android version updates for at least 3 years from when the device first became available on the Google Store".
My Pixel (1st gen) no longer gets updates as of a few months ago. I might flash an open source Android ROM, such as LineageOS.
This has always bugged me because not providing even security patches is straight-up malpractice in my book.
Given all the attention lightning cables get in terms of e-waste, someone should ask lawmakers worried about e-waste to consider the impact of Android's enforced obsolescence policy -- no security updates means the device is effectively vulnerable and not usable.
Google and all the big handset manufacturers (Samsung, Xiaomi, etc) could easily provide updates should they choose to -- some of them release multiple times a a year (e.g., OnePlus; and Samsung introduces new products throughout the year) but don't have the resources to provide security updates? Give me a break.
I'm hoping they do the right thing before legislation forces their hand.
Project zero remains oddly silent.
Interesting, isn't it? Paging Ian Beer...