Android Devices Are at Risk of Data Theft (2020)

wired.com

39 points by amaajemyfren 5 years ago · 23 comments

______- 5 years ago

My smartphone is a simple affair. I have a hardened Firefox as my default browser (uBlock Origin with JS disabled by default with HTTPS-Everywhere addon with EASE turned on).

I keep my app-count to a minimum. There are people who need every app imaginable, but that increases the attack surface of the phone. Try to minimize the amount of apps on your phone please!

Then of course all the usual OPSEC practices like not clicking on suspicious links in Whatsapp, E-mail or SMS always apply. You have to consider the human element of all this. So many people have been owned by fat-fingering some suspicious link in an SMS that then took over their phone.

But there is always the argument that: phones ship with malware anyway so you're pwned either way.

  • livre 5 years ago

    You can do a little more if you have root access, like use XPrivacyLua to restrict the amount of data and hardware apps like your browser have access to, and AdAway to block ads globally (protects you from app telemetry that shares data with third parties). You can also run a DoT server and point your phone there to protect your DNS queries from random WiFi networks you may have to connect to, or better run a VPN server and stay connected to it. Also whenever you can, always replace the OS that comes preinstalled with LineageOS (just make sure everything works for your phone, like the camera and LTE). With the latest LineageOS you can also restrict internet access per app and per network type, though AFWall+ still gives better control over that. For the extremely suspicious apps you can install them on the work profile for extra isolation with Island (Play Store) or Insular (F-Droid).

zibzab 5 years ago

https://www.qualcomm.com/company/product-security/bulletins/...

This happened months ago but I still can't see much info. Also, I see check point reported 4-5 issues to qcomm, not 400.

To people complaining android never gets updates: Android has been providing monthly security updates for some years now. It is even possible that this was fixed even faster since modern android can update some system libraries right from the store (Project Treble announced in 2017)

afrcnc 5 years ago

Actual source: https://research.checkpoint.com/2021/security-probe-of-qualc...

johnthuss 5 years ago

400 vulnerabilities! Good luck getting any reasonable percentage of users to install these patches. The software update situation on Android is horrible.

smiley1437 5 years ago

I don't LOVE walled gardens but has there been any exposure of this scale in iOS devices?

  • zibzab 5 years ago

    This sort of thing happens all the time in both camps. It's just that Android security is more open and visible to ordinary people.

    Apple _just_ patched some really big zero-days.

    Update: since this is getting downvoted by skeptics, here are some sources for you:

    https://www.bleepingcomputer.com/news/apple/apple-fixes-2-io...

    https://www.bleepingcomputer.com/news/security/apple-fixes-m...

    https://www.bleepingcomputer.com/news/security/apple-fixes-a...

  • toast0 5 years ago

    Apple doesn't have a spotless record with security. However, they are significantly better at pushing updates. A large majority of eligible iOS devices install OS updates, and iOS devices tend to be eligible for updates for many years.

    Additionally, because sales are much lower for iOS than Android, it's hard to get to the same scale. I don't know about iPad numbers, but 1 billion iPhones is about 5 years of sales, and five years is around where Apple stops providing updates (edit: as pointed out below, they're doing closer to 8 years from release now, but not all sales are from current model phones) and that combines with other factors and very few devices make it past five years of use.

    • gord288 5 years ago

      Just a few days ago, Apple issued a security update (iOS 12.5.3) for the iPhone 5s, a phone that first came out in Sept. 2013. Not bad huh?

    • GeekyBear 5 years ago

      > that combines with other factors and very few devices make it past five years of use

      The original version of the iPhone SE and the iPhone 6s are six years old now.

      They run the current version of iOS and still work just fine.

    • pwdisswordfish0 5 years ago

      The 5s received iOS 12.5.1 in January, it was released Autumn 2013

  • Saris 5 years ago

    I wonder how much of it is due to a walled garden, and how much of it is due to iOS devices getting security updates.

    It seems like even expensive flagship android devices get a year or maybe 2 of updates now and then you're just left on your own.

  • deadmutex 5 years ago

    Here is an interesting (sad) story I read yesterday: https://www.technologyreview.com/2021/05/06/1024621/china-ap...

lawtalkinghuman 5 years ago

From August 2020.

Proven 5 years ago

The duration and quality of security updates/fixes is roughly commensurate with the price users paid for the s/w part of their mobile devices.

That's pretty cool - you can pay almost nothing for the s/w and still get a phone that works.

  • lambda_obrien 5 years ago

    Alternatively, I bought my Google phone for 1000 dollars 3 years ago and get zero updates now. That's pretty sorry.

    • sumtechguy 5 years ago

      What is even more sorry is if you had bought a 100 dollar phone you could have bought a new phone every year for 10 years and had better protection. Which is totally wasteful.

    • ryanmarsh 5 years ago

      Kind of ironic that 3 year old Chromebooks cost less and still get updates.

      • dmitrygr 5 years ago

        I worked in both Android and ChromeOS orgs at Google. The way the leadership in each treated updates was very different.

        ChromeOS devices are expected to be supported for 7 (or so) years. This is true even at the planning stage, which is why certain vendors are avoided as they cannot be reliably expected to provide support for that. There used to be a policy even that only upstreamed kernels can be shipped, as in: if the vendor does not upstream their kernel patches, no part of theirs can be in a ChromeOS device.

        Very little thought about updateability was given in Android until about 2018(?)-ish, when Project Treble started happening. And even then, that idea had existed for a while before it was implemented, and it took a long time to sell Android leadership on it.
