Google Says Google and Other Android Manufacturers Haven't Patched Security Flaws (engadget.com) 19
Google has disclosed several security flaws for phones that have Mali GPUs, such as those with Exynos chipsets. From a report: The company's Project Zero team says it flagged the problems to ARM (which produces the GPUs) back in the summer. ARM resolved the issues on its end in July and August. However, smartphone manufacturers including Samsung, Xiaomi, Oppo and Google itself hadn't deployed patches to fix the vulnerabilities as of earlier this week, Project Zero said.
Researchers identified five new issues in June and July and promptly flagged them to ARM. "One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition," Project Zero's Ian Beer wrote in a blog post. "These would enable an attacker to continue to read and write physical pages after they had been returned to the system." Beer noted that it would be possible for a hacker to gain full access to a system as they'd be able to bypass the permissions model on Android and gain "broad access" to a user's data. The attacker could do so by forcing the kernel to reuse the aforementioned physical pages as page tables.
They're probably too busy (Score:4)
Helping the Kremlin
https://youtube.com/watch?v=4I... [youtube.com]
Between that, and this:
https://www.nytimes.com/2018/0... [nytimes.com]
I've lost all respect for that company, and its employees for that matter.
Re: (Score:3)
Sounds like that guy has a decent case against RT, but he's pretty off-his-rocker in regard to YouTube. It's a pretty big stretch to claim YouTube is making "intentional efforts to undermine the United States of America in collusion with the Russian government" by not terminating all 39 of RT's YouTube channels because of a few minutes of copyright infringement by one of them. Lots of exaggeration and loaded language, and some strong hints of pa
Short support times (Score:5, Insightful)
The other problem is that these things only receive updates for a short time. This is the device "lifetime" which is often only 2-3 years. This is not shown on the box when you buy it; it is easy to buy something that was first released a couple of years ago that only has a few months of support coming.
All of these things should get security patches for at least 10 years from when the last one was sold as new in a shop or web site.
Re:Short support times (Score:4, Insightful)
I've been saying this for years now. It's why I refuse to buy an Android and exclusively use an iPhone. Security on Android is a joke.
Re: (Score:3)
The other problem is that these things only receive updates for a short time. This is the device "lifetime" which is often only 2-3 years. This is not shown on the box when you buy it.
I think this is a good, relatively-easy first step: vendors need to print end-of-support dates on the outside of the box, visible at point-of-sale, and it'd cost basically nothing, though it'd provide an easy pressure point from carriers...a 2-year subsidy on a phone with an expiration date that ends six months before the term of the contract would likely encourage longer support cycles.
I also think mandatory, free bootloader unlocks no later than 6 months prior to the expiration date should be implemented.
Re: Short support times? (Score:4, Informative)
I was amazed some time ago that the Note 2 and S3 are actually still supported by LineageOS and even their downstream, the privacy-focused /e/OS https://doc.e.foundation/devic... [doc.e.foundation]
Another uptick of Free Software: it generally works with older hardware, too. In case of these Android mods, that also means security patches do get merged continuously.
The FSFE has workshops on "Upcycling Android": https://fsfe.org/activities/up... [fsfe.org]
Re: (Score:3)
The issue here is that the flaw was in the Mali GPU driver supplied by ARM. Once they fixed it, the patch had to be tested by the manufacturer of the ARM SoC and rolled into the Board Support Package (BSP), and then tested by the phone manufacturer with the current version of Android. In some cases those last two are the same people.
In other words it takes longer for the patch to reach users than it does with other types of software.
As for security updates, the situation on Android is actually pretty good.
steroids for androids (Score:3)
Will they ever fix the updates issue? (Score:4, Insightful)
I understand Android launched during and somewhat as an answer to the era of carriers controlling the client hardware on their networks. To drive adoption Google had to cede some amount of control to the carriers and phone manufacturers, they needed their bundled, uninstallable apps after all...
It's 2023 now though and is my phone really all that different than my laptop that I can't have a BIOS and ability to separate my hardware from my OS? I buy any x86 mobo and CPU from $20 to $20000 and install Windows or Linux on it out the gate, updates and all. I feel as though the reasons for this not happening for phones are purely profit and business related and nowhere near technical at all.
The fact it hasn't happened yet to me means this is now a matter for legislation.
make it more like apple with the base OS updates (Score:2)
Make it more like Apple with the base OS updates.
Carriers having their own ROMs with slower / missing updates on top of the manufacturer's hardware that you can buy without the carrier's stuff. Can be a starting point with the updates just needing to be done by Google / manufacturer.
Re: make it more like apple with the base OS updat (Score:1)
You can buy Android phones that have nothing carrier specific, at least you can in the EU. It does not help much, they still come with only 2, 3 or sometimes 5 years of updates, instead of being supported for as long as you can update a PC.
Re: (Score:2)
Buy your phone outright, not from the carrier. Buy from brands that don't load their devices up with uninstallable shovelware, like Google, Samsung, and OnePlus.
Yeah, even Samsung are not too bad now. Their version of Android has minimal changes from stock, they let you re-assign hardware buttons, and most of their own apps can be uninstalled or simply aren't installed at all, instead waiting for you in their app store.
Avoid the lowest end handsets as those tend to be the most heavily subsidised. If you wan
Re: (Score:2)
I do use Pixel phones and my phones for the last 6 years or so have all been bought outright. Pixels are better but they all suffer from this issue. Pixel just means Google is upfront about what updates it gets and for how long, they are still nowhere close to operating like the x86 hardware we all know and love. No BIOS, no bootloader (without jumping through hoops) no updates if the phone manufacturer decides to drop support.
There's gotta be a better way for the other 98% of Android users not on Pixels
Re: (Score:2)
It really is down to the modem and SoC manufacturers. Their drivers are needed for the phone to operate, and in the case of the modem they have to be certified and made difficult to modify (e.g. by being signed).
Those manufacturers only support recent versions of Android. People do extract those drivers for use in Lineage and other unofficial versions of Android, but they are unsupported and uncertified so no phone manufacturer could ship them without risking being booted off some carrier's networks.
Apple b
Re: Will they ever fix the updates issue? (Score:2)
Agree, and really this is why I am open to legislation on the issue. There's no technical reason the modem and SoC people don't publish drivers like we get on a PC, signed and all, it's just profits which they'll do unless forced to otherwise.
Re: (Score:2)
[expert] says fix [something expert should fix] (Score:3)
Google says Google... (Score:2)
At least they didn't type Google into Google. That could break the Internet.
https://www.youtube.com/watch?... [youtube.com]
Secret Source (Score:2)
Mali has been a real problem for more than a decade for embedded developers working in the open source space.
Undoubtedly there are other nasty bugs that haven't been found yet - at least publicly.
The rumor was that ARM had stolen/infringed patents to compete so they couldn't release anything but a blog. That never excused how buggy it was (is?)