I love my Android phone, but one of my concerns about the Android
platform is the lack of a clear end-to-end process for distribution of
security patches and bugfixes.
The model outlined in the FAQ states that once a patch or bugfix has
been released into the source, then it is up to the hardware vendors
to pick up and push them.
At present this seems to be a haphazard and unreliable process.
On any other OS one can simply run the platform equivalent of 'Check
for updates' and get up to date virtually immediately.
If Google can't build their own update service, then can they at least
require those OEMs that are certified 'With Google' to disseminate
critical patches and fixes within a minimum period after the fix has
been released?
It could be something like 30 days for non-critical patches and a few
days for critical security or stability issues.
Non-compliant vendors could lose their certified status and no longer
have access to Google App Market etc. if they don't get their act
together. This might get things moving faster.
Also, what is the point of the 'Security Announcements' group if it
has had no posts since the initial welcome message in 2008?
Supposedly it was to highlight important releases and list the process
for updating hardware from various vendors.
In practice it looks like no-one has cared about it since day one.
I'm still using my android phone 'cause it was an expensive device, but the only one I'll remotely consider will be one from Google itself. At least you can be sure to get some updates.
As much as I dislike them, Microsoft really did well with the update mechanism for their phone OS...
I'm still waiting for these issues to be resolved:
- Google doesn't provide information about security problems (mailing list, google group, web page)
- Google has no means to force the manufacturers to push out updates to the phones
- You have no means to get updates on your own either
I do care and echo R_NZ and Jan's sentiments. I do realize that a responsible policy or process could look something like:
1. Collect/find vulnerability (V)
2. Inform device manufacturers & partners (P) first, if V is critical
3. Agree on the fix (F) and delivery vehicle/time (T)
4. Push F at T
   1. Or ensure P members push F
5. Disclose the V and F sometime after T
Lack of response from the Google team on this topic is out of character. I've never liked the following strategy but there are situations like this that encourage white hats and security researchers to find a vulnerability, call the vendors and give them only 24 hours to fix, and then disclose the details next day in IRC. This is an opportunity for the Android team to work closer and in a more open manner with the community.
-Hadi
This email reflects my personal opinion.
On Sun, Jan 16, 2011 at 5:39 AM, Jan Niggemann <jan.niggem...@gmail.com> wrote:
> I'm still using my android phone 'cause it was an expensive device, but the
> only one I'll remotely consider will be one from Google itself. At least you
> can be sure to get some updates.
> As much as I dislike them, Microsoft really did well with the update
> mechanism for their phone OS...
> I'm still waiting for these issues to be resolved:
> - Google doesn't provide information about security problems (mailing list,
> google group, web page)
> - Google has no means to force the manufacturers to push out updates to the
> phones
> - You have no means to get updates on your own either
> In practice it looks like no-one has cared about it since day one.
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to
> android-security-discuss+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
One suggestion to address the non-updating carrier phones uses market
dynamics.
If a carrier wants to use the term "Google Android" then their phone
must support installing a basic Android OS image from Google.
Besides there always being security updates for vanilla images, this
rule could also resolve my biggest pet peeve: all the custom bloatware
carriers put on their phones that can't be easily killed or
uninstalled.
The Android bug reporting/fixing process is well understood, it's just
that it ends with 'released into source tree.'
As far as the Android team are concerned, they seem to feel that this
is where their responsibility ends.
It seems that it is up to the OEMs to figure out how to create a patch
from the source and push it.
I personally think this is a fundamental error in the Android model,
as there is no mechanism to ensure that OEMs and carriers distribute
fixes and updates in a timely fashion.
I get that there are a myriad of devices of all kinds that have various
ports and flavours of Android so universal patching may never be
possible, but the major players that are licensed to distribute Google
apps and access the Market have to conform to a minimum compatibility
level in order to be certified, so how hard would it be to require
them to implement a standardised patch mechanism?
On Jan 17, 5:58 am, Hadi Nahari <hadi.nah...@gmail.com> wrote:
> I do care and echo R_NZ and Jan's sentiments. I do realize that a
> responsible policy or process could look something like:
> 1. Collect/find vulnerability (V)
> 2. Inform device manufacturers & partners (P) first, if V is critical
> 3. Agree on the fix (F) and delivery vehicle/time (T)
> 4. Push F at T
> 1. Or ensure P members push F
> 5. Disclose the V and F sometime after T
> Lack of response from the Google team on this topic is out of character.
> I've never liked the following strategy but there are situations like this
> that encourage white hats and security researchers to find a vulnerability,
> call the vendors and give them only 24 hours to fix, and then disclose the
> details next day in IRC. This is an opportunity for the Android team to work
> closer and in a more open manner with the community.
> -Hadi
> This email reflects my personal opinion.
> On Sun, Jan 16, 2011 at 5:39 AM, Jan Niggemann <jan.niggem...@gmail.com> wrote:
> > The problem is that you don't realize that there are issues to be patched
> > or bugs to be fixed in the first place!
> > I already tried to bring attention to that problem, please read this thread
> > and draw your own conclusions.
> > I'm still using my android phone 'cause it was an expensive device, but the
> > only one I'll remotely consider will be one from Google itself. At least you
> > can be sure to get some updates.
> > As much as I dislike them, Microsoft really did well with the update
> > mechanism for their phone OS...
> > I'm still waiting for these issues to be resolved:
> > - Google doesn't provide information about security problems (mailing list,
> > google group, web page)
> > - Google has no means to force the manufacturers to push out updates to the
> > phones
> > - You have no means to get updates on your own either
> > In practice it looks like no-one has cared about it since day one.
I agree with nearly everything written here, and I'd add another
concern. The security FAQ (http://developer.android.com/resources/faq/security.html) doesn't describe how Google decides which versions of
Android OS to patch. If someone reports a flaw tomorrow, will it be
fixed in 1.6? 2.1? 2.3? 3.0? Does Google release fixes for anything
other than the current (or next) major version? If so, where's the End
Of Life schedule?
Last November flaws in 2.2 were reported and Google's response was not
merely that they would not fix the then-current 2.2 release, but also
that it was too late to be fixed in 2.3.0 (http://www.h-online.com/open/news/item/Android-vulnerability-permits-data-theft-1141200.html).
I can understand why Google might prefer not to patch older releases
-- it reduces development and QA costs to orphan an OS version the
moment a new release comes out. But it would be (is??) terrible for
end users.
One infosec-minded Twitter user at ShmooCon last week described the
mobile malware situation as a "powderkeg," and if my fears about
Google abandoning old versions of Android are correct, then he's
absolutely right.
Here's a nice metasploit blog post about that data theft problem that
I just stumbled on, in which the author opines that "If the situation
is not resolved, I fear the Android device pool could become a
seething cesspool of malicious code... "
> I love my Android phone, but one of my concerns about the Android
> platform is the lack of a clear end-to-end process for distribution of
> security patches and bugfixes.
> At present this seems to be a haphazard and unreliable process.
> If Google can't build their own update service, then can they at least
> require those OEMS that are certified 'With Google' to disseminate
> critical patches and fixes with a minimum period after the fix has
> been released?
> In practice it looks like no-one has cared about it since day one.
I agree with pretty much everything written here, and I'd add another
concern. The security FAQ (http://developer.android.com/resources/faq/security.html) does not describe how Google decides which versions of
Android OS to patch. If someone reports a flaw tomorrow, will it be
fixed in 1.6? 2.1? 2.3? 3.0? Does Google release fixes for anything
other than the current (or next) major version? If so, where's the End
Of Life schedule?
Last November flaws in 2.2 were reported and Google's response was not
merely that they wouldn't fix the then-current 2.2 release, but also
that it was too late to be fixed in 2.3.0 (http://www.h-online.com/open/news/item/Android-vulnerability-permits-data-theft-1141200.html).
I can understand why Google might prefer not to patch older releases
-- it reduces development and QA costs to EOL an OS version the moment
a new release comes out. But it would be (is??) terrible for end
users. It doesn't do users of Motorola Devour phones (released a year
ago) any good if Motorola won't upgrade past Android 1.6 and Google
won't release fixes for 1.6. Don't tell me the fix is in the new 2.3.x
source tree -- handset vendors have embraced Android in part because
of Google's implicit promise to offer a suitable OS. They shouldn't
have to backport complex patches in the OS core.
One infosec-minded Twitter user at ShmooCon last week described the
mobile malware situation as a "powderkeg," and if fears that I and
others have about Google abandoning old versions are correct, then
he's absolutely right.