Thursday, April 18, 2013

Most Android phones are unpatched and unpatchable

It's so bad that the ACLU is complaining:
Yesterday, we filed a complaint with the Federal Trade Commission (FTC) asking the agency to investigate the major wireless carriers for failing to warn their customers about unpatched security flaws in the software running on their phones. These companies—AT&T, Verizon, Sprint and T-Mobile—have sold millions of smartphones to consumers running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks.

In a 16-page complaint filed with the FTC, we argue that the major wireless carriers have engaged in “unfair and deceptive business practices” by failing to warn their customers about known, unpatched security flaws in the mobile devices sold by the companies.
Android itself gets patched, but the handset vendors (Samsung, HTC, etc.) and carriers aren't shipping those patches to subscribers. Apple has a much better model for the iPhone: it pushes updates to every supported handset itself, without waiting on a carrier.

7 comments:

Anonymous said...

I'm currently suffering with this through Verizon and an HTC Thunderbolt. Next phone will be unlocked GSM hardware from Google so I get updates from the source.

Peter said...

Is there any way for us to get Android updates from Google, and load them ourselves?

Eagle said...

Go to xda-developers.com and use the "Find your device..." at the top of the page to see if there's a forum on your device.

If there is, there might be an open-source non-telco replacement for your phone's ROM.

Then, find out how to "unlock" your bootloader, grab a copy of the ROM, and install it.

Voila! Up-to-date code, NO CRAPWARE, and you have FULL control over your phone.

Or, unlock your bootloader and load TitaniumBackup. This tool lets you "freeze" and disable telco-loaded and usually unloadable crapware from running on your Android phone.

It isn't Android per se that's the problem. Android is Linux: it's reasonably secure... unless it's been compromised. And it's the crapware that comes loaded on the phone by the telcos - the crapware that "helps you keep in touch" - that's primarily responsible for compromising Android phones.

The crapware they use to push pay-for-service junk that you don't need, don't want, and that is the cause of MOST of the security holes should be the FIRST THING you either remove or totally disable on your phone. Once you do, most of the security holes vanish.

I'm an embedded Linux / Android developer - it's what I do *for a living*, folks.
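A worked version of the procedure in the comment above, as an added example that is not from the post or any of its commenters: a POSIX shell script that reads the attached phone's build and patch level over adb and freezes carrier-preloaded packages. It uses only real adb/pm commands, but the carrier package prefixes and the 2013 sample `getprop` dump are constructed for the example, and the `ro.build.version.security_patch` property only exists on Android 6.0 and later (older builds expose just `ro.build.date.utc`). Note that `pm disable-user --user 0` runs over plain adb without root or an unlocked bootloader, so it is a lighter-weight alternative to a root-only freezer; flashing a third-party ROM still requires unlocking (`fastboot oem unlock` on most 2013-era devices), which wipes the phone.

```shell
#!/bin/sh
# Added example (not from the post or its commenters): audit an Android
# phone's patch state over adb and freeze carrier packages without root.
# Assumes `adb` is on PATH and USB debugging is enabled on the phone.

# Constructed list of carrier package prefixes for this example; edit for
# your own device after reviewing `adb shell pm list packages`.
CARRIER_PKG_PREFIXES='com.vzw. com.verizon. com.att. com.sprint. com.tmobile.'

# Print one property's value from a `getprop` dump on stdin.
# Each line of `getprop` output looks like: [ro.build.version.release]: [4.0.4]
prop_from_dump() {
    sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Exit 0 if patch level $1 (YYYY-MM-DD) is older than date $2 (YYYY-MM-DD).
# ISO dates sort correctly as plain strings, so a string compare is enough.
patch_is_stale() {
    expr "$1" \< "$2" >/dev/null
}

# Read `pm list packages` output ("package:com.foo" per line) on stdin and
# print the package names that match a carrier prefix.
carrier_packages() {
    sed 's/^package://' | while read -r pkg; do
        for p in $CARRIER_PKG_PREFIXES; do
            case "$pkg" in "$p"*) echo "$pkg"; break ;; esac
        done
    done
}

# Live path: only runs when a device is actually attached.
# `tr -d '\r'` strips the CRLF line endings older adb versions emit.
# Pass --freeze to actually disable the matching packages for user 0;
# otherwise the script only reports what it would freeze.
if command -v adb >/dev/null 2>&1 && [ "$(adb get-state 2>/dev/null)" = device ]; then
    dump=$(adb shell getprop | tr -d '\r')
    today=$(date +%Y-%m-%d)
    echo "Android $(printf '%s\n' "$dump" | prop_from_dump ro.build.version.release)"
    patch=$(printf '%s\n' "$dump" | prop_from_dump ro.build.version.security_patch)
    if [ -n "$patch" ]; then
        if patch_is_stale "$patch" "$today"; then
            echo "security patch level $patch is older than today ($today)"
        fi
    else
        # Pre-6.0 build: the build timestamp is the only available hint.
        echo "no security_patch property; build date (epoch): $(printf '%s\n' "$dump" | prop_from_dump ro.build.date.utc)"
    fi
    adb shell pm list packages | tr -d '\r' | carrier_packages | while read -r pkg; do
        if [ "${1:-}" = --freeze ]; then
            adb shell pm disable-user --user 0 "$pkg"
        else
            echo "would freeze: $pkg   (re-run with --freeze)"
        fi
    done
fi
```

Frozen packages can be restored with `adb shell pm enable <package>`, so this is reversible in a way a ROM flash is not; check the list the dry run prints before freezing, since some vendor packages are dependencies of the dialer or messaging app.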

Unknown said...

Thanks for sharing this information.

developer android

Jake (formerly Riposte3) said...

@Peter: What Burt said. Also, check out CyanogenMod (www.cyanogenmod.com). You'll find from XDA that they're one of the "big name" custom ROMs out there (a lot of the other custom ROMs are actually built with CM as the starting point), and they have it built for a very large variety of phones.

CM is pretty close to stock Android, but with a few improvements based on user requests and feedback. The best thing is that they release frequent updates, and I have seen security fixes listed in the changelogs pretty frequently.

Weetabix said...

What do you think about the Blackberry Z-10 for security. I've been reading reviews that make me want to get one.

Borepatch said...

burt, thanks for the information-rich comment.

Weetabix, I don't know very much about the Blackberry's security architecture. I'd guess given its market share that it doesn't get a lot of attention from the Bad Guys.