One billion Android devices at risk of hacking

[Thaldor]

2 hours ago, rcmaehl said:

You have tons of choices for continued updates on Android Devices:

 

LineageOS

Resurrection Remix

AOSPE

And a dozen or so more

Except most of those require root access, which then means you need to try to hide that because there are apps that don't work if they notice the phone has been rooted (like my banks authentication/login app, it will even refuse to start if the Android is just "modified").

 

In general:

It's really surprising that even today Android is one clusterfuck when it comes to updates. Like how long have PC OSs been out of the era of monolithic design? 20 years? And I mean that device drivers, kernel, UI and other parts aren't one single piece that needs to be updated as whole but different pieces that can be updated individually. Yeah, it would bloat Android a little but then we wouldn't be in this place where it's up to phone manufacturers how long and which security updates phones receive (which mostly means not a lot and late as fuck). At this point I would bet Google has resources to keep general security updates for different Android versions up for a decade, easily, and push them out, but currently that doesn't matter because Android is a monolithic piece that needs to be patched, upgraded and distributed by those who have made the hardware so it fits because making a driver platform and having drivers separated from the OS so that Google can update the OS without fucking up drivers (at least if the drivers aren't made by fuckwits who can't read the manual) and there would be at least some security. It wouldn't fix every hole there is but it would be a lot better than like HTCs "update schedule" where while promised you get 1 update in 2 years (not to mentions Samsung which may not push a single update to some of the lowest priced models in their whole support time, even if there was found problems or just those phones you buy from discount bins because often they have already run out of their support time) and even that comes 1 year too late (HTC U11, Android 9, security updates from July 2019).

[mr moose]

In the 80's an old bloke once told me (which would make him someone who lived through a several wars, watched the world go from no radio to valves to transistors then PC's), "if something is free it is often worth less than the asking price".

 

Seems rather accurate in this discussion.

 

 

[jagdtigger]

4 hours ago, Phill104 said:

many cannot

Anyone can do it with a basic reading skill... (there are tons of fool-proof guides out there)

 

21 minutes ago, Thaldor said:

Except most of those require root access,

They dont need root just custom recovery, very few app checks that.

Edited March 6, 2020 by jagdtigger

[Guest]

35 minutes ago, jagdtigger said:

Anyone can do it with a basic reading skill... (there are tons of fool-proof guides out there)

 

They dont need root just custom recovery, very few app checks that.

That assumes a lot of things, that they even know it needs doing is just one of many. There really are plenty of people in the world who just would not have the skill, knowledge or most importantly, the will. I know plenty of older people who have never used a computer or if they have tried struggled with the hand eye coordination to control the mouse pointer. 
 

Not everyone on the planet is literate, let alone IT literate. Should that stop them using a phone? Certainly not. Should that mean it is easy for someone to abuse them because a company deems them unprofitable? Seems so.

[mr moose]

3 minutes ago, Phill104 said:

That assumes a lot of things, that they even know it needs doing is just one of many. There really are plenty of people in the world who just would not have the skill, knowledge or most importantly, the will. I know plenty of older people who have never used a computer or if they have tried struggled with the hand eye coordination to control the mouse pointer. 
 

Not everyone on the planet is literate, let alone IT literate. Should that stop them using a phone? Certainly not. Should that mean it is easy for someone to abuse them because a company deems them unprofitable? Seems so.

Not only that, but the concept that consumers should have to finish making the product in order to have what they paid for is inanely unproductive.  I see the same argument being made for Linux, no one should have to learn how to install an OS let alone learn new skills just to use a product normally.

[jagdtigger]

9 minutes ago, mr moose said:

no one should have to learn how to install an OS let alone learn new skills just to use a product normally.

They had to learn windows(using and installing) once so you can forget about this pretty dumb argument...

 

14 minutes ago, Phill104 said:

skill, knowledge

If someone cant follow a detailed guide thats their problem. Besides if the person in question is tech illiterate why they bought a smart phone lol....

[mr moose]

9 minutes ago, jagdtigger said:

They had to learn windows(using and installing) once so you can forget about this pretty dumb argument...

 

windows comes preinstalled on nearly every domestic computer, users simply follow prompts to get it set up.  If you think that is a "dumb argument" you don't understand the market very well.  And even then many older people and less technically inclined get a friend to do that bit.

 

Quote

If someone cant follow a detailed guide thats their problem. Besides if the person in question is tech illiterate why they bought a smart phone lol....

because they want a phone, knowing how to root a phone and follow a technical document is not the same as being able to use the product.  Companies spend millions developing their systems to be intuitive for people who are not tech literate.  The same cannot be said for rooting a phone.

[jagdtigger]

11 hours ago, mr moose said:

windows comes preinstalled on nearly every domestic computer, users simply follow prompts to get it set up.  If you think that is a "dumb argument" you don't understand the market very well.  And even then many older people and less technically inclined get a friend to do that bit.

 

So you say they didnt learned how to use windows and born with the knowledge?  Just face it, it is a dumb argument..... BTW installing linux is way less complicated than windows.

[mr moose]

42 minutes ago, jagdtigger said:

So you say they didnt learned how to use windows and born with the knowledge?  Just face it, it is a dumb argument..... BTW installing linux is way less complicated than windows.

most people already know how to use windows.   Kinda embarrassing to call an argument you don't understand dumb.  

[Guest]

32 minutes ago, jagdtigger said:

So you say they didnt learned how to use windows and born with the knowledge?  Just face it, it is a dumb argument..... BTW installing linux is way less complicated than windows.

You really have no idea about people do you!

 

i know a chap, mathematician, ex college professor now in his 90s. He could explain in detail how a processor does its job. However he just cannot operate a mouse, he has tried but a combination of lack of hand-eye coordination coupled with severe migraines when he sits at a screen means computers have been out of his reach. He still needs to phone his family and friends. He has an android device that I am quite sure has never been upgraded since he got it in 2014. It does what he needs, makes phone calls. Should he be forced to root it? Should he just shut up and be left to die alone? Should he spend the rest of his life trying to learn these skills?

 

What about those who are dyslexic? Those who struggle to read Or struggle with numbers? People who are very talented at what they do but for some reason or another cannot do things others find easy. This is quite a large part of the world’s population. Maybe we should just have a policy of euthanasia for those that cannot root their devices, commit apostrophe abuse or cannot understand the grammatical difference between learnt and learned.

[jagdtigger]

1 hour ago, Phill104 said:

You really have no idea about people do you!

His argument was "no one should have to learn how to install an OS let alone learn new skills just to use a product normally". Which in practice actually true for windows as well. Every person had to learn how to use it, thus needing to learn new skills.....  Plus for a consumer friendly distro like ubuntu you dont even need new skills. Yeah its different because if they would try to copy MS they would get sued into oblivion. You can get similar enough distros (Linux Mint) that are pretty close and most ppl wouldnt even have problems using it. As for installing its way easier than windows.

[AlTech]

18 hours ago, rcmaehl said:

You have tons of choices for continued updates on Android Devices:

 

LineageOS

Resurrection Remix

AOSPE

And a dozen or so more

Most people don't know how to do that or are unwilling to.

 

I know someone who once has an S6 Edge and they were on Android 6. At the time Android 7 was out and they specifically didn't want to update to it.

 

Also, some devices are much much more difficult to unlock bootloader like Samsung devices and Xiaomi devices.

[rcmaehl]

On 3/6/2020 at 1:44 PM, Thaldor said:

Except most of those require root access, which then means you need to try to hide that because there are apps that don't work if they notice the phone has been rooted (like my banks authentication/login app, it will even refuse to start if the Android is just "modified").

LineageOS doesn't require root and works with Netflix and all banking apps just fine. Root is an entirely optional install. I can't speak for other ROMs however.

[Kisai]

On 3/6/2020 at 10:40 AM, rcmaehl said:

You have tons of choices for continued updates on Android Devices:

 

LineageOS

Resurrection Remix

AOSPE

And a dozen or so more

Nope, your choices are:

1. Stop using the device, throw it in the trash

2. Go to your cell phone carrier and pay for another expensive Android device that only lasts 18 months

3. Switch to an iPhone and have it last 5-6 years.

 

Realistically, people just do not care what the device is, they only care about the price, and when people have been trained since 1999 that they get a "free phone", they often balk at paying money for something that lasts a few years when they know they can get a new "free phone" every year if they ask. The fact is, the free phones are often those very same models that stop getting updates in 6 months.

 

Then you have the prepaid market.

 

The prepaid market is literately devices with no updates. The cheapest of the cheapest devices. People are very quick to forget that there is an entire sub-section of the population that can not afford a device every 2 years, and will hang onto whatever device they have until it physically stops working. Don't need to worry about exploits if you never put it on the internet. (oh, but what about bluetooth exploits?)

 

The matter of fact is, even if you could replace the installed OS on a device, people with these devices are not going to. It works for them, and they're not going to want to make it any more complicated. It's very likely that the prepaid devices that are still running Android 1.x-4.x aren't even being counted because the majority of them are used as talk+text devices.

[Engineer.AI]

This is horrible! A lot of people still use older android devices for one reason or another. The fact that due to such causes, their security license expires, makes really no sense. Couldn't a universal app help in doing just this - helping outdated phones be usable beyond the date of expiry?

~Engineer.AI

[Colonel_Gerdauf]

On 3/7/2020 at 8:18 AM, jagdtigger said:

His argument was "no one should have to learn how to install an OS let alone learn new skills just to use a product normally". Which in practice actually true for windows as well. Every person had to learn how to use it, thus needing to learn new skills.....  Plus for a consumer friendly distro like ubuntu you dont even need new skills. Yeah its different because if they would try to copy MS they would get sued into oblivion. You can get similar enough distros (Linux Mint) that are pretty close and most ppl wouldnt even have problems using it. As for installing its way easier than windows.

[Commodus]

I never get the "just install this community software if you want to keep getting updates" excuse.

 

In addition to the absurdity of requiring a level of comfort with tech that most people don't have (and shouldn't be asked to learn), there's a simple reality here: you're being an apologist for crappy behavior on the part of Google and Android phone vendors.  Instead of leaning on unofficial hacks like crutches, we should be asking Google to do the right thing and mandate 4-5 years of updates for all Android phones with Google apps.

 

Think about it: at any given point, only a small fraction of Android users are running the latest version of the OS (based on Google's most recent statistics), and most of them are using a version that's at least two years old.  It's messed up that you may miss out on certain security features, not to mention common convenience upgrades, for a large chunk of the usable lifespan of a phone.

[Colonel_Gerdauf]

4 hours ago, Commodus said:

I never get the "just install this community software if you want to keep getting updates" excuse.

 

In addition to the absurdity of requiring a level of comfort with tech that most people don't have (and shouldn't be asked to learn), there's a simple reality here: you're being an apologist for crappy behavior on the part of Google and Android phone vendors.  Instead of leaning on unofficial hacks like crutches, we should be asking Google to do the right thing and mandate 4-5 years of updates for all Android phones with Google apps.

 

Think about it: at any given point, only a small fraction of Android users are running the latest version of the OS (based on Google's most recent statistics), and most of them are using a version that's at least two years old.  It's messed up that you may miss out on certain security features, not to mention common convenience upgrades, for a large chunk of the usable lifespan of a phone.

Welcome to the hypocritical lunacy of the FOSS fanatics. It is like when a toilet breaks, these people come out of the woodwork to scoff and nag at people to get rid of toilets. Sure they are "just being honest", we will see how well history will reflect on that mindset.

 

The music industry is a hellhole of infighting and petty mudslinging for this reason.

[mr moose]

25 minutes ago, Colonel_Gerdauf said:

 

 

The music industry is a hellhole of infighting and petty mudslinging for this reason.

People think there is a lot of need for talent and conscious intentioned ability when it comes to creating a sound.  But some of the biggest aspects of music (things like gated reverb and the 808 bass in hip hop) was the result of accidents and shit hardware.  

 

What these people don't seem to understand is that the public are not connoisseurs of mobile software/hardware, they are not connoisseurs of music (especially the audiophiles) and they are not connoisseurs of best practice.  They use what ever shit gets shoved in their face because the current alternative is to be social and work outcasts.  If people had the time and desire to understand mobile technology then google would have been given the flick the second users worked out they couldn't turn off data mining.  

[Thaldor]

On 3/7/2020 at 1:02 AM, jagdtigger said:

If someone cant follow a detailed guide thats their problem. Besides if the person in question is tech illiterate why they bought a smart phone lol....

So, it's "you are using wrong OS, install other for support" -argument. Anyone else getting "you're holding the phone wrong"-vibes? Instead of arguing that it's Googles and vendors fault for not supporting their products, it's users fault for not fixing the faulty product.

 

It's mostly Googles fault that Android is piece of shit when it comes to security updates. "Mostly" because Google has had years time to make Android more modern by making it modular instead of this "vendor provides complete support and updates" shit they still do. For modern phones it wouldn't be taxing to have HW driver and other needed platforms and make it so that Google can provide core system updates without going through vendors who then would provide updates to drivers and whatever they have added on top of the core system. Just as how Linux, Windows and almost every other OS works (on the other hand Android is the same as Windows 10, tons of bugs that haven't been fixed and every major update brings just more features because you don't sell and OS with fixing bugs, you sell OS with new features).

[Guest]

9 minutes ago, mr moose said:

People think there is a lot of need for talent and conscious intentioned ability when it comes to creating a sound.  But some of the biggest aspects of music (things like gated reverb and the 808 bass in hip hop) was the result of accidents and shit hardware.  

 

 

Quite a lot of guitar effects pedals were results of accidents. In one case a faulty cap caused a lm386 to go into overdive and the effect was so loved people started making pedals to emulate the sound.

 

Totally off topic but I just found your comment interesting.

[mr moose]

9 minutes ago, Phill104 said:

Quite a lot of guitar effects pedals were results of accidents. In one case a faulty cap caused a lm386 to go into overdive and the effect was so loved people started making pedals to emulate the sound.

 

Totally off topic but I just found your comment interesting.

 

This guitar sound was created by dislodging a valve in his amp.  It was before they worked how to create the effect without damaging something.

[Colonel_Gerdauf]

Hell, it has become a very popular gag within the industry to mock bass players, despite the importance of a bass guitar in any music track. 

 

Why? Because the producers and engineers had very thin skins during the proliferation of mainstream hits in the late 2000's. They felt that bass players there were a waste of everyones time, as a number of them "failed to demonstrate meaningful talent in the guitar, and were generally anti-social".

[Kisai]

32 minutes ago, Thaldor said:

So, it's "you are using wrong OS, install other for support" -argument. Anyone else getting "you're holding the phone wrong"-vibes? Instead of arguing that it's Googles and vendors fault for not supporting their products, it's users fault for not fixing the faulty product.

 

It's mostly Googles fault that Android is piece of shit when it comes to security updates. "Mostly" because Google has had years time to make Android more modern by making it modular instead of this "vendor provides complete support and updates" shit they still do. For modern phones it wouldn't be taxing to have HW driver and other needed platforms and make it so that Google can provide core system updates without going through vendors who then would provide updates to drivers and whatever they have added on top of the core system. Just as how Linux, Windows and almost every other OS works (on the other hand Android is the same as Windows 10, tons of bugs that haven't been fixed and every major update brings just more features because you don't sell and OS with fixing bugs, you sell OS with new features).

The mobile phone space is the only space where the network operator has to validate the devices, rather than say adhering to known standards. Amazingly Apple has no problem here.

 

Now to share one story about AT&T Wireless, when they started selling the Samsung and LG phones when the GSM network was first put online, they sucked. The devices didn't support the bands AT&T needed, thus the warranty exchanges on these devices I swear was higher than the notoriously rubbish V60i from the TDMA network.  Flip phones suck, but "free phones" suck forever.

 

I wouldn't recommend Android devices to my worst enemy. The fragmentation on all parts ( See also https://www.protocol.com/google-android-amazon-fire-tv ), while I would recommend Apple's devices, I'd only recommend those devices to someone who actually buys-in to the Apple Ecosystem. Like the SmartTV market is literately one where I hate all the options, because throwing away a TV every 2 years is even more stupid than throwing away an expensive phone. I'd rather that they all go back to "dumb" TV's and put the "smartTV" bits in a STB. Consider that all the Cable ISP's (who are late to the party) have been switching to IPTV systems and want you to rent their own box as well. So after the initial two years where the smarttv part of it becomes useless, you end up having to buy another STB anyway. Just save spending the extra $300 in the first place.

 

Samsung has enough leverage right now they do not need Android, and in fact have switched to Tizen to everything but their phones. Tizen is also likely even worse than Android for exploitability, but owing to it's only real presence being the SmartTV platform probably not the biggest target.

 

 

[Thaldor]

36 minutes ago, Kisai said:

I wouldn't recommend Android devices to my worst enemy. The fragmentation on all parts ( See also https://www.protocol.com/google-android-amazon-fire-tv ), while I would recommend Apple's devices, I'd only recommend those devices to someone who actually buys-in to the Apple Ecosystem.

Out of the options, Android is still the one that I recommend, even if it's support is probably the worst. The competition of mobile OSs is just terrible currently: Android with fragmentation and the worst support, iOS is full on Apple walled garden and that's it, apart from the couple FOSS projects with extremely expensive HW compared to the others with also quite questionable support (as long as the original company stays up support is probably fine, but when they go bankrupt it's "welcome to the Android-world" where official support is zero).

Quote

Like the SmartTV market is literately one where I hate all the options, because throwing away a TV every 2 years is even more stupid than throwing away an expensive phone. I'd rather that they all go back to "dumb" TV's and put the "smartTV" bits in a STB. Consider that all the Cable ISP's (who are late to the party) have been switching to IPTV systems and want you to rent their own box as well. So after the initial two years where the smarttv part of it becomes useless, you end up having to buy another STB anyway. Just save spending the extra $300 in the first place.

 

Samsung has enough leverage right now they do not need Android, and in fact have switched to Tizen to everything but their phones. Tizen is also likely even worse than Android for exploitability, but owing to it's only real presence being the SmartTV platform probably not the biggest target.

SmartTV:s are what they are, as long as they have HDMI-port you can do whatever you like. At least for now I haven't heard about smartTVs that would block you from using something like AndroidTV boxes or smartTV-enabling other accessories like AppleTV or BR-players. Mainly I have good experiences with Philips AndroidTV (even if it's kind of F'ed up since it's WiFi/BT-circuit is fried since it got some lightning which fried it's MB and PSU, but 0€ for 55" 4K HDR TV with very good panel and 300€ to replace the MB and the PSU (at that point the WiFi/BT-dongle worked)).

 

Samsung on the other hand... If we were to award the asshole company of the year based on how closed the company is and how much they like to fuck with everyone; First year the price would go to Apple and the second year Samsung would get it. "Oh, look we have a SmartTV, you can stream stuff from you phone to it" yeah... You literally can only stream stuff from your Samsung phone to it and even then it's screen sharing so good luck with that less than FullHD screen to be shared to 55" 4K TV, oh and did I mention it works only with Samsung phones? Not to underline what you said about their security, "hey, this option lets you to prevent anyone from reactivating your smart watch" and literally you just need to connect it to a PC, throw couple of commands to it and it will set to the factory settings and anyone can do what they could do with a brand new watch. And also Samsung has made quite a work even with phones to hinder custom ROM usage, so using Tizen stuff with other OS is kind of out of the picture.