But even with the data we have, we can take a guess at how many outdated devices are in use. In May 2017, Google announced that there are over two billion active Android devices. If we look at the latest stats (the far right edge of the chart), we can see that nearly half of these devices are two years out of date. At this point, we should expect that there are more than one billion devices that are two years out of date! Given Android’s update model, we should expect approximately 0% of those devices to ever get updated to a modern version of Android.
Whenever I bring up just how humongous of an issue this is, and just how dangerously irresponsible it is to let average consumers use this platform, apologists come out of the woodwork with two arguments as to why I’m an Apple shill or anti-Google: Google Play Services and Project Treble.
Google Play Services indeed ensures that a number of parts of your entire Android operating system and stack are updated through Google Play. This is a good move, and in fact, Android is ahead of iOS in this respect, where things like Safari and the browser engine are updated through operating system updates instead of through the App Store – and operating systems updates present a far bigger barrier to updating than mere app updates do. However, vast parts of Android are not updated through the Play Store at all, and pose a serious security threat to users of the platform. Google Play Services are anything but a silver bullet for Android’s appalling update situation.
Project Treble is the second term people throw around whenever we talk about Android’s lack of updates, but I don’t think people really understand what Project Treble is, and what problems it does and does not solve. As Ron Amadeo explains in his excellent Android 8.0 review:
Project Treble introduces a “Vendor Interface” – a standardized interface that sits between the OS and the hardware. As long as the SoC vendor plugs into the Vendor Interface and the OS plugs into the Vendor Interface, an upgrade to a new version of Android should “just work.” OEMs and carriers will still need to be involved in customizing the OS and rolling it out to users, but now the parties involved in an update can “parallelize” the work needed to get an update running. SoC code is no longer the “first” step that everyone else needs to wait on.
Treble addresses an important technical aspect of the Android update process by ensuring OEMs have to spend less time tailoring each Android update to every specific SoC and every specific smartphone. However, it doesn’t mean OEMs can now just push a button and have the next Google Android code drop ready to go for all of their phones; they still have to port their modifications and other parts of Android, test everything, have it approved by carriers, and push them out to devices worldwide.
Project Treble addresses part of the technical aspect of Android updates, but not nearly all of it. While Treble is a huge improvement and clearly repays a huge technical debt of the Android platform, it doesn’t actually address the real reason why OEMs are so lax at updating their phones: the political reason. Even in the entirely unrealistic, unlikely, and honestly impossible event that Treble solves all technical barriers to updating Android phones, OEMs still have to, you know, actually choose to do so.
Even the most expensive and brand-defining Android flagships – the Note, Galaxy S, LG V, and so on – are updated at best only six months after the release of a new version of Android, and even then, the rollout usually takes months, with some countries, regions, carriers, or phones not getting the update until much, much later.
This isn’t because it really is that hard to update Android phones – it’s because OEMs don’t care. Samsung doesn’t care. LG doesn’t care. HTC doesn’t care. They’d much rather spend time and resources on selling you the next flagship than updating the one you already paid for.
Treble will do nothing to address that.
But let’s assume that not only will Treble address all technical barriers, but also all political barriers. Entirely unlikely and impossible, I know, but for the sake of argument, let’s assume that it does. Even then, it will be at best four to five years before we experience these benefits from Treble, because while Treble is a requirement for new devices shipping with Android 8.0 out of the box, it’s entirely optional for existing devices being updated to 8.0. With the current pace of Android updates, that means it will be no earlier than four to five years from now before we truly start enjoying the fruits of the Treble team’s labour.
At that point, it will have been twelve to thirteen years of accumulating unupdateable, insecure Android devices.
The cold and harsh truth is that as a platform, Android is a mess. It was quickly cobbled together in a rushed response to the original iPhone, and ever since, Google has been trying to repay the technical debt resulting from that rushed response, sucking time and resources away from advancing the state of the art in mobile operating systems.
As an aside, I have the suspicion Google has already set an internal timeline to move away from Android as we know it today, and move towards a new operating system altogether. I have the suspicion that Treble isn’t so much about Android updates as it is about further containerising the Android runtime to make it as easy as possible to run Android applications as-is on a new platform that avoids and learns from the mistakes made by Android.
Each and every one of you knows I’m an Android user. I prefer Android over the competition because it allows me to use my phone the way I want to better than the competition. Up until recently, I would choose Android on Apple hardware over iOS on Android hardware – to use that macOS-vs-Windows meme – any day of the week.
These days – I’m not so sure I would. Your options as an Android user today? A Pixel phone you probably can’t buy anyway because it’s only available in three countries, and even if you can buy it, it falls apart at the seams. You can buy a Samsung or HTC or whatever and perpetually run outdated, insecure software. Or you can buy something from a smaller OEM, and suffer through shady nonsense.
You have to be deeply enveloped in the Android bubble to not see the dire situation this platform is in.
… buy a phone from a company that makes good software support its USP.
In fact I’m nearly totally happy with my Wileyfox Swift 2+.
– good software updates (I got it with Marshmallow, but by now it runs Nougat 7.1.2 with September 2017 patches, November 2017 patches and an Oreo update are on the way)
– good enough hardware (SD 430, 32GB, 3GB RAM, fingerprint reader, NFC – ticks a lot of boxes and the SOC is ‘okay’)
In fact, in my eyes, it has only one drawback, and that is that it comes with Truecaller dialer which I don’t want (but there are sufficient decent alternatives available).
Okay I’d be happy with a SD 625 or 630 but really that’s just my numbers fetish, the 430 is quite capable.
Did I mention the software updates? I did, didn’t I
Edited 2017-11-14 13:49 UTC
Got it in one!
I am happy with my WileyFox Swift 2 X for all the same reasons. The 2+ would have probably done me but I thought the extras worthwhile and still at a cheap (mid?) price.
In fact the lower spec CPU seems to have advantages. It’s fast enough for what I do that I do not notice. And the battery can last 2 or 3 days instead of half a day!
I was even so impressed I got one for the OH. But unfortunately she has already smashed it. Unfortunately nothing cures that! At least it did not cost much more! She can have one of the Chinese ones now that seem similar spec for £80. Just might have to send it back to Amazon a few times before you get a good one. They have no quality control. Or updates. But as long as it runs 7 I am ok, and there are ones running 7 now. None with 8 as far as I can see. Well unless WileyFox have a good Black Friday offer!
sure, I just didn’t want a bigger phone, and I figured the extra resolution might impact battery life.
Personally, I’m happy with my Pixel XL. It’s a rock solid phone, and it gets reliable updates. The back is a bit hideous, but I don’t look at that side unless I have to.
Not heard of this company. Looks interesting. Any word on how long they promise security/OS updates?
Main device is an iPhone, but I also carry an old Nexus 5 as my “dirty” phone – by dirty, I mean something that I need for the revolting but necessary stuff (because society has no standards) like WhatsApp, Line, Waze, etc – and am hoping to replace that soon. These Wileyfox phones seem to strike a good performance/price/updates balance.
Thanks for sharing.
“Android is a mess” and that is why it had been so successful.
Remember that when Android was released we already had Blackberry and iOS on the market. I thought it was too late and that the market had already been taken.
What happened from there is what people called “the mess”. Since Android was open source, anybody building cheap phones in China could bundle it on phones and cheap tablets. Losing control of Android was what helped its worldwide adoption.
When we talk about fragmentation (different Android devices with older OS versions without the possibility to update), whom do we have to blame for that?
The first to blame is the manufacturer. The manufacturers just want to sell hardware and don’t want to spend money on supporting the hardware with periodic software updates forever. It is as simple as their business case. On the other hand Microsoft owns Windows on the PCs, so when manufacturers sell hardware, MS makes money with the OS and has the business to maintain it, and it also (used) to make money with the updates.
But I think we also need to blame Linux. I think that part of the fragmentation problem is also in the Linux monolithic kernel design. The Linux kernel is so customizable (which should be good) that it can be compiled on every processor architecture, but it also means that on each update it needs to be recompiled with all the required drivers for each phone. That means you cannot generate a standard binary to update the kernel of all phones. We are used to thinking of an OS like Windows, where you get the standard CD of the new version and you install it over the old one. But that is not the way a monolithic kernel works across different processor architectures, and for sure, you don’t get an Android CD each year to update to the new release.
So, Android is different. If you want an update model like Windows, maybe the phone processor architecture needs to be standardized and the kernel should be a microkernel.
…and the kernel should be Microkernel
Project Zircon (magenta): https://fuchsia.googlesource.com/
And what problem would that solve?
Would it magically make Samsung, HTC, etc., commit to security updates for the next 3 to 5 years?
Because that’s what’s needed.
The NT kernel is hybrid monolithic. NT never has been a microkernel. Same goes for the macOS and iOS kernels. And anyway, like the poster below me says, moving to a microkernel is not going to help.
Blackberry and iOS – perhaps from US & Canada perspective. The rest of the world was mostly on Symbian WRT smartphones and on “feature phone” platforms such as Nokia Series40, Sony Ericsson A200 …hell, even some touchscreens like LG Cookie; and it moved from them to Android.
Edited 2017-11-15 23:16 UTC
Microkernels will simply move the problem from one place in the code to another. Down in the hardware these SOCs are all different unlike the monolithic x86 world. I suspect a microkernel will even make things worse by introducing a new kernel and ruining the skill set of the people the HW manufacturers currently employ.
The correct answer is money. It is in the hardware manufacturer’s own interest to do this. It is a way of forcing you to buy a new phone every 2-3 years whether you want to or not. Forcing consumers on this endless treadmill results in billions in profits for the HW manufacturers.
This is only marginally Google’s fault. Google could certainly make life easier for the HW OEM but it is not clear if that would make any difference. HW OEMs purposely practice “port and forget”. Of course they don’t issue any updates, the software team has been moved to the new phone design and there is no one left working on the old phones.
How to solve it? We could force everyone to use Qualcomm processors and create a monoculture like Apple. But do we want that?
I think it may be self-correcting in the future due to a change in how phone plans are priced. Previously your phone payments were bundled into the phone bill and now they aren’t. I used to hate it when after two years my phone bill would not decrease any. Instead they told me to come and get a new phone for “free” and if I didn’t get that new phone they’d still charge me for it.
We have not been on this new system long enough to see the full effect. I suspect that it will result in a significant slowing of the upgrade treadmill. If the treadmill slows it will increase pressure on the OEMs to keep things updated.
I think you are right as phone OEMs are about to see replacing phones every other year die as hard as the PC makers saw the endless treadmill die when we went from the MHz war to the core wars.
At the shop I have to deal with Android phones all day because everybody seems to need to be shown how to connect their phones to their PCs, be it to get off pictures or transfer music or whatever… Know what the most common Android version I’m encountering is? Android 5, because by the time of Android 5’s release phones were over 5 inches and had quad cores, which was frankly overkill for most users. Add to this the fact that most carriers here offer phones running Android 5 that are powerful enough to play 3D games for sub $70? I’m seeing more and more end up on these phones as people realize that $70 phone does everything they would do with an $800 phone for $730 less.
At the end of the day they can add a dozen cores and 48GB of RAM and if all the users are doing with it is watching YouTube and playing the latest Angry Birds style time waster? Then they are not gonna be able to tell the difference between that $100 phone and the $800 one. Again, it’s the same thing that happened to the PC market: you can buy 32-thread systems with 64GB of RAM and 12TB of storage, but if all they are doing is going to FB and working on docs and editing their home photos, that power is pointless.
But sadly, short of government intervention, I seriously doubt the OEMs will ever give a crap. As I said, I’m seeing carriers selling tons of new Android 5 phones and some places are still selling Android 4 phones; as long as they can get away with selling phones with zero support, that is what they are gonna do.
If the security problem rises to pandemic scale (think 100m devices botnets or something) the government (or EC) intervention will be inevitable.
It’s as simple as adding some additional requirements to device certification or forcing carriers to throw out known vulnerable devices off the network.
…you DO realize if the government mandated this the OEMs would put out phones with zero support and when the next vulnerability came out simply demand everyone buy a new phone?
I have a feeling if the government were to try to order OEMs to support these devices they would just make all phones $600+ and claim that is the cost of having dedicated dev teams to support such a myriad of devices, and frankly they would probably not be lying. The problem is that mobile is where PCs were in the 80s, with everything being black boxes of proprietary everything and what we need is for governments to force the hardware makers to come up with standards and a driver ABI so that it would be trivial for others to make ROMs for the phones.
If this were to happen frankly I would not care if the OEM released a new version of android for my device as there would be competition, and we could choose which ROM had the features and software that does what we want, just as we can now with PC OSes.
I agree with this. Putting it this way, it’s even more reason to put a company tax on electronic waste. If they get taxed for the waste, they’ll need to avoid the tax. Meaning they have to do better supporting it.
The problem is that vendors:
* don’t want to live with the restrictions that stable kernel -> userspace interface imposes on their HW innovations
* don’t care if their implementation of the API is 100% correct unless it actually breaks their particular skins
I can imagine the OEMs will drag out implementation of Treble as long as possible, trying to pressure Google to make it de facto optional (by watering down requirements) even post 8.0, as going for 100% compliance means additional $$ spent on the manufacturer’s side for no apparent benefit.
Thom,
Yes, Android updates are a mess and it certainly looks like Google has a new OS in the pipes. How long will it take? Who knows. That said, I have never felt insecure with my Android devices. I don’t install 3rd party apps unless they are from a trusted source and I have never had malware issues. While this is certainly a weak point for Android, it’s not a massive issue yet. Still I concur with most of what you wrote.
Except the Pixel 2 stuff. I have owned both the original Pixel XL and now the Pixel 2 XL and saying “they are falling apart at the seams” is ridiculous. Is there a blue tint? Sure, but I barely notice it unless I look for it and I think it’s even slightly pleasant. The smudging is contrived bs, I can’t even replicate it on my device. I haven’t seen any burn in on my device and the steps people have to take to even identify it are way beyond what any normal user cares about. What’s not reported? The new screen (without the crappy saturation) makes my pics from both my original Pixel and my new Pixel look freaking AMAZING. This screen and its color profile show off just how good of a picture the phone takes. The lack of saturation was intended (unfortunately not well explained to the market).
Now, let’s look at the iPhone tragedies:
– numerous reports of swollen batteries breaking the phone casing. (LITERALLY falling apart at the seams!)
– most breakable iPhone ever!
– FaceID owned in its first week by a Halloween mask.
– Screen tinting – even if not as noticeable, it’s there.
– Autocorrect bug
– “The iPhones are susceptible to screen burn in.” – Tim Cook
– **touch screen unusable in cold temperatures**
The Pixel 2 has a non-saturated screen with some barely noticeable quirks but I would take them over the iPhone’s “quirks” any day.
You can say a flagship phone should be perfect but the standard bearer is far from it as well.
(Edit: typos)
Edited 2017-11-14 14:30 UTC
It seems that if you’re on a patch level older than 2017-09-01, you’re susceptible to Blueborne. If you’re not running 2017-11-06, you’re susceptible to KRACK.
I recently got my first Android phone, LG K10, from a bank. The model was released less than two years ago. It’s nice, has everything I would want from a phone. The patch level is at 2017-08-01. If I don’t want to share my data, I had better not use WiFi nor Bluetooth.
Edited 2017-11-14 15:02 UTC
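A defender’s check that follows from the two patch-level thresholds quoted in the comment above, written as an added example rather than code from the post or its commenters: it parses `adb shell getprop` output, reads the standard `ro.build.version.security_patch` property, and reports which of the two named issues remain unpatched and how stale the level is. The issue names and fixed-in dates are the ones the comment states; the property dump and the model string are constructed sample data.

```python
"""Compare an Android device's security patch level against known
fixed-in patch levels.  Added example; not code from the original page."""
from datetime import datetime

# Fixed-in patch levels as stated in the comment (Blueborne: 2017-09-01,
# KRACK: 2017-11-06).  The labels in parentheses are ours.
KNOWN_ISSUES = {
    "Blueborne (Bluetooth)": "2017-09-01",
    "KRACK (Wi-Fi WPA2)": "2017-11-06",
}

# Constructed sample of `adb shell getprop` output for a device on the
# 2017-08-01 patch level, like the LG K10 described in the comment.
SAMPLE_GETPROP = """\
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2017-08-01]
[ro.product.model]: [LG-K10]
"""


def parse_getprop(text):
    """Parse getprop's `[key]: [value]` lines into a dict; skip anything else."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def parse_patch_level(value):
    """Patch levels are YYYY-MM-DD strings; return a date, or None if malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None


def unpatched_issues(patch_level, issues=KNOWN_ISSUES):
    """Names of issues whose fix landed in a patch level newer than the device's."""
    return sorted(
        name for name, fixed in issues.items()
        if patch_level < parse_patch_level(fixed)
    )


def assess(getprop_text, today_iso, issues=KNOWN_ISSUES):
    """Summarise one device: its patch level, how stale it is, and open issues.

    An unreadable patch level is treated as the worst case (all issues open),
    so a fleet report never silently marks an unknown device as clean."""
    props = parse_getprop(getprop_text)
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    today = parse_patch_level(today_iso)
    if level is None:
        return {"patch_level": None, "days_stale": None,
                "unpatched": sorted(issues)}
    return {
        "patch_level": level.isoformat(),
        "days_stale": (today - level).days,
        "unpatched": unpatched_issues(level, issues),
    }


if __name__ == "__main__":
    # Evaluated as of the comment's date, 2017-11-14.
    print(assess(SAMPLE_GETPROP, "2017-11-14"))
```

Run it against real output with `adb shell getprop | python3 check.py`-style piping after replacing the sample constant with `sys.stdin.read()`; the thresholds dict is the only part to extend as new bulletins land.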
That is the important update problem with Android: the security updates aren’t being delivered to all platforms. There is no good reason why this is the case. This is why it’s a mess, not the actual OS upgrade issue.
– Haven’t heard about the swollen batteries problem, so no comment on this.
– All smartphones have had problems with breaking if mishandled. I have had an iPhone since they first came out in 2007 and I haven’t even had as much as a scratch on the screen. I have seen roughly the same percentage of Samsung and HTC phones with cracked screens as I see iPhones.
– Horrible demonstration of hacking FaceID and they only answer questions about how their process went with, “We are experts in the field.” Which makes their process very questionable.
– All OLED screens have this issue, Apple never denied this, they just found a way to get Samsung to make it less obvious.
– Already fixed
– Again, all OLED screens have this issue. But I wonder, who keeps their phone screen on with any one part of their screen never changing for a long enough period to cause burn-in? Personally, I jump from app to app, which changes the whole screen except maybe the very top, frequently, and then the screen is off when I am not using it.
– Unusable for a short period of time. It has to do more with sudden temperature changes as opposed to just being cold. Apple says they are going to address this, we will just have to wait and see.
– Edit: Double post.
Edited 2017-11-14 19:49 UTC
“Horrible demonstration of hacking FaceID and they only answer questions about how their process went with, “We are experts in the field.” Which makes their process very questionable. ”
Whoops!
https://www.phonearena.com/news/Another-swollen-Apple-iPhone-8-Plus-…
https://www.theverge.com/2017/11/14/16650394/10-year-old-unlock-mom-…
There are two big trends to watch, this might be a good basis for an article.
1) Android anti-trust in the EU. The EU is going to find them guilty no matter what simply because they want the money from a gigantic fine. The EU justifies these excessive fines as payback for Google’s HQ in Ireland.
The net of this may be that non-Apple phones in the EU are sold with just the lowest OEM SW layer on them and then a ‘ballot box’ for which higher layer to install. One choice will be Google’s project Treble install. And who knows what the other choices will be. I pity anyone who picks the other choice.
Google is never going to agree to install all of Android and then let you swap out high-level components. It is utterly obvious that entities will create packages that swap out the ad manager and play store and nothing else. That will capture all of the revenue from the phone while leaving Google with all of the expense of providing the services.
2) Will Google go the route of Apple? Will Google make Google phones and then simply abandon AOSP? That is another solution to the EU messing with Android. Google simply converts to the Apple model and totally screws Samsung.
This will certainly stop the problem of Android fragmentation by simply cutting off all of the fragments.
It will also satisfy the EU’s desire to stop Android domination by telling Samsung/et al to go get a new OS. Of course I don’t think it is so simple to come up with a new OS that people want (Tizen?).
————–
I suspect the EU’s actions are going to trigger #2. I don’t think Google wanted this, but I don’t see that they have much choice in the matter.
The end result of the EU’s meddling is likely to be less competition, not more. If the EU forces choice #2 then they may ultimately end up in the perverse situation of having to do another anti-trust suit against this new Apple/Google world telling them to switch back to the old model.
I don’t usually go through graphs because data is not that easy to analyse from a global perspective.
For example there are people that never log in to Android and obtain apps from other sources (when it’s needed).
Others simply won’t update because they fear compatibility problems (eg: usually admins that just want the corporate apps to work as they received them from the company without having to explain to anyone that they couldn’t connect because X update came and broke something).
From graphs this will show as outdated apps, even if the OEM may very well provide regular security updates.
It’s pretty much the same thing with Windows before Microsoft came and forced the update process for the home user.
Apple does this too.
Is this the only way though to keep the ecosystem safe enough? Hard to say but it’s good for everybody to have choice.
My ancient Moto X (running “outdated” Android 5.1, and still runs every app I try on it) received a security update a couple of months ago.
If Thom wants to complain about lack of updates, he needs to make a better case than contextless (and dataless) claims of insecurity. Being “outdated” in some central authority driven way (it doesn’t run the latest and greatest from master Google!) doesn’t mean a damn thing, and as I’ve pointed out numerous times, can often lead to better user experience. Android phones don’t get slower over time like iOS devices do. No gripes with that from the Apple fan boi…
Edited 2017-11-14 16:26 UTC
Exactly!!
And probably I could not find a single thing I would miss if I could downgrade my phone from whatever it is running now (it’s 7 or 7.1, I think, not sure, don’t think it is 8). The Amazon Web Services weekly(!!!) newsletter with changes is much more exciting than the latest many Android releases.
There might be a little tech stuff that developers care about, but for the end user, it is really same same. Last update to matter was 5.0, just for the new looks, before that it was 4.0.
Yeah yeah, it got the multi screen feature that probably a few people use, probably a bit more on tablets, but some OEMs have had this for years anyway so that didn’t really require an Android upgrade, just buying the right product.
Maybe if they started releasing new versions when there was something to release, we could stop this silly discussion. (Just like it would be great if Microsoft would stop making useless but slow to install “major” updates to Windows 10)
Edited 2017-11-14 19:53 UTC
My Xperia Z3C was released in September 2014, I bought it in February 2016. I received an update to Android 6.0.1 right after purchase. That was it. My security patch level is still Feb 2016!!! This is an insult to customers. You can guess what my next device is going to be…
That is normal, be it an iPhone or an Android device. Between 2-3 years from the release date of the device has been all you have been promised.
So your next device is something with Android Oreo that hopefully has 5-6 years of support?
By February 2016 you should have got your phone quite discounted because it was running out of support.
This is the normal head in sand problem.
From September 2014 to February 2014 this is just one year and a half!
My iPhone 6 from 2014 is still receiving updates 3 years later and will be for at least a year.
Then that’s also quite short support, since many people bought this phone quite recently (Apple sells / pushes on consumers old models much longer than Android device makers do)
Edited 2017-11-15 23:23 UTC
[QUOTE]That is normal, be it an iPhone or an Android device. Between 2-3 years from the release date of the device has been all you have been promised.
So your next device something Android Oreo that hopefully has 5-6 years support?
By February 2016 you should have got your phone quite discounted because it was running out of support.
This is the normal head in sand problem.[/QUOTE]
Yeah it’s a head in the sand problem – Manufacturers head in the sand…
We’re talking about security updates here. They should not be negotiable. Period.
Edited 2017-11-16 10:28 UTC
No, it’s users, carriers, sales people, and manufacturers with their heads in the sand.
Please note lack of security updates to drivers and BIOS firmware after warranty runs out on laptops/desktops happens as well.
People buying hardware don’t ask how long updates will be provided for. Sales people normally don’t know because they are not being asked the question enough. Carriers are not cutting off devices out of support as they could and are not demanding long support times from the companies they get handsets from.
Some manufacturers gave users unlockable bootloaders on the idea that when support ran out they would go across to third parties. Then failed to make sure that third parties had the source to pick up the support.
You cannot expect manufacturers to provide support that users and carriers have not paid for or demanded.
oiaohm,
True, PC system builders can be guilty of not distributing updates too. However there is a significant difference: unlike with Android, PC users can often get updates from elsewhere, be it Windows Update or directly from the component manufacturers.
My Acer laptop had issues with USB3 and Wi-Fi even though I had the latest drivers supplied by Acer.
However it turned out the respective chip makers (Intel and Atheros, if I recall) had fixed my issues in the latest drivers off their websites. Likewise I can get Windows updates from Microsoft even though my Acer warranty is long gone.
So even assuming an Acer Android tablet and Acer Windows PC (for example) had similar update schedules, there’s still a world of difference between what I can do as a user to update the Android tablet versus a Windows/Linux PC. And because of this, the lack of vendor updates on Android is much more problematic.
Edited 2017-11-16 19:31 UTC
There are a few differences.
1. Microsoft gives you 10 years support. Google has only been giving about 5.
2. Equal to going to the vendor for drivers on Android is installing a third-party ROM. Just like installing a third-party ROM on an Android device, using generic drivers straight from the device maker does not work under Windows all the time either. Same problem: the hardware maker customised something and never told anyone.
The reality is lack of vendor updates in laptops for firmware defects and other items is highly problematic to some users as well. So like it or not it’s mostly the same problem.
Early Microsoft Windows did not push out driver updates by Windows Update either. Google with Android 8.0 is starting to work on pushing out driver updates where they can. People running Windows were upset by Windows 10 forced updates because a lot of people even in Windows 8.1 were blocking particular Windows updates from installing so their drivers would work.
Vendors not providing updates to drivers you cannot get elsewhere is truly everywhere and is creating quite a large exploit surface area.
oiaohm,
The Windows 10 forced updates are something else entirely, just one of many aspects where Microsoft has taken owners out of the driver’s seat – even with so called “pro” editions.
I hope very much that the driver stability improvements in Android 8 with Treble will help with the poor support that has plagued earlier versions of Android, but only time will tell. It’ll be a while before I even own one.
Edited 2017-11-17 02:15 UTC
Android 8.0 with Treble is a progression from what started with Android 5.0. From Android 5.0 to current covers about 75% of the Android devices out there.
Alfman, I do not dispute that the support on Android has not been up to where it should have been. But it is not quite as bad as a lot of people would think either. A lot of people miss that since Android 5.0 not all security updates have to come from the vendor; quite a few come from Google Play updates.
In reality, for Android 5.0 and newer, the number of security flaws you are likely to have on a device that has updated against Google Play is about the same as a Windows PC prior to Microsoft adding driver updates to Windows Update. Hopefully Android 8.0 will bring it into line and possibly better than Windows Update with driver updates.
So Google has been progressively attempting to fix the update problem. It truly takes years for these changes to deploy and become common in the pool of Android devices. Same was true as Microsoft changed their update processes.
Edited 2017-11-17 03:38 UTC
oiaohm,
So this goes back to Thom’s original point, which is that making it easier for manufacturers to update phones is swell and all, but if the manufacturers don’t change their attitudes about long term support, then helping them with updates is kind of a moot point.
I’m actually hoping that Treble can do more than its stated goals and also allow 3rd parties to take those drivers and build kernels 100% independently of the manufacturer. In theory Treble should help anyone build a new Android kernel, not just the manufacturers. This would be a real boon for 3rd party firmware fixes on Android devices!
Edited 2017-11-17 04:49 UTC
It’s reading the right sections.
Android O that is Android 8.0 has a stack of requirements that make third party firmware makers life simpler but not 100 percent easy yet. That is of course if people buy the devices with unlock-able firmware.
https://source.android.com/devices/architecture/kernel/modular-kerne…
The mandate to use ACPI, Device tree to define where hardware is. Not some random vendor made up stuff any more.
Figure 2 (“Android 8.0 and higher device kernels”) on that page shows what the new Google rules are attempting to mandate this time around.
I do expect there will need to be more rules with Android 9.0+ and it hinted to in the following:
In the future, we want to move towards a single binary distribution of kernel per-SoC.
The new driver model is needed because under the new rules the ODM/OEM is not meant to rebuild the complete kernel, but instead use the kernel for that SoC chip so things can be updated faster. Also, SoC vendors are meant to upstream stuff as well.
So at Android 8.0 it’s better for third party ROM vendors due to what is mandated, but how good it is for third party vendors will be YMMV based on how much stuff is upstream for the device. An improvement is an improvement.
Agreed, but you do know Google pushes monthly security updates, right? Which means if you aren’t getting them each month, your device is vulnerable to the issues that have been patched since the last security update.
Show me stats on exploitable android versions, and active exploits when we talk about security problems, or I’m not interested.
Second – this talks about API versions – that’s fine as a way to collect stats, but it says nothing about whether all those hopelessly outdated Android installs can run the latest software, built with the latest APIs for the latest API versions. hint: old Android versions can still run new software. The SDK doesn’t work like it does on other platforms.
So if we don’t have any real data on security (which would be a concern) and the problem of not being able to run current software isn’t a problem – well what is the problem?
The absence of a large volume of reported exploits should worry you even more. We know there are vulnerabilities, and we therefore know that people are exploiting them, but if the exploiters aren’t being found then they’re being very successful.
Edited 2017-11-14 17:09 UTC
There are more than just a few active and documented exploits.
https://www.cvedetails.com/vulnerability-list.php?vendor_id=1224&pro…
Another interesting read is the Nokia vulnerability report, which explains quite how prevalent infected devices are:
https://www.nokia.com/en_int/news/releases/2017/03/27/nokia-malware-…
Edited 2017-11-14 17:28 UTC
CaptainN-,
Isn’t this the ostrich approach to security? It’s fine as long as our heads are in the sand
Seriously though, it’s not a good practice to keep known vulnerabilities active. It’s not ok for manufacturers to do a lousy job here. A weakened security device only increases the attack vectors for other devices and networks at home and at work. Even if our personal devices aren’t directly hit, we still have to pay a high price to cover security breaches and fraud conducted through the exploitation of insecure devices.
KRACK, mentioned earlier, is pretty significant because an attacker can break the security of wireless networks that are otherwise behind firewalls.
https://www.krackattacks.com/
Edited 2017-11-14 18:03 UTC
It’s a data approach. I’m interested in knowing whether all these proclamations of insecure android versions are valid or not.
What is the active exploit rate? I’d settle for an estimate of the opportunity rate – but there’s no data here. Without knowing that, how can we know for sure this update thing is even a real problem (it’s not a problem as far as getting access to new APIs).
Without data, this is all just Chicken Little stuff.
CaptainN-,
But why do you keep ignoring the data when others link to it? The KRACK vulnerability that I linked to in the very post you responded to affects virtually all android devices that haven’t been updated.
Suggesting this is “Chicken Little stuff” due to lack of data is inaccurate, you just haven’t done your homework on this one. The CVE database, already mentioned by others, is high quality data about real device vulnerabilities in the wild. Another database is here: https://www.exploit-db.com/ You can find remote exploits such as this one: https://github.com/offensive-security/exploit-database/blob/master/p…
Maybe ordinary users can be forgiven for being ignorant about their phone’s vulnerabilities, but manufacturers and the tech industry don’t have this excuse. Sometimes consumers can end up with a phone that’s still under original warranty, yet running the manufacturer’s own firmware that’s unsupported and unpatched. This was the situation with my phone, unfortunately.
Edited 2017-11-15 18:06 UTC
This article says nothing about the data. As I’ve said, my first gen Moto X has recently received security updates. That’s enough. It doesn’t have to run the latest point release to be a secure phone which can run all the apps. That’s the point others ignore.
If security releases aren’t going out for a majority of users, I concede that’s a problem. This article (and Thom) are making a different point
CaptainN-,
The data shows that phones that aren’t being updated are vulnerable. If you want to know how long phones are being supported for, Google officially announced 2 years of major updates and 3 years of security updates.
http://www.androidpolice.com/2015/08/05/google-announces-new-update…
How much you consider this a problem may depend on when you buy your phone within the support window. If you buy it towards the end, then you won’t be getting support for very long. In any case, google’s commitment to long term updates is well behind apple’s.
http://www.androidpolice.com/2015/09/17/software-updates-a-visual-c…
You made a good choice with Moto X, it basically runs stock android and their updates should mostly follow google’s. Not all android users are so lucky though.
Thom Holwerda,
It won’t do much for manufacturers who never gave a crap about providing updated firmwares anyway, but in theory the Treble device abstraction ABIs along with working drivers can provide a good & strong foundation for the 3rd party community to build and release updated kernels themselves. We’d be far less dependent upon the manufacturer for updates, and IMHO that’s a good thing.
I don’t have experience with treble as it’s not present on my phone, but I’m optimistically hopeful.
Edited 2017-11-14 18:25 UTC
Agreed. I’m not holding my hopes up but basically Treble is the reason why I’m not even thinking of buying an Android device this year (well, there’s the Pixel but I’ve got other reasons for not considering it).
Absolutely spot on about this. Why would they spend their bottom line on new features and security fixes for end users?
However, I’m sure Sony, Adobe, Equifax and the rest of them felt the same about where their money should be spent. Pretty sure they don’t feel the same about it now.
So perhaps what the world needs is for a particular model of smartphone from a specific brand to be totally pwned en masse. That *might* make them wake up because their brand name being affected DOES impact the bottom line.
Just a thought.
Edited 2017-11-14 18:40 UTC
our options as an Android user today?
I just don’t care that much, as apparently a lot of people don’t – if we’d care we wouldn’t be buying the phones.
I have a Galaxy S5 (i think, not quite sure, don’t really care) – It plays media (on and offline), makes decent photos, browsing the interwebs, mails, chats…shit like that works without hiccups.
for me it’s just a phone, I don’t have any sensitive data on it (still encrypted though), never buy shit online from my phone, have no social media (except the google account for gmail and yt).
I’m a really basic user as I believe most of the people are.
I don’t know (or care) what version of Android I have, because this one works just fine.
After one month of Windows 8 I felt like “this crap needs to go and be replaced on my laptop” – this kind of feeling never came to be on my phone.
Not an android fanboy at all (was actually considering iPhone when buying this one, but iPhone at that time hadn’t had water and dust resistance).
TL;DR: It’a just a phone, don’t really care about android version on it.
And after a few more days you would probably stop caring about Windows 8 too, because you realize you can simply ignore most of the useless new parts, and it booted up a bit faster and the start screen search was faster than Windows 7, so in total it was a very slight upgrade.
Win 8 was fine come 8.1
Much like Win Vista was fine come SP1.
It was less bad, but not good. More of a Win ME service pack kind of improvement. Less of a Vista SP or a Win XP SP.
Well, I am not an apologist, I am not calling you an Apple shill, I am not calling you anti-Google, but I would like to point you to the arguments of
* Point releases are updates as well and they keep many a phone secure. You always focus on phones not receiving the major updates but those updates are about features, not security!
* App stores with vetted apps and retro-active removal of harmful apps.
* A general lack of attack-vectors. It is much harder to attack a phone that accesses most content from isolated apps than it is to attack an internet-connected computer with programs running as admin and interfacing with other programs.
I wish it would be required for every OEM to support the software on their devices much better, but the horrible security on mobile devices just isn’t a real problem like it used to be on pc’s where most consumers still didn’t bother to secure them properly.
And most attacks nowadays don’t result from an insecure OS, they come from users getting phished or from stolen online passwords
avgalen,
On the one hand I agree with you that the general code sandboxing model on mobiles provides better security than traditional PC software. But on the other hand we shouldn’t dismiss how quickly the number of publicly available attack vectors grows when manufacturers don’t provide mobile updates. You are more likely to get pwned by a script kiddy running metasploit against an unpatched mobile device than a patched Windows one.
I suspect more mobile users may be pwned than owners realize because they are operating blind and don’t have nearly the same wealth of tools at their disposal. Typical PCs are regularly updated and scanned by AV software.
Please tell me how a script kiddie (from for example Belgium) would attack my mobile device (from for example The Netherlands).
It seems that the only realistic way to hack another mobile device is via
1) phishing, and not much can protect a user from himself
2) proximity attack (bluetooth/nfc)
3) fake wifi-hotspot (once you are on the same network, especially an untrusted network, most bets are off)
Both 2 and 3 are very limited attack vectors because 1 source can only attack a few targets and those infected targets don’t spread. The risk is also very high
I haven’t heard much about a device getting pwned from just browsing a website, for example. The only such situations were the very old “move this slider to root your ios-device” and “receive this skype/imessage to crash your phone”.
avgalen,
In practice, you don’t really get to decide who hacks you or how they do it. The thing that everyone needs to have pounded into their heads is that no code is 100% safe, including webbrowsers and websites:
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-goog…
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
https://technet.microsoft.com/en-us/library/security/MS16-MAR
http://exploit.kitploit.com/2017/05/apple-safari-cve-2017-2491-use-…
As long as software is updated, then that mitigates a good portion of the attack vectors a “script kiddie” would have access to. But for software that hasn’t been updated in a while, then there’s a good chance that not only is it vulnerable, but the vulnerability is publicly known.
What’s good is that software downloaded from the app stores can be updated even on phones that the manufacturer has dropped support for. What’s bad is that many users will be using factory bundled applications that only get updates through the manufacturer. My phone is rooted and I uninstalled most factory bundled apps and installed managed alternatives, but many users will be using the original apps that came with the phone.
The more we can take device manufacturers out of the software loop, the better. IMHO they don’t take security seriously enough to hold that responsibility.
Amen!
I will give you device to device spreading malware has not been common on Android. Fairly much only found in malware that traces back to groups like the CIA and other intelligence groups at this stage.
https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infec…
The claim that they stay restricted to the application is very false. A lot of the infections are like CopyCat, which use kernel exploits to raise privilege and hide.
Then the question comes why do they use exploits to root but not exploits to install?
The answer is simple: the majority of malware authors are greedy and lazy so-and-sos. There is a lot of device to device spreading malware code for Windows published, so malware writers recycle it. Even in most of the exploit kits you will find network spreading example code for Windows and other platforms. For Android, at this stage, that example code does not exist.
There are tons of people who have wanted applications to root their phone so they can have more control. So there is tons of example code for that, and it’s in exploit kits. Right up the lazy coder’s path of recycling someone else’s work.
Is it safe to presume that malware on Android will remain commonly unable to spread device to device? The answer is no, we cannot. If it gets too hard to get into the stores, Android malware makers will be forced to work on device to device. While they are not doing this, it is a great time to fix the development and device maintenance processes up.
avgalen,
I was browsing exploits, and I thought this was an interesting one:
https://www.exploit-db.com/exploits/43127/
Note that this vulnerability would be exposed by an application even though the bug technically resides in the kernel.
There are many phone models with stable custom ROMs available (for those willing and able to do that), but there are probably even more where that option isn’t there. My Galaxy Nexus is running LineageOS, but my mum’s J1 looks like it’s stuck with stock 4.4 – how many community hackers would bother with *any* of the “uninteresting” handsets like that?
The reality here is that most mobile phones are only supported for a max of 3 years.
https://www.businessinsider.com.au/apple-ios-10-iphone-software-upda…
This has been Android, iOS, BlackBerry….. The pattern of 3 years or less support goes back to the early 90s with the first feature phones.
Only this year has google with Android and Apple with ios put forward the idea of taking this to 5-6 years.
Studies in the USA found that about 47% of iPhone users keep on using their iPhone until it no longer works, and the same is true of about 58% of Android phone users.
This leads to the 1 billion plus devices running out of date software. Let alone the people who don’t allow their devices to software update ever.
I would say that phones most likely should be supported for at least 10 years for how long people are going to keep phones. So 5 to 6 years support is still going to be on the short side.
Humans are not as big consumers as the people making phones would like.
Solution: phones should run Debian and never Android.
All it then needs is an occasional
$ apt-get upgrade
People don’t treat phones like the serious devices they are. One guy said he just used gmail on his phone, no biggie.
Considering sms and email are the two most prevalent 2FA out there, Thom is on point.
As a cyber security worker, there’s only Pixel or iPhones. Anything else would be irresponsible, unless you can develop drivers for it as an organization and have a dedicated staff for security implementations.
That’s like… insane and probably not realistic considering the regulations and non-open nature of firmware/drivers on Android.
The sad reality is that most end users simply don’t care or know any better. On osnews you are talking to an echo chamber of technical users. Until ‘average Joe or Jane’ cares, the vendors don’t care.
I previously worked for a telco provider; we surveyed all of our customers, and of those motivated enough to respond, update frequency wasn’t even in their top 10. It was always about either iOS or Android and then ‘the best apps’ and related responses.
Based on this data with a sample size in the low hundreds of thousands it seems at a high level that having google services update from the app store has actually done them a disservice… I have no data to prove that but it’s one way to read the results.
Also note that these surveys got completed over 4 years ago so the landscape may have changed. I moved on from the Industry since then.
I think if people only bought Google Phones (ie. Nexus or Pixel) it would be a much better comparison.
Those phones are comparable to anything Apple makes and you would get OS updates etc.
If more people voted with their wallets then you would probably see a consolidation in the Android market towards vendors that are more Google-like in terms of updates.
As it stands, people buy phones for various reasons ie. price, looks etc. mostly knowing full well that they won’t get any updates.
So bottom line … limit your choice and get security or don’t.
Either ways, I don’t think it’s fair to put the blame squarely on Google for this one as sensational as the headline sounds.
My solution is to buy used devices after checking that they are well supported by LineageOS.
This works well for me except for one important fact: camera quality is always degraded on all devices I’ve had when running an AOSP rom instead of the stock rom.
Also this is not a viable option for most normal people and probably represents less than 1% of all the Android users.
The infuriating thing is that if a few unpaid people can support phones for a long time, it means the vendors could as well. We should force them by law to provide software support for 5 years (or more). If they don’t they are not allowed to sell in the EU market for example.
How do you do that? XDA mailing lists are at best chaotic.
https://wiki.lineageos.org/devices/
My Nexus phone always gets the latest update. And with every update it gets slower. Other than that, there is no noticeable difference to me, not since a few years. I feel I just get more and more bloat with no tangible benefit in terms of functionality.
And no, a security fix should not come at that performance cost.
This is wishful thinking. Fixing a security fault normally results in needing to run more code than you did before to prevent the security fault. It’s a rare security fault fix that is less code.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/c…
This is a CVE security fault fix. That is a few hundred extra bytes of executable code every time it is passed.
This is one of the big nasty facts: insecure code normally runs faster than secure code because it is lacking safeguards, and that is why it’s insecure in the first place.
So saying that security fixes should not slow things is asking for the impossible. Of course security fixes should attempt to minimise performance losses due to the fix.
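As an added illustration of this point (not code from the thread or from the kernel commit linked above), here is a constructed C record parser in two versions: the “before” trusts a length byte taken from the input, and the “after” adds the two bounds comparisons a typical fix of this kind introduces. The record format, the 16-byte buffer size and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format for this example (an assumption, not from the
 * page): one length byte followed by up to RECORD_MAX payload bytes. */
#define RECORD_MAX 16

/* "Before": the length byte is trusted. A record whose length byte exceeds
 * RECORD_MAX overruns out[]; a truncated record reads past the input.
 * Fewer instructions, and exactly the kind of code that gets a CVE. */
int parse_record_unchecked(const uint8_t *in, size_t in_len, uint8_t out[RECORD_MAX])
{
    if (in_len < 1)
        return -1;
    size_t len = in[0];
    memcpy(out, in + 1, len);   /* len is never compared to anything */
    return (int)len;
}

/* "After": the same logic plus two comparisons. Those comparisons are the
 * extra executable bytes the fix adds on every call, and they are what turns
 * a malformed record from memory corruption into a rejected input. */
int parse_record_checked(const uint8_t *in, size_t in_len, uint8_t out[RECORD_MAX])
{
    if (in_len < 1)
        return -1;
    size_t len = in[0];
    if (len > RECORD_MAX)       /* would write past the end of out[] */
        return -1;
    if (len > in_len - 1)       /* would read past the end of in[] */
        return -1;
    memcpy(out, in + 1, len);
    return (int)len;
}

int main(void)
{
    uint8_t out[RECORD_MAX];

    /* Constructed inputs: one well-formed record, one with an oversized
     * length byte, one truncated after the length byte. */
    const uint8_t good[]      = {4, 'a', 'b', 'c', 'd'};
    const uint8_t oversized[] = {200, 'x'};
    const uint8_t truncated[] = {5, 'a', 'b'};

    /* Both versions agree on well-formed input. */
    printf("unchecked, good:      %d\n", parse_record_unchecked(good, sizeof good, out));
    printf("checked, good:        %d\n", parse_record_checked(good, sizeof good, out));

    /* Only the checked version is called on malformed input: the unchecked
     * one would overrun out[] or over-read in[] here. */
    printf("checked, oversized:   %d\n", parse_record_checked(oversized, sizeof oversized, out));
    printf("checked, truncated:   %d\n", parse_record_checked(truncated, sizeof truncated, out));
    return 0;
}
```

Compiling both functions with optimisation and comparing their sizes (for example with `size` or `objdump -d`) shows the checked version is the larger one; the difference is the cost of the two comparisons and their early returns, which is the point being made above about fixes adding code rather than removing it.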
I think the problem is not that it gets slower it’s how much slower it gets. 7.1.1 on the Nexus 6 with no extra apps is significantly more laggy than the 7.0 release train.
My 2 year old midrange phone I bought 2 years ago for some 150€ can run all the apps I need and will continue to for at least one more year. Battery capacity still holds. So why would I lose sleep about it being outdated?
Thom, again you promote a loser like iOS and iPhone. 5 years ago iOS and iPhones had over 22% of the worldwide market and now it has 14% and is going down. iOS and iPhones lost the war and Android won.
iPhone and iOs are a luxurious products for a niche market for rich people. Promoting iOs and iPhone is like promoting Ferrari cars to normal people.
The fact is Android’s security is good enough for most normal people in most countries. Your standard of security is crazy high and can be met only by rich people from rich countries.
I’m calling complete BS on the story. A billion Android devices are alleged to be insecure. Yet there are no large scale malicious software attacks.
I’m currently running Android devices with 4.4, 5.1 and 6.0.1. To be honest I can barely tell the difference between versions. They all run the latest app versions. It’s pretty much like a rolling Linux release except there is no kernel update.
Edited 2017-11-15 08:38 UTC
Google has been supporting the user-space where they can back 5 years because of people who, like you, are using older Android. So all 3 should be fairly ok for userspace code. The problem is the kernel updates: both the 4.4 and 5.1 devices you have would have fallen out of vendor support.
https://en.wikipedia.org/wiki/File:Android_Version_Usage.png
We can get usage data on phones from google play store. To cover 98 percent of users for how long they keep their phones at this stage we need to support back to what was released in 2012 and those devices most likely have kernels from 2011. That is if people don’t keep android phones any longer than they currently do.
So we are needing at least 6 years of vendor support. Currently we have been getting 3 years of vendor support. To be on the safe side I would say target 10 years of vendor support.
These numbers also say that from the time Google and vendors fix their method to give the needed time of 6 years, it will take about 6 years to be deployed.
So the data tells us what is required to fix the current problem. Of course we have two options: attempt to push for processes that will have device vendors support their hardware while it’s still in active usage, or wait until we have some attack that is failing to be contained and then attempt to get vendors to extend their support.
Do remember we are talking a 6 year delay at least from when support processes are fixed to when it’s fully deployed. It might be 10+ years; it all depends on how long people hold on to their phones.
Android phones have an effective life of 2-3 years. You can pretty much guarantee the phone will be in landfill long before major exploits are discovered.
Google Play data tells us that people hold on to their Android phones for 5-6 years.
So your effective lifetime guess is way out.
Everyone I know who has a Pixel is very happy with it but I’m sure you know better as someone who doesn’t own one…
Only 1 billion? Intel says “hold my beer”.
Yeah, Intel and Microsoft. I’d bet the number of computers running outdated Windows is well over 2 billion. The problem comes down to money – the people running these outdated computers and phones CAN’T update because their system is too old and they can’t afford a newer one.
My phone is about four years old, but the “latest” Android it could run was from almost three years ago. I couldn’t afford a new phone capable of running an updated Android until recently. It’s a little easier to get the latest linux to work on old hardware, but most people think you won’t be able to run the apps/games you want unless you’re using Windows, so most people will stick with Windows.
Last time I stumbled onto stats about this, there were less than 2 billion PCs total; IIRC around 1.6 billion.
Mobile phones are vastly more popular than PCs ever were.
That’s old data. We passed 2 billion a couple years ago, and while PC shipments have declined in the last few years, the global total continues to rise.
Still, even with revised numbers it’s extremely unlikely that “the number of computers running outdated Windows is well over 2 billion”
Unlikely due to the number of PCs. But it would not be impossible depending on how you measure outdated. If outdated covers drivers, software and OS updates, it is truly possible.
Remember if someone installs all their software from Android store all updates come from the store.
Yeah, Google learned from their mistake, that’s why they repeated it verbatim with Android TV.
Expect Fuchsia to be much of the same.
Without regulation mandating security patches for an X number of years, the problem will not be solved.
Since Android is an “Open” platform, the OS should be user-updatable.
Also I know that BlackBerry releases frequent updates for its Android phones. I am sure there are others. But you need to buy the phone carrier-free to benefit
OK, it’s only for tech people (but that’s OSAlert’s target audience, isn’t it?), but if you don’t get a Pixel phone (which I think are too expensive anyway) then research XDA Developers, LineageOS etc. and make sure you get a phone that has a reasonably well supported custom ROM or two.
Use your Android device with the stock ROM during its warranty and when the warranty ends, you can then decide if you want to root/custom ROM your device or not. If the device is still getting stock updates then great, otherwise it’s off to custom ROM-land we go.
This is an option that Apple don’t provide and can give some Android devices many extra years beyond stock support (heck, my ailing Nexus 10 tablet has actually got an early Oreo build for it!) and often with an Android release that’s way better than stock too.
While it might be “breaking some implied promise”..
Does Google/Alphabet have to continually license “Android mk222” or whatever future title they wish to moniker their mobile OS in perpetuity??
If indeed that is roughly the terms laid down in the OS AOSP project…..then by all means they should simply come up with a “new” mobile OS. Be it magenta or whatever they end up calling it..
And make the future commercial use terms stricter — Simply mandate version updates for minimum 3 years or 3 version cycles, whichever is longer.
And non-compliance takes the offending company out of the game. 1 strike and you’re out..
Really can’t see why it’s any harder than this.
AOSP could still live on as an OS project… but would be de facto deprecated.
2 to 3 years is the current. What is needed is 5-6 years at least, because this is how long users are holding on to devices at this stage. Google is working on moving the terms to that. But it’s not going to help the people with devices already.
The collected data by google play tells us that we need at a min.
The argument that 99% of Android users “just don’t care” if their phone is running the latest version of Android, which may very well be true based on the fact there is very little hue & cry from users about this situation, stands in stark contrast to the statistics that 50-60 and even 70% of iOS users upgrade their devices in very short order, just a few weeks and months, following a new iOS version release. Are iOS users that much more concerned and dedicated to keeping their devices updated and by definition, secure? It seems that would be so, and is amazing.
That’s possibly because new versions of iOS apps typically run only on current iOS, while on Android new apps run happily on “old” versions of the OS (thanks to the Google Play Services updates mentioned in the article).
Thom, you write
…but what other choices are there? Should people move back to “dumbphones”? Apple doesn’t want to target “non-premium” users, which form the majority of 2+ billion Android-using population.
Recently you wrote fondly of “race to the bottom” PCs of the 90s in http://www.osnews.com/story/30071/Restoring_a_1998_Packard_Bell_mul… and how “they did make computing accessible to an incredibly wide audience, and they served an important role in the history of computing” …that’s what Android is today, an even greater enabler.
Yes, Android has its issues (like those old PCs had them). However at least they don’t seem to hurt it much… (Apple would be all over such news in their keynotes…)
Edited 2017-11-15 23:35 UTC
I booted up my Samsung Galaxy Tab A 4G this afternoon and an update to 7.1 was available. It was updated from 5 to 6 last year. Since it has no carrier mods, it is obviously the carriers that are holding back updates.