Comment by free2OSS
5 years ago
Are Androids without crapware as insecure as iPhones?
I wonder if the daily HN article about Apple failing to be secure is a result of 1 OS, 1 phone. Where as no one is going to put the effort to find an exploit on a phone with 1% market share.
Similar question for desktops.
Android has has several critical flaws recently. The ones I can remember are stagefright and dirtyCoW. Stagefright was easily remotely triggerable since it was in a media library that runs when getting sent media.
The main difference between the two I have seen is ios users get an update that fixes the issue often after their device has stopped getting feature updates while many android users are on kernels that haven't received an update in the last few years.
Stagefright was ~5 years ago now, though. I remember it, because the company I worked for at the time flipped out and banned all Android phones from their network for over a year.
It was fantastic; I got a whole year of not being able to see work emails after I went home, and then they let us opt out of the invasive MDM software that they wanted to put on Android phones to let them access corporate email. All for a bug that my phone wasn't even vulnerable to.
By the time I left, I had gone 4 years without ever responding to unexpected evening emails. And now that I know it's possible, I'm never going back! :)
Wow that dirty cow exploit affects Linux too? My server was at risk...
Although none of those are recent like daily security flaws we see on HN.
dirtyCoW was a linux kernel bug. The reason the news and drama was all in the android scene was every desktop/server linux installation would be patched long before a malicious binary would be run on the machine (I think it was patched before the news even broke). Android would be left with the exploit until all of the older devices made it to e-waste. It also meant the rooting efforts would be helped somewhat.
Here's a recent walkthrough of a Android messenger exploit, by the same organization as the main link: https://googleprojectzero.blogspot.com/2020/08/exploiting-an...
And a second: https://googleprojectzero.blogspot.com/2020/09/attacking-qua...
The problem with android is that there is a lot of software in the end OS that's not open source and is delivered as binaries from component manufacturers (the GPU drivers tend to be the worst, they almost universally come from Qualcomm since most phones now use the same series of SoCs.) Once the hardware is released these are rarely updated if ever which means the vulnerabilities aren't patched. The phone manufacturers are just helpless as the community is in this situation. Project treble mitigates this to some degree but the individual software components still can't be updated.