You've got a patch, you've got a patch ... almost every Android device has a patch

It's the first Monday of the month, and that means another batch of patches for Android, fixing flaws that can be exploited by apps and webpages to hijack devices. As usual, if you're not using a Google Nexus device, you're at the mercy of your manufacturer and phone carrier to approve and distribute these updates, which may …

  1. Dan Melluish

    Where are those monthly updates?

    Didn't some Android phone manufacturers commit to providing monthly updates following the Stagefright vulnerability? Is it still a thing...or has it been quietly dropped?

    1. yoganmahew

      Re: Where are those monthly updates?

      Dropped, and without actually sending any updates at all...

      And Google don't update the Nexus 7 2012 anymore either.

      1. bazza Silver badge

        Re: Where are those monthly updates?

        I'd read somewhere that BlackBerry were keeping up - ish - with the updates on the Priv.

      2. mrbeardy

        Re: Where are those monthly updates?

        Why do people keep whingeing about the first Nexus 7? Google only originally promised Nexus device updates for 2 years, which is now dropped to 18 months. That tablet you have is 4 years old now and was flawed on release, it's not gonna get fixed. Not now, not ever.

        Go out and buy the 2013 version. It's cheap and twice the tablet of the 2012 version. But it's still not gonna get updates cos it's old too.

        1. Warm Braw

          Re: Where are those monthly updates?

          That tablet you have is 4 years old now and was flawed on release, it's not gonna get fixed. Not now, not ever

          If there's one thing the tech industry has done consistently well, it's been to lower the bar on "merchantable quality". In any other field of manufacturing, a company that would not support its products for more than eighteen months or sold products that were "flawed on release" and "not gonna get fixed" would be closed down by Trading Standards.

          And we put up with this why? So we can send pictures of our lunch to perfect strangers?

          1. Paul Crawford Silver badge

            Re: Where are those monthly updates?

            Sadly we need the law to step in and make suppliers liable for bugs not patched in a timely manner for, say, 5 years after the date of sale.

            Can't patch the software after 2 years due to your chain of code monkeys? OK, then give the customer a new device free of charge. No doubt it would focus their minds on quality in a manner not seen so far.

        2. William 3 Bronze badge

          Re: Where are those monthly updates?

          Why do you keep whingeing about people who want a device to be supported longer than 18 months?

          Why don't you shut up

          1. ChunkyMonkey
            Thumb Down

            Re: Where are those monthly updates?

            Have a down vote..

            You must be one of those who just must have the latest bit of crap just to look cool. Why change hardware every 12-18 months? They last much longer and we really don’t need to be any more wasteful than we already are.

            1. mrbeardy

              Re: Where are those monthly updates?

              Must I? I used my nexus 7 for 2.5 years before giving it away to a good home as I didn't use it much. I didn't replace it with another tablet. I buy devices because of the utility, I hold onto good stuff until it breaks beyond repair. I couldn't give a flying monkey what other people's opinions of my choices.

          2. mrbeardy

            Re: Where are those monthly updates?

            @William 3

            People on many forums complain regularly about their nexus 7s. This is the first time I've commented on it. Not shutting up cos it's a valid debate.

            I said they promised 18 months, I didn't say I thought that was acceptable or not. What do you consider to be an acceptable time to provide what level of support? (Don't forget the nexus line are the BEST supported android devices)

            @Patrician

            Good to know, I didn't realise the 2013 nexus 7 got marshmallow.

            1. Updraft102

              Re: Where are those monthly updates?

              "What do you consider to be an acceptable time to provide what level of support?"

              Well, coming from Windows as I have, I'd say ten years of getting each security update that is rolled out would be a good start. Of course, that's still not as good, as you can still install a new version of Windows and get another ten, as long as the hardware is up to the task.

              Smart phones are pocket computers. It's time we started treating them as such. They're premium-cost devices (even if your mobile carrier buries that cost in your monthly bill) that are effectively disposable, both in build quality and level of firmware support, and we deserve better.

              People have allowed themselves to be swept into the same insane upgrade treadmill that plagued the PC platform through the 90s... but on the PC side, it was legitimately driven by a rapid technical obsolescence cycle, not planned obsolescence. Even in the peak "upgrade treadmill" period of the late 1990s, PCs were not glued together and built to essentially self-destruct if someone attempted to get at their innards to repair something, or to intentionally brick themselves (looking at you, Apple) if they detected they'd been repaired with "unapproved" replacement parts whose main difference from the approved parts is the insane margin the official part carries.

        3. Patrician

          Re: Where are those monthly updates?

          My Nexus 7 2013 is still getting Android system updates

  2. gollux
    Mushroom

    Good Luck on that...

    Good Luck getting that update from your mainline Android producer, except the majority probably won't be getting it out to you soon. Samsuck earned my eternal do not buy on this.

    1. Anonymous Coward

      Re: Good Luck on that...

      Same for Lifes Grotty haemorrhoid phone, no update.

    2. alain williams Silver badge

      Re: Good Luck on that...

      My Samsung - stopped getting updates very quickly. I contacted them and was told that they had done a study and that what I was running was optimum for me -- or some similar bollocks; they had sold it and maintaining updates cost - so why bother ?

      Their ideal customer is one who wants a new 'shiny' every year.

      1. Anonymous Coward

        Samsung is adopting the strategy Microsoft used to have

        Sell them a product knowing it will be compromised by security issues where the fix is "buy a new one". It was great for Microsoft and the whole PC industry back when people bought new PCs because their old one was "slow" due to malware let in by Microsoft's shoddy security. Bad publicity forced that to change, and a Windows 7 PC is still pretty much as fast as it was the day it was purchased.

        Maybe that's why they've been so aggressive about trying to push free Windows 10 on people - hoping a lot of them will turn off automatic updates, their PC will become infected and slow, and they'll need to buy a new PC. Bring back the good old days when people were forced to upgrade once in a while...maybe that will cause PC sales to finally stop falling!

        Just like how Microsoft didn't change their ways until there was bad publicity, Samsung won't either. The problem for Google is that all Android OEMs have this issue, so it won't be just Samsung phones that get compromised when someone writes a "successful" Android malware that spreads to hundreds of millions of devices ala Code Red and I.Love.You. Samsung is probably banking on Google taking the hit and not losing any customers over it.

        Unless Google changes the Android license terms to require OEMs who have a license to deliver updates within certain criteria (x length of time after Google provides it, for y years after the first sale of the device) nothing will change. Even then they might worry that this causes them to simply drop Google's services. I'm sure Microsoft would be happy to step in with substitutes based on Bing, Cortana, etc. that they'd license to them for free without the restrictions Google imposes.

        1. Updraft102

          Re: Samsung is adopting the strategy Microsoft used to have

          I'm still amazed that Microsoft got away with selling Windows 98 as a separate product. Windows 95 was extremely buggy and unstable at release. Not all of it was their fault, as these were the early days of PnP as well as the final days of the old ISA bus (which was never designed for PnP), so there was a lot of misbehaving hardware out there, but it's hard to argue that 95 was not a house of cards that crashed hard at the first sign of anything unusual.

          MS fixed a lot of that, then released the fixed version as a new product for people to buy again, and eager to have something more stable, they did. MS should have given it away as an update for 95, like a service pack, along with an apology for how unstable the original was.

          The success of 98 as a separate product set the stage for a progression of Windows versions that mostly existed as a means of selling us the same product again and again (which was also the case with Office versions).

          Having many versions of Windows to support was fine and dandy for MS as long as the customers kept upgrading every time, but once the users learned to say "No" (as most did with Vista and 8) and to expect stability and security from the product they paid for rather than hoping they'd get it on the next attempt, we get MS complaining that it's too expensive to support so many Windows versions, and that we must all be on one version.

  3. Anonymous Coward

    Xiaomi Updated

    Not sure when, I haven't checked since my last battery charge (last week). Also not sure if everything listed here is in the list as it was too long!!!

  4. Planty Bronze badge
    Megaphone

    Weurd

    "get patching – if you can – because you can be sure miscreants will be finding new ways to exploit these programming cockups. ®"

    Never ever seen or heard of a single exploited android vulnerability in the wild, which given the 1.8bn android devices, seems odd..What gives????

    Ironically a day doesn't go by when I don't see malware infested windows devices. Android seems to be made out to be the windows of the mobile world. However android is vastly more secure.

    1. Lee D Silver badge

      Re: Weurd

      You remind me of those people who used to crow about Macs "being more secure" and "not getting viruses".

      Even if your anecdote is true, it's a single data point. Do you deal in Android phone repairs or support? Then it probably doesn't mean much that your group of friends don't KNOW they have a compromised Android phone.

      And even if it's true - that doesn't mean you aren't vulnerable and/or that it can't come your way. The fact is that people don't use smartphones for visiting random web pages as much as they do their PC. But that one time you do, your phone is technically more vulnerable.

      And, honestly, when was the last time you CHECKED your phone? I don't run on-access antivirus, ever, but I still occasionally give my PC a sweep through just to check that my "don't do stupid things" policy has kept me safe. When was the last time you did that on your phone? Virustotal has an app that might detect malicious apps, but detecting a compromised base OS is much more difficult and you might never know about it. Literally, if you don't look, then you can't see.

      And, yes, I'm an Android smartphone user. I wouldn't touch anything else.

    2. William 3 Bronze badge

      Re: Weurd

      It would increase your chances of seeing them if you stepped out of your basement once in a while.

      1. Anonymous Coward

        Re: Weurd

        It would increase your chances of seeing them if you stepped out of your basement once in a while.

        That is, after having a shower and actually getting dressed..

        1. Jeffrey Nonken

          Re: Weurd

          I'm not Planty and can't speak for him, but I haven't seen any of these exploits either. Though I also don't blithely dismiss them. Still, haven't seen them.

          And here I am getting ready to shower and leave for work. As for basements, those are pretty rare here in California. I haven't seen one of those, either. Though I hear they exist.

          Argument by stereotype? Huh. I guess that gets lumped under "ad hominem".

    3. Dave 126 Silver badge

      Re: Weurd

      I'm not downplaying the importance of regular updates (or defending the chain of OEM > ODM <> Carrier > Regulator > User), but Planty has made a valid observation - News coverage, or personal accounts, of attacks on Android in the wild are a bit thin on the ground. I say this not because I don't think they exist, but because I am curious.

      Again, I'm not saying ignorance is an excuse for complacency.

      1. Planty Bronze badge

        Re: Weurd

        That was my point. 90% of the world's smartphones are android powered, and where are all the malware infested devices?? With billions of devices, android devices are now more common than windows PCs.

        Nada, nothing seen in the wild, all I see is news about potential exploits, not real world actual exploits..

        I think there is a word for this, it begins with S and your post gets rejected if you mention it..

      2. Michael Wojcik Silver badge

        Re: Weurd

        News coverage, or personal accounts, of attacks on Android in the wild are a bit thin on the ground

        How would the average user tell that their Android phone has been compromised?

        Many of the obvious uses for a compromised phone aren't readily user-visible, and indeed there's a lot of value in keeping the end user ignorant for as long as possible. Harvesting credentials and other sensitive information is one obvious application. Using the phone as a spam / DDoS bot can be done quietly if you don't run too much traffic through it (and if you have a large phone bot army, there's no reason to run them into the ground).

        A number of security researchers claim most large organizations have numerous compromised systems in their networks, in part simply because no one notices.

  5. DwarfPants

    Sony Updates

    It's all right I get updates for the important stuff, like stickers for some pre-installed crap I cannot get rid of. System updates and bug fixes, they are just fluff and don't contribute to the bottom line.

    1. ragnar

      Re: Sony Updates

      In their defence, they've just given us Marshmallow on the Z3 Compact which is now almost a two year old phone. My phone says it's got a March 2016 security patch level. They've also signed up to the open hardware programme, so they're better than many other phone manufacturers.

    2. David Hicklin Bronze badge

      Re: Sony Updates

      I am with you all the way here - my Sony Xperia SP has not had an update past 4.3 dated May 2014 - yet I get badgered with Lounge updates and new apps (recent one to get info about a song you just listened to) all the time.

      Now where has that flying pig got to...Battersea anyone ?

  6. Rimpel
    Big Brother

    We can't have apps spy on victims

    That's Google's job.

  7. cantankerous swineherd

    just been updated by cyanogen mod. frankly I'd rather be vulnerable to hacking*.

    Bluetooth borked.

    access to SD card borked

    USB access to SD card borked

    ftp access to SD card via WiFi borked

    loads of pissy little "improvements" to the ui that are neither here nor there.

    silently changing my preferred data access from one sim to the other on reboot.

    of course I could just recompile the kernel™ and sort it out myself or alternatively just do a factory reset when compromised.

    * I don't do anything silly like internet banking though.

    1. Jeffrey Nonken

      I can't get cm13 to work properly on my phone (S4 Sprint) with my carrier (Ting) due to APN settings and lack of ability to set them. Known, ongoing problem that they don't seem to care about. Apparently can be fixed via hacking, which I'm starting to consider, because of ongoing cm12 problems that of course aren't being updated.

      Cm is one way to keep older phones up to date, and you have the option of backing out of that latest update to resolve those issues. But it seems to me your complaint, while valid, is off the topic of manufacturer updates. S4 stock ROM, for example, is stuck at 5.0.1, not even the latest Lollipop. Thanks, Samsung.

      Also, check out Optimized Cyanogenmod. If you don't care about the fancy extras check out AOSP. They may not appeal but they are worth looking at. Assuming you haven't done that already, of course.

  8. Will code

    Patching through exploits

    So these flaws allow an app to elevate to kernel space? I'm sure it would be tricky but Google could push OS level patches out using this exploit

    Wonder if they've looked at that and what the hurdles would be beyond the technical challenge

  9. Anonymous Coward

    Dead

    So Android is unsafe unless you're willing to keep forking out. Windows phones over about 6 years cannot be upgraded and windows phone is dead. All we have left is Apple and they're selling less and less. Talk about mobile being the future, well it certainly isn't the present.

    1. Anonymous Coward

      Re: Dead

      Selling less and less? They have had one quarter where sales dropped after sales have been rising ever since the iPhone was first sold in 2007! Your problem is looking at smartphone sales stats, which have shown Apple falling for years because smartphones keep getting made cheaper and cheaper and displacing feature phone sales.

      Look at their share of the overall mobile market, which properly shows them gaining year by year and peaking at 15.9% last year. With their drop in sales in Q1 (compared to Q1 2015) they still recorded 14.8%, so they're going to be fine even as Android grows bigger by displacing the remainder of the feature phone market over the next few years. It doesn't matter, people buying $40 Android phones are not customers that Apple (or Samsung, for that matter) wants anyway.

      Apple will remain as an option for those who want their phone's OS supported longer than a year or two even if their sales do fall somewhat due to longer replacement cycles. The short length of Android support hasn't mattered too much up until now since most people were replacing their phones so often, but as replacement cycles lengthen due to new phones on the market not having any improvements you really care about, having a phone that's supported longer will become a bigger factor. You can spend more up front and get an iPhone, or you can buy cheaper Android phones more often, but that erodes a lot of the Android price advantage. It remains to be seen whether Samsung will continue to be able to sell its phones at premium prices despite their subpar ongoing software support.

      1. Jeffrey Nonken

        Re: Dead

        Apple hasn't updated my iPhone 3GS in quite a while. Those dastards.

        ...I know, I know. Just sayin'. :)

      2. Anonymous Coward

        Re: Dead

        Obviously the top mobile companies are not going to disappear overnight and people would still use these mobiles as any competitor could not ramp up production that quick.

        The comment was made slightly with tongue in cheek. It was a comment more of a statement as to how some people think this industry is now set in stone. If Android continues with a bad name for vulnerability, will people continue buying at the low unsupported end? And if not where are the cheaper mobiles coming from? Niche players and Windows Mobile manufacturers possibly? As you state Samsung needs to justify its premium prices. Apple too, although its 'good name' may well see it through any bad times.

        My thoughts are that none of these platforms have a strong enough past to be able to create a stable future at present. The only thing keeping them going is that there is no viable alternative which doesn't bode well for their future. Most people will jump ship quick given viable alternatives rather than stick with the best of a bad bunch.

        The alternative may well come from within the current main players, but the whole status quo is ripe for change.

  10. TeeCee Gold badge
    Facepalm

    Let me fix that:

    ....at the mercy of your manufacturer and phone carrier to approve and distribute these updates, which ~~may take some time~~ is never going to happen.

    I've said it before and I'll say it again. With the notable exception of the Nexus devices, you'll get one OS version upgrade. Two if you are very, very lucky. Security patches? Yeah......right........good luck with that.

  11. IPTMan
    Happy

    Someone must love me?

    I purchased a Note 4 second-hand on the tat market after carefully researching the seller and pulled it off. It was branded EE with the usual bloat that I can ignore and it's being used on Three. Yesterday I get a notification for software updates and lo and behold a full 1.5Gb update to Android 6.0.1 with security patch level dated 1/5/2016. I never got that level of service ever with Orange/EE on an S3.
