Android's unpatched dead device jungle is good for security

Android's diverse and oft un-patched ecosystem is a strength, not a weakness. So says Dino Dai Zovi, security lead at mobile payments outfit Square, because he feels diversity makes criminal hackers work harder. Android variants are a dime a dozen, thanks to customisations used to get the OS running on myriad phones and …

  1. Pascal Monett Silver badge

    Image not representative

    The image included contains a bewildering amount of little blocks, but each block represents a physical handset model, not an OS version.

    The beginning of the article clearly states that two-thirds of Android devices run either one of two OS versions, so that image should actually be two big blocks with whatever is left taking up the slack.

    Except that I imagine it is quite difficult to know exactly what the rest of the situation is.

    1. Anonymous Coward

      Re: Image not representative

      I thought that at first; however, if you look, each colour represents an OS/handset, as the S4 is in there twice.

      1. Dave 126 Silver badge

        Re: Image not representative

        Each coloured block represents a handset/OS. MotoG is shown several times, but the MotoG name was given to each of a succession of phones.

        The colour represents the OS. The size of the block represents market share.

        1. 404

          Re: Image not representative

          ooooohhhhh... got it!*

          ;)

          *slightly brain dead after a 14 hour day troubleshooting/installing stuff. I need a beer.

          Edited to say: and boobies. Beer and boobies would go over nice right now.

  2. J. R. Hartley

    Indeed.

    The same way that legal firearms reduce crime.

    /sarcasm

    1. SuccessCase

      Re: Indeed.

      Now when I go out, I'm going to leave all the windows in my house open. Then burglars will have to do some extra-hard thinking deciding which one to use and quite likely get so confused, they'll get dizzy and pass out.

  3. Steve Davies 3 Silver badge

    Yeah But...

    do they not think it beyong the wit/skill of the malware creators to see what version of Android the device is running and use known vunerabilities for that version to install the payloads?

    The sooner the networks start blocking really old devices from accessing web pages etc the better. Perhaps that is the trigger that will get the device makers to up their game and release updates?

    Now that I think about it, Nah, it won't. The device makers are mostly operating at the bottom end of the market. They'd sooner sell you a new phone than update the old one, therefore consigning the old one to the landfill site that everyone seems to have in their home (a drawer/cupboard specifically for junk that will never be used again).

    1. Charlie Clark Silver badge

      Re: Yeah But...

      > do they not think it beyond the wit/skill of the malware creators to see what version of Android the device is running and use known vulnerabilities for that version to install the payloads? (spelling fixed)

      The point he's trying to make is that it is exactly this kind of discovery and targeted exploit that is too expensive to be worthwhile.

      This is a "things aren't as bad as some people make out" argument which does seem to be borne out by the facts: millions, or even billions of mobile phones have yet to be compromised. I also wonder what the potential market even for those compromised devices is, assuming that miscreants go for the current favourite attack of ransomware. Even for the technically unskilled a factory reset and reinstall from the cloud shouldn't be too hard, or too expensive if you have to get someone to do it: must be less than cost of a replacement handset.

      No reason for Google or the handset makers to rest on their laurels, of course.

      1. Doctor_Wibble
        Boffin

        Re: Yeah But...

        > The point he's trying to make is that it is exactly this kind of discovery and targeted exploit that is too expensive to be worthwhile.

        That may well be true but is a bit of a misleading omission to ignore the exploits that are simply an app 'doing the wrong thing' with all those permissions the user just gave it. Widespread coverage is tricky to engineer, as someone still has to install it - unless drive-by installs now work again given all the other stuff the industry forgot when a new platform came along!

        Give an app lots of flashing lights, and make it go bingely bingely beep and maybe add some cat video bonus levels, and your targets might even install it themselves. And maybe it's just my inadvertently-pwned tablet but with the regular 20MB updates even for just the preinstalled Calendar app, who's going to notice a load of other activity going on?

        1. Anonymous Coward

          Re: Yeah But...

          The telling point is that despite all of the vulnerabilities out there, there are actually very few compromised devices. That implies that it's too expensive to attack a significant proportion of those devices in use for the financial return you'll obtain. That in turn means that, much as it goes against the grain for IT types, in the current environment it isn't worth putting a lot of effort into improving the fragmentation situation.

          In some ways it's a bit like home security; most people rely on Yale-type locks, don't use window locks and don't have burglar alarms, because the risk of their house being burgled is low. If you live in a dodgy area or are more at risk then you probably have additional deadlocks and do take those precautions.

    2. dajames

      Re: Yeah But...

      > The sooner the networks start blocking really old devices from accessing web pages etc the better. Perhaps that is the trigger that will get the device makers to up their game and release updates?

      No, the device makers will just try to sell you a newer device.

      What's needed is for Google, as licensor, to place a requirement on Android licensees that they issue security updates and bugfixes in a timely manner for a minimum of (say) five years after a given handset first goes on sale, and Android upgrades to the latest version for a minimum of (say) three years.

      Five years is probably about right for fixes -- Android 2.2 (Froyo) is the oldest Android version that isn't marked "obsolete" in the latest Android SDK, and that's about five years old.

  4. Naselus

    Surely there's a lot of security flaws which apply to many versions, though? For example, Stagefright was applicable to everything from 2.2 right up to 5.0. That would have been every operational droid on the planet at the time, more or less, and wouldn't have needed to check version numbers or handset manufacturer because it applied to everyone.

    It's a nice theory but I don't think it holds up. As Charlie Clark says above, the main thing protecting droids right now is that ransomware is in fashion, and mobiles (particularly low-end droids rather than the exec-favoured iTat) aren't a great target for cryptolockers, with their relatively small storage and low chance of being the primary store for valuable data.

    1. Paul Shirley

      Today's ransomware explosion can't explain the 2013 study unless you generalise to say Android simply isn't a valuable enough malware target in general. I think most owners simply don't put anything they worry about losing on them and the Google cloud lets them restore enough to not care about resets.

  5. Christian Berger

    The problem is actually different

    Modern "smartphones" are designed for a business case that is incompatible with security. They are built to sell apps.

    The problem with this is rather simple, apps come from a number of untrustable sources, usually only in binary form, and some even deliberately malicious. The proposed solutions for this problem are as follows:

    1. An Appstore with censorship: In theory some Authority determines what software may go in, and what software must not go in. In that theory there is no other way to install software. In reality commercial pressures on that Authority mean that malware (by some standards) may pass, while perfectly harmless software gets filtered out as it expresses different opinions. So a large amount of people root or jailbreak their devices to get at least some sort of control over it. Since that wasn't seen as a possibility in the security concept, there are no other meaningful precautions.

    2. Sandboxing: In theory you would simply sandbox an application and restrict its abilities that way. Unfortunately that doesn't work. Any app can just refuse to run if it doesn't get the access it wants. Since the user wants to run that app, those rights will be granted. Even if you solve that problem by providing "fake rights" to that app, sandboxes are by no means secure. With Rowhammer we have learned that even allowing memory accesses to restricted areas can lead to sandbox breakouts.

    So what can we do against it?

    First of all we need to ditch the idea of installing random software from some app-designer. Installing an app should be something rare, not something you do because a billboard tells you to do. Maybe it should even only be possible by holding down some hardware button inside of the device.

    Then we need to greatly simplify those operating systems. Those systems should be roughly at the same level of complexity of Windows 3.1 or a task switching DOS. That level of complexity still can be managed and you might even get to a point where a typical user will not notice a bug. Then you can get rid of the idea that software updates have to be something that has to be simple.

    The main problem is that people want web browsers and that web standards are already too complex and are on the way to becoming even more complex. Today a web browser is probably the most complex piece of software you have. Often it's more complex than the operating system kernel it runs on.

    1. Anonymous Coward

      Re: The problem is actually different

      Those two requests are contradictory. Installing few apps and having little functionality in the OS.

      Though I suppose you could have the OS with very little functionality, and all the systems as "apps" from Google/Samsung. It would be great to be able to uninstall half of those! But I doubt they would use it the right way. :P

      1. Dave 126 Silver badge

        Re: The problem is actually different

        >Modern "smartphones" are designed for a business case that is incompatible with security. They are built to sell apps.

        iPhones are built to sell apps and high-margin hardware. Android is built to sell advertisements.

        Apple make their money from hardware, and a 30% cut of app store sales, and a cut of 'virtual magazines', music, videos and other content. Google make their money from advertising. Plenty of studies have shown that iOS users are far more likely to buy apps compared to Android users - which is really what you would expect: People who pay £600 for a phone instead of £300 tend to be those with spare money, thus are more likely to spend money on an app without adverts.

      2. Christian Berger

        Re: The problem is actually different

        "Those two requests are contradictory. Installing few apps and having little functionality in the OS."

        Actually not. You can reach that by having few, but orthogonal features, something many modern developers don't seem to understand. The functionality you get from apps today could also be implemented by a simple "terminal" standard.

        The only problem would be games... but there's a whole group of people who don't want to have that. Those want to get information from "online services", they want to communicate, and they don't want to worry what happens if their device gets stolen.

  6. David 155

    MS manage it

    I don't understand why Google can't send out updates themselves? MS manage to patch Windows on an even more diverse range of hardware.

    1. Dave 126 Silver badge

      Re: MS manage it

      >I don't understand why Google can't send out updates themselves?

      It's because of the nature of Android and the hardware it runs on. There is no equivalent to a BIOS on Android hardware, and each version of Android has to be crafted for an individual device and its components.

      For a new version of Android, Google release the code to the chipset manufacturers, eg Qualcomm. They in turn, if they decide to support the new version of Android on a particular SoC, release a binary blob, a 'Board Support Package', to the handset OEMs, such as Samsung. The OEMs, if they can be arsed, then build the new version, test it, send it to any relevant carrier partners (yep, carriers are still faffing around with phones) and regulatory authorities for testing. Rinse, repeat etc.

      If Google were to create Android today from scratch they would do it differently, as they have with ChromeOS. As it was at the time, Google were racing to deliver a competitor to iOS.

      Google have implemented a bit of a half-way house - they have brought more services and APIs into their Google Play Services, which can be updated just like any other app.

    2. Dave 126 Silver badge

      Re: MS manage it

      >MS manage to patch Windows on an even more diverse range of hardware.

      Desktop PCs have a BIOS, and were always designed to run a choice of OS. That was, and remains, the norm - PCs made up of different bits of hardware. You can get Windows running, then go looking for dedicated hardware drivers.

      NT OS/2 (then NT 3.1 > 4 > 2K > XP > poo > 7. I stopped at 7) was designed to run across different architectures, too (MS were feeling threatened by network-capable OSs and RISC chips).

  7. sabroni Silver badge
    Unhappy

    Hooray! Difficult to write malware for all the different versions!

    Boo! Also makes it difficult to write apps that work for all the different versions....

    1. Anonymous Coward

      Re: Hooray! Difficult to write malware for all the different versions!

      No, Android apps (the type you use through the UI) run on the Android Runtime (VM - ART, formerly Dalvik), which provides a layer of abstraction between the apps, the underlying OS (Linux) and the hardware in the same way Java does on the desktop. You could write an application for Android 1.0 and run it on Marshmallow because of this.

      The article is referring to OS applications / drivers running "below" the Android Runtime which are hardware specific and malware trying to exploit those needs to be specific also.

  8. RyokuMas
    FAIL

    Security by obscurity...

    ... is no security at all.

    1. Brewster's Angle Grinder Silver badge

      Re: Security by obscurity...

      You need to research the difference between "obscurity" and "diversity". It's well understood in security circles that monocultures are bad.

    2. Palpy

      Re: Security by obscurity... Yes. No.

      1. Yes, security by obscurity is no security at all. If you run an obscure but vulnerable system and you are targeted then you will be pwned.

      Surely the 3-letter agencies have stashes of vulnerability lists for various OSes, just in case they run across someone using something obscure which they want to hack.

      2. No, security by obscurity is effective in the most common malware attacks because there is no economic return in targeting your system.

      It's very unlikely that a for-the-money malware group will write code to target Minix or desktop Solaris. Or even, as we know, most desktop Linux.

      1. Naselus

        Re: Security by obscurity... Yes. No.

        "2. No, security by obscurity is effective in the most common malware attacks because there is no economic return in targeting your system."

        This; the legends of Apple invulnerability from the late '90s/early 2000s were mostly based on no-one in their right mind ever keeping anything of value on a Mac. The security on MacOS itself was reckoned to be 10-15 years behind even Windows by 2010 (according to Eugene Kaspersky) yet Windows remained by far the more exploited OS because people actually used it for valuable things.

        Despite its huge market share, Android phones are mostly used as... telephones, generally by poor people. Valuable corporate email or data is much more likely to be on an iPhone or a Windows box than it is to be on even a flagship-class droid, which means serious, hardcore professional hacking groups are more likely to look at other targets. This doesn't excuse poor security, but goes some way to explaining why we have a billion unpatched vulnerable droids in the world but no massive compromise efforts going on.

        If botnetting seriously comes back into fashion in a big way then I'd expect a big wave of version-agnostic droid-focused attacks, since everyone is a target for a botmaster. Android isn't a particularly friendly environment for the current hacker fashions for ransomware and spear phishing.

  9. MalIlluminated

    TLDR

    Guy at mobile payment firm assures you that known vulnerabilities on your mobile device are no big deal, but doesn't go so far as to personally indemnify you when your device is compromised.

  10. Jeffrey Nonken

    ASOP... Did you mean AOSP?

    http://highonandroid.com/android-roms/what-is-aosp/

  11. NotBob
    Pint

    Wait, based on this article, all those unpatched and partially patched old windows boxes on the net must actually increase the security of everyone on the internet, too. Good for the goose, good for the gander and all that...

    Now I need a drink. There's only so much crazy I can take.
