32

I have an Android phone which, like many others, has quickly become unsupported and is not receiving any updates. At the same time there are publicly available exploits for privilege-escalation vulnerabilities, which are mainly used for legitimately rooting the phone; however, as far as I can see, there is nothing stopping an attacker from using these exploits to completely bypass the Android permissions system. This is already done by the applications used for easy rooting of the device: they do not require any special permissions and are able to execute the exploits that give them full access to the system.

It seems like the only thing stopping a normal-looking application in the market from bypassing all Android restrictions and taking control of a device (which does not receive updates) is hoping that Google can catch all such applications and ban them from the market. This does not seem realistic to me. The other option is to run a custom ROM, which often receives updates, assuming you trust the ROM developers and assuming that the ROM is fully compatible with the particular device.

So, the questions are: Is this accurate, or am I missing something? And what is the best solution for somebody who would rather not deal with custom ROMs?

4 Answers

23

Yes, this is accurate. If your version of the Android OS has known privilege escalation vulnerabilities, there is nothing stopping a rogue application from exploiting a privilege escalation vulnerability and thus escaping the sandbox (i.e., gaining unrestricted access to your phone).

This absence of security upgrades is a shortcoming of the Android ecosystem. The ecosystem is reliant upon handset manufacturers and carriers to continue providing security upgrades, but many handset manufacturers/carriers have declined to do so, for economic reasons. They treat the phones as disposable, and don't always show loyalty to older customers. Once the phone is a few years old, they stop providing upgrades and focus on the latest shiny models that are being sold, prioritizing selling new handsets over supporting past customers. This is not very eco-friendly and not particularly customer-friendly. I think it is unfortunate, but it appears to be a fact of life. And so it goes.

There is an excellent analysis of this phenomenon by Michael DeGusta. Here is an infographic showing the results of his analysis:

chart showing availability of OS updates for various phones

Credits: Michael DeGusta at The Understatement.

Update (12/26/2012): Ars Technica has a nice overview of the situation with Android updates, a year later. Unfortunately, it's not pretty: things haven't gotten any better, and many Android phones are not receiving updates. The security risks remain.

1

Some valid points. I personally go the custom ROM route; you mention having to trust the developer, and this is true, just like with every other open-source, community-driven project, and for that matter Google, Apple, Microsoft, etc. I find it much easier to trust an open project than closed-source anything. These are choices we have to make with all tech platforms. FWIW, Cyanogen actually works for Google now, so they apparently trust him. (I'm sure you've heard of CyanogenMod; it's what I and most others use as the ROM of choice.)

Not a lot of options at the OS level to get updates if the carriers aren't going to push them, without going rooted/custom.

As for apps in the marketplace, you just want to use some common sense, just as you would when finding and installing apps for your computer. Check out an app's ratings, feedback and download count; these are usually a good indicator.

1

Modern Android versions (10+) can still be updated (at least their core components) regardless of device manufacturer release cycles. Google put a lot of effort into redefining Android's low-level system architecture in a way that separates critical system components from vendor-specific code: Project Treble was introduced in Android 8, and its main goal is to separate the device-specific vendor implementation from the Android OS framework. This separation significantly simplifies the Android update process for device manufacturers, but most importantly, it allows Google to push security updates to all devices, regardless of vendor-specific changes.

Source: https://android-developers.googleblog.com/2017/05/here-comes-treble-modular-base-for.html

The biggest issue after implementing Project Treble was the fact that all updates, including security ones, still had to be pushed to the device directly by the device manufacturers, who, unfortunately, in some cases deliberately did not provide those updates in order to force users to buy new devices. This problem was solved in Android 10 with Project Mainline. Long story short, Project Mainline highly modularizes the Android ecosystem and allows core modules to be updated through Google Play, thus making critical updates independent from device manufacturers' release cycles.

Source: https://source.android.com/docs/core/architecture/modular-system
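A practical follow-up to the answer above, added here as an example rather than code from the answer or from the Android project: a small POSIX shell triage of a phone's update posture from the output of `adb shell getprop`. The property names (`ro.build.version.sdk`, `ro.build.version.security_patch`, `ro.treble.enabled`) are real Android system properties; the getprop dump embedded below is constructed for the example, not captured from a device. The "stale if older than three months" threshold and the "Mainline-capable means API level 29 or newer" rule are the example's own assumptions, stated in the comments.

```shell
#!/bin/sh
# Added example (not from the answer above or from Android itself): triage a
# phone's update posture from `adb shell getprop` output. On a real device:
#   adb shell getprop > props.txt
# and pass the file's contents to report. The dump below is constructed.

SAMPLE_PROPS='[ro.build.version.release]: [11]
[ro.build.version.sdk]: [30]
[ro.build.version.security_patch]: [2021-06-05]
[ro.treble.enabled]: [true]
[ro.product.manufacturer]: [ExampleVendor]'

# prop DUMP KEY -> value of one "[key]: [value]" line, empty if absent.
# (The dots in KEY are regex wildcards here, which is harmless for these keys.)
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# months_between FROM TO (both YYYY-MM-DD) -> whole months elapsed,
# computed from the year and month fields only.
months_between() {
    fy=${1%%-*}; fm=${1#*-}; fm=${fm%%-*}; fm=${fm#0}
    ty=${2%%-*}; tm=${2#*-}; tm=${tm%%-*}; tm=${tm#0}
    echo $(( (ty - fy) * 12 + (tm - fm) ))
}

# mainline_capable DUMP -> "yes" when the platform is Android 10 (API 29) or
# newer, i.e. can take Play-delivered core module updates; else "no".
# Assumption of this example: API level alone is used as the indicator.
mainline_capable() {
    sdk=$(prop "$1" ro.build.version.sdk)
    if [ "${sdk:-0}" -ge 29 ]; then echo yes; else echo no; fi
}

# verdict DUMP TODAY -> STALE when the security patch level is more than
# three months behind TODAY (heuristic threshold chosen for this example;
# Android security bulletins are published monthly), CURRENT otherwise,
# UNKNOWN when the property is missing.
verdict() {
    patch=$(prop "$1" ro.build.version.security_patch)
    if [ -z "$patch" ]; then echo UNKNOWN; return 0; fi
    age=$(months_between "$patch" "$2")
    if [ "$age" -gt 3 ]; then echo STALE; else echo CURRENT; fi
}

# report DUMP TODAY -> one-line human-readable summary.
report() {
    printf 'Android %s (API %s), patch level %s, Treble: %s, Mainline-capable: %s, verdict: %s\n' \
        "$(prop "$1" ro.build.version.release)" \
        "$(prop "$1" ro.build.version.sdk)" \
        "$(prop "$1" ro.build.version.security_patch)" \
        "$(prop "$1" ro.treble.enabled)" \
        "$(mainline_capable "$1")" \
        "$(verdict "$1" "$2")"
}

report "$SAMPLE_PROPS" "2022-06-01"
```

The point of the check is the one the answer makes: a Treble-enabled, API 29+ device can still receive core module updates through Play even when the OEM has stopped shipping full OS images, so the security patch level is the number to watch, and a patch date that stops advancing is the signal that the device is in the situation the question describes.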

0

Of course it is all a risk/benefit tradeoff - Apple's alternative model also is flawed. Different flaws, sure, but again you are having to place trust in something.

If you are worried, you really want to check the code yourself, or get an independent code reviewer to do it for you. Very tricky with Apple. Very straightforward with something like Cyanogen.

For me, Android is the only OS that gives me the functionality I need on a smartphone so I limit my risk by vetting every install, running antivirus and generally following good practice.

For Android now - in 2016 - more carriers are offering updates, but more importantly, it is easier to buy carrier-agnostic phones without having to root or use custom ROMs. These phones tend to get more frequent updates, and thus far it looks like the update period lasts longer.

