Fragmentation Leads To Android Insecurities

samzenpus posted about a year and a half ago | from the united-we-stand dept.

Android 318

Rick Zeman writes "The Washington Post writes about how vendor fragmentation leads to security vulnerabilities and other exploits. This situation is '...making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software' unlike Apple's iOS which they note has widely available updates several times a year. In light of many companies' Bring Your Own Device initiatives 'You have potentially millions of Androids making their way into the work space, accessing confidential documents,' said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. 'It's like a really dry forest, and it's just waiting for a match.'"

318 comments

Or... (5, Insightful)

MrDoh! (71235) | about a year and a half ago | (#42829169)

iOS is a single target, get one sploit that works, you know it'll work on all of them. The recent Exynos sploit only worked on some Samsung chips. So.. hackers have more devices to attempt to hack! Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

Or... (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42829293)

You get one exploit that works against Android Gingerbread, and you've got one that works for 2+ years against the still most popular version, by a large margin.

Re:Or... (4, Insightful)

denmarkw00t (892627) | about a year and a half ago | (#42829483)

Mod parent up. iOS is a single platform, but new releases (major, point, all) are adopted relatively quickly, and support long lines on the hardware end. Android, however, is slow moving in upgrade adoption - while ICS or JB might have security fixes, most devices are stuck on Gingerbread with no apparent upgrade path from vendors. And, even when Google release major updates, and even if your phone is very capable, odds are you're locked out of doing anything yourself by the manufacturer (or in some cases by your carrier - gf's Xperia had "Untrusted Apps" disabled and locked from being enabled, that's an AT&T "feature").

Re:Or... (-1)

Anonymous Coward | about a year and a half ago | (#42829641)

how many times did your girlfriend need "untrusted apps"?

you're complaining about a "Feature" but when 99% of your userbase doesn't need it, then turn it off. that is, unless you still have telnet enabled on your system because "FEATURE!@$"

Re:Or... (5, Interesting)

happymellon (927696) | about a year and a half ago | (#42829681)

You mean like the Android humble bundles?

Re:Or... (4, Informative)

ahabswhale (1189519) | about a year and a half ago | (#42829303)

Android phones rarely get updated. About half of all Android users are still running 2.3 or earlier and the uptake for new versions is glacially slow. This makes android extremely vulnerable. If someone discovers an attack for 2.x, it's game over for millions of phones. Android also has a leaky walled garden that allows users to easily bypass the Google Play store and go to any market place they may choose. Hell, it's not even unusual to find infected apps in the official Google Play store.

Re:Or... (5, Insightful)

TheGratefulNet (143330) | about a year and a half ago | (#42829355)

nexus one user, here. cm7.2 is 2.3.7

likely, that will be all it ever runs.

shame and pity that google designed this. they farked it up. would you tolerate a linux distro that ended just a few years after it started?

that's how I feel. abandoned.

I run linux hardware (x86) that is recent and I also have 10 yr old systems that are just fine (thanks) and I continue to get linux updates for them.

but not android.

stupid google. seriously. why do people give google a pass on shit like this? we would not put up with this on regular desk/server linux.

Re:Or... (2)

crutchy (1949900) | about a year and a half ago | (#42829429)

can you imagine the security epidemic faced by routers and set top boxes that never get updated... omg it's the end of linux!

Re:Or... (0)

Anonymous Coward | about a year and a half ago | (#42829495)

My router has been updated at least four times within the past 6 months. A router that is not getting updates is a security problem, as it controls everything about your internet access...

Re:Or... (1)

limaCAT76 (2769551) | about a year and a half ago | (#42829505)

can you imagine the security epidemic faced by routers and set top boxes that never get updated... omg it's the end of linux!

Yup, it's the Morris Worm days all over again!

Re:Or... (0)

Anonymous Coward | about a year and a half ago | (#42829453)

The Nexus One doesn't have enough space to support higher versions of Android. What do you want? It just can't do it. Just like you can't run Ubuntu on a 286.

Re:Or... (1, Insightful)

thetoadwarrior (1268702) | about a year and a half ago | (#42829731)

Some of us didn't give the poor experience a pass and moved away from Android. More people need to do that and let google know we think it's shit.

Re:Or... (3)

thegarbz (1787294) | about a year and a half ago | (#42829669)

Hell, it's not even unusual to find infected apps in the official Google Play store.

Citation Needed.

Not a one off either. You said it's not unusual so please link us to this supposed endemic problem in Google's Play Store.

Re:Or... (5, Insightful)

DerekLyons (302214) | about a year and a half ago | (#42829345)

Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

It's funny.... when Apple or Microsoft comes up, all the highly rated comments are about how Android lets you escape the walled garden and get your apps wherever you want from whomever you want. But let the story be about malware and security problems with Android - and all of a sudden it's the user's fault for going outside the walled garden.

Re:Or... (1)

Anonymous Coward | about a year and a half ago | (#42829389)

So what? I don't remember anyone saying that you'd be safe running every single random apk, just because you can.

Freedom can come with risk, in nearly anything. I prefer to be able to choose. Just a personal preference.

Re:Or... (1)

crutchy (1949900) | about a year and a half ago | (#42829443)

i'd rather android malware than windows malware... at least android malware isn't going to tank the whole system

Re:Or... (1)

limaCAT76 (2769551) | about a year and a half ago | (#42829493)

i'd rather android malware than windows malware... at least android malware isn't going to tank the whole system

You know, you could always stop deactivating UAC, stop running with admin account and start auto updating your PCs with windows update for those worms that affect windows services.

Re:Or... (4, Insightful)

mjwx (966435) | about a year and a half ago | (#42829421)

Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

It's funny.... when Apple or Microsoft comes up, all the highly rated comments are about how Android lets you escape the walled garden and get your apps wherever you want from whomever you want. But let the story be about malware and security problems with Android - and all of a sudden it's the user's fault for going outside the walled garden.

When given responsibility, people are expected to be responsible for themselves.

Shock Horror.

Whenever there is a thread on viruses for Macs, Mac Fanboys always blame the user as malware is only found in pirated programs. Whilst this is not strictly true in any modern OS (OS X, Windows or Linux) almost all malware these days is (knowingly or unknowingly) installed by the user.

The equivalent of relying on "walled gardens" for security is like trying to cut road accidents by mandating that people can only buy white Automatic Camrys with speed limiters. This ignores the fact that you can still crash a speed limited auto camry if you have no fecking clue how to drive.

Re:Or... (4, Insightful)

dido (9125) | about a year and a half ago | (#42829481)

Oh, I dunno. I kind of like having the choice of whether to stay in the walled garden or go outside every now and then at my discretion because I'd like to think that I know what I'm doing most of the time. Let's rephrase that a little: If someone decides to go outside the walled garden, well then, their security becomes their responsibility right? Perfectly reasonable thing if you asked me. Trouble is Apple doesn't like giving anyone this kind of choice, and that kinda makes you feel they're still trying to exercise ownership over your device even though you've paid them their ridiculous profit margins for it.

Re:Or... (1)

H0p313ss (811249) | about a year and a half ago | (#42829557)

Oh, I dunno. I kind of like having the choice of whether to stay in the walled garden or go outside every now and then at my discretion because I'd like to think that I know what I'm doing most of the time.

Absolutely, kind of like Amsterdam, it's always there if I want it. Similarly I know the Android garden of infinite delight is always there. And if I ever feel like bending over and getting reamed I'll leave the walled garden. Just knowing it's possible makes me feel so much better.

(Tongue firmly in cheek)

Re:Or... (4, Insightful)

icebike (68054) | about a year and a half ago | (#42829427)

iOS is a single target, get one sploit that works, you know it'll work on all of them.

The recent Exynos sploit only worked on some Samsung chips.

So.. hackers have more devices to attempt to hack!

Though all this is a waste of time if people use non-standard app stores and/or download warez, then what do they really expect?

To be fair, a couple of exploits have slipped into the Android Market over time, but by and large you are correct, it is the dodgy pirate black market where users hope they can avoid paying the 99 cents charged in the legitimate market where you are likely to get hacked.

Yet these stories, always couched in terms of "fragmentation" and "malware" always show up in the press whenever Apple needs a little diversion.

Fragmentation, because apple wants you to think that only a monolithic OS is safe. The variety of the Android world scares them to death.

Malware, because they want to put the fear of alternative markets into the buying public. The emergence of alternative markets scares apple to death.

So every 3 or 4 months Apple plants these stories in the press. And every time, there is, predictably, absolutely ZERO outbreak of malware, except for the same pattern of cheesy hacks found on Chinese websites by people looking to save a buck.

Re:Or... (1)

Swampash (1131503) | about a year and a half ago | (#42829465)

To be fair, a couple of exploits have slipped into the Android Market over time

Yes, in the sense that Apple is not on the verge of bankruptcy.

Re:Or... (3, Insightful)

an unsound mind (1419599) | about a year and a half ago | (#42829477)

This does not change the fact that a lot of Android phones are running vastly outdated versions of their firmware with several known security holes - and the people owning these phones do not have the option of updating their phones.

Android is insecure, because of two factors - the manufacturers frequently simply don't give their users a way to update, and because the system requirements of the OS keep rising at an absurd pace, making many older phones incompatible with later releases of the OS.

Re:Or... (4, Insightful)

icebike (68054) | about a year and a half ago | (#42829499)

There is no epidemic of exploits.
Most doors can be opened with a bump key. But that isn't happening either.

Re:Or... (0)

denmarkw00t (892627) | about a year and a half ago | (#42829529)

imgfwsrntmrniwtryanonbsihsttsty

Re:Or... (0)

Anonymous Coward | about a year and a half ago | (#42829539)

Fragmentation, because apple wants you to think that only a monolithic OS is safe. The variety of the Android world scares them to death.

I suspect that you are referring to the various App Stores, but the variety of Android is the only thing saving Apple. There is not a single consistent experience that people can depend on, which normal people really do want. Amusingly, Amazon is stealing the show from Google because of this.

Every single person that I know that has switched from Android to a different OS has done so because of the general lack of support from manufacturers following the phone's release, which is then compounded by the carriers followed by Google's lack of caring beyond toothless public statements.

Re:Or... (1)

icebike (68054) | about a year and a half ago | (#42829577)

That's nonsense. People don't switch from android because their phones don't look like everyone else's.
People only use one phone, they could care less that their neighbor's phone is slightly different.
I don't know a single person who has switched from android to another OS. It's always the other way around.

Re:Or... (1)

DKlineburg (1074921) | about a year and a half ago | (#42829689)

I'm leaving. Because I can't upgrade. Verizon has told me my phone will never get the new OS. I guess it is because it can't support it, but I don't like being stuck with an old OS I can't patch. Yes I don't care what it looks like. I care what is on it.

Re:Or... (1)

icebike (68054) | about a year and a half ago | (#42829733)

They will give you a new phone every other year for Pete's sake!

Re:Or... (0)

Anonymous Coward | about a year and a half ago | (#42829561)

screwed up mod

Re:Or... (1)

thetoadwarrior (1268702) | about a year and a half ago | (#42829705)

iOS is also an easy platform to fix. All those android users stuck on gingerbread will be on that for the life of the device. You can hit them over and over.

Analogies (0)

Anonymous Coward | about a year and a half ago | (#42829171)

Should have used a car analogy.

Re:Analogies (0)

Anonymous Coward | about a year and a half ago | (#42829231)

Ah...that car analogy would be "It's really like a parking garage full of BMWs, and it's just waiting for a laptop"

I remember... (4, Insightful)

webmistressrachel (903577) | about a year and a half ago | (#42829189)

Not so long ago niche platforms and disparate architectures were slated to be good BECAUSE they were so diverse it wasn't worth the time to hack them individually...

I also remember a time not so long ago that Microsofties used to complain that the frequency and ease of attacks on public sites was due to their dominance and being a big target. I wonder what Linux admins say now, since they now dominate the data centre?

Re:I remember... (4, Insightful)

erice (13380) | about a year and a half ago | (#42829225)

Not so long ago niche platforms and disparate architectures were slated to be good BECAUSE they were so diverse it wasn't worth the time to hack them individually...

I also remember a time not so long ago that Microsofties used to complain that the frequency and ease of attacks on public sites was due to their dominance and being a big target. I wonder what Linux admins say now, since they now dominate the data centre?

But these are not niche platforms or disparate architectures. They are all compatible from the point of view of applications and malware. It is just the customization and vendor disinterest that prevents updates. It is as if Dell, Lenovo, HP, etc added their crapware so deeply into the Windows infrastructure that Microsoft's security updates could not be applied and the vendors were not interested in creating or distributing adapted versions.

Re:I remember... (1)

Telvin_3d (855514) | about a year and a half ago | (#42829383)

Not that long ago an exploit that only targeted 5% of smart phones would have a return so small it would not possibly be worth it. Now an exploit that targets 5% of smart phones represents millions of phones.

Re:I remember... (1)

crutchy (1949900) | about a year and a half ago | (#42829461)

yeah cos we keep hearing about how all these linux datacenters keep getting hacked and infected by viruses and malware

it's a total disaster :)

Re:I remember... (0)

Anonymous Coward | about a year and a half ago | (#42829541)

Android runs on a standard linux kernel so I fail to see the point in comparing it AGAINST linux. When android is doing good then it is linux. When android is doing bad then I guess it's not linux? Maybe it's the linux part of android that should be doing a better job? http://www.androidcentral.com/ask-ac-android-linux

Re:I remember... (0)

Anonymous Coward | about a year and a half ago | (#42829611)

That was harder to parse than it needed to be...

Number 1 mobile platform is not exactly niche.

NIX has long dominated the data center. I can't think of anything else that ever really challenged it there.

Windows problems were due to one vendor, MS. This article is discussing the pitfalls of multiple vendors writing crap and not patching it.

The quest for free apps (0)

Anonymous Coward | about a year and a half ago | (#42829199)

As long as any platform offers potentially free apps and upgrades there will always be this high risk for exploitation. Perhaps we should take the matter into our own hands and start a group to offer a safety certification?

Re:The quest for free apps (1)

crutchy (1949900) | about a year and a half ago | (#42829511)

exploitation of an app is only a problem if the operating system enables an exploited app to infect the rest of the system

Not vendor fragmentation (4, Insightful)

rudy_wayne (414635) | about a year and a half ago | (#42829203)

The problem isn't vendor fragmentation. The problem is vendor laziness. If you produce an Android device there is no legitimate reason why you can't provide regular updates.

Re:Not vendor fragmentation (4, Interesting)

TheGratefulNet (143330) | about a year and a half ago | (#42829371)

bullshit!

google abandoned the 'bad old hardware' (gfx chips were 'too old').

and so they stopped ALL updates of importance.

it's not the vendors. don't blame them. it's the creator of android. those guys messed up the design (split of gfx and non-gfx) and so we get 'end of lifed' systems that are FAR too young to be put to pasture.

sigh. really, deep sigh.

Re:Not vendor fragmentation (1)

crutchy (1949900) | about a year and a half ago | (#42829517)

all the other linux distros seem to be able to manage

Re:Not vendor fragmentation (3, Informative)

thegarbz (1787294) | about a year and a half ago | (#42829789)

I call bullshit to your bullshit.

Go have a look at the list of supported devices by Cyanogenmod and look up how many of those devices actually offer vendor upgrades to Jellybean. Hint: very few. My device stopped being supported at Gingerbread because the vendor says "it was too slow". I am now running Jellybean and thanks to Google's tweaks it runs faster and smoother than it ever did.

But hey let's not dwell on old hardware shall we? Jellybean was released in early July 2012. Just under 4 months later Samsung were still saying US customers will get their SIII update in "the coming months". You know when Cyanogenmod 10.1 supported the Galaxy S III? Within 3 weeks of release.

The problem IS vendor laziness.

Re:Not vendor fragmentation (2)

noh8rz10 (2716597) | about a year and a half ago | (#42829431)

If you produce an Android device there is no legitimate reason why you can't provide regular updates.

I'm afraid you have it backwards, love. if you sell an android device (i.e. the carriers) you have no incentive to provide upgrades, and it's better for you if the user plus ups his phone. savvy?

Re:Not vendor fragmentation (2, Informative)

Anonymous Coward | about a year and a half ago | (#42829485)

Two reasons:

1) Hardware component manufacturers don't provide updated drivers. Many of them are binary blobs that aren't compatible with newer kernel/Android versions. Especially Qualcomm and Nvidia chipsets.

2) Carrier certification is *expensive*. Going through the effort of getting updates carrier-approved costs tens of thousands of dollars, per update.

Re:Not vendor fragmentation (0)

obarthelemy (160321) | about a year and a half ago | (#42829501)

Does your car vendor update your engine when they come out with a new one ?

Re:Not vendor fragmentation (3, Insightful)

DarwinSurvivor (1752106) | about a year and a half ago | (#42829527)

Is your old engine susceptible to remote control security bugs that can be activated by a teenager in Russia?

Not everything is conducive to a car analogy.

Re:Not vendor fragmentation (0)

Anonymous Coward | about a year and a half ago | (#42829545)

McLaren does.

Re:Not vendor fragmentation (1)

thegarbz (1787294) | about a year and a half ago | (#42829797)

No but I got a recall notice in the mail saying my car needs to come into a GM workshop to fix a problem for free and that I need to phone to arrange the time.

Car vendors do provide critical updates. Your analogy works quite well.

Re:Not vendor fragmentation (0)

stephanruby (542433) | about a year and a half ago | (#42829645)

The problem isn't vendor fragmentation. The problem is vendor laziness. If you produce an Android device there is no legitimate reason why you can't provide regular updates.

I'm not disagreeing with your main point, but you have to admit that there are a couple of legitimate reasons for not providing updates:
* Android 2.3 is for single core phones (single core phones are not going away anytime soon since manufacturers are still making them for some carriers)
* Android 3.x is for some tablets & google TV (a better name for it should have been Android 2.3 tablet edition)
* Android 4.x is for multi-core devices (but even then, if your device wasn't the latest multi-core, avoiding 4.1 and waiting for 4.2 instead was preferable)

Furthermore, security updates are in a completely different category. Carriers do provide over-the-air security updates assuming a flaw is serious enough. It just doesn't necessarily mean that they'll update you to the most recent version of Android. In that regard, Apple is the exact same way. If a security flaw is found, Apple will fix it with an update, sometimes long before there is a next major release.

Re:Not vendor fragmentation (1)

DKlineburg (1074921) | about a year and a half ago | (#42829727)

I think it is good to note. Think of the late 90's. I remember you had to get a new "PC" every year, if not more to keep up with the latest toys.

I guess this would be the same. Now, should my phone be secure? Yes.

I blame the SoC vendors and Google (5, Insightful)

Casandro (751346) | about a year and a half ago | (#42829215)

If there was either a common hardware platform, like on the PC, where every PC is essentially compatible with every other PC, you could easily update your operating system without the manufacturer of the hardware.
However SoC vendors don't want that, since it would mean that a device maker could easily switch from one SoC to another one. Plus they still use undocumented proprietary hardware in those SoCs, that's why you have binary device driver blobs which are hard to port.

The other problem lies within Google. They should have mandated some sort of "BIOS" which would have allowed any operating system to see what kind of hardware there is. This wouldn't have been more than a few hundred bytes in the flash containing the bootloader. That way you could have a generic operating system image, which would read out that ROM and execute routines found in it to use the hardware and then, perhaps at a later stage, use specialized drivers... just like it's done on the PC.

The sort of fragmentation we currently have in the Android market is simply bad, but a logical consequence from bundling hardware with the operating system. I just hope that one day the Chinese will wake up, and design a common hardware platform allowing the user to boot its own operating system from the SD-card, and even move it from device to device.

Re:I blame the SoC vendors and Google (0)

Anonymous Coward | about a year and a half ago | (#42829297)

The common hardware platform of the PC has not done much to improve its value over time. I think these companies would rather sell us the same hardware over and over again with small modifications. Sure, it would be better for the consumer but not for these companies ready to cash in on doing the least amount of work possible.

Re:I blame the SoC vendors and Google (1)

Casandro (751346) | about a year and a half ago | (#42829365)

Disclaimer: I'm going to use "PC" in a very sloppy sense, meaning any 386-derivative system which can, in theory, run DOS-games or a standard Linux distribution from scratch.

I wouldn't say so. It's been upgraded from, essentially a "home computer" with 64k RAM to something which now spans everything from larger embedded systems to huge server farms. Just keep in mind that only in the 1990s it would have been impossible to run a high performance webserver on a PC. Today special "PC"-architecture servers are the norm.

Re:I blame the SoC vendors and Google (0)

Anonymous Coward | about a year and a half ago | (#42829463)

This may be so but the "PC" as in "Personal Computer" or "Computer sold to people for their own personal use" has lost value whenever in the past its been sold within the context of having cheap interchangeable parts. The original vendor of that computer loses out in the end financially speaking due to cheap knockoffs and the added ability for the consumer to upgrade the computer or fix it.

Re:I blame the SoC vendors and Google (1)

Belial6 (794905) | about a year and a half ago | (#42829551)

I don't know. I'm thinking that IBM may have sold more PCs due to the fact that they were cloned than they would have sold if they were never cloned. They would have had 100% of the "IBM PC Compatible" market, but I'm not convinced that that market would have gained the dominance that it did.

Re:I blame the SoC vendors and Google (1)

Casandro (751346) | about a year and a half ago | (#42829759)

Actually IBM set the perfect example. In response to the clones they developed their PS/2 line. They were designed to be deliberately incompatible with normal PC parts, as well as having a new bus, the MCA. It did still run MS-DOS or Windows or OS/2, so it was software compatible, even games ran on it.
Needless to say it failed. Nobody wanted to have a proprietary system for which a network card costs multiple times as much as for the competitors. Needless to say it failed miserably, even though they were considerably better.

A common hardware platform means that you have actual competition. Compaq, for example built an IBM compatible into a portable case for the same price as IBM. Plus you could use all your normal peripherals.

Re:I blame the SoC vendors and Google (1)

crutchy (1949900) | about a year and a half ago | (#42829531)

remember those huge server mobos... wow those were the days

Re:I blame the SoC vendors and Google (1)

Casandro (751346) | about a year and a half ago | (#42829553)

Why remember? Those still exist. How else would you get a 4 socket mainboard? (that's 4 CPU sockets, each one with its own RAM)

Re:I blame the SoC vendors and Google (1)

kllrnohj (2626947) | about a year and a half ago | (#42829349)

Except for the "problem" that Android is open source. Google mandating a BIOS would be a waste of everyone's time because it wouldn't have changed anything.

Also a common hardware platform would be a terrible idea. The competition between SoCs right now is awesome and something sorely missing on PCs.

Re:I blame the SoC vendors and Google (1)

Casandro (751346) | about a year and a half ago | (#42829395)

Well it actually would have changed things. Instead of having to port Android to every little device, which is extremely time consuming, you'd just need to compile it once. And you wouldn't even have needed drivers for all your hardware.
Android at least allows you to do that, but in reality you'll still be faced with closed source SoC vendor proprietary drivers. It's just a lot of wasted resources.

So far I don't see much competition between different SoCs, you select one and have to stay with it since going to another one is too much effort for most projects. Please name positive aspects of the competition you see there, don't just state they somehow exist.

missing disclaimer (3, Informative)

Anonymous Coward | about a year and a half ago | (#42829221)

TFA author is an iPhone user, according to his twit feed https://twitter.com/craigtimberg

Re:missing disclaimer (0)

mjwx (966435) | about a year and a half ago | (#42829471)

TFA author is an iPhone user, according to his twit feed https://twitter.com/craigtimberg

So the only genuine insecurity to be found in the article, is that of the author's.

Fragmentation (4, Insightful)

LordLucless (582312) | about a year and a half ago | (#42829263)

Trying to argue about fragmentation with people attacking Android is a losing battle. "Fragmentation" means there's too many different hardware form-factors. No, it means too many vendor-specific UIs. No, it means that we need to support multiple OS versions. No, it means that we can't guarantee what security patches have been applied.

Bah, from where I'm sitting, "fragmentation" means nothing more than "I don't like it" - a way of disparaging choice from those who don't want it.

Re:Fragmentation (1, Troll)

TheGratefulNet (143330) | about a year and a half ago | (#42829381)

(modded insightful? where? why?)

yes, google is at fault, not the vendors. they bundled hardware and os too much and this is the result. fragmentation, HERE, means that 'this hardware is too old, waaaah!' and they abandon it for security updates, app updates, feature updates (that don't require snazzy new hardware).

they simply did a lazy and poor job. go ahead, mod me down. but it's still true. the way android is structured, they abandon stuff way too early and for the lamest of reasons.

it's not 'just complaining'. if you think so, you are more deluded than those you are complaining about.

Modded insightful?! (0)

Anonymous Coward | about a year and a half ago | (#42829671)

Wait- who?

Google abandons stuff way early? Or you mean the vendors, who make the vast majority of abandoned devices and have every incentive to obsolete old hardware so they can sell new devices?

This "fragmentation" angle is a bullcrap attack on Android or Google. It *IS* a valid criticism of a bullshit FCC that prohibits unlocking phones and won't even give their explicit blessing via DMCA exemption to unlocking bootloaders so that people can update their tablet (and other devices)'s old operating systems. As if we should need anyone's approval.

The fucked up business models of the mobile cartels is the massive issue, not something inherent in Android or Google. And you can add the FCC's total ignorance regarding mobile devices that they are regulating, as they're supporting the anti-competitive status quo.

Re:Fragmentation (4, Insightful)

aztektum (170569) | about a year and a half ago | (#42829673)

Whether to continue supporting a phone is not up to Google. Much of that decision is up to the carriers, then the vendors. Those same folks that want to roll out new devices every 6-12 months.

If a vendor takes Android 4.0 and mods the fuck out of it for their device, is Google responsible for patching all the security problems they introduced? Should Google take on writing new versions of Android for that hacked up version?

I like how you ultimately defend your post by suggesting anyone that disagrees is a clueless rube. Brilliant.

You're blaming Google for what is simply the mess that is the cellphone industry. At least in the U.S.

Re:Fragmentation (2)

symbolset (646467) | about a year and a half ago | (#42829385)

This. They've actually been at it since before the first Android device was even launched, claiming it was a fatal ill. Despite the dire fragmentation it has succeeded handily.

I'm kind of curious how many millions have been spent Android-slandering in this way. Has to be quite a few. Any self-respecting for-fee product slanderer would have switched to another strategy that was failing less spectacularly by now. His customer might have switched to another more effective slanderer in some sort of normal world.

But, meh. It's not working and that's how I like it, so fine.

Re:Fragmentation (1, Insightful)

tsj5j (1159013) | about a year and a half ago | (#42829415)

And dismissing it is the easiest way to avoid the problem and do nothing about it.

Fragmentation is a problem as it undeniably results in a subpar experience: apps that may or may not work, much more testing required for developers, slow update process (due to all those pesky vendor UIs), and apps contorted to fit resolutions they're not designed for.
But most importantly of all, it guarantees you a platform where finding an exploit is lucrative: because most people will still be vulnerable months after it is announced.

People point out that iOS is a nice, unified platform to target malware. True, but remember also that Apple doesn't have to wait at the whim of vendors to push updates. Your precious 0-day exploit will be patched long before an Android-equivalent is fixed.
From where I'm standing, competition is great, but fanboys from both sides are fiercely defending problems when their energies are better invested into pressurizing the developers to make something greater, which they can be proud of using.

Perhaps asking for carriers to take a completely hands-free approach to updates is too big a leap. Why not try pushing for a framework where critical system-level security updates can be distributed without carrier approval? Alternatively, just get everyone you know to stop buying devices with locked down bootloaders: I've recommended all of mine to get a Nexus, simply because they aren't as restricted. Every small effort counts.

Re:Fragmentation (1)

Belial6 (794905) | about a year and a half ago | (#42829567)

Fragmentation is a problem as it undeniably results in a subpar experience:

I'm confused. You are implying that Android is 'Fragmented' and that Fragmentation causes a subpar experience. Those two ideas don't add up.

Re:Fragmentation (0)

Anonymous Coward | about a year and a half ago | (#42829521)

In this case it means that millions of phones don't get security updates because carriers handle updates instead of the OS vendor.

Re:Fragmentation (1)

ChunderDownunder (709234) | about a year and a half ago | (#42829783)

Ubuntu phone - security updates are as easy as syncing with your local distro mirror. An LTS release would provide security updates for 3 years.

Re:Fragmentation (1)

phantomfive (622387) | about a year and a half ago | (#42829701)

there's too many different hardware form-factors. No, it means too many vendor-specific UIs. No, it means that we need to support multiple OS versions. No, it means that we can't guarantee what security patches have been applied.

You realize all of these are valid criticisms, right?

Re:Fragmentation (2)

LordLucless (582312) | about a year and a half ago | (#42829737)

Yeah. But when you address one, the issue shifts to another; when you address that, suddenly you're arguing about the next. Moving goalposts. Although I notice there are far fewer form-factor fragmentation arguments now that Apple's got at least three different form-factors under their belt...

Re:Fragmentation (1)

phantomfive (622387) | about a year and a half ago | (#42829769)

Well Apple's fragmentation is annoying too! Android being bad doesn't preclude Apple from being bad. If only WebOS had made it, since clearly it was the perfect OS.

HA HA! (-1, Troll)

Anonymous Coward | about a year and a half ago | (#42829291)

Everyone that uses Android is a fucking dumbass.

Re:HA HA! (0)

Anonymous Coward | about a year and a half ago | (#42829509)

Some of them aren't dumb, just poor.

Headline should read ... (1)

Anonymous Coward | about a year and a half ago | (#42829299)

"Washington post parrots Microsoft talking points."

Fragmentation is not to blame (4, Insightful)

Morgaine (4316) | about a year and a half ago | (#42829333)

Linux has huge diversity among its many distributions, and yet it doesn't suffer from the security problems described in the article. So-called "fragmentation" isn't really a valid technical reason for lack of security at all. If a system is designed for security then it will be secure, regardless of the number of its variations.

The real reason why Android is lacking in security is because Google hasn't focused on security. They decided not to include iptables/netfilter (the Linux firewall) as a standard facility in Android, which would have been very easy to do. And they haven't allowed users to block privileges demanded by apps after install. Instead you're offered only a package deal, either let the app do whatever it wants or don't install it, period. Android users are hence pressured into a corner, and the end result is often worse security than they would wish.

Don't blame fragmentation. Instead point a finger at Google designers who seem remarkably disinterested in supporting the Android user's security and privacy requirements.

Re:Fragmentation is not to blame (2)

kllrnohj (2626947) | about a year and a half ago | (#42829375)

Android's security is top notch, and your claim Google isn't focusing on it is bullshit. With every release it has gotten better than the one before it.

And those permissions you complain about? Yeah, that's something desktop Linux doesn't even have. Android wins that by default. Your attempt to turn a very obvious and straightforward advantage into some sort of negative is ridiculous.

iptables/netfilter doesn't help here in the least, by the way. They are completely pointless here.

Re:Fragmentation is not to blame (3, Insightful)

Anonymous Coward | about a year and a half ago | (#42829515)

Android's security is top notch

I guess you didn't read the article then.

With every release it has gotten better than the one before it.

Which implies that every earlier release has had insecurities which Google had to fix.

And those permissions you complain about? Yeah, that's something desktop Linux doesn't even have.

Desktop Linux doesn't install insecure apps from unknown 3rd parties as Android encourages. Because Android's approach to apps is vastly more dangerous, it requires a hugely more comprehensive approach to security instead of relying on trust in an app provider. It's tailor-made for abuse.

Instead we have almost nothing, just some requested permissions which are meaningless in practice. As many Android commentators have described, it's totally normal for app developers to request everything, and you can never tell what they are doing with that permission, nor block it. It's an insane package deal. Those permissions don't provide user security, they only deliver security theater. It's a sham.

iptables/netfilter doesn't help here in the least, by the way.

Don't be ridiculous. Controlling which sites your app is allowed to talk to is the very first step in network security.

Re:Fragmentation is not to blame (0)

Anonymous Coward | about a year and a half ago | (#42829407)

Another reason why the "fragmentation" excuse is bullshit is that Android was DESIGNED to be implemented by umpteen different handset manufacturers each on their own diverse hardware. Even the three Nexus tablets are all from different manufacturers and run on 3 very different kinds of hardware.

Google and/or journalists can't turn around and complain of fragmentation when this was the intended Android environment. It's exactly as was planned from the start.

Re:Fragmentation is not to blame (-1)

Anonymous Coward | about a year and a half ago | (#42829497)

As we speak, Linux servers are busy portscanning and attacking everything they can reach. Before I even finish typing this sentence, Linux systems will have sent more SPAM than England consumed during all of World War II.

Linux is pretty shitty, isn't it?

Oh, wait. You mean it isn't RedHat, Canonical, Novell, or Linus Goddamned Torvalds's fault that users fail to apply updates? It isn't their fault when some jackass untars a CMS into a docroot and lets it rot, never even applying security patches? ...I guess Android is pretty damned good at security.

Re:Fragmentation is not to blame (3, Insightful)

um... Lucas (13147) | about a year and a half ago | (#42829643)

You're missing the point. Users aren't failing to update, they're not provided with any updates at all.

Re:Fragmentation is not to blame (2)

jvonk (315830) | about a year and a half ago | (#42829667)

The real reason why Android is lacking in security is because Google hasn't focused on security. They decided not to include iptables/netfilter (the Linux firewall) as a standard facility in Android, which would have been very easy to do.

That's why I installed the free DroidWall [google.com] app from Google Play. Now I have an Android iptables firewall that is very versatile.

And they haven't allowed users to block privileges demanded by apps after install. Instead you're offered only a package deal, either let the app do whatever it wants or don't install it, period.

That's why I built and installed the free PDroid [xda-developers.com] framework into my free custom ROM. Now I can grant, deny, or spoof the permissions on all my apps.

If anyone's interested, I currently recommend using Auto-Patcher [xda-developers.com] as the tool to inject PDroid into your ROM. I also recommend using the OpenPDroid [xda-developers.com] option in Auto-Patcher, with PDroid Manager [google.com] as the front-end UI app.

So, both of the Android security problems you cited have solutions. Yes, these solutions require rooting, and PDroid requires a custom ROM; however, since you were talking about Linux distros and iptables, I anticipated you might be interested and capable.

As an aside, being able to do things like this is why I will never consider iOS or (*shudder*) Windows Phone for my devices.

Re:Fragmentation is not to blame (1)

phantomfive (622387) | about a year and a half ago | (#42829707)

They decided not to include iptables/netfilter (the Linux firewall) as a standard facility in Android, which would have been very easy to do

The vast majority of Android phones I've found actually do have iptables. You need to be root to do much with it, though....
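The per-app network control argued over in this sub-thread rests on netfilter's owner match, because Android runs each installed app under its own Linux UID. The following is an added example, not code from any commenter or from DroidWall: it prints an allow-list ruleset rather than applying it. The chain name and UIDs are constructed for illustration, and running the printed commands on a device requires root.

```shell
#!/bin/sh
# Added example: print an iptables allow-list for app traffic, keyed on UID.
# Android assigns each installed app of the primary user a UID in the range
# 10000-19999, so the "owner" match can tell apps apart on the OUTPUT chain.

CHAIN="app-allowlist"   # hypothetical chain name
APP_UID_MIN=10000       # first app UID for the primary user
APP_UID_MAX=19999       # last app UID for the primary user

# build_rules UID...
# Prints the commands for an allow-list; nothing is executed.
# Fails before printing anything if any argument is not an app UID,
# so a bad argument can never yield a partial (more permissive) ruleset.
build_rules() {
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*) echo "invalid uid: $uid" >&2; return 1 ;;
        esac
        if [ "$uid" -lt "$APP_UID_MIN" ] || [ "$uid" -gt "$APP_UID_MAX" ]; then
            echo "uid $uid is outside the app range" >&2
            return 1
        fi
    done

    echo "iptables -N $CHAIN"
    echo "iptables -A OUTPUT -j $CHAIN"
    # Loopback traffic never leaves the device; let it through.
    echo "iptables -A $CHAIN -o lo -j RETURN"
    for uid in "$@"; do
        echo "iptables -A $CHAIN -m owner --uid-owner $uid -j RETURN"
    done
    # Every other app UID is rejected. System UIDs below 10000 do not
    # match this rule and fall through to the rest of OUTPUT.
    echo "iptables -A $CHAIN -m owner --uid-owner $APP_UID_MIN-$APP_UID_MAX -j REJECT"
}

# Stand-alone use: ./script.sh 10045 10102
if [ "$#" -gt 0 ]; then
    build_rules "$@"
fi
```

An app's UID can be read on the device from the `userId=` field of `dumpsys package <package-name>`.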

um no (1)

slashmydots (2189826) | about a year and a half ago | (#42829339)

Having everything all being exactly one way is one giant target for easy attacks. The more different, the better. They have this completely backwards.

Android fragmentation FUD .. (1)

dgharmon (2564621) | about a year and a half ago | (#42829445)

That whole article reads like it could have been written by the Microsoft FUD division. It's either nobody uses Open Source or, if it is popular, then it has to be fragmenting ...

"Android also gives you tools for creating apps that look great and take advantage of the hardware capabilities available on each device. It automatically adapts your UI to look its best on each device, while giving you as much control as you want over your UI on different device types."

"you can create a single app binary [android.com] that's optimized for both phone and tablet form factors. You declare your UI in lightweight sets of XML resources, one set for parts of the UI that are common to all form factors and other sets for optimizations specific to phones or tablets".

"At runtime, Android applies the correct resource sets based on its screen size, density, locale, and so on."

It's not the frequency, it's the penetration (1)

Swampash (1131503) | about a year and a half ago | (#42829447)

ba-dum-tish

But seriously folks, it's not that Apple releases updates several times a year that's the important bit. It's that those updates are available instantly, worldwide, to everyone, on every carrier, to every device younger than about four years old, and the update process is so easy and convenient that everyone (close enough) installs the updates.

The biggest install base for iOS is always "the latest version". The biggest install base for Android is what, Honeycomb? Shit.

Re:It's not the frequency, it's the penetration (4, Informative)

Swampash (1131503) | about a year and a half ago | (#42829459)

The biggest install base for iOS is always "the latest version". The biggest install base for Android is what, Honeycomb? Shit.

Even worse, it's still Gingerbread.

http://bgr.com/2012/12/04/android-version-distribution-december-2012/ [bgr.com]

Re:It's not the frequency, it's the penetration (1)

ZiakII (829432) | about a year and a half ago | (#42829747)

Honeycomb was designed only for tablets........

Re:It's not the frequency, it's the penetration (1)

Belial6 (794905) | about a year and a half ago | (#42829589)

As a happy Android user, I have to concede that your point is valid. Fragmentation complaints are pure FUD. It is the lack of updates that is the problem. Apple did good in their negotiations with the carriers that allows them to update the phones directly. I would like to see Google move to a 3 tier setup for Android. 1 tier would be all of the drivers for the specific hardware. The second tier would be the OS itself. The third tier would be the carrier/manufacturer customizations. At any time, Google should be able to update the base OS whether the carrier likes it or not. Since the third tier would be apps installed over the OS, they should be no less compatible with the OS update than any other software. There is no reason that the carrier/manufacturer customizations should be anything more than apps that are installed by default.

Re:It's not the frequency, it's the penetration (1)

denmarkw00t (892627) | about a year and a half ago | (#42829593)

The biggest install base for Android is what, Honeycomb? Shit.

Try an earlier version, oh hmm ah, Gingerbread. [android.com]

Meanwhile at TCFKA RIM (2)

rueger (210566) | about a year and a half ago | (#42829507)

What? Android bad for corporate security? BYOD bad for corporate security?

Excuse me sir... {smile}

Is the solution paid OS updates ? (1)

obarthelemy (160321) | about a year and a half ago | (#42829519)

I'm wondering if the solution would not be for OS updates to be on sale, at a low-ish-price, i.e. 5 or 10 bucks. That way, OEMs can recoup part of their investment, and users can put their money where their mouth is. I personally don't care that much about OS updates, my Xoom has gone from 3.x to 4.0 to 4.1 and I really didn't notice any difference.

Fix Android (0)

Anonymous Coward | about a year and a half ago | (#42829525)

First fix the two most known design flaws:

1. Security model. Most apps have the "internet" capability already but don't actually need it. Many have more than one capability not needed by the application. Some might need it for very small operations but the trust is already rendered useless.

2. Play Store. Quite similar as point 1 mentioned above. The end user should judge the "trust" level of an app by reading the comments. I once installed an app reading 6 pages of "this is wonderful app 5/5 stars!" and every 7th page had "don't install it, it's a trap!". Despite being a malicious app it had 4/5 stars as the people giving the reviews were not enough to bring the average down (the 5/5 review spams).

3. Fix Java.

This is quite sad as the Android platform has some potential. And Google doesn't really care.

Hmm (2)

drolli (522659) | about a year and a half ago | (#42829533)

I always thought it's the responsibility of the manufacturer of the device to make a product which sticks to certain definitions. I don't see many Android products listed with security as a feature, therefore I also don't assume that the design of the preinstalled sw goes in that direction.

It's a feature, not a bug! (1)

Dr Herbert West (1357769) | about a year and a half ago | (#42829691)

Some of us look forward to the inevitable shitstorm and think this kind of excitement is just... great!

Obligatory Animal House [youtube.com]