Silicon Shecky

Infosec Practitioner

Connect

Security Slimebags or How to be forced to pay for security

By Leave a Comment

Android is the most popular mobile OS in the world. It also has some of the most frightening security holes, currently Stagefright. The carriers know this and use it to legally to seemingly extort their customers.

Apple has one thing that Android doesn’t have, and that is a decent patch cycle. You can see people still using the iPhone 4s today. They don’t have to get a new device just to be secure, but not everyone likes the iPhone. Android, on the other hand, is awash in situations. From the heavy fragmentation of the OS, to the majority of phone snot getting critical security updates thanks to the carriers, it really is the wild west. The best bet is to get an unlocked phone that will get updates directly from Google, but the cost of an unlocked phone is high, and the everyday person might not realize that is an option.

Carriers such as Verizon, AT&T, T-Mobile, and Sprint know this and use it against the everyday person. Heck, last year when Android 5 came out, the list of phones to get it included mine. I still have not seen that update, even though Android 6 was just announced. So in my wisdom with Stagefright out there, now in two versions original and even better, I went through my phone settings to see when the last update was pushed out to me. The answer was June, before Stagefright, even though there have been patches made by Google and approved by the phone makers to patch Stagefright version 1, and soon version 2. Now why would a carrier not push out such critical patches? The only answer I can come up with is profit.

Think about it, they don’t send out the patches, you need a new phone to be secure! With the changes all the companies have been making this year to move away from plans and phone subsidies, it is the perfect plan. Extort the customers to make them secure! It is a perfect plan, especially considering no one has done the one thing that could end this. Sue the carriers once hacked. Lawsuits, especially class action ones are going to be the only way to get non-rooted, locked phones timely updates. The carriers have to be held responsible. The problem is those of us that know the carriers are doing this, root our phones, or get the Nexus line of phones. The lack of communication with the layman who uses an Android phone, continues to allow this pattern to continue.

The only other option is for everyone to move to iPhones, but without the competition how bad will the iPhone get? Think about it, most of the “great new features” on a iPhone are features that were already available on an Android phone. Apple just refines the feature a bit and whammo, now people are saying how Apple invented x, y, and z. Without Android what would spur iOS’s development?

One last thought though on all of this, and that is mobile payment, buying things online. Maybe someone else out there knows, but doesn’t being able to use your phone to make payments and the way it does subject the phones or carriers to some part of the PCI standard? If so, how many of us or them are truly compliant?

Android Security: Google or Carriers issue?

By Leave a Comment

In the world of Android a couple of disturbing articles have come out recently. Google is no long patching 4.3 (Jellybean) and earlier versions. Also the amount of malware for Android increased by 75% last year. This begs, who is to receive blame on the vendor side?

We all know people do not patch apps. Maybe they don’t like “new” terms that come with the update (most terms are the same as the prior versions). A lot get not the best information. Patching is important, and we all know that. In the world of PC’s we all know about Patch Tuesday (Microsoft, Adobe), and know how long it can take Apple to patch flaws in OSX and iOS (which they completely control and is out of the carriers hands). So what about Android, the worlds most popular phone OS?

The announcement this week that Google is no long patching WebView for versions 4.3 and earlier started me thinking more about this. Yes, Google is “abandoning” 930 Million users. Yes, They come out with new versions of Android so fast that the OS is fractured all over the place. The question is though, is Google doing the right thing? I personally think so. The reasoning why places a bunch of blame on the carriers.

Outside of iOS (iPhone), the carriers control when consumers get updates to their Android (and Windows) phones. In the world of Android, Google announces a patch, update, new version, then it gets sent to the device manufacturers. They have to test against their hardware and customization that they have done to Android for their devices (the look and feel of the OS you see). Then it gets sent to the carriers (Verizon, AT&T, Sprint, etc.) where even more testing has to be done against the carriers modifications to the OS (special built in apps, their radios, any network lock downs or features such as tracking cookies). Basically once Google releases the new version/patch/update getting it onto most peoples phones is out of their hands, the exception being the Nexus devices which Google controls. The longer an update take to get out there, the more chance there is for a breach. The easier it also may be for malware to get on the phones, and could be a reason the amount of malware for Android increased by 75% last year.

So the question arises, why does it take so long to hit our phones. the obvious and simple answer to me is money. Why bother pushing patches and updates, let alone new versions of the OS to phones especially ones that are only a year or two old, when you can try to force people to get new hardware, and either extend or get new contracts to get the latest? Security as a Service you can almost think of it as, but not quite. Seriously, the carriers have a cash cow on their hands with Android and doing things this way. The lastest verion of iOS is out and works on phones that are years old. Apple has it available for those older phones through their updater, although some features may not work on the older phones, it is still available. I am by no means an Apple fan, but the control they have over their updates is what Google needs to have over Android. The carriers don’t care, and won’t unless they lose some major lawsuit because someone’s phone got hacked due to a security update not having been available for that model. When I tweeted to my carrier (Verizon) about this, they sent me a link to their “news” page which has no information on updates. I also tweeted them back as they asked about what I was looking for (latest Windows Phone update, Android Lollipop) for specific devices. Never heard back from them.

The bottom line on this, from my perspective, is that both Google and the carriers are to blame. Google is to blame, not for not patching, but for not controlling the push out of patches and updates to the OS, and the carriers for not pushing out updates and patches in a timely fashion. Until this gets resolved, Android is going to stay heavily fragmented, and security for everyday peoples phones is going to be shaky at best.