Stagefright's vulnerability turned out to be more serious than anticipated. Analysis of the actions of Google and manufacturers, example Windows – in this rather voluminous issue of the Gazebo.
With security Android, today everything is far from so safe and so far there are no signs of movement to resolve the problem. The ecosystem does not cope with maintaining security and things will get off the ground only when it is too late.
Initially Android was conceived as a mass platform. Google started with a clean slate, with no market share, so the company was only too happy to provide everyone with the ability to change the OS at will in exchange for distributing it on manufacturers' devices. The marketing feed was not creative: 'Apple restrict you to one device (iPhone), for Microsoft you are just a customer, but in the case of Android determine what the final device will be. ' Open source Android allowed anyone to tailor the OS to specific hardware, and it was theoretically possible for OEMs and operators to alter Android or fork as they pleased.
Now Android occupies 75-80% of the global smartphone market and this makes it the most popular OS in the world, not only at the moment, but in the entire history of the mobile electronics industry. In this regard, the issue of security is sharply raised. Android still uses the same software update sequence that was developed at a time when the ecosystem really had nothing to update and which really does not work. Too many actors: Google releases Android for OEMs, they make their own changes and release code for operators who can also change parts of the software, and then a commercial product is released.
As you can see, the conceived scheme has long been unusable. And the ecosystem's reaction to Stagefright's vulnerability is further confirmation of how dire the situation is. According to preliminary estimates, about 95% of devices based on Android contain a bug that allows executing remote arbitrary code to receive an infected MMS from a video. Android has various protection mechanisms against losing control of your smartphone, but it gets scary nonetheless. As you would expect, Google, Samsung and LG have announced an early release of a security policy update for their devices as part of the 'Take Security Seriously' initiative. This 'patch' will close the vulnerability on 2.6% of active Android devices, this is the maximum they can achieve. The percentage represents the number of devices based on version 5.1 (at the time of this writing, early August, now this figure is 7.9%) and is only a bold assumption for the top and supported Android devices on the market. In reality, the number of devices that will receive the patch will be much lower.
Even taking into account the possible activation of vendors and the elimination of the vulnerability on all devices with Android 5.1, there will remain 92.4% of devices affected by Stagefright. The gradual update strategy Android does not even remotely resemble something suitable for an OS with twenty-four thousand (!) Individual models of active devices. In an ideal world, failing to update millions of potentially jailbroken devices would be sufficient reason for Google, OEMs, and carriers to sit down at the bargaining table, set aside their brand-specific standards and marketing-imposed differences, and say, 'We can fix this. '. Unfortunately, this is a utopia. In the real world, carriers and manufacturers want to have their customization tools in Android so they can advertise their apps. It seems that no one wants to take on the responsibility of providing aftermarket support for the millions of devices created and sold.
At a certain stage of acquaintance with the problem, it seems that for safety Android doomsday will inevitably come, as it was with the Blaster worm, and that it will become that incentive for real action to solve the problem. Stagefright is no joke, and the ecosystem response Android is only 2.6 / 100 of the required response.
Side Glance Windows
Everyone loves to compare Android and iOS, but such a comparison is not entirely fair given the fact that both software and hardware iOS belong to the same company. . Microsoft Windows could be a more comparable model for successful patch release. The system is very similar to Android in terms of hardware diversity, wide vendor support, and ubiquity. Microsoft has a centralized update system and OS that neither service providers nor manufacturers can interfere with. Due to the fact that hardware support is separate from the operating system and no one has the right to make any changes to the OS, Microsoft has a single code base for updating each version Windows, in this and there is a mature approach to the implementation of updates. This rapid update system has withstood constant security attacks over the years and in this regard Windows is fundamentally different from Android.
The completely closed nature of updates will not work for Android, this 'genie' cannot be hidden back in the 'bottle', however, in order to eliminate the current security threat, manufacturers and operators must agree with a lower level of access to the system. Operators must have a limited tier to custom applications, just like PC service providers. Manufacturers, in addition to the previous restriction, must have access to the system for changing the interface or changing the skins, which would allow them to carry out their favorite interface branding without affecting the main OS.
Not everything goes smoothly with the hardware. Android does not have the same level of hardware abstraction as x86, where drivers for the hardware can exist separately from the OS. ARM and Android are still working on an embedded OS model where generic device drivers are missing. This model will make supporting every update for every device a challenge and will likely require support from Linux and ARM.
Also, it is necessary to firmly dissuade manufacturers in their idea of a two-year update cycle for smartphones for the average user. According to the fragmentation study Android by Open Signal in 2015, the most popular Samsung device is the three-year-old Galaxy S III, and of the 10 most popular devices of the company, 6 devices were released more than two years ago, 2 are not flagships and are not will be updated to the latest OS version. The harsh reality is that manufacturers and carriers only support the devices that are on sale, hence the two-year upgrade plan. Samsung will rush to close the vulnerability on the S6, however, according to the aforementioned study, the smartphone is only 13 in the ranking. To really protect users, the company needs to release updates for the Galaxy S III, S4, and cheaper devices like the Galaxy Grand Prime. Of the top 10 devices, only one patch has been released, the Galaxy S5, which (surprise, surprise) is still on sale.
Microsoft, by contrast, is still releasing security updates for all versions Windows since Vista, which is about 86% of users. Remaining users are running XP, which Microsoft still offers paid security updates after a two-year free support renewal. 8 years for smartphones is, perhaps, a little too much, after all, 8 years ago few people knew about Android, but there is nothing reprehensible in striving to update the security policy of 85% of devices.
Ecosystem participants Android have no strong opinion on how security can harm other offshoots of companies' businesses. Google and Samsung are trying to enter the corporate market (Android for Work, Knox), but the reputation Android in terms of security could play a trick on both platforms. It will be difficult for corporations to take Android seriously when the OS is constantly 'shining' in the news related to vulnerabilities.
A thorny path ahead
Without any real solution to the problem, companies simply patch the holes they find. The application test environment Android promises to protect against exploits, the Play Store 'stronghold' will protect users from infected applications, and operators are working hard to block Stagefright-infected MMC messages. Google, in turn, will release all new components for Google Play Services, but still some aspects will require an over the air update.
In the ecosystem Android there is too little interest in user feedback to expect an immediate Stagefright solution. Operators and manufacturers do not want to side with users, and this selfish position has not yet met with any response. But the consequences are not far off. When the 'doomsday' strikes, users will deeply give a damn about the patch release limitation for the flagship two years ago if their device stops working or information is stolen.
Here's what a Google representative told us, whom we contacted for comments on the topic:
- At the moment, 90% of devices based on Android use ASLR technology, which can protect against the problem
- We have released a patch for the Nexus line and sent it to partners to protect users. Also, we plan to make it publicly available.
- The next version of Messenger will include a patch that will help eliminate the threat at the application level. After the update, the user will need to click on the video to play. We recommend that users of devices with versions Android of Jellybean and higher switch from their default SMS application to our product.
- In August, a patch will be released for the most popular Android – devices:
- Samsung Galaxy S6 Galaxy S6 Edge, Galaxy S5, Galaxy S4, Galaxy S3,
Note 4, Note 4 Edge- HTC One M7, One M8, One M9
- LG Electronics G2, G3, G4
- Sony Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact
- Android One
The main problem is that the flagship updates are not enough to secure most of the users, and there is no solution for the rest of the devices yet. The update model Android does not work and you have to start from scratch to rebuild it. Any ideas?
Original material by Ron Amadeo.
Elir: Arrow smart doomsday hours Android moved closer to midnight, at least that's how the situation looks. Google releases patches, manufacturers are trying to close the vulnerability on their own, operators are taking measures to the best of their ability, but the scale of the events is so huge that these actions are inconclusive. Moreover, in the context of the latest news that the new 'version' of Stagefright now attacks smartphones by playing infected MP3 files. There is no reason to panic as such, if you do not use unsecured clients for messaging and do not download programs from unverified sources. However, the inaction of companies, which should sound the alarm first, is somewhat alarming. We will follow the news.