Once again this falls back to your carrier or OEM providing OTA updates, and not so much on Android.
It’s a shame Android == Google and because of vendors' laziness we are left with a strong incentive to buy Google branded devices for the best experience.
I run a custom ROM and I’m happy with it. I do it for the more frequent security updates and feature pushes. Unfortunately when non techies ask me what phone they should get I usually recommend an iPhone, just for the security updates, and because custom ROMs are not practical for most users.
I’m doing the same, but even then. My Samsung S3 contains a lot of BLOBs that most likely have many (known) security issues and never get updated, even though CyanogenMod provides updates for Android itself…
Update: and also the Linux kernel is version 3.0.101, it is no longer supported upstream.
The author neglects, as many do, to mention the main reason for this and similar developments: the users don’t care and will not spend money on secure phones. The author also doesn’t mention there are suppliers of secure phones. Here’s a few for Android:
They cost a lot of money but mainly due to low volume. Brings us right back to the original point. They mention in the article that hardly anyone is putting security software on their mobile phones despite all the risks. There’s actually tons of vendors that go way past antivirus. Basically nothing spent. The manufacturers sell people what they will actually purchase instead of what they’re said to need. Almost all vendors of secure cell phones and alternative OS’s without huge app ecosystems went out of business or were acquired. They were punished for it. So, the manufacturers therefore shouldn’t give a shit about anything except what sells. Capitalism 101.
People on demand side need to demand, with cash ready, for a vendor to differentiate on basic security with steady, fast updates. An initial experiment might go further with suppliers taking the lead in a low-risk way. That would be to offer updates and maybe basic security apps for a monthly fee that’s reasonable. Similar to what people already pay for PC security software. That should cover the cost of developing and deploying infrastructure to patch all their images. They can even make some money off it. If customers don’t go for that, they shouldn’t give them shit because anything else will just be a loss on manufacturers' end.
I’m for sane regulations or liability on software. Meanwhile, we have a market-driven system where users don’t care about security in practice. They rarely pay for it. They’re getting what they’re paying for.
The cheapest of those phones is $600+ with the second cheapest being $1000+. Getting past the price-volume catch-22 is almost impossible.
For the largest part of Android’s user base, those prices, and even a quarter of the cheapest offering, are out of reach, and this is why I did not mention it. For many users, $50 is already a stretch (think outside of the US) and expecting them to pay even more for security when there are cheaper alternatives is going too far. You can blame the users if you want, but that’s not going to help solve the problem.
As I mentioned in the post, what has a real chance of improving things is Google playing a much larger role in forcing manufacturers (and carriers!!) to keep phones up to date.
“For many users, $50 is already a stretch (think outside of the US) and expecting them to pay even more for security when there are cheaper alternatives is going too far. You can blame the users if you want, but that’s not going to help solve the problem.”
It’s a fair point but kind of a cheat. You’ll actually get more insight looking at the other end of the market. For many users, they can afford the $600-3000 to have at least one private communications, storage, and/or computing device. This is everyone upper-middle class on up. Plus execs, I.P. makers, marketing, etc. for midsized and up businesses that can have the business cover it. Plus the government sector dealing with secrets under TS/SCI. That the many solutions available for this sell so low that they don’t show up in mainstream publications shows even this group barely cares about securing their devices vs Blackberries or iPhones as status symbols. This group is also smart enough to know better about the value of privacy & has people coming after them specifically. Still little uptake, although Cryptophone’s sales show a subset of them are wise. :)
Next we look at the other end of the market. They can’t afford cryptophones. The volume catch-22 might be impossible as you said. Is there demand, though? We can look at apps instead of phones as there’s private alternatives to a lot of them easily found with Google searches. Market share indicates almost nobody uses them. Even secure messaging that was usable, free (Signal), or cheap (Threema) hardly got uptake vs Facebook or WhatsApp. Same with storage, with them defaulting to whatever came on the phone or using a free service without much privacy like DropBox. Same for files on the phone. No demand in mass market = no reason to do anything for them. Whatever demand is there is tiny.
So, what to do? The answer is actually simple. I mean, Mr. Murphy tells us the simple things are always hard, but it’s simple. Users buy what they think is cool, has great cost-benefit, necessary, useful, etc. iPhones were cool/beautiful, Androids were like cheaper iPhones, Blackberries had great enterprise integration + management, Windows Phone had some of the support of Microsoft’s ecosystem, SymbianOS had… each of these things had a reason other than security to be successful in the market. Likewise, all the consumer gadgets, virtual/server appliances, SaaS apps, etc. The simple model is to build one of those that just incidentally does security right on the inside and operationally on the supplier side. It becomes an extra differentiator they probably don’t give a shit about, but at least you’re doing your part as an ideological supplier. Can also use yourself as a benchmark in the media against big players, showing how apathetic they are.
What you won’t do is convince people to buy secure phones. Not 90-99% of them. Still narrowing down the exact number. Building products and services that bake security in from the start with a guarantee that it will continue (e.g. in charter, EULA, and/or acquisition terms) is the best bet. I mean, it might be as simple as a nice-looking phone with good specs, a promise of no spyware, no bloatware, Advanced Task Killer etc. for power-saving, and the extra benefit of weekly to monthly updates. Throw some kind of paid, monthly service on top of it like automated backups of contacts and photos (include “you know the ones”). Anything to keep revenue in for a product they want, as security costs extra and you’ll need the revenue to survive while trying to change the mobile world.
Note: You’ll learn more about getting secure phone sales on Barnacl.es than here. Just a tip. ;)
BlackBerry’s Android line (PRIV, DTEK50, DTEK60) gets monthly security updates. The DTEK50 is US$229 (it’s a slightly modified and rebadged Alcatel Idol 4). Although I don’t know what the update lifetime for each device is.
Fairphone 2 gets monthly OS updates as well. Even the Google-free OSS version does: http://code.fairphone.com/
Awesome tip, thanks!
Do you have any Blackberry source I can link to concerning their security update policy?
The best I can find where BlackBerry themselves are specifically talking about monthly updates is this post, which is specific to the PRIV but was from before the DTEK ones were released.
Anything else official is just vague marketing things where they say they’ve been fast at getting updates out.
So in practice, the updates are happening, but they don’t have any official policy for them. At least not anywhere that I can find.
I added your tip to the end of the post: https://cpbotha.net/2016/11/27/android-security-in-2016-is-a-mess/ – thanks again!
I agree. I currently have (for a few months now) a support ticket open with LG asking them to update their flippin' software.
Let’s face it. Currently mobile phones are impossible to keep in a trusted, secure state.
Even dumb phones had a baseband - it’s essentially a device that’s loaned from a carrier.
I hate my Android phone with a passion. Even if I managed to convince Sony to release an upgrade for that model, I still would have to go through Orange, which was kind enough to fill it with irremovable crap (without rooting the phone).
The mobile phone landscape is in a worse state than IoT security - at least people don’t think their IoT shit is safe and most of them can be separated from the global network if you have to run one.
I’m fairly confident that my phone is secure enough to prevent it being remotely compromised by some bored ne'er-do-well whose only ambition is to take down Krebs’s blog. You don’t hear of smartphones being compromised on such a scale that they would set records for the DDoS traffic they’d produce.
Do I think it would be secure against a targeted attack by Mossad/FSB/NSA? Heck no, but if they were part of my threat model I’d be more worried about Hellfire or polonium in my drinking water.
Film at 11.