Platform Fragmentation as a Security Issue

Interesting article about the difficulty Google has pushing security updates onto Android phones. The problem is that the phone manufacturer is in charge, and there are a lot of different phone manufacturers of varying ability and interest.

Posted on February 11, 2013 at 6:49 AM • 28 Comments

Comments

indeed • February 11, 2013 7:13 AM

The telecoms where I live also produce their own build and never update the software again; there are countless people using 2.1 or 2.3 because they are still stuck in 3yr contracts.

Troels A. • February 11, 2013 7:40 AM

Fortunately most devices are easily rootable, which allows you to install custom ROMs that can keep you up to date.

I worry more about the lack of encryption on Android-devices. Apple were out pretty fast with a cryptographic TPM for their iPhones (since the 3GS), but many Android-manufacturers don't use one. That leaves the user with either no data encryption or software-encryption (which is painfully slow for mobile devices and degrades performance massively).

Hauke • February 11, 2013 7:41 AM

I am honestly shocked by some of the mistakes Google made with Android. Seems their Web-App-Beta-Releases workflow doesn't work well with hard- and firmware.

Y||B • February 11, 2013 7:44 AM

In the Android market, only Google itself and the community projects seem to care if their software gets patched.

The manufacturers and networks in contrast seem to be more interested in selling new devices/contracts. Unless there is a warranty on software, I also don't see that change.

As an example, I could name the US vs international Xoom 3G (Google did support the US version, whereas Motorola supports the international one), but there are dozens of others.

moz • February 11, 2013 8:38 AM

If the phone manufacturer is in charge then the phone manufacturer is responsible. We should be hitting out at them and the network operators. They are the ones who should be forced to provide the updates. Google even provides an own brand ("Nexus") for which they do the updates. These, whilst not perfect, have a far better record than any of the others. Anyone who is concerned about this should be telling their colleagues to only accept Nexus phones / tablets etc.

Chris • February 11, 2013 8:39 AM

Actually, the problem is the phone manufacturers and the cell carriers are both in charge. If it were just one or the other this problem would be a lot easier to fix.

Chris • February 11, 2013 8:39 AM

Actually, the problem is the phone manufacturers and the cell carriers are both in charge. If it were just one or the other this problem would be a lot easier to fix.

Chris • February 11, 2013 8:42 AM

Grr. Stupid double post. I blame the cellphone manufacturers. And the wireless carriers.

Peter Gowen • February 11, 2013 8:44 AM

It's worth pointing out that carriers often have as much power over updates. They'll signal to manufacturers which phones they think consumers will care about being updated, and sometimes reject manufacturers' updates if they don't function well enough.

Khurt • February 11, 2013 8:56 AM

"Fortunately most devices are easily rootable, which allows you to install custom ROM's that can keep you up to date."

Unfortunately Troels A., that's only a solution for the 1% of the user base that knows what that means.

Nicholas Weaver • February 11, 2013 9:20 AM

It's a big incentives problem:

Both the carrier and the handset vendor need to cooperate in securing updates. Yet since the vendors get no post-sale revenue, why should they spend the money? And the carriers charge the same whether it is an up-to-date phone or not.

This is very different from a Google Nexus phone or an iPhone, where the handset vendor gets significant post-sale revenue, so therefore benefits from users having updated devices.

Me • February 11, 2013 10:12 AM

@ Chris:

Huh, part of me figured the double post was on purpose to drive the point home that two is often worse than one.

tim • February 11, 2013 10:20 AM

@Troels A

Fortunately most devices are easily rootable,

There are three problems with this comment. The first is that the vast majority of people who use any type of device will have no idea what you are talking about. So being able to 'easily root' a device to 'fix it' is not a serious security control.

The second is that if you can 'easily root' your phone - so can malware. But I'm sure whatever anti-virus software you bought will catch that ... right?

And the last is that if you have to "easily root" your phone to actually use it - perhaps you bought the wrong phone to begin with?

AC2 • February 11, 2013 1:05 PM

@ Troels A

Sorry, but what does a TPM have to do with "either no data encryption or software-encryption"?

Wouldn't that be whether the ARM core supports AES/SHA instructions?

AC2 • February 11, 2013 1:16 PM

@tim: " if you can 'easily root' your phone - so can malware"

'rooting', in the Android context at least, is more often about using inbuilt functionality to load a ROM of your choice, rather than having to exploit a security hole...

But yes, 'easy' is relative, particularly if your phone doesn't have one of the official Cyanogen builds...

bitmonger • February 11, 2013 1:22 PM

@ACS

Actually lack of a TPM / smartcard or some other secure embedded hardware key storage is a problem. How should software encryption manage to provide at least say a 2^80 brute force when a phone is stolen while locked?

With s/key passphrase that would be an 11 word passphrase. That is a suboptimal user interface.

progeo • February 11, 2013 1:23 PM

There is nothing wrong with Android and Google!
My Google Nexus 4 has a system encrypting full mobile software, and if you lack it, why not try, for instance, Kaspersky Mobile software for Android?

bitmonger • February 11, 2013 1:24 PM

Replying to myself ... I mean 8 word password. There are 2048 words in s/key dictionary. So a 32 character soft keyboard unlock password. I mean could have a better user interface, but the point is, it's not a trivial problem...


Garick

Petréa Mitchell • February 11, 2013 2:26 PM

In the general case, it's even worse than that article makes it out to be. Since this is a text-messaging vulnerability, it's reasonable to assume it only applies to Android devices that are tied to current phone contracts and thus at least have the possibility of being updated. If something came along that affected all Android devices including the millions of tablets that aren't tied to phone contracts and thus are still running 2.x and will be for years to come, this would be nothing in comparison.

Troels A. • February 11, 2013 3:03 PM

@ tim:
Whether or not other users know how to root a phone is more or less irrelevant to me. While I would definitely like to see everyone get secure, I care the most about my own security.

Second of all, you don't seem to understand the process of rooting very well. It's not just something malware can do out of the box. It has to be done by the bootloader (which is locked, even for a rooted phone. Rooting a phone opens up the recovery to allow custom ROMs to be installed, but the ground-security still happens at the bootloader). Rooting your phone and using correct settings (Android also has its own kind of UAC for rooted phones) is, ultimately, going to give you more security than an unupdated unrooted phone, because you have very little control over the latter.

@ AC2: All CPUs (ARM, x86, you name it) can be programmed to do encryption - some just do it faster due to built-in hardware acceleration, so you can always do software encryption.

The difference lies in key-management and speed. Without a TPM, the keys have to reside in memory and can be dumped, and the CPU has to do the decryption/encryption which slows the platform down. With a TPM chip that has an embedded encryption processor, the keys are never exposed (even the user or potential malware can get to the keys). Also, since the TPM does the encryption/decryption work, the CPU doesn't have to do anything, which means there won't be any slowdowns like what some Android-devices suffer from.

As much as I dislike Apple and prefer Android over iOS, I must give credits to Apple for getting this right. Even law-enforcement have massive problems accessing iPhones with a string passphrase, and it's done by a TPM so there is no CPU slowdown to worry about. They were even smart enough to iterate the PIN/passcode hash 30000 times.

Jeff Williams • February 11, 2013 3:39 PM

This is the opposite of the monoculture problem pointed out many years ago by Dan Geer and Chuck Pfleeger. The question isn't whether diversity is a problem. The question is what's the optimal level of diversity and standardization to encourage a healthy security balance.

Craig McQueen • February 11, 2013 4:05 PM

@Nicholas Weaver:

"It's a big incentives problem:

Both the carrier and the handset vendor need to cooperate in securing updates. Yet since the vendors get no post-sale revenue, why should they spend the money? And the carriers charge the same whether it is an up-to-date phone or not."

Why should they spend the money? Perhaps for reputation, goodwill. Savvy customers would do their homework, and pick a brand with a good history. I try to do that when I buy something expensive.

Troels A. • February 12, 2013 3:29 AM

@ derp: No they don't. They have tools to brute-force the password. That's it.

I remember reading that the iOS TPM can only do around 70 PIN-guesses per second (because of the 30000 hash-iteration delay), meaning that once you go beyond a 5-6 character password (that involves letters, numbers and especially signs), it's going to get very hard to crack. An 8 character password that isn't weak to dictionary attacks is sufficiently strong to protect you.

AndyG • February 12, 2013 7:00 AM

Savvy customers can still get blindsided: it wasn't until after I'd bought my Moto that their (lack of) update policy became clear.

It would be nice to be able to get security updates from Android HQ instead of relying on the vendor -- much like we get Windows updates, regardless of the brand of PC we bought.

Rooting and ROMs are great for individuals but poor for the herd. Perceived risk/reward is balanced away from reward.

aaaa • February 14, 2013 5:32 PM

@Troels A Rooting has its own risks, especially for inexperienced users.

Android does not have passwd and any application installed on a rooted phone can get root access just by calling su. That is not secure at all.

Yes, I know that you can install SuperUser, but oddly enough it is not said in any rooting manual I found. An inexperienced user will not do it.

On the other hand, the first thing you find when you google "android rooting" is the One Click Root tool. It looks very attractive, because it is simple to use.

Unfortunately, that tool installs a browser hijacker onto your computer and god knows what other malware.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..