No matter who is to blame, Google's name is on it so they own it.
"That Broadcom bug makes me not want to use anything other than an iPhone or Pixel."
That's what I heard from an admittedly security-conscious friend while we were talking about his next phone. The bug being referenced here, in case you're unaware, affected over 1 billion phones that use a Broadcom Wi-Fi chip and would have been an easy way for them all to be hacked in any number of ways.
Most likely the phone you're reading this on has a nasty, exploitable bug.
You don't have to worry about it if you have an iPhone or a Pixel (or any Nexus that's still supported) or an Android-powered BlackBerry because it was patched before it was disclosed to the public. But the Pixel, late-model Nexuses and Android BlackBerrys sold in minuscule numbers compared to all the other Android phones (I'm being very generous here). That means millions and millions and millions of other Android-powered phones are still vulnerable. Including the Galaxy S8, even though every Android partner has had access to the patch as long as Google and BlackBerry and Apple have.
In "real life" this is both a problem and not a problem. One thing goes hand in hand with every announcement of malware or other tricks and tools that can be used to remotely hack a phone: it almost never happens. But it still could. Simple logic says one day it will. And unfortunately, outside of some sort of government oversight on phone software (which nobody wants), there is no way to fix it.
Not long after the release of the HTC Dream/T-Mobile G1, a security flaw was found where anyone could take control via outside software. Early iPhones all used the same admin credentials for remote logins. This sort of thing comes with the territory — all software has bugs or holes that can be exploited. These early bugs were promptly fixed and updates were sent to the phones. That's not how it works anymore, at least for Android.
All software ever written has bugs. Good software has had them patched.
Because Android is given under an open-source license, Google has no control of how it's used outside of the requirements for access to Google Play and the associated apps. It's tough to wrap your mind around that unless you're familiar with open source software, I know. But Google simply can't force a company who makes Android phones into doing anything more than meeting a few minimum requirements designed to make them compatible with the APIs Play Store developers use to write apps. Even those are in question by courts in Europe.
This puts another company in control of the majority of the software we call Android, and with control comes a lot of responsibility. I truly believe Samsung (for example, and because it is such a large part of Android) cares enough to want all of its customers to be immune to things like the Broadcom bug. But that takes work and commitment that it is unable to give. It's not that Samsung doesn't care; it is just unable to fix it as fast because of how its business works. The same goes for every company that makes Android phones, possibly even more so because none have the resources that Samsung has.
It says Android right on the box, so this is Google's problem.
Software is hard. Doing it right — patching every known bug as soon as it's disclosed — is even harder. Adding yet another middleman means it's damn near impossible.
Ultimately, all this falls on Google's shoulders. The Android name is on the box, on the phone, and on your mind when you buy a new phone. This might not be fair to the people at Google who work hard to patch bugs and issue updates or security bulletins, but that doesn't matter. Android is Google's baby. When brand new phones from any company are running Android and have severe vulnerabilities, all eyes look towards Mountain View.
Google has done things to address the problem, and it is doing even more with Project Treble. I'm sure one of the long-term goals is to fix the issue somehow, whether that means a complete rewrite of the Android underpinnings or altering the usage license or pulling a rabbit out of a hat. It knows as well as we do that it owns this problem, and rather than cry foul it is trying to address it.
I hope it can do so before it's too late, because "not wanting to use anything other than an iPhone or Pixel" is a sentiment nobody wants to hear.
Reader comments
It's been 9 years and Android still has a bad reputation when it comes to security
That's an interesting read. But perhaps someone could explain why BlackBerry are able to patch their phones so quickly but Samsung can't?
Incentive maybe? BlackBerry has built their reputation on mobile security.
And that's the thing... I think you are overthinking this and it's a pointless topic to discuss. People who value security and appreciate companies that care buy Google phones or BlackBerry. Those who don't buy something else. It's a free market and people vote with their wallets. End of story. And I wish this topic would just be put to bed.
More important to them, BlackBerry has a reputation for being secure and they don't want to lose that just because of Android.
They WANT to patch their phones, that's the difference....
If they didn't, what exactly would be the reason to purchase a BlackBerry device? Not trying to bad-mouth the phones or anything, but that's one of their major selling points.
It depends on a lot of things in my opinion. In how many countries they sell, what kind of testing they do and so on.
Yes, Nexus and Pixel devices are the quickest to receive updates, but in all the years they've also been the ones with the most annoying bugs in my experience. On my Samsung devices I can't remember a big one (except during a beta test I opted in to), so I absolutely prefer slower but better tested updates over quick and dirty updates.
So how is this different from someone hacking the Wi-Fi card on your laptop? I think as the phone becomes more of a computer this will always be the case... not sure there's much you can do.
The opposite is true here. On a phone SoC, the Wi-Fi component isn't isolated the way it is on a PC. A WiFi chip on your PC acts on its own and is monitored by the system. On a phone, it's part of the system.
This should be, IMO, the catalyst to put BlackBerry in a stronger position with other firms like Samsung to work on a device that is more secure from the core and at each layer of the device. It would put a high-end BlackBerry device on the market and help both them and someone like Samsung. Win-win, if you ask me. But I wish it wasn't easier said than done.
Security on Android is fine.
Except it's not because most phones don't get the monthly security updates that Google releases. My unlocked Galaxy S7 was updated to the July patch yesterday but was previously on the April patch. 3 whole months without a single update and still on 7.0 not the latest 7.1.2. I'm going to get a Pixel 2 when it is released, I've had enough of Samsung's lack of updates.
Slow updates really don't bother me, I'd rather have better hardware and the extra software features. I have nothing critical on my phone.
You're in luck. My European unlocked HTC 10 is still on the January security patch :(
Yes and no.
It's fine as in nobody is getting hacked, at least not in any numbers worth reporting.
But very soon someone will find yet another flaw, and it will affect millions of phones. Google will patch it, and it will still affect millions of phones for a good while.
Isn't this already fixed on the Galaxy S8/S8+ with the July 2017 update?
For the models that got the July patch, yes. I'm sure the patch for other carrier branded models is coming shortly.
AT&T-branded S8 here and I got the July update in the middle of July. I've had an update every month with the S8. Maybe Samsung and AT&T are starting to care.
BlackBerry KEYone checking in :D
And still I haven't seen a single person who has been a victim of any malware on Android, whether in my own social circle or in forums. Personally I think that some people make it a bigger problem than it really is.
So how would those in your social circle know if they had been the victim of malware? Most malware is designed for persistent exploitation, whether it is clickjacking or turning your phone into a bitcoin-mining bot.
It is a problem, because some Android devices are literally the most secure mobile devices out there with iOS trailing somewhere behind less than ten devices. Problem is those 10 devices are less than 1% of the market. Most Android devices are still secure as long as morons don't sabotage their own security, but for the reasons provided, are much less secure than they ought to be.
Dealing with any non-Google or non-Apple OEM is dangerous in itself because of having multiple sets of privacy and security protocols. Example: Google is the best major company in this game for privacy, but if you have a Samsung phone, that doesn't help much because Samsung is absolutely terrible on both privacy and security, and your real protection is the weakest link... You get the worst of all the fingers in the punch bowl.
There are a few things required for you to be secure on Mobile.
1. You need to be on the most up to date OS version. Right now, that's 7.1.2 (or any of the Betas higher). Being on 7.1.1 or 7.1.0 or 7.0.x is not the same thing and is inherently less secure. Same thing applies to iOS builds, etc.
2. You need to leave your bootloader locked and avoid root, jailbreak, etc. Obviously there are reasons to do those things, but they all compromise security.
3. You must be on a device that regularly gets security updates within 48 hours of them being released. Right now that's Google, BlackBerry, Apple and sounds like Nokia is shooting for the same.
4. Your device must be from an OEM that isn't going to compromise your security off the factory floor. Huawei, Honor, ZTE and several others are off the list from the start. Note, the Huawei Nexus so far is the sole exception as they had almost no access to the software that they leave compromised on their native devices.
5. You must have Google Play Services working and on the latest version (on Android) and be using the Google Play Store as the source for all of your apps.
6. You cannot sabotage your own security by doing dumb af things, like disabling the security protections built into Android. If you have 1 through 5 going for you and avoid dumb af things, it is as close to impossible as makes all odds to become compromised without other factors being involved, such as a "hacker" having physical access to your device and knowing your weak ass passwords, etc.
All that hopefully sounds like common sense. If it doesn't, that should start some questions being asked.
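Points 1 and 3 in the list above both come down to one measurable thing: how far behind the current monthly bulletin a device's security patch level is. The script below is an added example (not from the article or any commenter) that turns that into a check. It reads the real Android system property `ro.build.version.security_patch`, which carries the patch level as `YYYY-MM-DD`, and reports whether the device is current or stale relative to a date you supply. The sample values at the bottom are constructed to match the situations readers describe in the comments (an S7 on the April patch in July, an HTC 10 still on January, an S8 on July); the one-month tolerance and the `adb` invocation in the comment are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit an Android device's security patch level.
# On a real device the patch level is read with:
#   adb shell getprop ro.build.version.security_patch
# Here the values are constructed so the script runs offline.

# months_between FROM TO  ->  whole months from FROM to TO (both YYYY-MM-DD)
months_between() {
  from_y=${1%%-*}; rest=${1#*-}; from_m=${rest%%-*}
  to_y=${2%%-*};   rest=${2#*-}; to_m=${rest%%-*}
  # Strip a single leading zero so 08 and 09 are not read as octal.
  from_m=${from_m#0}; to_m=${to_m#0}
  echo $(( (to_y - from_y) * 12 + (to_m - from_m) ))
}

# patch_status PATCH_LEVEL TODAY  ->  "current" if within one month of TODAY,
# "stale" otherwise. The one-month tolerance is an assumption of this example:
# bulletins are monthly, so anything older than last month's is behind.
patch_status() {
  age=$(months_between "$1" "$2")
  if [ "$age" -le 1 ]; then
    echo current
  else
    echo stale
  fi
}

# audit LABEL PATCH_LEVEL TODAY  ->  one report line per device
audit() {
  echo "$1: patch level $2 is $(months_between "$2" "$3") month(s) old -> $(patch_status "$2" "$3")"
}

# Constructed sample devices, checked against a constructed "today" of 2017-07-20.
TODAY=2017-07-20
audit "Galaxy S7 (unlocked)" 2017-04-01 "$TODAY"
audit "HTC 10 (EU unlocked)" 2017-01-01 "$TODAY"
audit "Galaxy S8 (carrier)"  2017-07-01 "$TODAY"
```

Run it with `sh audit.sh`; to check a connected device, replace the constructed patch level with `$(adb shell getprop ro.build.version.security_patch | tr -d '\r')` and today's date with `$(date +%Y-%m-%d)`.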
Security against third-party threats aside, people keep forgetting that Google and Android are, in essence, a colossal ad corporation whose platform works as a huge vacuum cleaner, scooping your data for its own use in the first instance and, when necessary, for the US government (much like the others: Microsoft, Yahoo, Apple etc). There isn't inherently any safety on any device we currently use, but regardless of what they do to pretend to be improving their safety, Android devices leak data round the clock. You need only download a traffic sniffer to see what happens on your device. It connects to Google headquarters, but also to NASA centers and pharmaceutical companies (depending on what app you are using). What these pings are doing and why they exist is unclear, because it's often individual non-Google apps doing the job and not Google itself. Google is the enabler. And it's agnostic. You can use QQ and WeChat and see your connection going through Shenzhen, where the base company is, but part of your data also goes through Beijing. In substance, neither the platform nor the apps are safe or secure by any means. And there isn't any alternative because people prefer free stuff and choice to security. And the two don't match well. You can't expect safety in an ecosystem based on fake free apps and a platform that's ad-based and works for a lot of entities, all of which seem very interested in knowing much more than they need about you. And it's in a regime of quasi-monopoly.