Timely Rollout of Google Security Patches

There’s a new /e/ update now and it got the patch level to July 5th.

1 Like

This is technically incorrect on many levels, and also harmful if people read it and think that DPI is a proper threat mitigation vector.

Secure the devices,

Then, please “enlighten” us…

Okay, since you ask for it.

No, a good business firewall filters connections which use common NAT-backports. A good business router rather has decent MPLS-support etc.

No. There is no magic here, you might think that is the case, but ask your IT when they last patched their firmware / software of the corporate firewalls. Remember that this is in a thread where people are upset due to lack of information and a three month delay of security updates (for mobile devices).

Most Internet data is encrypted, i.e. DPI requires either worthless encryption (such as SSL or TLS <=1.2) or you have a certificate problem since your client machines have to knowingly allow MITM attacks perpetrated by the firewall (do note that from a technical device perspective DPI is the same as MITM).

And yet I have not even gotten close to the issue that the purpose of mobile devices is their mobility. I just got agitated by the utter stupidity of suggesting DPI as a security measure (which somehow is an argument that up-to-date software on mobile devices is not really necessary?).

Also, how would you handle QUIC (which undoubtedly will become the standard transport in a few years)?

I mean, using DPI as a measure to secure mobile devices is similar to staying inside as a measure to prevent sunburn. It is a way of reframing the problem rather than offering a solution.

1 Like

Thanks for the information, well prepared. I have been referring to the point of view from @Alain_Guillet , and since you have been asking:

They update our Sophos UTM continuously, and yes, it defends us against known CVE issues as well.

Yeah, but there is no big reason to fear anything. In fact, people have become frightened due to various press articles, but seriously, who has been threatened? Does anyone of the readers really know how big the threat is to them? That is why I believe it might be much more important to scan various apps to find malicious behavior. (Remember, Android is not iOS.)

Just feel about it as you like…

2 Likes

I didn’t want to answer you anymore in this thread but since you cite me I feel pushed to do it. By the way, I think you don’t want to understand or, worse, you want to be right as suggested by your last sentence:

> Just feel about it as you like…

There are two things:

  • Some of us work in companies that require smartphones to have regular updates, and here we don’t know when the next one will be, if ever. Whether it is useful or not from an IT point of view is not the question, because it is compulsory (don’t forget deciders read the news :wink: ).
  • You are a power user and this is not the case for at least 80 % of Fairphone users. So they behave as they always do and they typically don’t pay enough attention to the apps or webpages they visit. If a security update can decrease the risk of trouble, why should we accept that there is none or that it is always delayed (June update at the end of July, 2 or 3 days before some phone makers announce they are deploying the August update)?

Yes, you are right that these security updates are not a panacea and yes, you are also right that we talk too much about CVEs in the news now, but security updates can reduce the risk for most of the users who don’t pay attention to what they do (there is a reason Microsoft now forces the updates of Windows 10 except for professional versions).
Note that I don’t care about Android upgrades since they are useless in terms of security.

4 Likes

Sometimes someone just has to accept delays in life. Ask Samsung why the A series of Galaxy phones gets security patches only every three months. Oh wait, these phones are not fair anyway, uh-oh! A billion dollar worthy company does not supply monthly security patches, that is pretty unfair! How can people even live with these Samsung phones? It is a disgrace!! [/sarcasm]

The reason is quite simple: a common home user has no IT security department, hence someone has to keep the system protected. Microsoft rolls out system security updates directly; they are capable of patching ANY (non-corporate) Windows system by themselves, while integrating security patches in Android is so much different, because every device has its own build supplied by the company that made it.

An ISO image of Windows will install on 99.9% of all modern PC systems, so be delighted to receive monthly updates on Windows patchday (which is every 2nd Tuesday of a month, BTW).

Maybe Samsung is to blame for not providing monthly updates for their Galaxy A series phones, but other vendors behave so much worse, they do not seem to care about security at all and just want to sell their cheap stuff. You can call that unfair! Seriously, are we really upset about a two month old security patch level, although we all know that Fairphone is aware of supplying security updates and will continue to do so within a reasonable timeframe? It takes time and money to implement and test (several) builds, and I bet Fairphone have to budget their resources very carefully, as we all probably understand that they have been manufacturing and selling niche products, so the profit they make cannot let them jump very far…

3 Likes

Why do people take bad examples to illustrate what they say? You take Samsung as a bad example, so I will take HMD as a good one. It is a much smaller company than Samsung but they can upgrade and update all their models.

You say updating and upgrading software has a cost and I agree on this. That is why for the same hardware you will find the Nokia phone (HMD) more expensive than a phone with no support. It is a choice a company makes.

I am quite surprised by what you say about Android since Google is so fed up with companies not updating fast enough that it updates more and more components of its Android software through its services. This is a contradiction of the peculiarities each phone has according to you. What was true a long time ago is no more.

Sarcasm does not help to discuss but I doubt you really care.

It is still true, you are referring to the next Android generation, Android 11, which follows this path. (Remember, the Fairphone 3 runs Android 9.) The message from Google directed to the smartphone vendors is: “If you cannot keep up with security patches for whatever reason” - and that seems to be true for Fairphone as well - “we will support you finally to get your act together.” And I am absolutely fine with that. Still it is an offer from Google, so what I would like to see from Fairphone is that they take this offer and make the Fairphone 3(+) run Android 11 in the future, that would be nice!

Every sarcasm includes some irony.

FYI:

The new FP3+ explains - in my opinion - a lot of the problems and concerns addressed in this topic.

Instead of applying monthly security patches, they seem to have focused on upgrading to Android 10.
Communication was bad, since they - understandably - didn’t want to blow the whistle, raise expectations and especially endanger today’s presentation.

And they were busy with some other projects as well:

  • the new FP3+
  • starting the Fair Cobalt Alliance
  • developing new materials.

It seems to be a tightrope walk, to secretly develop things while not disappointing (frustrated) customers. For me personally, they did it; but I can understand as well if others happen to disagree.

Edit:
PS @rae must have had a hard time, not being able to tell what’s going on while trying to appease angry and frustrated users. I hope she got some cheers today for managing this quite successfully. :grinning: :sparkler: :ribbon:

14 Likes

Now we should watch out in the future when FP starts having difficulties in rolling out regular updates again: it will probably mean they’re on to something big and that we should expect an announcement within 6 months! :wink:

5 Likes

It appears with Android 10 and not 11 (https://www.computerworld.com/article/3394578/android-security-updates.html) but it will take a long time before it completely replaces monthly updates, so we go back to the starting point :wink:

If I may just add to the discussion.

I do believe security and updates are important. I would like them faster. But I use my phones until they fall apart, which, credit to the manufacturers, is usually way past end of support. So a brand that offers updates for longer has my preference.

If I take a step back and consider that there are enough potential leaks for Google to even be able to put out a security update every month, this means that in general my phone is not safe. There will always be an attack vector that we don’t yet know about. And we won’t know how long it will have been out in the wild until it is caught and patched. It’s not like hackers wait until the previous lot is patched before they search for a new one.

In short, for me the sheer amount of vulnerabilities lessens the stress on timing a bit. These days social engineering and external companies not storing your passwords safely are a bigger threat for the average user.
If you work for a company that is the target of ransomware, I can understand an extra level of vigilance towards smartphones, especially for key personnel.

Are we, the IT security conscious people, equally vigilant with the air pressure in our wheels, the time of day we go out, the amount of hours we slept before driving, the expiration dates of our food, our weight, smoking? Some of these things could actually kill us.

I won’t buy a phone that doesn’t offer updates. The tempo can be a bit slower for me.

6 Likes

:100:
Totally agree!
Couldn’t have put it better!

1 Like

Just noted that my phone did a ‘google play system update’ today to 1st Sept patch level. So definitely already we’re benefitting from being on Android 10 :slight_smile:

4 Likes

Isn’t it just that Android 10 displays this information? AFAIK the play services used to update themselves independently anyway.

No. With Android 10, Google restructured the OS to take back control of some critical elements of the OS so that they could be updated independently of device manufacturers (like the media framework). It means they can apply critical bug fixes, and do so on a monthly basis. These elements are collectively called the ‘google play system update’ and are separate from both ‘google play store’ and ‘google play services’, which are all independently updated too.

You can check the google play system update in Settings > About Phone > Android version > Google Play system update.

6 Likes
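Alongside the Settings path above, the patch level can also be read from the device build properties over adb. The script below is an added example (not from any post in this thread): it parses constructed `getprop` output for the real `ro.build.version.security_patch` property and flags a patch level older than a chosen number of months, which is the kind of check an IT department would run against a fleet.

```shell
#!/bin/sh
# Added example: check an Android device's security patch level for staleness.
# SAMPLE_PROPS is constructed to look like `adb shell getprop` output; on a real
# device replace it with: SAMPLE_PROPS=$(adb shell getprop)
SAMPLE_PROPS='[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-07-05]
[ro.build.fingerprint]: [placeholder/fingerprint]'

# prop_value KEY PROPS: print the value of KEY from getprop-style output.
prop_value() {
  printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# months_between EARLIER LATER: whole months between two YYYY-MM-DD dates.
# Leading zeros are stripped so "07" is not read as an octal literal.
months_between() {
  y1=${1%%-*}; r1=${1#*-}; m1=${r1%%-*}; m1=${m1#0}
  y2=${2%%-*}; r2=${2#*-}; m2=${r2%%-*}; m2=${m2#0}
  echo $(( (y2 - y1) * 12 + (m2 - m1) ))
}

# patch_level_status PATCH TODAY MAX_MONTHS: return 0 if the patch level is at
# most MAX_MONTHS behind TODAY, otherwise print a warning and return 1.
patch_level_status() {
  age=$(months_between "$1" "$2")
  if [ "$age" -gt "$3" ]; then
    echo "STALE: patch level $1 is $age months behind $2 (limit $3)"
    return 1
  fi
  echo "OK: patch level $1 is $age months behind $2 (limit $3)"
  return 0
}

# Stand-alone run: compare the sample device against today's date, allowing
# a two-month lag. The `|| true` keeps the script from aborting under set -e.
patch_level_status \
  "$(prop_value ro.build.version.security_patch "$SAMPLE_PROPS")" \
  "$(date +%Y-%m-%d)" 2 || true
```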

Ok, thanks for the clarification.

In which of those categories falls the exposure notification api that “magically appeared” when the FP3 was still on Android 9? “google play services” if I understood you correctly.

2 Likes

Yep, the exposure notification is part of the play services.

3 Likes