Timely Rollout of Google Security Patches

Samsung has released their August security patch.

https://security.samsungmobile.com/securityUpdate.smsb

For the avoidance of doubt, these security releases are comparable to (git) cherry-picking a hundred commits into the production build.

I had a look at the patches (see for example https://source.android.com/security/bulletin/2020-08-01) and most of them are just a couple of lines in one file (although a small number are significantly larger) and can be applied automatically (through, for example, git apply or another competent diff tool).

I’m quite stumped by the delays in pushing the security patches (in general, not only for FP). It seems that two developers could easily push the patches to a custom tree in a day or two, with another day or two for testing in a decent CD/CI process. How come phone manufacturers running custom Androids (like all of them) cannot push the customized security patches within days of the release of the security patches in the main AOSP tree?

Have I missed something?

2 Likes

Two things: Samsung is MUCH larger and probably gets preferred treatment from the carriers for having their updates tested.

AFAIK the OEMs get the patches one month before Google officially publishes the contents of the update, so they should have enough time to implement them in a timely fashion.

Fairphone seemed to have their things together in early 2020, when they managed to deliver monthly updates still during the month that the patch date displayed. But since then, speed and frequency have decreased significantly. Probably due to the fact that the whole process was of course impacted by the pandemic.

As far as I know, Fairphone has outsourced the OS development to a company in China. But I am not sure if that is true. Maybe @formerFP.Com.Manager can go a bit more into detail on this?

Best wishes - and things can only get better here
Thomas

1 Like

I wonder why Fairphone didn’t choose to implement Android One instead of its very close version of Android. Updates would be easier and faster.

To get security updates that are meant to be pushed monthly on a quarterly basis would, to me, be a reason to rethink my smartphone choice.

Sorry to say it that directly: From my humble point of view, people should better rethink using all these invasive services and apps from Google, Facebook, TikTok and all the others, because THIS is a real, existing, daily threat. Don’t get me wrong, security updates are very important indeed, but hands on: How big is the probability that your smartphone gets hacked because you haven’t installed the security patch released two months ago? Maybe if you are a super VIP or otherwise exposed person, but most people here are surely not.
I personally would rethink my smartphone choice if there was no alternative to a Google (or otherwise) infected OS.

1 Like

No offense, but this is just classic whataboutism.

No need to say sorry. There’s a lot of truth in what you say. I’m using the full Google Suite and WhatsApp so everything on my smartphone is probably going to Google and every message I get and write on WhatsApp is probably going to Facebook. In that regard I’m probably a glass person.

The thing is that I don’t really mind them getting my data, because at the moment it does not seem like they use it in ways that I mind. They use and sell it for advertising as far as I know, right? Well, you could speculate they do other things with the data, and maybe it’s true, but maybe it’s not. In that way I’d think scientifically and demand proof of harmful use. Not just proof that they could use it in a way that’s harmful, because that’s quite obvious. (If there is, I’d be really interested, because then I’d really rethink.)

I’m thinking about stuff like banking and passwords and insurance and things like that. Those should be rather safe in Google’s hands and probably profit from timely security updates.

In the end you are right. Trading your privacy for the comfort of the Google services and WhatsApp is potentially dangerous and a valid reason to rethink choices. But I think it’s kind of a separate point from the problem with security updates not being timely.

It’s not about whether or not users are VIPs. Data protection and data security should not be a privilege.

It is also about being able to use your smartphone seriously in a business environment. Updates are necessary in any case. But well, if Fairphone only wants to sell the devices for kidding, they don’t have to worry about that.

That’s another good point. In some businesses it’s mandatory to use a smartphone that’s up to date in terms of security if there’s anything business related on the phone… (luckily I’m not affected)

1 Like

Erm no. For me it’s weird to see that people are super concerned about security of their phones and the data on it (which is itself somehow weird because a smartphone is inherently an insecure device) while on the other hand they have apparently nothing to hide and hence use all the invasive apps and services with zero concerns and don’t care where their data goes. You see the contradiction? Data privacy and data security belong tightly together, you cannot really have one without the other.

That’s not my point, but you are right of course. The point is, in reality it makes almost zero difference if you receive a security update in this month or the next as long as you get security updates continuously.

4 Likes

Some of us don’t have the right to use a phone without security updates in our working environment, and it may make you laugh, but Android is commonly used in such environments with specific apps developed by these companies. It was already said in this thread, but it seems you don’t accept this reason…

In my company the security patch level has to be newer than one year. Which basically only shuts out phones where software support was dropped completely.

I know that other companies could be more restrictive, though. :wink:

3 Likes

In my company the phone is provided and it’s their business to take care of security patches. :wink:

2 Likes

For my part I’d be glad if @formerFP.Com.Manager could confirm if Fairphone really intends to only roll out monthly security patches every third month. I’m still not sure if I understood her statement the right way to be honest.

The security risk is relative to what you do with your device, and how careful you are and what you do to protect yourself.

If you have a phone and never switch it on, it’s secure, no matter what the security patch level is… extreme example I know, but you get the point. It’s not just up to OEMs to protect us. I’m more worried about the data I’m giving away freely right now than potential CVEs being exploited.

Although that doesn’t mean I still don’t want as current a security patch as possible. But it does mean I don’t demand new updates immediately, because the risks are small.

5 Likes

Everybody moaning about the lack of security patches: Please check the apps you are using every day, because some of them suck up (your) personal data (e.g. by reading the clipboard), and you do not even know about it. Someone can have their phone secured with the latest security patches available, but the real threats come from the apps someone uses. Just my two cents.

4 Likes

That’s exactly my point.

2 Likes

If these companies are able to develop specific apps, why do they not offer secure VPN to route internet data traffic through their business network which is secured by the firewall? Or do they mistrust their own IT infrastructure, too?

2 Likes

Why do you think it is not the case?

Everybody accepts a different level of security and I have no problem with this. You all think about stealing data, but it can also be about destroying your data, and yes, you can have a backup, and every Fairphone user has one since all are power users.

Erm yes. My thread was about Fairphone not providing Google’s monthly patches to its customers via Fairphone OS updates.

This has nothing to do with which apps people install and how thoughtlessly they configure and use them. Don’t get me wrong, I totally agree with you here - but that is a different kettle of fish.