Samsung Decides Not To Patch Kernel Vulnerabilities In Some S4 Smartphones

An anonymous reader writes: QuarksLAB, a security research company, has stumbled upon two kernel vulnerabilities for Samsung Galaxy S4 devices, which Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat. The two vulnerabilities (kernel memory disclosure and kernel memory corruption) were discovered in February 2014 and reported to Samsung in August 2014, affecting the samsung_extdisp driver of Samsung S4 (GT-I9500) devices. Bugs break ASLR and lead to denial of service (DoS) state or even elevating attacker privileges.

The new normal for Android

[Anonymous Coward]

The number of exploits is increasing exponentially but the vendors are scaling back security patches across the board.

MBA's FTW.

Re:The new normal for Android

[sexconker]

Yup, Android is no longer a platform I can recommend.
Of course, iOS isn't either, and MS burned all bridges with Windows 10, so fuck it, I'm not buying any shit from you assholes anymore.

Re:The new normal for Android

[AK Marc]

Android is safer if you root it and abandon the official versions. TouchWiz isn't that good anyway. Every other maker's UI is better than TouchWiz. My S3 was abandoned on an old version of Android, but I'd have to go boot it to see what. So Samsung has a habit of abandoning older generations. And iOS isn't any better, with less than 1 year support for my 3G, about the same as I got on my S3.

Android has the slight edge, because I can root it and go with a generic, or use a maker like Oppo with weekly OS updates, if you want to update that often.

Re: The new normal for Android

[cyber-vandal]

Great if CM support your phone. I've got a Note 2 and there's been no new milestone for a year. In any case isn't this a bug in the Samsung drivers so I'm not sure how CM would be able to fix this one.

Re: The new normal for Android

[drinkypoo]

Great if CM support your phone. I've got a Note 2 and there's been no new milestone for a year. In any case isn't this a bug in the Samsung drivers so I'm not sure how CM would be able to fix this one.

Forget CM, go to XDA and look for other ROMs for your phone. Based on a quick glance over the appropriate forum, I suggest Resurrection Remix [xda-developers.com]. Yeah, the names of these things are ridiculous. I'm running something called "KatKiss" on my Asus Transformer Prime. You can have it with a choice of three kernels, two without fsync (internal flash is abysmally slow) and one with. I am using the one with because data is more important to me than a couple more frames per second.

Re:

[dotancohen]

Forget CM, go to XDA and look for other ROMs for your phone.

I would love to know how to do this. Go ahead and call me an idiot, but I've gone through the ROMS for about a day and a half and then asked on the forums for suggestions, but I got no help on that:
http://forum.xda-developers.co... [xda-developers.com]

How does one "look for other ROMs" and know if those ROMs support the needed features? Especially for devices such as the Note which have exceptional hardware that may not be supported in the ROM (S-Pen).

Re:

[drinkypoo]

I would love to know how to do this. Go ahead and call me an idiot, but I've gone through the ROMS for about a day and a half and then asked on the forums for suggestions, but I got no help on that

OK, here is your short short short form of how to change your ROM.

Step 1, find your ROM. First, you go to XDA-Developers and find your device, then you look at the first page or so of the applicable "Android Development" forum at the different active threads. If you have an enormously popular device, you will also want to look at page 2. Look for threads with high post counts. The thread titles should tell you which version of Android the ROM is based on. Check inside the threads to see what is working/nonw

Re:

[ArmoredDragon]

You didn't answer his second question though, which was finding out which features a rom supports. On my Galaxy Note 4, basically no AOSP roms support the fingerprint sensor (not a big loss, admittedly) they don't support call recording apps (and before somebody rants, yes, it's legal to record your own calls in 40 states even if the other party isn't aware) and they don't support amr wideband (aka HD Voice.)

I presently use AICP on my Note 4. It has a call record option in the dialer app, but it isn't autom

Re:

[drinkypoo]

You didn't answer his second question though, which was finding out which features a rom supports.

Yes I did. "Check inside the threads to see what is working/nonworking."

Re:

[ArmoredDragon]

Yes I did. "Check inside the threads to see what is working/nonworking."

That rarely if ever covers that though. Take for example the HD Voice and voice recording features. None of the roms mention that those don't work, you just have to find out after installing it.

Re:

[drinkypoo]

That rarely if ever covers that though. Take for example the HD Voice and voice recording features. None of the roms mention that those don't work, you just have to find out after installing it.

Sorry you've found that to be the case. For all four of my android devices covered on XDA-Developers (nobody there cares about the mk908, you have to go to freaktab) the information is quite good.

Re:

[macs4all]

OK, here is your short short short form of how to change your ROM.

OMG, I feel like I' m taking Crazy Pills!

Let me get this straight: (And this is to all of those who are advocating "Custom ROMS") :

1. There is a Security Vulnerability in the "stock ROM" of some Device.

2. OEM abandons said device.

3. Device is on a platform with a longstanding and nearly Universal practice of doing exactly this same thing, time and again.

4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, un

Re:

[drinkypoo]

4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, unsupported, un-vetted "Custom ROM" from the Internet.

Who's gonna steal your antique phone?

Given that the Custom ROM could very well be a Trojan itself, doesn't this cycle seem like the "cure" could be just another disease?

You don't think anyone would notice? I do.

And even if that isn't the case for a particular iteration, doesn't the next vulnerability simply end you up at Step 1, above, but simply with the "Custom ROM" instead of the OEM ROM?

Nothing is supported forever. When Apple drops an iDevice, you're just fucked. When an Android device is dropped, at least there's hope.

Re:

[macs4all]

4. Suggested Solution is to remain on said Platform, and purposely and permanently break Device's bootloader's security in order to install random, unsupported, un-vetted "Custom ROM" from the Internet.

Who's gonna steal your antique phone?

WTF are you even talking about?

Given that the Custom ROM could very well be a Trojan itself, doesn't this cycle seem like the "cure" could be just another disease?

You don't think anyone would notice? I do.

Maybe, maybe not. Depends on a bunch of factors, not the least of which is the User's ability to look in the right place, get the download from the right place, etc. Far too many variables for something so critical.

And even if that isn't the case for a particular iteration, doesn't the next vulnerability simply end you up at Step 1, above, but simply with the "Custom ROM" instead of the OEM ROM?

Nothing is supported forever. When Apple drops an iDevice, you're just fucked. When an Android device is dropped, at least there's hope.

Ah, but that's the difference that makes ALL the difference: Almost ALL Android Devices are "Abandoned" on the day you buy them; but almost ALL, if not ALL, Apple Devices are supported for two years or more; by which time, most users are shopping for an Upgrade anyw

Re:

[drinkypoo]

Almost ALL Android Devices are "Abandoned" on the day you buy them;

Literally the only Android device I've got which got no updates is the Sony Xperia Play. I learned my lesson, and Sony can DIAF. (They explicitly promised ICS for it, but never delivered.) Every other device I've got has had at least two substantial upgrades, or will be getting them. TF201 got two. Moto G had one, is getting another. Nexus 4, not a problem. My crappy MK908 TV stick had two updates. All of these devices got at least a couple of years of support.

YOU brought up length-of-OFFICIAL-Support. you lose.

You don't even understand the argument, iFanboy

Re:

[macs4all]

Almost ALL Android Devices are "Abandoned" on the day you buy them;

Literally the only Android device I've got which got no updates is the Sony Xperia Play. I learned my lesson, and Sony can DIAF. (They explicitly promised ICS for it, but never delivered.) Every other device I've got has had at least two substantial upgrades, or will be getting them. TF201 got two. Moto G had one, is getting another. Nexus 4, not a problem. My crappy MK908 TV stick had two updates. All of these devices got at least a couple of years of support.

If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

YOU brought up length-of-OFFICIAL-Support. you lose.

You don't even understand the argument, iFanboy. The argument is that once official support is over, your iDevice is garbage. At least there's a chance that someone will support your Android device. Now go throw your old Apple devices in the landfill and shut the fuck up.

Well, at the expense of possibly making part of your argument for you, even after Apple ends Official support for a particular Device, which is almost always long after that device is pretty-much completely out-of-circulation, you aren't screwed. For example, Apple produced [wikipedia.org] iOS 5.1.1 in May, 2012,

Re:

[JonJ]

Discussing with someone who's so deluded he thinks the XDA developers forum is a good place to get ROMs is meaningless anyway.

Re:

[drinkypoo]

If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

Because there are so many more Android users than iOS users, and because they are less willing to give Google a free pass than iOS users are Apple.

But even after that completely reasonable length of OFFICIAL support, those few that are still rockin' that "antique" kit are free to Jailbreak their iOS devices, and take their chances with "Custom ROMS" from sources like Cydia.

Cydia offers an alternate app store, not iOS updates. It's equivalent to rooting, not to reflashing.

Re:

[macs4all]

If this is such a non-issue, then why have there been hundreds, if not thousands, of posts by frustrated Android users, and dozens of articles ( including the one you and I are posting under), that say differently?

Because there are so many more Android users than iOS users, and because they are less willing to give Google a free pass than iOS users are Apple.

Boy, anyone who has hung around Mac-oriented Forums knows what a larf-riot THAT comment is! Apple Users are some of the pickiest mofos you'll EVER see!

But even after that completely reasonable length of OFFICIAL support, those few that are still rockin' that "antique" kit are free to Jailbreak their iOS devices, and take their chances with "Custom ROMS" from sources like Cydia.

Cydia offers an alternate app store, not iOS updates. It's equivalent to rooting, not to reflashing.

Meh, I will admit I never was interested enough to really know what Cydia was, and wasn't.

Re:

[macs4all]

Discussing with someone who's so deluded he thinks the XDA developers forum is a good place to get ROMs is meaningless anyway.

I defer to your superior knowledge on that subject!

I assume there are perfectly conscientious makers of Custom AOSP builds, and that some of them might even have good enough compatibility for a few handsets to make it tempting to load them; but even without the Trojan factor, there still are significant compatibility problems with enough Devices that it seems dangerous to mess with unofficial ROMS.

Re:

[drinkypoo]

Boy, anyone who has hung around Mac-oriented Forums knows what a larf-riot THAT comment is! Apple Users are some of the pickiest mofos you'll EVER see!

Nonsense. They will cry about things they don't like, like the Macintosh developers of old complaining about every little change Apple made, but they won't actually do something about it and leave the platform. They're not picky at all, they're just whiny.

Meh, I will admit I never was interested enough to really know what Cydia was, and wasn't.

But you were happy to present incorrect information about it as if you knew what you were talking about anyway. One button 4 life!

Re:

[dotancohen]

OK, here is your short short short form of how to change your ROM.

Step 1, find your ROM. First, you go to XDA-Developers and find your device, then you look at the first page or so of the applicable "Android Development" forum at the different active threads. If you have an enormously popular device, you will also want to look at page 2. Look for threads with high post counts. The thread titles should tell you which version of Android the ROM is based on. Check inside the threads to see what is working/nonworking.

Thank you, I see that you really are trying to help. The issue with checking what is working/nonworking is that each thread has on average hundreds of replies, some in the tens of thousands. I _have_ gone and read them, and I still don't know what has been resolved or not. Examples, from the current first page of results:

XDA: DEVDB [ROM] [5.1.1] DarkLord Note 5 Full Port (Fastest, Smoothest) [03/10/2015] 1 2 3
Replies: 10,717

XDA: DEVDB [ROM][AOSP]Minimal OS HLTE Unofficial 2015/10/01 1 2 3
Replies: 38

Re:

[AK Marc]

Sold as new in June 2010. Last update or patch, 4.2.1, November 2010. 6 months support. No patches after that.

Re:

[AK Marc]

Nope, the wife, who loves Apple, got one on discount. No mention of "discontinued" at the time. 6 months support on a new device. That's my experience with Apple. Funny how so many here try to convince me that reality is wrong.

Re:

[Lumpy]

Arduino phone....

http://www.instructables.com/i... [instructables.com]

If you control the source.... you control the spice....

Re:

[BronsCon]

Android is fine if you get a Nexus device and either install something like Cyanogen or make sure you install Google's updates as they're released. I took the latter route and the updates are flowing.

Sure, they only promise to keep those updates flowing for 18 months after they stop selling it (or 3 years from when they started, whichever is longer) but I'm likely to have already replaced this phone by that point, anyway; and if not, Cyanogen.

Re:

[BronsCon]

Get the Nexus 6 and a HOTG SD reader if you need SD card support. You won't regret it.

Re:

[macs4all]

Of course, iOS isn't either, and MS burned all bridges with Windows 10, so fuck it, I'm not buying any shit from you assholes anymore.

There are many reasons why iOS shouldn't be recommended, but one thing that Apple actually should have some cred for is that they provide updates for fairly old devices. As far as I know Apple still supports the current version of iOS on devices as far back as iPhone 4s (released in 2011). That's quite remarkable to even have two years of supported updates in the Android world.

And on the Tablet side of things, Apple has continuously supported the iPad back to the iPad 2 (2011), too, up through the present, even doing updates specifically designed to improve performance under a newer version of iOS.

Re:

[macs4all]

And you'll see that they didn't really do a good job. Do a google for "slow _____ after update" and watch the complaints flow in.

That's one of the main things about Android -- the hardware and support software / features come in fast and hard... After two years, things start getting slower because of new features.

It pretty much follows this cycle with iOS:

Version x.0 comes out. People bitch to high-heaven about broken/slow stuff, battery drain, etc. REAL bugs are present. Only the brave and foolhardy install this version.

Version x.0.1 comes out, usually within a week. Some bitching subsides, some continues. Version x.0.2 comes out about 2 weeks later. Most bitching stops. A few random people still have (imagined?) issues. Version x.1 comes out about a month or so after x.0. Bitching ends from all but the small g

Re:

[account_deleted]

Comment removed based on user account deletion

What kind of dumbass company...

[tlambert]

What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone. Your contract will be up in 2 years, and at 18 months, you will be offered a new phone with early renewal, so just wait until the contract is up, re-up the contract, and get the new phone with the fix.

KTHX BAI.

Re:What kind of dumbass company...

[TheRaven64]

Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone.

Sure, but the new phone I get will be from a vendor that I can trust to support it for its lifetime. I may upgrade my phone after 2-3 years, but I'll probably hand the old one off to someone else or use it as a spare. If the phone becomes useless after 1 year, then I'll factor that in when I calculate the value of the phone - if I can amortise the cost over 4 years rather than 2, then the cost of the phone is not as good.

Your contract will be up in 2 years

What kind of idiot signs a 2-year phone contract in 2015?

Re:

[thegarbz]

What kind of idiot signs a 2-year phone contract in 2015?

Was this a rhetorical question? Because the answer is most people.

Re:

[TheRaven64]

Really? Where on earth do you live? I'm not sure anyone in this country still offers two-year contracts. Most people are either on pre-pay or one month rolling contracts. 18 months is about the longest, and they're rarely much cheaper than the one-month version, so there's little incentive to sign up for them (especially given that you're likely to get a better deal in six months, so being locked in for 18 months doesn't make sense even if it is cheaper at the start).

Re:

[thegarbz]

Australia, Europe, China, a few years ago Canada. The vast majority of the people are on 2 year contracts which come with a phone. The 2 years is up (well in reality the 1 year and 11 months is up because god forbid a carrier lets a competitor offer you something first) and you get a "free" phone (which isn't really free but people believe it anyway while they keep paying). The people on pre-paid schemes are school kids who can't legally sign up to a contract but are able buy a phone and pre-pay, and the pe

Re:

[Threni]

> What kind of dumbass company is going to spend money porting a new version of an OS to an old platform,
> with no payday for doing so?

Well, that's kind of the point. Companies should be forced to state up front how long the phones are going to be kept up to date (from both a security and Android version point of view) and if they don't they can be sued for breaking the terms under which people bought the phones in the first place.

No-one expects Microsoft to provide updates for windows xp, but they d

the kind of company that wants my $$$

[mschaffer]

These "dumbass" companies have a few more generations of device sales before this becomes a major problem. Then something has to give.

Re:

[jeremyp]

What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

Apple.

Well, OK there must be a payday. Perhaps they see the fact that you can put the latest iOS onto a 4s as a selling point. i.e. if you splashed the cash for one in 2011 you would feel better knowing that, theoretically, you could still have the latest OS four years later even if unreality you replace it after two years.

Re:

[Lumpy]

Port it? are you really that completely clueless?

You simply fucking compile it with the same compiler flags you used for the first version. Compiling android 5.1 for a 4.4.4 phone is absolutely trivial.

And how about just release the god-damn bootloader lock so if people want to do it themselves on out of warranty hardware, they can. HTC and Samsung HATE their customers by locking the bootloader down so hard it's insane. Latest samsung phones are deemed to never EVER be able to run a full cyanogenmod.

Re:

[BronsCon]

The problem is the stupid skins manufacturers are putting on top of Android to "diferentiate" themselves from the competition. Those need to be updated to work properly with whatever has changed under the hood in the new Android version. And they don't want to do it.

Not sure what you're talking about re: HTC locking down their bootloaders, they have a developer site where you enter your IMEI and get instructions for unocking your bootloader. Unless you're on AT&T or Verizon; they *require* locked boot

Re:

[BronsCon]

What advantage do you get by changing to a different bootloader when the one on the device will load whatever you tell it to anyway? S-ON also prevents malicious entities (or software) from modifying your bootloader (e.g. to inject malicious processes at boot time) and radios (e.g. to force connection to rogue towers), in case you're an interesting enough target for those types of attacks. For the record, S-OFF is possible on HTC models that I have seen; I had it on my M7 and my friend's M8, so I'm not sur

Re:

[tlambert]

Port it? are you really that completely clueless?

You simply fucking compile it with the same compiler flags you used for the first version. Compiling android 5.1 for a 4.4.4 phone is absolutely trivial.

You obviously do not *get* how Android partner companies deal with porting android. Most of the bits for various phones do *not* get integrated back into the main line sources.

Any given android version on any given phone is generally a stable snapshot of whatever was top of tree when the work on the phone started, plus local additions for device support.

Internally, Samsung treats each new phone as a one-off porting job. They've got an entire group that does nothing but one-off ports of whatever is a top o

Re:

[macs4all]

What kind of dumbass company is going to spend money porting a new version of an OS to an old platform, with no payday for doing so?

Mobile phone vendors make their money selling new phones. You want a new Android, get a new phone. Your contract will be up in 2 years, and at 18 months, you will be offered a new phone with early renewal, so just wait until the contract is up, re-up the contract, and get the new phone with the fix.

KTHX BAI.

Why, as shown by this chart [wikipedia.org], that most evil of evil companies [apple.com] (according to many Slashdotters), that's who!

Why aren't there lawsuits over this?

[Rainbow Nerds]

I don't understand why phone manufacturers and carriers don't get sued for things like this. Carriers have typically required two year contracts for phone subsidies, and normally it's possible to buy a phone two years old and get it free. At least that's how it is in the US. That means you can buy a phone that's as much as three years old and have a reasonable expectation to use it for two years because that's the contract with your carrier. That means manufacturers and carriers should provide support for a minimum of five years. That means a phone released in October 2015 should have support until October 2020. I think a customer has a reasonable expectation of this. If nothing else, that should be grounds for a lawsuit against manufacturers and carriers. There's also the issue of delays in fixing vulnerabilities both with the manufacturers and then the carriers. Again, I think there's a reasonable expectation for security updates in a timely manner. Also, when phones ship with locked bootloaders and customers can't choose to unlock them, it makes it very difficult to install a patched version of the OS. This also voids the warranty if you're able to do it. Customers are screwed no matter what they do in this situation, which is why carriers and manufacturers should be sued in the absence of specific laws to protect customers.

I can't help but wonder if the decision to not provide software updates to older phones is partly because people don't see a huge difference between models and this is one way to push people to buy newer and more expensive phones. I can't say it for certain, but it wouldn't surprise me if that's part of the decision process.

Re:

[AmiMoJo]

There is nothing to sue over. Unless you can show that you were attacked by malware or forced to stop using the device because of proven, legitimate fears then you have nothing to sue for. What loss have you suffered from this vulnerability?

That's the thing about most of these supposedly critical flaws in Android. They are never that bad, we never see massive botnets because of them, we never see massive identity theft or any kind of practical, in the wild exploit. The people who do become victims do it to

Re:

[drinkypoo]

The people who do become victims do it to themselves, usually by installing some dodgy app store and disabling the Google malware protection.

The whole point of sandboxing is to protect me whether the software is malicious or malfunctioning. If it doesn't do that, then it's defective — especially if there's a known defect with a known mechanism. I've had to go around manufacturers for fixes for these problems because Motorola is not what you would call responsible about bringing out updates, nor is Asus. A bit frustrating, really. On the other hand, I was able to do that. Can't do that with Apple.

Re:

[AmiMoJo]

I understand your feelings but for there to be a lawsuit there has to be some harm done. You can't just sue because someone does something to don't like.

Since there are no viruses making use of this flaw it seems entirely theoretical at this point.

Anyway, the latest update they released fixes it. It's your own fault if you didn't install it when offered (it's OTA).

Re:

[drinkypoo]

I don't understand why phone manufacturers and carriers don't get sued for things like this.

They do, when they make promises to bring out updates until a date, or a certain number of updates, etc, and when the affected class is sufficiently sizable to attract leeches, I mean lawyers. But when no promises are made and no damages can be proven it's difficult to squeeze blood out of a corporation.

Because lawsuits aren't for justice

[rsilvergun]

they're to put money in a lawyers pocket and a $5 off your next phone coupon in yours. It'd probably be too hard to sue over something like this. It's too hard for a jury of 50 somethings (who are the only folks that could take 6 months off for the trial) to understand. How's that joke go? 10 people too dumb to get out of jury duty...

Re:

[Rainbow Nerds]

I would argue that this kind of bugs constitute a defective product. Then I could invoke my rights for compensation/repair (at least based on EU law regarding sales of defective products).

I agree it's a defective product and I started thinking about this after I made my post. My idea was to try to force manufacturers to honor their warranty, which is supposed to protect against defects. Also, because Samsung knew about this vulnerability in August 2014 and continued to sell the Galaxy S4, they're knowingly selling a defective product. That ought to be more serious than simply selling a defective product.

Article is FUD

[the Hewster]

This article makes no sense. It says the vulnerability affects the Galaxy S4 but only if you are running an outdated firmware (like Kit kat). However, there is an official (pushed OTA) update to Jelly Bean on this device, so all you have to do to not be vulnerable is apply the update! Same as usual: if you want to avoid vulnerabilities, update your stuff regularly.

Re:

[msauve]

You make no sense. The summary says "Samsung has decided to patch only for recent devices running Android Lollipop, but not Jelly Bean or KitKat" and the article says "Samsung just confirmed to us that the JB and KK families will not be patched and that the vulnerabilities are only patched on the LL family."

So, explain how "an official (pushed OTA) update to Jelly Bean" fixes things.

Re:

[the Hewster]

Actually, there is also a Lollipop 5.0.1 update (also pushed OTA) for the Galaxy S4 i9500 (the phone of the article). I have it running currently on my S4. source: http://www.sammobile.com/firmw... [sammobile.com]

Re:

[msauve]

...and is the vulnerability at issue fixed in that update? Do you know there will be another to address it?

Re:

[Walter White]

... only if you are running an outdated firmware (like Kit kat). ... update to Jelly Bean on this device ...

You apparently did not know that Android versions are named in alphabetical order. Jelly Bean (4.1) predates Kitkat (4.4) You cannot "upgrade" to Jelly Bean from Kitkat.

Apologies if your post was sarcasm. I interpreted it as ignorance.

Re:

[ohnocitizen]

This should not be modded up. Samsung leaves their older devices without upgrades. I'm still using an S3, and I shouldn't have to buy a new phone because the locked down device I purchased was made by a company that refuses to upgrade their older phones.

Samsung does patch kernel vulnerabilities ..

[nickweller]

Considering the current version is fully patched, I don't understand how you would spin this into Samsung not patching kernel vulnerabilities.

"Samsung has decided to patch, but only for recent devices running Android Lollipop, and not for those with Jelly Bean or KitKat."

Re:

[AK Marc]

Apple doesn't either. I bought a 3G at about the end of its sale, and got one year support.

Re:

[peragrin]

bullshit.

Software wise apple supports out to at least 3 years and with iOS 9 out to 5 years of previous build models.

if you bought a 3 year old phone and then expected updates you got what you deserve.

Android models rarely get one year of updates, and almost never get 3-5 years of bug fixes.

Re:

[phayes]

Most android phones already have outdated software when sold and only go downhill from there because they are never updated.

Re:

[Lumpy]

HTC ONE M8.... still stuck on the craptastic 5.0... HTC and AT&T suggests throwing it away and buying a new phone if I want updates.

Re:

[BronsCon]

It's not that they're no longer updating it, but rather that they're going to update directly to Marshmallow [ibtimes.com]. If you don't get that update when HTC releases it, perhaps it's time to switch to a carrier that doesn't block updates in the name of selling phones.

Also, what do you find so craptastic about 5.0? And shouldn't that be 5.0.1 if you're actually up to date? Nothing really changed (on my Nexus 6 at least) from 5.0.1. to 5.1.1, so you're not really missing out on anything exierience-wise. As for secur

Re:

[Lumpy]

Bluetooth stability, phone stability, etc... A LOT of phones have problems with 5.0.x

Re:

[BronsCon]

Sounds like a phone problem, not an Android problem. Shoddy drivers, perhaps? Google doesn't write (most of) those. My N6 is rock solid.

Re:

[phayes]

Until you get a malicious SMS or your phone gets Powned in one of the myriad of other ways Android is vulnerable... But that wouldn't happen to you, you're too low in the food chain to be of interest -- until you do get infected... I've seen it happen.

Re:

[BronsCon]

Examples, please? I've seen iPhones pwned by malicious SMS, as well. It happens to the best of us, get over yourself. What's funny about it is that even after my best friend fell victim to one of several iPhone SMS vulns, he still swears the platform is secure. He refuses to let facts cloud his argument and I don't expect you'll be any different.

Re:

[drinkypoo]

Look at the number of current-version apps you can still get to run on a KitKat phone, and compare that to the apps you can get for a 3G iOS device today.

I still have a device running Gingerbread because it only has 512MB RAM and that's a bit tight. It's just a clock now, and occasionally plays some music or acts as a Kodi remote, so no problem. It's kind of amazing though how much software will still run on that, or at least, doesn't require any later API support. Who knows how well it will run on a 1.5 GHz (OC'd) single core, even if it does have a decent Adreno.

Re:

[phayes]

Snort, talk about trying to turn lemons into lemonade... Apple supports it's devices for multiple years and has been successful in drawing users to upgrade their OS as time goes on. Not everyone rushes out to buy the latest iDevice. Many, like me forgo 3 or 4 cycles -- and yet we still have the latest OS. The reason so much android software still supports antique OSes with multiple well known security weaknesses making them a security nightmare is precisely because Android has been able to do the same.

Oh go

Re:

[BronsCon]

popping up unrelated ads when I surf the net

Yes, we know iOS has ad blockers now. Don't worry, Android has had them for years. Not sure WTF you're talking about here.

sniffing my credentials when I connect to my bank

Or here. Elaborate?

Re:

[phayes]

Androids are getting Powned left right & center due to their abysmal security & Bronsco thinks I'm talking about ad blockers?!?! Just how deep in the "sand" do you have your head stuck in?

Re:

[BronsCon]

You're right phase, this Bronsco guy sounds like a real douche. Care to point to the specific vulnerabilities you're referring to, along with any documented cases of them being actively exploited? No, 3rd-party browsers injecting their own ads do not count; it's easy to avoid that by not being the idiot that uses that browser, and it's certainly not a vulnerability in the platform.

I asked you to elaborate, that's precisely the opposite of sticking my head in the sand. I know my platform is no more or less

Re:

[phayes]

You come to France & sign the NDA's my clients have had me sign & we'll talk.

Oh, do keep your head up where it's been hiding and deny that any problem exists, after all, you not falling victim to Android's multiple failings means that they doesn't exist, right?

Re:

[BronsCon]

I never said they don't exist, just that I've never seen them exploited as I've seen the (supposedly fewer and less serious) vulnerabilities in iOS exploited. You sure talk a big game for someone who can't even spell a username correctly that's on the screen right in front of him. But you're right, this is a prime example of my denial that any issue exists:

I know my platform is no more or less secure than any other

Right. That's denial right there. Dumbass.

Re:

[phayes]

I know my platform is no more or less secure than any other

Right. That's denial right there. Dumbass.

Lol, that right there is stupidity masquerading as rank ignorance. "no more or less secure"... Only if a bicycle is "no more or less fast" as a sport motorcycle.

Hey sparky, I am not your your mother or your wetnurse. Go talk to Cisco. Go talk to Check Point, Go talk to Palo-Alto. Go talk to the TippingPoint people now at HP. You'll have to show that there is something in it over and above overcoming your ignorance to get answers.

In short, put some effort into discovering just which mobile platform is causin

Re:

[BronsCon]

It's not like iOS was just hit with ad-blasiting malware or anything. By the way, how does Marshmallow hold up? I'm asking out of genuine curiosity, having just updated, but I'm not expecting any more from you than geneal puffery.

Also, is it the platform or the retarded skins and apps every manufacturer wants to bake into their distributions that cause most of the issues? I aske because I'm aware of a number of issues caused by Touch-Wiz and Sense. These issues don't exist for Nexus devices.

I'd apologiz

Re:

[BronsCon]

Gah... typos... this is why i don't post from my phone...

Re:

[phayes]

You're an android user admittedly ignorant of how the repeated and generally unpatched critical vulnerabilities of his cherished platform have made Android into a security nightmare. You compare iOS vulnerabilities for people that downloaded code from unvetted third parties or from Chinese developers that performed the same bone-headed move with innate Android bugs that in most cases will never be corrected until people replace their phones with new models so that their maker will be motivated enough to upd

Re:

[BronsCon]

You're an android user

Thanks for highlighting that incorrect assumption. I didn't give you my full bio but, in addition to being a user, I am also a developer (apps and roms alike) and, in addition to Android, I also use iOS, Windows, several distros of Linux, a couple of BSDs, and my primary OS of choice is OSX. Hardly a fanboy.

Android bugs that in most cases will never be corrected until people replace their phones with new models so that their maker will be motivated enough to update them.

Are you implying that newer versions of Android aren't affected by the vulnerabilities you know of? That's what it sounds like; if that's the case, I don't know what we're arguing about. Older versions o

Re:

[phayes]

You can quit attempting to put words into my mouth, I have no intention of falling for your strawmen.

Android's abysmal adoption rate of new OS versions is well known. Marshmallow is and will be irrelevant for months until it's adoption rates become significant & given how frequent new & different attacks have been released for android over the past few years I have little confidence that marshmallow will bring significant change because any new bug is still no more likely to be patched by upgrading

Re:

[BronsCon]

You can quit attempting to put words into my mouth,

Where have I done this?

I have no intention of falling for your strawmen.

What strawmen?

Android's abysmal adoption rate of new OS versions is well known.

I never argued this.

Marshmallow is and will be irrelevant for months until it's adoption rates become significant

I don't care about anyone else's devices, only my own. The adoption rate for Marshmallow is 100% for the devices I am concerned about. That's as significant as it gets.

given how frequent new & different attacks have been released for android over the past few years I have little confidence that marshmallow will bring significant change because any new bug is still no more likely to be patched by upgrading to a fixed version than present versions of Android have been.

That's getting a little closer to what I've been trying to get out of you. Since it seems you have no concrete information regarding what I actually care about, I suppose time will tell.

That someone with the experience you claim would be so apparently clueless as to ignore these points and to keep bringing up "but how's marshmallow" like it makes any difference just shows that you still haven't understood the problem.

No, I understand the problem quite well. There are a number of known vulnerabilities in versions of A

Re:

[BronsCon]

As as I.

Should read:

As was I.

I might also add that, while your children (why would you drag them into this? but you did, so I digress) may be well-behaved, that offers no indication that you are; this conversation actually hints to the contrary.

Re:

[phayes]

Where were you attempting to put words in my mouth and then knocking down strawmen?

Are you implying that newer versions of Android aren't affected by the vulnerabilities you know of?

So, have you stopped beating your wife and abusing small children yet? You know, this isn't the 1950's anymore and punishments are severe nowadays for these acts.

I don't care about anyone else's devices, only my own.

The key admission which makes every single statement you have made up to this point defending Android as a platform a fraud. How unsurprising that in addition to your puerile name calling that you are also a liar only interested in yourself.

Re:

[0123456]

When you buy an iOS product you are buying from a company determined to make it obsolete within a year or two of you buying it.

Can't talk about phones, but my girlfriend's iPad had been out for a year or two when I bought it for her a couple of years ago, and it's still getting the latest iOS releases. I believe only the original iPad has been made obsolete by Apple so far.

Meanwhile, the local electronics store is still selling the Nexus 7, which probably gets its last OS upgrade from Google next week.

If Google don't fix this crap, they're going to toss the cheap phone/tablet market to Microsoft.

Re:

[JackAxe]

Apple stopped supported my first gen iPad after 2 years and I have not received any updates since. But in comparisoin, my Nexus One -- which got its last OS update at 2.3.6, a phone that's about 5 years old -- I was still given the option to update Google's services up until I retired the phone this year.

It's a mixed bag with Android and one that's overall better IMO, as the OS since early on has had so many useful features, some of which Apple only more recently implemented into iOS and others that th

Re:

[macs4all]

When you buy an iOS product you are buying from a company determined to make it obsolete within a year or two of you buying it.

Can't talk about phones, but my girlfriend's iPad had been out for a year or two when I bought it for her a couple of years ago, and it's still getting the latest iOS releases. I believe only the original iPad has been made obsolete by Apple so far.

Meanwhile, the local electronics store is still selling the Nexus 7, which probably gets its last OS upgrade from Google next week.

If Google don't fix this crap, they're going to toss the cheap phone/tablet market to Microsoft.

Or to Apple, which now sells the still-supported iPad mini 2 and iPhone 5 for relatively low prices.

And yes, the original iPad is the only unsupported iPad, as I sit here typing this in my still-supported iPad 2, and my still-supported iPhone 4s sits waiting for me to "re commission" it as for iPod Touch-like duty (not going to use the phone part anymore) for my roomate's use.

Re: Samsung != Apple

[Karlt1]

Android phones are not driven in obsolescence by a team at Apple who urges developers to move onto the new API as soon as possible. So the App Store doesn't stop having current apps for Android phones for much, much longer than with Apple. Look at the number of current-version apps you can still get to run on a KitKat phone, and compare that to the apps you can get for a 3G iOS device today.

Xcode 6 supports iOS back to 6.0. That includes every iPad introduced except the first one and every iPhone introduced

Re:

[macs4all]

Android phones are not driven in obsolescence by a team at Apple who urges developers to move onto the new API as soon as possible. So the App Store doesn't stop having current apps for Android phones for much, much longer than with Apple. Look at the number of current-version apps you can still get to run on a KitKat phone, and compare that to the apps you can get for a 3G iOS device today.

When you buy an iOS product you are buying from a company determined to make it obsolete within a year or two of you buying it.

Another of your bullshit half-truths, as usual.

One of Apple's Terms and Conditions for entering the IOS App Store is that your App MUST SUPPORT the most recent version of iOS.

Another of the T&C for an App to REMAIN in the iOS App Store is that your App must be UPDATED in a timely manner TO SUPPORT the latest version of iOS.

NOWHERE does Apple MANDATE that an App MUST NOT remain Compatible with an OLDER Version of iOS .

Prove me wrong.

In fact, one of the reasons that there is an issue with iOS "

Re:

[AK Marc]

The last day to buy a brand-new iPhone 3G from Apple was June 2010. The last iOS update was November 2010. 6-months of support, for those who bought them near the end of the run. Brand new phones, sold as the *only* iPhone available at the time, so I bought the newest, best available, and got about 6 months support on it.

https://en.wikipedia.org/wiki/... [wikipedia.org]
https://en.wikipedia.org/wiki/... [wikipedia.org]

My Samsung got very little support. I didn't get a single version upgrade on it, and there were maybe two bug f

Re:

[macs4all]

The last day to buy a brand-new iPhone 3G from Apple was June 2010. The last iOS update was November 2010. 6-months of support, for those who bought them near the end of the run. Brand new phones, sold as the *only* iPhone available at the time, so I bought the newest, best available, and got about 6 months support on it. https://en.wikipedia.org/wiki/... [wikipedia.org] https://en.wikipedia.org/wiki/... [wikipedia.org] My Samsung got very little support. I didn't get a single version upgrade on it, and there were maybe two bug fix patches. What does get support is rooting Android and using a generic package. Though that option isn't available for iPhone, so you are left with phones abandoned the moment they aren't sold anymore.

Your particular iPhone 3G situation is an admitted Outlier. However, unless you are a total liar, you will have to admit that Apple's OS Update support for both iOS AND OS X is second to none.

The current, just-released version of iOS, 9.0.1, is compatible with iPhone 4s to 6s, iPad 2 to iPad Pro, and iPod Touch 5 and 6. OS X 10.11, El Capitan, also just released, is compatible with almost all Macs introduced since 2007 [apple.com].

And if you compare that sort of support with the Russian Roulette style of "Updating

Re:

[AK Marc]

Your particular iPhone 3G situation is an admitted Outlier.

It's just one I happened to live through. Screw *ME* once, shame on you... Apple did screw me with that one. It wasn't a hypothetical. It actually happened to me. So it matters more to me than the examples you bring up.

And if you compare that sort of support with the Russian Roulette style of "Updating through Random ROMS" you are advocating for Android, you are either a liar or are delusional.

Yeah, the forums filled with complaints on iOS9 wiping devices didn't happen. And if you close your eyes and update random ROMs, you'l have bad results. Most people find one they like, and stick to regular updates from a popular and well supported line of ROMs.

Re:

[UnknowingFool]

I had a 3 Gen iPod Touch 'go out of support' for new iOS versions less than a year after I bought it. I shouldn't be penalized that way for buying an Apple product late in the period when it is being foisted off on the market as 'current.' Incidentally that iPod is probably the last Apple hardware I will ever buy. There were two iPods that I bought before it.

Let's look at your claim: You had a iPod Touch 3rd gen [wikipedia.org]. It was released Sept 9, 2009 and discontinued Sept 1, 2010 when the iPod Touch 4th gen was released. It started out with iOS 3.1.1 (July 2009) and could be updated to 5.1.1 (May 2012). For only one year was your model "current". The OS was updated for almost 2 years after it was discontinued. I'd have to say your claim is shakyt. For your claim to make sense you would have to buy it after May 2011 in which the current model would be the 4th gen.

Re:

[AK Marc]

The last day to buy a brand-new iPhone 3G from Apple was June 2010. The last iOS update was November 2010. 6-months of support, for those who bought them near the end of the run. Brand new phones, and got about 6 months software support on it.

https://en.wikipedia.org/wiki/... [wikipedia.org]
https://en.wikipedia.org/wiki/... [wikipedia.org]

So what he described did happen. It happened to me, with the iPhone 3G. I didn't realize that the "minor" upgrade from the 3G to the 3GS would make the 3G obsolete and unsupported. At the t

Re:

[UnknowingFool]

The last day to buy a brand-new iPhone 3G from Apple was June 2010.

What does the iPhone 3G have to do with his iPod Touch 3rd gen? He made a specific claim which appear not to be supported by facts.

Re:

[AK Marc]

He gave a bad example. I gave a better one. Apple has done it as well. That was his point. I supported his point, even if I didn't address his facts.

Re:

[UnknowingFool]

No he didn't and you missed the point. I questioned whether or not his example is actually a fabrication. As for your example, it is the only case that that Apple has done whereas many, many Samsung models barely are updated as it is also up to the carrier. In relevance to this story some US carriers have not updated S4. I do however find it curious that someone so anti-Apple would ever purchase an iPhone.

Re:

[AK Marc]

http://www.oppo.com/en/smartph... [oppo.com] What about the Oppo?

Re: It's OK - Android is open!

[cyber-vandal]

How do you fix bugs in the proprietary closed source drivers?

Re:

[Anne Thwacks]

Even those of us whose phones are not directly affected are indirectly at risk. Surely we can join a class action against the people responsible for polluting the phonosphere with pathetically insecure software. If the manufacturer wishes to end support for a phone - he should be required to open source ALL the code, and release ALL hardware documentation. Or face fines that would obliterate the company instantly in each and every country where phones could conceivably work.

And if a company dies, the IP

Re:

[drinkypoo]

If the manufacturer wishes to end support for a phone - he should be required to open source ALL the code, and release ALL hardware documentation.

I'd like to see that as much as you would, perhaps even more. But that's not SOP in any industry, what makes you think we have a hope of getting that for mobiles?

Re:

[Hognoxious]

In my day we used a magnetised needle and a microscope. And we had to grind our own lenses.