No One Cares About the Security of Unlocked Android Phones(hackernoon.com) |
No One Cares About the Security of Unlocked Android Phones(hackernoon.com) |
Sounds like they're talking more about disreputable or negligent OEMs than anything to do with having an unlocked bootloader or unlocked SIM.
Past phones I've owned that weren't as good with security updates depended on me being able to unlock the bootloader so I could keep them as up to date as was feasible. No timely security update from Samsung or HTC? Find a patched version of the ROM image built by some helpful developer on XDA and flash the phone.
Even today, as I only buy Nexus/Pixel/etc Android phones, they're still sold as "unlocked" in terms of SIM because I don't have any desire to give a carrier more influence over my device than I have to. Again, not an issue with security as even my older Nexus devices are getting security patches (if not the big, hardware-dependent OS updates).
Personally, I purchased a BlackBerry Priv (which runs Android) and couldn't be happier. Phone is/was very cheap compared with the other flagship devices and it runs really fast. Came factory unlocked direct from BlackBerry and has zero bloatware on it. I get frequent O/S updates for security patches as well, which is far more than I can say about my previous phone (Galaxy S3 from AT&T).
Despite most people's apathy, or even hatred, of BlackBerry, they have always done security very well. The Priv is no exception - secure boot, hardware keystore, modified Linux kernel, FDE enabled by default, work/personal account separation, external SD card protection, their DTEK software, etc. Some of their security features are included as part of the base Android OS, yes, but their security model as a whole from start to finish is far ahead of all competitors.
Also, does it get the security patches in a timely manner ? I kinda remember them refusing to commit to that
http://penguindreams.org/blog/android-fragmentation/
Since then, I've become more and more frustrated with other ARM boards. Android fragmentation is directly related to ARM fragments and it's a huge mess. Things like device trees help, but ARM is missing the standardized architecture that Intel, Power, et. al. have.
Then you wouldn't get all location data, call logs, and application usage data sent to China, you'd get them sent to the US, via Google, for better user experience and more targeted ads.
The result would be literally the same.
Something is off.
So while I think that windows devices are as easy to infiltrate as ever, a lot of people have simply stopped using them, and replaced them with - coincidentally, not intentionally - more secure platforms.
Usually, the underlying issue is complex enough that it takes years or decades to make the problem like 95% better. But the community around the issue has become entrenched, and won't go away just because the problem is basically solved. There's plenty of excuses at hand to justify the continued existence of the group - the problem is never 100% gone, so there's always something new to address, and they can always say that we have to be on guard for the problem coming back. But the effect is the same - the noise gets louder as the signal gets weaker.
If you're paying attention, you can see this pattern play out for all sorts of things.
In this case, we have both made the computers and browsers a lot more secure, and a lot of consumer-level computing activity has, for a bunch of reasons of which security is certainly one, moved to drastically more locked-down devices. Good luck building a botnet of iPads and Android phones. Many of the hacks that get the most publicity are super-complex one-offs that are in theory highly dangerous, but in practice are so valuable that they would only ever be used by state-level actors against handpicked national security targets, because you have to spend millions to find them, and they will become worthless about a week after the appropriate companies become aware of them.
https://news.ycombinator.com/item?id=12957927
True security and privacy cannot be had without free/libre software. It's not a solution in its own right, but it's a necessary step to mitigate issues such as these.
A commenter in the linked thread also mentioned other Android OSes working on hardening.
When software is Free, the end-user's relationship is inherited from the developer's relationship to the software [0]. As such, the definition of security is a completely shared one.
When software is not Free, the developer's and end-user's perspective are at odds. For starters, they're likely on opposite sides of a financial transaction [1]. The security of non-Free software is thus defined in terms of the developer's interest. Many desires will still align, like securing against most third-party attackers. But some will certainly not, like the business interests of the company and its partners (including the domestic nation-state).
[0] Indeed, a source of much complaint / usability problem.
[1] I'm certainly not rejecting the idea of trading money for software/services, but highlighting a deep-seated principle agent problem. It'd be really nice to find a way to set up a workable economy around Free software, lest we continue to lose to app stores and "open-washed" webcrapps.
edit: Per an email from Amazon, http://www.bluproducts.com/security/ has instructions.
BLU Products has identified and has quickly removed a recent security issue caused by a 3rd party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices. ... The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.
While in theory everything could be made to work fine and the right people would be held accountable and dropped from any use, probably this is where some form of vertical integration starts to really matter in practice.
That just left me gaping at the sheer brass required to do this, but I understand how it could happen. I'm sure there are some people who want to fix the problem, and others who say "Why bother? We may lose a few technically savvy (aka pain in the neck) end users, but the great unwashed are never going to know or care about whether this was fixed. Our customers know that their customers are the great unwashed, so they aren't going to care either as long as we're cheaper for them."
Or TL;DR, "Screw 'em, what are they going to do, organize a boycott by people who think chips are something you eat?"
If you expect your flag privileges to mean anything more than that, you should probably avoid using "flag" as a downvote, because your flag privileges can be quietly stripped from your account --- in fact, there's any number of heuristics that can do it by cron job, without the moderators even knowing who you are.
The "flag" feature is there to mark stories as off-topic and wholly inappropriate for HN. Nobody on HN thinks this is off-topic for the site.
Just some advice!
There are thousands of kernel variants between every Linux distro. You always need to recompile drivers. nVidida and AMD/ATI get by this by providing binary blobs and a shim layer than can compile and link the two.
In the Windows/Mac world there is one version of the kernel officially maintained and distributed by their respective companies. They can keep the kernel consistent for a given release. That's what you have one set of drivers for Windows 7, one for 8 and one for 10, instead of a different set of drivers for each and every service pack.
Android could, at a minimum, standardize the kernel for every Android version. With that, binary drivers could work across devices.
How do you want to boot your kernel? There is no BIOS or UEFI or other standardized firmware, that would initialize at least one CPU, RAM, storage and load your kernel from there. Every ARM implementation boots in different way.
After you boot up, how do you enumerate devices that your kernel can use? There is no PCIE or other plug and play bus, that can enumerate attached devices. Your OS has to know what is available. Poke a wrong port and your board freezes. This is the reason, why Device Tree is a thing.
Linux kernel does not require all drivers baked in - kernel modules existed for decades already. Monolithic does not mean that everything is one big blob. NT is also monolithic, for example.
† on properly updated devices such as the Apple ones as well as Nexus+Pixel. Probably this is where some form of vertical integration starts to really matter in practice.