How frequently do vulnerabilites affect TLS on Android?

2 points by CAPSLOCKSSTUCK 236 days ago | 3 comments

It's a bit of a hand-wavy question, but my Samsung S21 will get its last security update in January, and I was trying to figure out how many vulnerabilities/CVEs (say, in the past few years) would have affected the threat model I care about (mostly just TLS to my financial institutions).

Moreover, if I access the web through mobile Firefox (which is updated via the Play Store for longer than my phone gets system-wide security updates), how bad are the vulnerabilities really?

I found a study that brushes on some of these topics ("Common Security Vulnerabilities in Android Apps: A Comprehensive Guide" published in IJFMR), but I would be curious to see something like:

- a concrete vulnerability, even if it only affected a small number of Android devices - a combination of flaws that would have ostensibly allowed an attacker to get my credentials/access to my financial accounts - something affecting Firefox specifically

(Disclaimer) I'm upgrading to an in-date smartphone, but I just thought it would be a fun exercise since we always hear about the importance of updates minus the specifics . . . .

leakycap 236 days ago |

Do you specifically want Android?

It takes a lot of work to have a secure device when you're using a carrier-subsidized Android device.

More than a lack up updates, personal choices like which apps you install/behavior like what websites and extensions you use/uses of the device like what type of network you connect to has more potential for security risks than the immediate lack of updates.

~~~

Request a copy of your data from Samsung via the account data request, open it in Excel, and tell me if you want to use anything they make for your personal confidential communication. I loved my Samsung device but a single request of my data export made me close my account and get rid of all the Samsung devices I owned.

CAPSLOCKSSTUCK 236 days ago | |

My device is not locked and I don't have a Samsung account, but I generally agree with your assessment of the risk profiles of those activities.

leakycap 235 days ago | | |

Without a Samsung account, there is still a shocking amount of data collected but I'm not sure how you'd go about getting a copy to inspect.

I don't enjoy iOS, but Android felt like an unreasonable risk considering the way it's put together by vendors and distributed.