Google confirms Android attacks; no fix for most Samsung users (opens in new tab)

I have the strongest level of "Play Integrity" on a Xiaomi phone that hasn't received any updates since the beginning of 2020. Google Pay and co work fine. It makes sense when you remember that PI is not about security at all, that's just an excuse.

Play Integrity is just spyware - it does not provide any degree of security.

Pixel 6a used to show a September patch as the latest, but tapping "check for updates" found a new one. As mentioned in other comments here, apparently tapping those buttons twice may help.

You might be on a slow rollout group, I got the December patch on my Pixel 7.

The December updates for Pixel 7 and Pixel 7 Pro are available to manually download on Google's website [0], so the updates do exist, although Google might not be rolling them out to the general public quite yet. But the December update for Pixel 7a are completely missing from that website, and trying to update from the Settings app also shows no updates available.

[0]: https://developers.google.com/android/ota

Specifically for 7a:

Rumor is the Pixel 7a December update rollout was paused due to a severe wifi bug. You might not want to upgrade manually at this time, even if you find images available for download.

(The rumor is somewhat weak, it's apparently everyone regurgitating one seemingly AI chat.. Google needs to state the reason publicly.)

My 7 is on the December one.

> pure android phone

Do these even exist? Last phones I'm aware about were Android One program, but it ended years ago.

The link suggests Google Pixel, but it's not pure android phone, it's full of Google junk software.

I thought Google was moving stuff out of the open source stock android branch and into their proprietary pixel development branch, such that the functionality of stock android has been diminishing to the point that a phone running stock android would be barely usable as the device we'd expect. Maybe I've read wrong and misunderstood though.

If you are buying now, you want a device on a v5 Linux kernel with BPF support, where the bootloader can be unlocked and VoLTE is implemented in the 3rd-party ROM.

LineageOS has a build roster of current devices at this URL:

https://lineageos.org/Changelog-30/

The Pixels are the most flexible, but don't buy a model from Verizon (they don't allow unlocked bootloaders).

Most other OEMs require you to generate an unlock token and send it to them, then wait a week, which is extrememly inconvenient (and sometimes they just stop and refuse, as I understand OnePlus has).

If you want a locked bootloader at the end of the process for security, then you will be on a later Pixel with Graphene.

> Being reliant on a single OS permanently nailed to the hardware is no less crazier.

Locking OS upgrades to a network vendor is substantially crazier. It creates pockets where the hardware vendor ships a security update but your network doesn't care to ship it and isn't incented to. It is BANANAS.

Please try to e-recycle rather than normal land-fill trash.

Just because one layer of the security stack is compromised doesn't turn your device into a paperweight. I know many people who use out-of-support and vulnerable devices and I am not aware of a single one getting pwned by a system exploit, it is always some kind of phishing or scam. This is anecdotal evidence but I couldn't find actual data, as most don't distinguish between malware that rely on system-level vulnerabilities (as in 0-day) and the ones that don't (like fake apps that steal credentials, mine crypto or inject ads). But it is clear that the former are a minority on Android.

If you don't know what to do with it because your security standards are so high, just give it to someone with lower standards then you, or use it for some project that doesn't involve sensitive data. And if security is broken to the core, there is probably some vulnerability you can exploit to root your phone and do whatever you want with it, including installing a custom ROM.

Still, I agree with you on making it mandatory to provide an unlock method, at least for out-of-support phones.

Are apples drivers open source?

It’s “Fuchsia” with a “chs” not a “sch”. Where do you get your information that it’s dead?

We have an OS security update that is only release to users of a specific hardware, once approved by their mobile operator. It may be added to vendor-specific OS versions some time later (weeks, month or never). The vendor-specific may not be approved by a telco if the vendor doesn't have a relationship with that telco.

Now think that millions of people use the same OS on many different flavours, on different hardware, on multiple operators.

What an inneficient way of doing things.

How quickly did GrapheneOS roll out the update?

Is the patch already available for GrapheneOS?

Not working for me on Android 16, additional taps of the "Check for update" button in the bottom-right don't change the fact that it says "Your system is up to date" and that the last change was last month.

I had the same experience as peer comments. I'm on Pixel 8 and Google Fi. When I check for updates, I'm told I'm up-to-date with the last update being over a month old.

I don't see it yet either and have mashed it a bunch (Pixel 7, T-Mobile). Says it's running October's update with no updates available.

Thanks that worked, so weird that you have to do it twice...

Pixel 2 stopped getting updates almost 5 years ago

In other words, if you ever need to install anything on your device, you do need to worry. What even could be trusted, a random app from Play Store?

What if an existing app gets an update that exploits the vulnerability?

For sure that's not going to happen to an app released by a major company, but there are lots of less known app created by many different developers.

In other words, continue as normal: Don't install random crap you don't trust. That this is even newsworthy is kind of strange.

Threat model is probably third party ad and tracking libraries that pay to get into apps. If I caught it, I'd expect it to be from an app to use a parking deck, a colorful desk lamp, an otoscope etc where the developers sold out years ago

The point was surely more that apps being exploited via the Play Store can be mitigated there without client OS updates. The only hole here requiring the update needs a sideloaded attack.

CVE records are public. All info is there.

I'd imagine the dalvik part to be pretty open to static analysis?

On the desktop JVM, I've seen bytecode that decompiled to a form more readable than the original source I got access to later...

Oh, but they will, given enough time.

Remember Kevin Mitnick's most successful approach, social engineering :)

If that truly is an issue then Android is a fundamentally broken OS.

How many different models of PCs get released? How hard is it to patch any of their OSs?

If you can't support 50 different models, then perhaps you shouldn't be releasing 50 different models.

Weird how LineageOS supports ~300 devices while still managing to release patches.

I bet this CVE's patched quicker on a samsung device running LineageOS than the stock OS.

The real difference is that Google has a more competent software development process and release process than other android OEMs, regardless of how many different devices they have.

That's still one OS. Customization is mostly userspace "system" apps that they swap out and maintain, but reused across all their phones with some small variation. Hardware enablement will differ between models, but that's just the cost of doing business.

Can be a pain to move the whole suite to a new major (porting all their inhouse apps, getting all the hardware enablement from vendors updated to match, ...), but we're not dealing with a major upgrade here.

A security patch is "just" a matter of taking the last release, applying the diff, build, qa, release. No customization.

The fix was released in September according to GrapheneOS, so you'd think they could have it out for the flagships

If they choose to release 50 models, they need to factor in the cost to maintain security on 50 models.

And 5000+ laptop models per year, yet linux runs on (pretty much) all of them. This is an entirely self-inflicted problem. They don't deserve an ounce of mercy.

They must release drivers and firmware for all the devices that they no longer support.

https://www.androidauthority.com/phone-update-policies-16586... has summary of phone manufacturers update policy. It looks like for now the answer is: if you don't want an IPhone then grab Pixel and install GrapheneOS on it.

So no decent options for out-of-box experience.

If the flaws were just about missing premium features, that'd be one thing.

But it's not. It's petty and abusive. For example, you can't see (I think it was) heart rate if you have a Samsung smart watch, but don't have a Samsung phone. They've gone out of their way to just not provide that, if you instead have a Pixel phone. And you need like 5 gigantic apps installed to manage it. Why is it not just one single Samsung wear app? Because they are abusive.