iPhone vs Android for system software updates

Discussion in 'Smart Phones and Devices' started by biggles, Nov 6, 2019.

  1. biggles

    biggles [H]ard|Gawd

    Messages:
    1,851
    Joined:
    Jul 25, 2005
    Focusing purely on system software updates for this thread. We all know that Android software updates are inconsistent across manufacturers. And that updates are not done nearly as long as they are on iPhone. I have read that iPhones get updated for at least 5 years. Even the best Android phone from a software standpoint, the Pixel, gets only 3 years of software support.

    The question is should buyers like me care about this? On an abstract level, it seems like Android phones would be quite vulnerable to malware due to this. I have been buying Android phones for years mostly due to lower cost. But it makes me wonder whether there are serious security risks that ought to be factored into future device purchases.

    Related topic, Windows 7 support officially ends in December, so PC users would be at risk after that. Are Android users with devices no longer being updated at similar risk levels? Or is Android more secure than Windows even when using outdated versions?
     
  2. CHANG3D

    CHANG3D [H]ardness Supreme

    Messages:
    4,807
    Joined:
    Jul 23, 2010
    i would argue that Android risk level is far worse than Windows due to the fact that it’s way more common for Windows users to have (updated) antivirus software while also having longer support.
     
    NIZMOZ and auntjemima like this.
  3. T4rd

    T4rd [H]ard as it Gets

    Messages:
    16,609
    Joined:
    Apr 8, 2009
    I do agree that Android and all manufactures using the OS should emphasize longer and faster software supe support. 3 years is mostly adequate, but I think it should be 4 years minimum, given that I see a lot of people still with 4-5 year old phones and it's certainly not that they can't afford a new phone, it's just that they don't care since they use their phones for little more than calls, messaging, and email, and it still lasts them through the day just fine with that minimal usage. So manufactures should take more responsibility to update and secure their phones, esp now that they're charging more than ever for new ones.

    It's almost as if manufactures are forcing people to hold onto their phones longer now too with the steep price increases we've had the past couple years. I know that hardware is generally plateauing now too, and that since the market is almost saturated at this point, so sales are slowing overall, which I'm sure it's another contributing factor to increasing prices. But we should be getting more of an ROI from OEMs now too given that they've matured significantly in software development and its been made easier for them with Treble. They definitely have the resources for it too.
     
  4. Aurelius

    Aurelius 2[H]4U

    Messages:
    2,556
    Joined:
    Mar 22, 2003
    We should all care, really.

    It's ridiculous that you can't own an Android phone for more than the length of a two-year contract (or instalment plan) without wondering if you'll even get security updates, let alone feature updates. Some hardcore Android fans like to claim Apple is about planned obsolescence, but that seems more like Google's strategy if you go by the length of update schedules. It's like a giant middle finger to anyone who isn't a middle-class North American or European that can buy a new phone every two years like clockwork.

    And the problem is that malware writers can bank on this. It doesn't matter that Google just released a patch that's hitting all the high-end phones, because attackers know that your old phone will never get that fix. They can use a year-old exploit knowing that millions of Android phones are permanently vulnerable to it. I can't help but think that Android is one day going to suffer a malware attack on the level of Windows' Blaster worm (that is, it spreads very far and very quickly) and that Google's poor update policy will play a large role in its distribution.

    For that matter, it baffles me that Android OEMs are allowed to skip security updates. They're only obligated to provide four updates per year, once every 90 days, and it's not clear that extends beyond the second year. There could be a worm wreaking havoc and Google would have to twiddle its thumbs while vendors leave the vulnerability exposed because they don't feel like releasing a fix. That's slightly horrifying. If Google did things correctly, it would force vendors to provide every security update for the support life of the phone.
     
    CHANG3D and UnknownSouljer like this.
  5. biggles

    biggles [H]ard|Gawd

    Messages:
    1,851
    Joined:
    Jul 25, 2005
    Asking the question differently: which has a higher risk of successful malware attacks during the year 2020?
    1. Windows 7 PC (MS support of course ends Dec 2019)
    2. Android smartphone on Android Pie (in other words, phone won't be updated to Android 10)

    Both situations involve devices no longer getting OS updates.
     
    jmilcher likes this.
  6. CHANG3D

    CHANG3D [H]ardness Supreme

    Messages:
    4,807
    Joined:
    Jul 23, 2010
    Like I said before, Windows having an up to date antivirus software is much more common. Even if Windows 7 isn’t getting more updates, Windows Defender, which Microsoft has built-in, should still get malware definition updates. (One can also easily find better free third party software.)

    Google doesn’t have any built in malware scanner. Most android users also don’t have any antivirus app installed. And most of those apps takes a huge hit on battery life.

    It’s also way easier to install a new official version of Windows on your computer than installing a new official version of android on your device.
     
  7. T4rd

    T4rd [H]ard as it Gets

    Messages:
    16,609
    Joined:
    Apr 8, 2009
    There's Play Protect, which is supposed to scan all your apps and new apps for malware and is built into the Play Store or Play Services. Not sure if it's worth a damn, but it's there.

    It's important to distinguish between OS/feature updates and security updates on Android. Because there are monthly security patch levels that apply to Android across versions 10, 9, and maybe 8 as well, where OEMs can apply current security patches to their phones without them needing to be on the lasted Android version (10 at the moment). So there are phones out there on Android 9/Pie still getting security patches from the past month or two and will continue to do so despite not running the latest version of Android.

    Hard to say which platform is more vulnerable considering the unknown amount of zero-days constantly being discovered and sold online at any moment for both platforms, then also considering the 3rd party applications on both OSs at any one moment that always introduce a larger attack surface for a potential exploit. There are multiple variables when taking into account how vulnerable a system can be; network availability (open/public vs secured/private network), OS patch level, 3rd party application patch level, system permissions for installed applications, and arguably most of all is user awareness so that they don't unwittingly circumvent all aforementioned security controls in order to install malware directly. For example; in order acquire "free" premium content such as a movie or game that they didn't want to pay for.
     
  8. Vermillion

    Vermillion [H]ardness Supreme

    Messages:
    4,115
    Joined:
    Apr 5, 2007
    The whole damn mobile landscape is a giant shitshow in my opinion. Sure you have Pixel which gets updates monthly and iPhone which gets updates but outside of those what gets updated on a regular basis? OnePlus seems to be doing pretty good. They were updating my 6T roughly every other month. Essential PH-1 gets updates as fast as Pixel in some cases but it's a old phone now.

    That said things like Play Protect and not going outside the Play Store keep an Android phone pretty safe. For all the OMG THE SKY IS FALLING exploits found in Android over the years none of them have been turned into some crazy destructive malware which Windows seems to have on a regular basis. So from that point of view an unpatched device really doesn't matter to the average user because they're not going off and doing shit like side loading an app from some 3rd party site. Don't get me wrong, I'm all for making OEMs and carriers update on a much faster schedule but overall the reason they aren't being pressured to do so is because there really hasn't been that mobile malware like Wannacry that causes havoc worldwide. If that ever happens though the updating of devices will change pretty damn quickly.

    As for length of time I personally think 3 years is enough. Typically batteries are failing by then for many and iOS devices may get updates for a year or two after that but those updates aren't all unicorns and rainbows. Our oldest iPad in the house is 4-5 years old which makes it iPad Air? Air 2 maybe? It just stopped getting updates as it won't get iOS13. However, the last 2 years or so of updates have just sucked. They just made it slower and filled it with garbage Apple apps that we never use. So the consumer seems to get screwed no matter what we do.

    Win7 vs Android for security? It's a crapshoot. Win7 may have anti-virus but Defenders engine won't be getting updated anymore. Definition files may get updated but newer malware may not be able to be cleaned. Play Protect on Android is based on Google Play Services so you're always getting the latest stuff as long as you run Play Services.

    Bottom line is if you're really worried about updates on a mobile device get Pixel or iPhone or at least a OnePlus device. As for Windows 7, lock it down and ride it out. For any platform the weakest link is the user. So be smart and typically you're going to be safe.
     
  9. CHANG3D

    CHANG3D [H]ardness Supreme

    Messages:
    4,807
    Joined:
    Jul 23, 2010
    Last edited: Nov 8, 2019
  10. Vermillion

    Vermillion [H]ardness Supreme

    Messages:
    4,115
    Joined:
    Apr 5, 2007
    And no APK can install from a downloaded browser unless you knowingly allowed Unknown Sources and then manually click Install. Let's keep things in perspective here. Clickbait headline is clickbait. 600 million devices? No. That's 600 million installs and that browser has barely 5% of the mobile browsing market. So that math doesn't add up out of the roughly 2.5+ billion (number from May 2019) Android devices out there. So even if we go 5% of 3 billion we only get 150 million. That means in reality the max number of users exposed to this is probably more like 150 million and we're missing the number of people who actually had Unknown Sources allowed which would make that number exponentially smaller since it is disabled by default. Then the user still had to click INSTALL. Like I said...clickbait headline is clickbait.

    Oh and Play Protect DOES scan anything that was installed including sideloaded apps.
     
  11. CHANG3D

    CHANG3D [H]ardness Supreme

    Messages:
    4,807
    Joined:
    Jul 23, 2010
    MiTM attack is not just installing apps...
     
    Trimlock likes this.
  12. Vermillion

    Vermillion [H]ardness Supreme

    Messages:
    4,115
    Joined:
    Apr 5, 2007
    I know that. That doesn't change the fact that the article made a big brouhaha out of nothing. The MITM attack was because the idiot coders of UCBrowser used HTTP instead of HTTPS to download the APK which couldn't be installed without Unknown Sources being enabled and the user actually OKing the install. So for this to be exploited an attacker would have to intercept that request and inject their own APK while hoping the user has Unknown Sources checked and that they are dumb enough to click INSTALL. Again clickbait headline is clickbait and they made this issue sound a lot more egregious than it really was.

    That article puts the fear of God into someone not knowledgeable about this stuff when it didn't have to.
     
  13. Fremunaln

    Fremunaln Limp Gawd

    Messages:
    150
    Joined:
    May 3, 2019
    If Android OEMs made 4-5 year system updates (DIFFERENT FROM FEATURE UPDATES), that would be great. Im not holding my breath due to the following reasons:

    Carriers and their terrible policies (Looking at you ATT and your policy of disabling system updates directly from say the OEMs own software updater)
    Android phones barely hold their value 6 months after launch. I doubt as a mfg you want to extend the life of a sold unit, for the expense of a future sale.
    OEMs like to play their games with OS cycles. (Looking at you Samsung).


    Apples got them beat hands down. Apple not only satisfies the system only updates, but includes at least a couple nice feature updates as well.



    Sad to say it, but if you want an Android device AND Security from the MFG, your out of luck besides buying a new phone at the time of launch. (Stupid af)
     
    UnknownSouljer likes this.