Snapdragon chip flaws put >1 billion Android phones at risk of data theft

Not really- Google is running apps that are not base Android, and that goes so far as some skinning of the UI. Both updates that happened while I had the Essential were on my phone they were released. Both times I had the OS update before the Pixels (other than people running beta), because it was completely stock.

There is no such thing as completely stock Android.

If you grab all the source files from the Android project it won't compile.

It requires at least some modification in order to work.
 
I don't pretend great expertise, but wasn't that the entire point of Nexus phones (old I know). Otherwise I read that as saying that the Essential team was able to grab the release files from the release point (github? semi kidding) and add their needed items and compile faster than Google. If I'm misreading, my bad! (and I figure I am misreading)
 
I'm not an Android developer either, but my understanding is that there are more vanilla-like Android ROMs that have been modified less, but that it just won't compile without modifications.
 
Depends on the variant, I think; for example, the S8 Asian model used an Exynos chip while the NA model used Snapdragon.

I think it has to do with the available LTE bands the radios in each SoC supports.

Snapdragons are better aligned with the available US networks, which is why I believe they use them for U.S. models.
 
Snapdragon intentionally making their stuff faster at the expense of security...
 
Then why the fuck has this been publicly announced...

I do know I already have the August 1st Android patch...

I just checked my Pixel 3.

It says August 5th.

 
For what it's worth, the Pixel Security Bulletin for August (these are patches beyond what is included in Android) includes two CVEs (CVE-2020-3646 and CVE-2020-3647) which are related to Qualcomm. One related to Video and the other Kernel. The descriptions sound sort of similar to what is described in this article, but they must be different, because the CVE numbers don't match.
 
From the article:
Check Point is withholding technical details about the vulnerabilities and how they can be exploited until fixes make their way into end-user devices. Check Point has dubbed the vulnerabilities Achilles. The more than 400 distinct bugs are tracked as CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208 and CVE-2020-11209.

So they have announced that the vulnerabilities are real, and their significance, but not how they work or how to abuse them.

Sounds fair to me.
 
You're right. We probably can't. But this is also an application that is extremely specific and esoteric. 99.9% of people aren't looking for an application that's capable of doing this. Still, if that's a function you need, kudos to Android.
Honestly I wasn't aware that Apple didn't support this functionality... I use it all the time. As a home user. It's standard practice for access point placement and troubleshooting.
I somewhat disagree. It's true that Samsung has way more model numbers than Apple. But Apple does have a complete product stack from $0-$1000+ (the iPhone SE's existence in the first place was to be a lower costed phone that could be solid in places like India and China in order to gain marketshare. So there is more than one way to skin a cat). It's Samsung's choice to produce as many model numbers as they do. Even Samsung's Android competitors don't do this. OnePlus, Google, et al are just fine without making a bunch of model numbers.

Also, directly to the contrary, if you choose to make that many models and you can't support them all, whose fault is that? No one has forced Samsung to do so.
I'm not a fan of Samsung's approach to phone models, but it seems to me that they do cover a broader section of the market than Apple does, and have for quite some time.

As to why Samsung didn't bother putting everything under a CI/CD process to begin with, I have no idea; their software is the reason I use Pixel devices.

They have and they haven't. Battery gate affects Samsung devices just as much as on Apple. But your entire premise is wrong. The purpose of "nerfing" wasn't specifically to older models, it's to devices with more worn batteries. There are two options when it comes to dealing with the issue of old batteries: either have your phone randomly reset under load or limit the power draw an old battery is capable of using (which has the effect of making the device slower). Apple chose the latter, Samsung more or less chose the former. For most, I'd say Apple's approach is better since it actually allows you to use your device rather than have it reset on you.
However for either case the problem is solved simply by installing a new battery. I know, because I have done it. I had one of the "affected devices" the iPhone 6S+ and I used that phone for over 4 years replacing the battery twice. And I got all my performance "back" both times. And neither time was I "forced" to upgrade. I would probably still be using that phone if other items in it didn't break, making it easier to just upgrade rather than repair (in my case, it was the rear camera that essentially had broken IBIS).

A lot of people still don't understand this issue, and there is a lot of FUD surrounding it. I still hear people complain about the cost of replacing a battery so they just instead upgrade their device with another $700-$1000 device? That makes no sense to me. Batteries are by their nature disposable, there isn't any chemistry that won't degrade over time. And the smart batteries found in these phones are incredibly good at managing them (and they're expensive and require a tech to replace). Spending $70-$120 every 2 years to maintain a $1000 device and use it for another 2 years is more than reasonable. Again considering the initial cost of the device and the fact that at some point it has to be replaced.

EDIT: Also as an FYI this is why Apple has become more transparent about its battery preserving features, with the "battery health" section as well as the ability to turn on and off power management, and turn on and off smart charging. Battery gate has basically been eliminated from a number of angles, but that doesn't prevent the issue of needing to replace a battery when it comes time. For most that's after about 2 years. Again, replacing your battery after two years seems like a more than reasonable alternative to buying a new phone, especially for those of us who feel their current devices are fast enough and don't want to have to spend another $700-$1000 on another phone.

On balance, it's hard to fault Apple for doing the Apple thing, that is, finding the single way to do something that's probably best for the majority of their customers and then doing it that one way and disallowing any other way, by default, while not communicating to users what's going on let alone why.

Really just telling folks that's what's up would likely have sufficed. IMO, they made the right choice (keep the device functioning).
 
I agree. There are tradeoffs with everything. If you're referring to me personally, that's why I've recommended people go with specifically Pixel devices or devices you can update yourself through custom ROMs.

IMHO it's the smartphone model which is fundamentally flawed.

If you need special customized binaries for each device, of course it is going to be extremely labor intensive when you go to patch them, and because of this it is going to be unmanageable.

Android needs a common binary distribution, just like Windows, where if you patch something in the kernel, it can be pushed out to all Android based phones, regardless of who manufactured them.

The phone manufacturers shouldn't be providing much more than drivers.

If they need anything special software wise they can provide it as hardware locked apps that run on top of the unified binary codebase of Android.

Essentially, the Windows model. (Or the Linux model)

This is only a problem because of a fundamentally flawed distribution model and idiotic software customization by phone makers.
 
It's Google's catch-22; they marketed Android as an operating system that was extremely modular and thus customizable by both the manufacturer and the carrier; in a sense, it's Google's fault for starting it out that way. Apple has an advantage here because they didn't allow customizations that I'm aware of / remember; most of the first iPhones weren't really worth owning unless you were actually getting unlimited data and so on.

Now it's snowballed into a problem. A big one, despite Google 'leading the way' with their Nexus and now Pixel devices, and both manufacturers and carriers doing a better job. They all have to be almost perfect to keep the bigger vulnerability discoveries from causing mass havoc, and they don't cumulatively have it all together.

This is really Apple's three-fold 'advantage': their hardware is closed, their software is closed, and their patch process is closed. I'm not a fan of closed stuff in general, but this is one case where the model is working out alright.
 
The answer here is, don't sideload applications you don't trust 100% and make sure you trust the source 100% as well!

Also don't use custom ROMs unless you know intimately where every line of code came from and what it is and does. Because in the end from a security standpoint there is no one to hold liable and without that you don't have any assurance of security.

Security for our devices comes down to Liability. How much financial damage can a hack cause and ultimately who is responsible. If I'm a good little user and use my x brand phone with their software, and do all patches and follow all of the rules and I'm hacked. That vendor has some liability on their hands. If MILLIONS of those users are hacked then that vendor has a LARGE issue on their hands. It is incumbent on the distributor to make sure that the devices they sell, software they promote/distribute is secure. This is the whole reason that Google started vetting applications more carefully.

So just be careful, don't install shit. And if something doesn't feel right about an app kill it. Do your performance or device health scans regularly and maintain.

Do you have ANY CLUE how many vulnerabilities your OS is exposed to without proper patching? Do you have ANY clue how many vulnerabilities your NETWORK adapter has? What about your modem? Router? Drivers for your various PC components?

Take a look at the CVE database some time. While this is news because it is a bit sensational and all at once exposure. In the realm of vulnerabilities... it's not nearly as scary when you realize how scary the REST of the environment is.
 
Honestly I wasn't aware that Apple didn't support this functionality... I use it all the time. As a home user. It's standard practice for access point placement and troubleshooting.
I'm not aware if they do or don't. I'm taking it on faith that what Kamikazi said is truthful on its face.
 