Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.
But what’s the actual risk of using an Android phone on a stock ROM without updates? What’s the attack surface?
It seems like most things that’d contact potentially malicious software are web and messaging software, but that’s all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.
So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?
Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it’d be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn’t just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?
I’m not at all an Android developer though, perhaps this is very naive and I’m missing something major?
Indeed not. So I’m trying to better understand how vulnerabilities at the system level are exploited. It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured.
Based on this thread I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their attack surface.
It’s a bit hard to find the details of the vulnerabilities let alone POCs.
I would assume the APIs provided by android use the underlying system libraries so if left unpatched then any app that makes use of the APIs could potentially be an attack surface? This is all my assumption and it would be nice for someone that specialises in Android security to comment.
The app, in the scenario where we’re trusting the author/store, is only part of the surface to the extent it’s exposed to a potentially malicious payload. eg. a trusted solitaire game using a vulnerable API doesn’t exacerbate that vulnerability because it doesn’t expose it to untrusted input whereas a PDF viewer would because the PDF could be coming from anywhere…