cross-posted from: https://lemmy.ca/post/1926125

Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

But what’s the actual risk of using an Android phone on a stock ROM without updates? What’s the attack surface?

It seems like most things that’d contact potentially malicious software are web and messaging software, but that’s all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it’d be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn’t just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

I’m not at all an Android developer though, perhaps this is very naive and I’m missing something major?

  • GenderNeutralBro@lemmy.sdf.org
    link
    fedilink
    arrow-up
    8
    ·
    11 months ago

    To get a real answer, you’d need look at the security patches that you’re missing out on. Here’s a brief write-up of the July Android security patches: https://www.bleepingcomputer.com/news/security/android-july-security-updates-fix-three-actively-exploited-bugs/

    So this month, you’d be missing out on some pretty severe fixes if you are running a phone with a Mali GPU (which includes many phones with chips made by Mediatek, Samsung, and Google) if your phone is not receiving timely security updates. I’m not aware of any vendors besides Google who commit to monthly security patches (please let me know if there are any), so this is a problem even on actively-supported models.

    There’s also a patch for a bug in a graphics library. While that was previously patched in Chrome, other apps using the system implementation would still be vulnerable.

    Historically, I recall some very severe bugs that had no real defense except “pray that nobody targets me”. For example, I ditched my Galaxy S7 specifically because Samsung went months and months without integrating Google’s security patch for Blueborne, which made it possible for anyone in your general vicinity to potentially gain full control of your device. I was not comfortable giving up Bluetooth entirely, and not comfortable leaving my device wide open to attack.

    • BuoyantCitrusOP
      link
      fedilink
      arrow-up
      4
      ·
      11 months ago

      It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren’t pulling in random untrusted content are far less of an attack vector (eg. one’s bank app isn’t connecting to everything, just to the bank, pinterest is hopefully escaping user content, etc.)

      Based on helpful details at the other thread (eg. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn’t necessarily mean “giving up bluetooth entirely”, just not using it when you’re in bluetooth range of an untrustworthy party eg. if you just use your headset to make zoom calls at home and are fine not having it on the subway.

      Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we’re vaguely covered by our vendor. I think you’ve convinced me to subscribe to CVEs for android too, I’ve only had alerts for my browser. Really too bad they don’t make smaller Pixels.