62
submitted 1 year ago by NightOwl@lemmy.one to c/askandroid@lemdro.id

Is it still safe to use as long as apps continue to be updated and is supported by the play store?

How long would you say someone could safely use an Android phone that no longer gets security updates?

[-] argv_minus_one@beehaw.org 2 points 1 year ago* (last edited 1 year ago)

“Your” phone belongs to some overseas crime ring and they're letting you borrow it. That's how insecure it is.

Doesn't even matter if you install apps or not. Plenty of RCE vulnerabilities crop up that require zero user intervention to exploit.

[-] henfredemars@lemdro.id 1 points 1 year ago

True that many potential RCEs are found, but I think there are a few points to keep in mind.

  • RCE classification is often conservatively assumed when it is theoretically possible even if it has not been demonstrated. Android bulletins appear to assume any memory corruption could be an RCE.
  • Remote code is no longer sufficient for privileged control. Next, you have to use it to break out of a restrictive sandbox for whatever service or application you have compromised.

[-] argv_minus_one@beehaw.org 1 points 1 year ago

Plenty of RCEs are in privileged components, like the operating system or the baseband firmware.

And yes, it is correct to assume that any attacker-controlled memory corruption is likely an RCE vulnerability.

[-] henfredemars@lemdro.id 1 points 1 year ago

The baseband firmware is not so privileged anymore. Most new phones, like the Google Pixel 7, have IOMMU to force the baseband to communicate through a very restricted interface to the kernel. Certainly, you can interfere with texts and calls, but a baseband RCE doesn't yet compromise the data stored on the phone by itself--not to diminish the seriousness or to suggest that we shouldn't patch such an exploit immediately.

RCE, the "remote" aspect, in the operating system? So directly in the kernel and accessible remotely, such as through the networking code? I'm curious now. Most of the ones I've seen are in some other component that is sandboxed. True system-level privilege RCEs seem to be relatively rare. Usually, you get RCE, then you need privilege escalation to do something especially interesting.

Indeed; I'm sometimes able to leverage even a few bits of memory corruption into execution in many cases, though the hardened allocator in Android makes this a serious PITA to arrange to overwrite something useful.

[-] Thorny_Thicket@sopuli.xyz 2 points 1 year ago* (last edited 1 year ago)

I'm really stubborn about updating my devices and it'll perhaps bite me in the ass one day, but so far it hasn't. My phone has been trying to force the Android 13 update on me for 6 months now, and my laptop I'm not going to update any further from MacOS Catalina even though there have been several updates after that.

Why? I don't fix stuff that's not broken.

[-] scrooge@infosec.pub 8 points 1 year ago

But it is broken; old software is usually riddled with security vulnerabilities.

[-] Thorny_Thicket@sopuli.xyz 1 points 1 year ago

Yeah. That's why I said it might bite me in the ass one day.

Other than that it all works just fine so I don't want to fuck with it. My experience with software updates is that they always break something and slow down my devices.

[-] argv_minus_one@beehaw.org 6 points 1 year ago

It has already bitten you in the ass. You just don't realize it yet.

[-] NightOwl@lemmy.one 6 points 1 year ago

Not updating desktop OS seems pretty crazy to me. Is the reason because it might break some applications you use?

[-] Thorny_Thicket@sopuli.xyz 3 points 1 year ago

It will break some applications and I don't like the UI on the new MacOS.

I've always used old devices that you often can't even get updates for, so this has always been the norm for me. I know it's not the smartest thing to do but my great luck has brought me this far so let's see how long it'll last.

[-] NightOwl@lemmy.one 3 points 1 year ago

Sounds like Linux might be the way. The last OS that a lot of my devices ended up getting has been Linux, with how well they run once the major OSes start upping the system requirements.

[-] Thorny_Thicket@sopuli.xyz 3 points 1 year ago

My next laptop is probably going to be the Framework one so Linux definitely is an option. I'm interested in it but seems a bit tricky to deal with so we'll see.

[-] tiredOfFascists@reddthat.com 3 points 1 year ago* (last edited 1 year ago)

Not if but when it bites you, it likely will not be pretty.

You're rejecting dozens if not hundreds of ways to avoid having bad things happen, just a couple examples being having your identity stolen or losing data. These risks already exist no matter what you do, but they are several times more likely with every few months that you go without security updates.

Besides that, you will eventually be forced to update, either because your device dies and has to be replaced or because something like software you require refuses to run on your 8-year-old OS. When you get that new OS, the jarring effect will be much worse than if you just allowed your devices to evolve as designed. Updates are not a bug, they are an extremely valuable feature.

Your reasoning that it ain't broke so you don't fix it leads me to believe you have never written software. All software is inherently broken. Products under development for 30 years still have flaws so fundamental it's hard to even imagine. I say all of this as someone who has had his hard drive wiped accidentally by software bugs, had email and other accounts randomly hacked, and personally worked with broken ass software from the world-leading giants. And as a software developer I can say for sure: all software, no exceptions, is barely working. No matter how solid it seems, some random weird edge case can cause complete failure.

Update your shit. It's not even that often that stuff breaks in (non Windows at least) OS updates these days.

[-] Thorny_Thicket@sopuli.xyz 1 points 1 year ago

Pirated software breaks almost every time I update.

this post was submitted on 25 Jul 2023
62 points (100.0% liked)
