Google might have to rethink Android's updating strategy, if vulnerabilities like this keep coming out. Of course it would be nice to never have to update some devices, but it's not viable if they are: a) As complex as an Android phone and b) Connected to the internet/phone network.
I completely agree. They can force their OEMs to follow rules regarding the installation of Google Play services and apps yet they cannot seem to force them to update their software. Every OEM that wants Google Play services and apps should be required to supply OS and critical security updates to their phones for at least 3 years.
Well, given that the exploit has been around for three years, April isn't actually that impressive. I would be more likely to guess that NSA has paid for this 0-day several times trying to prevent it from being released. I don't think that's even a very tinfoil hat scenario. The tinfoil hat scenario is that this exploit was added and ignored at the request of the NSA.
The ability to remotely tap and track almost a billion people with just their phone number? That sure makes metadata valuable...
What if the Android update system is split into two channels: critical updates and feature updates?
The latter can be issued via the OEM or carrier - whereas the former is issued by Google. Since Google own the trademark on the Android name (http://developer.android.com/legal.html), perhaps Google can enforce a rule that an OEM which ships its device without compliance with the above cannot call their device an "Android device".
The issue as I understand it is that's impossible, because there's no motivated stakeholder who can perform regression testing to validate the critical update channel. And the device builds have deviated far enough from vanilla Android+kernel that they require their own.
Tbh, Google needs to work with the Linux groups pushing for more coherent ARM/device flexibility frameworks, then ban carrier and device manufacturer build modification below a certain level of abstraction. Otherwise they revoke Android branding + access to GApps.
Then they would at least have a base for eventually saying,
"We're going to enable a critical update channel where users take updates directly from Google. We will release these updates to you with a lead time in proportion to the severity. Unless the user has explicitly opted out, they will automatically receive the update after that period. If it breaks your phone, then users are going to stop trusting you as a manufacturer / carrier."
I've been saying this for years. Google needs to provide security updates to all versions of Android which don't change APIs or functionality. Just drop-in replacements to fix exploits. These need to be offered for a period measured in years to every version of Android they release.
Microsoft still releases regular security fixes for Windows Vista!
I really hope they do because I've been using Android since the G1 and am about to ditch it due to lack of updates being given to me on all the devices I have bought. Yes, I know that the manufacturers should push them out but I've got numerous devices including barely year-old Samsung devices (Galaxy Note 10.1 2014 edition) and they don't have recent Android versions. I also have an Android phone from Sony and my wife has a Samsung Android phone - no updates there!
(This is separate to the issue that there are ever-changing UI guidelines on Android making each app feel entirely different to another one which is like being in a nightmare and not being able to wake up or understand how it SHOULD behave).
As someone else said, you wouldn't be happy with a laptop that did not let you install Windows updates.
This is the same problem we have with Android, and I'm getting really tired of it and ready to jump ship. It's all very well saying Nexus devices will be updated but why distribute Android to all other manufacturers if they won't get or push out updates? I can't see anyone clapping for Microsoft if they just pushed out service packs and updates for the Surface exclusively.
The update strategy has been rethought and, frankly, I'd be surprised if anyone needs to release an OS update to fix this. Google clearly can and will just update the Hangouts app (if they haven't already). I'd expect most other manufacturers to just put an update for their OEM messaging app on the Play Store (if they don't already have a hook in something like an updateable OEM framework app they can use).
So the Hangouts bit is just about triggering the problem without user intervention? If an attacker can find another way to get you to play a malicious video, there's still a hole? That's clearly more serious.
It just requires opening the video. The average user will probably open a video from an unknown sender without thinking twice because why would a video message hack their phone. I would imagine given that it controls phones it would also be possible to make a worm from this that resends the video to everyone in the contact list.
What about video in browser? It seems like video is replacing gif everywhere and those autoplay. I've seen websites that have video as backgrounds. Wouldn't Stagefright handle those videos also?
> But Adrian Ludwig, the lead engineer for Android Security, told NPR the flaw ranks as "high" in their hierarchy of severity; and they've notified partners and already sent a fix to the smartphone makers who use Android.
It sounds like the fix can't be (or isn't being) made in the Hangouts app.