Android security in 2016 is a mess.

Summary

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

Read on for more.

Between 1.3 and 1.4 billion Google Android phones in March of 2016. Click image for source.

An illustration: MediaTek / BLU phones are uploading your data.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US (interestingly, the author deleted their article from both hackernoon.com and from medium; I now link to the Wayback Machine’s stored copy). It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

What about A-list phone makers?

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.

Only because I took steps to flash the official KDZ image (V30a-ZAF-XX), which consumers would normally not do, am I now running Android 6. Even so, my security patch level is 2016-03, meaning there are 6 months of security updates I don’t have. (You can check your Android security patch level by going to Settings | General | About Phone | Software info.)

Before you think six months lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.

(LG seems to be tracking Google’s security updates quite well, but somehow these updates are not reaching phones.)
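The same patch-level check can be done over adb rather than by tapping through Settings, which also makes the lag easy to compute and shows what happens on a device such as the Android 5.0 G3 that exposes no patch level at all. This is an added example, not code from the original post: it assumes `adb` and a USB-debugging device; the property name `ro.build.version.security_patch` is real (Android 6.0 and later), while the two getprop dumps are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): read an Android device's
# security patch level from the shell and work out how many monthly
# bulletins it is missing. Assumes adb and a USB-debugging device; the
# property ro.build.version.security_patch exists on Android 6.0+, but the
# getprop dumps below are constructed so the script also runs offline.

# Constructed sample: a Marshmallow device stuck on the March 2016 level.
SAMPLE_DUMP='[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2016-03-01]'

# Constructed sample: a Lollipop device, which exposes no patch level.
OLD_DUMP='[ro.build.version.release]: [5.0]'

# is_ymd STRING: succeed only for a YYYY-MM-DD value.
is_ymd() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# security_patch_from_dump DUMP: print the patch level found in the output
# of `adb shell getprop`, or nothing if the property is absent (Android < 6).
security_patch_from_dump() {
  printf '%s\n' "$1" |
    sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\(.*\)\]$/\1/p'
}

# patch_lag_months PATCH_LEVEL BULLETIN: print the number of whole months
# the patch level lags behind the bulletin date (both YYYY-MM-DD), or -1 if
# either value is malformed.
patch_lag_months() {
  if ! is_ymd "$1" || ! is_ymd "$2"; then
    printf '%s\n' -1
    return 1
  fi
  py=${1%%-*}; pm=${1#*-}; pm=${pm%%-*}
  by=${2%%-*}; bm=${2#*-}; bm=${bm%%-*}
  # Drop a leading zero so "08" and "09" are not read as octal by $(( )).
  pm=${pm#0}; bm=${bm#0}
  echo $(( (by - py) * 12 + (bm - pm) ))
}

# assess_device DUMP BULLETIN: print one of
#   unknown   no usable patch level exposed (e.g. Android 5.0)
#   current   patch level matches or is newer than the bulletin
#   stale:N   N monthly bulletins behind
assess_device() {
  pl=$(security_patch_from_dump "$1")
  if [ -z "$pl" ] || ! is_ymd "$pl"; then
    echo unknown
    return 0
  fi
  lag=$(patch_lag_months "$pl" "$2")
  if [ "$lag" -le 0 ]; then
    echo current
  else
    echo "stale:$lag"
  fi
}

# Against a live device, replace a constructed dump with:
#   DUMP=$(adb shell getprop)
BULLETIN=2016-11-01   # assumed reference: the November 2016 bulletin
echo "Marshmallow device: $(assess_device "$SAMPLE_DUMP" "$BULLETIN")"
echo "Lollipop device:    $(assess_device "$OLD_DUMP" "$BULLETIN")"
```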

A scary little aside

I just tried Check Point Labs’ QuadRooter Scanner app on my “updated” LG G3, and this is what I saw:

LG G3 with Marshmallow and Android security patch level 2016-03 is vulnerable to QuadRooter.

So my manually updated LG G3 is still very much vulnerable to QuadRooter. In theory, my phone could be (or already has been) rooted and pillaged by any old innocent-looking app, although I keep mostly to the official Play Market, so the risk is slightly mitigated.

At this stage, even as a relatively knowledgeable user, there’s not much I can do to patch my phone against this vulnerability.

Google’s leniency cuts both ways: More than a billion Android users, but most of them vulnerable.

It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.

The fundamental problem here is that there is a great number of Android phone vendors, making everything from absolute entry-level phones to top-of-the-line flagships, who have very little incentive to spend money on post-sale security updates.

Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

What can we do?

Buy an iPhone. No really.

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.

However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.

Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat, released in August of this year. In short, already then Apple made better choices in how exactly different files are encrypted, whilst Android implemented full disk encryption, which for the smartphone use case is not the right choice. In Nougat, Android has finally also changed to file-based encryption, but they’re missing important parts of the puzzle. The phone encryption blog post I link to is insightful, please take a look.

Stick with Android Pixel or Nexus.

If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.

Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.

In other words, most normal consumers on a budget, i.e. the largest part of the Android user base, actually of the smartphone-using world, are stuck with insecure, vulnerable phones. This is not cool.

Consider installing a custom ROM.

Installing a custom ROM such as Cyanogenmod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support of proprietary hardware. In any case, this is not something your average consumer will have access to, but Android gurus can certainly apply.

Efforts like CopperheadOS (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.

Update: David Metcalfe pointed out in the comments that you can buy a secure Android phone from Copperhead. If you are in the US or Canada, and you have some budget, you could buy the LG Nexus 5x or the Huawei Nexus 6P with CopperheadOS pre-installed. It’s great that this is available, but due to price and geography not really accessible to most Android users.

Keep manufacturers honest.

Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes, and a list of those that aren’t.

I was happy to see that at least Huawei has a pretty good record in terms of keeping their Android phones up to date (although the results were probably skewed as they counted the Huawei-produced Nexus 6P phones, and these formed the majority of the test set, doh). This factor will play a role in the next smartphone that I buy.

Do you know of any (other) manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!

Addendum: Android phones with acceptable security update records

Blackberry PRIV, DTEK50 and DTEK60

lobste.rs user jabberwock tipped me off to the fact that Blackberry’s Android phones get monthly security updates. Read more at CrackBerry and here in the BlackBerry Android security bulletin for November: It looks like these phones receive monthly updates (when not blocked by the carrier, sigh) and have already received the November 2016 update.

Here is the original blog post where BlackBerry explained their security patching policies for the PRIV.

Google’s 0-shot neural machine translation system shows intriguing evidence of an interlingua

In recent research (full paper also available), researchers from the Google Brain and Google Translate teams have shown intriguing evidence of a so-called interlingua, that is, a language-agnostic common representation of sentences with the same meaning from different languages.

What I also found interesting about this work (and related to the above finding), is that they’re able to perform translations between language pairs that the system has never trained on.

A further pleasant surprise was seeing how they used the t-SNE visualization technique to embed the high-dimensionally represented sentences in 2D, in order to study the interlingua phenomenon.

Why it’s healthy that Microsoft and Google are eating Apple’s lunch

Last week Apple announced their new Macbook Pro laptops.

Their great innovation (a “game-changer” in their words) was a sliver of a touch screen above the keyboard which is able to show touchable context-specific buttons. They’ve dubbed this the TouchBar. Although the OLED technology is certainly pretty, one could almost hear the enormously disappointed collective “MEH” uttered by millions of users and suddenly erstwhile Apple fans world-wide.

Was Apple, in the form of Phil Schiller, really trying to sell this? By the way, if you represent Apple, a company traditionally known for its great design sensibilities, should you not spend just a little more money to dress a little better than the couture equivalent of an old Lada? Suit up man!

Phil Schiller not suiting up.

Collectively, the internet was disappointed. Why no touch screen? Why no new iMac (last refresh a year ago) or Mac Pro (last refresh 3 years ago)? What is happening at Apple?

The day before, on October 26, 2016, Microsoft revealed the Surface Studio. Watch this introduction:

… and also this video with Microsoft partners who have in secret been working with the Studio:

Even if you did not like Microsoft, you can get a good sense of the emotion around this new product.

They’ve managed to make something that speaks to the imagination. When I see this, as an outspoken Microsoft critic, I do get the distinct feeling that the Surface Studio is a physical artefact of the science fiction dream that my reality is gradually (and very pleasingly) turning into. My less nerdy technology-critical better half’s first reaction was: When can we get this?

It seems that Microsoft has convincingly out-Appled Apple.

In other words, Microsoft has somehow become sexy whilst Apple seems to have developed strong feelings for the Lada.

As an interesting related tidbit, a friend, whom I was trying to convince NOT to get Google’s new Pixel XL phone because reasons, recently sent me this short post on The Verge by Vlad Savov, a camera phone expert who until recently was of the educated opinion that the iPhone 7 was still the king of the smartphone castle. He writes:

On the basis of my extended experience with Google’s Pixel, I consider it an all-around better phone than the iPhone 7. The final exhilarating straw that broke the camel’s back was the photo below, coming straight out of the Pixel XL’s camera, undoctored other than for a horizon adjustment.

WHAT IN HEAVENS IS HAPPENING?! OUR WHOLE WORLD IS COLLAPSING!

Perhaps not…

During a Signal App conversation (you should really use Signal, it now has privacy-conscious Giphy support) with another friend, I realised that what’s happening here, is in fact wonderfully capricious human emotion interfering with the machine that is capitalism.

Left to its own devices, the nature of capitalism means that successful companies tend to evolve into capitalistically optimal dead ends. In other words, large successful companies lose the will to innovate, because they realise they are able to make more money at less risk by simply not rocking that boat. Instead of investing in innovation, they invest in sales and marketing to milk their large customer-base.

Ironically, Steve Jobs explained this idea quite eloquently during this interview where he talked about the decline of Xerox:

Fortunately, when a company like Microsoft throws an innovation curve-ball that appeals to our emotion and to our imagination, they can rock the boat for everyone.

Even though we’re talking about three absolute behemoths, it’s gratifying that they, as well as their smaller competitors, keep each other on their toes through the fickle wonder that is human behaviour.

Here’s to hoping that AI never manages to model or predict our precious caprice. :)

The Monthly [Weekly Head Voices #50]

HEY!

I’m still here, and it seems I really have to catch up on my backlog of WHVs, all the more as I was starting to notice the beginnings of BPP (Backlogged Posting Paralysis, of course). So I’ve spent a few minutes gathering a selection of life snippets of the past six weeks (week 21 through week 26) and will now proceed blasting them out this old Web 1.0 exhaust. I wasn’t completely idle blog-wise, however. I did write a post about my EuroVis 2011 and my Schloss Dagstuhl SciVis seminar adventures.

Before the blasting commences, I would like to present some relaxing visual input brought to you via my cell phone camera, which at the time of capturing found itself in my hand, itself being inside the chapel in Herberg op Hodenpijl, a short westward cycle from my house:

Herberg op Hodenpijl chapel roof detail.

The picturesque surroundings are home to the chapel, which hosted an art exhibition at that point, and an organic restaurant and grocer. Most (all?) of the produce comes from a small farm across the road that you can also visit. The goats are really friendly. You could do worse than popping by on a sunny day.

Herberg op Hodenpijl chapel roof detail.

The rest of this post has been categorised, with nice headings, so that you can skim through it even faster.

Health and well-being

  • In a recent cooking insert on the television, two chefs prepared Loup farci en croûte, or sea bass filled with julienne vegetables in a pastry of a thousand layers. Take a look at the video clip: The chefs put an amazing amount of effort into preparing this visually beautiful and apparently delectable dish.
  • My TNR and since recently also business partner, who can often be found hurtling down mountains on various and high-speed forms of personal transportation, and when he’s not is involved in a number of other extreme sports activities, managed to break two fingers on his right hand cycling over the flat and otherwise uneventful piece of earth between the computer science and physics buildings on our campus. Go figure.
  • In a recent study with 48000 (yes, that’s forty-eight thousand) men followed over a period of 22 years, a strong correlation was found between drinking six cups of coffee per day and a lowered risk of prostate cancer. Also men (but can you still call them men?) drinking fewer than 6 cups of coffee per day had a lower risk. The study did correct for other lifestyle factors. The linked summary also mentions other studies in which coffee drinking has been associated with lower risk of Parkinson’s disease, type 2 diabetes and liver cancer. I guess I can worry less about this addiction than, euhm, the other ones.

Nerd News

  • Dropbox has recently activated functionality they call shareable links, meaning that you can request a unique http://db.tt/some_code link for any file or directory anywhere in your dropbox and share it with anyone else (also non-dropbox users), who is then able to download said file or directory given the link. There’s a page on the website where you can manage all of your shared links, for example deactivating ones you don’t want people to access anymore. Read the help on shareable links for more information.
  • As you might know, I keep a lab journal documenting in some detail my daily work activities. I also maintain a personal journal, mostly for dumping stuff that might be interesting for this blog. I used to do all of this in Google Docs, but for the past few weeks I’ve been experimenting with TiddlyWiki (this is a single-file JavaScript-heavy wiki implementation) on my Dropbox for all my journaling and personal knowledge base needs. It’s been going swimmingly for at least two reasons: 1) It’s available also when I’m offline. 2) The idea of being able to break out into a new wiki page (called a tiddler) at the drop of a hat takes some getting used to, but fits the non-linear nature of my journal and personal knowledge base entries much better than the mostly linear Google Docs.
  • I’ve settled on using the free tonido personal cloud software to make all the files on my home server available via the internets. This means I can get to all of my music, photos or whatever no matter where I am. Pretty neat! (I have too much to fit on my 50G dropbox account. There’s also the PogoPlug software, but the free version has its limitations.)
  • Just a few days before Google+ (Google’s new social networking religion, in case you’ve been sleeping for the past week) hit the internets, I installed the Google +1 button on this blog, see right at the bottom of every post. So now you know what to do with every post: Click my +1 button, then click my facebook like button, then leave me some snarky comment right here. Easy as 123, and I’m a happy camper.

Comedy

Whilst flipping through channels one Saturday night, I flipped right into the stand-up comedian Demetri Martin. I made a note of it in my journal, and now here we are. Watch him present his research findings on his large pad, with his pointer:

That’s it for now dear readers. I really do hope to be back soon, and I hope to do so with a slightly more focused contribution. See you on Google+!

UPDATE 2011-07-23 note-taking strategy

To you I might appear fickle, but I guarantee that it’s just hyperactivity. I’ve since adjusted my note-taking strategy again. As you will have seen in the comments, Pieter Kitslaar subtly influenced me to go searching for a note-taking solution that syncs between phone and everywhere else. Fortunately, I ran into the SimpleNote universe and I’m now officially in note-taking heaven. I have Flick Note on my Android, the SyncPad extension on Chrome (for sometimes) and ResophNotes on Windows and on Linux with Wine. All apps work exactly as I would expect a super-fast and efficient note-taking app to work, with real-time incremental searching, hotkeys everywhere, and best of all, offline use and transparent syncing. ResophNotes is especially cool, definitely give it a shot.

So I’m using this SimpleNote setup for all my personal knowledge base and general note-taking needs. For detailed work and lab journaling, I’m now using linear OpenDocument files on my Dropbox, which solves the offline problem I had with Google Docs, which I do still adore for collaborative work.

Lemme know in the comments what you think!

Weekly Head Voices #5: Google Docs, Bad Netbook Karma, Cold does not cause cold.

It’s been a terribly quiet week blog-wise, but I did make that promise four weeks ago, and, seeing that I want to be a columnist when I grow up (hint hint employers of columnists) and those guys and girls simply HAVE to think up something interesting every single week, I too am going to do my best to add sweetness to the shortness that you see before you.

Speaking of shortness, I did get some off-blog (yes, face-to-face!) feedback on the previous edition of the WHV. Said (highly appreciated) feedback concerned the length of these posts, more specifically, that there was too much of it. It’s important to remember that I in fact do write these things with the chronically time-challenged in mind. One of the measures I take is to bold the most important themes in each paragraph, so that one can easily skip on to the next paragraph if the mentioned theme does not take one’s fancy. This week, I’m going even further by employing section headings! As always, please feel free to skip paragraphs and sections.

Before jumping in, I give you the traditional WHV photo, this time of my little Weber doing its thing (thanks to some crucial material supplied by my friendly neighbour) on the most brilliant of all South African celebrations: National Braai day!

My humble little Weber on NBD 2009.

Geeky Google Docs love affair

Google Docs is Google’s fantastic attempt (well, it was initially developed by Writely, which was soon assimilated by and has since been happily functioning inside of The Google Supermind) at an office suite. The whole thing, including Documents, Spreadsheets, and Presentations, runs in your web browser. This means that you always have access to your stuff from anywhere, and you never have to install any extra software. With the offline functionality, you can continue working even without an internet connection.

This was already pretty neat, but then they had to go and make it even neater. In my line of business, one of the coolest features is the fact that you can concurrently edit the same document with any number of collaborators. I’ve written research proposals together with colleagues before, where at a number of occasions we were actually editing the same paragraph of text from two different cities, and Docs didn’t break a sweat merging our edits in real-time. This functionality also eliminates the very irritating “Could you send me the latest version of the proposal” emails, the subsequent waiting and then the infuriating expired time window when the latest version finally arrives in the email.

A recent feature which is admittedly less impressive to the public at large, but made my geek heart miss several beats, was the built-in equation editor. Imagine my surprise when I tried this out for the first time and realised that it is in fact a real-time LaTeX math typesetter: You type your incredibly complex formula in standard LaTeX, and Google Docs shows the typeset math updated in real-time. This is even useful if you’re NOT using Google Docs but just want to fine-tune the formulas in your LaTeX article. Check the screenshot below:

Screenshot of Google Docs equation editor.

90% of MS Office users probably don’t use more than 10% of its functionality. Google Docs covers this 10% more than adequately, but without the complexity, the platform lock-in and the cost. Next time you’re considering emailing someone a Word document or Powerpoint, have a look at Google Docs first!

Netbook Bad Karma

On an extra partition, my netbook (Asus 1005HA-H, the computer I’m currently in love with) has the absolute latest development version of the Ubuntu Karmic Koala (9.10 – will be released at the end of October) Netbook Remix. Linux distributions, and especially Ubuntu, have been making great progress recently on state of the art hardware. On this netbook, suspend to RAM for example works out of the box, which is quite an achievement for Linux-kind. However, whereas battery life under the bundled Windows with the Asus Super Hybrid Engine (don’t laugh, to me it sounds like some kind of giant fighting robot power source) is an astounding 9+ hours, under Linux it’s a quite disappointing 4 or 5 hours. One very obvious factor is the CPU running at 1GHz at idle under Linux and 850MHz at idle under Windows.

Even installing and configuring the latest eeepc acpi utilities, including kernel module, from the testing repository at StatUX http://www.statux.org/content?page=repo, although enabling bunches of hotkeys, didn’t solve the battery problem. The CPU was still running at 1GHz.

I’m curious to see what the case will be at Karmic release, preferably with the stock Ubuntu Netbook Remix and not too much user fiddling. I’m considering writing a short review at that time, hopefully less critical than my previous attempt with Ubuntu Feisty beta (7.04) on my HP laptop.

Brand new Visual Data Analysis lecture block

For the past 4 years, I have been taking care of the Medical Visualisation parts (2 lecture blocks) of the TU Delft master-level Data Visualisation course (IN4086). Since the beginning of this year, I also give my very own dedicated 5 ECTS Medical Visualisation course (IN4307), which I have designed with the sole purpose of producing MedVis NINJAS. I take great joy in corrupting promising young minds with my special brand of evil science. :)

In a very recent development, it seems that I will now also be taking care of the Visual Data Analysis block of the general Data Visualisation course. I somehow blurted this out during a recent meeting, and now have the privilege of designing this one from scratch too.

This is quite interesting, because visual data analysis, or visual analytics as it’s sometimes called (urgh), is primarily associated with Information Visualisation, and being a MedVis fanatic I’m supposed to be a Scientific Visualisation guy. To cut a long story short, InfoVis and SciVis are two sub-fields in the broader field of Visualisation, but the communities behind them might as well come from different planets, in spite of the best efforts of some of my colleagues to unify everything. In any case, it turns out that we (when I say “we” I mean Jorik) have been secretly publishing suspiciously infovis-friendly articles the past few years. Look:

I find this a very interesting and gratifying development. An increasing number of my research collaborations in the medical research field are also benefiting from visual data analysis techniques. Keeping in mind the clichéd but no less real data explosion, we, as visualisation people, can greatly increase our value to the client. The forthcoming Visual Data Analysis lecture block I’m designing is just one step in the evolution of our science.

The End, my friend, also of your common cold misconceptions.

Pressing Ctrl-Shift-C in this Google Doc draft (how’s that for subtle product placement?), I can see that I’ve once again passed the 1000 word mark (1200 to be more precise).

Whoops.

I had even more planned, but instead I’ll conclude with a hopefully useful snippet of information, especially in the light of the coming winter. Many people I run into still somehow believe that there’s a causal relationship between being cold, as in going outside in cold weather, and getting a cold, as in sneezing and having a running nose. Well, I’m here to tell you that it’s an age-old myth. A myth I say! See this quote from the Wikipedia article on the common cold (emphasis mine):

An ancient belief still common today claims that a cold can be “caught” by prolonged exposure to cold weather such as rain or winter conditions, which is where the disease got its name.[9] Although common colds are seasonal, with more occurring during winter, experiments so far have failed to produce evidence that short-term exposure to cold weather or direct chilling increases susceptibility to infection, implying that the seasonal variation is instead due to a change in behaviors such as increased time spent indoors at close proximity to others.[6][10][11][12][13]

Just to ram that point home: Going outside in the cold, or being exposed to cold weather or direct chilling, very probably does not increase your chances of catching the common cold! Similar to this is the work on influenza. It turns out that there’s a link between the flu and absolute humidity: The lower the humidity, the higher the chance of getting the flu. It’s quite probable that you catch the flu virus not from going outside in winter, but from staying inside your heated and hence slightly drier home. Chalk one up for all the kids getting told, unfairly and without scientific basis, to dress up before going out or risk getting ill.

On that rebellious note, have a super duper week! (… and please do your thing in the comments below …)