[Tweet deleted by its author]
You should be avoiding Android as a whole if you think they deliberately put in backdoors, because backdoors can be hidden in open source code as bugs. The same applies to other software where Google plays a substantial role including the Linux kernel and many other projects.
[Tweet deleted by its author]
It's worth keeping in mind that desktops and laptops have similar issues. They have huge numbers of components, many with their own complex firmware like HDDs/SSDs, Wi-Fi, etc. It's even rarer to have proper firmware updates on those than phones.
AOSP offers much better privacy and security than a traditional operating system without a strong security model and strong exploit mitigations too. LineageOS hinders some of that, but most is still intact. Most devices not having full security updates is a huge issue though.
[Tweet deleted by its author]
Having the AOSP security updates doesn't mean you're receiving most of the critical security vulnerability fixes. A disproportionately large number of the security issues are in device-specific code, lots of it closed source. Having most fixed wouldn't really help much anyway.
An attacker doesn't need hundreds of vulnerabilities available, although there are hundreds of serious unfixed vulnerabilities after a year of not receiving updates from the vendors and only applying AOSP security fixes and upstream kernel fixes (and the latter is not a given).
An attacker only needs a few good vulnerabilities to have a working exploit chain. It makes sense for them to target SoC vendor code portable across millions of devices but harder to update than AOSP code. Shipping the AOSP updates alone leaves many critical gaping holes open.
For example, vulnerabilities in the GPU driver can often be exploited from a web browser. A vulnerability in audio/video handling can be even more exposed. These areas involve huge amounts of closed source vendor code in driver libraries/firmware requiring updates from them.
Note that there aren't upstream branches for 3.4 and 3.10 that are maintained anymore, and there are many Android devices under 5 years old using those. The Nexus 5X and 6P are 3 years old and use 3.10, as do other Snapdragon 820/821 devices. People don't take over this work.
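The thread's practical point is that a device can carry AOSP patches and still sit on an abandoned kernel branch or a months-old security patch level. The script below is an added example, not code from the thread or from any Android project, that turns that check into something a defender can run against a fleet. It reads the two strings a device exposes (`uname -r` and the `ro.build.version.security_patch` system property, both real), treats the 3.4 and 3.10 branches as end-of-life because the thread says so (any other branch is reported as "check", to be looked up on kernel.org rather than assumed supported), and uses an assumed threshold of 3 months for a stale patch level, since Android security bulletins are monthly. The sample device values at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag Android devices on a dead kernel
# branch or a stale security patch level. Assumes the kernel release string
# and ro.build.version.security_patch (YYYY-MM-DD) as inputs.

# Kernel branches the thread names as no longer maintained upstream.
# Anything else is "check" (look it up), never "supported": branch status
# changes over time and this table is a constructed snapshot.
kernel_branch_status() {
    # $1: kernel release string, e.g. "3.10.84-perf-g1234567"
    branch=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$branch" in
        3.4|3.10) printf '%s\n' eol ;;
        "")       printf '%s\n' unknown ;;
        *)        printf '%s\n' check ;;
    esac
}

# Whole months between a patch level (YYYY-MM-DD) and a reference date
# (YYYY-MM-DD). Pure shell arithmetic, so no GNU date is needed; a missing
# or malformed date yields -1 so the caller treats it as a failure.
patch_age_months() {
    case "$1:$2" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]:[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) printf '%s\n' -1; return 0 ;;
    esac
    py=${1%%-*};  pm=${1#*-};  pm=${pm%%-*};   pm=${pm#0}     # strip leading 0
    ry=${2%%-*};  rmo=${2#*-}; rmo=${rmo%%-*}; rmo=${rmo#0}   # (avoids octal)
    printf '%s\n' $(( (ry - py) * 12 + (rmo - pm) ))
}

# One-line verdict. max_months (default 3) is an assumed threshold: bulletins
# ship monthly, so a level several months old means updates are being skipped.
assess_device() {
    kernel=$1; patch=$2; today=$3; max_months=${4:-3}
    kstat=$(kernel_branch_status "$kernel")
    age=$(patch_age_months "$patch" "$today")
    verdict=OK
    if [ "$kstat" = "eol" ]; then verdict=AT-RISK; fi
    if [ "$age" -lt 0 ] || [ "$age" -gt "$max_months" ]; then verdict=AT-RISK; fi
    printf '%s\n' "$verdict kernel_branch=$kstat patch_age_months=$age"
}

if [ "${1-}" = "--live" ]; then
    # Read the real values from a connected, authorised device over adb.
    assess_device "$(adb shell uname -r | tr -d '\r')" \
                  "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" \
                  "$(date +%Y-%m-%d)"
else
    # Constructed sample: a Snapdragon 820-class device a year past its last update.
    assess_device "3.10.84-perf-g1234567" "2017-10-05" "2018-11-06"
fi
```

Run it with `--live` against a device to use real values; without arguments it prints the verdict for the constructed sample. The point of reporting "check" rather than "supported" for unknown branches is that an inventory script should never upgrade ignorance into assurance.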