My phone is on the latest (Feb) stock firmware, it has been unlocked, and then rooted with Magisk. After that, the only other thing that I did was to deny a bunch of permissions to a bunch of apps (altogether too many to list, but the only app to complain about anything is 'Play Store Services').
That's the background. Now, when I go to Settings->About phone->Android version the "Android security patch level" shows "February 5, 2020" which, obviously, is not the latest security patch for Android 10, and I was convinced that because PH-1 was a Project Treble phone, it would be getting security directly from Google, so what am I missing (or have I messed up with the intended flow of things by blocking too much from Google)?
As far as I know, security updates are still delivered via OEM patches. If you want security updates for this phone, you have to flash another ROM.
MarSOnEarth said:
I was convinced that because PH-1 was a Project Treble phone, it would be getting security directly from Google, so what am I missing (or have I messed up with the intended flow of things by blocking too much from Google)?
From what I know about Treble, it does NOT mean the security updates are provided directly by Google. It only makes it easier and faster (by separating the OS framework from the hardware-dependent vendor code) for vendors to prepare and release updates. But the updates are still packaged and released by the vendors.
The Project Mainline changes that, so the security updates would be delivered straight through Google Play. But we are out of luck with the PH-1 here...
kt-Froggy said:
From what I know about Treble, it does NOT mean the security updates are provided directly by Google. It only makes it easier and faster (by separating the OS framework from the hardware-dependent vendor code) for vendors to prepare and release updates. But the updates are still packaged and released by the vendors.
The Project Mainline changes that, so the security updates would be delivered straight through Google Play. But we are out of luck with the PH-1 here...
Ahh. Thank you for this clarification.
With my (paranoid) online hygiene + AFWall I'm still very comfortable using this phone as is, and the feedback from the Android 11 thread is reassuring that there will be another lifeline for this hardware. Life's good.
Hopefully with Android 11 we will be able to somehow load in monthly security updates.
I'm using LineageOS right now. Works really good including monthly security updates. There is only one problem with the microphone in voice calls when the loudspeaker is on.
Essential delivered security updates. They closed up shop in February. Only way to get security updates is via 3rd party ROM.
You can get Google Play security updates OTA, but they're not thorough like normal security updates.
Researchers at Bluebox Security have revealed a disturbing flaw in Android's security model, which the group claims may affect up to 99 percent of Android devices in existence. According to Bluebox, this vulnerability has existed since Android 1.6 (Donut), which gives malicious app developers the ability to modify the code of a legitimate APK, all without breaking its cryptographic signature -- thereby allowing the installation to go unnoticed. To pull off the exploit, a rotten app developer would first need to trick an unknowing user into installing the malicious update, but hackers could theoretically gain full control of a user's phone if the "update" posed as a system file from the manufacturer.
Bluebox claims that it notified Google of the exploit in February. According to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that's currently immune to the exploit -- which suggests that a security patch may already exist. Forristal further claims that Google is working on an update for its Nexus devices. In response to our inquiry, Google told us that it currently has no comment. We certainly hope that device manufacturers do the responsible thing and distribute timely security patches to resolve this issue. Absent that, you can protect yourself by installing updates through the Play Store and Android's built-in system update utility.
Source:
http://www.engadget.com/2013/07/04/bluebox-reveals-android-security-vulnerability/
Just read this here and on an Australian news website, news.com.au, they recommend:
So what can I do about this?
- Do not allow apps from unknown sources. To do this go to Settings, Security and untick "allow unknown sources".
- Well, the news isn't good. Until further notice, news.com.au recommends that you don't download any non-Google apps.
- Bluebox has recommended that users update their operating system to the latest version.
- Also, if you have any apps which store your personal information such as credit card or PayPal information (like eBay, Amazon or Etsy), you should remove this information immediately.
- Remove any personal information from your phone (do you have your credit card pin stored in your notes? Get rid of it)
Crap advice for majority of users I feel.
Most users will have 'unknown sources' off by default but they advise not download any non Google app even from the play market as mentioned elsewhere in article.
They say to update your phone, how easy is that to do when carriers and manufacturers don't release up to date firmware for phones..
That is fine for people like us that flash new Roms all the time but for normal folk it's not a viable solution.
I don't really think the threat is so great, going by those that report such though we all had better stop using android..
I am more concerned with apps using other apps permissions/data flaw
and the Google Play update/install protocol not being encrypted, so it is catchable and falsifiable.
Regarding what is stated in the article, this was known almost day 1, which is why from the beginning Android said don't install non-market stuff. And it has also been known crapware has entered the market.
So all in all, it's an obvious article.
Sent from my GT-N7000 using Tapatalk 2
I totally agree baz77, this has been known for a very long time now. There are also quite a few apps in Play that are "crapware".
The issue has been fixed on Google's side and CyanogenMod (08/07 nightly and yesterday's security release CM10.1.1.)
Now, it is up to the OEMs to follow
I guess I got it wrong, it is a separate issue, glad the pros getting it fixed, they need to be applauded! Salute!
Sent from my GT-N7000 using Tapatalk 2
I've noticed that I seem to be missing a few updates that I expected I'd be one of the first in line for as a Nexus 4 owner.
Firstly, the Master Key vulnerability fix doesn't seem to have reached my phone. At least, according to Bluebox security scanner
Secondly, I still have no visibility of the new Google Maps redesign
My phone is a generic operator free Nexus 4 running stock (custom kernel though). Anybody else still waiting, or have I fallen off the automatic updates conveyor belt so far?
Where are you from? App updates from Google reach different parts of the world at different times.
thisisgil said:
I've noticed that I seem to be missing a few updates that I expected I'd be one of the first in line for as a Nexus 4 owner.
Firstly, the Master Key vulnerability fix doesn't seem to have reached my phone. At least, according to Bluebox security scanner
Secondly, I still have no visibility of the new Google Maps redesign
My phone is a generic operator free Nexus 4 running stock (custom kernel though). Anybody else still waiting, or have I fallen off the automatic updates conveyor belt so far?
We are sailing in the same boat. Rooted with only custom recovery rest stock.
vanmarek said:
Where are you from? App updates from Google reach different parts of the world at different times.
Based in the UK. If you've had the vulnerability patch already, did it come in the form of an app download or an ota update?
I'm in the UK and had the Maps update the day it was released.
thisisgil said:
Based in the UK. If you've had the vulnerability patch already, did it come in the form of an app download or an ota update?
Google hasn't released a patch for the vulnerability, that's why you haven't gotten it. All they have done so far is release the code to their OEMs so they can patch their individual versions of Android. More than likely Nexus devices will get the patch in the 4.2.3 OTA whenever it gets released. In the meantime there is an app in the Play Store, ReKey, that will address the vulnerability. Or you could just turn off install apps from unknown sources in the security settings, which will also take care of the issue temporarily.
As for the other app updates they can take up to 2 weeks to deploy to all phones.
Had the Nexus 6P - but even with Franco kernel and normal use battery life wasn't long enough. Saw the release of the S7 Edge unlocked which was great so I went and picked it up from best buy last night. Big reason is the monthly update cycle and keeping everything patched from a security standpoint without the Verizon bloat and slow release cycles.
Went to check the patch level and saw "Android security patch level: May 1, 2016". Checked for updates and there are none.
Anyone else experiencing this? Appears to be missing June for sure and the newly released July security patches.
kennedyd013 said:
Had the Nexus 6P - but even with Franco kernel and normal use battery life wasn't long enough. Saw the release of the S7 Edge unlocked which was great so I went and picked it up from best buy last night. Big reason is the monthly update cycle and keeping everything patched from a security standpoint without the Verizon bloat and slow release cycles.
Went to check the patch level and saw "Android security patch level: May 1, 2016". Checked for updates and there are none.
Anyone else experiencing this? Appears to be missing June for sure and the newly released July security patches.
Yeah mine has the same update. Does yours have the briefing feed on the left of your home screen? I noticed mine doesn't like the carrier ones do.
Same here..
Alaris said:
Yeah mine has the same update. Does yours have the briefing feed on the left of your home screen? I noticed mine doesn't like the carrier ones do.
Yep - same with me - no briefing feed when you swipe left - nothing there.
Wonder what's happening - would hope Samsung provides updates to their own phone..?
I'm guessing it's because the phone just came out that they haven't released an update with the latest security patches yet. They probably have to set up their update servers for this new phone and a bunch of other behind the scenes stuff to get updates rolling. I would assume that it will get something within the next couple weeks and then continue to keep up with the other variants.
Does this variant of the S7 Edge have an unlocked bootloader?
No unlocked bootloader - just not tied to an individual carrier i.e. verizon, etc. with the extra bloatware.
Still no updates yet to the SM-G935U.
Ended up returning it and going back to my Nexus - no updates really sucks.
Has anyone figured out how to get briefing on the left screen. I used that a lot and i can't get it to work. Even went to the play store and Samsung store, got briefing but it won't let me enable it on the home screen settings...?
I've gone round and round with Samsung support about this particular unlocked device. The bottom line is that they are saying OTA updates for these devices might not be available because those are normally pushed through the carrier. They suggested to use their Smart Switch tool to apply updates. Even though this is a terrible idea and they should use OTA (with the invention of non-carrier WiFi these days ), I checked using this tool and surprise... there were no updates available.
I'll spare everyone the entire conversation, but this is how it ended:
"We understand. If you have an unlocked the latest updates for firmware and security can be done through Smart Switch. If you have checked for an update using Smart Switch and there aren't any currently available, we couldn't speculate on when that may change. In many cases this wouldn't be delivered OTA because OTA updates are normally pushed by carriers. Unlocked devices may not be able to get updates directly from the carrier currently being used. ^Jay"
Mine just updated today with the August 1st security patches. If I had to guess, they waited until the Olympics were over since they handed these unlocked devices out to every athlete in attendance and they didn't want them receiving updates during the event.
Hopefully now that the unlocked models have received their first update, they will continue to get regular updates at the same time as other variants.
just checked for update - 164.13 mb ) ( g935v flashed to g935u)
Interesting
secsquirl said:
Mine just updated today with the August 1st security patches. If I had to guess, they waited until the Olympics were over since they handed these unlocked devices out to every athlete in attendance and they didn't want them receiving updates during the event.
Thanks for posting this one, that's good to hear. I wonder if they will proceed further. Good to hear Samsung's infrastructure will support updates in the future. I wonder if it's only for security patches or if they will do incremental updates to OS as well, like Android N for example.
Just got this tonight. I didn't have automatic update turned on but I checked and this showed up. Idk if i should do it or not.
I'm on T-Mobile with the SM-G935U. I got the update a few weeks ago and now it shows the Aug 1,2016 Android security update.
As far as root and bootloader unlock should i not do the update or just go for it?
Can the sm-g935U be flashed using DFS Tools? Do these codes bring up the diag menu?
##3424#
###366633#
Can someone please try those codes and see if the diag menu shows.
Thanks
PapaDocta said:
Can the sm-g935U be flashed using DFS Tools? Do these codes bring up the diag menu?
##3424#
###366633#
Can someone please try those codes and see if the diag menu shows.
Thanks
Those codes don't bring up anything. Neither does *#0*# - I'm still on the damned May 1, 2016 Security update and it doesn't seem to think I need one.
Hi, what's the latest security patch level? I just got my phone and it is showing after the firmware update 1-Apr-2017. My company is not permitting me to access exchange due to old security patch level. What is the latest version and is there a way to force it or install it somehow? Thanks.
April 1st is the current patch level.
thanks for the response, this will be a problem for me then as our admins will require the patch to be installed in a week or 2 after being released by Google.
samitro said:
thanks for the response, this will be a problem for me then as our admins will require the patch to be installed in a week or 2 after being released by Google.
Your admins seem a bit clueless when it comes to updates on android phones, let alone non-pixel phones.
In most cases, the patch level will be 15 to 20 days behind on the flagships in unlocked regions with no carrier bs.
The gap widens as major upgrades loom in (ex: from 6.0 to 7.0).
The s7 was left on an old security patch for a few months until 7.0 came out with the latest ones.
Oh, and as the device becomes older, updates switch to 4 month cycles, check the samsung security website for more details on what devices are on what release cycles. Currently, this is anything older than the S6.
EDIT: Link: http://security.samsungmobile.com/introsm.html
Not so good I was looking forward to move away from my iPhone. Thanks anyway.
I purchased an S8 and found out that the security patch is outdated and is not supported by my employer
OP are you using Microsoft Intune/Company Portal to handle your Exchange account?!
May release is already out since 25th~ of May in some (if not most by now) markets, run an update.
JaeMelo said:
OP are you using Microsoft Intune/Company Portal to handle your Exchange account?!
No, my company required Airwatch MDM to access corporate email.
Skander1998 said:
May release is already out since 25th~ of May in some (if not most by now) markets, run an update.
My S8 is the USA unlocked version. No update till now. (Already checked)
sabaatworld said:
No, my company required Airwatch MDM to access corporate email.
My S8 is the USA unlocked version. No update till now. (Already checked)
Can you please screenshot your settings -> software info page?
sabaatworld said:
I purchased an S8 and found out that the security patch is outdated and is not supported by my employer
Your employer is an idiot if he thinks all android phones will be on the latest security patch, only the pixel is updated monthly.
Skander1998 said:
Can you please screenshot your settings -> software info page?
Here you go
peachpuff said:
Your employer is an idiot if he thinks all android phones will be on the latest security patch, only the pixel is updated monthly.
My employer doesn't require I use any specific phone, they require that the phone I use on their network be patched with the latest OS Security patch (whether Android, Apple or Microsoft). That doesn't make them an idiot, it makes them conscious about data-loss/breaches. As a consumer of technology you REALLY want that.
More employers are requiring that mobile phones have monthly security patches applied. So far only Apple and Google fit the bill. Google has even cranked up the price of their mediocre flagship because they KNOW this. All the other mobile manufacturers are just handing the business market to Apple and Google by being blind to this.
And I can verify what the OP said. I just purchased an Unlocked S8+ and the security patch level is April 1, so it's 2 months behind the Samsung promised "monthly security patching".
Received a firmware update today plus security patch for June
Now you can easily hide the nav bar for immersive experience. Very nice addition.
mbashat said:
Now you can easily hide the nav bar for immersive experience. Very nice addition.
It's a very welcome addition and saves messing around with adb commands to get the full immersive experience, shame though that you cannot enable or disable it yet on a per app basis.
daleski75 said:
It's a very welcome addition and saves messing around with adb commands to get the full immersive experience, shame though that you cannot enable or disable it yet on a per app basis.
I have checked and the good news is that you do have the option to select which apps run in full screen mode. Not all apps are supported though.
To do this select Settings>Display>Full Screen Apps.
mbashat said:
I have checked and the good news is that you do have the option to select which apps run in full screen mode. Not all apps are supported though.
To do this select Settings>Display>Full Screen Apps.
That's something else and only means the app is filled to the 18.5:9 screen ratio. That was there since launch of the S8(+).
my last was april... shame Samsung...
I hear Verizon and Google have released a ota of the Sept security patch for Verizon's pixels yesterday.. if you have a Verizon be sure to check for update manually in settings, about phone, software update..
I saw it on my Pixel XL this morning but not on my wife's Pixel. I have no details except the size of ~55MB since that is all that shows. It is not available for download in the OTA images or the factory images section. I assume it will not work over the standard OTA mechanism since the phones are rooted, and I have no interest in taking the patch blindly anyways.
The September 2017 Security Patch should have been released already. But due to some reasons, Google has delayed the upcoming monthly security update. The reason for the delay could be the release of a new stable Android 8.0.0 Oreo firmware update for Google Pixel and Nexus phone. Under the AOSP project, Google released 3 sets of monthly updates. One for the latest Android 8.0 Oreo, another for 7.1 Nougat, and finally the Marshmallow. Today, the Google Pixel XL device is receiving the September 2017 security patch OTA.
The first Google devices to receive the September 2017 Security Patch are the Unlocked Pixel XL 128 GB on AT&T and Verizon. That means, the US carriers shall receive the OTA update before the global roll out. The international variant of Pixel, Pixel XL, Nexus 6P, and Nexus 5X may receive the next security patch as soon as today. So stay tuned as we will list the update here.
The OTA update for AT&T Pixel XL brings the firmware build number OPR3.170623.007 dated September 5th 2017 level based on Android 8.0.0 Oreo. This is an upgrade over the previous OPR6.170623.012 August 5th 2017 8.0.0 Patch.
This September OTA update comes in a very small OTA package. It weighs about 50.61 MB in size. The changelog states the following.
This update fixes critical bugs and improves the performance and stability of your Pixel XL. If you download updates over the cellular network or while roaming, additional charges may apply. Update size 50.6 MB
Note: Google Pixel XL users have reported that the OTA notification shows that it is based on Android 7.1.2 Nougat, whereas the Pixel devices are already running 8.0.0 Oreo. However, upon update, the Android version is based on 8.0.0 Oreo and September 2017 security patch level. So it could be an error from Google’s side.
Download Google Pixel (XL) September 2017 Security Patch OTA update
One of the Google Pixel XL users has managed to capture the latest OTA update from the LogCat file. September 2017 security patch.
AT&T Google Pixel XL 128 GB | OTA Download | google_marlin_marlin
Verizon carrier Pixel XL | OTA download |
8.0.0/OPR3.170623.007 from 8.0.0/OPR6.170623.012
Android 8.0 – Oreo for Pixel XL
Official factory images
Official full OTA images
Build for Global, Bell, Telus, Telstra, TMoUS, Sprint, USCC, Rogers/Fido
Android 8.0 – Oreo for Pixel
Official factory images
Official full OTA images
Build for Global, Bell, Telus, Telstra, TMoUS, Sprint, USCC, Rogers/Fido
Soon the official factory images for September 2017 Security Patch will show up. Also, download OTA update image from above and install it via ADB sideload method.
What's in the security patch
There are 30 issues resolved in the security patch dated 2017-09-01 and 51 in the 2017-09-05 one. Google notes that the two security patch level strings provide “Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.”
Google devices will receive the latter patch, while devices from other manufacturers will also feature OEM-specific fixes. This month’s bulletin also includes a new section that lists patches that are specific to Google devices.
Vulnerabilities range from moderate to critical, with the most severe possibly enabling remote code execution when browsing, using email, or MMS. However, Google notes that there are no reports of customers being affected by these security issues.
Still not interested? Some people are willing to give up root for a little while in order to improve their security... Only someone who thinks having root 24/7 is better than improving security is something different.. I know with this patch it stops people from remotely controlling your device... I think if I was rooted I'd unroot and add this security protection...
Pixelxluser said:
Still not interested? Some people are willing to give up root for a little while in order to improve their security... Only someone who thinks having root 24/7 is better than improving security is something different.. I know with this patch it stops people from remotely controlling your device... I think if I was rooted I'd unroot and add this security protection...
If someone is rooting, why not apply the update and reroot. We all do that every month. I just did mine for this update. I get the loss of security if you root but you dont need to give up root to update.
Pixelxluser said:
The first Google devices to receive the September 2017 Security Patch are the Unlocked Pixel XL 128 GB on AT&T and Verizon. That means, the US carriers shall receive the OTA update before the global roll out.
The OTA update for AT&T Pixel XL brings the firmware build number OPR3.170623.007 dated September 5th 2017 level based on Android 8.0.0 Oreo. This is an upgrade over the previous OPR6.170623.012 August 5th 2017 8.0.0 Patch.
AT&T Google Pixel XL 128 GB | OTA Download | google_marlin_marlin
I would like to know where you copied & pasted this info since at&t does not sell the pixel, so, I can't see them releasing a ota.
Last I knew, google controls this
Sent from my Pixel using XDA-Developers Legacy app
I was rooted on Oreo and updated to this new build and my service still sucks? I'm right next to a cell tower and my phone is going from -64 to -80dbm and its making my battery tank. I'm about to go back to 7.1.2.
I think a big misconception is trying to pull people away from improving their own security and safety by using the whole oh you will lose root if you do that and may lock your bootloader.. just because you personally don't care about your own safety doesn't mean you should try to prevent someone else from improving their own safety.. come on the fact is it's just root you will be fine to live without it for a little while it's not going to hurt you to give it up for a few...
And another thing is all the new pixels and Pixel XL are gonna come preinstalled with these new security patches so you all might as well get used to it...
I don't understand why Google doesn't post these on their website immediately. I have a Pixel on Verizon and have no way of accessing it until they finally publish the update to their site or I just start receiving it. It's always this awkward way with a lot of confusion. It would also be nice if they fixed the few small bugs in Oreo (i.e. picture in picture mode causing reboots when you turn the screen off/back on). It's just a little annoying.
The Sept security patch also fixes a Bluetooth problem. It's recommended to update to any software with the Sept security patch or a later security patch.
Google is still working on getting the September security patches out the door, but it has posted a security bulletin detailing the changes. Several of the flaws noted in the bulletin are part of an enormous Bluetooth vulnerability discovered by Armis Labs, which bills itself as an IoT security firm. The "BlueBorne" attack exposes billions of Android devices to complete takeover by hackers, but it's not only Android. The same flaw exists in Windows, Linux, and some versions of iOS.
BlueBorne is dangerous because most devices have Bluetooth active even when it's not actively being used, and an attacker does not need to pair with the target device to completely take it over. There are eight vulnerabilities listed by Armis, four of which are critical (though Google's classifications differ). The most severe issues are the two remote code executions, which allow an attacker to completely own a device without the user even knowing. These flaws are present in the Bluetooth Network Encapsulation Protocol (BNEP) service, which is used for internet sharing and networking.
You don't even need an internet connection to infect a device, and the Android demo above is wild. If one of the affected devices has Bluetooth on, it's a target. The attacker can gain complete control of the phone to launch any app, install malware, and exfiltrate data. Armis estimates that about 8 billion devices are vulnerable, including 2 billion Android phones, tablets, set top boxes, and watches. There are another 2 billion Windows devices and around 1 billion iOS phones and tablets affected. BlueBorne doesn't work on iOS 10, so the damage is mitigated there.
BlueBorne vulnerabilities in the security bulletin
Most of the vulnerabilities in Android reported by Armis affect all recent builds of the OS, so Google is adding a lot of patches to AOSP. It's up to OEMs to push those out to devices, though. Anything with a patch level of September 1st, 2017 or later will have the necessary fixes. It's going to take time for this patch to roll out, and in the meantime, there are a lot of vulnerable devices.
This was taken from the Android Police website.
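The patch-level strings quoted throughout this thread, and the September 1st, 2017 threshold given above for the BlueBorne fixes, can be checked mechanically. The following is an added example, not part of any post here: it normalises the date formats seen in the thread (plus the ISO form Android reports in `ro.build.version.security_patch`) and applies a "patched within two weeks of release" rule like the one the posters' employers describe. The bulletin publication dates, the 14-day grace period and the audit date are constructed assumptions.

```python
"""Added example: audit Android security patch levels (constructed data)."""
from datetime import date, datetime, timedelta

# Patch level the quoted article names as carrying the BlueBorne fixes.
BLUEBORNE_FIXED = date(2017, 9, 1)

# ISO form (as in ro.build.version.security_patch) plus the display
# formats that posters typed in this thread.
_FORMATS = ("%Y-%m-%d", "%B %d, %Y", "%b %d, %Y", "%b %d,%Y", "%d-%b-%Y")

# (patch level, publication date) pairs. Constructed for the example.
BULLETINS = [
    (date(2017, 4, 1), date(2017, 4, 3)),
    (date(2017, 5, 1), date(2017, 5, 1)),
    (date(2017, 6, 1), date(2017, 6, 5)),
]


def parse_patch_level(text):
    """Turn a patch-level string into a date, or raise ValueError."""
    cleaned = text.strip()
    for fmt in _FORMATS:
        try:
            return datetime.strptime(cleaned, fmt).date()
        except ValueError:
            continue
    raise ValueError("unrecognised patch level: %r" % text)


def months_behind(level, newest):
    """Whole bulletin months between the device level and the newest one."""
    return max(0, (newest.year - level.year) * 12 + newest.month - level.month)


def required_level(bulletins, today, grace_days=14):
    """Newest patch level whose grace period has already expired."""
    due = [lvl for lvl, published in bulletins
           if published + timedelta(days=grace_days) <= today]
    return max(due) if due else None


def audit(raw_level, bulletins, today, grace_days=14):
    """Evaluate one device against the policy and the BlueBorne threshold."""
    level = parse_patch_level(raw_level)
    newest = max((lvl for lvl, pub in bulletins if pub <= today), default=level)
    need = required_level(bulletins, today, grace_days)
    return {
        "level": level.isoformat(),
        "months_behind": months_behind(level, newest),
        "compliant": need is None or level >= need,
        "has_blueborne_fixes": level >= BLUEBORNE_FIXED,
    }


if __name__ == "__main__":
    audit_day = date(2017, 6, 10)  # constructed audit date
    # Strings as posters wrote them, plus one ISO value.
    for raw in ("1-Apr-2017", "May 1, 2016", "Aug 1,2016", "2017-05-01"):
        print(raw, "->", audit(raw, BULLETINS, audit_day))
```

A device reporting `1-Apr-2017` on the constructed audit date comes out two bulletins behind and non-compliant, which is the situation the unlocked S8 owners describe. A level that cannot be parsed raises an error instead of being treated as compliant.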
It's also recommended that the devs here on xda get rid of the software which is vulnerable to these problems.. it doesn't really show good faith of a Dev if they know there's security problems in the roms but yet keep them posted for someone to download and install...
Pixelxluser said:
It's also recommended that the devs here on xda get rid of the software which is vulnerable to these problems.. it doesn't really show good faith of a Dev if they know there's security problems in the roms but yet keep them posted for someone to download and install...
Boring.......
Pixelxluser said:
It's also recommended that the devs here on xda get rid of the software which is vulnerable to these problems.. it doesn't really show good faith of a Dev if they know there's security problems in the roms but yet keep them posted for someone to download and install...
Do you even know what the ... ah not worth it
Sent from my Pixel using XDA-Developers Legacy app