A Year in Review of 0-days Exploited In-the-Wild in 2022 (googleblog.com)
130 points by arkadiyt on July 30, 2023 | hide | past | favorite | 46 comments


> These gaps between upstream vendors and downstream manufacturers allow n-days - vulnerabilities that are publicly known - to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device. While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android.

Ouch. Maybe acknowledging it means that they can act on improving that ecosystem with their downstreams?


The downstream vendors just don’t give a hoot. It’s been more than 10 years now and their behavior hasn’t changed. Google has moved mountains to throw as much as they can into userspace which can be patched by Google directly, but that effort has hit its limits. The rest will just never get better, because phone manufacturers love forced obsolescence, and when any exploit causes a serious issue they can just disingenuously point their finger at Google and say “well they made the software”.


Now hold on.. Google made not just the software but the structure that makes it practical for Google and hardware makers like Qualcomm to get their cake and the vendors to somehow be responsible for the gap it causes when every vendor has to integrate drivers separately into orphans of the Linux kernel.

Many vendors happily joined Android One which Google seems to have silently killed, so I don't think they are that happy losing reputation to sell Android phones they can't properly support.


Not so unhappy that they will stop doing it. They earn their reputations by continuing to bring these poorly supported products to market despite the situation being very well established.


It's not even just downstream vendors. Google itself only supports its devices for three years. I bought a Pixel 4a on release in 2020 and next month will be my last security update.

https://support.google.com/nexus/answer/4457705

Can you imagine if Apple or Microsoft stopped making OS updates for CPUs more than three years old?


They've bumped it up to 5 years for Pixel 6 and later https://support.google.com/pixelphone/answer/4457705#zippy=%...


I've been using third party ROMs on Pixel 3. They receive monthly security updates to some extent, but obviously the hardware specific "vendor binaries" are still outdated. Frankly, I cared more about the open nature of the ROM than about security/privacy. These days, I assume all my data is available for sale everywhere anyways.


I was annoyed when they announced that 1st gen Ryzen isn't supported in Windows 11.


But you still get security fixes for Windows 10 for years to come


You can’t expect part time open source contributors to work for free for you. Instead volunteer to take over maintenance by reviewing PRs and triaging user bug reports.


The delay in updates is what originally pushed me to move from Android to iOS a while back, and years later it’s still an issue. You would think at least Nexus/Pixel would get updates quickly, but that still isn’t always the case. It seems like even within Google there are some issues that need to be addressed before they can lead other manufacturers by example.


The situation on Android is utterly insane. I bought a Pixel via my carrier a few years back only to find out that my _carrier_ was responsible for software updates, and they held them back so they could add their own bullshit to the OS. I was months waiting for a major Android OS version on a flagship Google device.


Google have been quite irresponsible on some of their own devices too. For example the Chromecast With Google TV is actively being sold (and new product revisions released), yet it is still running Android TV 12 despite 13 coming out in December 2022.

Apparently even they are struggling to update the device because of its lacklustre storage (8GB, only 4.4GB usable) which means there simply isn’t enough space for large OTA updates.


While I agree that Google and manufacturers need to do better, the article shows that the number of detected in-the-wild zero days is higher for iOS than Android in the newest stat (2022), while it used to be higher for Android.


That's basically because Android nowadays has the absolute bare minimum on the kernel, the rest is updated dynamically


For some reason I read it as if you think that is a bad thing? In my opinion that is how it should be and it is a strength.


I think it's half bad, half good. It would be nicer if we could have a proper upgrade path for the system but this downside pushed some very clever solutions which are making Android the most secure platform which exists right now in my opinion.


Microsoft Exchange being listed alongside entire operating systems with comparable numbers of ITW vulnerabilities is something I somewhat relate to after running such systems.


Page doesn't seem to load at all on Firefox.


Same for me, it appears that this URL is being blocked by FF. Is that what is causing the issue?

https://2542116.fls.doubleclick.net/activityi;src=2542116;ty...?


I see that URL being blocked but the site still loads.

I just tested this on v114, v115, and nightly (117.0a1 (2023-07-31) (64-bit)) and couldn't reproduce.

On nightly, I tried setting Enhanced Tracking Protection to strict and installing uBlock Origin, and still couldn't get it to show a blank screen.

(MacOS 13.4.1)


I see the issue on 115.03 on Windows and MacOS.

https://i.imgur.com/XLfgy3K.png


Do you see any failing network requests in devtools, other than the doubleclick one?


I believe that I see you in the web-bugs issue, so to add more info, here is a safari screenshot with the crazy slow load time. I am getting 52Mbps from fast.com at the moment, rest of the web is snappy. In chrome it takes ~9.25s to finish rendering which is still slow compared to other sites imo.

Safari (MacOS 11.4 on late 2012 Mac Mini): https://i.imgur.com/iNo50sU.png


I posted on the github thread - it looks like there is a visibility: hidden; that never gets removed so the page looks blank even though all the elements are there.


Also, regarding the comment in the report about it being geo related, I am in central EU, but I tried VPNing to the USA and same result.


No, I do not, FF on Win10: https://i.imgur.com/KfSAp57.png

I should add that on Safari, the content part of the page does take a long time to load or render.


uBlock on Edge blocks that same URL and the page works fine without it.



FWIW, I filed a bug a few days ago for the issue I was seeing. A profile showed that Firefox was spending all of its time evaluating a regex. Which is weird because Chrome uses the same regex engine. https://bugzilla.mozilla.org/show_bug.cgi?id=1845775


It loads a page with a large heading and no content in my Firefox. I'll just assume an empty page is Google's take on security in general.


Loads for me just fine on Firefox 116, on Linux.


Doesn't load for me (FF on Linux).


Are you using an ad blocker? Maybe try disabling your add-ons and reloading.

The site loads fine for me in Firefox 117 (Nightly) on macOS.


Doesn't load for me (115, macOS), but I do have uBlock Origin, which blocks two domains and some "3rd party" scripts. Google will always be Google, and I'm not going to unblock those.


Here's a mirror: https://archive.is/U8YTo


Same issue, doesn't load on vanilla Firefox.


Took a while to load in mobile Safari as well, but it did eventually when I waited a while. Interestingly it works almost immediately in desktop Safari?


Loaded fine first time for me


Goog must not be acknowledging other browsers anymore.


It works fine for me on Android


It loads on Firefox on my Samsung phone.


It seems fine on my machine -- albeit a hair slow. Do you have JS enabled? I think it's required.


> The Android security team then decided that they considered the issue a “Won’t Fix” because it was “device-specific”. However, Android Security referred the issue to ARM. [...] While ARM had released the fixed driver version in October 2022, the vulnerability was not fixed by Android until April 2023

What's going on there? If the bug is in Android's source repo, where it has to be fixed and released by the Android team, it seems like a valid bug in Android. Marking it "Won't Fix" seems inappropriate since they did eventually fix it.


This URL gave me an https certificate error.


It's interesting to see all the "Subject Alt Names" signed in that cert. https://tfhub.dev/google/bird-vocalization-classifier/3 is neat



