Hi Loic,

you partly address my concerns.

2010/9/27 loic <[email protected]>

> - Once a flaw is detected in the Linux kernel and a patch for that
> flaw is integrated in the Linux kernel, how is this patch sent to the
> phones (if it is at all) ?
>
This IMHO highly depends on manufacturer, carrier and android version.
As for the distribution: AFAIK some android versions can be updated OTA.
Are phones patched at all? No, if manufacturers don't release updated
firmwares, security issues are likely to remain unfixed.

> - Is the end user notified that he should install this new update ?
>
That would be really cool, but no. There is no notification mechanism,
because manufacturers more or less "cook" their own firmwares with their own
changes. This is called "fragmentation", it leads to the undesirable
problem that there are many different versions of android in the wild.
And that's not all, because the end-user has no means of even knowing there
is an issue to be addressed. May I refer to my earlier thread "Not a single
security announcement?"
<http://groups.google.com/group/android-security-discuss/browse_thread/thread/8502e95086b9552e?hl=en>

> - Is this update process the same for all phone vendors
> (HTC,Samsung,...)?
>
No, see above. HTCs are currently upgraded to FroYo OTA by the carrier,
whereas Samsung only releases firmware through their software "Kies".

There are multiple problems that arise from these points you mention.
What if your phone is no longer supported by your manufacturer? If you're
unlucky, the device has a special bootloader and there will be no ROMs
provided by the development community.
But unfixed security issues can (and without a doubt WILL) be exploited.
Your phone then might download rogue apps that make expensive phone calls,
forward all your contacts' mail addresses to a spammer, ...

This highly undesirable situation is not because the OS itself is
inherently insecure, it's because of the relation of OS manufacturer, phone
manufacturer and carrier.

Regards
jan
