On Fri, Feb 11, 2011 at 10:25 AM, peterw <[email protected]> wrote:
> Is this more evidence that a fear a number of us have expressed
> recently, that Google doesn't bother backporting security fixes to
> older Android OS releases, is justified? E.G., anyone who can't
> upgrade past Android 2.2.x/2.3.0/2.3.1 will always be vulnerable to
> this new attack?

It's not quite that simple. Some patches are backported, but more important is what your Android distributor does. It's conceivable that some carrier, OEM, or open source Android distributor will ship a (say) Froyo with backported fixes from later Android versions. The ideal would be for a distributor to upgrade everyone to the latest Android version ASAP, and also include their own fixes for bugs that they responsibly disclose to Google and provide an open source patch for. Still waiting for that to happen on a serious scale...

Unfortunately, carriers and OEMs have proven more likely to do the opposite: to not even ship patches and new platform versions that Google ships, and to introduce even more vulnerabilities. So, yeah, the installed base will stay vulnerable for way, way too long, but it's not only Google's fault.

Mobile platforms are proving to be a massive step backward in security, which is unfortunate because they were poised to be a massive step forward. Alas.

(Still, I find that Android is the only shipping OS with a plausible internet-era design. Implementation and deployment problems are bad, but only Android is even trying.)

https://www.eff.org/deeplinks/2011/01/dont-sacrifice-security-mobile-devices
