For once the headline is underselling the scope of the issue.
"some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets."
It’s an app signing key. I don’t think it will work for firmware. But I’m not sure. Can someone more knowledgeable about Android’s chain of trust chime in?
Signing your app using this key would allow you to name your app system.uid.android, effectively giving you root for free. You probably won't be able to sign firmware in the Linux sense of the word, but in android world "firmware" is loosely defined and is often used to talk about the android ROM.
On android only the apps and updates are signed. In the normal system state is the only writable part the encrypted data partition, system,vendor and product are readonly mounted and can be only be mounted in the writable mode after an update is verified and the update binary mounts the partition writable.
Google can add certificates to the CRLs (certification revocation lists) for things they control, but generally, Samsung owns and keeps their private keys, including this one.
I don't know if this has changed since I last looked a few years ago (around 2018-2019), but:
The app-signing key can't be changed without just creating a new app, and creating a new app means you users won't be able to upgrade - they have to manually uninstall, go to the app store, and install the new one.
It's not just an app store thing, I think I remember Android itself verifies that the upgrades have the same key as the old version.
The article is rather misleading. It is almost certain that Samsung used HSMs to sign their APKs, so the key itself could never actually leak unless someone had physical access to the HSMs themselves and managed to somehow delid it and then put it back together without anyone noticing. I'm not too familiar with the documented attacks on delidding HSMs, but I believe that delidding chips causes permanent damage to them in such a way that they will never function properly again.
It's much more likely that an employee's account was compromised and then used to sign malicious APKs, or something similar. Once Samsung realized, they could get the logs of every APK signed with the HSM and then revoke those certificates individually through a software update. Not really sure if they actually did that or not, but either way the key doesn't necessarily need to be replaced.
> revoke those certificates individually through a software update
Android doesn't really do revoking certificates in this way. The only way to fix a leak of a system key is to generate a new key and use replace the entire system image.
I hope you're right that this is merely a remote signing account being compromised, because I don't see Samsung building six years of new system images.
I mean considering the level of shitware samsung install on their phones (and make difficult to remove or disable) it will be hard to tell the difference between the official stuff and straight up honest malware.
I used to feel that way, but since the S10 series, there are very few things built into the Galaxy line that fall in the description of shitware anymore. McAfee's device protection shit definitely, but other than that, I can't think of any forced crapware on my last 3 unlocked Galaxy devices.
We do, I've not come across a locked device in recent years. Only the cheapest prepaid ones still are. Most people I know don't buy them with a contract anyway, they just buy the device outright. Obviously it's always unlocked then.
I bought a Galaxy A33 the other day for my mother. It came full of crapware. All kinds of Samsung this-or-the-other. Some of the apps can be disabled, but not all. Like parts of Bixby (= Samsung's assistant? no idea) can be disabled if you click through a warning, but others cannot.
There is also a bunch of 3rd party crap pre-installed, like MS Onedrive, Facebook, Tiktok.
And it pushes hard to use Onedrive instead of google drive.
There's also a separate, Samsung store, and some functions seem to require a Samsung account.
Last shitware i can remember was the 3rd party IR remote control software they bundled with Note3/4, because a couple years later it was updated to have ads on lockscreen. But it was easily disableable from the app list.
The latest Samsung device i have is tab s8 from this year and the software i would call bloat was all the Google stuff like Youtube, Youtube music, Duo, Chrome, Google search. And worst of all the Google assistant that you have to go to multiple places to disable.
You bought a android phone.
Google forces Samsung to put their Google crap on it and activate/ configure it a certain way before they certify the device firmware for Google play store download/access.
If you don't want it the only option is a non android os such as oxygen.
I agree. In fact I have to install MORE Samsung software (their Good Lock apps) because I loathe the UX of modern Android. Good Lock's customization options make for a better experience IMO.
> OEMs have mitigated the issues above in previous updates. A new security update from Android is not required to mitigate these issues. Ensuring your device is running the latest version of Android is a general best security practice for users.
Though the ars story says Samsung is signing their first party apps with it still. So who knows.
This is true in the sense that most android devices are small/cheap off brand or Chinese devices sold across low-income markets, like Africa and the Middle East. Any mid- or top-tier Android devices, such as Pixels and Galaxy devices which compete directly with Apple, are usually on a monthly security update cadence for at least 3 years.
A new Samsung Galaxy S22 (and above) has 5 years of support. 4 major Android updates and 1 year of security updates. For the Pixel 6/7/Pro (including the cheaper 6a), it's also 5 years, but only 3 major Android upgrades and 2 of security updates.
Not as good as an iPhone (5-6 years), but it's improving.
If you include years where you only get a security update, but not an OS update, then the 2014 iPhone 5s is still supported today, since it's last update was in August.
that's an important distinction. i don't have an android, but i get the sense that by "supported" we are talking about continuing to receive security updates. i am not sure my assumption is correct, though. do new samsung phones stop receiving security updates in 5 years?
You get at least 5 years of security updates with a new Samsung flagship[0]. During those 5 years, you'll use 4 major Android versions (there's a new one each year, like iOS). The last year of support is essentially security patches for the Android version released in the previous year.
On top of this, since Android 10 (2019), some security and feature updates come directly from Google (delivered via the app store) and continue after the brand stops supporting the device.
These security updates Apple, Samsung, etc, release years after the phone reaches end-of-life are a bit misleading. The update for the iPhone 5S fixed an exploit on Webkit, but everything else remains unpatched. Same with the update Samsung released for the Galaxy S7 (released before they had a 5 year support policy)... it fixed a GPS bug. That's it.
So while these updates are better than nothing, it's important to understand that the device is not up-to-date or secure.
---
[0] The 50-100 dollars device sold in low income markets won't have the same level of long term support as $500+ devices. We can't compare them to Apple here as Apple doesn't compete in that market.
I'll repeat myself: long term OS support is better on iPhones. With this said, we must look at what the "security updates" are fixing.
Above you mentioned that the 5S received a security update in August. According to the changelog, all they fixed was an exploit on Webkit (essentially the browser). They didn't even update Webkit/Safari to the latest version (it doesn't work on iOS 12).
Do you know how Android would handle that security update? A simple app update via the Play Store, no restart required. Someone running Android 7, which was released 2 years before iOS 12, is using the latest version of Webview/Chrome (108)... in this regard, Android is actually better than iOS.
There's a big difference between iOS and Android here. On iOS, things like Safari, Photos, Camera, Mail, etc, are part of the system and fixes/new features are presented as part of an updated OS. On Android these things are updated individually via the store and, if applying the same thinking as Apple, receive many "major updates" and many "security updates" every year.
Another point to consider when comparing updates is that since Android 10 (2019) different parts of the system get updates directly from Google ( see: https://blog.esper.io/what-is-project-mainline/ ). A security update for WiFi/Bluetooth, for example, may not need a system update from the OEM.
Android's fragmentation problem forced Google to come up with other ways to update Android. Even for features, many (eg: the alternative to airdrop, a feature to detect/warn about earthquakes, covid app support, etc) are backported to outdated devices without Samsung, etc, releasing system updates.
I don't deny that Android is messier behind the scenes than iOS or am even saying that you should buy an Android device... but it's not as bad as you seem to think.
I don't know how to feel about those "security updates". That iPhone 5s is still running an outdated Safari browser, for example. The device isn't secure.
When I think about long term support, I'm thinking about the kind of support Windows, Linux LTS, etc, provide. When Apple, Samsung, etc, release the type of updates you mention, they're just fixing one of the many security problems the device has.
It's like fixing the lock on a door of a building full of broken windows and call it secure. I guess it's better than nothing, but it's not proper maintenance.
The changelog for iOS 12.5.6 mentions a fix for a Webkit exploit, so I guess Webkit was updated? The current version of Webkit/Safari doesn't run on iOS 12 (released in 2018) though (as far as I'm aware).
On a side note, if we want to use this a proof of good long term support, then Android is even better. Phones running Android 7 (2016) are using the latest Chrome/Webview version (108). The difference is that updates are delivered via the Play Store and not as system updates.
> The difference is that updates are delivered via the Play Store and not as system updates.
You're claiming that the security issue detailed in the article will be fixed through the Play Store, for devices no longer receiving updates from the device maker?
There are advantages to the iOS model of six years of full support followed by security updates for many years later, especially when an actively exploited issue is discovered.
> You're claiming that the security issue detailed in the article will be fixed through the Play Store, for devices no longer receiving updates from the device maker?
Yes. The Webkit equivalent (Webview) is updated via the Play Store ( https://play.google.com/store/apps/details?id=com.google.and... ). A bug on Webview would be fixed with an app update, which doesn't even require a restart. Makes sense if we think about it... we don't need a system update to update Chrome/Firefox/Edge/Safari on our computer.
On iOS, a fix or new features on the email, photos, phone, messages, etc, apps are presented as a security/new OS update. On Android, you get an app update.
It's not only apps, they can also update system parts. For example, if there's an issue with the "module" that deals with media, wifi/bluetooth, etc, Google can issue an update and the phone receives it via the Play Store. This article (scroll down) has a list of all modules that can be updated: https://blog.esper.io/what-is-project-mainline/ . I don't know if it's from Google or the different SoC makers, but they can also update things like GPU drivers on newer devices (the user obviously doesn't see any of this).
And Google can backport features without updates from the brand. For example, during the pandemic, Apple and Google added support for Covid apps... in Google's case, they released an update via the store and every phone going back to Android 6 (2015) got it. That's also how they added support for earthquake detection/warnings, nearby share (similar to airdrop), etc.
> There are advantages to the iOS model of six years of full support followed by security updates for many years later, especially when an actively exploited issue is discovered.
Long term support is good and Apple is ahead here offering 5 or 6 major updates. However, it's important to understand what these "security updates" bring.
The iPhone 5s isn't as secure as the iPhone 14 because iOS 12 isn't supported any more. This security update, which was essentially a browser update, reminds me of Microsoft releasing a patch for EOL Windows XP or Win 7 because some malware was taking computers left and right. They fixed one problem, but many remain and you can't consider XP to be safe.
I have used iPhones before (iPhone 5) and am aware of the benefits of Apple's system updates, but we're screwed when those 5 or 6 major updates end. Your browser might get a patch like this, but it's still outdated and doesn't support new web features. On Android, because they are detached from the system, the device maker could be out of business and your 6 year old device running an old Android build will have the latest Chrome, photo gallery, email, etc.
> A bug on Webview would be fixed with an app update
TFA isn't about web browsers. It's about the security keys for multiple vendors leaking to the public.
>Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.
These companies somehow had their signing keys leaked to outsiders, and now you can't trust that apps that claim to be from these companies are really from them. To make matters worse, the "platform certificate keys" that they lost have some serious permissions.
It got better in the past 2 years. The latest Pixel or Samsung gives you 5 years of support. 3 major updates + 2 years of security updates on the Pixel and 4 major updates + 1 year of security updates on a Samsung. An iPhone gets you 6 major iOS updates, I think.
It's taken them up to the past 2 years to still be this much less than a competitor? We've had smart devices like this since 2007. It took 13 years to get to a point of still being inferior.
I agree with this.
5 years seems like plenty until smartphones sufficiently plateau resulting in longer ownership.
I believe this is another case of HN's biases versus the 80-90% that the major players actually build for.
And ironically, I highly doubt the majority of the users here on HN use their devices through their EOL. They just like the idea, philosophically.
I'm still using my iphone 6s plus from 2015. Smartphones sufficiently plateaued for me a long time ago. It's a shame the rest of you fine folks find everything so inefficient ;-)
I'm guessing there's a generational aspect to this as well, and if the devices are the person's only compute device. The assumption on my part is that the younger users are the ones to upgrade quickly as it is upgrading their only compute device. For someone like me, I'll always prefer a desktop/laptop to use for the sheer usability aspect. I just hate the small screen and hunched over posture of using a phablet-like device. That's me and my opinion, and we all like different things.
Apple didn't start with 6 years of support. Everyone keeps improving.
Android has to play catch up because of the way it works and because OEMs don't control everything. Apple develops their own SoC, while most Android OEMs have to use a SoC from Qualcomm or Mediatek... which also need to support new Android versions. All this is improving... slowly. In other areas it has been better than iOS for years (eg: apps like the browser receive updates via the app store even after end-of-life, same with some Android features).
Everything has trade-offs. A $500 Windows laptop gets better support than my $3500 Macbook Pro, and we've had laptops for a long, long time. Still, I own a Mac. I also use Android because it lets me do more than iOS.
If Qualcomm stops supporting a particular chipset version after N years, all the Android OEMs that use Qualcomm chips can't do anything about it. Apple, however, builds their own SoCs, so they can support them as long as they want.
Google has recently managed to strike some better deals with Qualcomm to get updates for 5 years for the latest crop of Pixel devices. I agree it's still not as good as Apple, but that's just how market forces work, and shows you who has the most leverage.
I don't think anyone is trying to "impress" anyone; merely stating the facts as they are.
> Google has recently managed to strike some better deals with Qualcomm to get updates for 5 years for the latest crop of Pixel devices
The last 2 generations of Pixels use Google's own SoC (developed with Samsung?) called Tensor[0].
Google deserves some criticism here. The main force behind Android is now behind Apple and other Android brands. Samsung uses a mix of Qualcomm and Exynos, and their flagships get 4 major Android updates. OnePlus, which relies on Qualcomm and Mediatek, will do the same for "selected devices"[1]. A Pixel 7 only gets 3 major updates... at least the phone receives security updates for 5 years, but they need to improve.
Samsung improved it's update process (and probably pipeline?) dramatically in the past years[1] and the software became much better and more polished.
I received the Android 13 update in November and less than two weeks later another security update. This indicates to me that they roll out updates as fast as possible. Normally I get the monthly security update in the first half of the month.
EDIT: I should probably mention that I usually only buy Samsung's flagships but the midrange device are getting the same treatment AFAIK.
> I should probably mention that I usually only buy Samsung's flagships but the midrange device are getting the same treatment AFAIK.
I really don't have that kind of money to just drop on a phone that will inevitably fall from my pocket and break because it's too damn big. My phones cost less than 200€, and since they aren't samsung they get timely updates.
That was just a GPS (?) update. I have an S9 too, if you check the security patch level (Settings > About phone > Software information), it’s still at March 1, 2022 (and there aren’t any further updates scheduled).
Manufacturers have been extending the support life cycle for the past few years. Samsung provides five years of updates for most phones, for example, with four years of Android updates. Still not great, but a lot better than the single year of updates you used to get.
Extremely cheap brands don't tend to do updates much, especially Android version updates.
Mid-range phones land somewhere in the middle; some have budget hardware with decent support, but other brands get good hardware for dirt cheap in exchange of basically no software support after buying the phone. The latter is great if you're planning on using custom ROMs to extend the life time of your dirt cheap hardware, but quite terrible for people who are used to buying phones four times the price and expecting the same level of support, thinking they just scored a good deal.
Sounds like the mitigation might be just blacklisting the publically seen malware sideloadable APKs, that's a pretty weak mitigation if the keys have leaked.
In the world of Android, apps are signed (including system/platform apps) through a trust-on-first-use system. There's no PKI with roots and intermediates which could support easily enabling a quick fix.
On Android, an updated app is validated by the system to be signed by the same signing key hash as was used previously.
The most recent (v3, IIRC) apk signing scheme allows you to update an APK and sign it with the old key, and committing a future new signing key, which permits re-keying an app.
To use this, I believe you need to ship a platform (operating system) update, as the underlying apps are signed using old APK signing schemes.
These OEMs are likely not always shipping the latest OS version, but could look to techniques used in the custom firmware world, where there are tools to allow reflashing the OS without losing app data when changing system signing key.
It requires engineering effort for already released devices though, so I suspect we will see very little action - as usual, the eyes are on the future products, not on previously released products.
I assume Google play protect will be used to carefully patrol and detect apps on devices signed by the leaked keys, but this isn't hugely helpful for anyone concerned about "zeroday" style targeted attacks against them.
So why exactly can't they do an OS update with the new signing keys? OEMs put out OS updates all the time. Plus if they don't want to do that, they could update their individual apps to use the v3 signing schema. They've had 6 years to figure this out.
So the signing key for Samsung Android phones were leaked so that any software that is loaded is signed such that it comes from the App Store is trusted. The problem for OEMs is that developing and distributing a new key requires a Firmware update and it isn't trivial to develop for QA/QC because if they make a mistake with the keys then devices could be unable to load apps from the App Store.
>> and it isn't trivial to develop for QA/QC because if they make a mistake with the keys then devices could be unable to load apps from the App Store.
Well then they better do some f..ing testing. They're only one of the biggest tech companies in existence. Making phones isn't trivial either!
Making a phone is dead easy: contract one of the ton of third party manufacturers in China to supply you with one of their white-label designs, pay for them and ship them.
The stuff around it is where the complexity lies: making sure you get updates and have infrastructure to distribute these to customers, that you apply for and get certifications from regulatory agencies and, in the US, carriers, deal with e-waste and warranty regulatory requirements (which is a pain in the EU), establish a supply chain for spare parts...
Not any app installed from the app store but any app signed using Samsung's keys. Such an app could get any permission it pleases when installed. The app store can easily block apps signed with Samsung's keys, but a few people can probably be convinced to download the app outside the app store, which could easily be flagged by Play Protect if it is a Google-flavored phone, preventing install. I don't know if these systems have actually been updated to do this, but I imagine they would be.
The main issue to me seems to be sideloading apps, playstore apps seem to be protected. Sideloaded apps could be anything since its the app key that is compromised.
> The main issue to me seems to be sideloading apps
I think you could phrase that better. Sideloading apps is not an "issue", it's an incredibly important tool that developers can use to audit the behavior of apps.
Google could do what Apple does, and allow sideloading for a limited time only to those with a paid developer account.
With the continuing security problems, it is increasingly being proven out that Apple got the app ecosystem right, from the get-go, with their walled garden approach. The benefits of such vastly outweigh the costs to a few tinkerers (and malicious actors) when you're building a product for the average bear.
No need to be so draconian. Security should be built to protect users, not Apple's profits. Play Protect could easily flag the APK downloaded outside the Play Store with Samsung's keys and prevent install.
> Google could do what Apple does, and allow sideloading for a limited time only to those with a paid developer account.
that is the worst idea I have heard in a long time. what happens to developers, like me, that cannot afford a "paid developer account"? and whats to stop Google (or Apple) from raising the fee so high that it prices out important people from the process?
I continue to be astounded when seeing takes like this on a site called Hacker News. If this had been the attitude in the 80s and 90s, we'd be in a Microsoft (or IBM) monoculture today and the web wouldn't exist.
> allow sideloading for a limited time only to those with a paid developer account.
I think this is confusingly phrased and the replies relate to that confusion.
A free Apple developer account allows 'sideloading' for a limited time, currently a week IIRC, and a paid account extends this to a year, which is technically limited but probably not what most people would understand by the phrase.
Anybody can sideload without a developer account, but your phone will have to connect to your home WiFi network at least once a week for your PC or Mac to keep the app on your phone authorized.
If you do have a developer account, your device only has to connect to your home WiFi network once a year for your computer to keep the app authorized.
No thanks, hard pass. A big reason I use Android rather than iOS is because I can install whatever I want on the hardware I've purchased. I put up with Android's worse security posture because I value this.
> These companies somehow had their signing keys leaked to outsiders
I can dream, but I would love to know what this "somehow" is. Such a leak is a major security threat to a sizeable portion of phone users. Disclaiming what happened and what you are doing about it would be good.
Generally speaking I don't have much trust in anything a large company is building. In this case, this is very likely they haven't used an HSM for something at the root of the security for stuff like Samsung Pay... This is a major smell to me.
Multiple independent business units developing apps and needing to share the same signing key. Probably contracting out development to other firms.
Neither Google or Apple offer robust ways to effectively delegate App develop while retaining secrets needed to publish an App. So you effectively need a FTE managing and supporting all of these groups.
Can you do that for App/Play Store Apps? How does that work with companies that don't have offices. As a result of COVID, our org is permanently WFH and we shifted all of our datacenters to cloud providers.
not too long ago i belive there was a dump of samsung IP materials, and proprietary tech resources, if it wasnt there somehow, the method could have been in there.
>I’ve avoided Samsung anything for years because of their total disregard for security and total contempt towards their users.
The thing is, if you live in the west then all the other major Android brands aren't better at all. There just are no good options anymore. HTC went bust, OnePlus turned to shit, LG threw in the towel, Sony's SW updates cycle is unimpressive for how expensive they are, Google Pixels are buggy as hell and not available in every country, and Motorola, Nokia and Blackberry are basically rebadged Chinese OEM designs. This lack of good options explains why Android lost so much market share to iOS in the last years.
Excluding Chinese phone makers, Samsung is pretty much the only big player in town from a western aligned nation, that has its shit mostly together as of present, promising 5 years of updates, having service and distribution centers in most countries around the world and a wide portfolio covering all price brackets.
For example, if you're in the market for a new relatively affordable mid-range ~300 Euro phone, then Samsung is pretty much your safest bet in the Android space.
Sure, there are better option like Fairphone but those are far away from being globally mainstream.
That's funny since the Pixel 6 has had so many people complaining about various bugs.
Google has no quality consistency both with SW and HW, it's all hit and miss with their Pixel range. Some turned out great, some were abasically e-waste.
IMHO they peaked with the Nexus 5 and then went downhill after that. Then current Pixel 7 seems to be an exception.
* Buggy pull down brightness switcher.
* Buggy do not disturb mode
* Camera app bugs out when taking photos, random frame drops in video recordings.
* Sharing menus - slow, suggestions are poor.
* broken launcher + third-party launcher support.
* buggy compass calibration
* buggy 911 support
1. GPS didn't work in the background for me. A few OS updates and some Waze updates later it seems I do get turn-by-turn directions.
2. GPU artefacts in Minecraft and Firefox. A few OS, Minecraft and Firefox updates later and it all "just works".
3. Fingerprint sensor works well except when you need it. Murphy's law for sure.
4. I'm in a low signal area and it seems to be unable to receive calls sometimes. I've had people tell me they called and my phone just didn't ring (it's not do not disturb).
Overall is a decent phone but it was a struggle for the high price it had.
> . I'm in a low signal area and it seems to be unable to receive calls sometimes. I've had people tell me they called and my phone just didn't ring (it's not do not disturb).
My 5G/LTE performance definitely seems much worst than the Pixel 3a XL I had previously.
For about 300 eur you can get 1.5 used iPhone SE 2020 in perfect condition. I know, I’ve bought several recently. Not saying Apple is the greatest in general but that’s an alternative. I personally don’t regret switching over to iPhones years ago. And I only ever buy iPhones from Apple. And I buy them used because they’re insanely expensive otherwise.
That aside, Samsung’s shittiness extends far beyond smartphones. Their TVs are a disaster, their appliances fail just outside warranty, their wearable and speakers are spyware just like the rest of their products… the only thing from them not on my shitlist are semis or components like ram because there isn’t much that can go wrong on this kind of commodity product.
You're moving the goal-posts. I was talking about new phones, not second hand one, as many people prefer buying new for the full 2 year warranty and that added peace of mind. A basic new SE is 550 Euros, far away from the ~300 Euros price bracket. Also, I haven't found used iPhones to buy directly from Apple in EU. Maybe you can point me in the right direction.
I tried to get my mom a 2020 SE since that's the phone my employer gave me and she hated the tiny, dim, low resolution display but she loves her Samsung A52 though, with its big and bright OLED display while being cheaper than the SE. Also battery life is longer on her A52 than on my work SE.
Different people have different requirements for a smartphone that go beyond the brand and reputation (display size, brightness, USB-C, etc). iPhone SE is not a one-size fits all solution for everyone.
Samsung isn't actually that bad. They augment parts of Android's security model under the 'knox' branding (which is mostly marketing, yes, but they do improve a few things, especially because their Enterprise users ask for these). It's not quite grapheneos but I wouldn't call it disregard for security. For example, they have added an IKEv2 VPN client to the supported system VPN options since Android 6 or so.
They also pioneered the work container before Google started offering this as part of AOSP under the name 'Work Profile'. A feature which is really nice for privacy, separating a user's personal activity from their work activity.
And they're really good at rolling out security patches. Even before apps like SnoopSnitch drew attention to Android OEMs playing loose and fast with patch levels and missing out patches, Samsung was one of the most complete in this area. https://9to5google.com/2018/04/12/android-security-update-mi...
I was a mobile MDM admin of a huge fleet until last year. No commercial involvement with the vendors though because in our company each country picks their own models but technical management is global.
I do have complaints about Samsung like the huge amount of crapware they ship. Upday, facebook, etc. And their ads in their apps. And it's bugging the users to sign up for a personal onedrive account even when they're already signed in to a corporate one :(
But on security I consider them quite good for an Android vendor.
Are you assuming Samsung's updates rigorously use SSL, with proper certificate checking, or do you know that to be the fact?
These sorts of consumer-device companies often take other unwise security-through-obscurity, or only "folk-secure", shortcuts elsewhere – rather than defense in depth.
For example, thinking their app-signing keys secure, maybe they used something other than SSL, or SSL in some no-certificate-validation-mode.
It happens more than it should, with giant consumer-electronics conglomerates, even!
Let me play devil's advocate here: Could it be that these keys were forced out of these companies by governments and used for their spying business ... and then got lost somewhere there (where the incentives of protecting them is not that high)
While it's obviously bad that people are making malware with this key, I do wonder if there could be a silver lining. Samsung and Google lock a lot of cool permissions behind system apps. I wonder if you could use this key to sign you own apps (or make modified versions of existing system apps) and get the benefits of rooting without actually rooting (especially on devises that don't allow unlocking the bootloader)?
I'm wondering if this something that can be used to finally create a tiny apk that will replace bixby.apk with something that unconditionally launches google assistant?
133 comments
[ 5.0 ms ] story [ 204 ms ] thread"some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets."
That Sony Google TV? MediaTek.
Google Chromecast? MediaTek.
Blu-ray Player? MediaTek.
Random IoT device? Likely MediaTek.
They’ve known about it since 2016!?!
The app-signing key can't be changed without just creating a new app, and creating a new app means you users won't be able to upgrade - they have to manually uninstall, go to the app store, and install the new one.
It's not just an app store thing, I think I remember Android itself verifies that the upgrades have the same key as the old version.
https://source.android.com/docs/security/features/apksigning...
It's much more likely that an employee's account was compromised and then used to sign malicious APKs, or something similar. Once Samsung realized, they could get the logs of every APK signed with the HSM and then revoke those certificates individually through a software update. Not really sure if they actually did that or not, but either way the key doesn't necessarily need to be replaced.
Android doesn't really do revoking certificates in this way. The only way to fix a leak of a system key is to generate a new key and use replace the entire system image.
I hope you're right that this is merely a remote signing account being compromised, because I don't see Samsung building six years of new system images.
I bought a Galaxy A33 the other day for my mother. It came full of crapware. All kinds of Samsung this-or-the-other. Some of the apps can be disabled, but not all. Like parts of Bixby (= Samsung's assistant? no idea) can be disabled if you click through a warning, but others cannot.
There is also a bunch of 3rd party crap pre-installed, like MS Onedrive, Facebook, Tiktok.
And it pushes hard to use Onedrive instead of google drive.
There's also a separate, Samsung store, and some functions seem to require a Samsung account.
The latest Samsung device i have is tab s8 from this year and the software i would call bloat was all the Google stuff like Youtube, Youtube music, Duo, Chrome, Google search. And worst of all the Google assistant that you have to go to multiple places to disable.
If you don't want it the only option is a non android os such as oxygen.
To add injury Bixby hijacks a physical button and Samsung Pay a swipe direction.
https://news.ycombinator.com/item?id=33823946
An important comment from the original story:
> OEMs have mitigated the issues above in previous updates. A new security update from Android is not required to mitigate these issues. Ensuring your device is running the latest version of Android is a general best security practice for users.
Though the ars story says Samsung is signing their first party apps with it still. So who knows.
Not as good as an iPhone (5-6 years), but it's improving.
On top of this, since Android 10 (2019), some security and feature updates come directly from Google (delivered via the app store) and continue after the brand stops supporting the device.
These security updates Apple, Samsung, etc, release years after the phone reaches end-of-life are a bit misleading. The update for the iPhone 5S fixed an exploit on Webkit, but everything else remains unpatched. Same with the update Samsung released for the Galaxy S7 (released before they had a 5 year support policy)... it fixed a GPS bug. That's it.
So while these updates are better than nothing, it's important to understand that the device is not up-to-date or secure.
---
[0] The 50-100 dollars device sold in low income markets won't have the same level of long term support as $500+ devices. We can't compare them to Apple here as Apple doesn't compete in that market.
You really can't compare full OS updates AND security updates to years where you just got security updates.
Above you mentioned that the 5S received a security update in August. According to the changelog, all they fixed was an exploit on Webkit (essentially the browser). They didn't even update Webkit/Safari to the latest version (it doesn't work on iOS 12).
Do you know how Android would handle that security update? A simple app update via the Play Store, no restart required. Someone running Android 7, which was released 2 years before iOS 12, is using the latest version of Webview/Chrome (108)... in this regard, Android is actually better than iOS.
There's a big difference between iOS and Android here. On iOS, things like Safari, Photos, Camera, Mail, etc, are part of the system and fixes/new features are presented as part of an updated OS. On Android these things are updated individually via the store and, if applying the same thinking as Apple, receive many "major updates" and many "security updates" every year.
Another point to consider when comparing updates is that since Android 10 (2019) different parts of the system get updates directly from Google ( see: https://blog.esper.io/what-is-project-mainline/ ). A security update for WiFi/Bluetooth, for example, may not need a system update from the OEM.
Android's fragmentation problem forced Google to come up with other ways to update Android. Even for features, many (eg: the alternative to airdrop, a feature to detect/warn about earthquakes, covid app support, etc) are backported to outdated devices without Samsung, etc, releasing system updates.
I don't deny that Android is messier behind the scenes than iOS or am even saying that you should buy an Android device... but it's not as bad as you seem to think.
When I think about long term support, I'm thinking about the kind of support Windows, Linux LTS, etc, provide. When Apple, Samsung, etc, release the type of updates you mention, they're just fixing one of the many security problems the device has.
It's like fixing the lock on a door of a building full of broken windows and call it secure. I guess it's better than nothing, but it's not proper maintenance.
How do you know?
On a side note, if we want to use this a proof of good long term support, then Android is even better. Phones running Android 7 (2016) are using the latest Chrome/Webview version (108). The difference is that updates are delivered via the Play Store and not as system updates.
You're claiming that the security issue detailed in the article will be fixed through the Play Store, for devices no longer receiving updates from the device maker?
There are advantages to the iOS model of six years of full support followed by security updates for many years later, especially when an actively exploited issue is discovered.
Yes. The Webkit equivalent (Webview) is updated via the Play Store ( https://play.google.com/store/apps/details?id=com.google.and... ). A bug on Webview would be fixed with an app update, which doesn't even require a restart. Makes sense if we think about it... we don't need a system update to update Chrome/Firefox/Edge/Safari on our computer.
On iOS, a fix or new features on the email, photos, phone, messages, etc, apps are presented as a security/new OS update. On Android, you get an app update.
It's not only apps, they can also update system parts. For example, if there's an issue with the "module" that deals with media, wifi/bluetooth, etc, Google can issue an update and the phone receives it via the Play Store. This article (scroll down) has a list of all modules that can be updated: https://blog.esper.io/what-is-project-mainline/ . I don't know if it's from Google or the different SoC makers, but they can also update things like GPU drivers on newer devices (the user obviously doesn't see any of this).
And Google can backport features without updates from the brand. For example, during the pandemic, Apple and Google added support for Covid apps... in Google's case, they released an update via the store and every phone going back to Android 6 (2015) got it. That's also how they added support for earthquake detection/warnings, nearby share (similar to airdrop), etc.
> There are advantages to the iOS model of six years of full support followed by security updates for many years later, especially when an actively exploited issue is discovered.
Long term support is good and Apple is ahead here offering 5 or 6 major updates. However, it's important to understand what these "security updates" bring.
The iPhone 5s isn't as secure as the iPhone 14 because iOS 12 isn't supported any more. This security update, which was essentially a browser update, reminds me of Microsoft releasing a patch for EOL Windows XP or Win 7 because some malware was taking computers left and right. They fixed one problem, but many remain and you can't consider XP to be safe.
I have used iPhones before (iPhone 5) and am aware of the benefits of Apple's system updates, but we're screwed when those 5 or 6 major updates end. Your browser might get a patch like this, but it's still outdated and doesn't support new web features. On Android, because they are detached from the system, the device maker could be out of business and your 6 year old device running an old Android build will have the latest Chrome, photo gallery, email, etc.
TFA isn't about web browsers. It's about the security keys for multiple vendors leaking to the public.
>Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.
These companies somehow had their signing keys leaked to outsiders, and now you can't trust that apps that claim to be from these companies are really from them. To make matters worse, the "platform certificate keys" that they lost have some serious permissions.
https://arstechnica.com/gadgets/2022/12/samsungs-android-app...
Are you claiming that the Play Store will push an update to fix this issue on unsupported devices?
You're not impressing me at all here.
https://www.statista.com/statistics/619788/average-smartphon....
If, on average, people are replacing their phone within three years, 5 years or more of support is largely marketing.
And ironically, I highly doubt the majority of the users here on HN use their devices through their EOL. They just like the idea, philosophically.
I'm guessing there's a generational aspect to this as well, and if the devices are the person's only compute device. The assumption on my part is that the younger users are the ones to upgrade quickly as it is upgrading their only compute device. For someone like me, I'll always prefer a desktop/laptop to use for the sheer usability aspect. I just hate the small screen and hunched over posture of using a phablet-like device. That's me and my opinion, and we all like different things.
Android has to play catch up because of the way it works and because OEMs don't control everything. Apple develops their own SoC, while most Android OEMs have to use a SoC from Qualcomm or Mediatek... which also need to support new Android versions. All this is improving... slowly. In other areas it has been better than iOS for years (eg: apps like the browser receive updates via the app store even after end-of-life, same with some Android features).
Everything has trade-offs. A $500 Windows laptop gets better support than my $3500 Macbook Pro, and we've had laptops for a long, long time. Still, I own a Mac. I also use Android because it lets me do more than iOS.
Google has recently managed to strike some better deals with Qualcomm to get updates for 5 years for the latest crop of Pixel devices. I agree it's still not as good as Apple, but that's just how market forces work, and shows you who has the most leverage.
I don't think anyone is trying to "impress" anyone; merely stating the facts as they are.
The last 2 generations of Pixels use Google's own SoC (developed with Samsung?) called Tensor[0].
Google deserves some criticism here. The main force behind Android is now behind Apple and other Android brands. Samsung uses a mix of Qualcomm and Exynos, and their flagships get 4 major Android updates. OnePlus, which relies on Qualcomm and Mediatek, will do the same for "selected devices"[1]. A Pixel 7 only gets 3 major updates... at least the phone receives security updates for 5 years, but they need to improve.
[0] https://en.wikipedia.org/wiki/Google_Tensor [1] https://www.xda-developers.com/oneplus-four-platform-updates...
source: have owned a samsung and took notice of when the update came
I received the Android 13 update in November and less than two weeks later another security update. This indicates to me that they roll out updates as fast as possible. Normally I get the monthly security update in the first half of the month.
EDIT: I should probably mention that I usually only buy Samsung's flagships but the midrange device are getting the same treatment AFAIK.
[1] https://www.androidpolice.com/2021/02/22/samsung-solidifies-...
I really don't have that kind of money to just drop on a phone that will inevitably fall from my pocket and break because it's too damn big. My phones cost less than 200€, and since they aren't samsung they get timely updates.
Extremely cheap brands don't tend to do updates much, especially Android version updates.
Mid-range phones land somewhere in the middle; some have budget hardware with decent support, but other brands get good hardware for dirt cheap in exchange of basically no software support after buying the phone. The latter is great if you're planning on using custom ROMs to extend the life time of your dirt cheap hardware, but quite terrible for people who are used to buying phones four times the price and expecting the same level of support, thinking they just scored a good deal.
Anyone can do a ELI5 on the app signing key replacement difficulty?
It isn't covered in the article and seems too high level for a layman like me.
On Android, an updated app is validated by the system to be signed by the same signing key hash as was used previously.
The most recent (v3, IIRC) apk signing scheme allows you to update an APK and sign it with the old key, and committing a future new signing key, which permits re-keying an app.
To use this, I believe you need to ship a platform (operating system) update, as the underlying apps are signed using old APK signing schemes.
These OEMs are likely not always shipping the latest OS version, but could look to techniques used in the custom firmware world, where there are tools to allow reflashing the OS without losing app data when changing system signing key.
It requires engineering effort for already released devices though, so I suspect we will see very little action - as usual, the eyes are on the future products, not on previously released products.
I assume Google play protect will be used to carefully patrol and detect apps on devices signed by the leaked keys, but this isn't hugely helpful for anyone concerned about "zeroday" style targeted attacks against them.
Well then they better do some f..ing testing. They're only one of the biggest tech companies in existence. Making phones isn't trivial either!
The stuff around it is where the complexity lies: making sure you get updates and have infrastructure to distribute these to customers, that you apply for and get certifications from regulatory agencies and, in the US, carriers, deal with e-waste and warranty regulatory requirements (which is a pain in the EU), establish a supply chain for spare parts...
I think you could phrase that better. Sideloading apps is not an "issue", it's an incredibly important tool that developers can use to audit the behavior of apps.
With the continuing security problems, it is increasingly being proven out that Apple got the app ecosystem right, from the get-go, with their walled garden approach. The benefits of such vastly outweigh the costs to a few tinkerers (and malicious actors) when you're building a product for the average bear.
that is the worst idea I have heard in a long time. what happens to developers, like me, that cannot afford a "paid developer account"? and whats to stop Google (or Apple) from raising the fee so high that it prices out important people from the process?
I think this is confusingly phrased and the replies relate to that confusion.
A free Apple developer account allows 'sideloading' for a limited time, currently a week IIRC, and a paid account extends this to a year, which is technically limited but probably not what most people would understand by the phrase.
If you do have a developer account, your device only has to connect to your home WiFi network once a year for your computer to keep the app authorized.
I can dream, but I would love to know what this "somehow" is. Such a leak is a major security threat to a sizeable portion of phone users. Disclaiming what happened and what you are doing about it would be good.
Generally speaking I don't have much trust in anything a large company is building. In this case, this is very likely they haven't used an HSM for something at the root of the security for stuff like Samsung Pay... This is a major smell to me.
Multiple independent business units developing apps and needing to share the same signing key. Probably contracting out development to other firms.
Neither Google or Apple offer robust ways to effectively delegate App develop while retaining secrets needed to publish an App. So you effectively need a FTE managing and supporting all of these groups.
I’ve avoided Samsung anything for years because of their total disregard for security and total contempt towards their users.
The thing is, if you live in the west then all the other major Android brands aren't better at all. There just are no good options anymore. HTC went bust, OnePlus turned to shit, LG threw in the towel, Sony's SW updates cycle is unimpressive for how expensive they are, Google Pixels are buggy as hell and not available in every country, and Motorola, Nokia and Blackberry are basically rebadged Chinese OEM designs. This lack of good options explains why Android lost so much market share to iOS in the last years.
Excluding Chinese phone makers, Samsung is pretty much the only big player in town from a western aligned nation, that has its shit mostly together as of present, promising 5 years of updates, having service and distribution centers in most countries around the world and a wide portfolio covering all price brackets.
For example, if you're in the market for a new relatively affordable mid-range ~300 Euro phone, then Samsung is pretty much your safest bet in the Android space.
Sure, there are better option like Fairphone but those are far away from being globally mainstream.
That hasn't been my experience.
Google has no quality consistency both with SW and HW, it's all hit and miss with their Pixel range. Some turned out great, some were abasically e-waste.
IMHO they peaked with the Nexus 5 and then went downhill after that. Then current Pixel 7 seems to be an exception.
Like what?
1. GPS didn't work in the background for me. A few OS updates and some Waze updates later it seems I do get turn-by-turn directions.
2. GPU artefacts in Minecraft and Firefox. A few OS, Minecraft and Firefox updates later and it all "just works".
3. Fingerprint sensor works well except when you need it. Murphy's law for sure.
4. I'm in a low signal area and it seems to be unable to receive calls sometimes. I've had people tell me they called and my phone just didn't ring (it's not do not disturb).
Overall is a decent phone but it was a struggle for the high price it had.
My 5G/LTE performance definitely seems much worst than the Pixel 3a XL I had previously.
That aside, Samsung’s shittiness extends far beyond smartphones. Their TVs are a disaster, their appliances fail just outside warranty, their wearable and speakers are spyware just like the rest of their products… the only thing from them not on my shitlist are semis or components like ram because there isn’t much that can go wrong on this kind of commodity product.
I tried to get my mom a 2020 SE since that's the phone my employer gave me and she hated the tiny, dim, low resolution display but she loves her Samsung A52 though, with its big and bright OLED display while being cheaper than the SE. Also battery life is longer on her A52 than on my work SE.
Different people have different requirements for a smartphone that go beyond the brand and reputation (display size, brightness, USB-C, etc). iPhone SE is not a one-size fits all solution for everyone.
https://www.apple.com/de/shop/refurbished/iphone
They also pioneered the work container before Google started offering this as part of AOSP under the name 'Work Profile'. A feature which is really nice for privacy, separating a user's personal activity from their work activity.
And they're really good at rolling out security patches. Even before apps like SnoopSnitch drew attention to Android OEMs playing loose and fast with patch levels and missing out patches, Samsung was one of the most complete in this area. https://9to5google.com/2018/04/12/android-security-update-mi...
I was a mobile MDM admin of a huge fleet until last year. No commercial involvement with the vendors though because in our company each country picks their own models but technical management is global.
I do have complaints about Samsung like the huge amount of crapware they ship. Upday, facebook, etc. And their ads in their apps. And it's bugging the users to sign up for a personal onedrive account even when they're already signed in to a corporate one :(
But on security I consider them quite good for an Android vendor.
(Do we expect Samsung better protects its TV keys, than its smartphone keys?)
These sorts of consumer-device companies often take other unwise security-through-obscurity, or only "folk-secure", shortcuts elsewhere – rather than defense in depth.
For example, thinking their app-signing keys secure, maybe they used something other than SSL, or SSL in some no-certificate-validation-mode.
It happens more than it should, with giant consumer-electronics conglomerates, even!