70 comments

[ 0.23 ms ] story [ 130 ms ] thread
Reminds me of the Android File Transfer bug that disables MacBook keyboard/trackpad if the phone is locked. It was recently marked as "obsolete", despite all Android documentation (and even software on the phone) suggests the user use it, and the bug still exists on Lollipop:

https://code.google.com/p/android/issues/detail?id=39548

I don't really understand how this has slipped through the cracks; Google has a decent number of MacBooks in their offices last time I was there, so maybe copying files just isn't popular? Either way, it's a pain that the tool is closed source and the maintainer won't maintain it.

I've found Android File Transfer rarely even works for me nowadays. I ended up paying for a third party app called SyncMate, but it works flawlessly and even restores the ability to mount the phone and have everything just work easily instead of the broken media transfer protocol Google is trying to force on everyone.
Wow thank you for pointing this out. I couldn't figure out why once in a while AFT would completely screw my Macbook. You're my hero of the day.
That covers roughly two-thirds of the billion-plus Android devices in use, according to Google

Wow. How is this even remotely acceptable? I get that they want to focus on the latest and greatest, but leaving 2/3 of your users out in the cold, in 2015's security climate is absolutely insane!

Nevermind the fact that upgrading is a non starter for most users.

From what I can tell, it doesn't affect Chrome, which is compatible with 4.3 devices. It's just a bug in the default browser, which they stopped working on a long time ago.
Isn't it a bug in the default browser and WebView, which affects every single application using WebView?
Maybe they are hoping they'll be able to force ISPs to release upgrades for phones, since that's what's stopping the upgrades, not unwillingness by the users.
I don't think that's a play that will work. Considering that with the basic apps, the buck stops with Google (they could push something out via the Play store), it's all on them for refusing to support.
How do you push updates to webview through the play store?
I thought this was just about the browser, not the inbuilt web view functionality. My bad!
No worries, friend :)
Neither the old android browser nor the old webviews could be updated through the play store.
Could they in a modern phone? I thought that was part of the point of Google's slightly sneaky updates to "Google Play Services" -- that it allows them to do their own OTA updates sidestepping carriers.

(See e.g. http://arstechnica.com/gadgets/2013/09/balky-carriers-and-sl...)

Not even Google Play Services can update binaries on /system partition. That's the manufacturer's playground, (often signed and checked at boot).
The problem is that Google can't force phone vendors to support old devices or carriers not to slack on allowing them. Suppose they did release a patch for 4.3 – how long would it take for the phone vendor to update their custom UI value-subtraction patches, package a release, test it, ship it to the carriers, who will do their own branding and testing, etc?

This only applies to old devices so the manufacturer sees it as pure cost unless many people get exploited so badly that they will never buy a new model again; similarly the phone carriers only consider this a problem if you leave your contract – and given that the most likely reaction is “Android sucks – I'm buying an iPhone” or “Verizon/AT&T/etc. sucks – I'm switching to the other one” they obviously haven't been feeling much pressure to change.

What we need is a legal fix to avoid them punting the costs onto customers: e.g. not shipping security updates within, say, two months requires the carrier has to unlock your phone and release any remaining contract without penalty. Unless it affects revenue, they're going to continue to treat support as a cost-minimization exercise.

Couldn't they have the Play Store and/or Google Play Services not work on unpatched devices? That would probably force carriers to update.
I'd like to think so but it seems equally likely that carriers would either push you towards their own stores or tell you that you need to buy a new phone if the message was anything less aggressive than “There is a critical security available which must be installed before using the web. Please contact your carrier to ask for it”
They actually do this on a lot of the oldest devices, but probably not for the same reasoning. I occasionally come across phones that are too old to support Google Play Services (<2.2 IIRC), so they're stuck on the Android Market, which no longer works.

It would seem that's not made OEMs/Carries feel the need to update them.

Are you sure? I think that the Android Market on 1.6 (ADP1) still works.
Perhaps the dev phone has a slightly different situation? I know someone with a 1st generation HTC Wildfire (formerly) for testing and when you the market throws a connection error and refuses to go any further. I've seen the same thing on other Android phones from that era.
You could argue Google have already fixed the bugs - in Android 4.4 and newer - and that it's the carrier and manufacturer's responsibility to issue those updates. In many cases even if Google issues a patch, carriers and manufacturers don't bother to issue an update for their own devices. So is Google really entirely to blame here?
It's a bit of a strange relationship:

The manufacturers can't insist that google support older versions with proper patch releases for bugs like this, because they aren't paying for it.

On the other hand, google really can't expect to drive the manufacturers test & release cycles. I expect that even a minor release is an expensive testing effort on their part, so they are understandably reluctant to do this off cycle.

I think this is the point of some of google's recent changes, but it's unclear how well that will work in practice.

As they say: you can't have your cake and eat it too.

If Google takes credit for those phones and stamps its logo of approval on the phone, they need to take the blame for the consequences.

Google really needs to figure out how to keep Android phones updated, preferably for 3 years, because I think that's how much most people keep their phones.

The biggest problem Google is facing regarding that is the fact that essentially every OEM creates its own "distro" of Android, which makes it very hard for Google to fix everything. Some of the bugs could be in software of those OEMs.

I think Google should build-in deeper customization frameworks that allows OEMs to customize the OS quite a lot, while still doing it in a "standardized way" that would allow Google to fix the problems.

In a way Google chose this. They could've done what they did with ChromeOS - make Chromium OS open source, but only promote Chrome OS, which is why all OEMs choose the proprietary Google version instead of the open source one. That's how Android should've worked as well. But they probably thought of this too late.

The thing about all these counterfactuals that people come up with for how Android should've been done is, if Google HAD done them, what would the market for smartphones looke like now? We don't know. It's possible (I think it's probably likely) that all the compromises and concessions Google made with the carriers and manufacturers are part of why Android has the market share it does. Google was playing catch-up with Apple, it's not like they had the luxury of time.
Google has figured out a way and are slowly deploying it...

When people talk about Android updates that can include several things:

- Launchers

- Apps (e.g. Camera, Browser, Calculator, and so on)

- Operating system components (services, drivers, etc)

- Linux kernel

A normal Android update has the ability to update all of the above. However most of the user-impacting and security impacting issues are at the "apps" level (since Android apps are largely isolated from the underlying OS via a Java-like VM).

So what Google have been doing is leaving the Kernel and OS components to the OEMs and providing app updates via the Play Store even onto older devices. So now on the Play Store we have:

- Chrome (replaces Browser)

- Google Services (updates a large chunk of APIs)

- Google Search (more APIs, Google Now, and so on)

- Google Voice (more APis, etc)

- Google Keyboard (built in keyboard)

- Gmail (will replace email eventually)

- Google Launcher

- Google Calendar

- Google Camera

- Google Talkback, Text-To-Speech (accessibility)

- Google+ (replaces SMS Messenger)

And so on...

Which is a really bad solution.

The proper solution would be to put the AOSP version on the store, but keep it open.

Also Google Play Frameworks should be split in the AOSP parts of their libs and the few actually closed parts.

Vendors often don't ship AOSP apps at all, they ship their own dialer, messenger, email client, camera, gallery and all the other apps. So AOSP apps in the app store would not update them anyway.
But would allow the user to install them.

It would have the same effect as the Google Apps in the store, without losing AOSP.

Unfortunately, Android device manufacturers have no obligation to update their old devices. Many that only support 4.2 or 4.3 haven't even pushed out the latest updates with the security fixes to those versions.

This is one reason the latest Android releases don't have a 'Browser' app and have Chrome as the default (as they should). Granted, some manufacturers probably still have 'browser' because they want more control over their users.

From 5.0 forward, there is no "browser" that isn't chrome. The system webview is the chrome rendering engine and receives updates through the play store. If an OEM wants to ship their own browser to retain control, it's still chrome underneath, just with some custom UI.

(this was also true in 4.4, except that the 4.4 webview doesn't receive updates other than via a full system update)

Just to be clear, an OEM or google play app is still free to ship their own rendering engine, see firefox. But the builtin stuff on android is all chromium now.
in practice though, i don't think there's any OEM that uses a non-standard rendering engine, except for the forks like amazon's silk browser.
Correct me if I am wrong, but this seems to be a bug in the default browser, which was not updatable. Android now uses Chrome as its default browser, and it is automatically updated when you activate your terminal. Same thing for the new Chromium-based webview. The solution is to update the terminal to a new version of Android and yes this is not without issues.
I guess web and app developers can start slowly by just blocking older versions of Android:

http://ruby-journal.com/how-to-block-old-ie-version-with-rai...

You're getting voted down, but this is quite true. Having ancient unpatched devices out there doing things is a menace to anything those devices share a network with.

It's in pretty much everyone's best interests to make those devices as non-functional as possible as fast as possible.

I think the eventual solution will be a software subscription fee that ends up going to the carriers. They are motivated to get people to upgrade their phones right now, and unless they are legally obligated or financially compensated, I doubt they will change their practices to enable people keeping their phones.
There used to be hardware rental and line maintenance charges in fixed line phone networks. There still are in cable networks. It's just another source of revenue, and it doesn't encourage software updates.
On Argentina, carriers usually block software updates so your phone gets "old" and they can sell you a new one, with a more expensive plan because you know this new phone requires a bigger plan, the one you already have doesn't fit

that's all they care about, you paying them.

As I remember it, most of these critical bugs are in the Android browser, which is considered a core part of the OS in those versions. The trouble with that is there's no way to update it without doing all the work of a whole OS update, including the usual mess of getting approval and merging changes from device manufacturers and local carriers.

It seems more understandable that way that Google told them to just upgrade to a newer Android version instead.

Maybe we should give them a 90 day deadline to fix them.
Or what, you'll disclose them?
It sounds like that is what Google thinks is the right thing to do.

Note: I don't.

(Hint: They're already disclosed.)
Agreed. But it's disappointing that Google doesn't feel the same responsibility that they think Microsoft has.
I doubt the carriers would care. There have been a bunch of published exploits that haven't motivated them to push updates.
If you can figure out a way to make phone manufacturers and mobile service providers care about any kind of deadline for updates, you'll be doing the world a great service.
You mean like the roughly 6M different variants that Windows runs on where Google has made the same demand? :)
OEMs don't customize windows. Google isn't actually capable of shoving proper OS updates to all android phones. It's the manufacturers and service providers that want you to throw out your phone every year and drag their feet on updating anything.
Do we really need to make all threads with any relation to Google about the whole "90 days vs. Patch Tuesday"?
Enforced how, on who, by whom? Google can say "They're fixed already, just upgrade to Android 5.0.1". Manufacturers and Carriers can say "Meh, we're still testing it". Enforcing such a rule requires holding a particular party responsible, and that party must have some authority to hold other involved parties responsible for doing their parts.

Probably the best thing that could be done overall is Google's already-complete plan to move the web browser, and as much other code as they can, to Play store apps that they can centrally auto-update. But getting that solution onto the vulnerable phones required them to, once again, just upgrade to the newest Android.

Agreed, placing all the blame on Google is not fair. Besides Google, carriers, and manufactures, there's one more party involved that no one seems to talk about, users. Google only promises to update their software for 18 months. If you're going to milk years and years out of your smartphone, don't you have some responsibly to update outdated apps with updated ones from the Google Play store?

I have an old Galaxy S3 that Samsung no longer updates, yet these bugs don't effect me because I've replaced the built in browser with Chrome, which still receives regular security updates. What's stopping users of old phones from installing Chrome or Firefox?

Some truth to that, but replacing your web browser doesn't actually fix the bug entirely. The problem is that the WebView elements inside applications still use the vulnerable Android Browser to display content. You can't change that behavior or update the Android Browser without an OTA update of the whole OS.
True, but you have to download the malicious app from the app store. Here Google has a good track record of removing them from their store. Also, the user can exercise some common sense by not installing apps from untrusted sources. If the users does not pay attention to the app's permissions, any app could be harmful without needing a browser exploit.
Out of curiosity, did you actually replace the Browser app, or did you just install a new one? If the stock Browser is still installed, you may consider the fact that it can probably be launched from Chrome with a specific URL intent.
Google hasn't pushed Lollipop out to all their own devices yet. I just talked to tech support yesterday, and was told if I wanted 5.01 on my brand new Nexus 5 (came from the Play Store two days ago and is on 4.4.4), I would have to figure out how to flash it myself. They would not help me with that at all.

I can probably manage to flash it, but the typically phone user probably shouldn't be attempting that. "Just upgrade" is not a valid response when they refuse to push the upgrade to all users.

(comment deleted)
No, this is and should be Google's problem. Carriers have no say expect in certain markets, and hardware manufacturers do what Google dictates. The requirements to carry Google Play is pretty steep, and there should be consequences for not following the agreements.

I bought a Nexus One, and one a half year later it was insecure with no updates. That can never be acceptable. If Debian can ship updates for a five year old distribution, I'm sure Google can. Android is slim by comparison.

How come it's a Google's problem if the browser in question is part of AOSP, and therefore could (and should) be updated as any other open source project. Google may be able to fix those bugs, but doesn't have to.
AOSP is not at all like most other open source projects. And even if the bugs would be fixed or backported to upstream AOSP, it's not going to magically be sent as an OTA update to customers.

This is a real issue and it's Google's platform, they should take action to not leave customers at peril or force them to buy a new device. Google is the only one who has the power to make sure that the updates get all the way to the customers' devices. This might mean exerting pressure on the device manufacturers and operators who make downstream changes to Android.

Otherwise we'll end up with millions of vulnerable devices that could be used (and are currently used) as zombies in botnets.

Fixing the bug is trivial, but getting the fix out to users is anything but. Google's original model for Android was to have as few restrictions on the manufacturers and carriers as possible. This arguably allowed them to gain a foothold in a market that was starting to be dominated by iPhone, but they're feeling the pain now as the try to lock Android down harder.

Google is moving as much stuff out of AOSP and into closed-source Google Apps package as possible for a variety of reasons, not least of which is that it gives them increased leverage over manufacturers by increasing the amount of work they'd have to do to make a forked AOSP device competitive with official Android. This helps them prevent hostile forks as well as enforcing things like updates and not too much mucking around with the UI. This only goes so far, especially when it comes to compelling updates of devices already running obsolete versions.

Both Google and the manufacturers have very little leverage in practice over the carriers, who seem to be the usual stopping block in delaying updates for various unspecified "testing" requirements.

But Google doesn't control push to the end users, it's phone manufacturers/cell service providers that do that. If it was a Chrome for Android, then yet, it's part of Google Play Services that is pushed independently. So, bottom line, there is no real need to use Android browser anymore, and IIRC it's not even included to the Lollipop release.
Regarding the Nexus one that's surprising and disappointing. I was under the impression that the Nexus line used vanilla android (no device manufacturer or service provider customizations) and would be update-able as long as the hardware could handle the new OS.
Samsung Galaxy Nexus (GT-I9250) has Google's logo on it was the first such example. It shipped with Android 4.0 and the last version supported is 4.3, 20 months of software updates.
Chrome is available for Android 4.0+ which amounts to 85%+ of Android devices in the installed base, according to https://developer.android.com/about/dashboards/index.html

It's a non-issue, as with other bugs Google recently closed as NTBF.

These stats are based on people visiting the Google Play store. They are almost meaningless.

I have an Android phone that works perfectly well and is paid for; I don't have money to burn to buy a new phone. I got it after I bought a Windows 7 computer - which will likely be updated for many years to come. When purchsed, the phone cost almost as much as my computer did. However ... the phone is running version 2.3.3 and can not be upgraded (and has not been updated for a few years now). And most new apps do not support this Android version (and have not for a few years now) so I have given up on visiting the Google Play store. My wife has an identical phone and has not bothered either trying to get new apps for a few years now.

It's a "non-issue" only because Google (which I generally support) has a shitty policy when it comes to supporting old versions of their products.

Statistics based on visits to the Google Play store are certainly not meaningless. If you have a Kindle device you don't have this problem. Or, if you have a phone in China that's AOSP-based but using a Chinese portal's ecosystem you are probably running their browser.

That leaves you among the small percentage who are in the Google ecosystem, but running an old version of Android. perhaps it was Google fault for OK'ing Google logo devices with trailing-edge OS versions when you bought your phone. But they've fixed that now with Android One and the inexpensive Moto phone.

And, on top of that, if you really want a newer version of Android without buying a new phone, there's a decent chance that CyanogenMod or other aftermarket releases support your device. Google has never stopped anyone from "bootlegging" the Google ecosystem into such configurations.

The stats are reported by google play services running on your phone, not by actual visits to the play store. As long as your phone can access the play store, it gets counted.
Actually normal support for windows 7 ended this month. You're only getting security updates for that now, not new features.