
208 points mohi-kalantari | 1 comments
ptx No.46196795
Never mind the December security patches, Samsung haven't even released the November patches yet, the ones for the critical severity RCE. Unless you have a "major flagship model" [1], because apparently only the richest users deserve to be secure.

[1] https://security.samsungmobile.com/securityUpdate.smsb

riedel No.46197717
Why would you want security if you get 'play integrity' for phones that have received no updates for 2 years? Google's current security practices are more than dubious IMHO. Now they are not releasing any source for security patches for 3 months, to 'protect' vendors that are too slow at updating. As if there is no chance for bad actors to reverse engineer those patch sets.
ycombinatrix No.46200028
Play Integrity is just spyware - it does not provide any degree of security.
riedel No.46200626
Sorry for my irony. While I do not think it is spyware in itself, it sure is a way to force vendors to bundle spyware.
yaro330 No.46203090
Elaborate please. PI on its own is just an insurance API for banking and similar apps to ensure that they can do secure compute on the device. It can also be used to check if the device that the app is running on is a genuine Android device, since no VMs or custom ROMs can pass hardware integrity.
subscribed No.46205510
Well, only it isn't.

Very old, unpatched and rooted devices can fairly easily pass device integrity check.

It primarily assures the software vendor that the phone is running Google buttplug in the privileged mode.

Remember, handsets running on ANCIENT versions of Android with no patches for years. Whilst this seems to be important to raise under the Forbes article, which is (rightly) fussing about a couple of zero-days.

"Custom roms" (whatever that means) can easily spoof the checks in the specific situation (mainly hardware that allows for several things).
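The two comments above disagree about what a Play Integrity verdict actually proves. The practical point is that the verdict carries several tiers (MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, MEETS_STRONG_INTEGRITY), only the strong tier is backed by hardware-backed key attestation, and a backend that only looks for "device integrity", or that skips the nonce and timestamp checks, gets little assurance. The following is an added example of server-side policy over an already-decoded verdict; it is not code from the thread, from Google, or from any app. It assumes the caller has already had Google's decodeIntegrityToken endpoint decrypt and verify the token, so only the JSON verdict object is handled here; the package name, nonce, timestamp and policy constants are constructed for the example.

```python
import base64

# Tiers that appear in deviceIntegrity.deviceRecognitionVerdict.
# Only STRONG is backed by hardware-backed keystore attestation; DEVICE and BASIC
# are weaker, software-derived signals.
BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"

MAX_AGE_MS = 5 * 60 * 1000  # constructed policy value: reject verdicts older than 5 minutes


def _b64url_decode(s: str) -> bytes:
    """Decode URL-safe base64 with or without padding (the nonce field is unpadded)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def evaluate_verdict(verdict: dict, expected_package: str, expected_nonce: bytes,
                     now_ms: int, require_strong: bool = True) -> tuple[bool, str]:
    """Apply backend policy to a decoded Play Integrity verdict.

    Returns (accepted, reason). Decryption and signature verification of the
    integrity token are assumed to have happened before this call.
    """
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        return False, "package name mismatch"

    # The nonce the server issued for this session must come back unchanged;
    # otherwise a verdict from another session or app could be replayed.
    try:
        nonce = _b64url_decode(req.get("nonce", ""))
    except ValueError:
        return False, "malformed nonce"
    if nonce != expected_nonce:
        return False, "nonce mismatch"

    # timestampMillis is a decimal string in the decoded payload.
    try:
        ts = int(req.get("timestampMillis", "0"))
    except ValueError:
        return False, "malformed timestamp"
    if not (0 <= now_ms - ts <= MAX_AGE_MS):
        return False, "stale or future-dated verdict"

    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized by Play"

    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if require_strong:
        if STRONG not in labels:
            return False, "device lacks hardware-backed (strong) integrity"
    elif DEVICE not in labels:
        return False, "device lacks device integrity"
    return True, "ok"


def make_sample_verdict(labels, nonce: bytes, ts_ms: int,
                        package: str = "com.example.bank") -> dict:
    """Constructed stand-in for a decoded verdict; not captured from a real device."""
    return {
        "requestDetails": {
            "requestPackageName": package,
            "timestampMillis": str(ts_ms),
            "nonce": base64.urlsafe_b64encode(nonce).decode().rstrip("="),
        },
        "appIntegrity": {
            "appRecognitionVerdict": "PLAY_RECOGNIZED",
            "packageName": package,
            "versionCode": "42",
        },
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


if __name__ == "__main__":
    now = 1_700_000_000_000          # constructed "current time" in ms
    nonce = b"server-issued-nonce-0001"  # constructed per-session nonce
    strong = make_sample_verdict([BASIC, DEVICE, STRONG], nonce, now - 1000)
    device_only = make_sample_verdict([BASIC, DEVICE], nonce, now - 1000)
    print("strong, strict policy:", evaluate_verdict(strong, "com.example.bank", nonce, now))
    print("device-only, strict policy:", evaluate_verdict(device_only, "com.example.bank", nonce, now))
    print("device-only, relaxed policy:",
          evaluate_verdict(device_only, "com.example.bank", nonce, now, require_strong=False))
```

The relaxed branch is the one the "subscribed" comment is warning about: a backend that accepts MEETS_DEVICE_INTEGRITY is trusting a signal that old, rooted or spoofed devices can satisfy, whereas the strict branch only accepts the attestation-backed tier. Either way the nonce binding and freshness window are what stop a verdict being reused outside the session it was issued for.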