
It's a self-created problem of locked-down, user-hostile devices. Operating system and software upgrades are not locked to the hardware manufacturer in the laptop world (not yet, for the most part). It is a pipe dream of mine that someday these attacks are used as an excuse by some government, perhaps the EU, to force opening up devices for install of other operating systems, maybe forced to open sourcing firmware etc.



The problem is that the “self” in that statement is not the consumer. They have no choice, yet they bear the burden. The people who made these choices benefit from it.


By "self" I meant the manufacturers of the device, not the end user.


The manufacturers do not have the problem. They created a problem for many users as a side effect of forced obsolescence making consumers in richer countries buy new hardware every few years.

So it is not really "self created" in my book.


Didn't Google create the problem? They could have made the Android core updatable without the need for a manufacturer update.


The original sin of Android was that it was made for phone manufacturers, not end-users. And phone manufacturers were in turn subservient to cellular companies. Back then cellular companies demanded network-specific devices, with network-specific software. Android was made to fit right into this relationship.

The continuing problem with Android, and a display of Google's lost interest in Android, is that they still stick to this paradigm in 2024. Nowadays phone manufacturers ship stock Android with add-ons, and cellular companies no longer have the power to demand anything. If Apple can ship iOS 18 worldwide next Monday, why can't Google?


Google certainly contributed to it. But whether the issue for consumers was caused by hardware makers or by OS makers it is not a self-imposed wound for the consumers -- they had nothing to do with it.


Androids are less locked-down than iOS devices. The problem is that Google used to not have the ability to require long term support from device OEMs and now that it has the market power to demand long term support they seem reluctant to prioritize that in license agreements.

Then there are devices, like in China, where Google Mobile Services is not on many phones so Google has no leverage at all re supporting updates.


There is nothing in principle requiring Android phones be locked down, but it's a de facto reality that manufacturers of almost all phones have made them locked down and you have to research to even know beforehand if you can even do something as little as a bootloader unlock or a rooting. Why is OS and phone model so tightly integrated and locked together, when in the PC world you can generally install any OS on any computer? That's what I was saying.

Which is to say I think you are speaking in terms of what you can do within Android's playground itself; it's certainly much more open than iOS in that regard. But when it comes to the fact of being able to change the playground itself, i.e. install whatever OS you want on the hardware or upgrade the OS on the phone, then suddenly most phones aren't any better than iPhones either. Some are slightly better in that you can at least unlock the bootloader or root it, but I don't know if much progress has been made beyond that in being able to reverse engineer them or otherwise be able to install anything you want on them. That was the point with respect to which I was speaking.


> There is nothing in principle requiring Android phones be locked down.

There is; it's called the Android Compatibility Commitment. If a phone manufacturer wants the Google Play Store, their phones need specific security requirements. Which includes measures to lock down the phone to prevent piracy of the store, which for most manufacturers is achieved through a locked bootloader.

https://assets.publishing.service.gov.uk/media/61b794d6d3bf7...


> Why is OS and phone model so tightly integrated and locked together, when in the PC world you can generally install any OS on any computer?

Qualcomm is the reason. Qualcomm wants OEMs to buy new chips every year, and for that to happen, consumers have to buy new phones every year. To upgrade Android (across kernel versions), OEMs need Qualcomm to provide updated drivers, which Qualcomm has been reluctant to do, because their sales will be undercut by chips they sold years ago. Android phones are closer to Mac than PCs, as there's one hardware-maker who determines which models become obsolete, and when, based on the software they choose to update (or not).


That's something that I've found really notable about Linux, compared to Windows. Windows drivers seem to work across versions, whereas binary Linux drivers are typically specific to a kernel minor release.

Does Microsoft just maintain broad kernel backward compatibility, or are driver authors doing more work to support more Windows versions? Is it a fundamental architecture difference with how each OS implements their kernel APIs?


Linux intentionally has an unstable driver ABI in part to make life a living hell for vendors who don't want to upstream their drivers.

Windows on the other hand maintains a very stable interface and has no desire to maintain vendor drivers.


And that's my point, you should not need OEM support for a pure software issue of operating system upgrades. I do not ask Dell or Lenovo before writing 'apt update && apt upgrade' when on my PC. I do not need to ask Dell or Lenovo before plugging in a flash drive with the ISO of my favorite OS or to upgrade the next version of the same and so on. These are things that, if the device wasn't locked down, shouldn't have required the OEM's direct involvement in the first place.


Laptops work because the BIOS provides a universal abstraction layer and because support is upstreamed in the Linux kernel. Supporting phones for longer would require them to also upstream support.


It's true that a lack of standardization on phones makes things a bit harder, but it's as you said, still the key point is that they need to make the firmwares opened up. If manufacturers want to keep it all locked down then they deserve and should expect these types of attacks all the time. If they don't want these to happen, they should make their firmwares available and upstreamed or at least not cause roadblocks toward reverse engineering of the device by means of cryptographic locks or otherwise.


BIOS has not shipped in a computer since 2019. UEFI is the new sheriff in town.


It is the reason why I have Windows tablets not Android ones. I know there are OS updates. And once they are dead I have options for Linux tablets now.


Windows 8 stopped receiving updates in January last year, which killed my Surface for me.


Couldn't you install/upgrade Win10 (and possibly Win11) on it?

Last time I checked you could totally use drivers built for Windows 7 on a Win 10 OS.


Fragmentation used to be touted as a feature of Android, not a … well, you know.

“Freedom”, I believe they called it.

Also, hardware standardization in the PC world is pretty much a thing. Not so much in the mobile (and mobile offshoot) world.


Fragmentation is not the problem. The problem is inability to change OS or firmware. If control of upgrading or changing OS wasn't solely with the maker there wouldn't have been an issue in the first place. I bet for example many of these bugs might be due to the much older Linux kernels in use in phones. Again something easily solved by making the OS easily changeable and not presenting cryptographic etc. roadblocks to reverse engineering, if they don't even want to open source the firmwares at least. At the end of the day these are software bugs not hardware bugs, so the solution as with any software is to be able to push fixes. It does not matter if there are a million different Android phone platforms, a fix to some bug in the Linux kernel for example should work the same on all of them. More importantly, as a piece of pure software this should be something anyone working on Linux or Android should be able to fix, as happens in the more sane world of laptop, server etc. hardware. If we weren't locked to the manufacturer for all operating system and software support this won't be a problem in the first place. Imagine how ridiculous it'd be if we had a Dell XPS 13 OS, a Lenovo Thinkpad T14 OS etc. that went out of support the moment the model is discontinued, instead of the sane and normal situation where your Debian or whatever OS continues receiving software updates as long as Debian wants to support it.


You're making a bold assumption that an alternate, extremely uneconomical, OS would be more secure. This is far from obvious.

Now, if the phone's original OS were open source, it would be easier to make bugfix patches when old vulns are discovered.


By "alternate" I don't necessarily mean some obscure OS, but any OS in general; in fact I rather specifically had in mind Android or Linux. By alternate here I meant the fact of being able to install any you want instead of being stuck with whatever ancient Android version and Linux kernel the original came with. I.e. if your phone came with an ancient Android, you should be able to, without OEM support, install a newer Android or a recent Linux or anything else you'd like.


And honestly I doubt 99.9% of these attacks are anything hardware specific but rather generic software bugs like buffer overflows in the kernel, so hardware is in any case a moot point.



