Android

20239 readers

481 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

💡Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.

Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

💬Matrix Chat

💬Telegram channels / chats

📰Our communities below

Rules

Stay on topic: All posts should be related to the Android OS or ecosystem.
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

See thread

Chat and More

founded 2 years ago

MODERATORS

ijeff@lemdro.id

ladfrombrad@lemdro.id

Paradox@lemdro.id

multimoon@lemdro.id

mikestevens@lemdro.id

Devgard@lemmy.world

limerod@reddthat.com

Netrunner@lemdro.id

Google wants to make Android phones safer by switching to ‘risk-based’ security updates (www.androidauthority.com)

submitted 3 days ago by nemeski@mander.xyz to c/android@lemdro.id

7 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] henfredemars@infosec.pub 16 points 2 days ago

Instead of bundling all available security patches into the next ASB, Google now prioritizes shipping only “high-risk” vulnerabilities in its monthly releases. The majority of security fixes, meanwhile, will be shipped in quarterly ASBs. Google defines “high-risk” vulnerabilities as issues that are crucial to address immediately, such as those under active exploitation or that are part of a known exploit chain. This designation is based on real-world threat level and is distinct from a vulnerability’s formal “critical” or “high” severity rating.

Reckless behavior! You cannot adequately rate a vulnerability's real risk, and we have a very limited view of what's being exploited in the wild. Threat actors don't exactly publish their successes, and even the smallest bugs can be used to build powerful primitives in ways that can be really surprising (e.g. a single off-by-one null byte overflow that seems minor can lead actual code execution with sufficient control of the heap). Picking and choosing is a direct security compromise that makes Android less secure no matter which way you slice it.

This reads to me as sugar-coating a cost-cutting measure. "Prioritize fixing and patching the highest-risk ones first" my ass. When you know of a bug that could have security relevance, you fix that bug. This just says you can't afford the developers to actually fix your broken code.