Stagefright patches rolling out over the air

17 Aug 2015

I have quite a few phones I use daily - an LG Nexus 5 now running the 2nd edition of the Android M developer preview, a Nexus 7 (2013) tablet, Xiaomi Mi3, OnePlus One and LG G4. Yes, perhaps that’s a few too many. But guess which phones were patched against the Stagefright bug and in which order? Everyone will probably guess that it would be Nexuses (or is that Nexii) first followed by LG after that big announcement that they, along with Samsung, would be issuing regular ROM patches from now on. Or would it be the geek-centric OnePlus that takes second place after the Nexus? Chinese manufacturers will probably never update their el-cheapo phones, right?


Courtesy of running the developer preview of Android M, my Nexus 5 was already immune from Stagefright when the exploit made the headlines, so that’s number one.

Last week I got a patch for my Xiaomi Mi3, just edging out the Nexus 7 OTA ROM patch. Yes, Xiaomi, the company once written off as an Apple copycat, fixed the bug and got it out to me before Google did on an official Nexus device. Hats off to them.

I am really impressed with Xiaomi, with its almost monthly ROM updates and meaningful updates. When the Mi4i was announced, Xiaomi VP Hugo Barra, formerly heading up Google Android, it should be noted, announced a number of new features - sunlight display and a tasteful, usable HDR mode among them - that made it to my last-generation Mi3 through a ROM update. If anything, the Mi3 is still the best Xiaomi device in one important respect. Barra said that only 1% of users use NFC and removed it from newer Xiaomi phones. Well, that’s a deal-breaker for me as I use NFC all the time for security.

OnePlus One? Sorry, Carl Pei, as of today my OnePlus One still is vulnerable to Stagefright, as is my LG G4, despite what that press release said.

OnePlus did issue a Stagefright patch for the OnePlus One running its in-house, totally stripped-down, more-vanilla-than-vanilla Oxygen OS rather than the Cyanogen OS that everyone seems to prefer. Cyanogen also has a new version out with the Stagefright patch, but the acrimonious bickering between the two means that, after all things are considered, it is not filtering down to users via over-the-air update.

The Stagefright exploit is especially dangerous as, in theory, it allows an attacker to compromise a phone by sending a carefully crafted MMS message. While mainstream media seems to paint a nightmare scenario with a number of 900 million vulnerable Android devices around, a workaround is quite easy - just disable auto-loading of MMS messages. When was the last time (if ever) you received or sent an MMS anyway?

Stagefright was first made public on July 27. The second edition of Android M, which I have been running since 9 July, is not vulnerable to Stagefright, having already been fixed soon after the researchers made the bug known to Google in private back in April.

So Google sat on it for four months before they did anything about it, except for users on the bleeding edge? That certainly seems to be the case.

On a business level, Stagefright is a watershed in Android security. Hitherto, the model has been broken. Phone manufacturers have no incentive to support older phones as they make money from forcing users to upgrade to new phones. Carriers do not want to give up control to the phone makers and prefer to control their customers through their customised phones, which adds yet another layer of latency to any update, if at all.

But the uproar over Stagefright has shaken up the industry. Samsung and LG took the initiative to announce monthly security updates, and not just for their current phones, but for older phones as well, eventually. HTC, Sony and Asus are reportedly quietly pushing out OTA updates to patch against Stagefright, as did Xiaomi.

Sure, Oppo and OnePlus have ROMs that have been patched, but who actually bothers with flashing their own ROMs outside of the geek world?

Huawei and ZTE are conspicuous in their absence of any Stagefright-related announcements, the latter all the more important as they make a small army of house-brand phones. This refocuses attention on the low-end pure Google Android One devices.

Stagefright may be the first shock that woke the industry and forced it to take action, and it certainly will not be the last bug that needs patching. Timely security patches as a feature that actually sells phones to the general public? Who would have thought? Miracles do happen.
