[HN Gopher] Critical Bluetooth vulnerability in Android
       ___________________________________________________________________
        
       Critical Bluetooth vulnerability in Android
        
       Author : photon-torpedo
       Score  : 413 points
       Date   : 2020-02-07 09:57 UTC (13 hours ago)
        
 (HTM) web link (insinuator.net)
 (TXT) w3m dump (insinuator.net)
        
       | nickcw wrote:
       | > As soon as we are confident that patches have reached the end
       | users, we will publish a technical report on this vulnerability
       | including a description of the exploit as well as Proof of
       | Concept code.
       | 
       | It is likely to be a long time to never for most Android phones
       | to receive patches for this :-(
        
       | joelthelion wrote:
       | On the plus side, could this be used to root phones?
        
       | photon-torpedo wrote:
       | > only the Bluetooth MAC address of the target devices has to be
       | known
       | 
       | Android has a feature of "Bluetooth scanning" to improve device
       | location (similar to Wifi scanning). I'm not sure, but even if
       | Bluetooth is disabled in the menu, this might still activate
       | Bluetooth occasionally and perhaps reveal the Bluetooth MAC to
       | the (nearby) world?
        
         | dspillett wrote:
         | IIRC that doesn't enable BT if disabled, only uses it if
         | available.
        
           | bepvte wrote:
           | It says "Bluetooth scanning -- Let apps use Bluetooth for
           | more accurate location detection, even when Bluetooth is
           | off." I doubt it makes the device discoverable though.
        
       | matchbok wrote:
       | Android is such a mess. Google needs to do a rewrite and dump
       | legacy support.
        
         | drummer wrote:
         | Quite possibly the worst piece of software ever. Hot garbage.
        
           | [deleted]
        
         | eximius wrote:
         | I mean, they kind of are...
         | https://en.wikipedia.org/wiki/Google_Fuchsia
        
       | microcolonel wrote:
       | Gotta say, having worked with the Android Bluetooth stack, I'd be
       | surprised if there weren't lots of serious issues like this. The
       | handling of pointers in there is often both _clever_ and _not
       | helpful_.
        
       | tjoff wrote:
       | > _Only enable Bluetooth if strictly necessary. Keep in mind that
       | most Bluetooth enabled headphones also support wired analog
       | audio._
       | 
       | Reason #4373 that ditching the headphone jack is pure insanity.
       | 
       | Sigh.
        
         | qubex wrote:
          | I'm also still using those SCSI interfaces and keeping a 5 1/4"
          | floppy drive in case I need to copy something over from punched
          | cards.
        
           | zentiggr wrote:
            | Don't go dissing that KSR-35 teletype with the paper tape
            | option :) That's how I talked to my 6502 dev board - way
            | better than a membrane keyboard!
        
         | rorykoehler wrote:
         | Don't buy a headphone jackless phone. I haven't and won't ever.
         | I will stop using a phone before I use a jackless one.
        
           | hnburnsy wrote:
            | Are there phones with no external ports that only use wireless
            | charging? I don't have any problems with a USB-C wired headset
            | or adapters.
        
           | [deleted]
        
           | ajsnigrutin wrote:
            | The problem is that it's hard to find an otherwise good
            | phone with a jack. Want good photos, lots of storage, a fast
            | CPU, and a good screen? You need a flagship phone. Want
            | security updates for stuff like this now? You're either stuck
            | with Pixel phones or Samsung Galaxy S? ones (or iPhones)...
            | Pixel doesn't have one anymore, the Galaxy S20 is rumored not
            | to have one, and iPhones don't have one.
        
             | komali2 wrote:
             | If you want a good camera the pixel 3a is there.
             | 
             | The Galaxy s10 hit the critics like a storm. It got pretty
             | rave reviews. I'm on an s9 and I guess that'll be my next
             | phone whenever this one dies.
        
             | Ayesh wrote:
              | Xiaomi Note series have an FM radio, 3.5mm jack, infrared
              | (makes do as a remote control), 4 lenses (macro, telephoto,
              | and wide angle), and come at around EUR225 for the 128GB/6GB
              | one. There has been no Android security update recently; the
              | current one is Nov 2019. But they regularly send security
              | updates, unlike other Chinese brands.
        
             | mackrevinack wrote:
              | Samsung S10e is the only phone that checks all those boxes,
              | and it's also the only "small" phone too. I always said I
              | would never buy a phone without a headphone jack or a notch,
              | but I made an exception for the S10e since it's a punch hole
              | and doesn't really take away much screen space.
              | 
              | But the way things are going I can't see a phone like this
              | ever being made again, so I'll be using this for the
              | foreseeable future and will probably have to start using a
              | custom ROM in a few years.
        
             | wnevets wrote:
              | the 'a' branch of Pixel still has a headphone jack
        
             | nonbirithm wrote:
             | I was wanting a phone with a headphone jack but the only
             | one that fit my needs was an LG handset that cost $900 and
             | wasn't supported by ATT. The Galaxy Note crisis and general
             | dissatisfaction with a previous Galaxy ruled out any of
             | Samsung's phones for me. On the other hand the OnePlus 7
             | Pro was only $499 with everything else I needed in a phone
             | - except a headphone jack.
             | 
             | Maybe I hadn't looked hard enough. But my thought at the
             | time was for my needs I'd have to spend $400 more for a
             | headphone jack on a phone I might not be able to use with
             | my carrier.
             | 
             | I ended up getting the 7 Pro and use a dual
             | headphone/charging adapter. I hate it and wonder what the
             | market has come to if they feel we should put up with this.
             | But that's the tradeoff I chose.
             | 
             | My dream phone is one without the rounded corners or curved
             | screen, an SD card slot, a decent camera (at least Pixel XL
             | quality) and a headphone jack.
             | 
             | I should also mention it's a miserable feeling to think
             | that a standard as hideously broken as Bluetooth is here to
             | stay because it's won out the short distance wireless
             | connection space and there's no going back and retrofitting
             | the billions of smartphones that will be forever fitted
             | with Bluetooth until they're thrown out.
        
               | anon73044 wrote:
               | Moto G8 Plus, better camera, bigger battery, better
               | screen resolution, sd slot, under $400 these days.
        
             | kbenson wrote:
             | I've been looking to get the new galaxy a51 when it comes
             | out in a week or so as a good mid-range phone, and they've
             | removed the jack on the new a-series phones as well.
             | 
             | Pretty soon it will just be one or off brands and the
             | occasional weird model that have them (if it's not already
             | to that point).
        
             | artemist wrote:
             | I can think of one phone with a great camera and a
             | headphone jack: the Pixel 3a
        
             | sadfklsjlkjwt wrote:
             | Nokia also gets prompt Android updates. No headphone jack
             | on flagship models though.
        
         | gchokov wrote:
         | I haven't missed the jack for a single day.
        
           | squarefoot wrote:
            | I don't miss it either, though that's because I refuse to
            | buy anything that doesn't expose analog out. The 3.5 jack is
            | certainly not the best engineered piece of hardware and is
            | prone to failure, but that should be rather a motivation to
            | produce a better one than an excuse to remove it.
        
           | magicalhippo wrote:
           | I miss the jack every single day.
           | 
           | Recently the wire of my regular ear buds gave up (as they do)
           | and, since I had gotten some BT ones, I decided to use them.
           | They're Jabra Elite Sport, which got good reviews from what I
           | can recall.
           | 
           | They're dropping out like crazy. It's seldom to get an entire
           | minute of music without a small dropout. The area around the
           | bus stop at work is particularly bad, with sound drops every
           | few seconds until I get away from that area.
           | 
           | I upgraded the firmware and it got a bit better, but still
           | pretty poor. If I hold the phone in my hands and keep still
           | it's usually ok, but as soon as it goes into my pocket, all
           | bets are off.
           | 
           | I don't miss the cable tangle, but I miss being able to enjoy
           | music.
        
             | Pxtl wrote:
             | Crazy. I paid $25CAD for cheap Chinese-brand behind-the-
             | ears headset (Suicen AX-698) and dropouts are very rare for
             | me. Happens occasionally - usually when I'm on the road and
             | a truck goes by - I assume some of those have very chatty
             | RF devices. But still, generally very rare. When I'm at the
             | gym working out they _never_ cut for me.
             | 
             | Frustrating reality of modern purchasing - buying the
             | "expensive" one often gives you something not substantially
             | better than the cheap Chinese junk.
        
               | komali2 wrote:
               | I'm fat and so when my belly covers my phone in my
               | pocket, like when I'm leaning over, my Bluetooth cuts
               | out. Shit sucks lol.
        
               | oefrha wrote:
               | Generally the expensive ones are using the same
               | components as the cheap ones and simply upcharging you,
               | that's why.
               | 
                | https://www.theverge.com/2019/11/7/20943377/chinese-hi-fi-au...
               | 
               | That said, I'm happy with my AirPods and Beats, which are
               | on the expensive side. The custom Bluetooth chip is
               | certainly more seamless than regular Bluetooth.
        
             | amaccuish wrote:
             | When I lived in Moscow, there was a bit just outside of my
             | metro station, a radius about 10 metres, where my bluetooth
             | headphones would just stop working. Absolutely bizarre.
        
             | canes123456 wrote:
             | I got the non sport ones due to the great reviews and they
             | suck. I would recommend AirPods, even for android.
        
               | cma wrote:
                | For the same price I'd recommend buying the latest $30
               | ones every year for the next 4-5 years. You'll get better
               | battery life, eventually Bluetooth 5.2 with lowest
               | latency (sends directly instead of rebroadcasting to the
               | other ear), and probably at least one Bluetooth revision
               | beyond that adding true stereo support during microphone
               | use.
               | 
               | If we're talking AirPods Pro you could buy new $30 ones
               | each year for the next 8 years, but atm nothing out there
               | seems to compete with transparency mode while still
                | having the fit of a silicone tip and no sealed-in
                | feeling/internal pressure noises.
               | 
               | For me I'm not going to spend a lot on any until the
               | latencies are good enough for gaming, along with stereo
               | while using the mic, and will stick to the cheaper ones
               | until then.
        
             | x0x0 wrote:
             | The problem is bluetooth is in year 26 or so of alpha
             | testing and wires are extremely reliable. For example, HTC
             | appears to be unable to ship a working bluetooth stack.
        
             | retSava wrote:
             | Have the same-ish, and it's pretty interesting. I think the
             | BT communication is from phone to the right earbud, then
             | something else (likely on 2.4GHz too) from right to left
             | earbud.
             | 
             | When I switch on the office lights, enter the lift, open
             | the fridge door (light again) and similar things, the left
             | drops out briefly (on the order of 100ms).
        
               | magicalhippo wrote:
               | Yeah, when I walk through the theft detector at one of my
               | regular grocery stores, my left earbud falls out as I
               | pass through the magnetic field produced by the detector.
               | 
               | It makes some analog radio noises when they fade out and
               | back in, so clearly something entirely different from BT.
               | 
               | The right earbud plays music as normal through it all.
        
             | kevingadd wrote:
             | Thanks for the heads-up that these have a firmware update
             | available. I bought them because reviews suggested they
             | were the best earbuds available other than AirPods and I've
             | had all the same problems you describe, it's awful.
        
               | magicalhippo wrote:
               | The firmware update did improve things a lot, they were
               | not really usable before, but the result is still sub-par
               | for me at least :(
        
             | bengale wrote:
             | Maybe try a different set. My AirPods haven't dropped
             | connection a single time I've used them. They connect
             | immediately, and to drop the cliche, just work.
        
               | magicalhippo wrote:
               | Well yeah I've been thinking about it. But shelling out
               | for some with decent sound only to find that they also
               | suck would really be a bummer, so I'm tempted to just go
               | back to wired.
        
             | 45ure wrote:
             | >They're Jabra Elite Sport, which got good reviews from
             | what I can recall.
             | 
             | >They're dropping out like crazy. It's seldom to get an
             | entire minute of music without a small dropout. The area
             | around the bus stop at work is particularly bad, with sound
             | drops every few seconds until I get away from that area.
             | 
              | I would suggest reaching out to Jabra, as the symptoms
              | suggest a faulty pair. Furthermore, these buds came with an
              | extended 3-year warranty, albeit only for failure as a
              | direct result of perspiration.
              | 
              | I use mine with an iPhone, and also tested them with an
              | older Android phone with Bluetooth 4.0. The firmware is on
              | release 5.6.0 (6th November 2019). My pair doesn't suffer
              | from the same issues as yours. However, I have had some
              | issues with the battery life, e.g. the Jabra Sport app and
              | real world usage do not tally, and the battery life of the
              | buds also deteriorates by 10% or more just by sitting in
              | the charging case if not used daily.
        
             | neuronic wrote:
             | I am probably adding to the pile of fanboyist Apple blah
             | blah but I honestly think my AirPods are the single best
             | tech purchase I have made in the last 5 years. They took
             | away so much hassle and work exactly like I would expect.
             | 
             | AirPods are one fine product for daily casual use.
              | Obviously they aren't going to meet an audiophile's demands
              | at $150, but AirPods Pro might even be enough in that case.
             | 
             | My AirPods drop out at the rate of once a month or
             | something. When it happens it's a quick fix and they have
             | been nothing but convenient otherwise.
             | 
             | Would never use wired headphones again unless I am trying
             | to analyze a Beethoven piece.
        
               | stiray wrote:
                | Hm, I just can't get used to how AirPods look while
                | people are wearing them. Like they would stick cigarettes
                | into their ears. Anyway, I prefer over the ear headsets,
                | they just sound better (currently at Sennheiser Momentum,
                | sometimes on cable, sometimes on BT).
        
               | that_jojo wrote:
               | I have my $20 wired Sony buds drop out about once every
               | never.
        
               | brewdad wrote:
               | Mine will drop out when I drop my phone.
        
               | hombre_fatal wrote:
               | My wired buds pop out if I do anything more than sit
               | still while listening with them. Any other activity I'm
               | bound to accidentally karate chop the cord out of my
               | ears. Or they catch on something. It's quite a bad
               | experience.
               | 
               | I didn't think BT headphones were worth anything until I
               | tried them. They are surprisingly liberating for someone
               | active like me.
        
               | aedron wrote:
               | Have you compared with other BT headphones?
               | 
               | Because in general, BT headphones are great and I
               | understand that people love them. But Airpods are not
               | among the better ones in my experience. They drop out
               | more than my other BT headphones, and the fact that they
               | have no volume control is just unbelievably stupid to me.
        
               | rorykoehler wrote:
                | I seriously doubt the audio quality of AirPods Pro is
                | any good from an audiophile perspective. I have no way to
                | test without buying them, but I have heard both the new
                | MacBook Pro 16 laptop speakers and the Sony WH-1000XM3
                | noise cancelling headphones described as incredible
                | sounding by the same people who say AirPods Pro sound
                | amazing. I happen to own both and.... the MBP sounds like
                | my gramma's alarm clock radio at best (I'd give it a
                | 2.5/10) and the Sonys are maybe a 7/10. They are decent
                | but way too boomy, and the Q in the EQ controls provided
                | in the app doesn't provide enough granularity to fix it. I
                | feel like we've really devalued certain words in the past
                | decade or so. Everyone speaks like they work for
                | marketing now.
        
               | chucksmash wrote:
               | > I feel like we've really devalued certain words in the
               | past decade or so.
               | 
               | For sure.
               | 
               | > Everyone speaks like they work for marketing now.
               | 
               | Maybe we're so inundated that we've internalized it? A
               | semi-related thing I've noticed: when people talk about
               | movies now, it's never "oh I liked it, it was neat" or
               | "it was sappy." Everybody talks about the cinematography
               | this, the character arcs that, did you see that tracking
               | shot??
               | 
               | It's weird to see the "inside baseball" aspects of
               | movies/music/storytelling/etc creep into random
               | conversations.
        
           | qubex wrote:
           | Not I. I stopped using it well before the iPhone did away
           | with it. I'm deeply suspicious of any hole that pierces my
           | device's carapace.
        
           | big_chungus wrote:
           | The removal is fine if you generally buy high-end equipment.
           | However, my phone still has one because I have a cheap phone
           | and I don't know what I'd do without the headphone jack. I
           | can use wireless earbuds (which are admittedly nice) for most
           | of the day, but they die and I like having a physical
           | connection. This is especially true of, say, long flights. I
           | also like having a backup pair, but backup pairs of bluetooth
           | earbuds are very pricey.
        
           | flir wrote:
           | How do you deal with the latency in games?
        
             | pizza234 wrote:
             | I do play (fast) games and don't perceive any latency.
             | However, the number of devices I can connect to my dongle
             | is two; when I add a third, the audio starts to crack.
        
             | komali2 wrote:
             | Latency is why I'll never "upgrade." I have a pair of
             | Bluetooth earbuds in my gym bag but my backpack has wired
             | earbuds because sometimes I produce music on my laptop.
             | Doing so with Bluetooth latency might not be impossible but
             | it'll be the closest thing to it.
             | 
             | And since I don't wanna carry two pairs of headphones
             | around my phone needs to have a headphone jack.
        
             | tommit wrote:
             | Serious question: do people play mobile games where a
             | slight latency would matter at all? Or are you talking
             | about the overall immersion that goes missing?
        
               | maple3142 wrote:
                | I think it depends on what games you're playing. For
                | rhythm games, a headphone jack is a must.
        
             | zozbot234 wrote:
             | BT latency is annoying enough when listening to media. I'm
             | used to pressing the pause button and having the audio stop
             | promptly, with no perceptible delay. The video desync (if
             | applicable) can also be very annoying.
        
               | tommit wrote:
               | That's odd, I have literally never experienced that
               | before. What kind of setup are you using? I just tried it
               | now, thinking maybe I just never really paid attention to
               | any play/pause delay when listening to music or watching
               | videos. Nope, it's pretty much instant as far as I can
               | tell. I'm using the AirPods Pro and had Gen 1 AirPods
               | before that -- can't recall ever having that problem in
               | the past 3 years.
        
               | avian wrote:
               | Not GP. It really depends on the device in my experience.
               | My Denon system has seconds of lag over Bluetooth, enough
               | to even make the volume slider on the phone annoying to
               | use. On the other hand, my wireless headphones from Sony
                | have as far as I can tell zero discernible lag. Both used
               | from the same Android phone.
        
               | Konnstann wrote:
               | Could be the codec they are using. AptX LL is the best
               | for latency as far as I know, but not all headphones
               | support it, and you have to go into developer options to
               | change it.
               | 
               | The Denon system might be using LDAC which is higher
               | quality, but sacrificing latency.
        
           | toast0 wrote:
            | As someone who only occasionally uses audio from my phone,
           | the big problem is airplane movies.
           | 
           | Playing the movie is going to use enough battery that I'd
           | like to be plugged in. The dongles are easy to lose. I don't
           | have a set of bluetooth headphones that I use regularly, so I
            | got a pair at the airport, but I need to remember to charge
           | them, and they also don't last for the whole movie. Also,
           | everybody using bluetooth probably contributes to the janky
           | streaming in flight.
        
         | m-p-3 wrote:
         | Even if I had a jack, I still need bluetooth for my smartwatch.
        
         | maxerickson wrote:
         | I bet it's not particularly true that most bluetooth headphones
         | support wired analog audio. It may have been a few years ago,
         | not now that the most prominent use case is phones.
        
           | chungus_khan wrote:
           | Nice ones tend to, but most others don't seem to anymore.
        
           | Pxtl wrote:
           | Yeah, I've five sets of bluetooth headphones around my house
           | and only one has a wired port.
        
         | AdmiralAsshat wrote:
         | I quickly realized the value of the headphone jack the last
         | time I had to turn my device to Airplane mode and realized I
         | couldn't listen to any music on the plane using my wireless
         | earbuds.
         | 
         | Fortunately, my aging GS8+ still has a headphone jack, and I
         | had a pair of analog headphones in my travel bag.
        
           | driverdan wrote:
           | You can put a device into airplane mode and still turn on BT.
        
             | RealStickman wrote:
             | That kinda defeats the purpose of airplane mode, doesn't
             | it?
        
               | duckqlz wrote:
                | Nope, Bluetooth is OK during a flight. From the FAA:
                | 
                | > Passengers will eventually be able to read e-books, play
                | games, and watch videos on their devices during all
                | phases of flight, with very limited exceptions.
                | Electronic items, books and magazines, must be held or
                | put in the seat back pocket during the actual takeoff and
                | landing roll. Cell phones should be in airplane mode or
                | with cellular service disabled - i.e., no signal bars
                | displayed--and cannot be used for voice communications
                | based on FCC regulations that prohibit any airborne calls
                | using cell phones. If your air carrier provides Wi-Fi
                | service during flight, you may use those services. You
                | can also continue to use short-range Bluetooth
                | accessories, like wireless keyboards.
                | 
                | https://www.faa.gov/news/press_releases/news_story.cfm?newsI...
        
               | vorpalhex wrote:
               | Airplane mode has two reasons. One reason is because at
               | one point your cell radio risked doing unpleasant things
               | to cellular ground stations, and another reason being
               | that the FAA wanted you to pay attention to your safety
               | demonstration.
               | 
               | Bluetooth was allowed on planes quite some years ago.
        
               | Carpetsmoker wrote:
               | Another reason to turn on airplane mode - or at least
               | disable mobile - is that your phone will keep searching
               | for a network tower when it's out of reach, which will
               | drain battery quite a bit faster.
        
             | MichaelApproved wrote:
             | I don't know about GS8+ but older devices don't let you
             | turn Bluetooth on while in airplane mode.
        
               | marcusjt wrote:
               | I used to have an S2, S3, S4 and S6 before my S9 and (as
               | far as I can recall) it's always been possible to turn
               | Bluetooth on while in airplane mode.
               | 
                | UPDATE: confirmed by later comments in
                | https://androidforums.com/threads/turning-on-bluetooth-in-fl...
        
               | BenjiWiebe wrote:
               | Older device: 2013 Moto X, Android 5.1. Lets you turn on
               | WiFi, Bluetooth, whatever, with airplane mode on.
        
             | [deleted]
        
         | numpad0 wrote:
          | I can't cite it, but wasn't there some requirement coming from
          | the music industry back in the 2010s to remove all analog
          | outputs from devices?
        
           | metaphor wrote:
           | When did the "music industry" start formally steering
           | commercial audio PHY standards?
           | 
           | Characteristic impedance alone is all over the map, Apple
           | apparently couldn't align its 3.5mm jack pinout with the rest
           | of de facto industry, and form factor is just one of many
           | inherent market differentiators.
        
           | gruez wrote:
           | Why? For DRM?
        
             | numpad0 wrote:
             | I remember it was called "the analog hole" that enables
             | piracy, that was going to be closed by a future date, back
             | somewhere between 2005-2015.
        
               | 0xcde4c3db wrote:
               | My fuzzy recollection is that the "analog hole" stuff was
               | mostly pushed by Hollywood with respect to getting around
               | encryption on DVD and streaming video (as opposed to
               | music, where similar encryption schemes were foiled in
               | the market by CD and MP3 already being good enough, if
               | not outright superior to the "modern" formats), and that
               | with the advent of HD content they eventually settled for
               | analog outputs being limited to SD resolution.
        
               | microcolonel wrote:
               | Wait until they find out that audio can be reproduced
               | with little or no generational loss, because there is
               | always an analog signal (since that's the point of
               | audio).
        
               | chungus_khan wrote:
               | The only way to truly stop piracy is obviously to
               | disallow all devices from playing any audio at all.
        
               | numpad0 wrote:
                | Actually they've already found out that streaming and
                | subscriptions slaughter piracy, unlike stringent
                | regulations, which promote illegal activities.
        
         | keymone wrote:
          | I thought I'd be using the adapter, but my Apple headphones that
          | came with an iPhone have been collecting dust for like two years
          | now since I got AirPods. Not going back, couldn't care less about
          | the headphone jack. Now I wish the charging port was gone too,
          | just to push the industry even further.
        
           | protanopia wrote:
           | Phones already support wireless charging. Why remove wired
           | charging because you don't use it? It is harder to use a
           | phone while it is on a wireless charger vs use a wired
           | charger.
        
           | dobleboble wrote:
           | There are enough external peripherals (external microphones,
           | HDMI output, etc.) that are useful that I hope they don't get
           | rid of the lightning port for quite a while.
        
       | TekMol wrote:
       | That's heavy. There are tons of phones out there that will never
       | be patched again.
       | 
       | The situation on the phone market is so miserable.
       | 
       | The industry forces us to throw away perfectly fine hardware
       | after just 3 years or so.
        
         | DangerousPie wrote:
         | FWIW, the situation is significantly better in the Apple phone
         | market.
        
           | oauea wrote:
           | Where can I buy a $200 apple phone? And how do I develop
           | software for it without buying a $1000 macbook? Oh, and I
           | have to pay $100/year for the privilege of being able to
           | develop software for my own hardware, right?
        
             | nxc18 wrote:
             | Buy a $400 device and hold onto it for a few years. The
             | android device needs to be replaced every 2 years and
             | subjects you to misery for the last half of its life.
             | 
             | The old iPhone is going to work as well as, if not better
             | than, a new android device - Apple tends to be about 5
             | years ahead of Qualcomm in performance, and they actually
             | service their devices. My mom is using my iPhone 6S from
             | 2015 that feels about as snappy as my 2018 XR. And that
             | feels snappier than a pixel 4.
             | 
             | Very few people are software developers so the Mac req to
             | develop is a non-issue.
        
               | khill wrote:
               | Not true - I replace my Android phones every 4-5 years.
        
             | heavyset_go wrote:
             | Don't forget that GPL software is banned from the App
             | Store.
        
               | robin_reala wrote:
               | Slightly disingenuous: the GPL bans itself from the App
               | Store because the App Store imposes additional
               | restrictions on the software.
        
         | 32gbsd wrote:
          | This; hardware has become the ugly duckling to software.
        
         | ChrisCinelli wrote:
         | I agree with you that it is a shame that perfectly working
         | hardware is left highly insecure after just 3 years (that is
         | actually worse for some other manufacturers).
         | 
          | The worst part is that people keep using the phones because they
          | are not tech savvy or grossly underweigh the risk, and they do
          | not feel that they need to spend money on a new phone.
        
         | loeg wrote:
         | You can shorten 3 years to 1.5 for typical Android vendors
         | (i.e., Samsung) and maybe extend it to 4 or 5 years for Apple.
         | There is a marked difference in the two ecosystems' approach to
         | support for older hardware.
        
         | madez wrote:
         | The solution is rather simple; buy devices with better
         | documented and open internals rather than what's cheapest,
         | shiniest, and most convenient. There are alternatives, and we
         | all vote with our wallets.
        
           | papermachete wrote:
           | What are some 2018+ sub-$200 smartphones that run first-party
           | LineageOS to no disadvantage over the stock ROM?
        
             | scns wrote:
             | Get a used Galaxy S5, should cost less than $100. Has an
             | oled screen, so switching ui to dark mode saves battery.
             | Has a headphone jack and removable battery. Runs Android 9
             | via LineageOS
        
               | papermachete wrote:
               | Thanks. Is that the original lineageOS or one of those
               | "what works: you tell me ;)" ROMs?
        
             | pmlnr wrote:
             | There aren't any, unless you go second hand. LOS and nearly
             | all custom ROMs are aiming at widespread, mostly high end
             | devices, which is one of the big problems.
        
               | myself248 wrote:
               | I've learned this lesson.
               | 
               | If I have $200 to spend on a phone, I will not buy a low-
               | end 2019 $200 phone.
               | 
               | I will buy a used (or new-old-stock) flagship that was
               | $700 when it came out a few years ago, and is now $200 on
               | the used market.
               | 
               | The older flagship will have similar specs to today's
               | low-end junk, but also all the enthusiast support, better
               | accessory availability, and probably better build quality
               | overall, because it was originally intended to be the
               | highest of the high-end.
        
               | steerablesafe wrote:
               | Flagships have the most idiotic designs though, as far as
               | I looked around. Low-end current year $200 phones often
               | have removable batteries, headphone jack and dual sim
               | support. Flagships typically have none of that.
        
               | papermachete wrote:
               | I mean if you can go so far as to install or build third
               | party ROMs, it'd be an interesting weekend hobby to
               | repair electronics yourself.
               | 
               | I've saved hundreds of dollars of technology on trivial
               | home repairs instead of buying replacements.
        
               | smush wrote:
               | $300 but that got me a Samsung Galaxy Note 9. Headphone
               | jack and all.
        
               | mavhc wrote:
               | You'll also have to replace the battery though
        
             | gruez wrote:
             | I'm surprised nobody mentioned xiaomi phones yet.
        
           | toast0 wrote:
           | Do you want two OpenMoko phones sitting in my drawer? They're
           | about as useful now as they were then.
        
           | pixl97 wrote:
           | Ah, yes, this is sure to work.
           | 
           |  _watches the plan fail yet again_
           | 
           | This is like saying "we dont need regulations in meat
           | packing, every individual can become educated in butchery
           | cleanliness and track the supply chains for the products they
           | buy and everything will be better!"
        
             | madez wrote:
             | We surely need regulation that demands at least delayed
             | publication of firmware source and hardware documentation,
             | I agree. The analogy to regulation in the food industry is
             | enlightening.
             | 
             | It's easier to achieve regulation when people care and show
             | that they care. It seems to me, voting now with your wallet
             | is one of the most direct ways to make a case.
        
               | Normal_gaussian wrote:
               | I don't think many people are talking directly to their
               | officials about it. It certainly isn't something my local
               | representatives talk about, and the political
               | consultation groups some of my uni-friends now work in
               | definitely don't have it on their radar.
        
               | Mirioron wrote:
               | How do I vote with my wallet though? The only alternative
               | is an iPhone which fulfills a somewhat different role
               | functionally.
        
               | clarry wrote:
               | Voting against the tyranny of the ignorant masses (or
               | just people who also value convenience; or those who
               | can't afford expensive) is a discarded vote. Your pennies
               | are not going to change the world.
        
               | madez wrote:
               | Unlike in some political systems, in the market the
               | winner doesn't take all, but rather all receive their
               | votes. Even then, I don't understand the psychology
               | underlying the concept "discarded vote". I vote for what
               | I think is best. To me that is what votes are all about.
               | Is the psychological desire to be part of the winning
               | group responsible?
        
               | clarry wrote:
               | If you know you're voting for a niche candidate that
               | cannot win, then that vote achieves nothing. It amounts
               | to as much as not voting at all; voting, then, is an
               | empty ritual, just a rain dance. Psychological desire has
               | nothing to do with it, it's just hard facts.
        
               | kortilla wrote:
               | We're talking about voting with your wallet. The vendor
               | you pick doesn't need to "win", it just needs to get
               | enough to survive. This is why voting with your wallet is
               | much more powerful than voting for winner-take-all
               | representatives in a political system.
        
               | madez wrote:
               | Even in an archaic the-winner-takes-all vote, the result
               | reveals important information besides determining the
               | winner. That information can influence other voters, vote
               | options, and the winners behavior.
        
           | taspeotis wrote:
           | Or just buy Apple. The iPhone 5s was released in 2013 and got
           | an update less than a fortnight ago (January 28).
        
             | janekm wrote:
             | To put that in perspective, as far as I've been able to
             | determine Google provided security updates for the 2013
             | Nexus 5 until November 2018:
             | https://arstechnica.com/gadgets/2018/03/google-ends-major-
             | os... It's doubtful that any other Android vendor provided
             | updates for longer...
        
               | shpx wrote:
               | Another data point: the first Google Pixel, released
               | October 20, 2016, stopped getting security updates in
               | October 2019 https://support.google.com/pixelphone/answer
               | /4457705?hl=en
        
               | kllrnohj wrote:
               | It stopped being listed as having guaranteed updates but
               | it already has gotten at least one more update since
               | then. Per
               | https://developers.google.com/android/images#sailfish
               | there's been an update for the Pixel in December 2019.
               | 
               | It is missing the Jan & Feb 2020 updates that the Pixel 2
               | received, but it's plausible the Pixel 1 could still get
               | a patch for this critical issue.
        
               | joshuaissac wrote:
               | While it is not the same as manufacturer support, the
               | latest version of LineageOS is officially supported on
               | the Samsung Galaxy S4 (2013).
        
               | myself248 wrote:
                | S4 here too! The last great flagship, as far as I'm
                | concerned. Removable battery (just ordered another!),
                | headphone jack, microSD slot, USB OTG, HDMI/MHL out,
                | glove-compatible touchscreen, and small enough to fit the
                | hand.
               | 
               | I'm gonna keep these things running as long as I can,
               | because the prospect of replacing them with something a
               | decade newer but inferior in every meaningful way is
               | simply sad.
               | 
               | LineageOS is the only reason I don't loathe the whole
               | Android ecosystem, to be honest.
        
               | ekianjo wrote:
               | You still have to root your device to install LineageOS
               | right?
        
               | myself248 wrote:
               | TBQH I've never been quite clear on what it means to root
               | a device. I just run Heimdall and load the files they
               | specify, plug the device in, and a few minutes later, it
               | reboots into Lineage.
        
               | joshuaissac wrote:
               | To install LineageOS, it is enough to unlock the
               | bootloader, which permits the installation of operating
               | system images that have not been signed by the
               | manufacturer (e.g. Samsung).
               | 
               | Rooting permits applications to have more control over
               | the device at runtime. Some devices require the
               | bootloader to be unlocked to enable rooting, and others
               | do not.
        
               | ekianjo wrote:
               | > any other Android vendor provided updates for longer...
               | 
               | Nokia is the best though:
               | https://www.counterpointresearch.com/nokia-leads-global-
               | rank...
               | 
               | they support even their very old phones to upgrade up to
               | the latest version of Android.
        
             | visualphoenix wrote:
             | Did this iOS Bluetooth LE exploit ever get patched?
             | https://github.com/hexway/apple_bleee/blob/master/README.md
             | 
             | Less dangerous, for sure...
        
             | ekianjo wrote:
             | > Or just buy Apple
             | 
             | And get locked in another walled garden? Erm... no thank
             | you.
        
               | Humdeee wrote:
               | Meh, I prefer that over a gated patch of dirt
        
               | rstupek wrote:
               | gated landfill?
        
             | eithed wrote:
             | Can you make assurances that iPhone doesn't suffer from
             | similar issues, given it's not open source solution?
        
               | lima wrote:
               | There's tons of security researchers focusing on iOS and
               | the lack of source code access is merely an
               | inconvenience.
        
               | prox wrote:
               | There a couple of alternative solutions, from convenient
               | to effort needed :
               | 
               | iOS ecosystem. Since Apple is a hardware manufacturer
               | foremost, you notice from the start you aren't the
               | product. Lots of apps, many of high quality.
               | 
               | Librem/Pinephone : Linux phones. While the hardware is
               | still closed source in certain parts, it's a step up from
               | what we have now. Librem allows you to install any linux
               | variant you choose.
               | 
               | Zerophone : Build your own phone basically, very cheap to
               | build ($50) , and currently in development.
        
               | objclxt wrote:
               | Depends what you mean by "similar issues"
               | 
               | If you mean "a bunch of relatively new Android phones not
               | getting security updates because their manufacturer
               | doesn't support them", then yes. Apple is actively
               | providing not just security patches but entire feature
               | software updates for the iPhone 6S, which is 4.5 years
               | old at this point.
        
               | eithed wrote:
               | Yup, that's what I mean. While I do have an Android phone
               | that is patched (Samsung), I understand that many people
               | will be hmm... irritated that this vulnerability won't be
               | fixed and requires them to upgrade. I'd not treat
               | switching to Apple ecosystem as panacea to everything
               | though and would be more for security through audit, not
               | obscurity.
        
               | why_only_15 wrote:
               | Apple's security is heavily audited in a lot of ways.
               | They give special phones to researchers that make it
               | easier to audit them, and there are significant bug
               | bounties.
        
             | dana321 wrote:
             | Only because their newer iphone SE is similar enough.
        
               | blub wrote:
               | The SE has a similar shape with the 5s, but the internals
               | of a 6s, which is two generations older than the 5s.
        
             | ChuckNorris89 wrote:
             | Buying iPhone makes sense if you're already invested in the
             | whole ecosystem(owning MacBook, iWatch, AirPods, etc.). If
             | you're not part of the Apple ecosystem the experience is
             | less polished when you need one apple device to play well
             | with the rest of your non apple devices.
        
               | tommit wrote:
               | Full disclosure: I'm very locked in the Apple ecosystem.
               | They do play amazingly well with one another, but I feel
               | like that's not at all their main selling point.
               | 
               | You can appreciate the longevity and continued support of
               | an iPhone without having an Apple Watch. You can
               | appreciate a MacBook for its OS (pre Catalina anyway) and
               | build quality (I'm still running a 2014 model -- though I
               | have read about recent models' issues) without having an
                | iPhone to pair it with. To be fair, you cannot appreciate
                | an Apple Watch without an iPhone at all since it won't do
                | anything, and I'm on the fence about AirPods and how well
                | they do outside the Apple world.
               | 
               | My point is, once you're in the ecosystem, you notice a
               | lot of little things that may make your life easier. Are
               | they great? Yeah absolutely. Are they what sells the
               | product? In my opinion, not at all. Unless it happens to
               | pinpoint your exact use case (I need to lock and unlock
               | my MacBook 30 times a day and I'm tired of having to
               | enter a password, I want my Apple Watch to unlock it),
               | it's the product itself that will most likely convince
               | you. The way they neatly play together at times is just
               | the cherry on top, like when you notice your computer and
               | phone now share a clipboard. That's awesome, but not a
               | single selling point for anyone.
               | 
                | Now, I will be the first one to say: iTunes sucks. So, if
                | you do buy an iPhone, it makes sense IMO to shell out the
                | extra 99ct a month for iCloud storage.
        
               | davidy123 wrote:
               | While there are cheap computers that don't last well,
               | pretty much any computer at the price point of an Apple
               | computer will last at least five years, in fact they will
               | probably last several times that. Additionally, Thinkpads
               | for example have full user service manuals and often
               | support users repairing or upgrading parts such as RAM
               | and storage that explicitly maintains the warranty.
        
               | vel0city wrote:
               | FWIW, you don't need to be in the Apple ecosystem to have
               | features like having a secondary device auto-unlock your
               | laptop or desktop. Windows has supported a paired device
               | unlocking your user account for a while now, and it does
               | not have to be a manufacturer specific device. Logging in
               | with devices like Yubikeys is also a supported login
               | method.
        
           | rjmunro wrote:
           | Looks like I need a new phone because of this. Which phone
           | would you recommend so I don't make the same mistake again?
        
             | prox wrote:
              | Some options, from less effort to more effort: iOS
              | ecosystem. Since Apple is a hardware manufacturer foremost,
              | you notice from the start you aren't the product. Lots of
              | apps, many of high quality.
             | 
             | Librem/Pinephone : Linux phones. While the hardware is
             | still closed source in certain parts, it's a step up from
             | what we have now. Librem allows you to install any linux
             | variant you choose.
             | 
             | Zerophone : Build your own phone basically, very cheap to
             | build ($50) , and currently in development.
        
             | djxyeush wrote:
             | If you don't expect to lose sleep over third party apps
             | (such as Tachiyomi for comic reading) then iphones are
             | spectacular. You won't have as much customization but the
             | experience overall really does explain why Apple is so
             | profitable. Otherwise, Samsung for MST payments. You'll
             | still want a wallet/clip, but there's been more than a few
             | times I forgot my wallet and MST saved me from a wasted
             | trip to the market.
        
               | amanaplanacanal wrote:
               | I switched from Android to iOS when my last phone
               | (samsung) stopped getting updates. I miss a couple
               | things: a good adblocker, and the Swype keyboard. I setup
               | a pi-hole at home to take care of ads when I am there,
               | but the iOS swype-equivalent keyboard is nowhere near as
               | good as the real Swype keyboard on android.
        
             | vesinisa wrote:
             | I can attest that my Pixel 3a received the February update
             | as soon as it was released directly from Google, and I have
             | been overall very happy with this phone. Pixel 3a is the
             | cheapest yet (IMHO) best Pixel phone on the market. It is
             | guaranteed to receive OTA updates and security fixes until
             | at least May 2022:
             | https://support.google.com/nexus/answer/4457705?hl=en
        
             | [deleted]
        
             | krn wrote:
             | I would only buy a device running Android One, because they
             | receive monthly security patches and new Android versions
             | for up to 3 years.
             | 
             | The current options include all Nokia smartphones, Motorola
             | One line, and Xiaomi Mi A line.
             | 
             | For the best hardware and 5G support, I would look at Nokia
             | 9.2 (Snapdragon 8--) and Nokia 8.2 (Snapdragon 7--)
             | releases this year.
             | 
             | The best deal is to buy 6 months after the release, when
             | most Android devices become heavily (30-40%) discounted,
             | but are still quite new.
             | 
             | I prefer Android over iOS because of the freedom to install
             | open-source OS-level ad-blockers, such as Blokada[1], which
             | greatly improve privacy and battery life.
             | 
             | [1] https://blokada.org/
        
               | zozbot234 wrote:
               | Note that "Xiaomi Mi A" devices are the only ones that
               | are similar to Android One. Most Xiaomi devices have a
               | custom UX and additional weirdness. (Among which is the
               | need to "sign up" online for bootloader unlock and wait
               | for a timeout period. They do this because resellers used
               | to ship bootloader-unlocked versions with "unofficial"
               | mods of sorts, often with customers being none-the-wiser.
               | Not an issue on the 'Mi A' line, for whatever reason.)
        
               | krn wrote:
               | > Most Xiaomi devices have a custom UX and additional
               | weirdness.
               | 
               | That's true. Just like Samsung, Huawei, OnePlus, and any
               | other Android manufacturer except Nokia, Xiaomi maintains
               | its own Android ROM, called MIUI[1]. It's not as vanilla
               | as Android One, but at least it also receives monthly
               | security patches.
               | 
               | > Among which is the need to "sign up" online for
               | bootloader unlock and wait for a timeout period. They do
               | this because resellers used to ship bootloader-unlocked
               | versions with "unofficial" mods of sorts, often with
               | customers being none-the-wiser. Not an issue on the 'Mi
               | A' line, for whatever reason.
               | 
               | It's not an issue with Xiaomi Mi A line, because Xiaomi's
               | reputation is not affected as much if there is something
               | wrong with a smartphone that is not running its custom
               | ROM.
               | 
               | Nokia has only recently started allowing to unlock the
               | bootloader of _some_ of the models, and has a similar
               | process[2].
               | 
               | [1] https://en.wikipedia.org/wiki/MIUI
               | 
               | [2] https://www.nokia.com/phones/en_int/bootloader
        
               | mavhc wrote:
                | According to Nokia: Unlocking a device means you may lose
                | some of its functionalities, including - but not limited
                | to - telephone, radio, audio, video, payment, encryption
                | and DRM.
        
               | krn wrote:
               | As with probably all Android devices, unlocking the
               | bootloader breaks the SafetyNet[1].
               | 
               | And any custom Android ROM requires drivers to be able to
               | completely support the hardware of a particular device.
               | 
               | [1] https://www.howtogeek.com/241012/safetynet-explained-
               | why-and...
        
           | zozbot234 wrote:
           | They're all using the same junk SoC's with zero documentation
           | and the crappiest possible level of "board" support anyway.
           | You're actually better off buying a device where that support
           | has been properly reverse-engineered/forward ported and is
           | included in the mainline kernel. (Lots of Allwinner boards
           | are "supported" in that way.) But it's ridiculous that we
           | have to do this.
           | 
            | Also FWIW, the problem has zilch to do with "Android" per se
            | - pre-Android mobile Linux was _even worse_. It's embedded
            | platforms in general.
        
           | munificent wrote:
            | That would work better if mobile phones were anywhere in the
            | vicinity of an efficient market. They're not.
           | 
           | * The barrier of entry is very high: You need a top-tier
           | manufacturing system and supply chain. An operating system.
           | An entire suite and market of applications. All of the apps
           | users expect and rely on (mail, navigation, Facebook, chat,
           | Instagram, etc.) must be supported. The hardware is only
           | profitable if you manufacture at very high scale.
           | 
           | * Information asymmetry is very high. Users have almost no
           | insight into how secure one platform is versus another. In
           | fact, they have access to paradoxical information. The _most_
           | secure platforms are the ones with the most transparent
           | security flaw handling, but those are also the ones that
           | _appear_ the least secure because the vulnerabilities are
           | more widely reported.
           | 
           | * Products are nowhere near commoditized. A phone is a very
           | large constellation of hardware, operating system, and
           | software features. There is no apples to apples comparison
           | between phones. Maybe you like the camera on one but not the
           | screen on the other. One has better apps but the other a more
           | stable OS.
           | 
           | This is not a market where consumer choice will effectively
           | drive solutions to diffuse problems.
        
           | kees99 wrote:
           | My understanding is that each android phone model is unique
           | and requires unique OS update (unlike, say, BIOS- or UEFI-
           | based x86 PCs, where exact same Windows/Linux/BSD/... image
           | can be installed on any of them).
           | 
           | Having a "standard" OS interface for the phone, where there
           | is just one OS image for a given OS version, and that image
           | could be installed on any phone - now that would be the true
           | alternative, which I would be delighted to vote for with my
           | wallet.
        
             | jacquesm wrote:
             | > My understanding is that each android phone model is
             | unique
             | 
             | Sure, but each PC is also 'unique' in that sense, in fact
             | I'd happily bet that there are more different kinds of
             | hardware combinations for PCs than there are android phone
             | models. And yet, that never was a problem.
        
               | zozbot234 wrote:
               | Plug-and-Play and then ACPI have been used to get around
               | this. Hardware discovery just doesn't seem to be a thing
               | on these embedded SoC platforms, and even the hardware
               | support itself (drivers, etc.) is extremely sub-par if
               | you expect to run the ordinary, mainline kernel.
        
               | jacquesm wrote:
                | Even before hardware discovery and plug-and-play you could
                | do this by simply specifying what hardware you had or by
                | 'probing' the hardware for presence of certain
                | characteristics (this wasn't always foolproof). The
                | hardest parts were when interrupts were still selected
                | with jumpers rather than automatically enumerated.
        
               | kees99 wrote:
               | 8086 has 256 IO addresses, and hardware of that era had
               | fairly simple initialization, so completely naive way to
               | find peripheral X was to 'probe' each and every possible
                | IO address with something like:
                | 
                |     for i in range(256):
                |         poke(i, magic1)
                |         if peek(i) == magic2:
                |             found!
               | 
               | 256 probes in all is not that bad, and real-world probing
               | would only try a handful of commonly used addresses,
               | making it even faster.
               | 
               | Phone SoCs on the other hand have many peripherals
               | memory-mapped (meaning there are millions/billions of
               | addresses to 'probe'), plus there are things like power
               | sequencing, GPIO enable lines that need to be asserted,
               | and clock sources configured before the peripheral would
               | even respond at all. Oh, and that GPIO, or power
               | controller, or clock source themselves might be accessible
               | via an i2c chip speaking its own protocol, so you need to
               | initialize those first, etc, etc.
               | 
               | All of this complexity could be described via the Linux
               | "devicetree" subsystem, and devicetrees are in a usable
               | state for some hardware (although DT itself is often a
               | labyrinth to navigate). Thing is - factory software for
               | most phones has been extremely slow to adopt DT, and
               | even some that do use DT don't do it in a particularly
               | portable way.
        
               | cesarb wrote:
               | However, every PC descends from the original IBM 5150
               | from the 1980s, which gives the PC a common base which
               | phones never had.
        
             | zozbot234 wrote:
             | > Having a "standard" OS interface for the phone, where
             | there is just one OS image for a given OS version, and that
             | image could be installed on any phone
             | 
             | Project Treble is working towards this, in a way. But it's
             | a huge hack that's still dependent on lots of weird AOSP-
             | specific stuff, and doesn't even give you a "single" OS
             | image for every device - the "proper" image for your device
             | varies by baseline AOSP support (7, 8, 9, 10), "A" vs.
             | "A+B" boot and of course 32-bit vs. 64-bit architecture.
             | Nowhere near "UEFI-based PC" territory.
        
               | yjftsjthsd-h wrote:
               | Eh... remember 32-bit UEFI? It might be smaller, but
               | there is still room for weirdness.
        
           | nicolaslem wrote:
           | This is why my next phone will be a Librem 5. I know that it
           | will probably suck but at least it's moving things in the
           | right direction.
        
             | madez wrote:
             | I'm in the same boat. If it moves things in the right
             | direction, then it doesn't suck.
        
               | prox wrote:
               | Indeed! I usually get "but it's still a closed source
               | modem" as a counterpoint ... sigh
        
               | squarefoot wrote:
               | The closed source modem, or network firmware for that
               | matter, isn't much of a problem if it can't see clear
               | data and/or access to system memory or execute
               | instructions. I'd see it more of a black box not unlike
               | old RS232 connected modems: they could see all data going
               | back and forth, but encrypting that data would be enough
               | since they could never access the system memory to see
               | the data before encryption or after decryption. Librem 5
               | and Pinephone should work along these lines. Having
               | everything 100% open would be better, but in this case
               | being closed doesn't create security concerns since all
               | personal data is unavailable to these subsystems; only
               | the main system, which is entirely open and where the
               | user is king, can access them.
        
             | ekianjo wrote:
             | > my next phone will be a Librem 5.
             | 
             | Better go with a Pinephone if everything that's been
             | written about Librem as a company is even half-true.
        
           | tremon wrote:
           | > There are alternatives
           | 
           | Can you name one smartphone device with open internals? I'd
           | love to buy one, but I don't think they exist. From
           | Replicant's recommendations [1]:
           | 
           |  _If compromising on privacy/security is not an option, or
           | anything serious is at stake (e.g. political activism or
           | journalism in a sensitive area), it is advised to avoid using
           | a telephony-enabled device at all._
           | 
           | My impression from the smartphone market is that phone
           | platforms have become less open, not more, over the last ten
           | years. The PinePhone isn't generally available yet, and the
           | Librem 5 current iterations don't have working audio calls.
           | 
           | [1] https://www.replicant.us/freedom-privacy-security-issues.php...
        
             | madez wrote:
             | Openness isn't binary. One significant step is support for
             | the mainline Linux kernel. Another significant step is free
             | information about the hardware on a high-level, such as PCB
             | schematics and documentation about the used chips. Here are
             | some projects that I'm aware of:
             | 
             | Mainline Linux:
             | 
             | https://pocket.popcorncomputer.com/
             | 
             | https://necunos.com/shop/
             | 
             | Mainline Linux + high-level hardware documentation:
             | 
             | https://puri.sm/products/librem-5/
             | 
             | https://www.pine64.org/pinephone/
        
           | kop316 wrote:
           | I hope you realize that with the exception of Freescale,
           | there are no phone and tablet devices where the vendor
           | actually cooperates and does that. Many of the devices that
           | are documented are because of the open source community that
           | actually bothers to dig in and do this (without any vendor
           | support).
           | 
           | That means there is no Android or Apple device on the market
           | today that accomplishes what you say.
           | 
           | The only phones that are out there that can do that are the
           | Pinephone and Librem 5. I have beta devices of both, and
           | while I am extremely excited to see them mature and turn into
           | daily drivers, the fact is neither can actually be a daily
           | driver today.
        
         | silenussays wrote:
         | But unlike Apple's closed source walled garden ecosystem,
         | Android is open source! That means you can patch it yourself!
         | Right guys?
        
         | rjmunro wrote:
         | In the UK I always wonder if it's possible to bring a claim
         | under Part 1 Chapter 2 of the Consumer Rights Act 2015. The
         | goods must be 'satisfactory'. Remote code execution over
         | Bluetooth is not satisfactory, even if it only became apparent
         | 3 years later.
         | 
         | https://www.moneysavingexpert.com/shopping/consumer-rights-r...
        
           | 867-5309 wrote:
           | A legal battle with a phone manufacturer will cost much more
           | than the phone itself. 99% of retailers will say it's nothing
           | to do with them, take it up with the manufacturer. Phones are
           | relatively cheap and transient commodities compared to
           | something like houses, where "consumer rights" might actually
           | mean something.
        
             | jacquesm wrote:
             | If consumer rights don't mean anything for > $500 devices
             | then there might as well be no consumer rights.
        
             | rjmunro wrote:
             | > a legal battle with a phone manufacturer will cost much
             | more than the phone itself
             | 
             | You'd only need to do it once to set a precedent, and
             | everyone can get their phones fixed or replaced. The
             | problem is that the law applies to the retailer, not to the
             | manufacturer. As I didn't buy my phone direct, I'd have to
             | get the retailer to replace it, and as I went to a high
             | street retailer who is suffering from competition from
             | Amazon etc, and closing branches, it feels bad to give the
             | problem to them.
             | 
             | If I'd bought the phone from the manufacturer direct, from
             | Amazon, or from a phone network, I'd gladly go ahead with
             | the action because those retailers would have enough clout
             | that the manufacturer would care about losing their
             | business.
        
             | fulafel wrote:
             | Would the dispute be with the manufacturer or whoever sold
             | the phone to you?
        
               | davidgerard wrote:
               | Whoever sold you the phone. Your contract is with the
               | trader.
        
             | Someone wrote:
             | They will say that and will often get away with it, but in
             | the EU, that doesn't fly.
             | https://europa.eu/youreurope/citizens/consumers/shopping/gua...:
             | 
             |  _"Under EU rules, a trader must repair, replace, reduce
             | the price or give you a refund if goods you bought turn out
             | to be faulty or do not look or work as advertised."_
             | 
             | So, the manufacturer, in the EU, never has anything to do
             | with the consumer, legally.
             | 
             | I think a trader could successfully argue they didn't
             | advertise the device as secure, that the user didn't suffer
             | from it or, for devices that are out of warranty, that they
             | don't need to correct this issue anymore. Claiming that it
             | wasn't 'faulty' could be harder, but I'm sure they would
             | try. If a vulnerability isn't known, is it a fault? Depends
             | on whether its cause was generally known, I would think.
        
               | dageshi wrote:
               | Unless I'm missing something, it's only for 2 years after
               | purchase?
               | 
               | "The legal guarantee covers any defects presumed to have
               | existed at the time of delivery and which become apparent
               | within a period of two years. However, the crucial period
               | is the 6 months after you bought your product:"
               | 
               | https://europa.eu/youreurope/citizens/consumers/shopping/gua...
               | 
               | So I'm assuming the bulk of older phones would no longer
               | be covered?
        
               | eitland wrote:
               | Here in Norway I think it is, but be prepared to argue
               | for it.
        
             | michaelhoffman wrote:
             | In the UK it is really easy and inexpensive to file a small
             | claim, and there are limits to how much cases on the small
             | claims track can cost you.
             | 
             | https://www.gov.uk/make-money-claim
             | 
             | I've done it myself and got paid by an intransigent phone
             | retailer relatively promptly after that point. My lawsuit
             | was about a contractual dispute rather than faulty goods
             | though.
        
           | lowdose wrote:
           | Didn't you hear of those people returning their VW diesel
           | back to the dealer because of a claim under Part 1 Chapter 2
           | of the Consumer Right Act 2015?
        
             | tremon wrote:
             | I didn't, but it sounds intriguing, what was the outcome of
             | that?
        
               | lowdose wrote:
               | Biggest forced manufacturing recall ever recorded in
               | history. VW Group barely hangs on in Chapter 11 because
               | the people for once decided not to accept scapegoating
               | some figureheads in a limited hangout.
        
               | swamp40 wrote:
               | Yes, put them out of business. That will teach them.
        
               | Lammy wrote:
               | It will teach others. No need for the sarcasm.
        
               | ddeck wrote:
               | _> VW Group barely hangs on in Chapter 11_
               | 
               | Not sure what you're referring to. Chapter 11 is a form
               | of reorganization in bankruptcy in US law.
               | 
               | Volkswagen AG (i.e. the VW Group) is an EUR85 billion
               | German company that - despite the massive fines and
               | recall - has been consistently profitable, with a small
               | loss in 2015 due to the aforementioned issue and earned
               | ~EUR12 billion in net profit last year.
        
             | gruez wrote:
             | Was it really because of the Consumer Right Act? Part of
             | VW's settlement with regulators was that they had to buy
             | back a large majority (I don't recall the exact number) of
             | the defective cars.
        
           | verbify wrote:
           | I'm in the UK, and bought an original Pixel directly from
           | Google. The bluetooth daemon would just crash for me rather
           | than being exploitable. I just don't think I have a case -
           | phone manufacturers don't promise security updates in
           | perpetuity. I don't think it passes the test of a reasonable
           | person being dissatisfied.
        
           | flir wrote:
           | I'd be thinking "fit for purpose" rather than "satisfactory".
           | Minor quibble though.
        
         | shadowgovt wrote:
         | > The industry forces us to throw away perfectly fine hardware
         | after just 3 years or so.
         | 
         | Possibly because of things like this; when a vulnerability
         | isn't going to get patched, churn (with new hardware running
         | newest OS) protects the ecosystem against mass-compromise.
         | 
         | We can bemoan the lack of patches, but who's paying for the
         | patches?
        
         | dspillett wrote:
         | At least there is the mitigation that it isn't exploitable
         | unless the device is scanning for new devices to pair with, at
         | least by my reading of the reports I've seen.
         | 
         | Phones are not usually in that state unless the BT settings
         | screen is open. Otherwise it would drain excess battery in
         | normal use.
        
         | mtgx wrote:
         | > The industry forces us to throw away perfectly fine hardware
         | after just 3 years or so.
         | 
         | And even if you don't care about software or security updates,
         | it's still true in the sense that most don't have replaceable
         | batteries now, and they tend to use batteries that start to die
         | out after about 2 years.
         | 
         | They do this on purpose, but it's quite difficult to prove they
         | were doing it as "planned obsolescence". This is why I'd fully
         | support laws that make it illegal to make battery-powered
         | devices that can't have their batteries easily replaced _by the
         | consumer_ (not the iFixit guys).
        
         | kop316 wrote:
         | Yep. Even Google's own devices that are not supported anymore
         | will permanently be vulnerable to this:
         | 
         | https://developers.google.com/android/images
         | 
         | I have a Pixel C that will never have an official patch to this
         | exploit. I wonder if this is a user space exploit too, and if
         | so, that would mean there's no technical reason for why they
         | can't update it.
        
           | zozbot234 wrote:
           | I'm pretty sure that Pixel C (dragon) is in the PostmarketOS
           | wishlist - you might want to get involved! It does already
           | have LineageOS support.
        
             | kop316 wrote:
             | Yep it does, I have it on Lineage. However Lineage cannot
             | update the Kernel (due to no vendor support), it's stuck on
             | 3.10.
             | 
             | I'll take a look at Postmarket, I didn't know they were
             | working on it. My issue is that I use the tablet primarily
             | as my music workstation, and there are several apps I use
             | that depend on Google Play.
             | 
             | I do have a Pinephone, and I would honestly prefer to use
             | my time to get a matured OS for that.
             | 
             | EDIT: I looked around on PostmarketOS, I did not see
             | anything for the Pixel C? I just saw an external resource
             | on how to boot Linux onto the Pixel C.
        
         | neilsimp1 wrote:
         | My current phone (Samsung Note 5) is too old to receive updates
         | and I'm still on Android 7. I hardly use Bluetooth but I'm
         | still a little upset.
        
         | ChrisCinelli wrote:
         | > That's heavy
         | 
         | Almost every month there are security patches for "critical"
         | problems. Just skim through the blog pages. This is Jan 2020
         | for example:
         | https://source.android.com/security/bulletin/2020-01-01
         | 
         | Consider this: if I remember correctly somebody on HN was
         | saying that in these days the _average_ time from releasing a
         | patch and exploit found in the wild is _4_ days.
         | 
         | Consider that the patches hit the open source code a lot before
         | they are deployed.
         | 
         | Consider that besides Google, every other Android phone
         | manufacturer takes around a month before releasing the patches
         | even on current models.
         | 
         | The situation has no easy solutions.
        
           | arendtio wrote:
           | > Consider that besides Google, every other Android phone
           | manufacturer takes around a month before releasing the
           | patches even on current models.
           | 
           | Still the biggest problem. For my PC I can install updates on
           | a daily basis. For my smartphone, I can be happy if there are
           | any updates at all.
        
             | ChrisCinelli wrote:
             | If your OS is open sourced, the question is: how long does
             | it take from the time the patch is discussed in open places
             | (ex: mailing list or bug trackers for patch approval) and
             | when the patch is deployed?
        
       | butz wrote:
       | Great, because of limited Android updates I have to get a new
       | phone.
        
       | mavhc wrote:
       | Why haven't most of the billions of Android phones been hacked
       | already? Most never get updates and seems like there's 100 ways
       | to hack them.
        
         | wmeredith wrote:
         | The same reason that a billion minnows swimming together is
         | safer than 5. There are a billion targets and few of them
         | are worth hacking.
        
         | anotheryou wrote:
         | I think phones are also relatively hardened so the attack
         | surfaces are not super convenient.
         | 
         | Bluetooth: get in reach of an attacker (and from another
         | comment: have your device searching for bluetooth devices)
         | 
         | Web-stuff: if a patched browser doesn't help you are still
         | relatively safe browsing all the non-infecting websites in the
         | world.
         | 
         | file-stuff: you have to be stupid enough to open files, on your
         | phone, from phishy mails (unless you are targeted they are
         | always suspiciously generic, even when spreading from a hacked
         | acquaintance)
         | 
         | I guess if there was a vulnerability where you could remotely
         | gain full control over a phone without any action on the phone
         | side you'd indeed have phone botnets. Looks like there are no
         | such vulnerabilities.
         | 
         | Take what I write with a grain of salt, I'm actually just a
         | noob trying to make sense of this, too.
        
       | m1r3k wrote:
       | My OnePlus 3 phone just got its last security patch and is now
       | out of support from the manufacturer.
       | 
       | I use bluetooth constantly for my smartwatch and headphones.
       | 
       | I think it's time for custom firmware just because of this.
       | Goodbye banking apps and Google Pay, because apparently a newer
       | but unofficial OS is more insecure [1].
       | 
       | [1] https://developer.android.com/training/safetynet
        
         | guimoz wrote:
         | You can usually still pass SafetyNet with latest Magisk, even
         | on custom ROMs. Go check the XDA forums and you might find
         | that.
        
           | m1r3k wrote:
           | I know there are means to defeat safetynet but honestly I was
           | glad not to tweak my phones anymore and happy without a
           | rooted firmware.
           | 
           | I remember the times of endless tweaking and patching after
           | some Google Play services update a few years ago.
        
           | zozbot234 wrote:
           | > You can usually still pass SafetyNet with latest Magisk,
           | even on custom ROMs.
           | 
           | It's unreliable by definition. You're better off keeping a
           | device around with the stock OS on it, that you only use for
           | SafetyNet-required stuff.
        
       | Brave-Steak wrote:
       | > Keep your device non-discoverable. Most are only discoverable
       | if you enter the Bluetooth scanning menu. Nevertheless, some
       | older phones might be discoverable permanently.
       | 
       | Does this mean your MAC address isn't visible while on, non-
       | discoverable and connected to a BT device?
        
         | cpncrunch wrote:
         | Is there a way to make it non-discoverable? I don't see that
         | option on my Nexus 6P running 8.1. You can just turn bluetooth
         | on or off.
         | 
         | Or is it just discoverable when you click "pair new device"?
        
         | SwaraLink wrote:
         | I suspect that in this case the phone is using Bluetooth Low
         | Energy "passive scanning". This means that the phone is
         | listening for advertising devices (e.g. beacons) but never
         | actually transmitting Bluetooth packets and therefore never
         | actually exposing its Bluetooth address over the air.
        
         | baybal2 wrote:
         | Actually Android keeps Bluetooth on even when the UI says off,
         | for Google to radiolocate your position.
        
           | mavhc wrote:
           | I thought that was WiFi
        
           | rjmunro wrote:
           | Are you sure? I know they keep some WiFi on, but I didn't
           | think there was much location value in bluetooth signals
           | because most bluetooth devices people use are portable
           | (headphones, cars, etc.)
        
             | baybal2 wrote:
             | Actually yes, I did investigate that. Can post a
             | screenshot.
        
               | whatisthiseven wrote:
               | Did you also disable that setting under the "location"
               | submenu, which explicitly says it works even if bluetooth
               | is off?
               | 
               | Not that this is good design, mind you, but if you turned
               | both settings off and still see BT activity, then that is
               | much different.
        
               | baybal2 wrote:
               | If you do that, it will disable it. Yes, it's a well
               | hidden option deep in the menu.
        
           | gruez wrote:
           | That can be turned off.
        
       | magicalhippo wrote:
       | > For some devices, the Bluetooth MAC address can be deduced from
       | the WiFi MAC address.
       | 
       | Which ones would that be? Anyone know?
        
       | aedron wrote:
       | So some questions:
       | 
       | > with the privileges of the Bluetooth daemon
       | 
       | Which privileges is that? Can it access user data? Snoop on
       | input/output?
       | 
       | > For some devices, the Bluetooth MAC address can be deduced from
       | the WiFi MAC address
       | 
       | So if wifi is off, I'm safe?
       | 
       | I have bluetooth on all the time, because it automatically pairs
       | with my car for cellular and audio, and turning it on and off
       | would be a hassle. I rarely, however, use wifi unless I have to
       | download a very big amount of data, which is almost never.
        
         | e12e wrote:
         | > Which privileges is that? Can it access user data? Snoop on
         | input/output?
         | 
         | This is somewhat addressed in a comment/reply by jorge:
         | 
         | https://insinuator.net/2020/02/critical-bluetooth-vulnerabil...
         | 
         | > Hi, the Bluetooth daemon is a process on the Android system
         | that runs in the background (daemon) that is responsible for
         | managing the Bluetooth controller and handling of various
         | Bluetooth related protocols, such as HCI, L2CAP and GATT. As it
         | has to process attacker-controlled input it is susceptible to
         | attacks. In addition, it has to run with high privileges (not
         | as 'root' like on Linux) to support features like:
         | 
         | > - file transfer => read files
         | > - share Internet connection => configure network and VPN
         | > - Human Interaction Devices => emulate keyboard and mouse
        
         | oauea wrote:
         | > So if wifi is off, I'm safe?
         | 
         | No, the connection packets can still be sniffed from the air
         | once your device connects to your car. Then the attacker knows
         | your mac address and can initiate the exploit.
        
       | gaius_baltar wrote:
       | I'm now wondering if I can use this to root my phone.
        
       | billpg wrote:
       | "We could roll out the patches, or we could make all our
       | customers buy new phones!"
       | 
       | Stagefright again.
        
       | est31 wrote:
       | Judging by the three commits added by the android-9.0.0_r53 tag
       | in the platform/system/bt android subcomponent, the vulns seem to
       | be UAF + OOB write. All vulnerabilities thus belong to the
       | class of vulnerabilities that safe Rust eliminates.
       | 
       | https://android.googlesource.com/platform/system/bt/+/1d788d...
       | 
       | https://android.googlesource.com/platform/system/bt/+/c20f24...
       | 
       | https://android.googlesource.com/platform/system/bt/+/abc302...
        
         | ATsch wrote:
         | I think it's extremely silly that every time buffer length
         | vulnerabilities get discovered, people start immediately
         | jumping how rewriting everything in rust would have stopped it.
         | 
         | Yes, that's not wrong, but a sane (ptr, len) "slice"/"buffer"
         | type would have prevented this in any language, not just rust.
         | These things happen not because C and C++ lack sophisticated
         | ownership semantics, but because without such a type, passing a
         | pointer and hoping the buffer is always big enough is just
         | easier than doing the right thing.
         | 
         | If this was something funky like a cross-thread race-condition
         | dangling-pointer double-free, you'd have a great point. Only
         | Rust's unique safety model can prevent that. But with things
         | like this, as much as I love Rust and its community, I
         | sometimes feel like many Rust fans are much more interested in
         | being smug than making real-world progress towards safer
         | software today.
        
           | tene wrote:
           | The point is that the sane, correct choice is also the easy,
           | default choice in Rust. We've been able to implement
           | (ptr,len) buffer types in C for as long as we've had C, but
           | uint8_t* is both baked into many APIs, and the path of least
           | resistance.
           | 
           | We've spent decades pushing the limits of security
           | improvements we can get through asking people to please try
           | harder and do better with C, but we still see a high rate of
           | high-impact errors like this.
           | 
           | Rust's safety model isn't the only valuable thing about Rust.
           | Another big valuable part of Rust is that instead of giving
           | the programmer a box of unsafe tools and a post-it reminding
           | them to be careful, Rust provides sane, safe default tools
           | that have been built based on what we've learned from the
           | past several decades.
           | 
           | The argument isn't "Only Rust can save you", but that Rust is
           | a good choice that both meets the same performance
           | requirements, and avoids these problems by default.
           | 
           | If you've got a better solution to persuade C and C++
           | developers to consistently and reliably always wrap their use
           | of pointers from other APIs into (ptr,len) buffer types, I'd
           | love to hear it!
           | 
           | With comments like this, I sometimes feel like many
           | developers are much more interested in smugly dismissing a
           | group that's made significant real-world progress in making
           | it easy to do the right thing than they are in actually
           | helping real developers to reliably make safer software
           | today.
        
         | Varriount wrote:
         | Or Java, or Go, or one of the other 10 or so languages that
         | have bounds checking.
        
         | dmitrygr wrote:
         | Android accepts contributions and your complete rust rewrite of
         | bluedroid would be most welcome
        
         | userbinator wrote:
         | It's an 8-bit counter... just allocate a fixed 256 entries and
         | be done with it. That reads like code written by people without
         | any embedded/low-level experience.
         | 
         | Keeping code simple and without unnecessary abstraction is a
         | far more valuable skill than $safe-language-trend-of-the-day.
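
As an added illustration of the (ptr,len) "slice" argument ATsch and tene make above, and of userbinator's fixed-256-entry remark, here is example C code that is not from the thread, from Android's bluedroid, or from the linked commits; the length-prefixed record format, MAX_PAYLOAD, and every function name are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format (an assumption for this example, not any
 * Bluetooth protocol): a byte stream of [len:1 byte][payload:len bytes]. */
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t data[MAX_PAYLOAD];
    size_t  len;
} record_t;

/* The "bare pointer" style ATsch describes: the callee cannot know how
 * long the input really is, so it trusts the length byte. A short or
 * hostile input means an out-of-bounds read of p and, if the length
 * byte exceeds MAX_PAYLOAD, an out-of-bounds write into out->data. */
size_t parse_record_unchecked(const uint8_t *p, record_t *out)
{
    uint8_t n = p[0];
    memcpy(out->data, p + 1, n);
    out->len = n;
    return (size_t)n + 1;
}

/* The (ptr,len) slice type the thread argues for. Every access goes
 * through a helper that checks against len, so nobody has to "hope"
 * the buffer is big enough. */
typedef struct {
    const uint8_t *ptr;
    size_t         len;
} slice_t;

static bool slice_take_u8(slice_t *s, uint8_t *out)
{
    if (s->len < 1)
        return false;
    *out = s->ptr[0];
    s->ptr += 1;
    s->len -= 1;
    return true;
}

static bool slice_take(slice_t *s, size_t n, slice_t *out)
{
    if (n > s->len)
        return false;
    out->ptr = s->ptr;
    out->len = n;
    s->ptr += n;
    s->len -= n;
    return true;
}

/* The same parser written against the slice. Consumes one record from
 * *in on success; on failure *in is left pointing at the bad record. */
bool parse_record_checked(slice_t *in, record_t *out)
{
    slice_t cursor = *in;
    uint8_t n;
    slice_t payload;

    if (!slice_take_u8(&cursor, &n))
        return false;                 /* no length byte left */
    if (n > MAX_PAYLOAD)
        return false;                 /* would overflow out->data */
    if (!slice_take(&cursor, n, &payload))
        return false;                 /* input truncated */

    memcpy(out->data, payload.ptr, payload.len);
    out->len = payload.len;
    *in = cursor;
    return true;
}

/* Parse as many records as fit; stops cleanly at the first malformed one
 * instead of reading past the end of the stream. */
size_t parse_records(slice_t in, record_t *recs, size_t max_recs)
{
    size_t count = 0;
    while (count < max_recs && parse_record_checked(&in, &recs[count]))
        count++;
    return count;
}

/* userbinator's point: when the index is a uint8_t, a 256-entry table
 * cannot be indexed out of bounds, so no bounds check is needed at all.
 * Here the table is a histogram of each record's first payload byte. */
size_t count_by_first_byte(const record_t *recs, size_t n, size_t hist[256])
{
    size_t nonempty = 0;
    memset(hist, 0, 256 * sizeof hist[0]);
    for (size_t i = 0; i < n; i++) {
        if (recs[i].len == 0)
            continue;
        uint8_t key = recs[i].data[0];
        hist[key]++;                  /* key is 0..255 by its type alone */
        nonempty++;
    }
    return nonempty;
}
```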
        
           | e12e wrote:
           | I appreciate this comment, because it demonstrates a solid
           | approach to simplify the code.
           | 
           | That said, regarding:
           | 
           | > safe-language-trend-of-the-day.
           | 
           | I agree that rust advocacy can sometimes be a bit misguided
           | and over-enthusiastic - however how often is an out of bounds
           | write _not_ a bug (or a too clever by far hack)?
           | 
           | We've had pretty efficient ways to deal with this in c like
           | languages for a long time (eg Pascal, Ada).
           | 
           | (c-like in the sense of being relatively low-overhead, close
           | to the hardware wrt memory layout etc).
        
           | bitwize wrote:
           | People who know how to do that are expensive, and they still
           | make mistakes. Rust enables junior-level JavaScript
           | programmers to write kernel/bare-metal level code without
           | fear of making these kinds of errors. If you've spent a
           | career programming in C and you're complaining about Rust,
           | you're right. Rust isn't for you, it's for your replacement.
        
             | AnthonyMouse wrote:
             | > People who know how to do that are expensive
             | 
             | Good programmers are expensive. The notion that better
             | tools are going to change that is naive.
             | 
             | Rust is good. Use it for things. But the idea that it can
             | let people who don't know what they're doing write secure
             | code is dangerous. For example, what does Rust do about
             | Spectre? Does your junior-level JavaScript programmer know
             | how to address that? What about other timing attacks, or
             | knowing which crypto to use in which context?
             | 
             | People still have to know what they're doing.
        
             | 0xdead wrote:
             | If by "write kernel/bare-metal level code" you mean
             | blinking an LED, sure. Writing low level doesn't have to do
             | anything with C or any language for that matter. It
             | requires a deep understanding of the architecture that
             | you're writing code for. Junior JS devs don't have enough
             | experience or the skills to do that.
        
             | rafaelvasco wrote:
             | "Junior-level JavaScript programmers" "kernel/bare-metal
             | level code"
             | 
             | Can't see how that can be. Only a small minority of
             | programmers can code low level systems. Only those that
              | truly enjoy it go through the pains necessary to have
             | adequate grasp of it.
        
             | leshow wrote:
             | > Rust enables junior-level JavaScript programmers to write
             | kernel/bare-metal level code without fear of making these
             | kinds of errors
             | 
             | I've used Rust for a while, and this isn't really true. At
             | the lowest level you still have to build good abstractions
             | with judicious use of `unsafe`. It also comes across as
              | incredibly hostile; you're not doing Rust any favors with
             | this.
        
             | blub wrote:
             | "Rust enables junior-level JavaScript programmers to write
             | kernel/bare-metal level code without fear of making these
             | kinds of errors. If you've spent a career programming in C
             | and you're complaining about Rust, you're right. Rust isn't
             | for you, it's for your replacement."
             | 
             | That's a pretty silly thing to say.
             | 
             | Writing code that doesn't crash isn't the hardest thing
             | about writing low-level code. Sure, it's a problem, even an
             | important problem, but there's a ton of other knowledge
             | that no JS developer would have. Unless by "write" you mean
             | write 2 lines per day with lots of searching in-between
             | that has to be thrown away in the end.
        
               | dpc_pw wrote:
                | The way I see it: With C/C++, you have to have a
               | team of 5 senior devs, and they have to cross-check each
               | other work all the time. With Rust, you could have 1
               | senior Rust dev, and 4 junior devs, and they would arrive
               | in a better place anyway, just by the virtue of compiler
               | doing 90% of the boring checks and tutoring.
        
               | blub wrote:
               | You can't build a quality project only with juniors
               | supervised by a senior no matter what technology you use.
               | This is such a common programming fallacy, it's
               | surprising to see it here.
        
               | miohtama wrote:
               | But at least with Rust it won't have out of bounds and
               | use after free bugs even if being crap otherwise.
        
           | reyqn wrote:
            | It's a valuable skill for sure, but there apparently aren't
           | enough people with this skill on the market, which is why
           | $safe-language-trend-of-the-day is being developed and gains
           | momentum.
        
             | bluejekyll wrote:
              | How long must a language be around and prove its staying
             | power before people will stop brushing it aside with the
             | "$safe-language-trend-of-the-day" quip? 1 year? 2 years? 5
             | years? 50?
             | 
             | How many people must use it? 1k? 10k? 100k?
             | 
             | It's pointless to argue with someone who throws Rust into
             | that category at this point because it means nothing. It's
             | a slight to allow them to feel ok, that eventually this
             | language too will pass, and so it will be ignored.
        
             | zamalek wrote:
              | > there apparently aren't enough people with this skill on
             | the market
             | 
             | Judging by the number of memory vulnerabilities found each
             | year in mainstream operating systems (which are developed
             | by some of the best programmers around), there aren't any
             | people on the market with this skill. This is very likely
             | because all programmers are human beings.
             | 
              | Manually managing memory isn't difficult; it has been
             | proven to be practically impossible. I wouldn't care if it
             | were Linus claiming otherwise, it's ignoring incredible
              | amounts of evidence to the contrary and is much like a
              | flat-earther.
        
           | atoav wrote:
            | As someone who both writes C and Rust I don't think the two
            | contradict each other. Rust is very nice for writing stable,
            | fast and well-tested libraries that can interface with C
            | code.
            | 
            | Learning Rust and its concepts improved my C code. Even
            | if Rust vanished overnight I wouldn't regret learning
            | it.
        
           | est31 wrote:
           | > It's an 8-bit counter... just allocate a fixed 256 entries
           | and be done with it. That reads like code written by people
           | without any embedded/low-level experience.
           | 
           | I guess you are talking about the first commit I linked. The
           | problem here seems to be that some events of the kind
           | HCI_READ_RMT_EXT_FEATURES_COMP_EVT can be shorter than the
           | assumed 13 bytes. The code contains no check for that and if
           | the events are shorter, it would read data from after the
           | allocation. It would use that data to index inside arrays,
           | etc.
           | 
            | Now, if you just _allocate_ a buffer of 256 entries but don't
            | do anything else, it wouldn't read data from outside the
           | allocation, yes, but it would still read uninitialized data,
           | as nothing would be written after the end of the valid data.
           | That uninitialized data could e.g. come from previous freed
           | allocations. This would hardly be an improvement. You'd have
            | to _allocate_ and _zero-initialize_ it, and then you'd still
           | have the problem whether zero is invalid data or part of the
           | allocation... Even if code would figure that out, it would be
           | extremely smelly code and I'd never merge it in any projects
           | I maintain.
           | 
           | The approach done by the patch to just check the length is
           | much much better. The length is sent as part of the event.
           | 
           | > Keeping code simple and without unnecessary abstraction is
           | a far more valuable skill than $safe-language-trend-of-the-
           | day.
           | 
           | This code almost directly maps to the bluetooth host
           | controller interface which is part of the published Bluetooth
           | standard. So you can't change the core concepts of it. There
           | are a few abstraction layers which copy the data for some
           | reason from a new/delete managed hidl_vec to a malloc/free
           | managed array (check hciEventReceived function in
           | hci/src/hci_layer_android.cc). Yes, I'd say that some of
           | those layers are indeed unnecessary. But those abstraction
           | layers are not where the vulnerability occurs. It occurs in
           | the code that parses the message, and the bug is that the
           | code does not check the length of the input data. This is a
           | classic bug that can occur in C/C++ codebases.
           | 
           | Safe Rust prevents OOB writes/reads by performing bounds
           | checks when you index into a slice.
           | 
           | The issue with languages like C is that verifying that code
           | is safe is extremely hard, even harder than writing it in the
           | first place. This codebase seems to have not been written by
           | Google but by Broadcom, so Google would have to verify
           | whether what Broadcom wrote is actually safe. With Rust, such
           | verification is easy. If your code makes little use of
           | unsafe, and most code doesn't actually have to, it's easy to
           | verify its safety (at least for the classes of bugs that Rust
           | eliminates). Due to the strong typing, other types of bugs
           | are made harder to write as well.
        
         | haggy wrote:
         | This is not a constructive comment. Saying an entire OS "would
         | have been safer on this language" is just trolling. Comment
         | should be reported IMO.
        
           | pjc50 wrote:
            | The entire _raison d'être_ of Rust is that it can be safer
           | in exactly these cases where C or C++ is unsafe, and aims
           | towards their eventual replacement.
           | 
           | This will take a couple of decades, but it's a worthwhile
           | effort.
        
             | zymhan wrote:
             | Sure but until someone demonstrates at least a basic PoC
             | using Rust to replace some Android C code, suggesting that
             | it can is just speculation at best.
        
               | zamalek wrote:
               | Google has: https://en.wikipedia.org/wiki/Google_Fuchsia
        
               | zymhan wrote:
               | I'm certain that you cannot simply drop-replace an
                | Android OS component with a Fuchsia component.
               | 
               | My point is, of course Rust is a memory safe language,
               | and of course it would theoretically prevent overflow
               | exploits, but throwing in "you should've used Rust" when
               | this news is announced isn't helping anything. I am
               | certain that Android devs are at least aware of Rust and
                | its benefits.
        
               | est31 wrote:
               | > I am certain that Android devs are at least aware of
                | Rust and its benefits.
               | 
               | There is still not a single Android ROM component that's
               | written in Rust. Cuttlefish uses crosvm which is Rust
               | based, but it's a VM for Android testing rather than a
               | ROM component. So they aren't even ready yet to
               | experiment with shipping small components in Rust. Same
               | goes for Chrome btw, it currently has a "no Rust allowed"
               | policy, which is IMO very sad.
               | 
               | So yeah I think it's worthwhile to talk about why AOSP
               | doesn't have Rust components yet, especially as patching
               | is sadly not available (yet) for most deployed devices.
               | Large fleets of devices will have the bug for eternity.
               | Therefore, prevention of vulnerabilities becomes even
                | more important, which Rust helps with. Your program
               | won't be free of them, but as I pointed out above, these
               | bluetooth vulns fall into the class that safe Rust
               | eliminates.
        
           | eeZah7Ux wrote:
           | ...especially when the large majority of HN readers are
           | already aware of rust "thanks" to the rust evangelism
           | strikeforce.
        
             | dx87 wrote:
             | A day or two ago there was an embedded software developer
             | here claiming that low-level C developers "know what
             | they're doing", so any languages with built-in safety
             | features impose unnecessary safety restrictions, and that
             | since any software can have bugs, there is no reason to use
             | anything but C. Once that kind of stubborn attitude dies
             | out, maybe we'll stop seeing people leave comments saying
             | "This could have been prevented if they had used language
             | X".
        
           | fulafel wrote:
            | This is userspace code; it's a legit point to criticise use
           | of a memory-unsafe language here. It's 2020 after all, 24
           | years after "Smashing the stack for fun and profit" and 24
           | years into the golden age of C exploits while safer practical
           | systems languages have existed. And also a legit point to
           | promote Rust, even if it's a little too new for this
           | codebase.
        
             | chungus_khan wrote:
             | The transition in perception of UNIX and C from being
             | buggy, inconsistent, foot-gun-laden corporate messes to
             | being treated like the immutable ancient ways has certainly
             | been a trip.
        
               | sadfklsjlkjwt wrote:
                | Isn't that because OSes based on Linux don't share a
               | single LOC with commercial Unices?
        
           | est31 wrote:
           | I've said nowhere that all of Android should be written in
           | Rust. I've only said that had _this specific component_ been
            | written in Rust, the issues wouldn't have shown up. Of
           | course the code base is old and predates Rust.
           | 
           | But I think this vulnerability serves as an important lesson
           | about which language to choose for _new_ projects in the
            | embedded area. Thus I'm very glad that Google uses Rust for
           | its new OpenSK security key firmware. I hope that future
           | versions of Android will adopt Rust, at least in newly
           | written components. Some Google developed Android related
           | projects are already using Rust, like Cuttlefish which uses
           | crosvm.
        
           | SQueeeeeL wrote:
           | I mean, they did link to a bunch of source code spots... so
           | it's not completely unconstructive.
        
         | efficax wrote:
         | Just in general, you can never take for granted the length of
         | the data you're referencing via a pointer unless you absolutely
          | control the whole input path, and it's amazing to see that
          | happening in code written at this level.
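The length check that est31 describes above (an HCI event shorter than the 13 bytes the parser assumes, with no check before the data is used to index arrays) and efficax's general point (never trust the length of data behind a pointer you don't control) can both be shown in one small parser. The following is an added example written for this page; it is not bluedroid's code and not the Android patch. The `struct peer_record` table, `MAX_FEATURE_PAGES`, the function names and the sample events are all this example's own constructions; the 2-byte HCI event header and the 13-byte Read Remote Extended Features Complete body come from the Bluetooth HCI specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Every HCI event starts with a 1-byte event code and a 1-byte parameter
 * length. For Read Remote Extended Features Complete the parameters are
 * status(1) | connection handle(2, little-endian) | page(1) | max page(1) |
 * extended LMP features(8), i.e. the 13 bytes the thread mentions.
 * Assumption for this example: the host keeps a small per-peer table
 * indexed by page number (MAX_FEATURE_PAGES is this example's own value). */
#define HCI_EVT_HEADER_LEN    2u
#define EXT_FEAT_EVT_BODY_LEN 13u
#define MAX_FEATURE_PAGES     3u

struct ext_features {
    uint8_t  status;
    uint16_t handle;
    uint8_t  page;
    uint8_t  max_page;
    uint8_t  features[8];
};

/* Hypothetical per-peer record: the array that an unchecked page byte
 * ("the 8-bit counter") would otherwise index. */
struct peer_record {
    uint8_t pages[MAX_FEATURE_PAGES][8];
    bool    page_valid[MAX_FEATURE_PAGES];
};

/* Returns true only if the event is well formed; on failure nothing past
 * evt_len is read and nothing is written into rec. */
bool parse_ext_features_evt(const uint8_t *evt, size_t evt_len,
                            struct peer_record *rec,
                            struct ext_features *out)
{
    if (evt == NULL || rec == NULL || out == NULL)
        return false;
    /* The header must be present before its length byte is trusted. */
    if (evt_len < HCI_EVT_HEADER_LEN)
        return false;
    size_t param_len = evt[1];
    /* The declared length must fit inside the bytes actually received
     * (a truncated buffer must not be read past its end) ... */
    if (param_len > evt_len - HCI_EVT_HEADER_LEN)
        return false;
    /* ... and must cover the fixed-size body this event type defines. */
    if (param_len < EXT_FEAT_EVT_BODY_LEN)
        return false;

    const uint8_t *p = evt + HCI_EVT_HEADER_LEN;
    out->status   = p[0];
    out->handle   = (uint16_t)(p[1] | ((uint16_t)p[2] << 8));
    out->page     = p[3];
    out->max_page = p[4];
    memcpy(out->features, p + 5, sizeof out->features);

    /* Bound any array index that comes from the peer before using it. */
    if (out->page >= MAX_FEATURE_PAGES)
        return false;
    memcpy(rec->pages[out->page], out->features, sizeof out->features);
    rec->page_valid[out->page] = true;
    return true;
}

/* Constructed sample events (not captured traffic); 0x23 is the event
 * code for Read Remote Extended Features Complete. */
static const uint8_t EVT_OK[] = {
    0x23, 13, 0x00, 0x40, 0x00, 0x01, 0x02,
    0xbf, 0xfe, 0xcf, 0xfe, 0xdb, 0xff, 0x7b, 0x87 };
/* Honest but too short: declares and carries only 5 parameter bytes. */
static const uint8_t EVT_SHORT[] = { 0x23, 5, 0x00, 0x40, 0x00, 0x01, 0x02 };
/* Declares 13 parameter bytes but the buffer holds only 3. */
static const uint8_t EVT_LYING[] = { 0x23, 13, 0x00, 0x40, 0x00 };
/* Well sized, but names page 0xff, beyond the per-peer table. */
static const uint8_t EVT_BAD_PAGE[] = {
    0x23, 13, 0x00, 0x40, 0x00, 0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Parses one sample into a fresh record; returns the page number stored
 * on success and -1 if the event was rejected. */
int parse_sample(const uint8_t *evt, size_t evt_len)
{
    struct peer_record rec;
    struct ext_features f;
    memset(&rec, 0, sizeof rec);
    if (!parse_ext_features_evt(evt, evt_len, &rec, &f))
        return -1;
    return rec.page_valid[f.page] ? (int)f.page : -1;
}

int sample_well_formed(void)  { return parse_sample(EVT_OK, sizeof EVT_OK); }
int sample_short(void)        { return parse_sample(EVT_SHORT, sizeof EVT_SHORT); }
int sample_lying_length(void) { return parse_sample(EVT_LYING, sizeof EVT_LYING); }
int sample_bad_page(void)     { return parse_sample(EVT_BAD_PAGE, sizeof EVT_BAD_PAGE); }

int main(void)
{
    /* Exit status 0 when all four samples are handled as intended. */
    return !(sample_well_formed() == 1 && sample_short() == -1 &&
             sample_lying_length() == -1 && sample_bad_page() == -1);
}
```

The three length checks are deliberately separate: the first protects the read of the length byte itself, the second compares the peer's claim against what the driver actually holds (the case a fixed 256-entry buffer alone does nothing about, since the stale bytes after the real data would still be consumed), and the third enforces the per-event minimum. The final page-index check is the other half of the thread's point: a byte from the air is an index only after it has been bounded against the table it selects into.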
        
       | 2T1Qka0rEiPr wrote:
       | > Keep in mind that most Bluetooth enabled headphones also
       | support wired analog audio.
       | 
       | Is this true?
        
         | lathiat wrote:
         | I would say the reverse is true. There is absolutely a subset
         | that support this but I doubt most is close.
        
         | lima wrote:
         | Actual headphones, yes - many of them have an analog jack.
         | 
          | But I haven't ever seen a bluetooth headset that supports analog
         | audio.
        
           | zeisss wrote:
           | My Bose QuietComfort 35 has a cable and jack for analog
            | audio. It is quite common among Germans, afaict.
        
             | rahuldottech wrote:
             | Those are headphones. I think OP was talking about wireless
             | earphones.
        
           | Munksgaard wrote:
            | My Jabra Elite 85h has a jack in addition to bluetooth.
        
             | rahuldottech wrote:
             | Again, those are headphones. OP was talking about
             | earphones, I think.
        
         | tushar-r wrote:
         | Headphones, yep. Earphones? Mostly no.
        
       ___________________________________________________________________
       (page generated 2020-02-07 23:00 UTC)