This decision may come as a surprise to some of our readers, particularly given the sales figures posted by Samsung for recent product launches such as the flagship Galaxy S3 and Note II. Nonetheless, this year, the XDA Developers’ OEM of the Year is Sony Mobile.
The relationship between XDA and Sony has been frosty in the past, thanks in part to the locking of bootloaders, subsequent lack of updates, and Sony’s efforts in early 2011 to target open source community “developers” with lawsuits in other product categories (such as the Playstation 3). This resulted in many top developers turning a blind eye to anything and everything Sony. They eventually dropped the suit later on in the year, but that was no consolation to the community.
Despite these events, a change was signaled in September of 2011, when Sony’s Head of Developer Relations posted a notice to the community that they supported independent Android OS developers. Then in early 2012, Sony Mobile released the Sony Xperia S, the first Sony Android phone to be released with flagship-level specs. Soon after, Sony signaled a change in their stance towards open source development by releasing a guide for unlocking the bootloader on the Xperia S and then releasing not only the kernel source code but also a guide for building it.
In just over 12 months, they had gone from suing a developer that hacked the bootloader on his own purchased device, to providing the tools to unlock the bootloader on a high-quality device and giving users the instructions to build the kernel source. No other manufacturer had done that, nor have any others to date. That is full-on GPLv2 compliance like we’ve never seen before at XDA.
Here is a list of the other steps they took towards openness in the community in 2012:
In March Sony officially released a public beta of ICS for the Xperia Play when no other manufacturer was officially releasing betas.
In April Sony released ICS for their entire 2011 line of devices, becoming the first manufacturer to do so.
Their Sony Developer Relations team announced a program to allow developers to borrow devices for application testing.
In August the Sony Xperia S became the first non-Nexus device (not counting the Motorola Xoom) to be included in the AOSP device tree as an experimental device. They then followed that up by releasing the AOSP binaries for the Xperia S.
Later in August Sony began open-sourcing their own code for the Dynamic Android Sensor Hardware Abstraction Layer (DASH for short) to the community.
In October they joined XDA at the Big Android BBQ to discuss their plans for further open source interaction in the community.
They announced they would be taking the lead for the AOSP source for the Xperia S and manage it themselves in their own github, and begin merging in Android 4.2.
They continue to utilize their highly active development blog where their developer team discusses their views on Android, and announce preview “Alpha” and “Beta” builds of updated device firmware and seek user feedback.
CyanogenMod custom firmware distribution is maintained for several Sony devices by a number of Sony Mobile developers, in their own time.
Given the recent trend by companies such as Samsung to often overlook the custom ROM developer community (in favor of application developers), it is refreshing to see Sony going far beyond what is required to improve the experience of their devices for anyone interested in developing for the platform. Given their contributions to the Android community-at-large in 2012 alone, and their complete turn around in less than 16 months, Sony is XDA’s OEM of the Year for 2012!
If you’re looking for a couple great options for Sony devices, we recommend the Xperia S or the Xperia T.
Now, what we really want to hear is YOUR top OEM for 2012. Vote below to let us know!
Click to expand...
Click to collapse
The link
The only thing holding me back from this device is the locked boot loader:crying:
Pretty sure one major reason why LG won't make the bootloader open is the exclusive game and software contracts they have on this phone with certain service providers in Asia.
The funny thing about Sony, and other companies, is that they will only release a bootloader like this if someone is not willing to pay to keep it closed. So the praise for Sony here is a bit misplaced, to put it like that. Generally rooted phones receive a limited amount of support afterwards, simply because they believe they don't earn any money on them afterwards.
I.e., the only reason Sony does something like this isn't because they will design their own software shell to operate with other shells. Instead it's for two reasons:
1. They're 100% confident that rooted shells are inferior to theirs, and is locked down in certain ways that makes it useless as far as replacing the original one.
2. They realize that an extremely small number of people actually do root their phones or use a custom kernel.
Now, if they came out and said: "We have a sales philsophy that isn't tied to the locked down shell, and instead one that is focused on the device and the features of the device only. While the software we have can be used interchangeably with other shells, because of the way it's designed from the bottom up to do so - and we encourage the community to create their variants of the surrounding software package". If they did that, they'd deserve praise.
Something like this - well, that's about the same level as praising a mugger for telling you where he's going to fence your stuff.
UIQrules said:
Pretty sure one major reason why LG won't make the bootloader open is the exclusive game and software contracts they have on this phone with certain service providers in Asia.
The funny thing about Sony, and other companies, is that they will only release a bootloader like this if someone is not willing to pay to keep it closed. So the praise for Sony here is a bit misplaced, to put it like that. Generally rooted phones receive a limited amount of support afterwards, simply because they believe they don't earn any money on them afterwards.
I.e., the only reason Sony does something like this isn't because they will design their own software shell to operate with other shells. Instead it's for two reasons:
1. They're 100% confident that rooted shells are inferior to theirs, and is locked down in certain ways that makes it useless as far as replacing the original one.
2. They realize that an extremely small number of people actually do root their phones or use a custom kernel.
Now, if they came out and said: "We have a sales philsophy that isn't tied to the locked down shell, and instead one that is focused on the device and the features of the device only. While the software we have can be used interchangeably with other shells, because of the way it's designed from the bottom up to do so - and we encourage the community to create their variants of the surrounding software package". If they did that, they'd deserve praise.
Something like this - well, that's about the same level as praising a mugger for telling you where he's going to fence your stuff.
Click to expand...
Click to collapse
Well you are actually misguided on this one. Sony's Developer Relations team does not want any of their device's bootloader locked - it's the carriers who desire them locked. At the executive level, Sony has to deal with misperception that unlocked bootloader == rooted phone. They are slowly changing that mindset, but it's an uphill battle. There are a large number of Sony devices capable of being unlocked, and they go to great lengths to make sure they help the user do it.
What will always be a struggle is the carrier's and their hold on the industry. Once that hold gets loosened, then we'll see a lot more positive things.
This might be a silly question, I've not used Samsung in a long time, last one was the S2 haha.....but is it ever going to be possible to root and/or install TWRP on this device without breaking OTA updates? I love rooting my devices and using custom ROMs, I still have need for root access, but to be honest this phone I would be happy keeping as close to stock as possible, I could live without TWRP, but will we ever get root without losing the ability to OTA update? If not then I'll just go custom when the urge becomes too strong haha.
Oh and I have the exynos version.
beta546 said:
This might be a silly question, I've not used Samsung in a long time, last one was the S2 haha.....but is it ever going to be possible to root and/or install TWRP on this device without breaking OTA updates? I love rooting my devices and using custom ROMs, I still have need for root access, but to be honest this phone I would be happy keeping as close to stock as possible, I could live without TWRP, but will we ever get root without losing the ability to OTA update? If not then I'll just go custom when the urge becomes too strong haha.
Oh and I have the exynos version.
Click to expand...
Click to collapse
+1
I too see a growing need for root elevation without destroying core security patch options. Either from stock, or with an aptitude like package management used by ROM creators, so you can even patch android files sooner than Samsung normally would. Because as it stands, the way we root now makes android a security disaster.
In essence this is a design failure by google and android. How could they expect users to be happy with non-configurable systems? That's why we don't have Apple devices, so we can config and alter whenever we would want to. Sigh.. Closed source for android is such a PITA. And so slow with patches..
?
jult said:
+1
I too see a growing need for root elevation without destroying core security patch options. Either from stock, or with an aptitude like package management used by ROM creators, so you can even patch android files sooner than Samsung normally would. Because as it stands, the way we root now makes android a security disaster.
In essence this is a design failure by google and android. How could they expect users to be happy with non-configurable systems? That's why we don't have Apple devices, so we can config and alter whenever we would want to. Sigh.. Closed source for android is such a PITA. And so slow with patches..
Click to expand...
Click to collapse
I agree, people like Samsung who just want to lock down their devices for whatever reason is just getting a bit extreme now. I don't think it's Google to blame though as android is easily rooted in general, it's manufacturers like Samsung that make you jump through hoops to do it. And yes it's exactly why we don't have iPhones haha. I believe every android device should come with a setting in developer options that just activates root with a disclaimer.....take my warranty, I don't care in the slightest, but don't cripple my device that I payed £720 for that is now my property, just because I want to use some of the most useful features and app designed to work with root. After reading through these forums I see Samsung seem more like apple than ever. I mean God the guide to install a custom ROM is crazy haha, perfectly doable, but compared to my le max 2 which was just, plug your phone in, push this through ADB, then flash this zip and you're done, so simple.
beta546 said:
I agree, people like Samsung who just want to lock down their devices for whatever reason is just getting a bit extreme now. I don't think it's Google to blame though as android is easily rooted in general, it's manufacturers like Samsung that make you jump through hoops to do it. And yes it's exactly why we don't have iPhones haha. I believe every android device should come with a setting in developer options that just activates root with a disclaimer.....take my warranty, I don't care in the slightest, but don't cripple my device that I payed £720 for that is now my property, just because I want to use some of the most useful features and app designed to work with root. After reading through these forums I see Samsung seem more like apple than ever. I mean God the guide to install a custom ROM is crazy haha, perfectly doable, but compared to my le max 2 which was just, plug your phone in, push this through ADB, then flash this zip and you're done, so simple.
Click to expand...
Click to collapse
The most important part of your post is often missed by a lot of people.
"lock down their devices for whatever reason..."
No one thinks about the reason it seems. As much as it sucks for folks on XDA, the folks that come to XDA don't think about all of the people that DO NOT come to XDA, or why a device manufacturer that makes their devices primarily for the Corporate world, wouldn't want to let their devices be unlocked by the small amount of XDA folks that buy them.
And before anyone says "the exynos is unlockable!" Remember the Exynos version is international, not USA. There's are so much more benefits to Samsung keeping the USA devices locked than there are downsides. I work for a small corporate company of about 300 employees and I am not allowed to have a device with the bootloader unlocked, period. Why? I don't even know, and I am in the tech field. Each company has their rules and such. Imagine how much contracts Samsung could have with corporations out there for their devices. We used to have one, and look at how small we are. We don't have one anymore because it's cheaper to just have employees front the device cost instead of the company paying for devices! Lame I know. I fought against it but lost.
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Jammol said:
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Click to expand...
Click to collapse
Now. You mean. It can (and should) change. The way the android permission model is designed, is totally corporate-based, not user-friendly at all. And if Samsung would stay on top of security-patches and push updates (like you have with Win10 now, which are still totally under the user's control without having to 'root' anything), that would be fine, but time and again these smartphone manufacturers have proven to stop giving a hoot after they've released a new model, if they even cared at all about security patching in time, because they apparently really don't. Not enough anyway. If they would, we'd already be running Android 9 on our Notes by now.
Jammol said:
The most important part of your post is often missed by a lot of people.
"lock down their devices for whatever reason..."
No one thinks about the reason it seems. As much as it sucks for folks on XDA, the folks that come to XDA don't think about all of the people that DO NOT come to XDA, or why a device manufacturer that makes their devices primarily for the Corporate world, wouldn't want to let their devices be unlocked by the small amount of XDA folks that buy them.
And before anyone says "the exynos is unlockable!" Remember the Exynos version is international, not USA. There's are so much more benefits to Samsung keeping the USA devices locked than there are downsides. I work for a small corporate company of about 300 employees and I am not allowed to have a device with the bootloader unlocked, period. Why? I don't even know, and I am in the tech field. Each company has their rules and such. Imagine how much contracts Samsung could have with corporations out there for their devices. We used to have one, and look at how small we are. We don't have one anymore because it's cheaper to just have employees front the device cost instead of the company paying for devices! Lame I know. I fought against it but lost.
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Click to expand...
Click to collapse
That makes a lot of sense really, obviously there are going to be businesses and companies and such that wpild rely on their workers devices being as secure as possible, for multiple reasons. But again that's not really up to Samsung to decide really, now I agree that although there are a huge number of people that want to modify their devices in various ways, but on the grand scale it's a relatively low percentage of the market. Which is why I think it should always be an option, that way they cater to everyone. If a company has a requirement that all their employees devices stay locked down, they simply don't allow it, and if an employee does it regardless then the consequences would be their own. I guess Samsung could bake in the setting, but with an option at first boot as to leave the ability to unlock intact, or to choose to permanently remove any option of ever being able to do it. That way when a company bought the phones they could lock them all down before handing them out. But in the scenario where people must purchase their own device, they then would have to decide whether to follow company policy, or unlock the phone and risk potentially losing their job at worst because of it....that's just what I think really, but I'm in no way some business or manufacturing giant haha, there will be multiple arguments for and against this entire scenario.
And also thanks for the answer ? It was as I suspected, but always worth an ask.
Voiding the Warranty for unrelated modifications is illegal and there is a better way
It seems we are all getting used to the arrogance and impertinence ...
... with which manufacturers and telephone service operators want to dictate what we do with our property. Let us not forget that «this will void your warranty», though common practice, is not in accordance with current legislation.
Modifications to devices should be protected under the Magnuson-Moss Warranty Act, unless the modification caused the damage you're asking the manufacturer to repair. Manufacturers threatening to void warranties for rooting, even when they have no legal right to do so, is nothing but bullying, banking on the fact that most people are not feeling confident about legal battles with corporations for which time and money are of no consequence. It is about time that reviews took the aspect of rooting/customization friendliness into consideration, so that manufacturers like OnePlus and HTC receive the credit they deserve for being more lenient toward rooting and still receiving updates. If technology journalists pointed this aspect out in their reviews, companies might come to their senses. Being able to use some apps that can do what they do only with Root access is more important than yet another MegaPixel on the camera -- if the other manufacturers do not drop the ball yet again, by dumbing down their phone instead of building the best device they possibly can, this year's phone purchase will be from a brand that is user friendly and provides OTA updates even on customised devices.
As for the «security» fairytale, that's often the last aspect that manufacturers care about, skipping security patches even after exploits have been detected. By the way: if some guy with a mobile phone could really bring down or disturb an operator's network, the operator doesn't deserve better. Most people do not root because they are devious masterminds from a Bond movie who try to mess up their kernels or bring down the global communication networks, but because they want to customize the looks of devices to their liking, fix some flaws or get some software to work. Very few people would keep rooting if manufacturers only guarded their kernels against overclocking beyond what the phone can endure and operators blocked what could disrupt the network -- if they did that and only that, hardly anyone would complain or root.
Security is obviously not what it's really all about. On my SAMSUNG GALAXY NOTE 9, Amazon Shopping, Fakecrook, LinkedIn and a whole bunch of other garbage came pre-installed as system apps that can be disabled but not uninstalled. Like everything imposed on us by Google, these companies have no interest in enhancing their customers' security and privacy, but exactly the opposite, grab as much sensitive information about us as they possibly can and sell it to whoever is interested and willing to pay for it.
On a Windows PC, I can do most things I want to do if I really have to, via editing the Windows Registry if need be and turning off User Access Control (UAC) when the unnecessary extra-click got on my nerves. Millions of people are and have been doing the same without upsetting the space-time-continuum, and corporations can restrict whatever they want to restrict if there is an administrator to do it. In most cases, however, there is not, because after all, it's a Personal Computer (PC), managed by the user at home. If we pay for something -- and quite handsomely so -- we own it, consequently it should be us who, after a warning that can be turned off with a checkmark, have the final say. So far, the corporate world seems to thrive quite nicely with the kind of approach to security that MS Windows is taking, despite surely being the first and loudest ones to complain if there were any real and relevant problems that seriously threaten their dayly operations.
Mobile phone manufacturers and operators use «security» as an excuse to restrict what the owners of those expensive little toys can do, just like governments proclaim «terrorism» as the excuse for spying on and controlling their own populations by grabbing ever more power with authorizing laws that undermine constitutional civil liberties. In our societies, it is to keep track on any possible threats to the Status Quo that might be caused by a shift of public opinion if the media -- these days large corporations themselves -- did not distract us with polemics, sports and celebrity BS, but reported on and kept in focus issues such as ecology, human overpopulation, inequality, tax evasion, poverty, injustice, corruption, lobbyism and so on. In the mobile phone world, they do it to milk us for banalities like boot animations, wallpapers, type fonts, themes, icons and whatever we would like to do to make our phones look nicer. Under Windows, buy a shareware CD with 10,000 fonts, copy the 20 or 30 you like into the respective system folder -- done. On Android, they want to milk us for every bit they can and that's the real motivation for all the bull****, harassment, hoops and loops they make us jump through.
If companies were really interested in user privacy rights and security, the first thing that would be forbidden were advertisements, because a lot of sh.t can come in through those backdoors. Second, why does Apple not allow antivirii and firewalls if security is such a concern? Why are owners of devices with a custom recovery or root being punished by exclusion from OTA updates, given that these updates are supposed to improve stability and security? That's just bollocks and distraction to ram as much advertising down our throat, rip us off for every boot animation, wallpaper, theme, icon or type font that we have tons of lying around on our hard drive, and to obtain as much data from us as possible, in order to know and track what we buy, think, believe, suffer from, like, dislike or do in any place at any at any time.
Apart from a couple of absolute geeks and nerds, nobody would root their phones if adaptation and customization of our phones was easily possible, i.e. if everything except things that could irrevocably damage hardware or networks could be easily modified as we please. The introduction of a/b partition slots for Seamless Updates paved the way for preventing irreparable accidents and could easily be expanded and improved, together with a better design of the user interface and user experience to make the process more comprehensible for average users. Yet, most companies did not even implement a/b partitions, although this approach makes accidents and mistakes when playing around with the device «non-lethal» and saves the Customer Service costs that companies so often cite as the second excuse and pretext for the arrogance with which they keep and exert control over other people's property. With each new generation of phones and every new version of operating systems, the restrictions are getting worse, the options for access and harmless modification less, and that unacceptable trend needs to stop.
If companies want to disencourage people from rooting their phones, they need to stop bombarding us with intrusive ads, stop spying and imposing bloatware and replace it with useful tool bundles (Titanium Backup, decent file managers, cleaners, system tools and the like). It is okay to guard and firewall the indispensable and risky parts (hardware overclocking, network integrity), but only block those irreparable areas while opening up the rest for users to customise to their hearts content, making it as comfortable, easy and intuitive as possible to copy, paste, move and configure everything else between phone and PC. If something goes wrong while doing so, make sure that a system restore point and booting into the alternative partition means that there's no harm, no foul and therefore no problem and no service cost.
Instead of wasting our time hunting for patched partiton files, info on how to get out of bootloops, etc., users could then enjoy and be happier with our phone instead of fixing its shortcomings or, dare I say it, do something fun and entertaining outside while the snow is fresh or the sun is shining.
.
Qui Peccavit said:
It seems we are all getting used to the arrogance and impertinence ...
... with which manufacturers and telephone service operators want to dictate what we do with our property. Let us not forget that «this will void your warranty», though common practice, is not in accordance with current legislation.
Modifications to devices should be protected under the Magnuson-Moss Warranty Act, unless the modification caused the damage you're asking the manufacturer to repair. Manufacturers threatening to void warranties for rooting, even when they have no legal right to do so, is nothing but bullying, banking on the fact that most people are not feeling confident about legal battles with corporations for which time and money are of no consequence. It is about time that reviews took the aspect of rooting/customization friendliness into consideration, so that manufacturers like OnePlus and HTC receive the credit they deserve for being more lenient toward rooting and still receiving updates. If technology journalists pointed this aspect out in their reviews, companies might come to their senses. Being able to use some apps that can do what they do only with Root access is more important than yet another MegaPixel on the camera -- if the other manufacturers do not drop the ball yet again, by dumbing down their phone instead of building the best device they possibly can, this year's phone purchase will be from a brand that is user friendly and provides OTA updates even on customised devices.
As for the «security» fairytale, that's often the last aspect that manufacturers care about, skipping security patches even after exploits have been detected. By the way: if some guy with a mobile phone could really bring down or disturb an operator's network, the operator doesn't deserve better. Most people do not root because they are devious masterminds from a Bond movie who try to mess up their kernels or bring down the global communication networks, but because they want to customize the looks of devices to their liking, fix some flaws or get some software to work. Very few people would keep rooting if manufacturers only guarded their kernels against overclocking beyond what the phone can endure and operators blocked what could disrupt the network -- if they did that and only that, hardly anyone would complain or root.
Security is obviously not what it's really all about. On my SAMSUNG GALAXY NOTE 9, Amazon Shopping, Fakecrook, LinkedIn and a whole bunch of other garbage came pre-installed as system apps that can be disabled but not uninstalled. Like everything imposed on us by Google, these companies have no interest in enhancing their customers' security and privacy, but exactly the opposite, grab as much sensitive information about us as they possibly can and sell it to whoever is interested and willing to pay for it.
On a Windows PC, I can do most things I want to do if I really have to, via editing the Windows Registry if need be and turning off User Access Control (UAC) when the unnecessary extra-click got on my nerves. Millions of people are and have been doing the same without upsetting the space-time-continuum, and corporations can restrict whatever they want to restrict if there is an administrator to do it. In most cases, however, there is not, because after all, it's a Personal Computer (PC), managed by the user at home. If we pay for something -- and quite handsomely so -- we own it, consequently it should be us who, after a warning that can be turned off with a checkmark, have the final say. So far, the corporate world seems to thrive quite nicely with the kind of approach to security that MS Windows is taking, despite surely being the first and loudest ones to complain if there were any real and relevant problems that seriously threaten their dayly operations.
Mobile phone manufacturers and operators use «security» as an excuse to restrict what the owners of those expensive little toys can do, just like governments proclaim «terrorism» as the excuse for spying on and controlling their own populations by grabbing ever more power with authorizing laws that undermine constitutional civil liberties. In our societies, it is to keep track on any possible threats to the Status Quo that might be caused by a shift of public opinion if the media -- these days large corporations themselves -- did not distract us with polemics, sports and celebrity BS, but reported on and kept in focus issues such as ecology, human overpopulation, inequality, tax evasion, poverty, injustice, corruption, lobbyism and so on. In the mobile phone world, they do it to milk us for banalities like boot animations, wallpapers, type fonts, themes, icons and whatever we would like to do to make our phones look nicer. Under Windows, buy a shareware CD with 10,000 fonts, copy the 20 or 30 you like into the respective system folder -- done. On Android, they want to milk us for every bit they can and that's the real motivation for all the bull****, harassment, hoops and loops they make us jump through.
If companies were really interested in user privacy rights and security, the first thing that would be forbidden were advertisements, because a lot of sh.t can come in through those backdoors. Second, why does Apple not allow antivirii and firewalls if security is such a concern? Why are owners of devices with a custom recovery or root being punished by exclusion from OTA updates, given that these updates are supposed to improve stability and security? That's just bollocks and distraction to ram as much advertising down our throat, rip us off for every boot animation, wallpaper, theme, icon or type font that we have tons of lying around on our hard drive, and to obtain as much data from us as possible, in order to know and track what we buy, think, believe, suffer from, like, dislike or do in any place at any at any time.
Apart from a couple of absolute geeks and nerds, nobody would root their phones if adaptation and customization of our phones was easily possible, i.e. if everything except things that could irrevocably damage hardware or networks could be easily modified as we please. The introduction of a/b partition slots for Seamless Updates paved the way for preventing irreparable accidents and could easily be expanded and improved, together with a better design of the user interface and user experience to make the process more comprehensible for average users. Yet, most companies did not even implement a/b partitions, although this approach makes accidents and mistakes when playing around with the device «non-lethal» and saves the Customer Service costs that companies so often cite as the second excuse and pretext for the arrogance with which they keep and exert control over other people's property. With each new generation of phones and every new version of operating systems, the restrictions are getting worse, the options for access and harmless modification less, and that unacceptable trend needs to stop.
If companies want to disencourage people from rooting their phones, they need to stop bombarding us with intrusive ads, stop spying and imposing bloatware and replace it with useful tool bundles (Titanium Backup, decent file managers, cleaners, system tools and the like). It is okay to guard and firewall the indispensable and risky parts (hardware overclocking, network integrity), but only block those irreparable areas while opening up the rest for users to customise to their hearts content, making it as comfortable, easy and intuitive as possible to copy, paste, move and configure everything else between phone and PC. If something goes wrong while doing so, make sure that a system restore point and booting into the alternative partition means that there's no harm, no foul and therefore no problem and no service cost.
Instead of wasting our time hunting for patched partiton files, info on how to get out of bootloops, etc., users could then enjoy and be happier with our phone instead of fixing its shortcomings or, dare I say it, do something fun and entertaining outside while the snow is fresh or the sun is shining.
.
Click to expand...
Click to collapse
Best post I've read in the recent years. Well done!
PS: Love the Angola flag.
Information available on Reddit seem to show that several of Motorola's phones have not had any security patch levels applied since after January. It also seems like as long as the known security issues are just documented as theoretically possible that Lenovo/Motorola seem happy to keep reiterating the same lie that they make security a "top priority" while not actually addressing these problems. It is also frustrating that Motorola seems unwilling to release a version of the Motorola One that is intended to be used in the USA.
It would be nice to have a proof of concept repository similar to Rapid7's metasploit but for the Motorola G-series. Please keep in mind, I am *NOT* talking about violating responsible disclosure. This would not include any unpatched vulnerabilities. Instead, this would be known issues were AOSP has provided fixes to Motorola for over a month and Motorola has selected to still notify it's customers that their device is "up to date" without having addressed the known issues.
I believe only by showing customers what is possible with this exploits can enough pressure be put on Lenovo/Motorola to make "top priority" mean actual action instead of empty posturing.
However, based on my careful reading of the XDA ToS, it seems anything that facilitate the creation of malicious content is not allowed. This seems vaguely worded enough to exclude all proof of concept exploit discussion. But several of the issues left unaddressed by Motorola seem to be fairly easy to exploit. So, is XDA really improving the situation or avoiding transparency in favor of shielding Motorola's poor behavior?
It would be really nice if someone could provide some clarification behind the wording of this ToS and XDA's position on vendors that make security a "top priority" leaving months of patches outside of the scope available to customers if the device is to remain under warranty.
This is what I already said.
Motorola is just a retarded company.
I don't know in which universe this is acceptable.
Someone needs to sh*t in a bag and address it at Motorola, so they see what they sell.
The G6 was my last Motof**k phone.
F**k Motorola. F**k Lenovo and f**k all the retards which work in this companies.
I hope the company dies and never sells a f**kphone again.
I completely understand your level of frustration ThisIsRussia but please don't get the thread locked.
If I were to mail something to Motorola to make a statement, it would probably be a finger-print reader attached to swiss cheese. They keep using user facing features to give the illusion of security while leaving the rest of the product full of security holes.
Yeah, sorry I was a little upset because they are always responding with phrases like "soon it will be updated" etc.
Since February. Its May now.
I just don't use Motorola phones anymore and if someone asked me for opinion I didn't recommend Motorola/Lenovo.
They are a bunch of liars. period.
I picked up the g6 on Fi just to have a cheap phone. I thought it was just the Fi version not getting security updates.. luckily I don't keep financials, etc on. Only good as a glorified phone and music streaming device, but for $99?
Not many budget phones get monthly patches on time. None that are under$150 anyways.
$99 or $150 isn't what I was charged for the Moto G6. It was released for a price of $200.
The Federal Trade Commission has fined D-Link, TP-Link and ASUS for marketing *BUDGET* wireless routers that sold for much less than $200 or $150 or $99 for misrepresenting their products as providing security while "failing to take reasonable steps to secure."
According to David Kleidermacher, Google's head of security for Android, ""Android security made a significant leap forward in 2017 and many of our protections now lead the industry" and also "as Android security has matured, it has become more difficult and expensive for attackers to find high severity exploits."
Google owned Motorola, they should have been able to established policies and procedures for Motorola to make good on David Kleidermacher's statements. Or they should have made establishing those part of terms of the sale to Lenovo.
Lenovo and Motorola also market themselves as providing security even for budget devices with statements as:
* "Prevent unauthorized access with secure biometrics"
* "keeping your devices and systems secure and your digital privacy intact is a top priority"
At no point do they put any exclusionary statement such as "but only if it is not a budget device."
Also, while Motorola One is also a budget device, it does get more frequent updates. However, the Moto One is clearly not intended for purchase in the USA market and is missing support for several LTE bands.
And the Moto G6 is supposed to be a Treble/GSI device were any effort Motorola put into providing updates to flagship GSI devices should also apply to being able to also update the G6 for almost no additional effort.
So, I reject the claim no one should expect Feb 2019 security updates by May 2019 because it is simply a budget device.
Then let's also look at the claim that if financials or similar are not stored directly on the phone then it is not really a big issue.
To respond to that I am going to focus on just one Feb 2019 patch. There have been plenty of other security issues in Jan 2019 to now but for purposes of this discussion, I will just focus on one. The CVE-2019-1988 seems to still apply to still apply to any Motorola phone that is "up-to-date" but has a Jan 2019 security level. This vulnerability as a high impact score of 10 out of 10 and an easy exploitability score of 8.6 out of 10. The attack complexity is low and "could lead to remote code execution in system_server with no additional execution privileges needed."
What would need to result from this for it to be considered a violation of Lenovo and Motorola's marketing of making security a top priority?
What if an email or MMS ("text message") or instant message could do any of the following:
* Open and stream the microphone while the phone is locked
* Take and transmit pictures from either the front or rear camera while the phone is locked
* Send and receive text messages while the phone is locked
* Transmit phone location while the phone is locked
* Access and transmit email and files/documents on Google Drive and Google Docs while the phone is locked
Would any of this be disturbing? Is Lenovo/Motorola really delivering on "[preventing] unauthorized access with secure biometrics" if this is possible while the phone is locked?
I get this is all theoretical and I sound like I have been wearing a tin foil hat (maybe I am ). Anyone want to find out? Anyone want to give me the phone number to a Moto G6? Anyone want to give me the email address that they use with their Moto G6? How confident are people that not having financials stored directly on the phone means CVE-2019-1988 is not a major issue?
So far, people's reactions have been similar to this forum that there is still things people can do to maintain their privacy while using a device in this state. No one wants to believe that a major company would leave them so exposed. Lenovo/Motorola seems to be banking on no one understand the full scope of the problem. But what if a Proof of Concept of a Remote Access Trojan launched not via installing an application but simply from viewing a PNG really happened, would anyone be interested that? Would being able to actually demonstrate a PoC RAT have any positive value in holding Motorola accountable to their marketing claims or simply feed "hackers" with an exploit? If it is already known to be easily exploitable, shouldn't it be safe to assume any criminal that wanted it already has created their own implementation?
What exactly is XDA's stand on a real PoC RAT full disclosure? Is XDA taking on the stance that a RAT disclosure is always only harmful? Or is it that Motorola's actions are harmful?
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
I didn't say you or anyone should accept it. I said it's common on low end devices. Even low to midrange devices.
I don't care what you paid for it. I have the g6 play and paid $99 for it. And it has been updated to pie with March security patch.
Moto is not great at supplying updates the way they were when they were under Google. Not many companies in China that are shopping phones to other countries are good at it.
It sucks, I was agreeing with you.
So rant at someone else. Geez
madbat99 said:
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
Click to expand...
Click to collapse
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
chilinux said:
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
Click to expand...
Click to collapse
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
madbat99 said:
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
Click to expand...
Click to collapse
I understand what it is you are trying to saying that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on if when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
chilinux said:
I understand what it is you are trying to saying that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on if when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
Click to expand...
Click to collapse
Nope. Nobody is "honest" in marketing. They would sell nothing. Is it right....? No. Is it going to continue? Of course.
There are places to speak out. This isn't IT. Period.
You want a Google device that updates with every patch, you're gonna have to get a Pixel. Flat out. No company truly cares about you're security. They start companies to make money. The end. Right or wrong. Sorry bro. It is what it is.
Unless a company specifically spelled it out in the laws of the country their marketing in they don't have to do it. They can skirt rules and regulations anyway they possibly can. And they have lawyers to make sure they get around that crap. Marketing gimmicks do not equal legal regulation obedience.
if you have a medium to carry out the plan you intend to, find it and do it. just make sure no consumers are harmed in the process. because then the line has been crossed where you're not helping anyone but hurting people.
companies are going to sell their products at the greatest profitt imaginable and that's just the way things are going to be until some company proves that profits lie somewhere else. There isn't much you or I can do about it.
Again, this is not the medium for you to carry out such a vision. the most we hope to do here is to give users the keys to find a way to pick the lock for themselves. Not a way to circumvent the rules, punish the guilty, or vindicate innocence. There are places for that.
I'm going to bed now because I get up for work early. Good luck dude. hope you feel better in the morning.
how many people in the budget phone range are still using phones that haven't even been updated past kit Kat. Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Infinity gems be damned, level-headed decisions with your device make all the difference in the world
madbat99 said:
just make sure no consumers are harmed in the process. because then the line has been crossed where you're not helping anyone but hurting people.
Click to expand...
Click to collapse
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to performing scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
The security audit PoC suite would be similar to previously publicly released project. It would have a method of install via exploit similar to JailbreakMe and it would provide demonstration on what privileged level access provides similar to Back Orifice 2000. Both of those previous project had the potential to weaponize but also helped customers make a better informed decisions about the products they use.
madbat99 said:
how many people in the budget phone range are still using phones that haven't even been updated past kit Kat. Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Click to expand...
Click to collapse
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
It is also a level of mistaken trust that was contributed to by people like Ronald Comstock with the XDA Developers sponsorship team which recommended this phone. It might be possible to make an excuse that at the time the recommendation was made it wasn't known how far behind security updates for the product would go. However, the XDA sponsorship team never posted a retraction and the XDA ToS makes it hard to effectively counter the vendor's misrepresentations of the XDA recommended product.
chilinux said:
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to performing scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
.
Click to expand...
Click to collapse
It can be said that security and privacy are separate issues.
But your insights are well stated.
I remember when a "researcher" seemingly died right before demonstrating how security flaws in insulin pumps could kill a man. (We know who did it Jack) so security is a real concern. And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
madbat99 said:
And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
Click to expand...
Click to collapse
I have hard feeling about this issue but not about what you have said.
I also have a much less issue with "big money" not spending money were it does not need to. But they need to be transparent about that.
What I have hard feelings about is this:
https://androidenterprisepartners.withgoogle.com/device/#!/5659118702428160
And statements from Google related to that page such as:
"Organizations can then select devices from the curated list with confidence that they meet a common set of criteria, required for inclusion in the Android Enterprise
Recommended program ... Mandatory delivery of Android security updates within 90 days of release from Google (30 days recommended), for a minimum of three years"
As appears in this document:
https://static.googleusercontent.co...droid_Enterprise_Security_Whitepaper_2018.pdf
Ninety days from the February 5, 2019 security update bulletin was May 6, 2019. Choosing from that list does not result in mandatory delivery of security updates within 90 days. Google and David Kleidermacher are drowning consumers with willfully misleading information to put trust into devices that aren't held to the criteria they claim they are.
am i the only one who doesn't give a crap about security patches? i just want my phone to work, which my G6 does, just fine.
Dadud said:
am i the only one who doesn't give a crap about security patches? i just want my phone to work, which my G6 does, just fine.
Click to expand...
Click to collapse
You are far from the only one who doesn't care about security patches. I would agree with you that you should not have to care. Addressing problems that are over 90 days old are stated to be the responsibility of Google and Motorola to have taken care of.
In terms of it working just fine, my point is while it appears to normally be fine there is known ways that unapproved behavior can be applied to the product without the owners being aware of them. To me that is not working as advertised and is also not really working fine.