1. Dunt Dunt Dunt's Avatar
    So aside from getting 'noticed' on a public wifi network how else could one potentially draw the attention of people who would take advantage of an old unsupported os and chipset? Just trying to wrap my head around how a breach could happen in a day-to-day practical approach.

    Posted via CB10
    Depends on the vulnerabilities that your device has.... for the KEY2 that's only the last two months. You will need to look each month for the new vulnerabilities and see how they can be potentially utilized. And that really isn't what I'd call a practical approach....

    But I'd suggest that you do your own research on the matter.... see what researchers and tech sites suggest.
    08-20-20 08:48 AM
  2. bh7171's Avatar
    Anti-virus is no substitute. Apart from taking up resources, it doesn't do a whole lot.

    https://www.infopackets.com/news/105...ity%20software.

    "It is our opinion that antivirus / antimalware apps would only decrease battery usage (requiring too much CPU power to operate to be effective) and should only be installed if and only if the user believes their phone may be infected."
    This is actually misleading and an opinion piece. Not "fact". The fact is that the following were noted as being effective and recommended as they did not have any false positives.

    MalwareBytes Anti-Malware, Avast Mobile Security, AVIRA Antivirus, Panda Free Antivirus and VPN, Bitdefender Mobile Security & Antivirus, Comodo Mobile Security, Samsung Device Maintenance, Dr.Web Security Space, Sophos Mobile Security, Emsisoft Mobile Security, ESET Mobile Security & Antivirus, F-Secure Internet Security & Mobile Antivirus, Symantec Norton Security, Google Play Protect, Trend Micro Mobile Security & Antivirus, Kaspersky Lab Mobile Antivirus, Webroot Mobile Security & Antivirus, and McAfee Mobile Security.

    So these that are effective can be used safely and effectively per the study they just don't recommend keeping the app on the user's device except for the time to scan and potentially clean as they use resources unnecessarily.
    08-20-20 10:08 AM
  3. conite's Avatar
    This is actually misleading and an opinion piece. Not "fact". The fact is that the following were noted as being effective and recommended as they did not have any false positives.

    MalwareBytes Anti-Malware, Avast Mobile Security, AVIRA Antivirus, Panda Free Antivirus and VPN, Bitdefender Mobile Security & Antivirus, Comodo Mobile Security, Samsung Device Maintenance, Dr.Web Security Space, Sophos Mobile Security, Emsisoft Mobile Security, ESET Mobile Security & Antivirus, F-Secure Internet Security & Mobile Antivirus, Symantec Norton Security, Google Play Protect, Trend Micro Mobile Security & Antivirus, Kaspersky Lab Mobile Antivirus, Webroot Mobile Security & Antivirus, and McAfee Mobile Security.

    So these that are effective can be used safely and effectively per the study they just don't recommend keeping the app on the user's device except for the time to scan and potentially clean as they use resources unnecessarily.
    But they are only useful when doing a scan. They are rather pointless as a 24/7 security guard.
    08-20-20 10:11 AM
  4. bh7171's Avatar
    But they are only useful when doing a scan. They are rather pointless as a 24/7 security guard.
    Yes- that is what I noted: "So these that are effective can be used safely and effectively per the study they just don't recommend keeping the app on the user's device except for the time to scan and potentially clean as they use resources unnecessarily."

    Seems since most of these utilize "whitelisted" issues a user using a device no longer patched say once a month and then uninstalling would be safer and good practice in keeping things tidy.
    08-20-20 11:48 AM
  5. conite's Avatar
    Yes- that is what I noted: "So these that are effective can be used safely and effectively per the study they just don't recommend keeping the app on the user's device except for the time to scan and potentially clean as they use resources unnecessarily."

    Seems since most of these utilize "whitelisted" issues a user using a device no longer patched say once a month and then uninstalling would be safer and good practice in keeping things tidy.
    They are safer than doing nothing at all, but back to my original point, it is absolutely no substitute whatsoever for up-to-date security patches. Data harvesting can happen in an instant. It won't wait around to the next time you decide to passively scan your device.
    08-20-20 11:50 AM
  6. Chuck Finley69's Avatar
    This is actually misleading and an opinion piece. Not "fact". The fact is that the following were noted as being effective and recommended as they did not have any false positives.

    MalwareBytes Anti-Malware, Avast Mobile Security, AVIRA Antivirus, Panda Free Antivirus and VPN, Bitdefender Mobile Security & Antivirus, Comodo Mobile Security, Samsung Device Maintenance, Dr.Web Security Space, Sophos Mobile Security, Emsisoft Mobile Security, ESET Mobile Security & Antivirus, F-Secure Internet Security & Mobile Antivirus, Symantec Norton Security, Google Play Protect, Trend Micro Mobile Security & Antivirus, Kaspersky Lab Mobile Antivirus, Webroot Mobile Security & Antivirus, and McAfee Mobile Security.

    So these that are effective can be used safely and effectively per the study they just don't recommend keeping the app on the user's device except for the time to scan and potentially clean as they use resources unnecessarily.
    “On” as in running or as in, uninstall from device so not running in the background using resources and battery
    08-20-20 12:01 PM
  7. bh7171's Avatar
    “On” as in running or as in, uninstall from device so not running in the background using resources and battery
    If I used one (I don't) I would run it as recommended and then uninstall the app and keep it in my GPS library when and if needed. I have actually started doing this more and more with many apps I simply don't use regularly. In cleaning up my son's iPad I noticed this is a method Apple suggests using as well for apps not frequently used.
    08-20-20 12:28 PM
  8. bh7171's Avatar
    They are safer than doing nothing at all, but back to my original point, it is absolutely no substitute whatsoever for up-to-date security patches. Data harvesting can happen in an instant. It won't wait around to the next time you decide to passively scan your device.
    Well up to date security patches are actually useless to "data harvesting" if in relation to websites. A monthly patch based on prior findings could never keep up. Is it not up to individual websites to ensure these malicious bots don't extract the data to be used for other purposes. In this context the onus is on the website builders and hosting browsers is it not? Isn't Chrome, Edge, Safari, Firefox, etc already fighting this battle to ensure users are as safe as can be? (Patched or not?)

    I have noted before and asked how can Amazon have millions upon millions of tablets in users' hands (using older Android OS versions) that connect and interface with people's personal information and banking information daily on one of the largest e-commerce apps/sites in the world and remain viable to use? If things were that dire with the core OS security wise would they not simply stop allowing their applications to work on these older OS versions? Their liability exceeds almost all other use cases in these terms. Common sense password protection and 2 FA are some of the greatest tools to prevent unauthorized access to people's data.
    08-20-20 12:44 PM
  9. conite's Avatar
    Well up to date security patches are actually useless to "data harvesting" if in relation to websites. A monthly patch based on prior findings could never keep up. Is it not up to individual websites to ensure these malicious bots don't extract the data to be used for other purposes. In this context the onus is on the website builders and hosting browsers is it not? Isn't Chrome, Edge, Safari, Firefox, etc already fighting this battle to ensure users are as safe as can be? (Patched or not?)

    I have noted before and asked how can Amazon have millions upon millions of tablets in users' hands (using older Android OS versions) that connect and interface with people's personal information and banking information daily on one of the largest e-commerce apps/sites in the world and remain viable to use? If things were that dire with the core OS security wise would they not simply stop allowing their applications to work on these older OS versions? Their liability exceeds almost all other use cases in these terms. Common sense password protection and 2 FA are some of the greatest tools to prevent unauthorized access to people's data.
    If you're trying to argue that security patches aren't extremely important, then I don't even know where to begin.

    There are dozens of white papers on it, so I'll leave it to them.

    People don't seem to understand the concept that vulnerabilities are published one month after having had the opportunity of being patched. This means that every hacker has an available menu of exploits that they may use.

    And absolutely remote code execution can harvest information, track keystrokes, and any number of other things.

    The vast majority of the times these things occur are without any user knowledge.
    Last edited by conite; 08-20-20 at 12:57 PM.
    08-20-20 12:47 PM
  10. bh7171's Avatar
    If you're trying to argue that security patches aren't extremely important, then I don't even know where to begin.

    There are dozens of white papers on it, so I'll leave it to them.
    We all know security patches take place daily, hourly, shoot even by the minute at the app level and certainly on browsers and hosted websites us users use and utilize each and every day. No doubt security is important.

    I am asking "how can Amazon have millions upon millions of tablets/devices in users' hands (using older Android OS versions) that connect and interface with people's personal information and banking information daily on one of the largest e-commerce apps/sites in the world and remain viable to use? (Most importantly) If things were that dire with the core OS security wise would Amazon not simply stop allowing their applications to work on these older OS versions? Do you not agree their liability exceeds almost all other use cases on older devices?
    08-20-20 12:57 PM
  11. conite's Avatar
    We all know security patches take place daily, hourly, shoot even by the minute at the app level and certainly on browsers and hosted websites us users use and utilize each and every day. No doubt security is important.

    I am asking "how can Amazon have millions upon millions of tablets/devices in users' hands (using older Android OS versions) that connect and interface with people's personal information and banking information daily on one of the largest e-commerce apps/sites in the world and remain viable to use? (Most importantly) If things were that dire with the core OS security wise would Amazon not simply stop allowing their applications to work on these older OS versions? Do you not agree their liability exceeds almost all other use cases on older devices?
    Read the rest of my post that I just finished while you were responding.

    No app developer or website in the world would be held responsible for security issues arising from an outdated OS. There is not a single terms of service agreement that would include that.
    08-20-20 12:58 PM
  12. bh7171's Avatar
    Read the rest of my post that I just finished while you were responding.

    No app developer or website in the world would be held responsible for security issues arising from an outdated OS. There is not a single terms of service agreement that would include that.
    Would you not agree Amazon and their likes employ some of the most intelligent and leading minds in terms of security for their apps and products? If those teams allowed known vulnerabilities on older OS versions to proliferate on their apps and hardware would they not be risking the trust of every user (and their banking institutions) that has made them one of the largest e-commerce vendors in the world?

    How is it possible that millions of Amazon tablets on much older core OS versions are ok to use today for billions of dollars of financial transactions and commerce?
    08-20-20 01:29 PM
  13. conite's Avatar
    Would you not agree Amazon and their likes employ some of the most intelligent and leading minds in terms of security for their apps and products? If those teams allowed known vulnerabilities on older OS versions to proliferate on their apps and hardware would they not be risking the trust of every user (and their banking institutions) that has made them one of the largest e-commerce vendors in the world?

    How is it possible that millions of Amazon tablets on much older core OS versions are ok to use today for billions of dollars of financial transactions and commerce?
    Amazon can build a secure website, and a great app. But if you have code running on your device that has elevated privileges and is recording keystrokes, then what can they do?

    Does everyone agree that the length of patch support be increased? - absolutely. For the most part it's gone from 1, to 2, to 3, and now to 4 years with many devices. It's a huge problem.

    That's also what projects Treble and Mainline are all about too - getting critical OS upgrades out faster.
    08-20-20 01:37 PM
  14. manymachines's Avatar
    Does everyone agree that the length of patch support be increased? - absolutely. For the most part it's gone from 1, to 2, to 3, and now to 4 years with many devices. It's a huge problem.

    That's also what projects Treble and Mainline are all about too - getting critical OS upgrades out faster.
    I think 5 years from end of sale should be standard. Google only commits to 3 years from start of sale for its phones. <sigh>

    Getting stuff out faster doesn't necessarily mean longer-lived support, alas.
    08-25-20 12:39 AM
  15. howarmat's Avatar
    I think 5 years from end of sale should be standard. Google only commits to 3 years from start of sale for its phones. <sigh>

    Getting stuff out faster doesn't necessarily mean longer-lived support, alas.
    No one will do that. There is no value in that for any manufacturer.
    08-25-20 10:12 AM
  16. iMasterus7's Avatar
    Usually nefarious code is buried in apps you install - some of which can come via Play Store despite the many safeguards.

    They can also be downloaded in SMS or email attachments, or when connected to other devices.

    Clicking on weblinks can install software on your device too.

    Subsequent deletion of bad apps or attachments will likely still leave the dangerous code behind.
    Real use scenario is here. I do use BlackBerry KEYone Bronze Edition. My email accounts are in the BlackBerry Hub, also have whatsapp, telegram, signal. Few sensitive apps can be accessed only via the Locker. I use Firefox and Blokada 5. To update Blokada I occasionally permit only Firefox to install apps from unknown source. Firefox warns when it detects potentially nefarious website.

    The question: how safe is my use case on this device?

    Posted via BlackBerry Passport Silver Edition
    11-29-20 04:18 AM
  17. Chuck Finley69's Avatar
    Real use scenario is here. I do use BlackBerry KEYone Bronze Edition. My email accounts are in the BlackBerry Hub, also have whatsapp, telegram, signal. Few sensitive apps can be accessed only via the Locker. I use Firefox and Blokada 5. To update Blokada I occasionally permit only Firefox to install apps from unknown source. Firefox warns when it detects potentially nefarious website.

    The question: how safe is my use case on this device?

    Posted via BlackBerry Passport Silver Edition
    As safe as any other Android hardware running OS released in 2017 and security patch from 2019 sometime. Many corporate UEM programs won’t allow it for security reasons since only current Android OS (X) and previous Android OS (X-1) are considered updated and supported. That means Android 11 and Android 10 for now are considered up-to-date.

    That may change in the future releases to X-2 but doesn’t really apply in reverse to Android 9 Pie and earlier. Officially for now, the KEYone Oreo 8.1 is at X-3 but the Key2 and Key2 LE are exceptions with final security updates released in year 3 recently.
    11-29-20 09:09 AM
  18. iMasterus7's Avatar
    As safe as any other Android hardware running OS released in 2017 and security patch from 2019 sometime. Many corporate UEM programs won’t allow it for security reasons since only current Android OS (X) and previous Android OS (X-1) are considered updated and supported. That means Android 11 and Android 10 for now are considered up-to-date.

    That may change in the future releases to X-2 but doesn’t really apply in reverse to Android 9 Pie and earlier. Officially for now, the KEYone Oreo 8.1 is at X-3 but the Key2 and Key2 LE are exceptions with final security updates released in year 3 recently.
    Your answer is like some standard corporate infomercial, you often refer in your posts here. What about some concrete details on what is wrong with my use case?

    Posted via BlackBerry Passport Silver Edition
    11-29-20 11:56 AM
  19. conite's Avatar
    Your answer is like some standard corporate infomercial, you often refer in your posts here. What about some concrete details on what is wrong with my use case?

    Posted via BlackBerry Passport Silver Edition
    I don't think a specific answer to your question is possible.

    Hackers continually find new and ingenious ways to compromise a device and its data.

    The fact is, the KEYᵒⁿᵉ has dozens of PUBLISHED vulnerabilities since patching stopped for it a year and a half ago.

    You can have all of the safety equipment with you, but if your boat has a screen for a hull, there is only so much you can do.
    11-29-20 12:09 PM
  20. iMasterus7's Avatar
    I don't think a specific answer to your question is possible.

    Hackers continually find new and ingenious ways to compromise a device and its data.

    The fact is, the KEYᵒⁿᵉ has dozens of PUBLISHED vulnerabilities since patching stopped for it a year and a half ago.

    You can have all of the safety equipment with you, but if your boat has a screen for a hull, there is only so much you can do.
    That is the thing, and you know that the devil is in the details. If I don't visit spooky websites and don't install virus apps and don't click on shady links: how can one theoretically get a remote access and control over my (and any) device?

    Posted via BlackBerry Passport Silver Edition
    11-29-20 12:28 PM
  21. conite's Avatar
    That is the thing, and you know that the devil is in the details. If I don't visit spooky websites and don't install virus apps and don't click on shady links: how can one theoretically get a remote access and control over my (and any) device?

    Posted via BlackBerry Passport Silver Edition
    Payloads have often been found in mainstream apps and "not-spooky" websites.

    But at the end of the day, I, or anyone else, can't give you an exact figure.
    11-29-20 12:32 PM
  22. Chuck Finley69's Avatar
    Your answer is like some standard corporate infomercial, you often refer in your posts here. What about some concrete details on what is wrong with my use case?

    Posted via BlackBerry Passport Silver Edition
    I have no idea what your actual internet footprint of existence is and I doubt any of us does for ourselves regarding security and privacy. The closest I’m certain of and what I’ve described is the corporate UEM level of privacy and security. Coincidentally, it’s the actual message from BlackBerry Limited and its competitors for their respective UEM solutions.

    I’m using a Pixel 3a running Android 11 on November 5 security patch and iPhone XR with iOS 14.2 on November updates. That’s what I’m using for my personal and business uses. I’m considered as secure as possible by UEM standards. I’m obviously subject to any improper security decisions that UEM standards recommend against.
    11-29-20 12:37 PM
  23. RLeeSimon's Avatar
    Sony came with a new phone…
    11-30-20 08:10 AM
  24. Dunt Dunt Dunt's Avatar
    Payloads have often been found in mainstream apps and "not-spooky" websites.

    But at the end of the day, I, or anyone else, can't give you an exact figure.
    Even the BlackBerry Mobile site got hacked.... but not to spread a virus in that case.

    Also just being out in public with your WiFi or Bluetooth on is another big risk. Was a time with my Z10 that I regularly had those turned off via Power Tools and its geo fencing. But at this point, I'm always using both - turning them off isn't really an option. But anyone stuck on an older version of Android without patches, should consider it.
    11-30-20 08:22 AM
  25. eshropshire's Avatar
    That is the thing, and you know that the devil is in the details. If I don't visit spooky websites and don't install virus apps and don't click on shady links: how can one theoretically get a remote access and control over my (and any) device?

    Posted via BlackBerry Passport Silver Edition
    The one main item I would worry about is installing apps from unknown sources. Everyone's level of personal phone security is their own. I never allow apps from unknown sources to install on my phone. Google has a hard enough time keeping the app store safe. I never install apps from the Google store unless they come from major vendors.

    Only you can decide if running a phone without at least quarterly security updates is worth the risk. I work in data security and personally would not use a phone that is not receiving security updates. We do not let any phones access our company services that are not up to date on security. If you can get by without being up to date, then you need to decide your own comfort level with risk.

    You asked the opinion of other forum members of their security comfort level. You have received some great replies about current comfort levels. You are welcome to ignore our comments. I know that several of the comments come from people like myself who work in fields where device security is critical. We can't take chances or allow our customers or their data to be vulnerable. YMMV.
    11-30-20 06:32 PM
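
The access rule described in posts 17 and 25 (only Android X and X-1 accepted, and no devices behind on security updates), as an added example that is not part of the thread or any UEM product. It reads the two standard Android build properties from `getprop` output; the 92-day patch window, the sample device output and the KEYone patch date are constructed assumptions.

```python
import re
from datetime import date

# Assumed policy values for illustration (not taken from a specific UEM product).
CURRENT_RELEASE = 11        # "X" at the time of the thread: Android 11
MAX_RELEASES_BEHIND = 1     # X and X-1 are accepted, per post 17
MAX_PATCH_AGE_DAYS = 92     # "at least quarterly" updates, per post 25
TODAY = date(2020, 11, 29)  # evaluation date, matching the thread

# Constructed sample `getprop` output; the thread only says the KEYone's
# last patch is from "2019 sometime", so this date is a placeholder.
KEYONE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2019-08-05]
"""
PIXEL_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2020-11-05]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")


def parse_getprop(text):
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def evaluate(props, today=TODAY):
    """Return (compliant, reasons). Missing or malformed data fails closed."""
    reasons = []

    release = props.get("ro.build.version.release", "")
    major = re.match(r"(\d+)", release)
    if not major:
        reasons.append("OS release missing or unparseable")
    else:
        behind = CURRENT_RELEASE - int(major.group(1))
        if behind > MAX_RELEASES_BEHIND:
            reasons.append(f"Android {release} is X-{behind}, "
                           f"policy allows up to X-{MAX_RELEASES_BEHIND}")

    patch = props.get("ro.build.version.security_patch", "")
    try:
        age = (today - date.fromisoformat(patch)).days
        if age > MAX_PATCH_AGE_DAYS:
            reasons.append(f"security patch {patch} is {age} days old, "
                           f"limit is {MAX_PATCH_AGE_DAYS}")
    except ValueError:
        reasons.append("security patch level missing or unparseable")

    return (not reasons, reasons)


if __name__ == "__main__":
    for name, raw in (("KEYone", KEYONE_GETPROP), ("Pixel 3a", PIXEL_GETPROP)):
        ok, why = evaluate(parse_getprop(raw))
        print(name, "ALLOW" if ok else "DENY", "; ".join(why))
```
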