1. ajokurvanyad's Avatar
    So being still on oreo, keyone black, abs number patch, android, how safe can it be? And what are the real-world dangers or attack vectors that could be exploited and how? What can we do, without switching phones, to protect ourselves with this obsolete dangerous OS?

    Posted via CB10
    08-03-20 06:52 PM
  2. conite's Avatar
    So being still on oreo, keyone black, abs number patch, android, how safe can it be? And what are the real-world dangers or attack vectors that could be exploited and how? What can we do, without switching phones, to protect ourselves with this obsolete dangerous OS?

    Posted via CB10
    I typically am comfortable with no more than 3 months beyond the last patch - which makes the KEYᵒⁿᵉ useless to me, and gives me until Sep for the KEY².

    If you insist on staying with it, all you can do is stick to well-reviewed apps on Play Store and safe websites.
    rarsen and terminatorx like this.
    08-03-20 07:50 PM
  3. RoseBud68's Avatar
    It's only as safe as you want it to be......
    08-03-20 08:39 PM
  4. Troy Tiscareno's Avatar
    As conite and others have pointed out, when "white hat" researchers find an exploit, they notify the manufacturer of the bug, and then 30 days later, they release that information to the public. This is done to motivate the manufacturers to fix the problems, but also to give them some time to do so. Still, the result is that every "black hat" hacker in the world can easily find out about those exploits and start building them into apps or servers or any other method they can think of. If you're on a supported OS running recent patches, that's generally not a problem, because you've probably got updated code that fixes the problem - but when you're on an old OS, there's a long and constantly growing list of exploits that are widely known and available to hackers, and many of them don't require that you DO anything to be exploited other than have your phone active on a carrier.

    None of us can say exactly what your risk is - there's no accurate way to measure that - but you are definitely at risk to some degree, and the more days behind you are, the greater the risk. Yes, BB has "toughened" certain parts of the OS, but that doesn't negate the exploits in most cases. You could remove the front door of your house and install a vault door, but if you have a big floor-to-ceiling window right next to the door, that vault door isn't likely to slow down an intruder with a rock. And if your walls are made out of paper (think: Japanese) or straw, that vault door isn't going to prevent your walls from burning down. And if you leave your back door wide open, it makes little difference how strong your vault door is on the front of the house - I can walk right in through the back. Strengthening a single attack vector doesn't necessarily do anything to strengthen the others. And smartphones have literally hundreds of potential attack vectors, with new ones being discovered all the time.

    If all you do is browse YouTube for cat videos and stream Pandora or Spotify, then your risk is likely to be low. If you have your email account on there (which is the "key" to much of your online life), or you do financial transactions on there, or you have company secrets or client data on there, then your risk is much, much higher. Only you can really estimate what your risk is.
    John Albert likes this.
    08-03-20 11:35 PM
  5. manymachines's Avatar
    Keep in mind that new major releases often have security issues particular to new functionalities. It's not as if the new major release is just like the old one, except more secure. Being at "the latest and greatest" makes you prone to such attacks. Often, the first attack against a new feature is relatively more consequential, as it's low-hanging fruit. People tend to add up all the unfixed vulns and don't factor in the vulns they avoided, or complexity in real-world utilization. Newer is often better, over time, but it's not nearly as clear cut as "new or die", and never has been.
    bh7171, rarsen and Faustavian like this.
    08-04-20 05:50 AM
  6. conite's Avatar
    Keep in mind that new major releases often have security issues particular to new functionalities. It's not as if the new major release is just like the old one, except more secure. Being at "the latest and greatest" makes you prone to such attacks. Often, the first attack against a new feature is relatively more consequential, as it's low-hanging fruit. People tend to add up all the unfixed vulns and don't factor in the vulns they avoided, or complexity in real-world utilization. Newer is often better, over time, but it's not nearly as clear cut as "new or die", and never has been.
    That really isn't how Android and iOS development has worked though.

    If you look at the Android security bulletins for instance, you will see very few that are Android 10 exclusive.

    Most exploits are against older versions actually.
    rarsen likes this.
    08-04-20 07:05 AM
  7. Dunt Dunt Dunt's Avatar
    Keep in mind that new major releases often have security issues particular to new functionalities. It's not as if the new major release is just like the old one, except more secure. Being at "the latest and greatest" makes you prone to such attacks. Often, the first attack against a new feature is relatively more consequential, as it's low-hanging fruit. People tend to add up all the unfixed vulns and don't factor in the vulns they avoided, or complexity in real-world utilization. Newer is often better, over time, but it's not nearly as clear cut as "new or die", and never has been.
    I'd take being on "the latest and greatest" over the outdated... any day.

    Time... is an issue. Both with accumulation of known vulnerabilities, but also with allowing time for "hackers" to make use of these.

    Go three months and might only be a dozen or so vulnerabilities on your phone.... but nothing yet in place to attack those vulnerabilities. Wait a year (KEYone), could be six dozen vulnerabilities, many of which will have hacks in the wild.

    But Google's Android updates are just the start.... majority of major OEMs add additional patches for their specific hardware or firmware. Samsung had a total of 29 additional patches over and above Google's last month (not all apply to all hardware). I'm not sure if BBMo ever patched anything "extra". Do know that they only provide the security patches not the maintenance release portions for each month.

    Google lists seven major OEMs on their Android Security Bulletins site... I wouldn't buy from anyone but one of those. And I'd personally write off the three there that are Chinese owned. Leaving Google, LG, Nokia and Samsung as viable options for new phones going forward.

    OP for those that don't want to leave the PKB format or aren't in a position to shell out for a new phone....
    • Avoid apps from outside of Google Play (that toggle should be left off for your protection)
    • Keep apps updated - Auto updates should be on.
    • Don't use old apps - some developers just aren't active.
    • Avoid sites (Porn or Dark Web or wrong URL) with malicious code.
    • Limit exposure to emails... have good filters on the server side.
    • Reduce your exposure - Turn off Bluetooth, WiFi and NFC at all times - as these are access points.
    08-04-20 11:50 AM
  8. ajokurvanyad's Avatar
    - but when you're on an old OS, there's a long and constantly growing list of exploits that are widely known and available to hackers, and many of them don't require that you DO anything to be exploited other than have your phone active on a carrier.
    ...Say what now??

    I am truly screwed then. This here seems as good of a place as any to let any potential hacker stumbling on here find out about my vulnerabilities so here goes:
    Use both a carrier and wifi (some public) on a daily basis, although my banking, where all my apps are up to date, I only use on mobile data... but apparently that isn't risk free either. Can they get into my e-mails via the Hub? I have that set up on keyone and old q10 with BB Blend. Also is Blend a risk? How about my Instagram app not being updated since probably last year, is that a threat point? I only update my banking apps, Firefox Focus and Chrome when new updates roll out. I conduct my most sensitive tasks on those, plus the Hub.



    Posted via CB10
    Last edited by ajokurvanyad; 08-04-20 at 01:44 PM.
    08-04-20 01:34 PM
  9. ajokurvanyad's Avatar

    Google lists seven major OEMs on their Android Security Bulletins site... I wouldn't buy from anyone but one of those. And I'd personally write off the three there that are Chinese owned. Leaving Google, LG, Nokia and Samsung as viable options for new phones going forward.

    OP for those that don't want to leave the PKB format or aren't in a position to shell out for a new phone....
    • Avoid apps from outside of Google Play (that
    What about the likes of Motorola (Lenovo?), OnePlus or Sony?

    Also I have the F-Droid store, with NewPipe from it on, but without the permission to install anything unless I toggle that permission back on. How sketchy is that?


    Posted via CB10
    08-04-20 01:44 PM
  10. Dunt Dunt Dunt's Avatar
    What about the likes of Motorola (Lenovo?), OnePlus or Sony?

    Also I have the F-Droid store, with NewPipe from it on, but without the permission to install anything unless I toggle that permission back on. How sketchy is that?


    Posted via CB10
    Moto is on the list... but it's now Chinese owned.
    Oppo is on the list, they own OnePlus... and are Chinese owned.

    You are free to choose to use devices from Chinese owned companies... as I said I "personally" do not.

    Sony isn't a factor here... and I doubt they stay in phones much longer.

    FDroid has been a BB10 user's best friend of late. There have been a few outside security audits (last was in 2018) and I've heard nothing but good things about them.
    08-04-20 01:57 PM
  11. bh7171's Avatar
    ...Say what now??

    I am truly screwed then. This here seems as good of a place as any to let any potential hacker stumbling on here find out about my vulnerabilities so here goes:
    Use both a carrier and wifi (some public) on a daily basis, although my banking, where all my apps are up to date, I only use on mobile data... but apparently that isn't risk free either. Can they get into my e-mails via the Hub? I have that set up on keyone and old q10 with BB Blend. Also is Blend a risk? How about my Instagram app not being updated since probably last year, is that a threat point? I only update my banking apps, Firefox Focus and Chrome when new updates roll out. I conduct my most sensitive tasks on those, plus the Hub.



    Posted via CB10
    Only a quarter of all the world's Android devices are on Android 10. If all of these hypothetical OS issues were so severe that the average user was in jeopardy the OEMs or Google would have to coordinate fixes or be handled through the Google Play Store.

    The main issues one might face are through applications and sources as noted prior. Your bank is responsible for ensuring the security of its application across all devices. Similar to Amazon for all its tablet users on Android Pie and much earlier Android OS versions.

    Is a 24 month patched OS more secure than a newer OS? That's for much higher level security experts than here in these forums. New capabilities are obviously less tested or vetted. Neither Android nor iOS is a new OS. They are annual reiterations of the former.

    https://gs.statcounter.com/android-v...blet/worldwide
    rarsen and PantherBlitz like this.
    08-04-20 03:16 PM
  12. bh7171's Avatar
    So being still on oreo, keyone black, abs number patch, android, how safe can it be? And what are the real-world dangers or attack vectors that could be exploited and how? What can we do, without switching phones, to protect ourselves with this obsolete dangerous OS?

    Posted via CB10
    Blokada and NetGuard are also great, open sourced, tracker removing sources. Go to each respective website to download. Using both I find Blokada easier to configure and set up.
    08-04-20 03:27 PM
  13. brookie229's Avatar
    and I doubt they stay in phones much longer.

    .....of course we've been hearing about Sony packing it in for it seems like 2 decades now.
    Laura Knotek likes this.
    08-04-20 03:54 PM
  14. Dunt Dunt Dunt's Avatar
    Only a quarter of all the world's Android devices are on Android 10. If all of these hypothetical OS issues were so severe that the average user was in jeopardy the OEMs or Google would have to coordinate fixes or be handled through the Google Play Store.

    The main issues one might face are through applications and sources as noted prior. Your bank is responsible for ensuring the security of its application across all devices. Similar to Amazon for all its tablet users on Android Pie and much earlier Android OS versions.

    Is a 24 month patched OS more secure than a newer OS? That's for much higher level security experts than here in these forums. New capabilities are obviously less tested or vetted. Neither Android nor iOS is a new OS. They are annual reiterations of the former.

    https://gs.statcounter.com/android-v...blet/worldwide
    Yes I'd suggest anyone research what the security experts in the real world are recommending...

    Global numbers don't really mean much... as sadly there are lots of smartphone users that don't have anything to steal, and thus they aren't a target. They can't afford to use anything but old devices.

    Change the chart to only the USA (or your own country) and pull out Tablets.... Right now Android 8 through Android 10 are considered current supported versions of Android - chart will show almost 87% of active devices are on a currently patchable version of Android in the USA. But Android 11 is soon to be released (maybe), and support for Android 8 is going to end.... and Android 8 and 8.1's 14% market share will continue to fade. And USA has its share of those that can't afford to upgrade... they aren't big targets either.

    I bet if we polled.... I bet 14% or more would say they feel safe going into a Wal-Mart without a Face Mask as well. Just because others will do an unsafe thing and nothing happens to them (that you know of), doesn't make it safe.
    Troy Tiscareno likes this.
    08-04-20 03:58 PM
  15. bh7171's Avatar
    .....of course we've been hearing about Sony packing it in for it seems like 2 decades now.
    Yep. The new Xperia 1 Mark II is a gorgeous mobile phone with exceptional camera capabilities. Unfortunately not going to be a good year for expensive, non carrier devices here in US.
    08-04-20 04:43 PM
  16. bh7171's Avatar
    Yes I'd suggest anyone research what the security experts in the real world are recommending...

    Global numbers don't really mean much... as sadly there are lots of smartphone users that don't have anything to steal, and thus they aren't a target. They can't afford to use anything but old devices.

    Change the chart to only the USA (or your own country) and pull out Tablets.... Right now Android 8 through Android 10 are considered current supported versions of Android - chart will show almost 87% of active devices are on a currently patchable version of Android in the USA. But Android 11 is soon to be released (maybe), and support for Android 8 is going to end.... and Android 8 and 8.1's 14% market share will continue to fade. And USA has its share of those that can't afford to upgrade... they aren't big targets either.

    I bet if we polled.... I bet 14% or more would say they feel safe going into a Wal-Mart without a Face Mask as well. Just because others will do an unsafe thing and nothing happens to them (that you know of), doesn't make it safe.
    Depends on the material of the mask. If one believes cloth or paper is going to protect one from an infected person or prevent infection you probably need to consider the inherent protection capabilities of the mask material, when said user(s) last washed or replaced their now two, three week or even longer worn cloth mask and the virulent particulate size of COVID-19.

    https://www.cidrap.umn.edu/news-pers...sed-sound-data

    For all us BlackBerry Key and Motion users let's hope our devices are analogous to respirators or well fitted surgical masks in keeping out nefarious activities for the foreseeable future. 😎👍
    08-04-20 04:56 PM
  17. ajokurvanyad's Avatar
    Yep. The new Xperia 1 Mark II is a gorgeous mobile phone with exceptional camera capabilities. Unfortunately not going to be a good year for expensive, non carrier devices here in US.
    Will it be a viable option though in a year or two, when the price drops to something more reasonable, with security updates coming? It looks like a gorgeous tall phone for when the keyone no longer can serve its purpose

    Posted via CB10
    08-04-20 06:22 PM
  18. conite's Avatar
    Will it be a viable option though in a year or two, when the price drops to something more reasonable, with security updates coming? It looks like a gorgeous tall phone for when the keyone no longer can serve its purpose

    Posted via CB10
    You get 2 or 3 years of updates (from initial launch date) for an Android device.

    That's why it's better to buy a new device instead of a year or two old device - even if it means moving down to a mid-range phone instead.

    For $200, I'd get a Nokia 5.3. For $349, I'd get a Pixel 4a. Updates until the summer of 2023.

    If you have $500-550 or so, wait for either the Nokia 8.3 5G or Pixel 4a 5G in Sep/Oct.

    I'm biased against Chinese phones, and those not running a clean version of Android.
    Last edited by conite; 08-04-20 at 06:58 PM.
    rarsen, RBR 1 and John Albert like this.
    08-04-20 06:41 PM
  19. RBR 1's Avatar
    You get 2 or 3 years of updates (from initial launch date) for an Android device.

    That's why it's better to buy a new device instead of a year or two old device - even if it means moving down to a mid-range phone instead.

    For $200, I'd get a Nokia 5.3. For $349, I'd get a Pixel 4a. Updates until the summer of 2023.

    If you have $500-550 or so, wait for either the Nokia 8.3 5G or Pixel 4a 5G in Sep/Oct.

    I'm biased against Chinese phones, and those not running a clean version of Android.
    Agreed. Apart from an old ZTE flip phone that I used to have, I'd never buy anything from a Chinese manufacturer.
    08-05-20 02:35 PM
  20. Dunt Dunt Dunt's Avatar
    You get 2 or 3 years of updates (from initial launch date) for an Android device.

    That's why it's better to buy a new device instead of a year or two old device - even if it means moving down to a mid-range phone instead.

    For $200, I'd get a Nokia 5.3. For $349, I'd get a Pixel 4a. Updates until the summer of 2023.

    If you have $500-550 or so, wait for either the Nokia 8.3 5G or Pixel 4a 5G in Sep/Oct.

    I'm biased against Chinese phones, and those not running a clean version of Android.
    Ah... but Samsung's dirty version is considered more secure than Nokia clean version..... Which is why Google's Android Enterprise Recommended program was such a joke. Enterprise already knows what Android phones they should buy.

    But I get that for folks that want more control over things, Samsung's half walled garden is a short step from Apple's fully walled garden. Do think the Android One program is great... and in many cases Nokia is more timely on their android updates than Samsung. And Nokia has a better track record across the board.... a $200 Nokia will get the full update/patch treatment, a $200 Samsung isn't very likely to get much. The more midgrade phones will get some of the updates and patches.... But some of Samsung's flagships have gone beyond three years of patches.

    And now Samsung has joined Apple's iPhone and Google's own Pixel phones and added its own dedicated security chip in the S20, in addition to the layers that KNOX provides. That helps to explain why, while the average consumer price paid for a smartphone is falling in the US, Enterprise is willing to pay twice that average for today's most secure flagship phones from Samsung or Apple (have no idea if Google's really getting any Enterprise penetration).
    08-05-20 03:32 PM
  21. bh7171's Avatar
    Ah... but Samsung's dirty version is considered more secure than Nokia clean version..... Which is why Google's Android Enterprise Recommended program was such a joke. Enterprise already knows what Android phones they should buy.

    But I get that for folks that want more control over things, Samsung's half walled garden is a short step from Apple's fully walled garden. Do think the Android One program is great... and in many cases Nokia is more timely on their android updates than Samsung. And Nokia has a better track record across the board.... a $200 Nokia will get the full update/patch treatment, a $200 Samsung isn't very likely to get much. The more midgrade phones will get some of the updates and patches.... But some of Samsung's flagships have gone beyond three years of patches.

    And now Samsung has joined Apple's iPhone and Google's own Pixel phones and added its own dedicated security chip in the S20, in addition to the layers that KNOX provides. That helps to explain why, while the average consumer price paid for a smartphone is falling in the US, Enterprise is willing to pay twice that average for today's most secure flagship phones from Samsung or Apple (have no idea if Google's really getting any Enterprise penetration).
    "Dirty version?" Pretty sure Samsung knows as much, if not more than any other OEM in regards to Android. After all it is usually their updates and changes that drive many of the annual OS update features. And as a former Samsung user pretty certain you are aware how useful many of their applications can be. Samsung Pay is one that was leading and comes to mind.

    Although Nokia is doing some good things to identify themselves does anyone think they will dent Samsung's share here in US or elsewhere? Samsung, like Apple, has the ability to crush competitors and take back market share when willing or necessary.

    Look at their exploding A line of devices to meet market conditions in a very short period of time.
    08-05-20 04:12 PM
  22. bh7171's Avatar
    You get 2 or 3 years of updates (from initial launch date) for an Android device.

    That's why it's better to buy a new device instead of a year or two old device - even if it means moving down to a mid-range phone instead.



    I'm biased against Chinese phones, and those not running a clean version of Android.
    Just note "Samsung" 😁
    As some very good, affordable devices they make are omitted. (A51, A71, A31)

    Have you used a recent Samsung on the latest UI for any period of time? It's quite good.... And I'll take their Android browser (or the new Microsoft Edge) over Chrome all day everyday... 👍
    08-05-20 04:21 PM
  23. conite's Avatar
    Just note "Samsung"
    As some very good, affordable devices they make are omitted. (A51, A71, A31)

    Have you used a recent Samsung on the latest UI for any period of time? It's quite good.... And I'll take their Android browser (or the new Microsoft Edge) over Chrome all day everyday...
    I like the Samsung A51 and A71 too. I just don't think they will be as well supported as a Pixel or Android One device at those price points.
    08-05-20 04:31 PM
  24. brookie229's Avatar
    Speaking of Samsung - this is new? https://mobilesyrup.com/2020/08/05/s...urity-updates/ or is that old news?
    08-05-20 04:53 PM
  25. conite's Avatar
    Speaking of Samsung - this is new? https://mobilesyrup.com/2020/08/05/s...urity-updates/ or is that old news?
    The extra letter upgrade is new, but they only mention the S line. A line gets less attention typically.
    08-05-20 04:58 PM