
That’s all great - but don’t lure people too much into a false sense of security. While your Nexus 6 may run a shiny new version of Android, underneath it runs a crusty old 2017 kernel full of holes of different sizes. The community is great, but vendor support remains important. LineageOS and other projects can’t fix things in kernels they can’t compile - they can only provide security updates for open source components.

That makes Google’s promise here so key. 5 years of updates is 5 years of kernel level fixes. After that, it’s probably left up to the community.

I really don’t recommend that people go out and buy abandoned Android phones to flash software. LineageOS and other community projects are a blessing in many many ways, but they don’t make your phone completely up to date. And that’s something one should make an informed decision about (buying an iPhone, I decided against that).




> underneath it runs a crusty old 2017 kernel full of holes of different sizes

> LineageOS and other projects can’t fix things in kernels they can’t compile

I think that you're wrong on this, that is unless you decided to use the term "kernel" above too liberally, referring to all software running on a device. AFAIK, alternative Android images, such as LineageOS, include relevant - and quite up-to-date! - AOSP common kernels (aka Android common kernels or ACKs; https://source.android.com/devices/architecture/kernel/andro...), which are open source, plus some manufacturer-specific proprietary binary drivers and firmware (though there exists a related, but slowly moving, project, Replicant, focused on creating and maintaining a fully open, i.e., kernel + drivers + firmware, Android distribution: https://replicant.us).


No, I’m talking about the Linux kernel. You can check this for yourself. Take a look at the ROMs distributed on LineageOS as the example project and see if they include kernels that are up to date in any way. For older phones outside of vendor support, those kernels will always be out of date.

Some diligent LineageOS projects are known to incorporate some open source kernel fixes sometimes, or grab newer blobs from other phones from other devices. But there’s only so much they can do. In general, it’s true to say that older devices with community Android support are not completely up to date - the kernels are old, and vendor drivers are not getting updated. Outside of making big usability concessions in projects like Replicant, the community can’t do much here.


Good points. Though I'm a bit confused by your reply. Are you saying that LineageOS folks do not always or, at least, mostly use the latest AOSP common kernels for their relevant ROMs (as opposed to "some open source kernel fixes")?


I don’t know. I’m saying that custom ROMs use kernels that make your phone work. In the best case that involves shipping 1) the driver and firmware blobs the vendor provided while supporting the phone and 2) a kernel that is binary compatible with those blobs. Because of how Linux works, in the best case (2) is an old kernel of the same major version as the vendor shipped with the phone, with maybe some security fixes that made it into the mainline kernel or in the Android kernel. But if your stock ROM has security bugs in e.g. the wifi driver, graphics driver or baseband firmware, your custom ROM has those exact same bugs. Even if the custom ROM is years newer than the latest vendor update.


Understood, thank you for clarifying.


Just ran across this relevant nice little article, which I found quite interesting: https://arstechnica.com/gadgets/2021/09/android-to-take-an-u.... I hope that people who interacted with me in this sub-thread (and other folks here) will enjoy reading it as well.


So would you please help me to find a ROM with an up-to-date Android Common Kernel for my i9300 Samsung Galaxy S3?

AFAIK, the only way to run it with working drivers for all hardware components is ROMs which use the rusty 3.0.101 Linux kernel from back in the day, and I think that is what DCKing is referring to. If you want to create a new ROM, you either have to use the old kernel and have an upper limit of Android 7.x (in this case) or you have to accept that not all components are supported (e.g. no GPS).

I would be glad if the situation were different. Maybe it is different for phones you buy today?


Obviously, not all devices have up-to-date kernels. It depends on whether they are supported by relevant Android distributions. That's why I used the phrase "quite up-to-date" instead of just "up-to-date". Unfortunately for you, LineageOS has stopped supporting i9300 Samsung Galaxy S3 with the latest official release being 14.1, which is based on Nougat (Android 7.1.2).

Having said that, I ran across the following post that describes successful installation of LineageOS 18.1 (Android 11) ROM on Samsung Galaxy S3 i9300: https://devsjournal.com/install-lineage-os-in-galaxy-s3-i930.... This is just FYI. So, if you understand relevant risks and feel adventurous, you can try to install it on your device. Disclaimer: I'm neither affiliated with the author of the post, nor responsible for any damage that might be associated with following the advice contained in the above-linked post.


Thank you for looking up that ROM, as I might want to try it out. However, you are also proving my point, even that ROM with Android 11 is still running the old 3.0.101 Linux kernel. You can see it in the video at the last row:

https://youtu.be/K_i29pczfRA?t=10

So congratulations to the guy who made it possible to run Android 11 with that ancient Linux kernel, even when Android officially doesn't support it. And to illustrate what I mean by ancient: Linux 3.0 was released in 2011 and got support updates until 2013 [1]. So even when CyanogenMod/LineageOS supported the Samsung Galaxy S3 the included Linux kernels were old as crap. You can't blame them for it, as they had little choice given that a few crucial drivers are not open source and included in the upstream Linux kernel.

I just wonder if anything has changed for modern devices?

[1]: https://en.wikipedia.org/wiki/Linux_kernel_version_history


You're welcome and good luck!


https://forum.xda-developers.com/t/kernel-7-x-i9300-hybrid.3...

Backported 4.2, which includes some of the 4.3 changes as well. Supports Lineage. 4.1 is a version Google supports till 2024, so I'm assuming 4.2/4.3 is going to be even later. So, you got a phone from 2011 that's going to run a modern kernel and latest Android till after 2024.

> And to illustrate what I mean by ancient

Yes. I would love to see an iPhone from 2011 that's going to be running the latest iOS and Apple kernel after 2024.


Given that the kernel still identifies as 3.0.101, my guess is that they just backported some features from 4.x and applied them to the ancient kernel ;-) I am not so sure that qualifies as a 4.1 in terms of Android support.

I think the discussion about which devices live longer is simple to answer: Apple (iPhone) and Google (Nexus/Pixel) do probably the best job of supporting their devices for a while from a manufacturer's point of view (in comparison to Samsung, Xiaomi, LG, Huawei, Sony, etc.). However, if you want to spend some time and flash alternative ROMs yourself you are better off with Android due to the large modder community, but it also depends a bit on the device you bought.

My biggest issue, on the other hand, is that if the manufacturers would also open source the drivers, they could be included in the Linux kernel and we would not have these discussions, because one could simply use an up-to-date kernel as you can with every PC.


And how does the kernel affect you in any way? Most of the internet runs on old kernels because servers use long-term stable kernels anyway. If the UX is good the kernel shouldn't be a problem to you.


There are three dimensions:

1. UX: most of the time kernel updates don't affect the user experience. However, from time to time there are scheduler updates which can have positive effects.

2. Security: Being able to run the kernel with the latest security updates is evidently very important to have a system that is not vulnerable to newly discovered exploits.

3. Dependencies: As discussed already, some software components like Android itself require certain kernel features and therefore certain versions to let you run the latest versions of the software.

Btw. even LTS kernels are just supported for six years or so.

My biggest problem with the situation is that 99% of the software is open source (Android incl. the Linux kernel) and just a few vendor-specific drivers make it very hard to upgrade the kernel and therefore the system.


Interesting information, good to know.


It is different for phones made by the people who also make Android. Google. Which is why I was specifically talking about the Pixel and the Nexus phones sold by Google. For example, kernel version 4.9.3 - the latest one (yes, originally released in November of 2017) supports up to the latest Android. In fact, since 4.1 supports the latest Android, and will till June 2024 according to Google. I'm going to go on a limb here, and given the current timeline, project 4.9.3 is going to be supported for probably whatever Android is released in 2026.

So, Nexus 6 released in 2014 will be able to run the latest Android, fully security patched including kernel (which is not that important), till about 2026.

Now let's keep in mind that I replied to a guy who said how great it is that ios has more longevity.


> So, Nexus6 released in 2014 will be able to run the latest android, fully security patched including kernel (which is not that important), till about 2026.

This is getting to borderline misinformation here. Sorry to have made you dig into this position, but please don’t call this fully patched. Qualcomm abandoned the Snapdragon 805 in the Nexus 6 in 2017 (maybe even 2016), and no updates to that platform's kernel drivers or other proprietary components exist. You can patch up open source pieces - those are important too - but that doesn’t count as “fully security patched”. Kernel drivers are a very important vector on any system, on Android especially so.

This is why e.g. CalyxOS has these EoL notices for Google devices much newer than the Nexus 6 here: https://calyxos.org/install/ They’re honest that not everything can be updated!

If you choose to run your devices this way, more power to you. It's a legit way of extending a phone's life with some tradeoffs. But please inform others about the actual limitations.

> For example, kernel version 4.9.3 - the latest one (yes, originally released in november of 2017) supports up to the latest Android.

I couldn't find anything online about Nexus 6 kernels that are not some version of Linux 3.10, which despite being an LTS release was EoLed by the Linux kernel developers end of 2017. Would be curious to get any sources on the information that the Nexus 6 has modern-ish kernels available.

It's a rare feat that Android devices get a new major kernel version, _even with_ vendor support.


It's not the kernel security updates that are important in regards to this 5 year promise, those are all open source and can be applied to any device a ROM (such as CalyxOS) supports. It's the proprietary firmware blobs that are the big deal, and what this 5 years promise from google means is that those blobs, required for certain hardware on the device, will receive 5 years of security updates. And that's good, because those are the security vulnerabilities that e.g. the CalyxOS team cannot patch themselves (no source code).

This is why CalyxOS now makes it clear what devices they support are still getting full security updates (kernel + firmware blobs) or just kernel updates. I believe the most recent CalyxOS patch added the ability for the user to see in settings the month and year of the last firmware security update for their device vs their current kernel security update.


Alright - I'll bite. This is a smartphone, not a Windows PC with a bunch of services. There is zero listening on any port. There is no attack surface for any kernel - the only thing there would be a bug in MMS. Please share your source for kernel attacks, on any Android version, that's not an attack on an app - but on the kernel. No, this is not a Google Play attack, or an attack on an outdated app - which are updated fine.

In addition, I'm unsure why you think you can't update the kernel on a phone. In fact, updating the kernel is standard procedure for... pretty much all directions on flashing a custom ROM. I had my Nexus 6 on kernel 4.9.3. There are literally new phones, right now, selling with that kernel version and earlier, with Android 11.

This is like saying Windows Server 2016 has a kernel that's outdated, or that Windows 10 which came out in 2015 is outdated.

I think you are extremely confused.

>I really don’t recommend

Which is a good thing, because you should not be recommending about things you do not understand on even a basic level.

>After that, it’s probably left up to the community.

Right. The entire point of my post. You can load stuff from the community. Which includes the community of things like Lineage - a big official community that's an LLC - a corporation like Red Hat.

A phone is not a server. It is not a security risk to run an outdated kernel. There are no services running a hacker can connect to. You don't connect to a kernel over the internet. A kernel which is by no means out of date, and is currently running in many datacenters.


Smartphones aren’t servers, but they run tons of services that interact with the surrounding world. Bluetooth, WiFi, etc…

The kernel also still plays a vital and security-meaningful role in processing calls from applications.

Running an out of date kernel could mean strangers ransoming your data, or could mean an attack becomes persistent and starts logging and uploading through reboots.

Running an out of date kernel often does not result in this, and that higher level security matters first.

However, the kernel does have an attack surface through those higher levels, and pwning the kernel still means something.

Those datacenters are running LTS kernels with minor versions updated, or have security patches backported, or have far more limited connections to the world than your phone — only one protocol, one port, one service, for example.

One example, since you asked: https://thehackernews.com/2019/10/android-kernel-vulnerabili...


> Smartphones aren’t servers, but they run tons of services that interact with the surrounding world. Bluetooth, WiFi, etc…

Sounds like a server to me. Maybe not a webserver, or an SMTP server, or database server, but it is a server running world-accessible services.


We are not talking about datacenter servers - we are talking about smartphones. You can run a 4.9 kernel with all security patches applied, just like you can run Windows 10 with all security patches applied. You can update Bluetooth and wifi modems without going to a later kernel version. We call those drivers, not kernels.

The issue you note is only exploitable via a bug if you have an outdated version of the Chrome browser. You don't need to update the kernel in order to update an application.

Seriously, I feel like I'm talking to my wife here, who is not a tech person. Why are you and the other couple of people being purposely dense, and purposely ignoring the content of your own links that doesn't fit your viewpoint?

BTW, after you said smartphones aren't servers, you go on to talk about why an older kernel is bad on servers.

But since you asked, the latest 4.9.3 kernel running on that Nexus 6 from 2014, that's been compiled, appears to be from the end of the year 2019.


Good luck finding drivers for phone wifi, Bluetooth, etc. That’s the fking problem — Linux doesn’t have a stable driver API, so the binary blob drivers will not allow people to upgrade major Linux kernel versions.

If everyone around you is stupid, then maybe you don’t understand the topic at hand?


> There is no attack surface for any kernel - the only thing there would be a bug in mms. Please share your source for kernel attacks, on any android version

This is after one hasty search. https://source.android.com/security/bulletin/2016-10-01

There are various kernel level vulnerabilities listed. Some weakening privacy over tcp connections, others locally exploitable via a malicious app such as Pegasus.

I don't understand why you call him confused. Perhaps you can approach with curiosity instead.


I'll start by saying I spent a full 5 minutes reading through those and gave up. I asked for an example, you pasted twenty pages of random garbage and said "here, maybe you'll find something in this dump I took - why don't you spend some time and maybe I'll prove you wrong."

In those five minutes of looking through your garbage dump, I found Zero vulnerabilities that do not need either you installing a virus, which then gets root (the vulnerability), or a bug in an application running as root that's out of date, which then of course gives the attacker of the application root. None of those are valid examples, and I'm now bored digging through random garbage.

Any hack, in Any application, will give the attacker root - we're running rooted phones (for the extra functionality).

If you want to make a point, note the actual bug listed that does not need a compromised application. You installing a virus then the virus getting root does not count. The thread is about a kernel bug giving a remote attacker control of your phone. Applications and drivers like your modem can be updated without you updating the kernel. The latest N6 kernel is 4.9.3, with updates from the end of 2019.


Do you also run all your programs as root on desktop? Wtf.

Also, regarding your previous post, modern Android and iOS are light-years ahead in security of any desktop OS out there, for good reason (the majority of people interact with their phones, and store much more sensitive data there).


>Do you also run all your programs as root on desktop? Wtf.

Yes. Always have. Same in Windows, where I also don't use antivirus. And this is what most tech people do for their personal equipment. Because the one issue I had, in my 30+ years of using computers, and 20+ years of doing it professionally as a dev, sysadmin, and storage admin, I only once got a virus.

I'll tell you a little secret too. Yes, it's wtf to people who don't know what they're doing and need the safeguard against when they screw up. I know enough to not screw up. Now go pipe a bash script from a webpage to sh to install something, because that's what the installation manual for your game said to do.


Anyone saying they know enough not to screw up, most definitely knows hardly anything. Also, screwing up is not about knowing enough, it’s about being human, who make mistakes.

Running anything under root is just insanely stupid.


There’s an example of it on HN front page right now, where a terminal application without privileges can trigger a kernel bug.


For those times when I run that terminal application on my phone. Which is already rooted, so it doesn't need the kernel bug to get root. It can just run.


Your phone might be already rooted, but that's not true in general, and doesn't mean that the kernel doesn't have an attack surface on phones.


I'm not sure I'm the one confused here. Not really willing to get combative on what security priorities one should have, but I'll stick to mine.

> I had my nexus6 on kernel 4.9.3.

I find this very hard to believe, as no evidence of Nexus 6 kernels that are not Google's original 3.10 shipped exists that I can find. Even PostmarketOS that looks to update kernels links to LineageOS fork of the 3.10 kernel on their page for shamu/Nexus 6.

Unless you mean a custom kernel from "some guy on XDA" that names itself 4.9.3 like this one - which is just kernel 3.10 with some branding on it. It says so right in its description: https://forum.xda-developers.com/t/kernel-sm-4-9-3-o3-graphi... . Kernel 4.9.3 is a weirdly specific point release to be on in modern times anyway - there's kernel 4.9.0 all the way up to 4.9.287 - so it'd definitely be oddly specific if that's what you had.

Outside of valiant community efforts like Replicant and PostmarketOS, who have an extremely hard time getting working or feature complete kernels running, Android devices getting new kernels is almost unheard of. Even with vendor support. Community ROMs have to stick with what the vendor gave them to have a functional device.
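The two points above (a ROM whose kernel name advertises one version while the kernel itself reports another, and the distinction CalyxOS draws between the platform patch level and the last vendor/firmware patch level) are both things a user can verify rather than take on faith. The following is an added example, not code from LineageOS, CalyxOS or anyone in this thread. It assumes you have already captured `adb shell cat /proc/version` and `adb shell getprop` output from the device; the sample strings, the hypothetical "4.9.3" local-version suffix, and the EOL table entries are constructed for this example (the dates are taken from the kernel.org stable release history and should be checked against it before relying on them).

```python
"""Sanity-check what a custom ROM actually ships.

Added example (not project code): parses the kernel's own version string and
Android system properties, then reports whether the kernel series is past
upstream end-of-life and how far the vendor patch level lags the platform one.
"""
import re
from datetime import date

# Upstream stable-series end-of-life dates (kernel.org release history).
# Sample table for this example only; extend and verify it before relying on it.
UPSTREAM_EOL = {
    (3, 0): date(2013, 10, 22),
    (3, 10): date(2017, 11, 4),
    (4, 9): date(2023, 1, 7),
}

# Constructed sample of `adb shell cat /proc/version` from a hypothetical device.
# The local-version suffix "-sm-4.9.3" is what a custom kernel might call itself;
# the "3.10.108" in front is what the kernel actually is.
SAMPLE_PROC_VERSION = (
    "Linux version 3.10.108-sm-4.9.3 (builder@buildhost) "
    "(gcc version 4.9.x) #1 SMP PREEMPT Sat Dec 28 2019"
)

# Constructed sample of the relevant lines of `adb shell getprop`.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-09-05]
[ro.vendor.build.security_patch]: [2017-10-05]
"""


def parse_kernel_version(proc_version: str) -> tuple:
    """Return (major, minor, patch) from a /proc/version line, ignoring any
    vendor or ROM suffix after the numeric version."""
    m = re.search(r"Linux version (\d+)\.(\d+)\.(\d+)", proc_version)
    if not m:
        raise ValueError("unrecognised /proc/version line")
    return tuple(int(x) for x in m.groups())


def parse_getprop(text: str) -> dict:
    """Turn `[key]: [value]` lines into a dict."""
    return dict(re.findall(r"\[([^\]]+)\]: \[([^\]]*)\]", text))


def _patch_date(value):
    """Security patch levels are ISO dates (YYYY-MM-DD); None if absent."""
    return date.fromisoformat(value) if value else None


def assess(proc_version: str, getprop_text: str, today: date) -> dict:
    """Combine kernel version and patch levels into one report."""
    major, minor, patch = parse_kernel_version(proc_version)
    props = parse_getprop(getprop_text)
    eol = UPSTREAM_EOL.get((major, minor))
    platform = _patch_date(props.get("ro.build.version.security_patch"))
    vendor = _patch_date(props.get("ro.vendor.build.security_patch"))
    return {
        "kernel_version": f"{major}.{minor}.{patch}",
        "upstream_eol": eol,
        # True when the series no longer receives upstream stable fixes.
        "kernel_past_upstream_eol": eol is not None and today > eol,
        "android_release": props.get("ro.build.version.release"),
        "platform_patch_level": platform,
        "vendor_patch_level": vendor,
        # Days between the last vendor/firmware patch and the platform patch.
        "vendor_lag_days": (platform - vendor).days if platform and vendor else None,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_PROC_VERSION, SAMPLE_GETPROP, today=date.today())
    for key, value in report.items():
        print(f"{key:26} {value}")
```

Run it against real captures by replacing the two sample strings; a kernel reported as `3.10.x` with a ROM label mentioning `4.9.3`, or a vendor patch level years behind the platform one, is exactly the gap the thread is arguing about.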


I think you're terribly naive if you think a phone kernel has no attack surface. It is absolutely a security risk to run an outdated kernel. It has nothing to do with whether there are services running for a hacker to connect to; it's about whether it's possible for an attacker to trigger buggy behavior somehow, whether that's sending malformed packets or Bluetooth frames or invoking patterns of syscalls that cause bad things to happen. Heck, here's an obscure bug in Linux on the front page of HN right now, which Android is based on: https://googleprojectzero.blogspot.com/2021/10/how-simple-li... Also, I know GP was specifically talking about upgrading the kernel, but keeping drivers patched is much harder without vendor support, and there's likely to be more attack surface there.


Your phone is not a Linux server. Yes, if you install a virus or an outdated app, someone can daisychain a priv escalation using a kernel bug. No need for that though - my phone is already rooted.

Your car has pieces that run linux too. Guess an attacker can make you crash.

> drivers

Since this is about iPhone and Android comparison, guess what has those same driver blobs from those same exact manufacturers. Apple doesn't make their own Bluetooth chips. Oh, btw, the drivers get updated just fine, since that's part of the kernel and OS, which all get updated just fine.

Google supports kernel 4.1 till 2024 for Android 11. The Nexus from 2014 runs 4.9. So probably 2026 kernel and Android, fully patched - 12 years.

Oh, sorry, did you forget this thread started with a guy claiming iOS is great because you can put later versions of the OS on there? Where's that iPhone from 12 years ago running the latest version of iOS, and still performing fast? Because that's what this thread is about.


I really don't get why you're so hung up on this server thing. Yes, a phone is not a server. But it still runs a lot of complicated software. Software has bugs. We haven't found all the bugs yet. Hence, it's important to keep all of the software as up-to-date as possible for when people find some of the bugs.

> Your car has pieces that run linux too. Guess an attacker can make you crash.

Actually, yes... https://www.wired.com/2015/07/hackers-remotely-kill-jeep-hig... http://www.autosec.org/pubs/cars-usenixsec2011.pdf

> the drivers get updated just fine, since that's part of the kernel and os, which all get updated just fine.

Just because the kernel is getting updated does not mean the drivers and firmware are also getting updated. Drivers are specific to hardware, and if a vendor stops shipping updates for some chip that is no longer used in newer phones, then you aren't going to get updates for that chip.

> since this is about iphone and android comparison

This isn't about iPhone and Android comparison, not for me. You made naive claims about kernels not having attack surface and the unimportance of staying updated, and I am responding to those claims.



