Relation between Android version and Linux kernel versio

by loic » Mon, 27 Sep 2010 20:04:50 GMT


Sponsored Links
 Hi,

I am looking at Android security at the moment and particularly at the
possibility to prevent the exploit of Linux kernel bugs.
I am wondering how the software update process (and particularly the
kernel updates) works on the phones.
There are several versions of Android (1.5, 1.6, ..., 2.2) and several
version of the Linux kernel (2.6.27,..., 2.6.32)

- Is there any link (for all constructors) between the Android version
number and the Linux kernel version number ?
- Once a flaw is detected in the Linux kernel and a patch for that
flaw is integrated in the Linux kernel, how is this patch sent to the
phones (if it is at all) ?
- Is the end user notified that he should install this new update ?
- Are the software updates signed in any way to protect the user
against "false" updates ?
- Is this update process the same for all phone vendors
(HTC,Samsung,...)?

That is a lot of questions but I couldn't find any good documentation
on these points on the Internet.

Any help or suggestion is very welcome !

--



Relation between Android version and Linux kernel versio

by Jan Niggemann » Tue, 28 Sep 2010 15:39:41 GMT


 Hi Loic,

you partly address my concerns.

2010/9/27 loic <loic.habermac...@gmail.com>

This IMHO highly depends on manufacturer, carrier and android version.
As for the distribution: AFAIK some android versions can be updated OTA.
Are phones patched at all? No, if manufacturers don't release updated
firmwares, security issues are likely to remain unfixed.

- Is the end user notified that he should install this new update ?
That would be really cool, but no. There is no notification mechanism,
because manufacturers more or less "cook" their own firmwares with their own
changes. This is called "fragmentation", it leads to the undesireable
problem that there are many different versions of android in the wild.
And that's not all, because the end-user has no means of even knowing there
is an issue to be addressed. May I refer to my earlier thread "Not a single
security 
announcement?"<


Sponsored Links


Relation between Android version and Linux kernel versio

by Chris Palmer » Thu, 30 Sep 2010 22:38:13 GMT


 The kernel is updated periodically, and released when new Android
releases are published. Additionally, patches make it into OTA
updates. Google only knows about and can update Google Experience
Devices; Google has no knowledge of or ability to update non-GEDs.

There is no necessary link between Android version and kernel version,
other than that both increase monotonically.

Yes, users are notified of updates. GED users with Froyo are getting
their 2.2.1 update now, in fact. Updates are signed.

Non-GED OEMs and carriers can ship updates however they like, or not
at all. Frequency of updates could be one factor that informed buyers
use to decide.

--



Relation between Android version and Linux kernel versio

by jan » Fri, 01 Oct 2010 04:52:27 GMT


 

The Samsung Galaxy S "with Google" I own is one of those.
Until now, it was never updated OTA (can you uptade Eclair OTA?).
Today it still does not have Froyo, let alone 2.2.1 that contains a
fix for the information disclosure bug in the browser.

Not true. They share big portions of code and the bugs therein.
And that's the reason I'd like Google to write release notes with
every update.
How am I supposed to know which bug in the vanilla Linux kernel made
it into the Android kernel?

True, but read above. That's one of the reasons I bought a Samsung
Galaxy S, but perhaps Google does not put enough pressure on Samsung
to release a new firmware.

But there should be release notes and security advisories regardless
of the device, as these issues are OS related and not device related.

--



Relation between Android version and Linux kernel versio

by loic » Fri, 01 Oct 2010 07:10:38 GMT


 Thanks for your answers. It is a bit more clear to me know.


That information is quite hard to get and to understand for the
average buyer

--



Relation between Android version and Linux kernel versio

by Disconnect » Fri, 01 Oct 2010 13:08:43 GMT


 





Just FYI, if you think back to the g1, OTA updates have been a part of
android since the very first device. (In fact, if it hadn't been a
requirement, the g1's crippling storage problems wouldn't be nearly as bad.
Literally half of the flash is unavailable, much of it to facilitate OTA
updating.) I believe as of 1.6 or so the majority of the code made it into
the open source project, although before that a few of us took the partial
code apart (mostly JF iirc) and worked out how to interface to it.

--



Relation between Android version and Linux kernel versio

by Dianne Hackborn » Fri, 01 Oct 2010 18:40:54 GMT


 



30% of the storage is used by the cache partition.  The cache partition is
also used for other things such as downloading media and apps.  (It is the
main storage for the download manager that is visible in the browser, which
performs downloads and manages the storage to expunge old downloads as it
becomes full.  Though the UI is in the browser, it is a separate facility
and also used for example by Market to download apps.)

-- 
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.

--



Relation between Android version and Linux kernel versio

by Disconnect » Fri, 01 Oct 2010 19:33:24 GMT


 30% is "much of" 50% :) Also, looking way way back at
 http://andblogs.net/fastboot/ :
*userdata*: 76 megs, Holds all the user applications and data. Reset the
phone to factory by erasing it. (Sometimes referred to as ata
*cache*: 70 megs, supposed to be temporary storage (/cache) but actually
never used except by T-mobile OTA updates.

So as far as the user is concerned, it is half of the available storage.
(And yah, if that page still mattered I'd update it to reflect the fact that
newer OS loads did more with it.)

To properly rephrase:
Literally 1/3 of the onboard flash was reserved purely for OTAs, although
later OS versions used it as scratch space for downloads and such. (Nearly
the same amount as was available to the user to begin with.)






>



Relation between Android version and Linux kernel versio

by Dianne Hackborn » Fri, 01 Oct 2010 22:01:07 GMT


 



Ah, okay, I misread you as blaming the cache for taking 50% of the space.
 Sorry about that.

To properly rephrase:

Cache has *always* been used for other things.  It's not like the browser
and Market had some other magical place to put their downloads.

Anyway, this is a silly discussion.

-- 
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.

--



Relation between Android version and Linux kernel versio

by jan » Sat, 02 Oct 2010 07:01:01 GMT


 

I hope you do not mean this whole thread and just disqualify the cache
issue on the G1?

--



Other Threads

1. PostMethod is removed from 1.0?

After I upgraded to 1.0, I found PostMethod is removed. Following is
my old code

HttpClient client = new HttpClient();
PostMethod method = new PostMethod(Constants.serverUrl +function);
method.setParameter(SharedConstants.NAME_EMAIL, userName);
method.setParameter(SharedConstants.NAME_PASS, passWord)
int statusCode=client.executeMethod(method);

I migrated HttpClient to DedaultHttpClient. But what is the new method
for PostMethod?

THanks!

APril
--~--~---------~--~----~------------~-------~--~----~

2. Issues with permissions when using delegation with Content Providers

Hello, All my content providers are accessed via one over arching
provider that delegates to the others based on the contents of the URI
pattern matcher. So below just the one provider "RunBuddyProvider"
There are actually three smaller providers and I have taken steps to
encapsulate their functionality into one content provider. Interacting
with the providers via INSERT and QUERY works fine for the
instrumentation.
But when using live services that interact with activities I can only
use QUERY successfully. Using INSERT, I get:

ERROR/AndroidRuntime(4197): Uncaught handler: thread main exiting due
to uncaught exception
ERROR/AndroidRuntime(4197): java.lang.NullPointerException

This suggests to me that the permission has not been granted for the
application trying to use the content provider. Has anyone used this
technique or anything similar with content providers? Is this just a
permissions issue from the Manifest? I would appreciate any comments
on the implementation.

Hearing that other people have had some success with this technique of
content provider delegation would put my mind at rest that it worked
and allow me to pursue the bug down the security issues side.
Can anyone offer any suggestions?


#
# In more detail, with code:
#

The delegating content provider is registered in the Manifest:
       <provider
            android:name=".provider.RunBuddyContentProvider"
            android:authorities="com.novoda.runbuddy" />

This then instantiates the factory which then delegates to the other
Providers based on the URI pattern matcher.
Th RoutesProvider is the providers I am using in this instance. When
instantiated; I call the provider to insert based on the query. But
this always throws an Uncaught Handler Exception.

# All the involved classes

http://code.google.com/p/runningbuddy/source/browse/trunk/RunningBuddy/AndroidManifest.xml
http://code.google.com/p/runningbuddy/source/browse/trunk/RunningBuddy/src/com/novoda/runbuddy/provider/RunBuddyContentProvider.java
http://code.google.com/p/runningbuddy/source/browse/trunk/RunningBuddy/src/com/novoda/runbuddy/provider/RunBuddyContentProviderFactory.java
http://code.google.com/p/runningbuddy/source/browse/trunk/RunningBuddy/src/com/novoda/runbuddy/provider/RoutesProvider.java
http://code.google.com/p/runningbuddy/source/browse/trunk/RunningBuddy/src/com/novoda/runbuddy/util/DBHelperImpl.java#118
--~--~---------~--~----~------------~-------~--~----~

3. Best practice for seamless, integration authentication?

4. Best practise for naming intent extras

5. Call for Speakers - Emerging Communications 09

6. Are invisible activities possible?

7. Videos on emulator's browser