this post was submitted on 04 Sep 2023

26 points (90.6% liked)

Android

27333 readers

226 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules

1. All posts must be relevant to Android devices/operating system.

2. Posts cannot be illegal or NSFW material.

3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.

4. Non-whitelisted bots will be banned.

5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.

6. Memes are not allowed to be posts, but are allowed in the comments.

7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.

8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.

Community Resources:

We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.

Our Partner Communities:

[email protected]

founded 1 year ago

MODERATORS

[email protected]

Is there any inherent risk in running software that has not been updated? (feddit.uk)

submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/[email protected]

8 comments fedilink hide all child comments

I'm curious as I've been running DNS66 on my previous and current phone and whilst it does exactly what it says (blocks all ads across the device) my concern is that the last published update in fdroid sas 2021.

I'm currently running AdAway which has been more recently updated and does an equally good job of blocking in-app ads.

My question though is more, if the software is still doing what it was intended to do is there a fundamental risk in using software that is no longer being updated?

top 8 comments

sorted by: hot top controversial new old

[–] [email protected] 30 points 11 months ago* (last edited 11 months ago) (2 children)

Depends on your risk surface. If the program in question that doesn't get any updates is isolated from the network completely. air gapped. Then it's probably fine. It's working.

The trouble is the internet is constantly evolving, and so as soon as an exploit is discovered it's added to a bunch of exploit scanners which look for things online that they can exploit. So if you have a piece of software that's not getting updates, and it's attached to the network. You could get in trouble.

And not just the software itself, any libraries it used, any build environment objects that pulled in. All of those are part of the ecosystem. So while the code itself may not have somebody looking at it for an exploit, it could use a standard library which now has an exploit which is in metasploit with somebody's just scanning the internet to find your little phone.

[–] [email protected] 4 points 11 months ago (1 children)

So I have an older phone lying around and I've always wondered how risky would it be to connect it to Wi-Fi. Just because it has lost software updates a while back does that automatically open a gap in my network? Or would someone have to put in a lot of effort to get through like my routers firewall

[–] [email protected] 8 points 11 months ago (1 children)

Your router's firewall only blocks access to unauthorized ports. If your device is talking to the Internet, then that device is exposed to that connection. Your router's firewall does not prevent your device from using an outdated and exploitable software on the Internet.

Theoretical example, your device is stuck using an old web browser for whatever reason, that browser does not have a recent patch for an exploit involving loading infected pictures. You use that device to load a website with those infected pictures and your device loads malware because of that. Now your device could become a conduit for somebody to tunnel into your home network and look for any other things to exploit, whether those devices connect to the Internet themselves or not.

Obviously, you can often update web browsers on older devices, use a fork specifically designed for older devices, etc. But there are oversights. Old Android versions can't update Webview outside of OS updates. Webview is what apps use to load web pages inside the app, and if you're using an old app, which uses the old Webview, to load a webpage that the owner abandoned and has been taken over by a malicious third-party, your device could be exploited just by that app loading that webpage without you meaning to.

[–] [email protected] 2 points 11 months ago

Wow that makes a lot of sense thank you for taking the time to explain it!

[–] [email protected] 3 points 11 months ago

If the program in question that doesn’t get any updates is isolated from the network completely.

just adding that one can achieve that using an app like NetGuard: https://f-droid.org/en/packages/eu.faircode.netguard/

[–] [email protected] 10 points 11 months ago

2021 isn't that long ago to be honest.

[–] [email protected] 4 points 11 months ago

Depends on the software, what it does, known vulnerabilities (in the software itself but also underlying libraries etc).

Since it is likely intercepting DNS and blocking known ad domains, it could be vulnerable to exploits which rely on malicious encoding in DNS records etc

[–] [email protected] 2 points 11 months ago

There's no need to update if there are no known exploits. A lot of companies push updates just to force a new privacy policy these days. Not every update is a security patch or new feature, unfortunately.