Features of mobile device firmware updates

Whether to update the firmware on a personal phone is everyone's own decision.
Some install CyanogenMod; others do not feel like the owner of the device without TWRP or a jailbreak.
For corporate mobile phones, the update process has to be reasonably uniform, otherwise even Ragnarok will seem like fun to the IT staff.

Read about how this happens in the "corporate" world under the cut.

A brief primer

iOS mobile devices receive regular updates similar to Windows devices, but:

  • updates come out less frequently;
  • most devices receive updates, but not all.

Apple releases each iOS update immediately for most of its devices, except for those that are being withdrawn from support. At the same time, Apple supports its devices for a long time. For example, even the iPhone 6s, released in 2015, will receive the iOS 14 update. Of course, there are some rough spots, such as the forced slowdown of older devices, which, as they say, was done not to force you to buy a new phone, but to extend the life of the old battery... But in any case, it is better than the situation with Android.

Android is essentially a franchise. Google's original Android is only found on Pixel devices and budget devices that participate in the Android One program. On other devices, only Android derivatives are found - EMUI, Flyme OS, MIUI, One UI, etc. For the security of mobile devices, this diversity is a big problem.
For example, the "community" finds another vulnerability in Android or in the system components that underlie it. The vulnerability is then assigned a number in the CVE database, the finder receives a reward under one of Google's bounty programs, and only then does Google release a patch and include it in the next Android release.

Will your phone get it if it's not a Pixel or an Android One member?
If you bought a new device a year ago, then probably yes, but not right away. Your device manufacturer will still need to include the Google patch in their Android build and test it on supported device models. Top models are supported a little longer. Everyone else has to put up with it and avoid reading the CVE database in the morning, so as not to spoil their appetite.

The situation with major Android updates tends to be even worse. On average, a new major version reaches mobile devices running customized Android no sooner than a quarter after release, and often later. For example, the Android 10 update from Google was released in September 2019, and devices from different manufacturers that were lucky enough to be eligible for the update kept receiving it until the summer of 2020.

Manufacturers can be understood. Releasing and testing new firmware is a cost, and not a small one. And since we have already bought the devices, they will not receive additional money from us.
It remains ... to force us to buy new devices.

The leakiness of Android builds from individual manufacturers has caused Google to re-architect Android so that it can deliver critical updates on its own. The project was called Google Project Zero; it was written about on Habré about a year ago. The feature is relatively new, but it has been built into all devices with Google services released since 2019. Many people know that these services are paid for by device manufacturers, who pay royalties for them to Google, but few people know that the matter is not limited to commerce. To get permission to use Google services on a particular device, the manufacturer must submit its firmware to Google for verification. At the same time, Google does not accept firmware with ancient Android for verification. This allows Google to impose its Project Zero on the market, which will hopefully make Android devices more secure.

Recommendations for corporate users

In the corporate world, companies use not only public applications available on Google Play and the App Store, but also applications of their own development. Sometimes the life cycle of such applications ends the moment the acceptance certificate is signed and the developer's services are paid for under the contract.

In this case, installing a new major OS update often causes such job-is-done applications to stop working. Business processes come to a halt and developers are rehired until the next problem occurs. The same thing happens when corporate developers do not manage to adapt their applications to a new OS in time, or when a new version of the application is already available but users have not yet installed it. UEM-class systems, in particular, are designed to solve such problems.

UEM systems provide operational management of smartphones and tablets, installing and updating applications on mobile workers' devices in a timely manner. In addition, they can roll back an application to the previous version if necessary. The ability to roll back a version is an exclusive feature of UEM systems. Neither Google Play nor the App Store provides such an option.

UEM systems can remotely block or delay mobile device firmware updates. Behavior varies by platform and device manufacturer. On iOS in supervised mode (read about the mode in our FAQ) you can delay updates by up to 90 days. To do this, it is enough to configure the appropriate security policy.
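What such a policy looks like on the wire, as an added example that is not taken from the original article or from any UEM product: a Python sketch that builds an Apple configuration profile whose Restrictions payload defers OS updates, and an audit helper that reads the delay back. The keys `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateDelay` are Apple's documented restriction keys; the `com.example.*` identifiers, organization name and function names are placeholders.

```python
import plistlib
import uuid

MAX_DELAY_DAYS = 90  # upper bound for supervised iOS devices, as stated in the text
RESTRICTIONS = "com.apple.applicationaccess"  # payload type of the Restrictions payload


def build_update_delay_profile(days, org="Example Corp"):
    """Return .mobileconfig bytes that defer OS updates by `days` days."""
    if type(days) is not int or not 1 <= days <= MAX_DELAY_DAYS:
        raise ValueError(f"delay must be an integer from 1 to {MAX_DELAY_DAYS}")
    restrictions = {
        "PayloadType": RESTRICTIONS,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.updatedelay.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "forceDelayedSoftwareUpdates": True,   # hide new updates from the user
        "enforcedSoftwareUpdateDelay": days,   # for this many days after release
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.updatedelay",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Defer OS updates",
        "PayloadOrganization": org,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def read_update_delay(profile_bytes):
    """Audit helper: enforced delay in days, or None if updates are not deferred."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue
        if payload.get("forceDelayedSoftwareUpdates"):
            # Apple documents 30 days as the default when the delay key is absent.
            return payload.get("enforcedSoftwareUpdateDelay", 30)
    return None
```

The restriction only takes effect on supervised devices; on an unsupervised device the profile installs but the delay is ignored.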

On Android devices manufactured by Samsung, you can disable firmware updates for free or use the additional paid service E-FOTA One, with which you can specify which OS updates to install on devices. This gives administrators the ability to pre-test the behavior of enterprise applications on new firmware on their devices. Understanding the complexity of this process, we offer our customers a service based on Samsung E-FOTA One, which includes services for checking the performance of target business applications on the device models used by the customer.

On Android devices from other manufacturers, alas, there is no similar functionality.
About the only way to prohibit or postpone their updates is with horror stories such as:
"Dear users! Don't update your devices. This may cause applications to fail. If this rule is violated, your calls to the technical support service will NOT be considered / listened to!"

One more recommendation

Follow the news and corporate blogs of manufacturers of operating systems, devices and UEM platforms. Just this year, Google decided to drop support for one of the possible mobile strategies, namely a fully managed device with work profile.

Behind this long title lies the following scenario:

Prior to Android 10, UEM systems fully managed the device AND the work profile (container) that contains enterprise applications and data.
Starting with Android 11, full management is possible for only EITHER the device OR the work profile (container).

Google explains the innovations by concern for the privacy of user data and their wallet. If there is a container, then the user's data must be out of sight and control by the employer.

In practice, this means that it is now impossible to find out the location of corporate devices or to install applications that the user needs for work but that do not need to be placed in a container to protect corporate data. Or, to do so, you have to abandon the container ...

Google claims that this access to personal space deterred 38% of users from installing UEM. Now UEM vendors are left to “eat what they give”.

We prepared for these innovations in advance, and this year we will offer a new version of SafePhone that takes Google's new requirements into account.

Little known facts

In conclusion, a few more little-known facts about updating mobile OS.

  1. Firmware on mobile devices can sometimes be rolled back. As the analysis of search phrases shows, the phrase “how to restore Android” is searched more often than “Android update”. It would seem that minced meat cannot be turned back, but sometimes it is still possible. Technically, rollback protection is based on an internal counter, which does not increase with each firmware version. Within one value of this counter, rollback is possible. This is about Android. In iOS, the situation is slightly different. From the manufacturer's website (or countless mirrors), you can download an iOS image of a specific version for a specific model. To install it over a cable using iTunes, Apple must sign the firmware. Usually, in the first few weeks after the release of a new version of iOS, Apple keeps signing the previous firmware versions so that users whose devices are buggy after the update can return to a more stable build.
  2. At a time when the jailbreak community had not yet scattered to large companies, it was possible to change the displayed version of iOS in one of the system plists. So it was possible, for example, to make iOS 6.2 from iOS 6.3 and vice versa. Why this was necessary, we will tell in one of the following articles.
  3. The general love of manufacturers for Odin, the program for flashing smartphones, is obvious. A better tool for flashing has not yet been made.
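The counter described in item 1, as an added example that is not part of the original article: a simplified Python model of an anti-rollback check, similar in spirit to the rollback index in Android Verified Boot. It shows which older builds a device would still accept. The class and function names and the build catalogue are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Build:
    version: str         # human-readable firmware version
    rollback_index: int  # anti-rollback counter embedded in the signed image


# Constructed catalogue in release order: the counter is bumped only at 2.0.
CATALOGUE = [Build("1.0", 1), Build("1.1", 1),
             Build("2.0", 2), Build("2.1", 2), Build("2.2", 2)]


class Device:
    def __init__(self, build):
        self.build = build
        # Highest counter seen so far, kept in tamper-resistant storage.
        self.stored_index = build.rollback_index

    def flash(self, build):
        """Install `build` if the counter check allows it; return True on success."""
        if build.rollback_index < self.stored_index:
            return False  # image carries an older counter: refused
        self.build = build
        # The stored counter only ever moves forward.
        self.stored_index = max(self.stored_index, build.rollback_index)
        return True


def rollback_targets(device, catalogue):
    """Versions older than the running build that the device would still accept."""
    current = catalogue.index(device.build)
    return [b.version for b in catalogue[:current]
            if b.rollback_index >= device.stored_index]
```

For a fleet, the practical consequence is that a pilot group can be returned to the previous build only while both builds share a counter value; once a build with a higher counter has booted, the older ones are rejected for good.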

Write, discuss, ... maybe we can help.

Source: habr.com
