brontide
Token Ring
Posts: 94
Registered: ‎04-01-2019
Location: US
Views: 1,006
Message 61 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

There are literally dozens of model*channel*carrier variants, they claim a release when it's released to any of them :-/

chilinux
Punch Card
Posts: 25
Registered: ‎12-15-2014
Location: US
Views: 967
Message 62 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra


@brontide wrote:

There are literally dozens of model*channel*carrier variants, they claim a release when it's released to any of them :-/


I agree.

However, the Motorola blog post from February 22, 2018 promises:

"Delivery of Android security updates within 90 days of release from Google,"

 

That clearly indicates *ALL* AEP covered models must be getting the security update.  They never disclosed they would only honor the promise in select regions or carriers.

 

I am coming under the impression that Lenovo is grooming Motorola for being sold off to another company.  We keep saying in this thread that Motorola has sold us out, but I think they are looking to literally sell themselves out.  Fraudulently claiming to provide 90 day security update frequency to only then give statements of non-commitment to that with responses like "you're on the latest software build" is not a good long term strategy.

 

They had trouble honoring their commitments to the Moto G6 series with three different models and then they expanded the work for doing updates by releasing four models of Moto G7 series phones.  In the short term this allows them to hit four different price points and promote to companies interested in buying a "successful" phone company that they sell 26 devices per minute.  In the long term when the lack of security updates is shown to cause major problems (like banking apps being compromised through vulnerabilities that have been patched over 100 days ago), at that point those long term issues will become the problem of whoever bought Motorola rather than being Lenovo's problem.

 

This seems like a major mistake.  A year ago, phone reviewers were already talking about a lack of commitment to 30 day updates as being a problem.  For example:

https://9to5google.com/2018/04/20/moto-g6-moto-e5-security-updates-android-p/

 

The article says:

"First spotted by ArsTechnica and later confirmed by Android Authority, Motorola has confirmed that it will be delivering security updates for the Moto G6 lineup and the Moto E5 as well. However, those updates will be anything but monthly. Instead, the company has committed to updates every '60-90 days.' There’s no way around it – that’s just pathetic."

 

If reviewers are willing to use strong language such as "pathetic" for only committing to 90 days, then what will they say about that same Moto G6 being "up-to-date" with February 1, 2019 security patch level on June 21, 2019 for a total of 140 days?  ONE HUNDRED AND FORTY DAYS on a phone included in an AEP that the Motorola blog promises will never make it past double digits for the number of days between updates.

 

More importantly, Motorola is playing Russian roulette with its customers.  They are gambling that a known vulnerability will not become a major in-the-wild attack when malware developers have 140 days to develop exploit code.  As these windows of infrequent security updates continue to grow, the risk factor improves that something will happen that will be highly corrosive to the Motorola brand.  If Tim Cook had a lot to deal with to apologize for "Battery-gate," can you imagine how hard it would be to even try to address the whiplash for a Motorola "Compromise-gate" or Moto G "Bank-gate"?

 

Focusing on releasing a lot of devices quickly without any intention of being able to provide security patches only seems like a "good" business decision if selling off the company will be performed soon.  Otherwise, the continued risk to the brand in the mid-term seems like a huge potential disaster.

 

What companies could Lenovo be looking to sell to that Google hadn't already tried to sell Motorola to?  Or what companies would now be interested and have the capital that didn't back when Google was selling?  We now know that Huawei is never getting regulatory approval to make the purchase.  HMD/Nokia, LG or ASUS might be looking to enrich their existing offerings with the Motorola product offers and brand.  But would HMD, LG or ASUS even consider buying a company after a "Bank-gate" event?

 

Overall, I am beginning to feel sorry for the employees of Motorola that are still on a Titanic that gives the appearance of being an amazingly successful "unsinkable" phone company that is clearly headed for disaster.  Being reduced to giving robotic-like responses such as "you're on the latest [non-AEP compliant] software build" just won't cut it once the bank-gate iceberg is hit.

 

mclucid
Punch Card
Posts: 25
Registered: ‎06-13-2019
Location: US
Views: 955
Message 63 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

I completely agree with you. That being said, all we can do as consumers is jump ship. I did. I'm returning my G7 Power to Amazon and I bought a Pixel 3a XL. The only manufacturer that has consistent timely updates is Google. There's a chart you can find on a site that lists the manufacturers of smartphones and their update frequencies. Every company is in the red for Android except Google. That speaks volumes.

brontide
Token Ring
Posts: 94
Registered: ‎04-01-2019
Location: US
Views: 884
Message 64 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

I wish I could return my G7 at this point.  I bought it direct and even defended them when the updates were still within the 90 day window.  I received a few messages from the support people and then they stopped contacting me.

 

I guess I'll just have to warn as many people as possible of their scam.

brontide
Token Ring
Posts: 94
Registered: ‎04-01-2019
Location: US
Views: 827
Message 65 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

The option presented by support was to mail the device back to them for reflashing to the March firmware that doesn't have LTE support on CDMA.

 

So I pieced together data from ting support and the 3rd party firmware archive to update my own phone to the most current retus build which has LTE support PPOS29.114-16-7-2 which shows a Patch level of April 2019.  

 

https://help.ting.com/hc/en-us/community/posts/360029177814-Moto-G7-No-Data-CDMA?page=2#comments

chilinux
Punch Card
Posts: 25
Registered: ‎12-15-2014
Location: US
Views: 668
Message 66 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

To brontide:

As of today, the April 2019 security level patch is 98 days old.  Not only have you jumped through a lot of hoops to get something Motorola already promised you, you would have to jump through even more hoops to continue to bring the device into compliance with the Motorola blog post of having updates within 90 days.

 

I have contacted Motorola support again.  Moli, the Motorola virtual assistant, put me through to Jo Ann.  It was again stated that a pop up will appear when an update is available or it will show when using the Motorola Smart Assistant.  The fact both indicate there are no updates "just" means there are no updates available.  The fact that the stated functionality of 90 days or less for security update releases is not being honored is completely lost on support.

 

I was then told by Jo Ann that she would call me and transfer me to Level 2 support.  I was on the phone for over 20 minutes of which the majority of the time was with on-hold piano music only to then have them hang up on me without ever getting to talk to Level 2 support.  She also closed out the support chat online.

 

It is amazing the lengths support goes through to ignore Motorola's self-stated obligations for the frequency of security patches.

 

My previous support issue in June was marked "Resolved."  I am waiting to see when they mark the July issue as resolved.  Under the laws in my state, if three opportunities to bring a product into functioning as advertised fail then "lemon law" kicks in.  I have clearly documented twice in which I have given Motorola support the chance to repair the failing with the security patch level.

 

According to the following from the Motorola blog, May 2019 or later must now be the security patch level:

"Delivery of Android security updates within 90 days of release from Google, for a minimum of two years"

 

That is still not the case.

Spiff256
Punch Card
Posts: 18
Registered: ‎04-03-2019
Location: DE
Views: 656
Message 67 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

On June 4th, the security patch for May was announced. According to the German Motorola Support page already on May 30th. Regrettably, nothing of the update can be seen until today. If in July (!) the May update comes, 17 new _Critical Bugs_ of which 8 are "remote code execution" are not fixed. Motorola has had the May patches from Google since the beginning of April. April 1st + 90 days is July 1st, I'm here with Chilinux that the Moto G7 Plus is out of compliance to the Android Enterprise Recommended program (again).

brontide
Token Ring
Posts: 94
Registered: ‎04-01-2019
Location: US
Views: 641
Message 68 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

Yep, this unit is quickly becoming more of a liability than I want.  Besides Pixel, are there any other recommendations for manufacturers that support security and stand by their hardware?

chilinux
Punch Card
Posts: 25
Registered: ‎12-15-2014
Location: US
Views: 624
Message 69 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

I do not have any such recommendations.

 

The Google Nexus 6 which was built by Motorola was an extremely solid phone.

 

The first generations of Pixel (built by Huawei and LG) resulted in class action lawsuits over bootloop issues.  While not everyone was impacted by the bootloop issues, how Google handled the issue all the way to it becoming a lawsuit doesn't make them seem like a company that is really standing by the hardware.

 

In terms of being supportive of community ROMs allowing for more frequent security updates, maybe OnePlus is what you are looking for?  I have never personally used it.  I would check around the XDA developers forum for more information.

 

In theory the Moto G7 series should allow shifting to Android Generic System Images (GSI) and Motorola was nice enough to supply a bootloader unlock website.  At the same time, Motorola seems to supply no resources to the third-party firmware community and results using such images seem to be mixed.

 

Regardless of what resources are available external to Motorola, I don't think that lets Motorola off the hook for committing fraud such as on the following sites:
https://blog.motorola.com/2018/02/22/motorola-joins-android-enterprise-recommended-program/

https://www.motorola.com/us/products/android-enterprise-recommended-smartphones

 

If they need to maintain a "you get it when you get it" update model for their business, then they need to state that up-front.  But to maintain a policy that all that matters is the first 14 days for a refund and past that all marketed claims do not matter is complete crap and probably illegal.

 

In related news, D-Link reached an agreement with the USA Federal Trade Commission to have for 10 years a third party assessment of the security of the software on their products.  Hopefully at some point the FTC can move beyond looking at internet routers and address the systematic policy of fraud at Motorola.

Spiff256
Punch Card
Posts: 18
Registered: ‎04-03-2019
Location: DE
Views: 430
Message 70 of 79

Re: G7 Plus open to 10 critical security vulnerabilities, no compliance to Android Enterprise progra

Still no May update on my G7 Plus RETEU2. In the meantime, our Huawei P20 lite received Android 9 with the May updates on 01.07. and the June updates on 22.07. What is Motorola doing? The May update was announced on 30.05.2019. Two months later still no update?
