Want to understand why Android security can be a nightmare?
It seems like Google is working hard to update and upstream the Linux kernel that sits at the heart of every Android phone. The company was a big participant in this year’s Linux Plumbers Conference, a yearly meeting of the top Linux developers, and Google spent a lot of time talking about getting Android to work with a generic Linux kernel instead of the highly-customized version it uses now. It even showed an Android phone running a mainline Linux kernel.
But first, some background on Android’s current kernel mess. Currently, three major forks happen in between the “mainline” Linux kernel and a shipping Android device (note that “mainline” here has no relation to Google’s own “Project Mainline”). First, Google takes an LTS (Long Term Support) Linux kernel and turns it into the “Android Common kernel”—the Linux kernel with all the Android OS-specific patches applied. Android Common is shipped to the SoC vendor (usually Qualcomm), where it gets its first round of hardware-specific additions, focused on a particular model of SoC. This “SoC Kernel” then gets sent to a device manufacturer for even more hardware-specific code that supports every other piece of hardware, like the display, camera, speakers, USB ports, and any extra hardware. This is the “Device Kernel,” and it’s what actually ships on a device.
This is an extremely long journey that results in every device shipping millions of lines of out-of-tree kernel code. Every shipping device kernel is different and device specific—basically no device kernel from one phone will work on another phone. The mainline kernel version for a device is locked in at the beginning of an SoC’s initial development, so it’s typical for a brand-new device to ship with a Linux kernel that is two years old. Even Google’s latest and, uh, greatest device, the Pixel 4, shipped in October 2019 with Linux kernel 4.14, an LTS release from November 2017. It will be stuck on kernel 4.14 forever, too. Android devices do not get kernel updates, probably thanks to the incredible amount of work needed to produce just a single device kernel, and the chain of companies that would need to cooperate to do it. Because kernel updates never happen, every new release of Android usually has to support the last three years of LTS kernel releases (the minimum for Android 10 is 4.9, a 2016 release). Google’s commitment to support older versions of Android with security patches means the company is still supporting kernel 3.18, which is five years old now. Google’s band-aid solution for this so far has been to team up with the Linux community and support mainline Linux LTS releases for longer, and they’re now up to six years of support.
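A practical consequence of the pinning described above is that a defender managing a fleet of Android devices has to know which LTS series each device kernel is based on and how old that series is. The script below is an added example, not code from the article or from Google: it parses the kind of string `adb shell uname -r` returns on an Android device (for example `4.14.117-g1a2b3c4d5e6f` or `4.9.186-perf+`), maps the `major.minor` series to its LTS release date, computes the series' age at a reference date, and flags devices below the Android 10 minimum of 4.9 that the article cites. The device labels and version strings in the inventory are constructed; the LTS release dates are public kernel.org dates (the article itself gives only "4.14, November 2017" and "4.9, a 2016 release"), and the 2019-10-24 reference date is an assumption chosen to match the article's timeframe.

```python
"""Classify Android kernel version strings against Linux LTS series (added example)."""
import re
from datetime import date

# LTS series release dates as published on kernel.org (not taken from the article,
# which only mentions 4.14 / Nov 2017 and 4.9 / 2016).
LTS_RELEASE = {
    (3, 18): date(2014, 12, 7),
    (4, 4): date(2016, 1, 10),
    (4, 9): date(2016, 12, 11),
    (4, 14): date(2017, 11, 12),
    (4, 19): date(2018, 10, 22),
}

# Minimum kernel series per Android release; the article states 4.9 for Android 10.
MIN_SERIES = {10: (4, 9)}

# Assumed reference date, chosen to match the article's October 2019 timeframe.
REFERENCE_DATE = date(2019, 10, 24)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_uname(release: str) -> tuple:
    """Return (major, minor, patch) from a `uname -r` string.

    Android device kernels append vendor suffixes such as '-g<hash>' or '-perf+',
    so only the leading numeric triple is used.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(x) for x in m.groups())


def classify(release: str, android_version: int = 10, today: date = REFERENCE_DATE) -> dict:
    """Describe one device kernel: its LTS series, age in years, and whether it
    meets the minimum series for the given Android release."""
    major, minor, patch = parse_uname(release)
    series = (major, minor)
    released = LTS_RELEASE.get(series)
    age_years = round((today - released).days / 365.25, 1) if released else None
    minimum = MIN_SERIES.get(android_version)
    return {
        "series": f"{major}.{minor}",
        "patch": patch,
        "is_lts": released is not None,
        "age_years": age_years,
        "meets_android_minimum": minimum is None or series >= minimum,
    }


def flag_inventory(inventory, android_version: int = 10) -> list:
    """Return (label, reason) pairs for devices that warrant attention:
    unparseable strings, non-LTS series, or series below the Android minimum."""
    flagged = []
    for label, release in inventory:
        try:
            info = classify(release, android_version)
        except ValueError as exc:
            flagged.append((label, str(exc)))
            continue
        if not info["is_lts"]:
            flagged.append((label, f"series {info['series']} is not a known LTS series"))
        elif not info["meets_android_minimum"]:
            flagged.append((label, f"series {info['series']} is below the Android "
                                   f"{android_version} minimum"))
    return flagged


# Constructed sample inventory: (device label, output of `adb shell uname -r`).
SAMPLE_INVENTORY = [
    ("phone-a", "4.14.117-g1a2b3c4d5e6f"),   # Pixel-4-style 4.14 kernel
    ("phone-b", "4.9.186-perf+"),            # 4.9, still meets the Android 10 minimum
    ("phone-c", "3.18.140-perf+"),           # five-year-old series, below minimum
    ("phone-d", "unknown"),                  # garbage from a broken adb session
]

if __name__ == "__main__":
    for label, release in SAMPLE_INVENTORY:
        try:
            print(label, classify(release))
        except ValueError as exc:
            print(label, "ERROR:", exc)
    print("flagged:", flag_inventory(SAMPLE_INVENTORY))
```

The age calculation deliberately uses the series release date rather than the `patch` number: a high patch level (4.9.186) shows the LTS branch has been receiving fixes, but it does not change the fact that the device is bound to a 2016 kernel series and will never move to a newer one.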