Daniel Micay
Security researcher/engineer working on mobile privacy/security. Founder of @GrapheneOS.

Sep 21, 2020, 9 tweets

The public Android security bulletins are not nearly as useful as they used to be since so much information was stripped out of them. Need to figure out even basic details entirely from the commit message and changes to the code. Internal bulletins still have more information.

This makes it difficult to figure out when a bug was fixed with only the details of the bug including the impacted subsystem but not a CVE ID. threatpost.com/bluetooth-spoo… says the issue is unpatched on Android but that seems based on the researchers testing a device without updates.

It's highly likely that android.googlesource.com/platform/syste… is the fix for this issue since it's a fix for a security bug in pairing tied to authentication of a device that was previously paired. I'm not entirely sure it's the same bug since there aren't enough details available for the fix.

This fix is listed as CVE-2020-0379 as part of the 2019-09-01 patch level: source.android.com/security/bulle…. The bulletin simply refers to it as a high severity Information Disclosure (ID) in "System". Are they seriously just categorizing by component based on top level AOSP directory?

I could ask someone to check the internal bulletin, or I could ask someone at Google to check b/150156492. It seems strange that so little information is being provided now. Any resourceful adversary will be able to get access to the broadly distributed internal bulletins anyway.

I could post a few examples from a past month of the internal bulletin description vs. lack of any real public bulletin information. This just seems to make things much harder for external security researchers. They should want people verifying that fixes were done correctly.

Long-term support for older major versions in AOSP is also strange. AOSP has maintenance branches for the current major OS version with all kinds of bug fixes and other improvements. It's the same source tree they use to build the stock OS with their proprietary repos added in.

For previous major releases of AOSP, which now includes Android 10, they release tags for the monthly security updates based on the earliest tag for that major release. Those only include security patches added that month and an arbitrary assortment of previous security patches.

Internal security patch previews are a bundle of security patches to be applied consecutively onto the earliest tag for a major release without all non-security improvements in the AOSP maintenance releases. So, for past major releases, they're awkwardly publishing those via Git.
