Android, Security and Failed Promises

August 18th, 2016

Every year or so, Google promises to make the Android update system more reliable. As it is, when an OS update is posted, there is no guarantee your Android smartphone will ever receive it. Sure, if you own a Nexus device, it should arrive, eventually, but otherwise you may be left waiting and waiting.

Suppose there’s a critical security bug. Google does its due diligence, confirms the bug and releases an update. For those not using a Nexus device, the update goes to the handset manufacturer, not the end user. The manufacturer, in turn, has to decide to push it. So they will integrate it with their own customized junkware. Once that’s done, it goes to the carrier, who may have its own junkware collection and its own agenda.

But once they sell you a phone and a service plan, there’s little incentive to provide ongoing support. Better you buy more hardware. Worse, buying a new Android handset may still saddle you with a fairly old OS.

According to the stats I saw at Mixpanel Trends, which records OS adoption rates, the number one Android OS, Lollipop 5.0/5.1, released in 2014, has a share of 33.46%. The next most popular Android OS is KitKat 4.4, released in 2013, at 27.76%.

What I said! The majority of Android handsets currently in use have operating systems that are nearly two to three years old. They will likely never receive upgrades for newer OS versions, or, if they do, it’ll take a long time for the red tape to be dealt with. So regardless of what spiffy new features are being offered by Google, customers won’t see it for years, and there’s no incentive for developers to support those features right away, since it won’t enhance a user experience for more than a small percentage of users.

Now consider what might happen if a critical security problem was discovered. That happens frequently, even on Apple’s platforms. But Apple made the smart decision to assume full control of their mobile gear, which means they can push OS updates whenever necessary. Just about every update for iOS and macOS includes a bunch of security fixes. While few, if any, result in compromised gear, it’s important to remove even the potential, and Apple has gotten increasingly proactive in delivering critical security fixes. A bounty of up to $200,000 was recently established for hackers and security researchers when they deliver evidence of a security problem.

Android? I don’t know what to say. According to a published report, a Linux TCP bug has made an estimated 1.4 billion Android devices vulnerable to hackers who want to hijack them. That means that 80% of all Android devices can be hijacked if this flaw is exploited.  This comes after another published report indicated that Android devices powered by Qualcomm chips may be vulnerable to rooting flaws; another flaw makes them vulnerable to theft.

According to the International Business Times: “The [TCP] vulnerability affects the Linux Kernel 3.6, which was introduced to Android smartphones during the update to Android version 4.4 KitKat, all the way up to the latest version…”

The article suggests ways to keep your Android gear safe, since receiving a real security fix from Google, the handset maker or the carrier, is slim, but they are definitely not for the casual user: “There are steps users can take to safeguard themselves in the meantime, the most basic of which is ensuring all the websites and apps you use are encrypted and use HTTPS with TLS. You can also use a VPN as an added layer of protection.”

As I said, it’s a solution definitely not suited to regular people, not in the least. Businesses large enough to have an IT department can get by. Clearly the IBTimes wrote that article for a very specific audience. But Android users need to be afraid, very afraid if the bug, considered to be of medium impact, results in lots of compromised gear.

Even if only a small number of Android handsets are compromised, it just goes to demonstrate the severe fragmentation of the Android platform that has resulted in hundreds of millions of users with gear running old operating systems that may never receive a single security update. As a practical matter, sticking within the Android ecosystem system and only downloading apps and music from the Google Play store will deliver the most secure experience. And be careful about the sites you visit.

Now this may not indicate anything, but consider the recent brouhaha with Apple and the FBI. Until they hired a hacker to break into an iPhone 5c owned by a deceased terrorist, the FBI was trying to force Apple to build a back door to iOS to allow them access. In other words, they only secured access to that iPhone with difficulty, and at great expense.

Compare that to Android. Does Google always give access to the FBI if they receive a request? Does the FBI ever face a problem unlocking an Android handset or tablet? Or do criminals prefer the iPhone because it’s more secure, harder to hack? As a practical matter, the iPhone 5c in question was actually a work phone owned by the San Bernardino County Department of Health.

But I do wonder why Google’s mobile OS hasn’t become an issue in government investigations. Does that demonstrate it’s less secure? I’m sure Android users will have a thing or two to say about that.

| Print This Article Print This Article

4 Responses to “Android, Security and Failed Promises”

  1. DaveD says:

    I am reminded that a user of Apple products was called a member of a cult or a sheeple. While I don’t like being called that, I chose Apple for the quality, usability of its products along with a confident sense of security and privacy. I doubt any Android users have a clue of any security/privacy issues with their devices. There is a federal case going to trial here in Washington state of an alleged Russian hacker who stole credit card data from small businesses (primarily pizza restaurants) and sold it online culminating in $170 million of fraudulent purchases. No mentioned of the cash register system in use.

  2. Dfs says:

    “…the most basic of which is ensuring all the websites and apps you use are encrypted and use HTTPS with TLS.” When you visit a page how do you know what its doctype without viewing its source code, and does any mobile browser allow you to do this? And anyway, you can’t determine doctype until after you’ve loaded the page in question and the damage, if any, has already been done (unless there is such a thing as a browser that only loads pages of predetermined doctypes, and I’ve never heard of such a thing). Maybe I’m just showing my ignorance, but this strikes me as useless advice.

Leave Your Comment