A new version of Android, Marshmallow, has been announced and will be released this fall. However, there are still a number of unanswered questions about the security issues related to Android. In fact, earlier this year, a software developer discovered a bug, since named “Stagefright,” that could potentially damage millions of Android devices.
The presence of the threat was acknowledged by Google, who sent out a patch to fix it to manufacturers and carriers. Then, a new bug was detected – in the patch sent by Google. Now, another patch has been sent to fix the hole in the previously sent patch! Already tens of thousands of Nexus phones are said to have been affected by this.
The biggest reason why security problems seem to crop up every now and then with Android, in contrast to iOS, which remains largely impregnable, has to do with Android’s business model. Google’s OS is completely dependent on its various hardware partners, and not the other way around.
Many of Google’s partners are today struggling to generate profits and are barely managing to keep up with the technology standards that are expected of them. This is a major issue and there doesn’t seem to be a way to solve it, as Android is being used by many more manufacturers around the world for a variety of other devices such as smartwatches, home automation and even cars.
In fact, it can be said that the entire Android ecosystem has become chaotic, which means Google is no longer in control of its own destiny. So, any updates made by Google require the approval of its partners before they can be passed on to the public. This clearly puts Google at a disadvantage vis-à-vis Apple, who can push their updates to the marketplace almost immediately, given that Apple is in complete control of the iOS ecosystem.
In fact, one may compare the security issues faced by Google with respect to Android to those faced by Microsoft in the 1990s with Windows. Back then, there was a series of security attacks on Windows because Microsoft’s partners – the hardware manufacturers – failed to carry the updates or patches for Windows security issues to users in time.
Most OEMs (original equipment manufacturers) take their time to install the patches sent by Google on their phones. That’s because the patches have to be tested first, before being installed on the phones. This takes time and money – and given how most Android OEMs are strapped for cash, this isn’t easy at all. So, many Android OEMs would rather use older versions of Android rather than install the latest versions on their phones.
This leaves Android phones running software with known, unpatched vulnerabilities, which hackers exploit. As Andrew Blaich, an analyst with Bluebox Security, explains, “Every day you look at it now, there’s a new vulnerability that’s been reported. That shows there’s a very long tail that they have to move toward. It just takes time.”
Now, as Android is used for a variety of other devices, including cars and wearables, the security risks associated with the OS have only become more acute. It doesn’t take much for hackers to disturb the Android ecosystem – a single specially crafted text message carrying malware would be enough to affect millions of devices.
Also, it’s hard for Google to fight hackers because most hardware manufacturers still belong to the old school, and are often slow-moving and unwilling to change – which only makes them vulnerable to attacks. As Chris Wysopal, the CTO of Veracode, explains, “The coordination across them is going to become an issue. I worry about the same update problem.”
Google does understand the gravity of the problem and has been taking steps to address the Android security issue, such as sending regular, monthly updates to all OEMs. Major OEMs such as Samsung and LG have committed themselves to this schedule.