Android's huge update problem

The Android ecosystem has a huge problem with deploying timely updates to Android phones and tablets. This lack of updates, especially security updates, needlessly and negligently exposes Android devices to malware infection.

 

When a vulnerability* is discovered in any operating system, be it Windows, MacOS, iOS (which runs on iPhone and iPad), Android, or whatever, the company that develops and maintains that OS* will patch (fix) the vulnerability and issue an update to all their customers. These updates are usually automatic so you don't have to do anything to receive them and be protected.

 

But Android devices, by the hundreds of millions, go unpatched for long periods of time and often aren't ever updated. Google is the company that develops and maintains Android. Even though Google patches vulnerabilities as they are discovered, the larger ecosystem in which Android operates needlessly delays the actual deployment of those updates.

Wow, why is that??

 

That's a really big question. Let's start at the beginning, shall we?  Yeah, I know, that sounds like you're in for a long read. It's really not that long. I want my articles to be interesting and informative.

How did Android come about anyway?

 

A very brief history of smart phones

 

Back in 2007, Apple caught the mobile phone world flat-footed when they released the iPhone. People bought the iPhone like crazy with long lines snaking around the stores that sold them. There was nothing else even close to it. Apple pretty much had the entire smartphone market to themselves for a good two years at least. Other manufacturers scrambled to develop their own smartphone and OS to compete with Apple but they were all floundering. It was a pivotal moment in the mobile industry and a genuine existential threat.

 

With competitors trotting out various devices, all doomed to fail, the competitive bloc needed a savior to unify their response to Apple. Certainly, no existing phone manufacturer could be trusted to develop the needed OS. Competition was fierce and cutthroat and besides they lacked the skill to do so.

 

Google was probably the only non-device-aligned company large enough to quickly pull off the development of a device-agnostic OS that all the phone OEMs could get behind. Microsoft was a nonstarter as they were very late to the mobile game and, indeed, have since officially abandoned it.

 

To sweeten the deal, giving bickering manufacturers added incentive to use Android, Google opened Android and gave the phone makers and wireless carriers wide latitude over modifications to Android. And it was FREE. It was the easiest way to get widespread adoption even though the manufacturers had no real alternative. And THAT was the deal with the devil -- the fateful decision that led to today's Android security nightmare.

 

So herein lies the problem: Phone manufacturers (OEMs) are in the phone-making business. The wireless carriers are in the bandwidth and signal business. The modifications that OEMs and carriers perform on Android aren't done to make Android better or more secure. They are done to sell their ancillary services, period. So they aren't particularly interested in testing and deploying non-revenue-generating security updates coming from Google. They'd rather you just buy a new phone.

 

And since the manufacturers and carriers are an (uncooperative) integral part of the update process, well, then, updates are very slow in coming, if at all.

 

Update chain

Here's the chain of steps that an update, such as a security patch, traverses on its way to your phone.

This is how most Android phones are sold.

The Phone Maker and Carrier steps shown in red above are where those updates, including critical security updates, languish and often die. Phones that have not reached end of life (more on this below) may receive these updates or they may not. Even if they do, those updates can sometimes take months to make their way through the chain and onto your phone.

The unlocked Pixel and Nexus-branded phones are the only exception. (Pixel replaced the Nexus brand in 2016.) For the unlocked model, there is no OEM or carrier interference in the update process. For Android fans, the unlocked, Pixel-branded phones are the only phones to buy, period. New versions of Android, however, may require cooperation from the chipset manufacturer to write and update device drivers. That often doesn't happen. So while your Pixel-branded phone might get timely updates for the existing version of Android, it might not be upgradable to the next version. This helps for security but does little for the overall Android fragmentation problem discussed below.
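A practical way to see where your own devices sit in that chain is to read the security patch level each one reports. The script below is an added example, not part of the original article: it parses the output of `adb shell getprop` (the real properties `ro.build.version.release` and `ro.build.version.security_patch`, the latter present on Android 6.0 and later) and reports how many days each device's patch level lags a reference date. The device names and property values are constructed sample data.

```python
"""Flag Android devices whose security patch level is stale.

Added example. Input is the text of `adb shell getprop`, one capture per
device; here the captures are constructed inline so the script runs offline.
"""
from datetime import date, datetime

# Constructed sample captures (not real devices). device-C predates
# Android 6.0 and therefore has no security_patch property at all.
SAMPLE_GETPROP = {
    "device-A": "[ro.build.version.release]: [7.0]\n"
                "[ro.build.version.security_patch]: [2017-09-05]\n",
    "device-B": "[ro.build.version.release]: [5.1]\n"
                "[ro.build.version.security_patch]: [2016-03-01]\n",
    "device-C": "[ro.build.version.release]: [4.4.2]\n",
}

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and "]: [" in line:
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props

def patch_age_days(props, today):
    """Days between the reported patch level and `today`, or None if unknown."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    patched = datetime.strptime(raw, "%Y-%m-%d").date()
    return (today - patched).days

def classify(age_days, max_age_days=90):
    """Policy threshold (assumed here): more than 90 days behind is stale."""
    if age_days is None:
        return "unknown"
    return "stale" if age_days > max_age_days else "current"

def report(getprop_outputs, today):
    """Map device name -> (Android release, patch age in days, verdict)."""
    result = {}
    for name, text in getprop_outputs.items():
        props = parse_getprop(text)
        age = patch_age_days(props, today)
        result[name] = (props.get("ro.build.version.release"), age, classify(age))
    return result

if __name__ == "__main__":
    for name, row in sorted(report(SAMPLE_GETPROP, date(2017, 10, 4)).items()):
        print(name, row)
```

On a real fleet, replace the constructed dictionary with the captured `getprop` output of each enrolled device; a device reporting "unknown" is older than Android 6.0 and should be treated as stale.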

It's not that Android itself is necessarily less secure although there is some argument there. The problem is lack of updates. On the present course, there will eventually be an Android security armageddon -- a day of reckoning where the sloppy practices of today will bite the entire Android ecosystem on its ass, UNLESS the OEMs and carriers cease their petty turf wars and embrace proper security update protocols. They may yet do that if their survival instinct ever kicks in. But today they have not and there's little indication that will change any time soon. C-Suite executives rarely give security concerns proper treatment.


Apple is very different in this regard. Since Apple both manufactures their devices and develops the OS, they have total control and are able to deploy security fixes whenever necessary -- without needing cooperation from OEMs and wireless carriers. This is a critical advantage to iPhone (and iPad). It's enough of a reason all by itself to eschew Android in favor of iPhone -- unless, as mentioned above, you buy an unlocked Pixel-branded phone.


What kind of malware might infect my phone as a result?


Malware can be designed to do any number of nefarious tasks: Pilfer your passwords, exfiltrate (steal) sensitive data, add your device to a botnet, track everything you do including recording your phone calls, text messages, and your movements using the GPS receiver, spread to other devices using yours as a springboard (Typhoid Mary), "brick" your phone by overwriting the phone's firmware, encrypt your data (ransomware), and really any number of other things of the bad actor's choosing.


Fragmentation


Fragmentation is when there are hardware and/or software inconsistencies in the installed user base (people with phones). This, too, aggravates timely deployment of updates. As of this writing, the Android ecosystem has some 24,000(!) distinct device models (hardware) across dozens or possibly hundreds of brands. And there are numerous versions of Android (software) as well, making for even more distinct combinations. These models have widespread and significant feature differences, making it difficult for developers to take advantage of hardware features that aren't common, e.g. biometric authentication such as a fingerprint reader or facial recognition. In short, the Android ecosystem is hugely fragmented.

Again, Apple is very different. As of this writing, Apple has released only eighteen iPhone models since its introduction way back in 2007. When iOS is upgraded, the penetration rate to already-sold iPhones is nearly universal. This lack of fragmentation makes it easier to develop for the Apple ecosystem since developers can expect certain hardware features to be present and for most Apple devices to be on the same iOS version. For example, all iPhones from the 5S onward have a fingerprint sensor. (*) This also makes it easier for Apple and developers to update and support older devices.

* The new iPhone X eliminates the home button which housed the fingerprint sensor in earlier models. Instead, the X uses facial recognition using a new advanced camera. But app-writers don't have to worry about that as it's handled by the operating system.

iOS vs. Android OS version penetration

As you can see on the blue pie chart, 87% of Apple's portable devices (iPhone, iPad) in the wild are on iOS 10 (as of Apr 2017). Another 10 percent are on iOS 9, the previous version. That's a fantastic penetration rate.

 

04-Oct-2017 Update: iOS 11 was released just two weeks ago (not shown on this pie chart) and is already on 25% of iPhones and iPads.

 

On the other hand, in the Android ecosystem (green pie chart), only a tiny percent of devices are on the latest version of Android, Oreo. Nougat was released a full year earlier yet only 18% of devices are on Nougat. This is true of most Android phones. The phones on any particular version of Android were nearly all purchased with that version already installed. Very few phones were actually upgraded from a previous version.

 

The large majority of devices in the wild are on older versions, some dating back years. This is a huge problem with Android.

 

Google names their Android versions after tasty snack treats. The first letter of each version name gives the ordering: the names run alphabetically. Using the list below, you can see the various versions of Android and their release dates.

 

  • Gingerbread, Dec 2010
  • Honeycomb, Feb 2011 - A minor release not shown on this chart
  • Ice Cream Sandwich, Oct 2011
  • Jelly Bean, July 2012
  • KitKat, Oct 2013
  • Lollipop, Nov 2014
  • Marshmallow, Oct 2015
  • Nougat, Aug 2016
  • Oreo, Aug 2017

Notable Vulnerabilities

Numerous critical security vulnerabilities have been discovered on the Android platform. And given the layer-cake approach to deploying security updates as described above, it's very unlikely that the vast majority of phones will ever receive these critical updates. This is fact. In light of this, the time to switch to iPhone has never been better or more advised.

 

Here are a couple of the more notable vulnerabilities discovered.

 

A critical flaw (Ars Technica Article) was discovered by a white-hat researcher that affects nearly one billion Android phones. Google was notified and they have created a fix. But since Google doesn't control Android update distribution, the chances of a widespread deployment for this patch are exceedingly low.

 

21-Sep-2017 update: An even more critical vulnerability, BlueBorne, has been discovered. This vulnerability affects several billion devices with Android devices being among the most susceptible. MORE HERE.

 

There are other critical security flaws as well. And those, too, are unlikely to be patched on already-sold phones. Again, because Google does not control the distribution of updates.

 

To be fair, iOS has had vulnerabilities discovered in the wild as well. It's those very vulns that make jailbreaking possible, after all. But Apple quickly patches and deploys security updates to fix these vulnerabilities. iOS vulns, once discovered, don't last very long in the Apple ecosystem.

To be sure, just because vulnerabilities exist doesn't mean your phone will definitely be exploited. It just means you're, well, vulnerable, which makes exploitation easier and more likely. Leaving your keys in your car doesn't mean your car will be stolen. But it makes it easier if a thief walks up to your car with bad intent, right?

 

Device end of life

End of life (EOL) refers to when a product no longer receives support by the manufacturer (It doesn't mean it quits working).

Android phones have a comparatively short product lifetime before reaching EOL. If you purchase (new) an Android phone that's a newly released model, you'll likely get upward of two years of support before EOL. But if the phone has been out for a year or longer, the time to EOL could be as little as six months. This is one reason that Android phone resale values are so low.

 

Apple, on the other hand, extends support much further back. For example, iOS 9 (released in Sep 2015) supports the iPhone 4S, which was released in Oct 2011 -- four years earlier. By the time iOS 10 was released in Sep 2016 (and support for the 4S was finally dropped), the 4S had enjoyed five years of support! A near-eternity for a phone. For many lower-income folks who may purchase a used or refurbished phone, their phone may be their only access to the internet, so a longer device support lifetime is pretty darned important. This is one reason iPhone resale values are so high compared to Android.

* Definitions

 

Vulnerability: This is a type of software bug that could allow malware unauthorized access into a system. You might think of it as a "chink in a knight's armor", a small exposed weak spot in an otherwise impenetrable suit of armor where a swordsman may target his attack to harm the knight. Software systems may contain hundreds (or more!) of such vulnerabilities, mostly waiting to be discovered.

 

OS or Operating system: This is the system software on a computer (phone, laptop, whatever) upon which everything else runs. Notable examples include Windows, MacOS, iOS, Android, and Linux, although there are others. All computers and devices in the consumer space have an operating system.