By James Green ~ April 4th, 2014 4:04 PM MST
The Android update process is a precarious thing. The path updates take from Google, to device manufactures, through mobile service carriers, to finally arrive on consumer devices is like playing the Game of Life, but moving one square at a time and by the end your car is packed with more people that it should rightfully carry. This lengthy and complicated update process is responsible for considerable fragmentation of the Android operating system (OS).
Android OS updates are not simply a matter of getting the latest themes or better emoji support. Updates often include patches to newly discovered security vulnerabilities such as the ‘master key’ vulnerability discovered in July, 2013. The master key vulnerability is a great example of what is wrong with the Android OS update process. The master key vulnerability allows cybercriminals to inject malicious code into legitimate applications that will go undetected by Android security features due to a flaw in how applications security signatures are checked.
The master key vulnerability affects android versions 1.6 through 4.2. At the time of discovery approximately 900 million devices, or about 99% of all Androids operated on a vulnerable version of the Android OS. The master key vulnerability received a large amount of media coverage and Android users were understandably very concerned. Within weeks Google developed a patch for the master key vulnerability and it was released as part of the Android version 4.3 update. As of April 1st, 2104 (not an April fool’s joke) only 14.2% of Android devices have received the Andoird OS 4.3 update. Over eight months after Google patched the mastery key vulnerability a startling 85.8% of devices are still at risk.
The blame for this mess falls squarely on device manufacturers and mobile service providers. Devices manufactured and distributed by Google, such as the Nexus series, receive updates almost immediately after they are released. Unfortunately, other device manufacturers and mobile service providers customize new versions of the Android OS, and install proprietary applications before the update is pushed to consumers. Frequently Android updates are held hostage for months by manufacturers and service providers while customers’ devices remain at risk to well known vulnerabilities.
In the PC world this type of delay is unheard of. Computer manufacturers and internet service providers do not withhold operating system updates from customers to install custom software. Neither Microsoft nor Apple allow manufacturers to fiddle and tinker with updates while customers remain at risk.
Android is often equated with Windows as both are the dominant operating system for their computing platform, but Android lacks the streamlined update process that Windows enjoys. The Android update process is a problem that badly needs to be addressed. Computing is experiencing a shift towards mobile devices that are more affordable and more convenient. Failure to address Android fragmentation makes Android less secure, undermines consumer confidence, and makes a large scale data leak or cyber attack a realistic concern.
Because Android is so fragmented Android users must take steps to protect themselves from malware. There are three simple things that you can do to keep your android device, and the sensitive information it contains safe and secure.
- Install and use an Antivirus application.
- Read user reviews and visit application developers’ websites before downloading to establish credibility.
- Do not install applications from untrustworthy sources. ♦
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com, Twitter: @James_AfA