The Android community is slowly beginning to understand that they are going to have to step up to the plate and deal with security like Apple has done from the beginning. The challenge is that unlike Apple, where there is one master in control, the Android community is fractured. The only one who has any hope of pulling off a solution is Google. They have the size (money) and the motivation to fix the problem.
Two examples popped up today.
First, Google has stepped up and is issuing monthly security updates – like Microsoft has done for a long time. Some vendors, such as Oracle, choose to announce patches quarterly. The advantage of that is that you only have to make 4 updates a year. The disadvantage is that the patch releases are monstrous – with hundreds of patches in each one – so many companies just ignore them. Typically, Microsoft’s monthly patch release is in the low teens for number of patches and often those are bundled so users have to deal with less details. Also, the bugs are fixed sooner with monthly releases. I vote for monthly.
In this month’s Google patch release, there are two patches which can be exploited remotely with specially crafted media files (Argh!, again) – this is a continuing effort to clean up the fright fest which is Android’s media handling (called Stagefright – you may remember that there were two earlier patches to fix problems in Stagefright. This is number 3. Expect more – they are announcing them as they fix them). There are also 3 other patches in this month’s collection.
Owner’s of Google Nexus phones will get these patches quickly. Owners of phones from other manufacturers will need to wait until the manufacturers decide to release the patches.
I am an Android user and am seriously considering making a Nexus phone my next phone since Google seems to have gotten the security message.
The other article is about Android Bloatware or Crapware. Those are the terms for all of the garbage that phone manufacturers think that you want and they need to add to differentiate their phones from their competitors. In most cases, they are so sure that you want this garbage that they do not give you a way to remove it. In fact, in many cases, they are being paid by the manufacturers of the software to install it on your phone, which is why they do not let you remove it. This is another advantage that Apple has. They control the phones. Since there is no competition, they control the price and don’t have to install Crapware to subsidize the price of the phone. This is one reason why Apple phones are more expensive than Android phones.
Google has a research team that hunts for bugs. Besides hunting for bugs in Windows, Mac OSx and Linux, they are now looking inside Android phones. This month, they announced, they found 11 bugs inside the Samsung Galaxy S6 Edge Crapware. These bugs likely won’t be on a Galaxy S5 or on a LG phone as the crapware, for the most part is tailored to the phone. Who did Samsung make a deal with for this particular phone.
The biggest risk is in software drivers – that software that talks to the hardware and has the most permissions. That is where these bugs, for the most part, were found.
The good news is that Samsung has fixed these. The bad news is that there are hundreds of phones and Google’s researchers do not the resources to review that many phones.
The manufacturers – like Samsung – need to realize that this is an impediment to sales and deal with it.
One more point. The patches that Google released ONLY patch Lollipop (5.x) and Marshmallow (6.x). Almost no one is running 6.x – it is brand new – and less than 15% are running 5.x according to a statistic that I just found. Almost 75% of the Android users are running 4.x and the patches just released DO NOT protect those users.
In their defense, Apple does the same thing. They patch the current release and one release back typically.
For Android users, they need to understand that if they are saving money by not upgrading their phones, they are at greater risk for being attacked because these old phones are not being patched.
As Google ramps up their security efforts and releases more patches, they are giving the hackers a road map for how to attack these old phones, making them more vulnerable every month.
Just food for thought.