Google Mulls Naming and Shaming on Android's Security Swamp

Google is considering naming and shaming device-making partners that don't offer Android security updates quickly enough.

The search giant is mulling how to combat the morass/quagmire/security swamp that is Android's fragmentation problem, sources told Bloomberg. The Android OS has several older releases that are still being used today by manufacturers to power everything from phones to tablets to set-top video streamers to home automation gadgets—and beyond.

But not only that, the OS is famously open—so OEM partners can create their own customized versions of Android to power specific devices to do specific things—like the Samsung Knox specialized extra-secure version of Android, or the ARCHOS smart-home Android tablet.

What that means is that unlike Apple with iOS, Google can’t just push out an update to the tens of millions of phones out there and call it a day. It can provide an update, but it’s up to each individual OEM partner (the handset- and gadget-makers) to implement its own specific version of the patch for its customers.

Too often, manufacturers drag their feet, but it’s also a scale problem: Android has an active install base of 1.4 billion devices, according to Google, all splintered across hundreds of versions of the OS.

For instance, a widespread vulnerability was recently discovered that affects Android devices going back a whopping five years. It gives attackers access to victims’ SMS databases and phone history, and allows them to access the internet—all undetected.

The issue affects both flagship and non-flagship devices that use Qualcomm chips and/or Qualcomm code, meaning that hundreds of models are affected and likely millions of gadgets. Mandiant’s Red Team has confirmed the vulnerability on devices running Lollipop (5.0), KitKat (4.4), and Jellybean MR2 (4.3) and Ice Cream Sandwich MR1 (4.0.3)—meaning that it’s mostly older devices that are affected. Qualcomm has addressed the issue and notified all of its OEM customers in early March 2016. The OEMs will now need to provide updates for all of their devices, across OS versions—a process that will take months, if not years, if it happens at all.

And the result of this is clear when considering the fact that, for instance, fixes for the now-infamous Stagefright software bug have only reached a fraction of Android’s base.

But wait, there’s more: Carriers have to approve the updates for their users as well, to avoid network disruption.

A source within Verizon Communications told Bloomberg that the cellco’s tests can take months, because it supports so many different kinds of Android phones, all of which must be tested before updates go live.

One thing that will help is if OEMs would, at the very least, update their users to the latest Android OS, which is, for now, the Marshmallow OS (Android N will be released later this year). Consider: Right now, 84% of Apple’s mobile devices run the latest iOS software, compared with 7.5% of Android devices that run the latest Android edition—according to Apple and Google internal numbers.

"It’s not an ideal situation," said Android chief Hiroshi Lockheimer at Google’s I/O developer conference, while describing the lack of updates as "the weakest link on security on Android."

According to Bloomberg, Google has a list that ranks manufacturers in order of how quickly they update devices to the latest version of Android. Sources said that the company was considering making this list public.

It’s part PSA, part shame-game.

The carriers of course are watching this with interest—and could help Google in its endeavors. "Google is putting pressure on," said Ryan Sullivan, vice president of product development at Sprint, who said that Sprint’s testing process for updates typically takes less than 12 weeks. He told Bloomberg that he has seen the data that Google uses to track who is falling behind. "Since we are the final approval, we are applying pressure because our customers are expecting it."

Photo © l i g h t p o e t/

What’s Hot on Infosecurity Magazine?