Google’s mobile operating system Android is open, mostly, and can be distributed by many actors within the global Android ecosystem.
For the best, but also for the worst.
For the best, first
Openness brings many possibilities in terms of personalization and has led to a diversity of mobile devices.
Today’s Android ecosystem counts hundreds of manufacturers, even if only a few of them account for more than 80% of devices.
On top of manufacturers, carriers also bring their touch of personalization to the devices they sell.
This openness is for sure part of the reason why Android is a success and why today (April 2015) more than 63% of mobile devices are running Android (iOS is now at 20.84%) according to statcounter.com.
Then, for the worse
When dealing with security updates for applications, Android does not seem to be better or worse than iOS in the way it allows developers to push updated versions of their apps to app stores.
However, when it comes to operating system vulnerabilities, the update process is not really simple or prompt.
Let’s take the example of a flaw that is discovered by a security researcher or by Google itself. Google usually fixes the vulnerability within days or weeks and makes the update available in the AOSP (Android Open Source Project) repository. But the end-user device is not updated at this point. How much time does it take for devices to be updated?
Nexus devices benefit from the fact they are directly distributed and managed by Google and are therefore updated quite quickly.
Other devices distributed by mobile phone manufacturers are updated a bit later, as soon as the manufacturer updates its own “Android branch” with the security patch. This generally takes time, since manufacturers tend to focus on new devices to be pushed to the market, and need to create Android OS releases for their existing devices.
What about mobile carriers? Carriers first need to wait for manufacturers to create the patched Android release for their devices. Then carriers will also bring their own modifications to the release (design personalization, specific apps…) and then push the update to their end-users.
In the end, some users will get the security update quickly within days, some will get it within weeks, others within months, and some will simply never get the patch for the vulnerability.
Google Nexus devices will receive security updates for around 18 months after the device release. Some consumers buy devices upon release, but what about consumers buying devices one year after the release, when prices become a bit cheaper?
We often talk about planned obsolescence; we can here talk about planned insecurity.
Compared to computer operating systems, the support period is really short (12 years for Windows XP, a record).
Older versions of Android are not updated
Can you trust your device when it tells you that “Your product is up to date”?
Not really. If you use version 4.3 and 4.4 is available at Google, it means you are exposed to vulnerabilities.
The thing is that old minor versions do not receive these updates: back-porting is mostly nonexistent.
As an example, version 4.4 will receive the update, but 4.3.x will not.
What kind of vulnerability?
Vulnerability CVE-2013-6272 is a good example that can help people understand what a vulnerability on Android can be.
This flaw is basically a bug that allows applications to trigger calls from your mobile device, to any number, even if you did not authorize the application to do so!
In terms of exploitation, this vulnerability can be used by a malicious app developer/repackager to dial out to expensive services (their own service if they want to make some money) and your phone bill will become painful…
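The two points above (a device can be the newest build of its own branch and still be exposed, because fixes are not back-ported; and a concrete CVE to check against) translate into a simple fleet check. The following is an added example, not code from the original post: the inventory lines are constructed, and the release in which CVE-2013-6272 was fixed is an illustrative assumption, not a value taken from the post or an advisory.

```python
import re

# Constructed inventory: one line per device, "<name> <release>", as
# 'adb shell getprop ro.build.version.release' would report the release.
INVENTORY = """\
sales-01 4.3
sales-02 4.3.1
dev-03 4.4.2
dev-04 4.4.4
ops-05 5.0.1
"""

# CVE named in the post; the fix release (4.4.3) is an assumption for
# illustration only, not a value from the post or from an advisory.
FIXED_IN = {"CVE-2013-6272": (4, 4, 3)}


def parse_version(text):
    """Turn '4.4.2' into (4, 4, 2); missing components count as zero."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_exposed(device_version, fix_version):
    """A device is exposed when its release predates the release carrying
    the fix. Being the latest build of an older branch (e.g. 4.3.1 when the
    fix shipped in 4.4.x) does not help: fixes are not back-ported, so a
    vendor's 'your product is up to date' says nothing about the CVE."""
    return parse_version(device_version) < fix_version


def assess(inventory, fixed_in):
    """Return {device_name: [CVE ids the device is exposed to]}."""
    report = {}
    for line in inventory.splitlines():
        name, version = line.split()
        report[name] = [cve for cve, fix in fixed_in.items()
                        if is_exposed(version, fix)]
    return report


if __name__ == "__main__":
    for device, cves in assess(INVENTORY, FIXED_IN).items():
        print(device, "EXPOSED:" if cves else "ok", ", ".join(cves))
```

Feed it the real fix version from the vendor advisory and the output of getprop across your devices, and the report lists which devices are still waiting for a patch that will never reach their branch.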
Keeping support costs reasonable
Openness allows for many things like personalization. In this way, mobile manufacturers can try to differentiate themselves from others through the operating system.
This personalization process can also bring bugs and flaws into the software, but that’s another topic.
All vendors want satisfied customers, and hence need to update devices. But vendors also need to keep support costs reasonable, and try to find the right balance between openness and security.
– Stat Counter Global Stats: http://gs.statcounter.com/
– Android version history: http://en.wikipedia.org/wiki/Android_version_history