Tuesday, August 11, 2015

Google finally doubles down on security with monthly Android updates

Google's Android team and several Android phone vendors are introducing changes to the way updates are being delivered to Android phones in the wake of high-profile vulnerabilities. 

The most enduring criticism of Android is the difficulty of obtaining OS updates, a problem that has led to the formation of projects like Cyanogenmod to provide Android updates to devices abandoned by the manufacturer (among other reasons). In 2012, Google started delivering updates to some of the Android software components using the Play Store, which only applied a bandage to the underlying problem. Google had the opportunity to fix this issue in version 5.0 (Lollipop), but as Jack Wallen lamented in March 2015, failed again to do so.

There is a great deal of blame to go around for this problem. Device manufacturers have little reason to update their products, as the lack of updates for existing devices fuels demand for new devices. Carriers are irritatingly slow to provide updates, as individual carriers add bloatware to the package, and perform QA testing. Typically, if an Android version is stable enough to reach general availability, there should not be anything left for the carrier to debug to the extent that it takes six months or more to deliver the update.

Reports nearly four years old decry the security perils of this inefficient model. The patching problem was highlighted earlier this year with the Webview vulnerability that affects version 4.3 and below, which Google refused to patch because 4.3 is too old. Only in the wake of the highly-publicized Stagefright vulnerability, which only requires users to receive — not even view — a malicious MMS, has Google become more serious about prompt patch rollouts. Although Google created a patch for the issue within 48 hours of the disclosure, the process of taking this patch and delivering it to devices in use is an exercise in frustration, during which users would be vulnerable for months. However, that is changing for some users.

Inside the new Android update plans

On the official Android blog, Google has announced that Nexus devices — specifically, Nexus 4, 5, 6, 7, 9, 10, and Player — will begin receiving monthly updates for security starting on August 5, 2015. The first round of patching includes the fix that addresses the Stagefright vulnerability. Naturally, these patches will be uploaded to AOSP for other device manufacturers to use. Nexus devices do not depend on carrier or manufacturer involvement for software updates — Google manages the support for these devices internally.

Similarly, Samsung has announced a plan to push monthly updates to devices, noting that it is currently "in conversation with carriers around the world to implement the new approach." While it is encouraging that Samsung is pursuing this timetable, getting the carriers to relinquish control of updates may prove to be a difficult task.

Motorola's announcement of the new Moto X Pure Edition also brings hope for rapidly available version updates, as Motorola's strategy is to stay as close to stock Android as possible, adding only a handful of apps that make use of the phone's hardware features. The Pure Edition is also substantially more affordable than other flagships, starting at $399.

Implications for BYOD

Having this many dependencies on outside vendors — Google, the phone manufacturer, and the mobile carrier — makes the update chain far more involved than the alternatives. For example, Apple controls both the hardware and the software, and BlackBerry, due to its market position, must cede somewhat more control to carriers. Presently, not running a Nexus phone is a security liability for BYOD, as security patches and upgrades arrive too slowly to be relied on in practice — a Windows 7 desktop that is six months or more out of date would be considered just as much of a liability.

How bad is the Android update problem?

Comparing the figures available from the Android and iOS developer portals, the numbers (as of August 3, 2015) look rather bleak.

  • 85% of Apple users are on iOS 8, which was released in September 2014.
  • 13% of Apple users are running iOS 7.
  • 18.1% of Android devices run Lollipop (either 5.0 or 5.1), but only 2.6% are using 5.1, which was released in March 2015.
  • 39.3% of devices run Android 4.4 (Kit Kat), whereas a combined 33.6% of devices run versions 4.0 through 4.3 (Jelly Bean), which are susceptible to the Webview vulnerability that Google won't provide a patch for.

Although Apple updates are seemingly still subject to some level of carrier approval (it's necessary as a baseline to establish that the system radios function as expected), Apple's market position allows them to dictate the terms of how the device will function to a much greater extent than Android device manufacturers do.

Not all carriers are equal when it comes to updates. Verizon Wireless regularly takes longer than other carriers to deliver updates. Verizon has a reputation for creating artificial limits on phones, as well. For instance, the Galaxy Nexus never received an update to 4.3 on Verizon, though all other carriers pushed the update. Additionally, Verizon prevented support for Google Wallet on the Galaxy Nexus, despite the identical corresponding models on other carriers supporting it. This was allegedly done to prevent competition with the competing ISIS payment standard, which was renamed to Softcard for obvious reasons, and shortly thereafter sold to Google.

The issues with carriers are not limited to the US, either. Android devices on the Japanese carrier NTT Docomo have poor upgrade paths. As a representative example, the Fujitsu Arrows F-02F tablet shipped on November 29, 2013, with Android 4.2.2, despite 4.4 already being available at that time. On February 2, 2015, it received an update to Android 4.4.2, a version that had been released just 10 days after the tablet itself. By then, version 5.0.2 was already available. NTT Docomo's upgrade plans indicate that there are no plans to upgrade the F-02F to Lollipop.
