At the Kaspersky summit in San Juan, Puerto Rico, Chris Soghoian discussed the problem of Android user’s not updating their mobile devices to current software revisions. From Threatpost:
“With Android, the situation is worse than a joke, it’s a crisis,” … “With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.”
The core of the issue is that the mobile carriers are not eager to have every one of their mobile users downloading hundreds of megabytes across their networks for patches and OS updates to extend the value of their old phones. For them it’s pure overhead, so they don’t prioritize updates. And the results are pretty staggering, with adoption rates of new iOS software approaching 50% in a week, whereas Android … well, see for yourself.
Every mobile security presentation I have been to over the last 18 months devolves into a debate between “Android Security is Better” vs. “iOS security is superior”. But the debate is somewhat meaningless to most consumers, who only carry one or the other, and rarely choose phones based on security. General users don’t go out of their way to patch, and most users (who say they care about security when asked) don’t put much effort into security – including patching. So platform patches are mostly interesting to IT Operations at large enterprises dealing with BYOD, who are trying to keep their employees from becoming infected with mobile malware. Our research shows this has been a primary reason some of the Fortune 1000 don’t allow Android in the enterprise. Just as bad, as Mr. Soghoian points out, carriers also arbitrarily restrict – or ‘cripple’ – device features. There is no clear solution to these problems yet, so good for Chris for drawing attention to the issue – hopefully it will resonate beyond the security community.
Reader interactions
2 Replies to “The Problem with Android Patches”
After reading yet another article on the subject I learned that Google did provide security updates for previous versions of Android, so maybe my criticism of the release model was a little misplaced.
I suspect the Android release model contributes partly to the reluctance to provide updates. Updates to Android may include new features as well as security fixes. It’s new feature updates that will often require more extensive testing on devices, and with carrier/manufacturer customisations to the OS, than minimal security updates. When a new major Android version is released, carriers may need to decide whether to put effort into making the new release work on their existing devices, or backport fixes themselves.
Users may also be reluctant to update. I have one friend who, after applying an Android update to his phone previously, complained about the things that changed. When Ice Cream Sandwich was released for his phone he was adamant he would not upgrade because he liked it as is. (He has since lost his old phone, so is now happily using another phone with a newer Android release!)
I think one step to improving the situation would be for Google to provide stable releases that receive only security and minimal bug fixes. These updates should be smaller, easier to test, and have less of an impact on the carriers’ networks.