The Problem with Android Patches
At the Kaspersky summit in San Juan, Puerto Rico, Chris Soghoian discussed the problem of Android user’s not updating their mobile devices to current software revisions. From Threatpost:
“With Android, the situation is worse than a joke, it’s a crisis,” … “With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.”
The core of the issue is that the mobile carriers are not eager to have every one of their mobile users downloading hundreds of megabytes across their networks for patches and OS updates to extend the value of their old phones. For them it’s pure overhead, so they don’t prioritize updates. And the results are pretty staggering, with adoption rates of new iOS software approaching 50% in a week, whereas Android … well, see for yourself.
Every mobile security presentation I have been to over the last 18 months devolves into a debate between “Android Security is Better” vs. “iOS security is superior”. But the debate is somewhat meaningless to most consumers, who only carry one or the other, and rarely choose phones based on security. General users don’t go out of their way to patch, and most users (who say they care about security when asked) don’t put much effort into security – including patching. So platform patches are mostly interesting to IT Operations at large enterprises dealing with BYOD, who are trying to keep their employees from becoming infected with mobile malware. Our research shows this has been a primary reason some of the Fortune 1000 don’t allow Android in the enterprise. Just as bad, as Mr. Soghoian points out, carriers also arbitrarily restrict – or ‘cripple’ – device features. There is no clear solution to these problems yet, so good for Chris for drawing attention to the issue – hopefully it will resonate beyond the security community.