One of the problems with Android is its fragmented ecosystem — not only are there several versions of the mobile operating system in devices on the market, but wireless carriers also take a scattershot approach to issuing updates to subscribers.
This causes CISOs no end of grief, particularly if they allow staff to use their own devices on the network.
But after a number of revelations of vulnerabilities, Google announced Wednesday it is starting to take the problem more seriously. It said patches for the recently-discovered Stagefright SMS vulnerability (see Related Articles) are now being issued, and that security updates for its Nexus devices — which get updates directly from Google and don’t need carrier clearance — will now be issued monthly.
At the same time, Samsung said it will soon issue updates faster for Galaxy devices running Android, perhaps as fast as once a month. Samsung still has to negotiate with carriers on this new strategy. Details on which models will get faster updates have yet to be determined, but it’s a good bet that the newer handsets will see the updates.
That still leaves owners of Android devices from manufacturers like LG, HTC, Sony, Motorola/Lenovo and others completely dependent on their carriers for whether they get OS updates.
In a blog post, Adrian Ludwig, Google’s lead engineer for Android security, and Venkat Rapaka, director of Nexus product management, said the latest security update is now available for Nexus 4 through 10 devices, as well as for Nexus Player.
“This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.”
In a statement from Samsung, Dong Jin Koh, executive vice-president and head of mobile research, said that because of recent Android vulnerabilities, the company has found a faster way to deliver patches. “We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users.”
This is a good start, but there are many carriers — including ones in Canada — that are letting Android subscribers down by not putting a greater priority on pushing updates out to users. It’s not enough for them to tout network security. Devices they sell have to be secure as long as subscribers are on that network.
According to Google, about 18 per cent of Android devices on the market run version 5.0 and up (Lollipop) of the OS. Just over 39 per cent are running v.4.4 (KitKat) and 33.7 per cent are running versions 4.1 to 4.3 (Jelly Bean — which dates back to the summer of 2012).
Carriers that do issue updates are likely doing so only for Lollipop.