AH Primetime: Android Needs To Tighten Up Its Security


How secure is Android as a platform? While Android is arguably the largest computing platform on the planet right now, its security is still a cause for concern, not least because of the hoops users have to jump through before getting their rightful updates. Over the past three weeks or so, Android security has been in the news for all the wrong reasons. The Stagefright vulnerability, the latest buzzword in security circles, was made public late last month by security firm Zimperium. The flaw, which was originally discovered by Zimperium zLabs security researcher Joshua Drake, reportedly allows hackers to take control of certain features on unpatched Android devices remotely, by injecting malicious code through a multimedia file sent via an MMS (Multimedia Messaging Service), thereby compromising the device. The only information a hacker needs to carry out the attack is the phone number of the intended victim. While many OEMs and carriers have started rolling out security updates to patch the vulnerability in Android’s multimedia library, a report published last Thursday by Exodus Intelligence questioned the effectiveness of the patch, pointing out that one of its own security researchers, Jordan Gruskovnjak, found “a severe problem with the proposed patch”.

While Google has since clarified that it has already closed that second security hole, the twin threats, coming as they have amidst multiple reports of financial struggles at large Android OEMs, have been an absolute PR nightmare for the search giant and couldn’t possibly have come at a worse time. Google is looking to expand Android from being just the software that powers smartphones to the operating system of choice for wearables (Android Wear), smart televisions (Android TV), cashless financial transactions (Android Pay) and automobiles (Android Auto), areas where people would typically want airtight security because their physical and financial well-being might well be in jeopardy in the event of a breach. That means Google needs to sort things out if it wants a stronger presence in the enterprise sector and to be a serious competitor to Apple Pay in the future, as the technology gains wider acceptance.

Herein lies the problem with the open nature of Android. For all the benefits it brings to power users and DIY modders, the fact remains that the hundreds of versions of Android floating around in the wild make it well-nigh impossible for Google to patch things up when a security flaw is discovered, because every single update first needs to be routed through the OEMs and then through the carriers. Unless, of course, it’s an unlocked device, in which case it’s ‘just’ the OEMs that Google needs to worry about. With so many obstacles before an update can finally reach its intended device, it often takes months for updates to roll out even after Google has done its bit and patched the security vulnerability. Bluebox Security analyst Andrew Blaich describes it as a “very long tail” which struggles to keep up as the entire system moves forward.

Of course, with Android occupying around 80 percent of the mobile market globally, it is also the single biggest target for malware writers and would-be hackers, just as Windows, with over 90 percent of the desktop market share, has always been the target of attacks because of its ubiquitous nature. The problem with Android, however, is an order of magnitude bigger than Microsoft ever had with Windows. That’s because Microsoft’s monthly update schedule (otherwise known as ‘Patch Tuesday’) would, for the most part, take care of any security issue before it could cause widespread damage. Google, unfortunately, doesn’t have that option for the reasons laid out earlier. Phone-makers and carriers call the shots about which updates go through to users and which ones don’t. Planned obsolescence of devices is a huge issue, which means that apart from premium flagships, no other devices receive updates – security or otherwise – after a year of release. The lower mid-range and entry-level ones aren’t even that fortunate. Those devices are basically sold on an as-is-where-is basis, meaning you get what you get out of the box, never to be updated again. Ever.

The CTO of Veracode, Chris Wysopal, dubbed the Stagefright bug “the Heartbleed of mobile”, and said that he is worried about the exact same problem with Android Auto. “I worry about the same update problem”, he said. “The coordination across them (Google and its partners) is going to become an issue”. Google, meanwhile, has already committed to rolling out monthly updates, much like Microsoft’s Patch Tuesday. While Samsung and LG have already said that they’ll support that schedule, that is just the tip of the iceberg. With most of the growth in the Android ecosystem coming from small-time local manufacturers operating on razor-thin margins, it will be interesting to see how many of them will even want to support the schedule, seeing as they won’t be earning a dime from those software updates while spending a boatload of cash on developers, thereby jacking up their overheads and dragging down their already slender profit margins even further.