Towards the end of last month, Android was hit with a fairly massive security exploit that has a lot of us worried. Stagefright was announced and detailed as an exploit that simply takes over your device, without you even doing about it, by just sending your device an MMS. Depending on which SMS app you’re using, you don’t even have to acknowledge its existence. Stagefright is a big deal, and even though Google reacted fairly quickly, it doesn’t matter what they do when it comes to security updates, because carriers and networks the world over and manufacturers will simply let them down, and more disturbingly, let us down.
This week, Google introduced a new take on security updates; 36 months of security updates for Nexus devices, 24 months of major software updates and monthly security updates. This sounds encouraging, and as a Nexus 9 owner, pretty satisfying. However, my main smartphone, my beloved Moto X (2014) is sat next to me on my desk, completely at risk from some jerk looking to crack into my phone. It’s a good job I am fairly secretive with my data, and don’t just hand out my phone number all over the internet, but then I could always get DOXXED and that’s it; game over. I recently swapped back to Textra to cover myself until Motorola get their god damn act together. Let’s start with Motorola, shall we? The only comment on Stagefright I can find is this from their forums manager which starts with “After Google informed us in late June, we’ve been working to integrate, test and deploy the patches. All of our newly launched products (Moto X Style, Moto X Play, and Moto G 3rd Gen) will have the patch integrated in the software.” Okay Moto, so you’re telling me you have had these patches since late June? I sincerely hope that was a typo.
Motorola is not alone, the only devices from a major OEM to have seen Stagefright patches are sporadic and recent Samsung devices on AT&T and Sprint (at least as of writing, anyway). Google can keep to their promises of monthly security updates all they want, but their partners won’t and neither will the carriers. It’s possibly got a lot to do with the networks thinking this is Google’s fault, without thinking that they control the pipe which updates flow down. Meanwhile, the manufacturers just don’t see the point in updating older hardware. This exploit travels back to the dark days of Android 2.2, which means anything even remotely recent is at risk. Still, why update and keep an older car moving when you can push that customer onto a shinier model?
Sprint and AT&T have been pretty good about Stagefright, with Sprint pushing out Google’s updates to Nexus devices and as many Samsung devices as they presumably had code for. Where is Verizon though? You know, the US’ largest network that not only offers a range of their own devices but practically every popular Android device going?And what of T-Mobile? The Un-carrier that cares more than the big boys? I could ask this question of pretty much every other smartphone manufacturer out there as well. The patches are coming from Google, if not already arrived at LG, Motorola, Sony, ZTE, Xiaomi, Huawei, Lenovo, HTC and whoever else.
That list of names above is perhaps the biggest cause of problems like Stagefright lingering around much longer than they ever should do. Unlike a Windows PC (which is the closest cousin to Google’s Android platform) my Moto X doesn’t get updates from Google, nor does my friend’s Xperia Z3. On a Windows PC however, my old homemade gaming rig would have gotten an immediate update from Microsoft, so would my girlfriend’s HP laptop. To get to the top, Google have let manufacturers do too much to Android, which means getting a security patch through the thick coats of third-party software is harder than it ever should be.
The only way Google can really get serious about security flaws like Stagefright is to rip back some control from their partners. A double-update strategy is the only realistic path here. Updates from Google for security and bug fixes, and then another from the manufacturer for major updates and app updates. Otherwise, how is anyone going to get the security updates they need and deserve? Right now, the current system is failing, and Google’s Nexus updates are nice, but won’t help the vast majority of Android users out there on an older device that Samsung or co. see no value in spending time updating. Google need to take back some control to take care of the flock they helped create, and the carriers and device manufacturers need to get the hell out of the way and let them do it.