
There have been growing concerns about the security of Google’s Android smartphone operating system. With “Stagefright” threatening almost 900+ million devices, the inability to roll out quick updates is quite worrying.

“Stagefright” is the nickname of the exploit that can take advantage of a potential vulnerability in the Android OS. A hacker can send malicious code embedded in a video via a messaging app, which will use Android’s libStageFright process to mount the attack. It automatically starts the malicious code and starts reading the data in the phone without the user knowing about it. The libStageFright process has been in Android since version 2.2 (released in 2010), and that means hundreds of millions of phones are potentially at risk.

The simple fact is the current Android ecosystem structure cannot effectively handle any surprise security threats. And the response to the “Stagefright” vulnerability simply proves that the system had been broken all along. Google now says that they will be releasing monthly software updates for Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. However, that is just serving a very small number of Android smartphone users—a minuscule number of Android users globally are using a Nexus phone or tablet. Surprisingly, it took Google so many years to even take charge of its own Nexus devices.

Android as an OS has the largest market share in the global smartphone market. But Google still uses the archaic chain-of-command method when rolling out software updates for the OS. As things stand, Google releases Android updates to the phone and tablet manufacturers (also known as OEMs); these OEMs then add their own customizations and features to the Android version and also tweak them to run on all the compatible phones and tablets in their portfolio. In certain countries such as India, the OEMs then release the updates to phones, which show up as a notification on the device for users to download. However, in the US and certain European countries, mobile phone operators (such as AT&T and Verizon) are also involved in the mix. Since they sell phones on a contract and these devices are locked to the network, they also have to approve the update (after testing it on their network and checking compatibility with their services) before it is released for installation on phones. In a nutshell, Google has very little control, and Android phone users are pretty much at the mercy of the phone manufacturer.

Security expert Cem Paya wrote on Twitter after “Stagefright” became known on 28 July, “Google struck a Faustian-bargain w/carriers: cede control over Android, get market-share against iPhone.”

Instead of one version of the update quickly rolling out for devices, there are many minor variations from different phone makers for their phones. This makes it very difficult to distribute security patches quickly. That is the basic difference between Apple and Google. If there is a problem, Apple rolls out the updates as soon as they are ready. Google allowed Android phone makers a lot of liberty over the years with customizations and tweaks to the core operating system, and that is now proving to be the stumbling block.

Smartphone makers are also realizing the folly of the entire thing. Samsung, the world’s largest smartphone maker, is promising a change. “With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner. Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected,” says Dong Jin Koh, executive vice-president and head of mobile research and development office, IT and mobile communications, Samsung Electronics.

Motorola is also rolling out the updates to patch the “Stagefright” bug in phones including the popular Moto E, Moto G and Moto X. However, Motorola says, “We will begin delivering software to our carrier partners to test starting 10 August for the phones listed above. Many carriers have unique requirements that result in unique variants of software. As a result, there are over 200 variants of software that we are working to patch, test and deploy to our carrier partners for their testing and approval.”

Despite smartphone makers claiming to be changing their ways, Google will still have to ensure it has greater control over the way Android is used by individual smartphone makers. The Android One project was designed exactly to keep phone makers in check by restricting the amount of tweaking they can do on Android. But that hasn’t really caught on yet. Apple’s iOS strategy is often despised for being “closed”, but that is exactly what Google will have to adopt if Android security is a priority.
