Should Android Users Hide their Smartphones?
January 27th, 2015
I know there’s a tendency on the part of some online pundits to deliberately put Apple in the headline as hit bait. It’s not my intention to do the same thing with an Android slant. Aside from the obvious factual accuracy of this column, I just don’t play the hit bait game. I’d like to believe — naive as the concept might be — that the content will be sufficient to attract an audience.
So there’s a report from CNET with a headline that says a lot, “Google leaves most Android users exposed to hackers.” It’s so important I don’t know why it hasn’t made the headlines of every single mainstream newspaper, not to mention other tech sites. You see, despite the huge sales gains Apple is expected to report this week to the financial community, Android is still the number one mobile platform on Earth. Hundreds and hundreds of millions of handsets and tablets use Google’s OS, so if there are serious questions about security, people need to take notice.
But before I get to the meat of this commentary, let me remind you of the time when a Google executive remarked that Android security wasn’t important. Or when Executive Chairman Eric Schmidt — once an Apple board member — claimed that the Android platform was more secure than iPhone. Of course, few people take such silly claims — or much of anything Schmidt says — seriously, but let’s move on.
Now a known problem with Android is the fact that it is difficult, and usually impossible, to upgrade your gear to the latest and greatest OS. It’s a complicated process, unless you have a product bearing the Nexus label, which is supposed to contain the unvarnished version of Android not polluted with junkware from a wireless carrier or manufacturer. Even then, there are no guarantees, but the chances are better.
The problem Google has long confronted is getting its partners to provide prompt OS upgrades for eligible gear. Unlike Apple, who sends over-the-air updates to any eligible iPhone, iPad or iPod touch, Android updates go through a bureaucracy. First the handset or tablet maker needs to certify the update with their own bundled apps, or junkware. Next up is the wireless carrier who may add their own stuff to the configuration.
If a product isn’t recent, the upgrade priority isn’t high. Manufacturers and wireless carriers are anxious for you to upgrade to new gear, even if that new gear itself uses an older OS. There’s no profit in deploying free updates, so they get less emphasis. While Google has promised to improve this frustrating situation, it’s a hollow promise and hasn’t been fulfilled.
According to the CNET report, the latest problem is a security hole that impacts the default browser that ships with Android. Upgrading to Chrome, a far better browser than the one Google inflicts on you as standard issue, should fix the problem, but most Android users don’t really bother moving past the default apps.
So what is this security hole? Well, CNET doesn’t seem to understand that readers might actually want to know the specifics, and the dangers in keeping their gear unpatched. The sole specifics, such as they are, are contained in comments quoted from Adrian Ludwig, Google’s security chief, who says, “Keeping software up to date is one of the greatest challenges in security. Because the browser app is based on a version of the WebKit browser engine that’s now more than two years old, fixing the vulnerability in Android Jelly Bean and earlier versions is no longer practical to do safely.”
And why should that be? Well, Ludwig doesn’t explain, and it’s clear CNET isn’t curious.
The Android usage figures quoted in the article claim that 39.1% of smartphones and tablets are using Android 4.4 KitKat, while an additional .1% are using the latest and greatest, Android 5.0 Lollipop. These newer versions of Android aren’t susceptible to this security flaw.
The rest, over 60%, are saddled with Android 4.3 Jelly Bean and older, and it’s clear that these people, even if they bought their smartphones or tablets yesterday, are being left in the dark.
Another quote, just as curious, comes from Tod Beardsley, an engineering manager at Rapid7, a security firm, who perhaps tried a little hard to be diplomatic about Google’s clear lack of concern for so many Android users. He was quoted as saying he hopes the company will reconsider.
Yes, that’ll get some action.
A more informative report comes from a Forbes article by Thomas Fox-Brewster, which states that some one billion Android users have been abandoned when it comes to security updates. He writes, “The WebView piece of the messy Android jigsaw allows apps to display web pages without having to open another application. Many apps and ad networks use the component, which the Google Android team even advocates in its developer documentation on rendering web pages. It’s also the favored vector for attack for nearly any remote code execution vulnerability in the mobile OS, according to Rapid7 engineering manager Tod Beardsley.”
In short, this is a disaster in the making, and other than asking Android users with older OS versions to just be careful when they go online, or use a different browser altogether, there is no solution.
Except, of course, to turn these devices off permanently and buy something else. Maybe that’s the intention of Google and its hardware partners, but have they forgotten how well the iPhone is doing nowadays?
The OpenSSL bug was fixed via Android 4.4.4 in mid-2014. Do those users of older Android devices, such as those in the 60% group, remain vulnerable? How about those that do have 4.4 KitKat, have they applied the update?