- Mar 24, 2011
Android Security Problems?
Another overwrought security vulnerability story rippled the news cycle recently. As DigitalTrends put it: "Researchers at IBM have published a report detailing a serious vulnerability in the KeyStore that affects 86 percent of Android devices."
Only that isn't true. It's really just 10 percent of Android devices that are vulnerable; specifically, devices running Android v4.3 (Jelly Bean). But DigitalTrends, like a lot of other tech FUD/news sites, hasn't corrected that error as of this writing.
Furthermore, "serious vulnerability" is a serious misstatement. The bug is a buffer-overflow vulnerability which a hacker can exploit to gain administrator-level control over a device, but only if the hacker can get through all of the anti-tampering safeguards built into Android. It's about as serious as leaving a door open in the basement of Fort Knox.
That said, this tempest in a teapot highlights a different problem with Android, which pundits refer to as "Android fragmentation." In a nutshell, it means there are too many versions, and not enough support.
Google fixed this bug only in the latest v4.4 (KitKat), leaving all earlier versions unpatched. (Of course, only v4.3 needs patching; versions prior to that don't have this vulnerability.)
A related symptom of the "too many versions" problem is Google Wear, the company's latest OS for wearable devices such as smartwatches, health monitors, etc. Apps that work with Wear will not run on any Android version lower than 4.3, leaving about 75 percent of active Android devices to Wear nothing. Naked Androids? Run for the hills!
Why Can't I Upgrade?
Why are there so many obsolete versions of Android still in use? Why don't those users upgrade their operating systems, as I've constantly exhorted desktop OS users to do? Well, for once users can't be blamed; most Android devices cannot be upgraded to the latest OS version by users alone.
You can't just go to the Android website and download the latest version to install on your device. That's because the pristine Android OS won't do what your Android device is designed to do. The Android running on your phone or tablet has been heavily customized by the device maker to take full advantage of the particular hardware platform that the manufacturer has designed. You have to get that customized device-specific Android software from the device maker.
So why don't manufacturers make their custom versions of Android available to customers as soon as a new version of original Android is released? Because that new version would have to be customized again, and that is a herculean, expensive, lengthy undertaking. By the time a customized Android upgrade was ready, the hardware that consumers expect would be radically different and the upgrade would not enable all of the hardware's new features, if the upgrade ran at all.
Carriers like Verizon, AT&T, T-Mobile, and Sprint contribute to the obsolete OS problem by binding customers to two-year contracts and lengthy phone-upgrade eligibility periods. Few customers are going to take the financial hit of ditching a months-old phone just to get the latest hardware and operating system version. We're seeing some erosion of this barrier to upgrading, but it's still pretty high.
I will say that Verizon has been pretty good about providing Android upgrades, at least for the popular Samsung Galaxy models that I've had in the past couple years. My Galaxy S4 received the KitKat (v4.4) upgrade back in May. If you have a less popular or low-end Android device, you've probably not seen an Android OS update since you got your phone or tablet.
But is not having the latest version of Android a real problem or a psychological one? Your lawn mower probably isn't state-of-the-art. Does that cause you any angst? Do you expect the maker to send you an upgrade kit every time a new model comes out? Most people are perfectly happy if a lawn mower just cuts the grass quickly enough with a tolerable amount of effort.
But... but... SECURITY VULNERABILITIES! As I explained above, very few hysterically reported security holes matter at all. Those that do matter get patched in older versions of operating systems. Those that don't matter are simply closed in the next full release.
Old Androids Never Die, They Just Become Bots