Android's huge update problem

The Android smartphone ecosystem has a huge problem with deploying timely updates to Android phones and tablets. This lack of updates, especially security updates, needlessly and negligently exposes Android devices to malware infection.

When a vulnerability* is discovered in any operating system, be it Windows, MacOS, iOS (Apple devices), Android, or whatever, the company that develops that OS* will patch (fix) the vulnerability and issue an update to all their customers. These updates are usually automatic so you don't have to do anything to receive them and be protected.


But Android devices, by the hundreds of millions, go unpatched for long periods of time or they're not updated at all. That's the topic of this article.


Google is the company that develops and maintains Android. Even though Google generally patches vulnerabilities as they are discovered, the ecosystem in which Android operates needlessly delays the actual deployment of those updates.


Wowzers! Why is that??


That's a really big question. Let's start at the beginning, shall we? Yeah, I know, it sounds like you're in for a long read. It's really not that long and a little history is always interesting.

How did Android come about anyway?


A very brief history of smart phones


Back in June 2007, Apple caught the mobile phone world flat-footed when they released the iPhone -- a time when most people used "candy-bar" phones or flip-phones like the Motorola Razr. The closest thing to a smartphone -- and it wasn't very close at that -- was the BlackBerry, a phone that could do email and had a rudimentary browser.

The iPhone was singularly revolutionary -- nothing less than a tectonic shift in mobile technology. The hype was so loud and relentless that it was dubbed the "Jesus Phone" for its promised humanity-shifting influence. Turns out that hype was right: it is indeed humanity-shifting. Some 3.5 billion(!) people own a smartphone, almost 50% of the world's population. Consider how different the world would be today had the smartphone never been invented. But I digress...

Anyway... People bought the iPhone like crazy, with long lines snaking around the stores that sold them. There was nothing else even close to it. Apple had the entire smartphone market to themselves for a good two years at least. Other manufacturers scrambled to develop their own smartphone and OS to compete with Apple, but they were all floundering. It was a pivotal moment in the mobile industry and an existential threat to manufacturers, driving many out of business and others to be swallowed up.


With competitors trotting out various devices, all doomed to fail, the competitive bloc needed a savior to unify their response to Apple. Certainly, no existing phone manufacturer could be trusted to develop the needed OS. Competition was cutthroat and, besides, they lacked the skill to do so.

Google was probably the only non-device-aligned company large enough to quickly pull off the development of a device-agnostic OS that all the phone makers could get behind. Microsoft was a nonstarter as they were very late to the mobile game and, indeed, have since officially abandoned it.


To sweeten the deal, giving bickering manufacturers added incentive to use Android, Google opened Android and gave the phone makers and wireless carriers wide latitude over modifications to Android. And it was free. It was the easiest way to get widespread adoption even though the manufacturers had no real alternative. And that was the deal with the devil -- the fateful decision that led to today's Android security nightmare.


So herein lies the problem

Phone manufacturers are in the phone-making business. The wireless carriers are in the bandwidth and signal business. The modifications that phone makers and carriers perform on Android aren't done to make Android better or more secure. They are done to sell their ancillary services and for marketing-centric differentiation, period. So they aren't particularly interested in testing and deploying non-revenue-generating security updates coming from Google. They'd rather you just buy a new phone. 

And since the manufacturers and carriers are an (uncooperative) integral part of the update process, well then, updates are very slow in coming, if at all.


Here's the chain of steps that an update, such as a security patch, traverses on its way to your phone.

Apple:

Apple Update ▶︎ Your phone

Android:

Google Update ▶︎ Phone Maker ▶︎ Wireless Carrier ▶︎ Your phone

The Phone Maker and Wireless Carrier steps shown in red above are where those updates, including critical security updates, languish and often die. Phones that have not reached end of life (more on this below) may receive these updates or they may not. Even if they do, those updates can sometimes take months to make their way through the update chain and onto your phone.

Google's Pixel-branded phones are the only exception. For the unlocked model there is no carrier interference in the update process. For Android fans, if timely updates are important to you, and they should be, the unlocked Pixel-branded phones are the only phones to buy. New versions of Android may require cooperation from the chipset manufacturer to write and update device drivers, and that often doesn't happen. So while your Pixel-branded phone might get timely updates for the current version of Android, it might not be upgradable to the next version. This helps for security but does little for the overall Android fragmentation problem discussed below.

It's not that Android itself is necessarily less secure, although there is some discussion there. The problem is lack of updates. On the present course, there will eventually be an Android security armageddon. A day of reckoning where the sloppy practices of today will bite the entire Android ecosystem on its ass, unless phone makers and carriers decide to embrace proper security update protocols. They may yet do that if their survival instinct ever kicks in. But so far they haven't, and there's little indication that will change any time soon. C-Suite executives rarely give security concerns proper attention.


Apple is very different in this regard. Since Apple both manufactures their devices and develops the OS, they have total control and are able to deploy security fixes whenever necessary -- without needing (much) cooperation from phone makers and wireless carriers. This is a critical advantage to iPhone (and iPad). It's enough of a reason all by itself to avoid Android in favor of iPhone -- unless, as mentioned above, you buy an unlocked Pixel-branded phone.


What kind of malware might infect my phone as a result?


Malware can be designed to do any number of nefarious tasks: pilfer your passwords, steal sensitive data, add your device to a botnet, track everything you do (including recording your phone calls and text messages), track your location using the GPS receiver, spread to other devices using yours as a springboard (a Typhoid Mary), "brick" your phone by overwriting the phone's firmware, encrypt your data (ransomware), and really any number of other things of the bad actor's choosing.


Fragmentation -- A big problem you've never heard of


Fragmentation is when there are multiple hardware and/or software versions and inconsistencies in the installed user base (people with phones). As of this writing, the Android ecosystem has over 20,000(!) distinct device models (hardware) across many dozens or possibly hundreds of brands. And there are numerous versions of Android (software) as well, making for even more distinct combinations. This, too, aggravates timely deployment of updates because of the QC (Quality Control) needed to ensure patches don't break something else.


Fragmentation also makes it difficult for developers to take advantage of hardware features that aren't common. It's one of the biggest complaints that developers have regarding the Android ecosystem. That means if your shiny new Android phone has a relatively uncommon hardware feature (that you may particularly like) there's a good chance that feature won't be fully realized to its potential.

Again, here is where Apple is very different. As of this writing, Apple has released only a few dozen iPhone models (even accounting for various amounts of memory) since its introduction way back in 2007. And when iOS is upgraded, the rate of uptake to already-sold iPhones is nearly universal. This lack of fragmentation makes it easier to develop for the Apple ecosystem since developers can expect certain hardware features to be present and for most Apple devices to be on the latest iOS version. For example, all iPhones from the 5S onward have a fingerprint sensor. (*) This also makes it easier for Apple and developers to update and support older devices.

* The new full-screen iPhone eliminates the home button which housed the fingerprint sensor in earlier models. Instead, these models employ facial recognition using a new advanced camera. But app-writers don't have to worry about that as it's handled by the operating system.

iOS vs. Android OS version uptake

As you can see on the blue pie chart (dated 15-Oct-2019), 50% of Apple's portable devices in the wild have updated to iOS 13 which was released 19-Sep-2019, barely four weeks earlier. Another 40 percent are on iOS 12, the previous version and most of those will update soon after. There's only a scant 9% on older versions and the majority of those are older than five years and no longer supported. That's a fantastic rate of uptake.


On the other hand, in the Android ecosystem (green pie chart, dated 07-May-2019), only a small percent of devices are on the then-latest version of Android (Pie), which was released nine months earlier, in August 2018.

In fact, the phones on any particular version of Android were nearly all purchased with that version already installed. Very few phones were upgraded from a previous version.

The large majority of Android devices are on older versions, some dating back many years. Using the list below and the green pie chart, you can readily see how stale most Android devices really are. That's a lot of phones running very old versions.

  • Q, Sep 2019 - Not shown on this chart.

  • Pie, Aug 2018

  • Oreo, Aug 2017

  • Nougat, Aug 2016

  • Marshmallow, Oct 2015

  • Lollipop, Nov 2014

  • KitKat, Oct 2013

  • Jelly Bean, July 2012

  • Ice Cream Sandwich, Oct 2011

  • Honeycomb, Feb 2011 - A minor release not shown on this chart

  • Gingerbread, Dec 2010

[Figure: iOS version uptake pie chart (blue), dated 15-Oct-2019]
[Figure: Android version uptake pie chart (green), dated 07-May-2019]
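As an added example that is not part of the original article, here is a small Python check a defender could run over an `adb shell getprop` dump to measure exactly how stale a phone is: it maps `ro.build.version.release` to the codenames in the list above and computes the age of the `ro.build.version.security_patch` level (a property that only exists from Marshmallow onward). The 90-day and one-year thresholds, the fixed reference date and the sample dump are assumptions made up for this example.

```python
import re
from datetime import date

# Codenames from the list above, newest first, with the version that introduced each
# (Q shipped as Android 10; Honeycomb was the tablet-only 3.x line).
RELEASES = [
    ("Q", (10,)), ("Pie", (9,)), ("Oreo", (8,)), ("Nougat", (7,)),
    ("Marshmallow", (6,)), ("Lollipop", (5,)), ("KitKat", (4, 4)),
    ("Jelly Bean", (4, 1)), ("Ice Cream Sandwich", (4, 0)),
    ("Honeycomb", (3,)), ("Gingerbread", (2, 3)),
]
# Assumed fleet policy (not from the article): a patch level older than 90 days is
# stale, and older than a year means the device is effectively abandoned.
STALE_DAYS, ABANDONED_DAYS = 90, 365
REPORT_DATE = date(2019, 10, 15)  # date of the iOS chart, used as a fixed "today"
PROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")  # getprop prints "[key]: [value]"

def parse_getprop(text):
    """Turn `adb shell getprop` output into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def codename(release):
    """Map a ro.build.version.release string such as '8.1.0' to its codename."""
    version = tuple(int(p) for p in release.split(".") if p.isdigit())
    for name, first_version in RELEASES:
        if version >= first_version:  # tuple compare: (4, 4, 2) >= (4, 4) is True
            return name
    return "unknown"

def assess(props, today=REPORT_DATE):
    """Classify a device by codename and by the age of its security patch level."""
    name = codename(props.get("ro.build.version.release", "0"))
    patch = props.get("ro.build.version.security_patch")  # absent before Marshmallow
    if patch is None:
        return {"codename": name, "patch_age_days": None, "status": "abandoned"}
    age = (today - date.fromisoformat(patch)).days
    status = "current" if age <= STALE_DAYS else "stale" if age <= ABANDONED_DAYS else "abandoned"
    return {"codename": name, "patch_age_days": age, "status": status}

# Constructed sample of a getprop dump from a phone whose carrier stopped updating it.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-03-05]
[ro.product.model]: [EXAMPLE-1]
"""
```

Call `assess(parse_getprop(dump))` on a real dump; for the sample it reports an Oreo phone whose last patch is 589 days old, i.e. abandoned.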

Notable Vulnerabilities

Numerous critical security vulnerabilities have been discovered on the Android platform. And given the layer-cake approach to deploying security updates as described above, it's very unlikely that the vast majority of phones will ever receive these critical updates. In light of this, the time to switch to iPhone has never been better or more advised.


Here are a couple of the more notable vulnerabilities discovered.


A critical flaw (Ars Technica Article) was discovered by a white-hat researcher that affects nearly one billion Android phones. Google was notified and they have created a fix. But since Google doesn't singularly control Android update distribution, the chances of a widespread deployment for this patch are exceedingly low.


An even more critical vulnerability, BlueBorne, has been discovered. This vulnerability affects several billion devices with Android devices being among the most susceptible.


There are other critical security flaws as well. And those, too, are unlikely to be patched on already-sold phones. Again, because Google does not control the distribution of updates.


To be fair, iOS has had vulnerabilities discovered in the wild as well. It's those very vulns that make jailbreaking possible, after all. But Apple quickly patches and deploys security updates to fix these vulnerabilities. iOS vulns, once discovered, don't last very long in the Apple ecosystem.

To be sure, just because vulnerabilities exist doesn't mean your phone will definitely be exploited. It just means you're, well, vulnerable, which makes exploitation easier and more likely. Leaving your keys in your car doesn't mean your car will be stolen. But it makes it easier if a thief walks up to your car with bad intent, right?


Device end of life

End of life (EOL) refers to when a product no longer receives support from the manufacturer (it doesn't mean it quits working).

Android phones have a comparatively short product lifetime before reaching EOL. If you purchase (new) an Android phone that's a newly released model, you'll likely get upward of two years of support before EOL. But if the phone has been out for a year or longer, EOL could be as little as six months away.


Apple, on the other hand, extends support much further back. iPhones receive between 4 and 5 years of support -- over twice the time as Android phones. And, importantly, Apple updates the OS as well, not just bug fixes and security updates. That means older phones can get new features that might only come with a major OS update. That's nearly unheard-of for Android since actual OS upgrades are quite rare.

Definitions


Vulnerability: This is a type of software bug that could allow malware unauthorized access into a system. You might think of it as a "chink in a knight's armor", a small exposed weak spot in an otherwise impenetrable suit of armor where a swordsman may target his attack to harm the knight. Software systems may contain hundreds (or more!) of such vulnerabilities, mostly waiting to be discovered.


OS or Operating system: This is the system software on a computer (phone, laptop, whatever) upon which everything else runs. Notable examples include Windows, MacOS, iOS, Android, and Linux, although there are others. All computers and devices in the consumer space have an operating system.