Android Security – Culture vulture

Reply to this post

Security issues highlight more pressing problems. 

• Google is trying hard to fix the endemic security issues that continue to plague Android devices but unfortunately it is making almost no progress.
• Since August 2015, Google has been releasing monthly security updates to address the security flaws but there are two big problems.
  • First. Any security patches that Google makes to Android only apply to its own Nexus devices.
  • These devices make up an insignificant proportion of the Android device population meaning that almost no-one receives the updates.
  • Second. The updates themselves have yet to address all of the known security issues in Android.
  • For example, despite monthly updates the mediaserver (finds and indexes media on the device) remains critically flawed.
  • Google is playing a horrible game of whack-a-mole with this component as every time it fixes one flaw, another pops up.
• I have long believed that Google’s inability to effectively manage Android security and its updates is rooted in its history as a server company.
• When Google wants to update its search algorithms it simply updates the code on the server and the job is done.
• Because devices run their own software, they have to be individually updated and it this is very different to the way Google has operated for many years.
• Consequently, it has taken Google a very long time to come to grips with this problem and I am far from convinced that the issue is close from being resolved.
• To be effective, all Android devices need to receive these updates which brings in two more big problems.
  • First. Most Android devices are not updatable.
  • Android is a commoditised, brutally competitive market meaning that in the mid-range every cent of cost matters.
  • Making a device updateable means that extra resources have to be added to the device which are never reflected in the price.
  • Consequently, the vast majority of Android devices are not updateable to later versions of Android as there is no incentive for the device maker to add this capability.
  • Second. Google has no control over the update process for any of the devices that run its services.
  • It can update Google Mobile Services (GMS) from Google Play but lower level system updates (Android) are controlled by either the maker of the device or the mobile operator.
• Consequently, I think that Google has to take control of Android because in its current state, it is very unsecure with no scope for improvement.
• I continue to believe that this may happen in 2017 as Oracle has provided Google with the perfect excuse to do so (see here).
• This would result in a series of proprietary ecosystems based on an Android kernel of which GMS, Cyanogen and MIUI would be three.
• Google still has another good year ahead of it thanks to the underlying growth of Android users, but the medium term urgently requires for this problem to be fixed.
• I prefer Samsung and Microsoft to Alphabet in the long-term, although the immediate term for Alphabet continues to look good with absolute user numbers still growing very nicely.