Android security – Swiss cheese pt. III

Reply to this post

Security is just another reason to close Android down. 

• Another vulnerability has emerged that exposes over 900m Android devices to the possibility of granting root access to hackers potentially making the device part of an illicit botnet as well as the theft of all data on the device.
• Checkpoint has released details of four vulnerabilities (Quadrooter) that affect Android devices powered by Qualcomm chipsets but the good news is that there is no evidence to date that the exploits have been used in the wild.
• Checkpoint provided Qualcomm with the details of these vulnerabilities 90 days ago which in turn released patches for its vulnerable drivers but it is there where the orderly process stops.
• Qualcomm has made the patches available to any customer using its chipset, but whether the end devices themselves have been patched is a matter of great doubt.
• In the normal scheme of things, a vulnerability is found, communicated to system owners who then create a patch and make it widely available.
• In iOS and Windows, these updates are rapidly distributed to all users who then update their systems and within a few weeks the issue has been put to bed.
• However, with Android this is not the case as there are two issues that prevent devices from being updated.
  • First: Most Android devices are not updatable.
  • Android is a commoditised, brutally competitive market meaning that in the mid-range every cent of cost matters.
  • Making a device updateable means that extra resources have to be added to the device which are never reflected in the price.
  • Consequently, the vast majority of Android devices are not updateable to later versions of Android as there is no incentive for the device maker to add this capability.
  • Second: Google has no control over the update process for any of the devices that run its services.
  • It can update Google Mobile Services (GMS) from Google Play but lower level system updates (Android) are controlled by either the maker of the device or the mobile operator.
  • The two exceptions are Xiaomi and Cyanogen both of whom have retained the ability to update devices running their software.
  • This is provided that the devices themselves are updateable as per the first issue above.
• These issues are so acute that even Google, will not have fixed all four of the vulnerabilities in its devices until the September update is distributed and installed.
• I suspect that for many handset and tablet makers, this vulnerability will continue to exist for a long period of time.
• While the Quadrooter has not caused any damage per se, this issue clearly demonstrates that, should a major hack occur, it will take the Android community many months to fix it, if it fixes it at all.
• This issue combined with the endemic fragmentation of Android is a major reason why I think Android devices generate much less traffic than iOS devices and why Android users demonstrate much lower loyalty.
• One only has to look at the defection of users from Android to iOS when the iPhone 6 was launched for evidence of how vulnerable Android is to market share loss.
• This is bad news for Alphabet as RFM research finds that its long-term growth is dependent on traffic generated by Android devices meaning that these issues are hampering its growth potential.
• I continue to believe that Alphabet will solve this problem by taking Android completely proprietary, effectively removing it from open source (see here).
• This will solve all of these problems in one go but comes with the problem of convincing the community that going proprietary is in everyone’s best interest.
• Here, Google will have the advantage of being able to point the finger at Oracle (see here) as the architect of the problems that have forced it to close Android down which I think will make things much easier for Alphabet.
• I think that this will begin in earnest in 2017 probably at its developer conference (i/o) in May.
• I continue to prefer Baidu, Microsoft and Samsung over Alphabet for the immediate term with Tencent and Facebook on my watch list for the right signals to enter.