Security Experts:

Carriers Cripple Android, Prioritize Profits Over Protection

SAN JUAN, PUERTO RICO – So long as wireless carriers and phone manufacturers drag their feet on regular operating system updates, Android users will remain vulnerable to malware and other attacks, a technologist and policy analyst said Monday.

A sizeable number of Android phones currently in use are running versions that was released two years ago, and that won't change unless wireless carriers relinquish control over the update process, Chris Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union, told attendees at the Kaspersky Lab Security Analyst Summit. Of the more than 100 million Android devices deployed worldwide, nearly 50 percent of Android handsets are running the Google version of Gingerbread released in 2010, according to the Google Android Developers Dashboard.

Chris Soghoian Photo at Kaspersky Lab Security Analyst SummitEven though the operating system belongs to Google, the company generally doesn't have any control over how updates are delivered to Android handsets. Once the company's engineers release a new version, it's up to the manufacturers to port those changes and fixes into a unique version for each handset model since there are differences in how the operating system interacts with different types of phone hardware, chip, and radio card, Soghoian said. This is time-intensive, and manufacturers would rather stretch their resources to have engineers working on new products. But that has serious implications for end-users.

“You don’t need a zero-day exploit to attack most Android devices if consumers are running 13-month old software,” Soghoian said.

Nearly 90 percent of Android devices are not running the latest version of the mobile platform, which means attackers have a fairly substantial pool of victims to target. They don't need to worry whether Google had closed a security flaw in the current version since the majority of the users would still have the flaw, Soghoian said.

The Android story is very different from what Apple users have to deal with. When Apple releases a security update or a new feature, iOS users just plug their devices into their computer and get the carrier “whether or not their respective regional carrier likes it,” Soghoian said. Users are able to jump to the new version within days, or weeks, of Apple releasing a new iOS version, as opposed to months (or never) that Android users have to wait.

Android users “get updates when the carrier want it, and when the hardware manufacturer wants it. And usually, that's not very often,” Soghoian said.

The key difference boils down to power, Soghoian said. Apple has it, Google doesn't. When Apple was working on the first iPhone, the company approached Verizon about being the first carrier to have the phone. However, Apple refused to relinquish any control over the hardware or the software (down to not letting the carrier put a logo on the phone case at all), so Verizon balked. Apple didn't back down and gave the first phone to AT&T who agreed to the conditions.

When Google released Android, the situation was very different. The company released it as an open platform and allowed manufacturers and carriers to make modifications. The problem with this flexibility, however, is that if there is a feature that the carriers view as a threat to their business, the carriers “fix” the problem by disabling that functionality on the device, Soghoian said. The carriers don't see the financial benefit of allocating resources to release timely updates, so they don't bother.

When Google updates Android, the manufacturers have to update their custom version with the fix, and then the carrier has to apply the changes. There is a lot of “finger-pointing” about who is at fault, but the end-result is that consumers don't get the updates, Soghoian said. It's particularly galling when users are frequently locked into two-year contracts, and some devices rarely get a software device. Even those who get updated once rarely ever get a second update, he said.

Soghoian cited a recent report from Duo Security illustrating how some LG Android devices were up to 16 months behind in getting updates, and some Samsung models were down 13 months.

“With Greater Power Comes Great responsibility," Soghoian said, citing Spider-man, but noted that the the wireless companies want the power without the responsibility.

Soghoian made a point of saying Google wasn't at fault, saying the company's engineers fix issues quickly. “Google's team will usually fix it very promptly and make it available to all of their hardware partners,” Soghoian said. “The problem here is that fixes for critical security vulnerabilities are simply not getting downstream and reaching customers,” he said.

In fact, the safest Android phone is the Nexus S, which Google retained full control over, Soghoian said. The success of the update mechanism for the Nexus S is something Google has to be quiet about because of potential business tensions about trumpeting the benefits of their own products over their partners' phones, he said.

“The wireless carriers are public enemy number one when it comes to security,” he said. Soghoian believed the carriers need to relinquish control of the updates and allow Google to push out updates directly, or step up and release updates in a timely manner regardless of how much they don't want to. However, neither option is likely unless Congress steps in, Soghoian said.

“With Android, the situation is worse than a joke, it’s a crisis,” said Soghoian

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.