As mobile devices become more and more capable, they have become a more attractive target for attackers. They contain lots of sensitive information that could lead to serious problems if that information ever got into the wrong hands.
In many ways, Android parallels Microsoft’s Windows OS on the desktop:
- It was designed for widespread adoption first and foremost
- Many manufacturers
- No standard form factor – designed to run in many mobile operating systems
- Manufacturers of Android devices are increasingly low margin
- Very high market share, which makes it an enticing target
Analogies are never perfect of course, but the parallels are quite striking. Windows was designed to be “run everywhere” and in some ways, Android matches that.
Is my data in danger?
Well, if you own an Android phone (I do and given Android’s market share, many people do), this is a pretty big deal for you. This post will focus purely on Android. Truth be told, all operating systems are vulnerable, but there are some particular problems with Android that I would like to discuss that make it especially problematic.
Android has a lot of system vulnerabilities that are slowly being uncovered with time. I don’t know what specific vulnerabilities will be uncovered. If I knew, I’d submit the information to Google right away.
But I can say that your phone is very likely vulnerable. That could mean loss of sensitive information, possible risk of identity theft, or whatever you have on the phone being widely read.
I’m not in a position to give you a firm yes or no as to whether or not your data is in danger tomorrow. Nobody really knows or the exploit would have been patched.
The Challenges with Android
One of the big challenges facing the Android operating system is that it was designed for adoption first, rather than with security in mind. This has in the past led to serious security vulnerabilities being uncovered and quickly being patched. Poor security is one of the reasons why Blackberry still sees very widespread usage in the enterprise. Over the past couple of years, there have been quite a few big security vulnerabilities uncovered.
Ars Technica has a great article about the potential security risks behind this model. The problem is that this adoption comes at the expense of security. Any security update has to be identified, then Google has to patch it, then the manufacturers have to patch their phones, and perhaps for carrier branded phones, they have to patch as well. There are numerous flaws with this model:
- Although Google generally does patch security updates fairly rapidly, it will still take time to identify, test, and patch.
- The manufacturers are a huge, huge barrier here. First, they only patch the newer phones. Second, the phones that do get patched have to go through the manufacturer’s custom skins, introducing further delays.
- In the case of carriers, they may have to patch as well.
Each step results in delays and potentially prevents every vulnerable phone from receiving necessary patches. Worse, most older devices will never get patched completely. The manufacturers here deserve the bulk of the blame. The problem I see is that what is good for manufacturers (deliberately not patching their devices to the latest version of Android) is totally at odds with what is in the best interest of the consumer.
I’m reluctant to blame Google for this mess, as to their credit they do acknowledge and patch promptly. To their credit, they also do patch older versions of Android. I think though, it would be fairer to criticize Google for not taking greater control over the situation. They need to take greater control of the Android OS with regard to security and perhaps, as the Ars article notes, follow in Microsoft’s footsteps. Perhaps though it would be fair to blame Android (the original company) and Google for not having the foresight to recognize the implications of designing for adoption first, without considering the security implications. Whatever the reasons though, Google will have to play a major part in addressing the problem.
It will not be a perfect solution, but the status quo is very much a disaster in the making. Someday I think there will be a big security risk uncovered that will affect many devices. For now though, it may be best to protect yourself. If you wish to buy an Android phone, I recommend purchasing a phone that is:
- A Nexus device (assured to receive rapid updates and a large community at XDA). Despite any other flaws the Nexus may have, such as a non-removable battery and non-expandable storage, they still do get the fastest updates.
- A device from a manufacturer with a reputation for quickly patching (Nvidia and Asus come to mind).
- Finally, a device that is assured a large development community. This will likely entail a popular device with a Qualcomm Snapdragon SOC. The reason why I do not recommend other SOCs is that MediaTek, Samsung, and the other major SOC vendors often do not release the data needed to make AOSP based systems.
This may seem rather restrictive in device choice, but it is the price for rapid updates.
Could Android do better?
To begin with, I’ll note that Apple has been supporting their phones for a very long time. I do not agree with all of Apple’s business practices, but this one, they did correctly.
The Ars Technica article advocates for Google, like Microsoft, patching regularly. Right now Google has pledged monthly updates. A few of the other manufacturers have followed. Right now Android manufacturers have a lot more control than Microsoft would allow.
The problem here is that there is a huge delay. A month is far too long for a vulnerability to go unpatched and, depending on the nature of the attack, I’d argue it could hit a lot more devices. The other problem, of course, is which devices get it. The bottom line is that, with the possible exception of Nexus devices and the ones that are getting regular XDA updates, I don’t think that most phones are going to get much in the way of security updates.
Why? Most manufacturers have already demonstrated a poor record when it comes to delivering frequent updates and tend to abandon their phones far too quickly. Actually, what is good for the manufacturers is completely the opposite of what we as consumers want, namely frequent, timely updates. They want to sell more phones, and to do that, I suppose many probably see not providing such updates as a “planned obsolescence” way to address that, alongside non-removable batteries. That’s a huge problem, especially as the margins for smartphone vendors shrink. Even the mighty Samsung is facing declining margins. The problem here is that we are essentially asking manufacturers to direct their already small margins towards fixing security problems as they emerge. Actually, many smaller firms are losing money as is, and the others just barely break even. I don’t think that they will comply.
Telecom carriers too are a problem as they introduce delays or demand customized variants of existing phones in the hopes of attracting more customers.
I think that in the end, Ars may be right, there may be no choice but to have Google exert a lot more control over the Android operating system.
How could such a model work?
It would work very similarly to how Microsoft controls Windows 10 Mobile or even Windows on the desktop.
- Patches would be delivered by Google directly, so all phones would run stock AOSP, save with drivers for their hardware
- Manufacturers would not be allowed to customize the core operating system underneath, save for adding custom software and perhaps allowing for themes to modify appearances (perhaps this could end up like Linux, where there are environments such as KDE, Gnome, Cinnamon, etc)
- Google would patch quickly (which it already does) and roll out the updates
The advantages of this are simple:
- There will be much less time between when a vulnerability is identified and when it is patched.
- All phones, not just newer ones, are patched.
- Google could also introduce the latest version of Android to all phones quickly.
- If there are performance updates, such as those introduced in Android 2.2, they can be updated to all phones.
These are essentially the main advantages that Apple has with the iPhone, only now Google has them. In some ways, this is what Windows Phone already offers.
Google would have to maintain large testing facilities to make sure that its updates don’t break anything (Windows updates are known to at times do that), but I think that is trivial compared to the security problems.
I would also recommend redesigning substantial parts of the operating system for security first.
What will realistically happen?
I do not believe that many smart phone manufacturers will agree with my ideas. They are desperate to protect their already thin margins and they seem to think that skins, along with other customizations, add value.
I’d argue that often, much of the customized software tends to take away value. It slows down the operating system, adds lag, and prevents updates that would otherwise be much easier to port. So we will not see this, unless Google gets much more assertive.
One of two things happens:
- Google gets more assertive.
- We learn the hard way.
Google gets more assertive
If Google gets more assertive, I think that it will be able to get what it wants. Some will protest, but they do not have much power.
The reason is that manufacturers already have nowhere to go. This is not for lack of trying. Tizen, although a modest success, is nowhere near overtaking Android. I don’t see any alternatives doing so either. Windows Phone has largely failed to take a large part of the market as well. The only threats are the various attempts to build an Android variant locking Google out (and I will note that these will end up needing security updates too or they will learn the “hard way”). I’d love to see a Linux mobile variant take off, but I’m skeptical about its success prospects.
The other threat to Android of course, is Apple. By taking over greater control, Google can largely negate one of Apple’s biggest advantages. They cannot though negate other advantages, such as Apple’s outstandingly well designed SOCs. Perhaps if Google were to design its own SOC and then optimize Android around it, that might be possible. But that would mean Google becoming an ARM licensee and would require years of expertise to build up. I suppose it could also change the relationship that it has with Android manufacturers.
This is the outcome that I hope will happen, but seems unlikely. I think it’s unfortunate, but Google has shown no indication of wanting to take control. We have seen a greater part of Android being pushed onto Google services and less onto AOSP though.
We learn the hard way
The hard way is that manufacturers push back and cling desperately to the status quo. In that case, we might see someday a huge bug of some sort. It will affect millions of devices around the world. People may lose valuable personal data and be compromised. Android and by extension, Google’s reputation may be damaged. Certainly many manufacturers would be as well. We could see a spike in sales in that case, of Apple and other competing operating systems.
At that point, the situation will force Google to take control. If telecoms are affected, they might actually pressure Google to take charge of the situation rather than resist, for fear that they will be harmed. The disjointed nature of Android could see many, many devices harmed. The market share of Android makes this a very attractive target for that reason.
I mean, this would not be the end for Android, but much like many of the bugs that affected Microsoft, it would force radical changes. Perhaps there would even be legal action under the circumstances. Android’s reputation would be negatively affected and its deployment in the enterprise, already in question, would be questioned even more because of its poor security, unless Google attempted to make major, major changes.
I would like to avoid this worst-case scenario, but I fear that it may be inevitable. We can only hope that the worst vulnerabilities are identified by Google, security companies, or White Hat-type groups and quickly rectified, before they become exploited by malicious actors.
Android’s operating system is currently far from perfect. This is by design and because Android was made for adoption, not security. This affects millions of mobile devices. It may even provide an opportunity for a competing operating system to seize a substantial part of Android’s existing market share if a big security nightmare ever happens.
I believe that unless Google takes greater control, there will someday be many bugs that will widely affect Android and compromise the security of millions of users.
I just hope that someday, we’ll see a more secure Android. Actually, I have been wanting to write about a potentially more secure operating system. That will be for a future post.