Android fragmentation turning devices into a toxic hellstew of vulnerabilities


Summary: With vulnerabilities such as Heartbleed and Pileup likely to go unpatched on tens, if not hundreds of millions of Android devices, the platform is fast becoming a toxic hellstew that should send chills down the spines of IT admins.

Some Android versions are vulnerable to Heartbleed

I'm a big fan of Android, not only because I use the platform, but also because I feel that competition in the mobile space has been good. This competition has allowed a technological version of Darwinian evolution to come about that makes the strong platforms even stronger while at the same time weeding out those floundering in the shallow end of the mobile tech gene pool.

Android itself is a strong operating system, but the way the platform is delivered to end users is critically flawed. Rather than taking the iOS approach, where Apple pushes updates to users directly, Google chose a much more convoluted route.

Whenever Google releases either an update to Android – whether that's tweaks and bug fixes or critical patches for serious flaws – or a completely new version of the operating system, the code first goes to device OEMs to be customized with their own tweaks and personalizations. Then, for smartphones and tablets tied to a carrier contract, the carriers get a chance to add their own branding. Not only is this a long chain, but the problem is made far worse by the fact that neither the OEMs nor the carriers see much benefit in pushing free software updates to existing customers; they would much rather sell those people a new device.

Bottom line, unless you buy a smartphone or tablet from Google -- and pay the full, unlocked price -- then you're at the mercy of the OEM and carriers.

One of the biggest problems with this fragmentation is that a huge number of users – numbering in the hundreds of millions – are being left vulnerable to malware and data theft as a result of bugs and vulnerabilities in code they have no way to update themselves.

Two security issues that have surfaced lately highlight just how serious this problem has become. First there were the Pileup bugs, which according to the researchers who found them left every Android-powered smartphone and tablet – more than a billion devices in all – exposed to privilege escalation: a malicious app installed on an older version can request permissions and other resources that only exist in a newer version, and is silently granted them when the device finally receives that update, so the long-awaited update itself becomes the attack vector. Then came the Heartbleed OpenSSL bug. It turns out that this bug reaches much closer to home than servers: Google has confirmed that Android 4.1.1 Jelly Bean is affected, and that patching information has gone out to its partners, which puts the fix right back into the OEM-and-carrier pipeline described above. That might seem a limited issue until you realize that the 4.1.x series powers some 35 percent of all Android devices currently in use.
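To make the Pileup mechanism concrete, here is a toy model of a package manager's upgrade path, written for this page and not taken from Android's PackageManager or from the Pileup paper. The platform versions, the permission names (including the hypothetical READ_FUTURE_DATA) and the app are constructed, and the hardened variant is simply the obvious fix, not a claim about what Google shipped:

```python
"""Toy model of the Pileup 'permission preemption' flaw in Android upgrades.

Added illustration written for this page, not Android's PackageManager code.
Platform versions, permission names and the app are constructed; the
hardened variant is one obvious fix, not a claim about what Google shipped.
"""
from dataclasses import dataclass

# Constructed: which permissions each platform version defines. The
# "READ_FUTURE_DATA" name is hypothetical; it stands for any permission
# introduced only in the newer release.
PLATFORM_PERMISSIONS = {
    "4.1": {"INTERNET", "READ_CONTACTS"},
    "4.2": {"INTERNET", "READ_CONTACTS", "READ_FUTURE_DATA"},
}


@dataclass
class InstalledApp:
    name: str
    requested: frozenset              # every permission named in the manifest
    granted: frozenset = frozenset()  # what the user actually consented to


def install(name, requested, version):
    """Initial install: only permissions the running platform defines can be
    granted. Unknown names stay in the manifest but are not granted."""
    known = PLATFORM_PERMISSIONS[version]
    requested = frozenset(requested)
    return InstalledApp(name, requested, requested & known)


def upgrade_vulnerable(app, new_version):
    """Upgrade path modelled on the flaw: re-resolve every manifest
    permission against the new platform and grant whatever now exists,
    with no further user consent. A permission that was unknown at install
    time is silently handed to the app here."""
    known = PLATFORM_PERMISSIONS[new_version]
    return InstalledApp(app.name, app.requested, app.requested & known)


def upgrade_hardened(app, new_version):
    """Hardened upgrade: carry forward only permissions already granted (and
    still defined). Anything the user never consented to must go through a
    fresh, explicit grant rather than being granted on upgrade."""
    known = PLATFORM_PERMISSIONS[new_version]
    return InstalledApp(app.name, app.requested, app.granted & known)


def escalated_on_upgrade(upgrade):
    """Run the scenario: an app installed on 4.1 requests a 4.2-only
    permission, then the device is updated. Returns the permissions the
    app gained without the user ever being asked."""
    before = install("weather-widget", {"INTERNET", "READ_FUTURE_DATA"}, "4.1")
    after = upgrade(before, "4.2")
    return set(after.granted - before.granted)


if __name__ == "__main__":
    print("vulnerable upgrade grants:", escalated_on_upgrade(upgrade_vulnerable))
    print("hardened upgrade grants:  ", escalated_on_upgrade(upgrade_hardened))
```

The point of the model is the asymmetry: the app declares the permission on day one, when it is harmless because the platform does not know it, and the grant happens months later on a device the user believes is being made safer. The longer the OEM and carrier pipeline delays that update, the larger the installed base waiting to be escalated.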

That's a huge problem, and one that is likely to hang around until these devices either die or are taken out of circulation. Given that over 17 percent of devices out there are still running Android 2.3.x Gingerbread, a release that dates from late 2010, that could be years.
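For readers who have only seen Heartbleed described as a server problem, the following toy model shows why it bites a TLS client like the OpenSSL build in Android 4.1.1 just as well: the flaw is in how a heartbeat message's own length field is trusted, whichever side receives it. This is an added illustration written for this page, not OpenSSL's or Android's code; the receive buffer, its stale contents and the records are all constructed. The unchecked handler sits beside one shaped like the actual fix, which drops any request whose claimed length does not fit in the record that arrived:

```python
"""Toy model of the OpenSSL TLS heartbeat handling that Heartbleed exploited,
with the unchecked and the bounds-checked variants side by side.

Added illustration written for this page, not OpenSSL's or Android's code.
The receive buffer, its stale contents and the records are constructed.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3       # 1 byte type + 2 byte payload length
PADDING = 16         # heartbeat messages carry at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None):
    """Build a heartbeat request. A claimed_len larger than the real
    payload is the malformed message at the heart of the bug."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING


class RecordBuffer:
    """Stand-in for a reused allocation: bytes from earlier records remain
    beyond the end of the record currently being processed."""

    def __init__(self, stale, size=4096):
        self.mem = bytearray(stale.ljust(size, b"\x00"))
        self.length = 0          # length of the record actually received

    def receive(self, record):
        self.mem[:len(record)] = record
        self.length = len(record)


def _parse_header(buf):
    return struct.unpack("!BH", bytes(buf.mem[:HEADER_LEN]))


def respond_vulnerable(buf):
    """Trusts the length field: copies 'claimed' bytes out of memory
    regardless of how many bytes the record really contained."""
    hb_type, claimed = _parse_header(buf)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    echoed = bytes(buf.mem[HEADER_LEN:HEADER_LEN + claimed])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def respond_fixed(buf):
    """Mirrors the shape of the OpenSSL fix: reject records too short to
    hold a header, and discard any request whose claimed length plus
    header and minimum padding exceeds the record actually received."""
    if buf.length < HEADER_LEN:
        return None
    hb_type, claimed = _parse_header(buf)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed + PADDING > buf.length:
        return None
    echoed = bytes(buf.mem[HEADER_LEN:HEADER_LEN + claimed])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def leaked_bytes(response, sent_payload):
    """Bytes echoed back that the requester never sent."""
    claimed = struct.unpack("!BH", response[:HEADER_LEN])[1]
    return response[HEADER_LEN:HEADER_LEN + claimed][len(sent_payload):]


# Constructed stale data: a plaintext HTTP request decrypted earlier on the
# same connection, still sitting in the buffer past the current record.
STALE = b"GET /inbox HTTP/1.1\r\nCookie: session=s3cr3t\r\n\r\n"


def run(responder, claimed_len=60):
    """Send a 2-byte payload that claims to be claimed_len bytes long and
    return whatever the responder leaks (None if it drops the request)."""
    buf = RecordBuffer(STALE)
    buf.receive(build_heartbeat(b"hi", claimed_len))
    response = responder(buf)
    if response is None:
        return None
    return leaked_bytes(response, b"hi")


if __name__ == "__main__":
    print("vulnerable leaks:", run(respond_vulnerable))
    print("fixed leaks:     ", run(respond_fixed))
```

On a handset the "stale" bytes would be whatever the app last decrypted over that connection, which is why a malicious Wi-Fi hotspot or server talking to an unpatched 4.1.1 device is the scenario that matters here, not the web servers that got most of the attention.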

Android's fragmented ecosystem, and its reliance on OEMs and carriers to push updates to the majority of users, has finally caught up with the platform. This should send chills down the spines of IT admins who have embraced Android for BYOD. It would chill me to the bone, and it would make me think twice about allowing old Android devices inside my digital fortress. The same would go for old iOS devices, but there some 87 percent of users are running iOS 7, with a further 11 percent on iOS 6. Fragmentation is far less of a problem there because Apple pushes updates directly to users.

Android needs to get its house in order, and only Google can do that, either by strong-arming the OEMs and carriers or by making it possible to update the operating system without going through the carriers at all.

Topics: Mobility, Android, Security

  • Consumers dictate OEMs behavior

    Nobody seems very interested in regular updates for a long time for android devices.
    Maybe one day a brand will start to really make a difference with that and maybe, just maybe others will follow.
    Selling a shining new device is always (it seems) more appealing, for makers and for customers.
    • Agreed. The only people who seem to care about updates are technical people

      Everyone else seems content to use whatever they're using. And my rule of thumb for any purchase is: Do it based on what it does today and not some expectation of what it could, will, or is promised to do in the future. I got burned by Apple back in the Rhapsody days.
      • "The only people who seem to care about updates are technical people"

        Last I heard, 87% of iOS users have upgraded to v7. I didn't realize so many technical people used iOS devices.
        • How Many

          of them, outside of the speed readers, knew what they were doing?
          • It doesn't matter whether they had the faintest clue or not

            The simple fact of the matter is it was very easy for them to apply the update, no carrier held them back from the update, and they just did the update.

            If the user takes the right action to ensure their security, their intricate knowledge of why they did it doesn't really matter very much.
          • Therein Lies The Problem

            Hip Hip Hooray! 87% of iOS users clicked the update button at the behest of a prompt, most of them without knowing the consequences of their action. Why? Because they have been socially engineered to do so.

            Doesn't this make them Ripe For The Picking?
          • How?

            Only if someone were to figure out how to spoof the app store. Updating is generally considered a GOOD security practice FYI.
          • As opposed to...

            never being given the opportunity to update?

            While I won't argue that some do just click the button when prompted, any update I've ever been prompted for has given me the option to read what that update offers.

            Personally, I think the practice of being "socially engineered" to never expect updates and just accept bugs and vulnerabilities is far more dangerous.
          • That is the problem

            The users had a red circle with a 1 in it to indicate an update, so they pressed the button. If it hadn't shown up, they wouldn't have noticed and they wouldn't have complained.

            The same is true on Android, when an update does come along and the device says they should update, they update. If it doesn't say they should update, they carry blithely on.

            Google issuing a blog post with update information won't help. Sites like this won't help much. It would need to appear on the main news that all Android users should update immediately or switch off their devices, then maybe they would start to question their carriers and handset manufacturers: where are the updates?
        • so when most of the users updated from iOS5 to iOS6

          They went from uniformly secure to uniformly insecure for 18 months thanks to the update.
        • They make it dead simple.

          They even tell you to do it, I've been nagging my boss to upgrade her SGSII from Gingerbread for over a year, has she? No. Most not tech savvy people do not give a shit, they follow a prompt if they're told, but they don't care if they're running GB ICS JB or KK, so long as they can text and call they're happy.
      • What you don't know *can* hurt you

        And OEMs would much rather sell new hardware than push out system updates for free (or even sell them) on old hardware.

        Yet another case where the interests of the vendor are different than those of the customer.
        John L. Ries
      • burned in rhapsody days??

        give it up!!
    • That might happen

      But then, no one wants to admit their tool wasn't designed properly the first time.

      We don't expect our hammers and screwdrivers to auto-update, do we? :)
      • Bad analogy...

        Hammers and screwdrivers are simple and single-purpose tools. No need for updates; the update cycle would be a new purchase of the same thing.

        An OS is a tool, but it's also a multi-purpose piece of software, and the updates can happen often and at any time, and without the user (the tool "owner") having to be involved directly.
    • re: wrong

      AT&T, Verizon, Comcast, and Time Warner Cable dictate consumer options, period. They also pretty much dictate what Congress does about it, which is nothing.
      Sir Name
      • that doesn't explain the iPhone

        Apple has been able to buck two of the four you named for its iPhone. Not so much for TV though.
      • That's why

        I always buy an unlocked phone on Amazon or similar online store and get a SIM only contract. 9€ a month for 100 minutes and texts with data flat is enough for me, although my wife pays the extra 10€ for flat rate calls and SMS.
  • Shocker

    I bet absolutely no one could see this coming!