Android should embrace a Windows-style security update model

Summary: Google fixes Android's security problems relatively quickly, but the OEMs and carriers are painfully slow to implement them. Isn't it time for Google to take a page out of Microsoft's playbook and implement regular direct-to-user security updates?


When it comes to security, Android in 2013 is a lot like Windows in the 1990s and much of the 2000s: a mess. Still, Microsoft got one thing right with security early on. Starting with Windows 98, Microsoft released regular direct-to-user security updates with Patch Tuesday. It's high time Google followed Microsoft's lead and started implementing its own direct-to-user security patches.

Google needs to force end-user Android security updates on OEMs and carriers.

Google does a decent job of fixing Android security holes. For example, the Bluebox Security hole was fixed three days after it was publicly announced. That's great as far as it went, but the Android OEMs and carriers have released the patch for only a handful of smartphones and none of the tablets.

This is unacceptable.

True, you'd need to ignore Android security basics to pick up an infected program, but there's a security fool born every minute. Besides, while today most Android malware infects devices via third-party Android app stores and questionable malware-laden Web sites, it's only a matter of time before hackers adopt more subtle ways to introduce malware into Android devices.

In short, Google needs to tighten Android's security. True, Google has introduced such advanced security features as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) in Android 4.1, Jelly Bean. That still doesn't protect you from all malware.

On top of that, only 37.9 percent of Android users are running 4.1 and higher. Over 60 percent are running earlier, more vulnerable, versions of Android. In addition, just like Windows, there are always new Android security holes being discovered and exploited even in the latest and newest versions.

Security is a never-ending battle.

While Microsoft's answer has its problems--for every Patch Tuesday, there's an Exploit Wednesday--at least Microsoft's approach ensures that careful users will be protected from most security holes regardless of whether they're running a Dell laptop, an HP PC, or a Lenovo ThinkPad.

Google needs to take the same approach. Just as Microsoft releases patches for everything from XP to Windows 8.1, Google needs to push security patches from at least Android 2.1 Eclair, which still has 1.4 percent of the market, to market-leading Android 4.1 and up.

Microsoft doesn't depend on the big PC vendors to deliver patches and Google shouldn't either. As this latest episode shows, neither the OEMs nor the carriers can be trusted to keep their users secure.

Google needs to sit its Android OEM customers down and tell them that since they can't, or won't, deliver security patches, it will do it for them. Microsoft did it with Acer, Asus, and all the other PC vendors; Google must do it with HTC, Samsung, and all its smartphone and tablet partners.

The alternative is for Android's users to be permanently vulnerable to both old, long-fixed security holes and the latest malware.

  • How could Google ensure compatibility with vendor customizations?

    Google has no way of knowing how a vendor may have modified the basic Android code, so how could Google push updates out safely? Do vendors only add custom skins, and leave the core code alone?
    • This

      Thank you.
    • word is that Google is pushing OEMs

      to make skins that don't change the core code going forward. it's yet to be seen to what extent that will actually happen though. android is open source after all.
      • but Google does have

        the OHA as leverage, so they might be able to do it for the major OEMs at least.
    • Sad but true

      That's why I (would) NEVER buy any device not from a major manufacturer.
      Unless it's a throwaway, cheap thing.
      (Even some of the "major" manufacturers have poor or non-existent updates.)
    • Zogg: "Do vendors only add custom skins, and leave the core code alone?"

      Not likely all vendors. One example is Samsung's KNOX solution for Android, where they have introduced SE for Android code into Google's stock Android for OHA members (or, perhaps, AOSP?). More on KNOX and the SEAndroid Project:

      Samsung is clearly after two things here: (1) differentiating their products from other OHA handset manufacturers and (2) improving Android security in an effort to increase device sales in the enterprise market.

      P.S. I, for one, am glad to see SELinux find its way into Android and I hope that it is also accessible to consumers (more likely, prosumers) to enhance their personal device security. In addition, if Google is dragging its feet with Android security, then other OHA members have the freedom to move forward on their own.
      Rabid Howler Monkey
  • Here is a better idea.

    Android is a poorly designed platform and is dumped on the market to benefit Google and other thugs. Users' privacy and security are lacking from all Google products. On top of that, they are releasing security vulnerabilities in competitor products publicly. How can such a company be serious about security?

    The better solution for Android user security is to switch to competing mobile platforms.
    • Lol @ Owl...lNet

      To be fair, you'd have to be a total tool to be affected by most Android stuff, like if you believe shaking your phone could recharge the battery with a certain app....

      Almost all (dare I say all) known exploits rely on third-party app stores, or apps being installed by the user. With C++ and application security, they don't obscure private class members because a library user with a pointer could potentially find them; you assume that anything using the library is legit. Android assumes that anything you install you meant to install. Which is kind of the job of any OS. SOOOO

      If you install a third-party app store and download stuff from it, if you consent to the required permissions, Android - SHOCK - gives the application those permissions.

      Releasing details about exploits is needed; however, some companies choose to ignore them until they are released. That's a whole different debate.
    • owlnet is a Microsoft fanboy who ALWAYS trumpets their products over Goog.

      So the better solution is to ignore everything he says and try it yourself.

      Apparently we are always better off paying Microsoft (a company who has perhaps made the three most security-poor programs in history by number of critical updates) than we are to accept a free and fast-developed Android platform that is majority licensed under the BSD license.

      In other words, he is a troll or a paid shill; either way his opinion is not relevant.
      • @frankieh

        Even if you buy Android, you still will be paying MS fees :-P
    • @OwlllllllNet

      Well, the article is about how to improve security in Android. Not a marketing pitch or a discussion about how to avoid Android malware.

      I understand you like MS more and hate Google even more. However, giving your opinion in the discussion won't help your reputation, buddy. You are a geek. So add your knowledge to the discussions and not your opinions. You have a better chance of making others see your point of view that way.
  • Hell froze over

    SJVN said something nice about Microsoft and Windows
    Dreyer Smit
    • Android

      This is one reason I never liked Android. It's a security nightmare. iOS comes with updates regardless of when the device launched and Windows will always get updates given it remains in the support timeframe.

      Seriously, Google needs to plug this black hole before it destroys their platform.
      Dreyer Smit
      • No, iOS DOES NOT

        An iOS upgrade comes out about once every two years, and a device is deprecated after the second major upgrade. iPad 1 users haven't had any iOS updates since 5.1.1 - which was launched only 2 years after the device launched. This is Apple policy.
        • iOS gets a major upgrade every year.

          With multiple updates within the year (from 4-8). I have no idea why you would think iOS only gets updates once every 2 years. So far, the iPad 1 is mostly unique in how fast it was deprecated. But even the iPad 1 was maintained longer than models like the Nexus One.
          • Seriously?

            Please, tell me how big the update on iOS 6 or 7 is, please, and how the improvements reach the platform.

            About the main post, Microsoft... seriously? They made Windows Phone 7 without updates! It's a major upgrade and no device has it! At least... iPhone 4 has iOS 7 and Samsung Galaxy S2 has 4.2.2.
          • WP7 got updates

            @waltercool, Windows Phone 7 was updated to 7.5 then to 7.8.
          • @CageySee

            You missed the NoDo update :-)
        • show me one android handset that gets an update 2-3 years after launch...

          Unless it's a Google product or possibly Samsung, none get them.

          The iPhone 4 will see iOS 7, without the bells and whistles but with the security updates and that is a HUGE difference from Android. I purchased a Google Nexus because I didn't want to resort to rooting to get updates. 99% of the population shouldn't have to root their device to get an update - As a matter of support, manufacturers should provide updates...
          • My old Xperia.

            It came out with Android 1.6, then they upgraded it to 2.1, then 2.3.3,

            over a period of 2.5 years. So it does happen. Nexus devices are updated until they are no longer capable of running the newest version.