Heartboned: Why Google needs to reclaim Android updates

Summary: Despite the best efforts of Google, last week's Heartbleed events show that much work remains before Android is up to par on its updating process.

TOPICS: Security, Android

"This one matters," said the SANS Institute in its briefing on the Heartbleed OpenSSL security flaw last week.

As far as security incidents go, this one was a doozy: not only did it affect the majority of secure websites across the internet, clients were later found to be just as vulnerable.

The encouraging aspect of this issue is that many sites were swift to patch and re-issue their SSL certificates, and a good thing too: any server that ran one of the affected OpenSSL versions should be assumed to have had its memory dumped at any point during the two years this bug avoided detection.

On the flip side, though, it is absolutely damning that a Jelly Bean version of Android that is almost two years and three releases old has been found to be vulnerable to Heartbleed.

Of all the mobile operating systems that could have been impacted, fate decided to choose the one that upgrades between major versions at a pace that makes glacial an overstatement.

Despite the fragmentation between differing versions of Android, it just happens that the impacted 4.1.x series of Jelly Bean is the version with the largest userbase by some stretch.

In statistics published by Google at the start of the month, of Android devices that are accessing Google's Play Store, 5.3 percent of users are on the most recent KitKat release, 8.9 percent are on Jelly Bean 4.3, 18.1 percent use Jelly Bean 4.2, and 34.4 percent use the impacted Jelly Bean 4.1 series that was first released in mid-2012.

Given that 4.1 has been superseded for well over a year, and many flagship devices have been upgraded beyond that point, any devices left on Jelly Bean 4.1.1 or 4.1.0 are likely to remain stuck on it for quite some time.

With Google not releasing breakdown stats on the percentage of Android devices using 4.1.1 and 4.1.0, the best to hope for at this point is that most of the 34.4 percent are marooned on the unaffected 4.1.2 version.

The Heartbleed scenario does raise the question of the speed of patching and upgrading on Android. Take, for instance, the Samsung Galaxy S4, released this time last year: it took nine months from the July 2013 release of Jelly Bean 4.3 for devices on Australia's Vodafone network to receive the update, whereas Nexus devices received it within a week.

Google's patch for 4.1.1 is now making its way through the handset makers and telcos that act as gatekeepers to Android updates; it will be a test of how rapidly the Android ecosystem's architecture can respond.

As someone that has suffered, and continues to do so, from a lack of expediency on Android updates, I'm far from confident that patching Heartbleed will be a swift and painless process.

Should this issue have impacted any of Android's competitors — iOS, Windows Phone, Firefox OS, BlackBerry — the companies behind those operating systems would have been able to unilaterally push out that update for millions of users.

Google has taken steps to improve its ability to update and abstract additional user functionality into a core suite of Google apps, rather than adding it into Android itself, but it can only do so much.

When an issue arises with a core library built into an operating system, the only way to resolve it is to push out a core update.

Once again, the reason for Android's popularity with telcos and handset makers, the ability to deploy customised versions of the operating system to promote one's own services and offerings, becomes its Achilles' heel.

Heartbleed is asking plenty of questions of developers. Regulation has been proposed for cryptographic code, the low level of funding for struggling projects that are core to many open source operating systems has been highlighted, and questions have been raised about why crucial security libraries continue to be written in ways, and in languages, where issues like Heartbleed can occur.

Here we are, with the rest of the computing world patching OpenSSL and re-issuing secure certificates, and Android's fix is caught somewhere in the abyss between OS maker, handset manufacturer, and telco.

From an Android perspective, it was lucky that Heartbleed did not impact the version of Android used by any Samsung flagship phones, or even Android 4.1.2. Stakeholders in Android need to inform consumers of what would happen if a major security issue in the kernel were to impact a widely-used Android release.

As it stands, the experience with the 4.1.1 patch has been less than great. Google is up to speed, it's everyone else involved that is dragging the chain. Should handset manufacturers and telcos continue to be less than expedient, Google needs to develop a way to unilaterally protect its users — and while it may seem drastic, it would merely put Google on par with its competitors.

Android dodged a bullet this time; the next time a similar incident happens, it might not be so lucky.

ZDNet's Monday Morning Opener is our opening salvo for the week in tech. As a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

  • re android updates

    Google provides the updates to the phone manufacturers... it is up to them to integrate it into their Android-based, user-interfaced OS.

    Each phone manufacturer has a different bastard version of Android installed.

    Unlocked Nexus devices have the pure Android OS and can be updated quickly without any tinkering.
    • Nexus is not Pure Android

      AOSP is pure Android
      • perhaps you forgot..

        You can't go buy an "AOSP" phone. You CAN go buy a Nexus phone. So what point are you trying to make anyway?
        • Pure Android Experience

          My point is the misconception often perpetuated by journalists using the "Pure Android Experience" cliche to describe a vendor (Google) modified Android version.
          • Yeah right

            In that case I'm not interested in 'Pure Android', I'm interested in Google Android, the one that runs on my Nexus phone, gets updated quickly and doesn't come with stuff I don't want or need pre-installed.

            Really, what are you on?
          • Nexus is the best

            And I also consider the Nexus to be the pure Android experience, as I cannot imagine Android without Google services (mainly the Play Store).

            I've got the original Nexus 7 tablet and never wait more than a few days after a release before it is available for my tablet.
          • Android without Google

            A perfect example is Amazon's Fire OS.
            It is Android without Google.
            A Kindle Fire is just as much "pure Android" as Nexus devices.
            The real pure Android is the AOSP code under the launchers and ecosystem customisations.
            Pure Android does not come with the GAPPS package. The Google apps on a Nexus are technically Google bloatware.
            Nexus is Pure Google, but calling it pure Android is wrong.
          • I'm on Samsung :P

            Yeah, tongue in cheek.
            But I'm not happy with what Google is doing with Nexus and the way they are "simplifying" the interface.
            I actually prefer the older tablet UI without the notification bar at the top, as reaching for the top of the tablet is not ergonomic, as well as an additional waste of space since the bottom section is already used by navigation buttons. I preferred it all popping up from the bottom right instead of the split left and right drop-downs. Even basic things like a battery percentage indicator in the notification bar are a missing option on Nexus tablets. Not being able to add or delete home pages is a glaring disability.
            If we are going to have the notification bar at the top, then the way Samsung does it is the best. Physical buttons without any section at the bottom for on-screen buttons. Samsung also has the edge swipe active at all times, so I can still pull down the notification section to toggle wireless or rotation lock while using fullscreen apps when the notification bar disappears. Not so with Nexus: you have to tap to get the on-screen buttons to show, and then pop out of the app to home before you have access to the notification bar to toggle any switches. It is too basic, lacking features, and tedious.
            Journalists like to toss around the "Pure Android Experience" cliche with Nexus devices, but the Samsung Steroid Experience is superior.
          • Oh. Well,

            the author of this attack is not a journalist, this garbage article just serves to make zdnet look absurd. So you probably are wasting your time trying to inform him of anything.
          • What?

            Since Google is Android, I do not understand your point?
    • You Forgot One Thing

      Google provides updates to the phone manufacturers like HTC, Samsung, and others, who take some time to integrate it with their software (Sense, TouchWiz, whatever). From there it goes to the carriers (AT&T, Verizon, T-Mobile, etc.), who have to give their seal of approval, and then the update finally goes out. HTC actually put out a piece on all the steps involved in the update process to give their users an idea of why it takes so freaking long. It's a very interesting read, which you must do if you haven't already. Just do a Google search for it; it's a very popular article.
  • If it works....

    My android phone is at least three years old now and I've never been offered an update from 2.2, probably because the manufacturer is only interested in moving new product.

    As far as the carrier is concerned, my phone is only used for voice and text. I get 5GB per month in data which I never use.

    If I want to look at ebay, facebook, or ZDnet, it can wait until I get home and have a decent sized screen instead of squinting in the street and getting hit by passing traffic. "Look where you're going. Your facebook status can wait."

    The only reason I replaced my last phone (a Nokia 9000 brick) was because I could no longer get replacement batteries. I have spare batteries for this phone living in the fridge, so hopefully it will last another three years.

    The only thing that would make me rush out and buy a new phone would be the release of one that gave extended battery life by using Kindle-style e-paper instead of an illuminated screen.
    • re: If it works....

      If the only thing you use your phone for are voice and text, why do you even own a smartphone?
      • Seriously....

        Get a flip phone, or a slider phone if you text a lot. 75 bucks, if you can't get batteries in 3 years just get a new one.
        • So maybe he wants access to the vast Google app library

          ... like maybe he used his phone as a PIM.
      • he didn't say that.

        There are lots of uses for both smartphones and computers without a network attached.
  • Simplest solution seems to be to buy Nexus, and not buy from carriers

    You save on the carrier not tying you to a lengthy plan and built in handset repayment costs that way as well.
    • Not so simple

      Nexus devices aren't available for use on all carriers.
      • Unlocked Nexus devices can be used

        My Google Nexus S phone, several years old now, is an unlocked device that I can put international SIM cards in for travel. Not my usual phone, but it works well enough. Probably should charge it up and see if the update is available.
  • How do Windows Phone updates work?

    Apple's done a fantastic job of providing OS updates for iOS customers. But AFAIK, I don't think they can force an update. So someone who has not updated to the latest version may still be vulnerable I imagine (not for Heartbleed - I'm talking in general).

    But I'm interested in why Microsoft is able to provide updates. How come they don't have the same issue with carriers? Manufacturers can't make OS changes to the same level as Android, but how do they get past carriers dragging their heels?