"Android." Thud. "Android." Thud. "Android." Thud. That's the sound of my face going straight down into my desk this week as news emerged that US government authorities had issued a warning: Millions of Android users are vulnerable to security threats, including many of their own law enforcement officers and other officials. Yeah, look, thanks for joining us, guys. Various sections of the security community have been saying this very same thing for years.
In October 2011, AVG's chief technology officer Yuval Ben-Itzhak told me that they were already seeing advanced Android trojans that could record and save conversations, uploading them to a server later. Even before that, in March 2011, the DroidDream trojan managed to compromise more than 250,000 unpatched Android smartphones.
"The hackers will always be where users are," Ben-Itzhak said. "If everyone now is using Android on their phones and downloading the popular games and the popular apps, then surprise, surprise! The hackers will be there."
As the US warning (PDF) reminds us, Android is now the world's most popular mobile operating system and "continues to be a primary target for malware attacks due to its market share and open-source architecture ... The growing use of mobile devices by federal, state, and local authorities makes it more important than ever to keep mobile OS patched and up to date."
Patching is probably a good idea, yes, but we can't blame the FBI and DHS for having to keep reminding people of this. Maybe it needs to be tattooed on their foreheads.
Who we can blame, though, is the uncoordinated troika that comprises the Android industry: Google, the device manufacturers, and the telcos.
Handset manufacturers naturally want to differentiate their devices with unique applications and their own idiosyncratic ideas of what a slick smartphone user interface should look like. That's steadily becoming their only path for product differentiation, given that hardware capabilities are likely to plateau.
Telcos naturally want to fill the devices they sell with bloatware designed to channel traffic back to their content services. That's steadily becoming their only path for increasing revenue, given that the per-user revenue for raw communications services is declining.
Both of these players need to coordinate the development and testing of security patches with Google before those patches can be released. But neither of them have traditionally worked to the rapid development cycles needed to counter the new security threat landscape.
Consumer electronics used to be a sell-and-forget industry, bar the occasional repair service. Telcos used to supply hardware that lasted for decades. But reprogrammable network devices that form part of a living, evolving network under constant attack? They ain't in Kansas anymore, folks! And both would rather be selling the next shiny bright model to achieve the next quarterly results.
Not upgrading old devices to more recent versions of Android is one thing — older devices might lack the hardware grunt for a more demanding operating system. But security patching is quite another.
The personal computer industry learned long ago that consumers don't always follow their ideal planned-obsolescence cycle. Businesses upgrade when it makes business sense for them, not because vendors have a new product to flog. Operating systems stay in use far longer than expected, and need to be supported. Just look at Windows XP.
The Android industry needs to learn the same lesson. All three participants in the troika are involved in selling a network device into what we now know is a hostile environment. Quite frankly, if they're not working hard to be part of the solution to all those cyberthreats, then they're part of the problem.