The Android 'toxic hellstew' survival guide

Summary: Android itself is a strong operating system, but the way that the platform is delivered to end-users is critically flawed. This survival guide gives Android users the information they need to stay safe.


Earlier this year I wrote about the sorry state of Android. In that piece I pointed out that rampant fragmentation of versions, combined with the reluctance of hardware makers and the network carriers to push updates out to users, was turning Android into a "toxic hellstew" of vulnerabilities.

Fast forward to last week, when Apple CEO Tim Cook took my headline and gave it airtime during the WWDC keynote speech, and the Hardware 2.0 mailbox is brimming with people wanting to know one thing:

"I'm an Android user. What can I do to protect myself?"

Before we go on to answer that, let's get a better handle on the problem.

A painfully flawed update mechanism

Android itself is a strong operating system, but the way that the platform is delivered to end-users is critically flawed. Rather than taking the iOS approach where updates are sent to users directly, Google chose to adopt a much more convoluted approach.

Whenever Google releases either an update to Android – whether that be tweaks and bug fixes or critical patches for serious flaws – or a completely new version of the operating system, the code goes to device OEMs to be customized with their own tweaks and personalizations. Then, for smartphones and tablets that are tied to a carrier contract, the carriers get a chance to add their own branding.

Not only is this a long chain, but the problem is made exponentially worse by the fact that neither the OEMs nor the carriers feel there's much of a benefit in pushing free software updates to customers, and would much rather focus on selling those people a new device. 

One of the biggest problems with this fragmentation is that a huge number of users – numbering in the hundreds of millions – are being left vulnerable to malware and data theft as a result of bugs and vulnerabilities in the code.

Deep integration with Google products and services

Another problem with Android is how deeply integrated the operating system is with Google products and services, and this can mean that when users do get updates, this can have unexpected consequences.

Take, for example, the issue highlighted by ZDNet's Violet Blue the other day.

"In the background, Google+ began "unifying" people's identities (combining its background matching of users names and profiles) in Android address books. […] Users found out in January 2014 when Google+ force-integrated chat and SMS into "hangouts" in the Android 4.4 "KitKat" update.

At-risk users were disproportionately affected, most especially transgender people who needed to keep their identities separate for personal safety and employment reasons.

One woman was outed to a co-worker when she texted him, and risked losing her employment."

Make no mistake about it; this drive by Google to integrate its products and services into Android contributes to the toxic hellstew. Google's billions aren't coming from selling consumer electronics or licensing software and services; its money comes from advertising revenue, and the more and better it knows Android users, the better it can target them with ads.

At the heart of the problem is a lack of empathy

So, on the one hand you have consumers who aren't getting updates, which is putting their data at risk, while on the flip side you have users who are getting updates, but those updates bring painful data leakage because of Google's desire to know more about people.

While I agree with ZDNet's Jason Perlow that Google is chasing revenue, I believe that the bigger problem is that Google lacks the empathy to properly connect with consumers. Google is a tech company led by very brainy tech people, but in my experience, these people have a hard time seeing the human element in things. It is a company populated by people who don't understand why users don't get updates, and can't see what's wrong with integrating users' Google+ identities with their SMS identities.

Android survival kit

OK, so you're running an Android device – or maybe you're planning to do that, or maybe you're an IT admin having to support an ever-increasing number of Android devices coming through the door – what do you do?

Here's my Android survival guide:

  1. Know the risks: If you are not running Android version 4.4, codenamed KitKat, then you're running an outdated version that won't be getting any bug fixes or updates. Don't believe me? The last update for Android 4.3 Jelly Bean was released October 2013, while Android 4.1 and 4.2 – both also codenamed Jelly Bean – haven't seen an update since October 2012 and February 2013 respectively. That's eons ago in internet time.

  2. Check your Android version: Now you know the risks, check what version you are running (Settings > About phone or About tablet).

  3. Be careful what you tell Google: Google is a data aggregation machine, so if there's something you don't want the world to know, don't tell Google. At the very least, be careful what Google account you tie to your Android device. Sure, this is highly inconvenient, but Google chose to make it that way because it is in its best interests to do so.

  4. The best way to get updates: The best way to make sure that you get regular updates is to buy either a Google Nexus device or an unlocked Motorola device. This will cost you more – much more – but it will mean that you are sent updates direct from Google HQ.

  5. Passcode and encryption: Use a secure passcode and be sure to encrypt your data to prevent it falling into the wrong hands (Settings > Security > Encrypt phone or Encrypt tablet). Note that encryption can mean slower performance, and it is a one-way process.

  6. Alternatively, go with Amazon: Amazon's Kindle Fire tablets use a forked version of Android and get their updates directly from Amazon. Given the broad range of BYOD features baked into the new Kindle Fire HDX tablet, this might be a great choice for those looking for a business tablet.

  7. Install security software: There are plenty of good apps to choose from.

  8. Install software only from trusted sources: And even then, don't go installing junk just for the sake of installing it.

  9. Don't root your device: This increases the device's vulnerability to rogue code.

  10. Enterprise folks: Have a clear security policy and make sure everyone understands it. Also, install endpoint software to control what devices can and cannot access the network. Consider blocking all devices running old versions of Android, along with all devices that have been rooted. 
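The enterprise advice in item 10 (block old Android versions and rooted devices) is the kind of rule an endpoint or MDM admission policy enforces. As an added illustration that is not from the article or from any vendor's product, here is a small device-posture evaluator: it parses the reported Android version numerically (so that a hypothetical "4.10" is not ranked below "4.4"), applies the 4.4 minimum the article gives, flags rooted devices, and fails closed when a device's version cannot be read. The record format, the `rooted` field and the sample inventory are constructed for this example.

```python
"""Device-posture check for an Android BYOD admission policy.

Added illustration (not from the article or any vendor tool): given an
inventory of device records, decide which may join the network. The policy
follows the article's advice: block devices running Android versions older
than 4.4 (KitKat) and block rooted devices. The record format, the `rooted`
field and the sample inventory below are constructed for this example.
"""
from dataclasses import dataclass

MIN_SUPPORTED = (4, 4)  # Android 4.4 "KitKat", the minimum the article recommends


@dataclass
class DeviceRecord:
    device_id: str
    android_version: str   # as shown under Settings > About phone, e.g. "4.4.2"
    rooted: bool           # as reported by the endpoint agent (assumed field)


def parse_version(version: str) -> tuple:
    """Turn "4.4.2" into (4, 4, 2) so versions compare numerically.

    Numeric comparison matters: plain string comparison would rank "4.10"
    below "4.4". Empty or non-numeric input raises ValueError so that a
    garbled report fails closed instead of being admitted.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Android version: {version!r}")
    return tuple(int(p) for p in parts)


def evaluate(record: DeviceRecord) -> tuple:
    """Return (allowed, reasons); an empty reasons list means compliant."""
    reasons = []
    try:
        version = parse_version(record.android_version)
    except ValueError as exc:
        # Fail closed: a device whose version cannot be read is not admitted.
        return False, [str(exc)]
    if version < MIN_SUPPORTED:
        minimum = ".".join(str(n) for n in MIN_SUPPORTED)
        reasons.append(f"Android {record.android_version} is below the minimum "
                       f"{minimum} (no longer receives bug fixes)")
    if record.rooted:
        reasons.append("device is rooted")
    return (not reasons), reasons


def admission_report(inventory) -> dict:
    """Map device_id -> (allowed, reasons) for a whole inventory."""
    return {rec.device_id: evaluate(rec) for rec in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    DeviceRecord("nexus-5-001", "4.4.2", rooted=False),   # compliant
    DeviceRecord("galaxy-s4-002", "4.3", rooted=False),   # too old
    DeviceRecord("note3-003", "4.4.2", rooted=True),      # rooted
    DeviceRecord("unknown-004", "", rooted=False),        # unreadable version
    DeviceRecord("future-005", "4.10", rooted=False),     # numeric compare check
]

if __name__ == "__main__":
    for device_id, (allowed, reasons) in admission_report(SAMPLE_INVENTORY).items():
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{verdict:5} {device_id}: {'; '.join(reasons) or 'compliant'}")
```

Running the script prints one verdict per device; in a real deployment the same `evaluate` logic would sit behind the network-access gate, fed by whatever endpoint agent reports version and root status.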

  • Thank you ! For NOT...

    making this article into a Gallery! Agree with the purchase of the Nexus Device concept. I have reached the end of my updates for Google Galaxy Nexus as of last fall. I am considering going with CyanogenMod now that JellyBean is starting to show its age. I would gladly pay a small fee if Google would produce an update of KitKat for the Google Galaxy Nexus, but since that is not likely to happen, CyanogenMod is the next best thing.
    • AKH lost all credibility with Android

      When Tim Cook used his quote in an Apple presentation.
      Hyperbole FUDfest!
      Did Tim Cook tell anyone about the real Toxic Hellstew of in-app purchasing on the iOS platform?
      The crims don't even bother to hack anymore; they just write an iOS app that steals billions through iTunes.
      I'm sorry, but that's the real toxic hellstew right there, and Apple is driving it with the greedy, deceptive requirement of payment tie-in upon Apple ID sign-up.
      Hackers don't give a crap about hacking Android when they can just set up an iCloud proxy and mass hack iOS and demand money to unlock, Oleg Pliss style. This is the flipside to iOS security: you need Apple to rescue you from hackers brick locking. With Android, I just run recovery and it's a fresh phone again.
      Android is far more secure than iOS.
      • If you want security

        Get a Windows Phone
        • If you want a phone that you actually want...

          Get an Android.
          • Not if I Want Privacy

            And Android allows applications to connect with other applications to steal data. I want something that is reasonably secure and is NOT advertisement-based. You don't pay for Android, so there has to be another way for Google to make money.
          • So basically...

            You are stating that Google is allowing applications to steal your private data. Google then buys this private data from the applications developers and uses it to make advertisements? Is that what you are saying?

            Also..since when did you become CFO to Google? How do you know how Google makes money?
      • LOL wow I guess

        the truth does ding - and it's not a FUD fest my kids lived/living it now.
    • Agreed

      although I'm not sure how the subsidising of phones works in the US. With my carrier in Germany it generally works out 10€ more expensive over 2 years to get a subsidised phone than it does to buy it discounted and unlocked on Amazon.
  • The real problem... the delivery mechanism for updates, which Google is well equipped to fix (Google could even make some money by selling them).

    Conventional Linux is fragmented too, but it's relatively easy to switch a distro out if your existing one is no longer maintained. Switching out one's Android is a bit harder.
    John L. Ries
    • actually if you have a nexus or unlockable android phone

      it's easier to replace with a custom ROM such as CM than swapping out a Linux distro.
      But if people just get a Moto X or Nexus there is no problem with the delivery mechanism. I have no clue why people continue to go for subsidised carrier phones.
      • I don't get it either

        Maybe if you insist on iPhone and don't have $500-600 to put out, but not with Android. A Moto G is $179 cash or less. A Moto E is $129 if you don't care about LTE or a front camera. They will both get regular timely updates. Is it really worth getting into a contract or spending $500 on a Galaxy S5?
      • Subsidized Phone since stuck with Verizon

        I live in the hills to the East of SF Bay and most carriers suck in their coverage. Verizon is far and away the best. If I have to pay Verizon's high rates, why would I pay a lot of money for my own phone.

        It seems my battery life has decreased a bit since my S-4 was upgraded to KitKat. I just checked my battery use - and Android System used 13% and Android OS used 7%, this is in addition to Chrome and Gmail and other services. I think that prior to KitKat the Android use was only one thing, not divided into two, and it ran around 10% -- this is a less than perfect recollection. Anyone know anything about that?
    • Google has virtualised the API

      The underlying Linux is not a huge issue for updates. There have been around 30 vulnerabilities since Android began, compared to about 400 for iOS.
      Google has put all the API changes into basically an app called Google Play Services and it updates on ANY Android in better fashion than any other mobile OS.
      Google has virtualised most of the important elements of Android already.
      The Android device doesn't even need to reboot after Google API updates!
      So what's with all the update-itis and phobias?
      Update your FUD.
      • Didn't you know?

        I'm a confessed Android and Linux user. I actually prefer Android to iOS and have zero interest in WP (sorry, MS-fans). So why would I engage in FUD against my preferred mobile OS? But we don't need to hide the problems with it; they need to be discussed and they need to be dealt with. Pretending they don't exist in the interest of bad publicity avoidance is dishonest.
        John L. Ries
        • I will not hesitate to slam Google where they deserve it

          And you know I vehemently slam Google for the SD card fiasco with KitKat.
          I don't see the huge problem with fragmentation as a user.
          I have quite a lot of Android devices (at least a dozen) and I have never felt that any of them needed an update to give me any real benefit.
          The only time that an update affected functionality was KitKat, and 2 of my Samsungs (Note3 and Note10-14) are now Knox tripped and rooted in order to have the SDfix patch to regain proper SDcard function.
          My Sony Xperia Z1 downloaded the KitKat update and I am NOT going to click the install, as it is running fine on 4.3 and 4.4 will just take something significant away.
          Update-itis has cost me my Samsung warranty by tripping Knox efuse in order to root.
          I'm super anti-update now.
          • Don't Want The Upgrade Either

            A new Grief on my Nexus 4. For the 1st time, an ugly Upgrade Notification appeared that ignored the Clear Notifications button.
            I finally figured out how to block it since I will not use their Upgrade anytime soon till bugs are worked out, if ever. If ever, since I'll go to CM's OS most likely anyway.
            Settings/Apps/Google Play services/Uncheck.
            If anybody felt like I did about a persistent Notification that ignored normal Deletion, you will thank me and ZDNet.
  • Just get a Windows Phone.

    Problem solved, and no Google crap!
    • Tell that to the owners of the 6.5 and 7 line of Winphones

      Especially the 7 - they were promised an update to 8... but didn't get it.
      • No

        Windows Phone 7 users were not promised an update to 8. They were promised an update, but it was never going to be to 8.
        Michael Alan Goff
        • No smart phone owners are promised anything.

          In this day and age, however, there is an implicit expectation that when you buy a "modern" smartphone it will be upgradable to the next software version. Microsoft betrayed smartphone owners by releasing smartphones that were not upgradable with Windows Mobile 6.5 and Windows Phone 7.

          Nokia betrayed smartphone owners by knowingly releasing an obsolete product. Shame on MS, shame on Nokia and shame on you for misconstruing the meaning of the previous poster.

          You know very well what he meant.