Earlier this year I wrote about the sorry state of Android. In that piece I pointed out that rampant fragmentation of versions, combined with the reluctance of hardware makers and the network carriers to push updates out to users, was turning Android into a "toxic hellstew" of vulnerabilities.
Fast forward to last week, when Apple CEO Tim Cook took my headline and gave it airtime during the WWDC keynote speech, and the Hardware 2.0 mailbox is brimming with people wanting to know one thing:
"I'm an Android user. What can I do to protect myself?"
Before we go on to answer that, let's get a better handle on the problem.
A painfully flawed update mechanism
Android itself is a strong operating system, but the way that the platform is delivered to end-users is critically flawed. Rather than taking the iOS approach where updates are sent to users directly, Google chose to adopt a much more convoluted approach.
Whenever Google releases either an update to Android – whether that be a tweaks and bugfixes or critical patches for serious flaws – or a completely a new version of operating system, the code then goes to device OEMs to be customized with their own tweaks and personalizations. Then, for smartphones and tablets that are hooked to a carrier contract, the carriers then get a chance to add their own branding.
Not only is this a long chain, but the problem is made exponentially worse by the fact that neither the OEMs nor the carriers feel there's much of a benefit in pushing free software updates to customers, and would much rather focus on selling those people a new device.
One of the biggest problems with this fragmentation is that a huge number of users – numbering the hundreds of millions – are being left vulnerable to malware and data theft as a result of bugs and vulnerabilities in the code.
Deep integration with Google products and services
Another problem with Android is how deeply integrated the operating system is with Google products and services, and this can mean that when users do get updates, this can have unexpected consequences.
Take, for example, the issue highlighted by ZDNet's Violet Blue the other day.
"In the background, Google+ began "unifying" people's identities (combining its background matching of users names and profiles) in Android address books. […] Users found out in January 2014 when Google+ force-integrated chat and SMS into "hangouts" in the Android 4.4 "KitKat" update.
At-risk users were disproportionately affected, most especially transgender people who needed to keep their identities separate for personal safety and employment reasons.
One woman was outed to a co-worker when she texted him, and risked losing her employment."
Make no mistake about it; this drive by Google to integrate its products and services into Android contributes to the toxic hellstew. Google's billions aren't coming from selling consumer electronics, or licensing software and services, its money comes from advertising revenue, and the more and better it knows Android users, the better it can target them with ads.
At the heart of the problem is a lack of empathy
So, on the one hand you have consumers who aren't getting updates, and that is putting their data at risk, while on the flipside you have users who are getting updates, but those updates are experiencing painful data leakage because of Google's desire to know more about people.
While I agree with ZDNet's Jason Perlow Google is chasing revenue, I believe that the bigger problem is that Google lacks the empathy to properly connect with consumers. Google is a tech company led by very brainy tech people, but in my experience, these people have a hard time seeing the human element in things. It is a company populated by people who don't understand why users don't get updates, and can't see what's wrong with integrating user's Google+ identities with their SMS identity.
Android survival kit
OK, so you're running an Android device – or maybe you're planning to do that, or maybe you're an IT admin having to support an ever-increasing number of Android devices coming through the door – what do you do?
Here's my Android survival guide:
- Know the risks: If you are not running Android version 4.4, codenamed KitKat, then you're running an outdated version that won't be getting any bug fixes or updates. Don't believe me? The last update for Android 4.3 Jelly Bean was released October 2013, while Android 4.1 and 4.2 – both also codenamed Jelly Bean – haven't seen an update since October 2012 and February 2013 respectively. That's eons ago in internet time.
- Check your Android version: Now you know the risks, check what version you are running (Settings > About phone or About tablet).
- Be careful what you tell Google: Google is a data aggregation machine, so if there's something you don't want the world to know, don't tell Google. At the very least be careful what Google account you tie to your Android device. Sure, this is highly inconvenient, but Google choose to make it that way because it is in its best interests to do so.
- The best way to get updates: If you want to make sure that you get regular updates is to buy either a Google Nexus device, or an unlocked Motorola device. This will cost you more – much more – but it will mean that you are sent updates direct from Google HQ.
- Passcode and encryption: Use a secure passcode and be sure to encrypt your data to prevent it falling into the wrong hands (Settings > Security > Encrypt phone or Encrypt tablet). Note that encryption can mean slower performance, and it is a one-way process.
- Alternatively, go with Amazon: Amazon's Kindle Fire tablets used a forked version of Android and get their updates directly from Amazon. Given the broad range of BYOD features baked into the new Kindle Fire HDX tablet, this might be a great choice for those looking for a business tablet.
- Install security software: There are plenty of good apps to choose from.
- Install software only from trusted sources: And even then, don't go installing junk just for the sake of installing it.
- Don't root your device: This increases the device's vulnerability to rogue code.
- Enterprise folks: Have a clear security policy and make sure everyone understands it. Also, install endpoint software to control what devices can and cannot access the network. Consider blocking all devices running old versions of Android, along with all devices that have been rooted.