Android fragmentation turning devices into a toxic hellstew of vulnerabilities

With vulnerabilities such as Heartbleed and Pileup likely to go unpatched on tens, if not hundreds of millions of Android devices, the platform is fast becoming a toxic hellstew that should send chills down the spines of IT admins.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor
Some Android versions are vulnerable to Heartbleed

I'm a big fan of Android, not only because I use the platform, but also because I feel that competition in the mobile space has been good. This competition has allowed a technological version of Darwinian evolution to come about that makes the strong platforms even stronger while at the same time weeding out those floundering in the shallow end of the mobile tech gene pool.

Android itself is a strong operating system, but the way that the platform is delivered to end-users is critically flawed. Rather than taking the iOS approach where updates are sent to users directly, Google chose to adopt a much more convoluted approach.

Whenever Google releases either an update to Android – whether that be tweaks and bugfixes or critical patches for serious flaws – or a completely new version of the operating system, the code then goes to device OEMs to be customized with their own tweaks and personalizations. Then, for smartphones and tablets that are hooked to a carrier contract, the carriers get a chance to add their own branding. Not only is this a long chain, but the problem is made exponentially worse by the fact that neither the OEMs nor the carriers feel there's much of a benefit in pushing free software updates to customers, and would much rather focus on selling those people a new device.

Bottom line, unless you buy a smartphone or tablet from Google -- and pay the full, unlocked price -- then you're at the mercy of the OEM and carriers.

One of the biggest problems with this fragmentation is that a huge number of users – numbering in the hundreds of millions – are being left vulnerable to malware and data theft as a result of bugs and vulnerabilities in the code.

Two security issues that have surfaced lately have highlighted just how serious this problem has become. First there were the Pileup bugs, which left every Android-powered smartphone and tablet – more than a billion devices in all – vulnerable to malware thanks to privilege escalation issues. Then came the Heartbleed OpenSSL bug. It turns out that this bug reaches much closer to home than servers: it affects certain flavors of Android 4.1.x Jelly Bean. That might seem a limited issue until you realize that this version powers some 35 percent of all Android devices currently in use.
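Heartbleed comes down to a single missing bounds check in OpenSSL's TLS heartbeat handler: the peer declares a payload length, and the unpatched code copies that many bytes back out of memory without confirming the record it received was actually that long. The Python model below is an added illustration, not code from this article or from OpenSSL. It simulates the record sitting in memory next to other data (a constructed sample string standing in for whatever the process holds), shows the pre-patch handler reading past the end of the record, and shows the patched handler discarding any heartbeat whose declared length does not fit inside what was received. The message layout follows RFC 6520 (type, 16-bit length, payload, at least 16 bytes of padding); the "adjacent memory" is an assumption of the model, not a real heap layout.

```python
import struct
from typing import Optional

# Constructed sample of data that happens to sit after the record in memory.
# A real process would hold session keys, cookies, or other peers' traffic here.
ADJACENT_MEMORY = b"session-cookie=DEADBEEF; "

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type (1 byte) | payload_length (2 bytes) | payload | padding.

    declared_len lets a test supply a length field that disagrees with the real payload,
    which is exactly the malformed input the patched handler must reject.
    """
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING


def vulnerable_handler(record: bytes) -> bytes:
    """Pre-patch behaviour: trust payload_length and copy that many bytes from
    wherever the record lives, reading past its end into neighbouring memory."""
    memory = record + ADJACENT_MEMORY  # model: record followed by unrelated heap data
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_len]  # no comparison against len(record)
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def hardened_handler(record: bytes) -> Optional[bytes]:
    """Patched behaviour: silently discard the message unless header + declared
    payload + minimum padding all fit inside the bytes actually received."""
    if len(record) < 1 + 2 + PADDING:  # too short to even carry the mandatory padding
        return None
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > len(record):
        return None  # the fix: declared length exceeds the record, drop it
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Return just the payload bytes a responder echoed back."""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", declared_len=40)  # claims 40 bytes, carries 4
    print("vulnerable, honest request :", response_payload(vulnerable_handler(honest)))
    print("vulnerable, oversized length:", response_payload(vulnerable_handler(lying)))
    print("hardened, honest request   :", response_payload(hardened_handler(honest)))
    print("hardened, oversized length :", hardened_handler(lying))
```

The hardened check mirrors the shape of the actual OpenSSL fix, which compares the declared length plus header and padding against the length of the received record and drops the message on mismatch. The point for a fleet administrator is that the bug is in the library, so an unpatched device running a vulnerable OpenSSL build is exposed whenever it speaks TLS, regardless of which app opened the connection.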

That's a huge problem, and one that is likely to hang around until these devices either die or are taken out of circulation, and given that over 17 percent of devices out there are still running Android 2.3.x Gingerbread, that is not going to happen any time soon.

Android's fragmented ecosystem, and the reliance on OEMs and carriers to push updates to the majority of users, have finally caught up with the platform. This should send chills down the spines of IT admins who have embraced Android for BYOD. It would chill me to the bone, and it would make me think twice about allowing old Android devices inside my digital fortress. The same would go for old iOS devices, but there some 87 percent of users are running iOS 7, with a further 11 percent running iOS 6. Fragmentation is far less of a problem here because Apple pushes updates direct to the users.

Android needs to get its house in order, and only Google can do that, either by strong-arming the OEMs and carriers or by making it possible to update the operating system without needing to go through the carriers.
