Android should embrace a Windows-style security update model

Google fixes Android's security problems relatively quickly, but the OEMs and carriers are painfully slow to implement them. Isn't it time for Google to take a page out of Microsoft's playbook and implement regular direct-to-user security updates?
Written by Steven Vaughan-Nichols, Senior Contributing Editor

When it comes to security, Android in 2013 is a lot like Windows in the 1990s and much of the 2000s: a mess. Still, Microsoft got one thing right with security early on. Starting with Windows 98, Microsoft released regular direct-to-user security updates with Patch Tuesday. It's high time Google followed Microsoft's lead and started implementing its own direct-to-user security patches.

Google needs to force end-user Android security updates on OEMs and carriers.

Google does a decent job of fixing Android security holes. For example, the Bluebox Security hole was fixed three days after it was publicly announced. That's great as far as it went, but the Android OEMs and carriers have released the patch for only a handful of smartphones and none of the tablets.

This is unacceptable.

True, you'd need to ignore Android security basics to pick up an infected program, but there's a security fool born every minute. Besides, while today most Android malware infects devices via third-party Android app stores and questionable malware-laden Web sites, it's only a matter of time before hackers adopt more subtle ways to introduce malware into Android devices.

In short, Google needs to tighten Android's security. True, Google has introduced such advanced security features as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) in Android 4.1, Jelly Bean. That still doesn't protect you from all malware.

On top of that, only 37.9 percent of Android users are running 4.1 and higher. Over 60 percent are running earlier, more vulnerable versions of Android. In addition, just like Windows, there are always new Android security holes being discovered and exploited, even in the newest versions.

Security is a never-ending battle.

While Microsoft's answer has its problems--for every Patch Tuesday, there's an Exploit Wednesday--at least Microsoft's approach ensures that careful users will be protected from most security holes regardless of whether they're running a Dell laptop, an HP PC, or a Lenovo ThinkPad.

Google needs to take the same approach. Just as Microsoft releases patches for everything from XP to Windows 8.1, Google needs to push security patches for everything from at least Android 2.1, Eclair, which still has 1.4 percent of the market, up to the market-leading Android 4.1 and later.

Microsoft doesn't depend on the big PC vendors to deliver patches and Google shouldn't either. As this latest episode shows, neither the OEMs nor the carriers can be trusted to keep their users secure.

Google needs to sit its Android OEM customers down and tell them that since they can't, or won't, deliver security patches, it will do it for them. Microsoft did it with Acer, Asus, and all the other PC vendors; Google must do it with HTC, Samsung, and all its smartphone and tablet partners.

The alternative is for Android's users to be permanently vulnerable to both old, long-fixed security holes and the latest malware.
